All articles
solanasecurityauditsskynettooling

CertiK: audits, Skynet scores, and Token Scan for Solana builders

CertiK is the large Web3 security platform behind smart-contract audits, formal-verification heritage, Skynet project scores, Solana Token Scan, KYC, and CertiK Hunt. What it is for Solana teams — and what a badge does not mean.

Share
devrels.xyz/a/148short link

In crypto, "we got audited" is still treated like a finished sentence. It is not. Security is a lifecycle: design review, code review, deployment hygiene, continuous monitoring, and a place for researchers to report issues after launch. CertiK (@CertiK) is the largest pure-play Web3 security brand built around that full lifecycle — formal-verification DNA, commercial audits, public Skynet scores, token scanners, and a newer researcher marketplace.

For Solana builders the question is practical: when do you buy a CertiK engagement, when do you just pull a Skynet score or Token Scan, and what does none of that actually prove?

Who CertiK is

CertiK markets itself as the largest blockchain security auditor / Web3 security platform, combining formal verification with human audits and productized monitoring. Founding roots sit in academic formal methods (the company's long-standing pitch is that mathematical proof techniques plus manual review beat either alone). Clients span L1s, DeFi, wallets, CEXs, and consumer apps — the homepage client wall runs from major exchanges and L1s through wallets and consumer crypto brands.

Public communication is split across three X handles worth following for different jobs:

The product map

Think in three layers rather than "they do audits":

  • Engagements (paid, human-led). Smart contract / program audits, penetration testing, proof-of-reserves style work, and specialized reviews (including grey-box audits that spin up attack infrastructure and runtime tests against live validator-like setups). Formal verification is still part of the heritage pitch, applied where the model fits.
  • Skynet (skynet.certik.com). A public, multi-factor security scoring and intelligence portal covering projects, exchanges, and wallets — on the order of 14,500–17,000+ scored entities depending on which CertiK surface you read. Leaderboards show trending projects, recently audited listings, team-verified (KYC) badges, and wallet/exchange rankings. Solana shows up as a major ecosystem slice; names like Jito and Pump.fun appear as scored projects; Phantom appears on wallet boards.
  • Self-serve and continuous tools. Token Scan (address-level risk checks — CertiK launched it with a Solana focus for fast memecoin launches), team verification, fundraising and unlock calendars, Skynet reports (markets, policy, fraud), and agent-facing pieces (SkyInsights / Skylens style wallet and forensics tooling, plus MCP-oriented integrations so agents can pull scores and screening into workflows).

In July 2026 CertiK announced CertiK Hunt — an invite-only platform for elite researchers: bug bounty programs, audit competitions, and AI security challenges in one place. That is the post-deploy researcher loop, not a replacement for a pre-launch audit.

What Solana builders actually do with it

Solana program security is its own skill set (Rust, Anchor, account constraints, CPI, Token-2022 extensions). CertiK is one of the large multi-chain firms that will take Solana work; it is not the only firm, and it is not Solana-only. A sane builder path looks like:

  1. During design / private testnet — threat model your program yourself; write property tests; use local tools (see our LiteSVM and verified builds pieces). CertiK is optional this early unless you are raising with a committed auditor slot.
  2. Pre-mainnet with real money — commission a program audit (CertiK or a Solana-specialist shop). Scope matters: IDL-level interfaces, upgrade authorities, admin keys, oracle assumptions, and economic attacks — not only "reentrancy style" checklists that do not map cleanly to Solana.
  3. Launch packaging — publish the report; list or boost on Skynet if partners or CEXs care about the score; run Token Scan on mint addresses for community self-checks (especially if you are in meme / consumer launch territory).
  4. After launch — keep upgrade paths locked or multisig'd; watch @CertiKAlert-class feeds for ecosystem incidents; consider Hunt / bug bounty once TVL justifies the surface.

If you are an integrator rather than a protocol author — wallet, frontend, agent — Skynet scores and Token Scan are the free/public layer: use them as signals, never as sole allowlist logic. A high letter grade is multi-factor (code quality, ops, market, governance inputs depending on the product), not a mathematical proof that funds are safe.

What a CertiK badge is not

  • Not a warranty. Audited protocols still get exploited — new code paths, economic design, oracle failure, key compromise, or issues outside scope.
  • Not free of marketing noise. Projects buy audits partly for legitimacy. Read the report: severity list, fixed vs acknowledged, and whether the audited commit matches what is deployed.
  • Not a Solana-only specialty firm. For deep Anchor/Pinocchio edge cases, many teams dual-source: one large multi-chain firm (CertiK et al.) plus a Solana-native reviewer.
  • Skynet ≠ audit. Continuous scores update as data changes; they do not re-audit every commit for free.

Related on devrels

Resources

TL;DR

  • CertiK = large multi-chain security platform: audits + formal methods heritage + Skynet continuous scores + scanners + Hunt bounties.
  • Solana builders use Token Scan early, program audits before TVL, Skynet for public signaling, Hunt/alerts after launch.
  • Treat every badge and score as evidence, not a guarantee — verify deployed programs, authorities, and post-deploy monitoring yourself.

Keep reading

Get new articles in your inbox

Technical deep-dives on Solana tooling, infrastructure, and ecosystem. No noise.