Our mission
Plainshift is a full-stack security firm built on the “shift left” security philosophy. We often work with teams early in the product development process to extend security beyond the smart contracts to the rest of the organization. From the web app, to fuzzing and formal verification, to a team’s operational security, full-stack security starts from the understanding that, to the users who trust you, there is no “scope”: every component is in play.
We’re here to meaningfully change how teams approach security and to guide them towards a holistic approach rather than the single-sided approach so prevalent today.
Timeline
- Pentest: April 1st - April 7th, 2025
- Smart contracts: April 1st - April 22nd, 2025
We understand that HedgeHogs has a mid-to-late April launch target. Although the smart contract audit report delivery is scheduled for April 22nd, most findings will be identified, communicated, and fixed before then. To support the client’s launch timeline, Plainshift will establish a dedicated Telegram group connecting our auditors with the HedgeHogs development team. We will provide regular updates on potential leads and confirmed findings as we progress through the audit, and we will support the mitigation review process throughout the entire audit timeline.
This collaborative approach ensures that the client does not need to wait until the official report delivery date to view and address our findings, allowing for a more efficient security implementation process.
Prior similar experience
Smart contracts
Our team is highly trusted in the industry:
- We were contracted by the Ethereum Foundation to conduct comprehensive audits for the Pectra Upgrade EIP bytecode contracts, working alongside a16z and three other respected firms.
- The Uniswap v4 lead designer and Uniswap v3 core developer specifically entrusted Plainshift to conduct the core audits for both the Starknet and EVM implementations of Ekubo after a previous auditing firm missed a critical vulnerability. Ekubo is a Concentrated Liquidity Market Maker (CLMM) heavily inspired by Uniswap v3/v4; alongside our audit we developed a complementary custom testing suite to extensively evaluate potential edge cases. You can review both of our audits for Ekubo at https://docs.ekubo.org/integration-guides/reference/audits, where we identified a critical vulnerability in the Solidity smart contracts.
Our auditors assigned to the HedgeHogs project have also discovered significant vulnerabilities in several major DeFi protocols, including:
- Revert Lend (Uniswap v3 Integration)
- Ekubo (Uniswap v3/v4 inspired CLMM) in both Solidity and Cairo
- Zerolend (Aave fork)
- Bunni
- Aave v3.3
For additional information about our team of smart contract auditors, one of our senior auditors’ profiles can be found at: https://audits.sherlock.xyz/watson/unforgiven
Pentest
All of our auditors come from extensive web2 security backgrounds. Our founder, Surya, discovered two critical vulnerabilities affecting all Apple operating systems, which were assigned official CVEs. He is also a captain of a top-2 international Capture The Flag (CTF) team that regularly qualifies for the DEF CON CTF finals.
The auditors assigned to the HedgeHogs penetration test have previously conducted security assessments for other web3 protocol frontends, such as Royco.
For more insights into their expertise, you can read one of their technical blogs at: https://dreyand.rs/
Our penetration testing team consists of former professional pentesters and red team operators, all holding the Offensive Security Certified Professional (OSCP) certification and with multiple CVEs to their credit.
Proposed quote
| Service | Timeline | Engineer Weeks | Cost |
|---|---|---|---|
| Smart Contracts (includes custom testing suite if deemed necessary) | April 1st - April 22nd | 9 | 45,000 USDC base + 5,000 USDC bonus if a critical severity loss-of-funds issue is found (validated by the HedgeHogs team) |
| Pentest (includes threat modeling if documentation is available) | April 1st - April 7th | 4 | 20,000 USDC |