OtterSec
- Name: OtterSec
- URL: https://osec.io/
- Category: smart-contract security / multichain audit firm / formal-verification and verifiable-build tooling / security-research infrastructure
- Tags: solana-ecosystem
- Summary: OtterSec is a real security-engineering shop with tooling behind the audit brand. The note matters because the firm combines broad audit work with public research, Solana verification infrastructure, and verified-build tooling instead of stopping at client-service copy.
- What it does:
- Performs blockchain security reviews and smart-contract audits for protocols, wallets, foundations, exchanges, and infrastructure teams across multiple chains
- Publishes public exploit research, security tutorials, and protocol-specific engineering writeups spanning Solana, zkVMs, ERC-4337, Aptos, Cosmos, browser security, and software supply-chain risks
- Maintains open-source security tooling and verification infrastructure including Solana verified-build tooling, an onchain verification program, reverse-engineering utilities, and challenge/testing frameworks
- Contributes to the Solana verified-builds ecosystem through repositories and documentation that help users confirm deployed programs match public source code
- Positions itself as a hands-on security partner for major ecosystem teams rather than a narrowly packaged SaaS scanner or bug-bounty marketplace
- Key claims:
- The homepage says OtterSec has secured more than 1B in vulnerabilities while working with major ecosystems and applications across Solana, Sui, Aptos, Circle, LayerZero, Wormhole, MetaMask, PancakeSwap, Jito, Backpack, and others
- The homepage frames OtterSec around deep multichain expertise, communication-heavy audit work, and credibility with core ecosystem infrastructure rather than only one-off contract reviews
- The public blog index is unusually high-signal because it shows a steady stream of first-party exploit research and technical education across smart contracts, verification, virtual machines, authentication, browser bugs, and supply-chain security
- OtterSec’s 2023 formal-verification case-study post says the team built a prototype for formally verifying security-critical properties of Solana programs, integrating with Anchor and the Kani Rust Verifier to express and check instruction/account invariants
- The solana-verifiable-build repository says verified builds ensure deployed Solana programs match public source code and documents workflows for repo-based verification plus remote-job submission, making OtterSec part of the practical verification pipeline rather than only an external reviewer
- The otter-verify repository documents an onchain Solana program and PDA-based verification data flow for verifying deployed programs, reinforcing that OtterSec also ships verification infrastructure rather than only audit reports
- Whitepaper: No canonical OtterSec whitepaper or litepaper surfaced in this pass. The clearest current sources of truth are the homepage, public research blog, public reports index, GitHub organization, and the verified-build / onchain-verification repositories; see ../whitepapers/ottersec-primary-sources-2026-04-28.md.
Internal linkages
- Best upward reads: trail-of-bits, runtime-verification, and sec3.
Control surface
- The leverage sits in verified-build policy, what the firm chooses to formalize for Solana and adjacent stacks, and how much downstream teams rely on OtterSec’s tooling and reports during launches and upgrades.
- Keep it as a tooling-heavy multichain security note with a real Solana center of gravity, not as a generic audit-market directory entry.
Sources:
- https://osec.io/
- https://osec.io/blog/
- https://osec.io/blog/2023-01-26-formally-verifying-solana-programs/
- https://osec.io/reports
- https://github.com/otter-sec
- https://raw.githubusercontent.com/otter-sec/solana-verifiable-build/master/README.md
- https://raw.githubusercontent.com/otter-sec/otter-verify/master/README.md
Last reviewed: 2026-05-31 UTC