Skip to content

Security Auditor Research

Date: November 27, 2025 Purpose: Evaluate potential security auditors for SIP Protocol


CriterionWeightDescription
Cryptography ExpertiseHighExperience with ECC, commitments, ZK
DeFi/Privacy FocusHighPrior work on privacy protocols
ReputationMediumTrack record, notable findings
TimelineMediumAvailability and turnaround
CostMediumBudget alignment
CommunicationLowResponsiveness, collaboration style

Website: https://www.trailofbits.com

Expertise:

  • Audited @noble/* libraries (our core dependencies)
  • Strong cryptography team
  • Extensive blockchain experience

Notable Audits:

  • Zcash (privacy protocol)
  • Ethereum Foundation
  • Uniswap, Compound

Estimated Cost: $100,000-150,000 Timeline: 6-8 weeks (backlogged)

Fit for SIP: EXCELLENT

  • Already familiar with @noble/* internals
  • Deep cryptographic expertise
  • Premium reputation

Contact: https://www.trailofbits.com/contact


Website: https://www.openzeppelin.com/security-audits

Expertise:

  • Industry standard for smart contract audits
  • Strong Solidity/EVM focus
  • Some cryptography experience

Notable Audits:

  • Compound, Aave, 1inch
  • Ethereum 2.0 components

Estimated Cost: $80,000-120,000 Timeline: 4-6 weeks

Fit for SIP: GOOD

  • Strong reputation
  • Less crypto-focused than Trail of Bits
  • Better for smart contract layer

Contact: security@openzeppelin.com


Website: https://consensys.io/diligence

Expertise:

  • Ethereum ecosystem focus
  • Smart contract security
  • Some cryptographic audits

Notable Audits:

  • MetaMask, Gnosis Safe
  • Various DeFi protocols

Estimated Cost: $60,000-100,000 Timeline: 4-6 weeks

Fit for SIP: GOOD

  • Strong EVM expertise
  • Wallet integration experience relevant
  • Less ZK-specific

Contact: https://consensys.io/diligence/contact


Website: https://zellic.io

Expertise:

  • ZK circuit auditing
  • Cryptographic implementations
  • Noir/Aztec familiarity

Notable Audits:

  • Aztec Protocol
  • Various ZK projects

Estimated Cost: $50,000-80,000 Timeline: 3-5 weeks

Fit for SIP: EXCELLENT

  • ZK expertise aligns with future Noir circuits
  • Cryptography-focused
  • Competitive pricing

Contact: contact@zellic.io


Website: https://leastauthority.com

Expertise:

  • Privacy-focused audits
  • Cryptographic protocol review
  • Strong academic ties

Notable Audits:

  • Zcash (multiple audits)
  • Tor Project
  • Various privacy protocols

Estimated Cost: $40,000-70,000 Timeline: 4-6 weeks

Fit for SIP: EXCELLENT

  • Privacy protocol specialists
  • Zcash experience directly relevant
  • Strong cryptographic review

Contact: https://leastauthority.com/contact


Website: https://www.nccgroup.com/us/our-services/cyber-security/specialist-practices/cryptography-services/

Expertise:

  • Cryptographic protocol analysis
  • Enterprise security
  • Broad experience

Notable Audits:

  • Various enterprise blockchain
  • Cryptographic libraries

Estimated Cost: $60,000-100,000 Timeline: 4-6 weeks

Fit for SIP: GOOD

  • Strong crypto team
  • More enterprise-focused
  • Thorough methodology

Contact: https://www.nccgroup.com/contact-us/


Background: Co-designer of BLAKE2, SipHash, Argon2 Expertise: Symmetric cryptography, hash functions, protocol analysis Availability: Limited, selective projects

Fit for SIP: MODERATE

  • Hash/symmetric focus (less ECC)
  • World-class reputation
  • May be interested in novel protocols

Contact: Via Twitter/academic channels


Background: Former Google/Cloudflare, Go crypto team Expertise: TLS, cryptographic implementations Availability: Selective consulting

