Sec3
- Name: Sec3
- URL: https://sec3.dev/
- Category: Solana security / formal-methods-heavy audit firm / static-analysis tooling / public report archive
- Tags: solana-ecosystem
- Summary: Sec3 is a real Solana security shop with tooling behind the audit brand. The note matters because it ships static analysis, IDL-recovery tooling, and a public report archive instead of stopping at consulting copy.
- What it does:
  - Performs security audits and formal verification, mostly around Solana but with some work across other stacks
  - Ships X-Ray, an open-source static-analysis CLI for Solana programs written in Rust
  - Maintains IDLGuesser for recovering instruction layouts from closed-source Anchor-based Solana programs compiled to sBPF bytecode
  - Publishes public audit reports and ecosystem research, including a Solana security review with vulnerability statistics across engagements
  - Offers launch and post-deployment security support, including nonce and multisig monitoring
- Key claims:
  - The homepage frames Sec3 around “Security for Solana Protocols” and pitches a mix of formal-methods depth and adversarial auditing
  - The homepage claims 200+ protocols secured and names major Solana teams including Solana Foundation, Solana Labs, Jupiter, Wormhole, Kamino, Raydium, Orca, Metaplex, Helium, and Bonk
  - The X-Ray repository describes a CLI that parses Rust Solana programs, lowers them into LLVM IR, and applies static-analysis rules to detect bug and security patterns
  - The public sec3-service/reports repository exposes a long audit history, which is better evidence than marketing blurbs
  - The 2025 Solana Security Ecosystem Review says Sec3 analyzed 163 security reviews with 1,669 recorded vulnerabilities and found issues in 99.4% of audits reviewed
- Whitepaper: No canonical Sec3 whitepaper or litepaper surfaced in this pass. The clearest current sources of truth are the official homepage, ecosystem report, public audit-reports repository, and public tooling repositories; see ../whitepapers/sec3-primary-sources-2026-04-28.md.
Internal linkages
- Best upward reads: ottersec, certora, and trail-of-bits.
Control surface
- The practical leverage sits in rule coverage, closed-source program recovery, report publication, and whatever Sec3 chooses to monitor or formalize for downstream Solana teams.
- Keep it as a strong Solana-specialist security note, not as a universal security anchor.
- Sources:
- Last reviewed: 2026-05-31 UTC