Auditor × Tooling .
1st place Ronin. Top-10 on four more Code4rena contests. 27 published QA reports.
Blue Eyes Security was built around two things: an auditor who knows what to investigate, and proprietary in-house tooling that makes the investigation scale.
After two years in the contest space, the edge has proven to be the combination of both.
Founded by Auditor_Nate, who has been hunting bugs full-time since July 2024. Body of work includes five top-10 Code4rena contest finishes and 27 published QA reports — produced through Team PolarizedLight, a contest-focused auditing team.
Blue Eyes Security extends that practice into private engagements. Solidity and Rust smart contract audits — including Stellar/Soroban — are the core offering: fixed-scope, manually reviewed, every finding backed by a working proof-of-concept. Engagements concentrate where funds actually break: accounting, precision, and invariant violations — in Solidity and Rust codebases.
Contest findings credited across Phi, Reserve, Ronin, Axelar Network, Chakra, Morpheus, Flex Perpetuals, Virtuals Protocol, Blackhole, Megapot, Concrete, Lambo.win — plus many more across multiple contest platforms. Every finish is produced by Team PolarizedLight↗ and verifiable on the public leaderboard.
Full contest history, rank pages, and QA report links available on Code4rena’s public leaderboard.
View profile ↗Four ways to engage — every one delivered end to end by the same auditor.
Pricing scales with audited lines of code and complexity — you get one fixed quote at scoping, and it does not move after kickoff. Every audit includes one remediation review round within 30 days of report delivery.
A short preparation pass ahead of a full audit: threat-model sketch, assumption map, prioritized pre-audit fix list, and a scope recommendation for the follow-on review — so the audit starts on code that is actually ready for it.
Fixed-scope audit of a contained codebase — a single component, an upgrade, a new feature. Manual review backed by proprietary tooling, severity calibrated against real-world impact, and every High and Medium finding shipped with an executable proof of concept.
The full audit for a protocol heading to mainnet. Everything in the focused review, plus protocol-level invariant analysis — accounting identities, conservation properties, rounding direction discipline — cross-contract interaction review, and a mid-engagement findings call.
Not an audit — a CI-ready invariant test suite your team keeps. Protocol invariants identified, documented in plain English, wired into executable fuzz tests, and handed over with documentation and a walkthrough call.
A hybrid approach: one auditor, proprietary tooling, every finding verified before it ships.
Discovery call — meet both the team and the code. Scope is anchored to a specific commit hash, documentation reviewed, protocol walkthrough done, and a direct communications channel opened between auditor and team.
Manual review and proprietary tooling work the code in parallel. Candidate findings surface from both; the auditor triages every one, investigates leads, and follows threads until the deepest issues are on the table.
Every High and Medium finding must survive an executable proof-of-concept that demonstrates the actual harm — what can’t be demonstrated is downgraded or cut. Severity is calibrated against real-world impact, not theory.
Full report with finding write-ups, reproducible PoCs, and concrete fix guidance. Confirmed Criticals are flagged within 24 hours — never held for the report. One remediation review round included within 30 days of delivery.
Engagements run serially — one codebase gets full attention, then the next. Windows are claimed in order, so the queue position you inquire at is the one you get.