On-chain activity
Zellic Security Auditing Services
Zellic implements security assessment protocols through manual code review and automated analysis, identifying critical vulnerabilities in smart contracts, zero-knowledge circuits, and cross-chain infrastructure. The system combines traditional auditing with competitive security research methodologies.
Zellic
Zellic is a security assessment firm founded in 2021 and headquartered in New York City. It focuses on the security of emerging technologies — particularly blockchain protocols, smart contracts, zero-knowledge circuits, and applied cryptography. Its tagline, "Real security. Not rubber stamps," reflects a deliberate positioning against perfunctory compliance-driven audits: Zellic approaches each engagement as an adversarial exercise designed to find what could actually go wrong, not merely to confirm that a codebase follows a checklist.
Origins and Team
Zellic was co-founded by Luna Tong (CEO) and Jasraj Bedi (CTO), both of whom came out of the competitive hacking world. Before starting the firm, they co-founded Perfect Blue, a Capture the Flag team that ranked as the world's number one CTF team in 2020, 2021, and 2023. Luna Tong previously worked on vulnerability research at Dataflow Security with a focus on iPhone exploitation, conducted peer-reviewed fuzzing research, and traded at Two Sigma. Jasraj Bedi built his background hacking Android at Google and collecting bounties against Fortune 500 companies' bug bounty programs.
This offensive-security heritage shapes how Zellic conducts assessments. The team treats client protocols the way an attacker would: probing assumptions, chasing unusual execution paths, and applying techniques — formal verification, fuzzing, static analysis — that go well beyond manual code review. The firm has grown to more than forty researchers and engineers with specializations spanning cryptography, web security, mobile security, low-level exploitation, ZK proof systems, and finance.
Services
Zellic conducts security assessments across a wide range of targets:
- EVM smart contracts — including DeFi primitives, token standards, and complex protocol mechanics
- Zero-knowledge circuits — Circom, Halo2, Plonky2, and other ZK proving systems
- Layer 1 and Layer 2 protocols — consensus layers, rollup stacks, and bridges
- Move-based blockchains — Aptos and Sui
- Cosmos ecosystem — SDK modules and IBC implementations
- Cross-chain applications — bridges and messaging protocols
- Applied cryptography — including signature schemes, hash functions, and trusted execution environments
- Web application security — for web2 surfaces associated with web3 projects
The firm emphasizes daily communication with clients throughout an engagement and tailors which security techniques are applied based on what each protocol actually needs, rather than running a fixed checklist.
Track Record and Metrics
By the end of 2025, Zellic had completed 338 security reviews, with 45 percent of those engagements identifying at least one critical or high-impact vulnerability. Across that work, the firm documented 247 critical vulnerabilities and 308 high-impact findings — numbers the company presents not as marketing but as evidence that the issues being caught are real and consequential, not noise.
Notable audit clients include LayerZero, Jump Crypto, Wormhole, the Solana Foundation, Sui (Mysten Labs), Scroll, Hyperliquid, Polymarket, Morpho, Pyth Network, Injective, Osmosis, ZetaChain, Succinct Labs, Babylon, and 1inch Network. The Sui engagement is among the most publicly cited: during an audit of Sui's Move bytecode verifier and programmable transactions module, Zellic discovered a critical bug in the construction of a function's control flow graph that put potentially billions of dollars of assets at risk.
Solana Ecosystem Work
Zellic has an extensive audit history within the Solana ecosystem, spanning core protocol components and major application-layer protocols. Published audit reports from the firm's public GitHub repository cover:
- Anza (Solana's core development organization): multiple engagements including the BPF Stake Program (March 2025), Solana BPF runtime (October 2024), P Token (October 2025), Token Wrap (May 2025), and a Token 2022 pull-request review (December 2025)
- SPL Token 2022: reviewed in December 2022
- Audius Solana: initial audit October 2022, follow-up on claim and rewards programs November 2025
- LayerZero Solana Endpoint: July 2024
- LayerZero Solana Examples: December 2025
- Pyth Lazer Solana: January 2025
- Chainflip Solana: August 2024
- Ondo Global Markets: December 2025
- Single Pool: January 2024
The Anza relationship in particular — covering multiple engagements across the BPF execution environment and token programs that underpin the entire Solana runtime — demonstrates Zellic's depth of involvement in Solana's most security-critical infrastructure.
Zellic researchers have also published original security research focused on Solana internals. In February 2026 the firm published "Inside the SVM — sBPF JIT Security Pitfalls," a technical analysis of the Solana Virtual Machine's sBPF (Solana Berkeley Packet Filter) JIT compiler that dissects execution paths and identifies real vulnerability classes in JIT compilation. This kind of original research, beyond paid client work, signals genuine expertise in the underlying platform rather than surface-level familiarity.
Code4rena Acquisition
In August 2024, Zellic acquired Code4rena, a Paradigm-backed competitive audit platform. The acquisition combined two historically separate audit modalities under one roof. Zellic's consultative audits deliver intensive, time-boxed analysis by a small number of expert researchers focused on critical security properties. Code4rena's competitive audit format deploys a larger community of independent auditors across an entire codebase, catching a broader spectrum of issues including lower-severity findings that a small consultative team might not surface.
Zellic packaged these together as "Audits+" — a single offering that gives clients both models without the overhead of managing two vendors. Code4rena continued operating independently under its existing management after the deal closed. Zellic also announced that Code4rena would run its audit competitions at zero platform fee going forward, a policy change that reflected Zellic's stated priority of client and ecosystem benefit over fee maximization.
Philosophy and Positioning
Zellic is self-described as unfunded, a relatively unusual choice in an industry where most security firms have taken venture capital. The firm positions its independence as a feature: without investor pressure to scale headcount rapidly or maximize deal volume, it can be selective about engagements and maintain audit quality.
The "real security, not rubber stamps" positioning targets a genuine problem in blockchain security. Many projects seek audits primarily as a marketing signal — a badge to display rather than a genuine adversarial review. Zellic's public statistics on critical and high findings per engagement, its original security research, and the seniority of its researchers are all aimed at a client base that wants substantive findings, not assurance theater.
Within the Solana ecosystem specifically, Zellic occupies a trusted-partner position. The Solana Foundation is a named client, and Anza's repeated use of Zellic across core BPF and token-program work reflects ongoing confidence in the firm's ability to audit Rust-based, low-level protocol code — a specialized skill set that not all blockchain security firms possess.
Contents
- Origins and Team
- Services
- Track Record and Metrics
- Solana Ecosystem Work
- Code4rena Acquisition
- Philosophy and Positioning
Solana Token Markets