Fit for SIP: GOOD

  • Implementation security expertise
  • Go/TypeScript experience
  • Strong communication

Contact: https://filippo.io


Option: Partner with university crypto labs

Potential Partners:

  • Stanford Applied Cryptography Group
  • MIT Digital Currency Initiative
  • UC Berkeley RDI

Advantages:

  • Deep theoretical expertise
  • Lower cost
  • Publication opportunities

Disadvantages:

  • Slower timeline
  • Less industry-focused

Website: https://code4rena.com

Model: Competitive audit with multiple auditors Cost: $20,000-50,000 (prize pool) Timeline: 1-2 weeks contest + judging

Fit for SIP: MODERATE

  • Good coverage breadth
  • Variable quality
  • Better for smart contracts

Website: https://www.sherlock.xyz

Model: Curated auditor competition Cost: $30,000-60,000 Timeline: 2-3 weeks

Fit for SIP: MODERATE

  • Higher quality than open competitions
  • DeFi focus
  • Crypto expertise varies

Website: https://immunefi.com

Model: Ongoing bug bounty program Cost: Pay per finding (define bounty table) Timeline: Continuous

Fit for SIP: GOOD (post-audit)

  • Complements formal audit
  • Ongoing security
  • Community engagement

Phase 1: Cryptographic Review (Now)

  • Auditor: Least Authority or Zellic
  • Scope: commitment.ts, stealth.ts, privacy.ts
  • Cost: $30,000-50,000
  • Timeline: 3-4 weeks
  • Rationale: Privacy protocol specialists, cost-effective

Phase 2: Full SDK Audit (With Noir Circuits)

  • Auditor: Trail of Bits or Zellic
  • Scope: Full SDK + Noir circuits
  • Cost: $70,000-100,000
  • Timeline: 5-6 weeks
  • Rationale: Complete coverage after circuits implemented

Phase 3: Bug Bounty (Post-Launch)

  • Platform: Immunefi
  • Cost: $10,000-50,000 reserve
  • Timeline: Ongoing
  • Rationale: Continuous security
PhaseCost RangePriority
Phase 1$30,000-50,000High
Phase 2$70,000-100,000Medium
Phase 3$10,000-50,000Low
Total$110,000-200,000

If budget allows for single engagement:

Recommended: Trail of Bits

  • Cost: ~$120,000
  • Timeline: 6 weeks
  • Coverage: Complete SDK review

  1. Immediate: Reach out to Least Authority and Zellic for quotes
  2. Week 1: Compare proposals, evaluate timeline fit
  3. Week 2: Select auditor, sign engagement
  4. Week 3+: Begin audit process

Subject: Security Audit Request - SIP Protocol (Privacy Layer)
Hi [Auditor Team],
We're seeking a security audit for SIP Protocol, a privacy layer for
cross-chain transactions built on NEAR Intents.
Key Details:
- ~5,000 lines TypeScript (SDK)
- Core crypto: Pedersen commitments, stealth addresses (EIP-5564)
- Dependencies: @noble/* (audited by Trail of Bits)
- Full documentation: threat model, crypto assumptions
Timeline: Flexible, prefer Q1 2026
Budget: [Range]
Would you be available for a scoping call?
Repository: https://github.com/sip-protocol/sip-protocol
Audit docs: docs/security/
Best regards,
[Name]
SIP Protocol Team

AuditorCryptoPrivacyZKCostTimelineFit
Trail of BitsA+AA$$$6-8wExcellent
Least AuthorityAA+B$$4-6wExcellent
ZellicAB+A+$$3-5wExcellent
OpenZeppelinBBB$$$4-6wGood
ConsensysBBB$$4-6wGood
NCC GroupABB$$4-6wGood
Code4renaBCC$2-3wModerate

Legend: A+ = Exceptional, A = Strong, B = Adequate, C = Limited Cost: $ = <$40k, $$ = $40-80k, $$$ = >$80k