RedMirror_

Affordable code security scans. Pay Only After Results.

your code
contract Vault {
    mapping(address => uint) public balance;

    function withdraw(uint amt) public {
        address payable user = payable(msg.sender);
        require(balance[user] >= amt);
        user.call{value: amt}("");
        balance[user] -= amt;
    }
}
RedMirror
contract Vault {
    mapping(address => uint) public balance;

    function withdraw(uint amt) public {
        address payable user = payable(msg.sender);
        require(balance[user] >= amt);
        user.call{value: amt}("");   // sent before the balance is updated
        balance[user] -= amt;
    }
}

RedMirror models your critical subsystems as state machines and exhaustively explores every reachable state, returning either a concrete, reproducible vulnerability — the exact path that triggers it — or, when none surfaces, a precise account of what was verified and how far. Across nine languages and smart contracts.

Book a discovery call

No upfront cost — you pay only if the findings are worth it.

How it works

  1. Book a discovery call

     A short call to understand your stack and agree on what matters most.

  2. Share your code

     Grant read access to the repositories or subsystems in scope.

  3. We scan the code

     RedMirror models each subsystem and explores its full state space.

  4. Receive a report

     Every finding ships with a concrete, reproducible attack path.

  5. Pay if satisfied

     No upfront cost. You pay only when the results are worth it.

  6. Bug fix (optional)

     We can patch each finding and re-verify that the fix holds.

Under the hood

1 · lift every code path
2 · explore rules over the state tree (invariant: balance ≥ 0; violating state: balance < 0)
3 · refute counterexample path (✗ refuted · balance ≥ 0)

Counterexample path:
  1 withdraw(amt)
  2 ↳ external call reenters
  3 withdraw(amt)
  4 balance -= amt
  5 balance < 0
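To make the three stages above concrete for the withdraw snippet at the top of the page, here is an added example that is not RedMirror's own engine: a small bounded state-space explorer in Python. It models withdraw() as an abstract three-step program (check, external call, balance update), lets the external call either return or re-enter withdraw() up to a chosen depth, breadth-first explores every reachable state, and checks the invariant balance ≥ 0. The VULNERABLE ordering, the HARDENED (checks-effects-interactions) ordering, the depth bound and the step labels are all assumptions of this model; a violation is returned as the concrete step sequence that reaches it, and an exhausted search with no violation is reported together with the number of states covered.

```python
"""Bounded exploration of a withdraw() state machine (illustrative model).

Assumed model: a transaction is a stack of withdraw() frames, each a
(program counter, amount) pair. The external call may return or re-enter
withdraw() while the balance is still un-updated; the invariant checked
is that the accounting balance never goes below zero.
"""
from collections import deque

# Step order is the whole difference between the page's snippet and its fix.
VULNERABLE = ("check", "call", "effect")   # external call before balance update
HARDENED = ("check", "effect", "call")     # balance updated before external call


def successors(program, state, max_depth):
    """Yield (label, next_state) for every move the top withdraw() frame can make."""
    balance, frames = state
    pc, amt = frames[-1]
    below = frames[:-1]
    if pc == len(program):
        yield "withdraw returns", (balance, below)
        return
    op = program[pc]
    if op == "check":
        if balance >= amt:
            yield f"require(balance >= {amt}) passes", (balance, below + ((pc + 1, amt),))
        else:
            # require() fails: this frame reverts. The caller's .call return
            # value is unchecked (as in the page's snippet), so the caller carries on.
            yield f"require(balance >= {amt}) fails, withdraw reverts", (balance, below)
    elif op == "effect":
        yield f"balance -= {amt} -> {balance - amt}", (balance - amt, below + ((pc + 1, amt),))
    elif op == "call":
        resumed = below + ((pc + 1, amt),)   # caller resumes after the callee returns
        yield "external call returns", (balance, resumed)
        if len(frames) < max_depth:
            # the recipient is a contract whose receive() calls withdraw() again
            yield "external call re-enters withdraw()", (balance, resumed + ((0, amt),))


def trace(parent, state):
    """Rebuild the step labels from the initial state to `state`."""
    steps = []
    while parent[state] is not None:
        prev, label = parent[state]
        steps.append(label)
        state = prev
    return list(reversed(steps))


def explore(program, balance, amt, max_depth=3):
    """Breadth-first search over reachable states.

    Returns (counterexample_steps, states_explored); counterexample_steps is
    None when no state with balance < 0 is reachable within the depth bound.
    """
    start = (balance, ((0, amt),))
    parent = {start: None}
    queue = deque([start])
    while queue:
        state = queue.popleft()
        bal, frames = state
        if bal < 0:                       # invariant balance >= 0 violated
            return trace(parent, state), len(parent)
        if not frames:
            continue                      # transaction finished
        for label, nxt in successors(program, state, max_depth):
            if nxt not in parent:
                parent[nxt] = (state, label)
                queue.append(nxt)
    return None, len(parent)


if __name__ == "__main__":
    for name, prog in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        steps, n = explore(prog, balance=1, amt=1, max_depth=3)
        print(f"{name}: {n} states explored")
        if steps is None:
            print("  no reachable state with balance < 0")
        else:
            for i, s in enumerate(steps, 1):
                print(f"  {i} {s}")
```

Running it reproduces the counterexample path drawn above for the vulnerable ordering (withdraw, re-entry, withdraw, two balance updates, balance < 0) and reports an exhausted search for the hardened ordering, because the nested require() now sees the already-reduced balance and reverts. Lowering max_depth to 1 removes re-entry from the model and the vulnerable ordering passes too, which is exactly why the depth bound belongs in the "how far was verified" part of a report.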

Get In Touch

Tell us what you want verified. We will reply to set up a session.

Trusted By

Fixes and findings RedMirror surfaced in major OSS projects:

Beyond the public fixes above, many findings have been disclosed privately through HackerOne, Bugcrowd, and Cantina.xyz, on programs including Polymarket, Mattermost, and Reserve Governor, among many others.