Category: smart-contract security firm / public audit-report and vulnerability-disclosure infrastructure / blockchain cybersecurity research
Summary: iosiro is better cataloged as blockchain security research infrastructure than as a plain audit boutique. In this pass, the clearest first-party evidence came from the official site, the smart-contract-auditing service page, the public audit archive, and first-party vulnerability disclosures involving Across and OpenZeppelin UUPS proxies. Taken together, those materials show a firm that does not just sell private reviews: it also maintains a reusable public audit corpus and publishes technically detailed incident writeups that document real-world protocol failures, remediation timelines, and exploit mechanics for the broader ecosystem.
What it does:
Performs smart-contract audits and broader cybersecurity work, with the official site prominently featuring blockchain and smart-contract security services
Maintains a public archive of audit reports covering live crypto protocols and applications including Wormhole, Nexus Mutual, Synthetix, Infinex, Kwenta, and others
Publishes technical vulnerability disclosures and postmortem-style research explaining exploit conditions, affected code paths, and mitigations
Positions its team as hands-on security researchers rather than only report writers, with disclosures tied to concrete protocol incidents and bounty outcomes
Uses the audit archive and disclosure blog together as a public knowledge surface that other builders can learn from even when they are not direct clients
Key claims:
The homepage prominently markets smart-contract auditing and highlights featured crypto audit reports as a core part of the company’s public surface
The smart-contract-auditing page says iosiro identifies functional and security issues in smart contracts and provides comprehensive reports meant to verify that the code functions as intended
The public audits index shows a continuing stream of crypto audit reports across 2024-2026 for projects such as Wormhole, Nexus Mutual, Synthetix, Infinex, Kwenta, and Paravel Citadel DAO
The Across bridge disclosure says an iosiro researcher identified a high-risk vulnerability in Across relayer infrastructure that could have enabled a double-spend condition, and that Risk Labs awarded iosiro a $90,000 bounty after remediation
The UUPS disclosure says iosiro research into arbitrary delegatecall behavior helped prevent more than $50 million in losses across affected projects and contributed to the broader response around the OpenZeppelin UUPS proxy vulnerability
The same disclosure explicitly connects iosiro’s work to ecosystem-wide library and deployment risk, which is a stronger signal of public security-research infrastructure than a normal one-off client audit
Whitepaper: No canonical standalone iosiro whitepaper or litepaper surfaced in this pass. The clearest current sources of truth were the official site, the smart-contract-auditing page, the audit archive, and first-party vulnerability disclosures; see ../whitepapers/iosiro-primary-sources-2026-05-04.md.