Book a review →
QA for Web3 · DeFi · GameFi · infrastructure

Your smart contract is audited. Your app still leaks funds.

Contract audits check the chain. They don't check the swap flow, the approval that over-permits, the WebSocket price feed that lies under load, or the API endpoint that lets anyone bypass your limits. I do. Before your users find out the hard way.

loadfault — audit-run · dapp-frontend + api
run audit --target dapp.example.xyz --scope full → mapping user flows ......... 14 flows ✓ wallet connect / disconnect ... ok ✗ [CRITICAL] approve() grants unlimited allowance by default ✗ [CRITICAL] /api/v2/order — rate limit bypass via header spoof ⚠ [HIGH] price feed desync under 200 concurrent WS clients ⚠ [MED] tx signature request shows wrong chain on network switch → generating report with reproduction steps ... ✓ report ready · 2 critical · 3 high · 5 medium
The gap nobody covers

A contract audit is not a product audit.

Most exploits that reach users aren't broken Solidity. They're broken flows, sloppy approvals, and infrastructure that falls apart the moment real traffic hits it. That's the layer between your contract and your user — and it's usually shipped untested.

FUNDS AT RISK

Over-permissioned approvals

The frontend asks for unlimited allowance when it needs an exact amount. One compromised contract later, wallets drain.

FUNDS AT RISK

API limits that don't hold

Header spoofing, param tampering, missing auth on a single endpoint — the bypass that lets one actor abuse the whole platform.

BREAKS UNDER LOAD

Feeds that lie at scale

Your price WebSocket is perfect with one client and desynced with two hundred. Users trade on stale numbers. You eat the difference.

SILENT FAILURE

Wrong-chain signing

Network switch mid-session, the sign prompt still points at the old chain. Best case, confusion. Worst case, a transaction on the wrong network.

Fixed scope · fixed price · no surprise invoices

Three ways to work together.

You know the cost before we start. Every audit ships a severity-graded report with reproduction steps, and the automated tests are yours to keep.

SMOKE AUDIT
$500
3–4 days · pre-launch check
  • Critical user flows: connect, swap, approve, sign
  • Endpoint bypass & auth spot-checks
  • Price-feed consistency sanity pass
  • Severity-graded PDF report
Start here →
QA RETAINER
$1,200 / mo
ongoing · every release
  • Regression pass on each deploy
  • Continuous feed & load monitoring
  • Priority turnaround on hotfixes
  • Monthly risk summary
Talk retainer →
How a run works

From "here's our app" to "here's what will hurt you."

01

Written intake — no call

You send the app link and a short brief on where the money moves. I reply with the exact surface I'll test — which flows, endpoints and feeds — and a fixed price. All in writing, so scope is locked before we start.

02

Flow mapping

I map every path a user's funds can take and every request the app makes. This is where most of the dangerous gaps first show up.

03

Attack & load

Endpoint tampering, approval inspection, wrong-chain checks, then concurrency and load on the parts that break quietly at scale.

04

Report you can act on

Each finding: severity, impact in plain terms, exact reproduction steps. Not a wall of noise — a prioritized list of what to fix first.

Who's behind it

QA automation, aimed at the Web3 stack.

I build and break high-concurrency systems for a living — Selenium & Playwright automation, API testing, WebSocket data pipelines, and load testing where thousands of events per second is normal. I run my own trading infrastructure across ten chains, so on-chain flows, wallet interactions and exchange APIs aren't theory to me — they're the thing I debug every day. Loadfault points that toolkit at your product.

API bypass
Found a real rate-limit bypass on a live blockchain platform
10 chains
Multi-chain wallet & balance tooling in production
High-load
WebSocket & concurrency testing as a core specialty
Testnet
Hands-on with emerging L1/L2 testnets
Limited slots — I take a small number of audits at a time

Find the leak before your users do.

Start with a free smoke test on one critical flow. If it's clean, you get peace of mind. If it isn't, you just avoided a very expensive week.

Fully async. Send your app + scope by email, get a written plan back. No calls required.