CertiK: audits, Skynet scores, and Token Scan for Solana builders
CertiK is the large Web3 security platform behind smart-contract audits, formal-verification heritage, Skynet project scores, Solana Token Scan, KYC, and CertiK Hunt. What it is for Solana teams — and what a badge does not mean.
devrels.xyz/a/148short linkIn crypto, "we got audited" is still treated like a finished sentence. It is not. Security is a lifecycle: design review, code review, deployment hygiene, continuous monitoring, and a place for researchers to report issues after launch. CertiK (@CertiK) is the largest pure-play Web3 security brand built around that full lifecycle — formal-verification DNA, commercial audits, public Skynet scores, token scanners, and a newer researcher marketplace.
For Solana builders the question is practical: when do you buy a CertiK engagement, when do you just pull a Skynet score or Token Scan, and what does none of that actually prove?
Who CertiK is
CertiK markets itself as the largest blockchain security auditor / Web3 security platform, combining formal verification with human audits and productized monitoring. Founding roots sit in academic formal methods (the company's long-standing pitch is that mathematical proof techniques plus manual review beat either alone). Clients span L1s, DeFi, wallets, CEXs, and consumer apps — the homepage client wall runs from major exchanges and L1s through wallets and consumer crypto brands.
Public communication is split across three X handles worth following for different jobs:
- @CertiK — company, product launches, audit announcements.
- @CertiKCommunity — Skynet product surface and scores.
- @CertiKAlert — incident and scam signal feed.
The product map
Think in three layers rather than "they do audits":
- Engagements (paid, human-led). Smart contract / program audits, penetration testing, proof-of-reserves style work, and specialized reviews (including grey-box audits that spin up attack infrastructure and runtime tests against live validator-like setups). Formal verification is still part of the heritage pitch, applied where the model fits.
- Skynet (skynet.certik.com). A public, multi-factor security scoring and intelligence portal covering projects, exchanges, and wallets — on the order of 14,500–17,000+ scored entities depending on which CertiK surface you read. Leaderboards show trending projects, recently audited listings, team-verified (KYC) badges, and wallet/exchange rankings. Solana shows up as a major ecosystem slice; names like Jito and Pump.fun appear as scored projects; Phantom appears on wallet boards.
- Self-serve and continuous tools. Token Scan (address-level risk checks — CertiK launched it with a Solana focus for fast memecoin launches), team verification, fundraising and unlock calendars, Skynet reports (markets, policy, fraud), and agent-facing pieces (SkyInsights / Skylens style wallet and forensics tooling, plus MCP-oriented integrations so agents can pull scores and screening into workflows).
In July 2026 CertiK announced CertiK Hunt — an invite-only platform for elite researchers: bug bounty programs, audit competitions, and AI security challenges in one place. That is the post-deploy researcher loop, not a replacement for a pre-launch audit.
What Solana builders actually do with it
Solana program security is its own skill set (Rust, Anchor, account constraints, CPI, Token-2022 extensions). CertiK is one of the large multi-chain firms that will take Solana work; it is not the only firm, and it is not Solana-only. A sane builder path looks like:
- During design / private testnet — threat model your program yourself; write property tests; use local tools (see our LiteSVM and verified builds pieces). CertiK is optional this early unless you are raising with a committed auditor slot.
- Pre-mainnet with real money — commission a program audit (CertiK or a Solana-specialist shop). Scope matters: IDL-level interfaces, upgrade authorities, admin keys, oracle assumptions, and economic attacks — not only "reentrancy style" checklists that do not map cleanly to Solana.
- Launch packaging — publish the report; list or boost on Skynet if partners or CEXs care about the score; run Token Scan on mint addresses for community self-checks (especially if you are in meme / consumer launch territory).
- After launch — keep upgrade paths locked or multisig'd; watch @CertiKAlert-class feeds for ecosystem incidents; consider Hunt / bug bounty once TVL justifies the surface.
If you are an integrator rather than a protocol author — wallet, frontend, agent — Skynet scores and Token Scan are the free/public layer: use them as signals, never as sole allowlist logic. A high letter grade is multi-factor (code quality, ops, market, governance inputs depending on the product), not a mathematical proof that funds are safe.
What a CertiK badge is not
- Not a warranty. Audited protocols still get exploited — new code paths, economic design, oracle failure, key compromise, or issues outside scope.
- Not free of marketing noise. Projects buy audits partly for legitimacy. Read the report: severity list, fixed vs acknowledged, and whether the audited commit matches what is deployed.
- Not a Solana-only specialty firm. For deep Anchor/Pinocchio edge cases, many teams dual-source: one large multi-chain firm (CertiK et al.) plus a Solana-native reviewer.
- Skynet ≠ audit. Continuous scores update as data changes; they do not re-audit every commit for free.
Related on devrels
- Verified program builds — prove the deployed binary matches source.
- LiteSVM — fast local program tests before you pay for a human audit.
- Squads multisig — operational security for upgrade authorities after the audit.
Resources
- Site: certik.com
- Skynet: skynet.certik.com · Token Scan under /tools/token-scan
- X: @CertiK · @CertiKCommunity · @CertiKAlert
TL;DR
- CertiK = large multi-chain security platform: audits + formal methods heritage + Skynet continuous scores + scanners + Hunt bounties.
- Solana builders use Token Scan early, program audits before TVL, Skynet for public signaling, Hunt/alerts after launch.
- Treat every badge and score as evidence, not a guarantee — verify deployed programs, authorities, and post-deploy monitoring yourself.
Keep reading
Every general explorer shows you transactions. ProgramWatch shows you the things you actually want to know about a program before you CPI into it — upgrade authority, freeze status, verified build, IDL availability.
The fastest Solana vanity grinder just made its slow path fast. v0.8.0 batches ed25519 keygen 8 lanes wide with AVX-512 IFMA on CPU and rebuilds the OpenCL keypair kernels — Montgomery batch inversion, a radix-32 comb for fixed-base scalarmult, fused base58 early-reject. Real signable vanity keypairs at 65M/s per 4090.
Every EVM developer hits this wall: on Ethereum you inline a function signature string and call the contract; on Solana you're handed a JSON IDL and told to run a code generator. The gap is real, it has a structural reason, and the tooling has quietly caught up. A field guide to IDLs, Codama, and the account model that makes inline ABIs impossible.
Get new articles in your inbox
Technical deep-dives on Solana tooling, infrastructure, and ecosystem. No noise.
