Luna Tong

Why We Acquired Code4rena

How Zellic's acquisition of Code4rena benefits you

A lot of startup news tends to focus on the company or its founders, not the product or its customers. For example: “Company [ABC] is disrupting how you [XYZ]”; “These dropouts want to […]”; and so on. I find that strange. As someone reading the news, why should I care about some random company? That headline seems far removed from me. A more useful headline would be something like, “Next year you’ll be doing XYZ instead of ABC,” which tells me how the news actually affects my life.

So why is the news written that way? There are a few reasons. For one, the name in the headline is good for the company’s brand. It makes the leadership look good to its shareholders. And sometimes, the founders just want to feel special. So a blog post like this one would typically deliver some long spiel about the two companies and how the deal is strategic, creating synergies and value for stakeholders and whatever nonsense. Or some complicated saga about the company ethos, their journey, their culture, etc.

But I’m not going to write about that. Because you don’t care. You want to know how it affects you. So that’s what I’ll tell you. Here is the key point: this acquisition isn’t about Zellic or Code4rena or any of its founders. It’s about you, our clients and Wardens.

For Clients

To our valued clients: first, thank you for choosing Zellic and Code4rena. We like to think we’re the best at what we do, and we’re glad you’re with us. We also believe that we can do even better. The reason lies in the fundamental nature of our respective audits, which I’ll describe shortly.

But first, a word for Code4rena’s Wardens.

For Wardens

To our trusted Wardens: Thank you. Code4rena is only possible due to your efforts and your courage. I know how hard it is hunting for bugs independently. I am a security researcher myself. I’ve struggled with impostor syndrome and it sucks. From like 16 to 21 years old, I felt like shit because I felt like I didn’t find the cool bugs my friends and people on Twitter found. When I did find something, I felt untouchable and godlike; when I didn’t, I felt worthless. The emotional rollercoaster of being an independent researcher is just… hard. So thank you for helping us make Web3 safer, and thank you for all of your hard work. We hope you continue your great work with us.

There won’t be any major changes to Code4rena as you currently know it. For the most part, things will stay the same. Code4rena will continue to operate independently, with the existing management and team that you know and trust. We’ll continue to invest in the platform as we always have, and we’ll be rolling out a few key improvements over the next couple of months that were planned before the acquisition.

Now, I’ll discuss how combining Zellic and Code4rena lets us deliver better security than any other audits.

From Audits to Audits+

First, let’s talk about code in general. For any piece of software, there are a few critical security properties that absolutely must hold. For a bridge or a DeFi app, this would be that funds can’t be stolen or that funds can’t be bricked. For a Cosmos chain, this would be that the chain doesn’t halt. For a perps DEX, this would be that users can’t get infinite leverage or intentionally create bad debt. For a wallet, this would be that we’re not logging users’ seed phrases to disk or the cloud. Here is a visual aid:

Now, Zellic’s audits are consultative and time-boxed. We are trying to break your code in catastrophic ways. We’re thinking: How can I steal all the funds? Does your mechanism actually work? What about this or that loophole? We focus on these things because our #1 priority is you not getting hacked. But since our audits are time-boxed, we naturally have less time to enumerate every single possible avenue. We have to allocate our time judiciously and seriously cover the few essential, critical components and attack vectors. Unfortunately, this means we sometimes have to deprioritize low and informational findings, and the non-critical parts of the codebase, in favor of the critical ones.

While we staff our audits with world-renowned researchers and CTF winners, this trade-off has been a consistent pain point for us. We don’t want to have to choose between focusing on the crits or catching every possible issue. Why can’t we have both? After all, our customers deserve that. Whenever we miss anything—even if it’s a low severity finding—we feel just as bad as you do.

That’s where Code4rena comes in. Unlike consultative audits, competitive audits are bounded by the size of the prize pool rather than by a fixed block of auditor time. Rather than a handful of gigachads, you get an entire community of Wardens (independent auditors) who will pick your code apart until it’s clean to the bone. Regardless of the severity or nature of an issue, they will look for it and report it. And that’s not to say that a Code4rena competition won’t catch deep bugs. It does, and “dark horses” (previously unknown auditors who demonstrate immense depth and thoroughness) regularly appear in competitions, outperforming even well-established auditors.

Finally, by pairing a Zellic audit with a Code4rena competition, you get a new hybrid engagement that outclasses any individual audit. First, Zellic comes in to ensure that the priorities are taken care of. Then, a Code4rena competition brings a wide range of coverage for all kinds of potential issues, including not just the critical components but also things like integration and auxiliary contracts. There’s no more tradeoff: clients get the concentrated assurance of a Zellic audit but with the “as many eyes on code as possible” benefits of a competitive audit.

Consultative audits and competitive audits are complementary. They’re not replacements or substitutes. The best security comes from getting both.

Here’s another way to look at it. Here’s what most software development looks like, and how expensive it is to catch bugs at each stage of development.

As you go from earlier to later stages of development, the code is under scrutiny from more and more people. Beginning with just a single code owner, the person originally writing the code, you eventually reach every potential adversary in the world. And of course, the earlier you catch a bug, the cheaper it is. Before, Zellic sat squarely near the middle:

For security-minded projects, the most natural next step after us is a competitive audit. In fact, we were already proactively recommending our clients to do this:

But if you think about it, there’s a lot of inefficiency here. Administering a competitive audit is a lot of work. You have to decide what scope you want reviewed; then you need to provide the Wardens with guidance on what attack vectors to look for; and finally, you have to help judges evaluate all of the findings, which is tremendously laborious. That’s all on top of the ordinary logistical work of sales calls, vendor selection, legal document redlining and signing, invoicing and collecting accounts receivables, KYB, … and on and on. And you have to do this twice for both the consultative audit and the competitive audit.

So the obvious solution here is to combine both these steps into a single, cohesive service, which we call Audits+:

And not only is this more efficient, it gets clients BETTER SECURITY with LESS HASSLE. That’s because our auditors—who already spent days or weeks reviewing the project—know where the most important scope is and what attack vectors to pay attention to. They can guide the Wardens, answer questions, and help review findings, with minimal involvement from the client (who of course is kept in the loop with full visibility the whole time).

In Zellic audits, we always include a detailed threat model exercise, and we document the results in the audit report. These threat models are extremely thorough and outline exactly how the protocol works and what can go wrong. Being able to finish a consultative audit and hand that prep work to a hundred auditors is pretty incredible. When starting a time-boxed audit, you have no idea what you’re in for, or where you might later wish you had more time. In this combination, the time limit on the consultative audit stops being a hard constraint: a structured handoff of the threat model, scope, and open questions turns the consultative auditors’ work into a force multiplier for the competitive audit that follows.

In short: Zellic audits combined with Code4rena competitions are a killer combination that gets our clients better security, more quickly, and more affordably.

Conclusion

Zellic acquired Code4rena for a simple reason: because it will enable us to do better audits for our clients. We’re not going to mess up the platform, we’re not going to suddenly change things up. We just want to do the best audits in the world and treat our auditors fairly, which have been our goals since the very beginning. Thank you all so much.