Legal · last updated 29 May 2026

Security

How we approach security across smart contracts, custody, production systems, and disclosure.

Smart contracts

Every contract we ship goes through internal review, static analysis (Slither), fuzzing (Echidna and Foundry invariant tests), and an external audit before mainnet deployment. We coordinate audits with Trail of Bits, OpenZeppelin, Spearbit, Pashov, yAudit, and Cyfrin Codehawks. We include a re-audit budget for every meaningful change made after the audit.

Custody and keys

We never hold long-term custody of client funds. Multisigs are set up on Safe (EVM) or Squads (Solana) with the client as the primary signer from day one. We are a signer during the build only and rotate out at handover.

Production systems

Least-privilege IAM, secrets kept in a managed vault (1Password / Doppler / cloud KMS), signed commits, and required reviews on main. SSO with hardware-key MFA for all critical accounts.

Responsible disclosure

If you believe you've found a security issue, email contact@shazralabs.com with subject "Security disclosure". We will acknowledge within 48 hours and work with you on a fix.


Questions about this policy?

Email contact@shazralabs.com — we'll answer.