An exhaustive state-space verification oracle to harden your security stack.
function withdraw(uint amt) {
    require(balance[user] >= amt);
    // sent before the balance is updated
    // if this crashes, the balance is never updated
    user.call{value: amt}("");
    balance[user] -= amt;
}
We offer model-driven security audits. RedMirror models your critical subsystems as state machines and exhaustively explores every reachable state, returning either a concrete, reproducible vulnerability (the exact path that triggers it) or, when none surfaces, a precise account of what was checked and how far. Coverage spans nine languages and smart contracts.
RedMirror lifts your source into a tree of every reachable code path, lays your business logic over that tree as invariants, then walks the entire state space breadth-first, hunting for a path that breaks one. When it finds the attack path (traced in red above), it does not merely flag a line: it returns the exact sequence of transitions that drives the system into the illegal state and replays it as a concrete, reproducible counterexample. When no such path exists within the budget, that exhaustion is itself the proof.
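A minimal sketch of that search applied to the withdraw() function above, added here as an illustration (it is not RedMirror's code or API). Assumptions: the state tuple, the constants, the "never paid more than deposited" invariant, unchecked uint256 arithmetic, and the `effects_first` switch that models updating the balance before the call.

```python
from collections import deque

DEPOSIT, VAULT, MAX_DEPTH = 1, 3, 3   # constructed values: user's deposit, contract ether, re-entry budget
WORD = 2**256                          # assumption: unchecked uint256 arithmetic (wraps, no revert)

def transitions(state, effects_first):
    """Yield (label, next_state); state = (ledger, vault, paid, frames)."""
    ledger, vault, paid, frames = state
    # Enter withdraw(1) at top level or from the callee's fallback during the call.
    if len(frames) < MAX_DEPTH and ledger >= 1 and vault >= 1:
        new_ledger = ledger - 1 if effects_first else ledger
        yield "withdraw(1)", (new_ledger, vault - 1, paid + 1, frames + (1,))
    # Innermost external call returns; the page's ordering subtracts only here.
    if frames:
        new_ledger = ledger if effects_first else (ledger - frames[-1]) % WORD
        yield "return", (new_ledger, vault, paid, frames[:-1])

def invariant(state):
    """Business rule: the user is never paid more than they deposited."""
    return state[2] <= DEPOSIT

def check(effects_first):
    """Breadth-first search of every reachable state.
    Returns (shortest violating trace or None, number of states visited)."""
    start = (DEPOSIT, VAULT, 0, ())
    parent = {start: None}
    queue = deque([start])
    while queue:
        state = queue.popleft()
        if not invariant(state):
            trace = []
            while parent[state] is not None:
                state, label = parent[state]
                trace.append(label)
            return trace[::-1], len(parent)
        for label, nxt in transitions(state, effects_first):
            if nxt not in parent:
                parent[nxt] = (state, label)
                queue.append(nxt)
    return None, len(parent)

if __name__ == "__main__":
    print("call before update:", check(effects_first=False))
    print("update before call:", check(effects_first=True))
```

With the page's ordering the search returns the two-step trace in which withdraw is re-entered before the first call returns; with the balance updated first, the whole bounded state space is visited without a violation.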
Fixes and findings RedMirror surfaced in major OSS projects:
Beyond the public fixes above, many findings have been disclosed privately through HackerOne, Bugcrowd, and Cantina.xyz, on programs including Polymarket, Mattermost, and Reserve Governor, among many others.
Tell us what you want verified. We will reply to set up a session.