Hashlock Review 2024

Published: February 29, 2024   |   Last Updated: March 21, 2024

The Bottom Line: Hashlock stands out in the blockchain security sector with its focus as a smart contract auditor and in-depth work tailored to each client’s needs. With a team of young yet experienced professionals, Hashlock has established itself as a reputable and trusted partner in the industry.

Their active involvement in the Australian blockchain community, alongside strategic partnerships with educational institutions and government bodies, further underscores their capabilities.

Hashlock’s approach not only identifies vulnerabilities but also provides strategic recommendations for mitigation, ensuring the long-term success and integrity of blockchain projects.

Pros

  • Rigorous manual security research, not just software tools
  • World class clientele, including government & university partnerships
  • Tailored, in-depth client care
  • Supports several smart contract languages

Cons

  • More expensive than some firms that rely mostly on tools
  • Less established than well-known firms such as CertiK and OpenZeppelin
  • More hands-on than other firms, requiring higher project team involvement
4.5

Hashlock Overview

Hashlock is a cybersecurity company focused on web3 and blockchain cybersecurity. They provide a wide range of services for your security needs. This includes automated testing, manual code reviews, testing support, blockchain security education, incident response, on-chain monitoring, and more!

Based in Australia, Hashlock is interested in providing information and tools to the community at large in addition to helping their clients.

| Services | Clients | Headquarters location | Manual or tool audits? | Supported platforms/languages |
|---|---|---|---|---|
| Smart Contract Security Auditing, Corporate Blockchain Security, Ongoing Support including bug bounties and incident response | The Verida Network, RMIT and UNSW, New South Wales Australian Government | Sydney, NSW, Australia | Manual audits, supported by software tools | Rust, Solidity, Haskell/Plutus, Bitcoin L2 |

What Is Hashlock? 

Hashlock is an Australian blockchain security firm that specializes in thorough, manual smart contract auditing and ongoing security services. The company offers its services globally, with a robust list of current and former clients and partners. Most notably, this includes the New South Wales Australian government, Verida Network, Redbelly Network, and more.

Smart contract audits are crucial for ensuring the security and reliability of blockchain applications, meticulously examining the code to identify vulnerabilities, bugs, and security flaws that could potentially be exploited by malicious actors.

By detecting these issues before a smart contract is deployed on the blockchain, audits help to safeguard against potential financial losses, unauthorized access, and other security breaches. Smart contract audits also enhance the trust and confidence of users and investors in the respective protocol, as they demonstrate a commitment to security and due diligence. This proactive approach to security can prevent costly errors and enhance the overall integrity and functionality of dApps.

In a nutshell, Hashlock manually examines existing smart contracts from head-to-toe, to identify any bugs or vulnerabilities. The company formalizes any discovered issues in private reports, as well as directly fixing those bugs.


Hashlock Key Features

Manual auditing

Hashlock manually audits smart contracts, offering a thorough examination and customized approach that automated tools can’t match.

This method leverages the auditor’s experience and critical thinking to anticipate potential attack vectors and adapt to the latest security research, ensuring a comprehensive assessment.

While more time-consuming and costly, the in-depth analysis and educational value provided by manual audits justify the investment for projects prioritizing high security standards.

In-depth correspondence & tailored focus

Hashlock makes a point of getting to know their clients in-depth, tailoring their services to their specific needs and goals.

They are unique in this regard, as many other firms (especially tools-based auditing firms) can often focus on quick turnaround times rather than a thorough and tailored job.

Fixing vulnerabilities

Hashlock ensures that it thoroughly combs the smart contract code both before and after making necessary amendments, in the case that vulnerabilities are found.

This ensures that these vulnerabilities are not only identified, but that the implementations to fix them are also air-tight.

Ongoing support

Hashlock provides much more than just a one-off audit service. The company also excels in a range of ongoing support activities, including pre-launch consulting, auditing, testing, post launch monitoring, bug bounties, incident response, and more.

Protocol teams can receive security assistance at any phase of their project’s lifespan, ensuring that users and stakeholders are protected throughout.

Hashlock Pricing

  • More affordable than leading established firms.
  • More costly than quick, automated competitors.

Hashlock offers an approach to pricing that emphasizes personalized quotes tailored to the specific needs of each client. 

While an exact fee structure isn’t available upfront, Hashlock is committed to providing prospective clients with an estimated quote rapidly, promising a response time as quick as 6 hours and no longer than 24-48 hours after inquiry.

This responsive and customized pricing strategy stands out in the marketplace and suggests a flexible approach compared to other similar products, which may offer more standardized but less tailored fee arrangements. 

Hashlock claims to be more cost effective than the top 5 global firms in the smart contract auditing space, but still on the more expensive end when compared to popular software tool-based alternatives.

Our Expert Review of Hashlock

Most major Hashlock clients request their smart contract auditor services, so let’s get straight to going over what you get with a Hashlock audit.

A typical smart contract audit from Hashlock consists of the following:

Preliminary Phase

Initial Consultation & Project Scoping

The initial stages of Hashlock’s smart contract auditing process begin with an in-depth initial consultation, where the team closely collaborates with the client to fully understand their blockchain application and its unique security requirements. 

This foundational step ensures that Hashlock can tailor their approach to meet the specific needs of the project. 

Following this, the project scoping phase allows Hashlock’s experts to review the client’s code and underlying technology. This review is crucial for accurately defining the scope of the audit or security service, enabling the provision of a detailed quote and a realistic timeline, ensuring a bespoke and efficient audit process.

Preliminary report

Once the team’s been given the green light for undertaking the auditing process, Hashlock will meticulously review the smart contract(s) from head to toe, using both manual and automated methods. This involves both going through a standardized list of checks that apply to most smart contracts, as well as tailored checks that cover all facets of the project at hand.

All findings are formalized in a private preliminary report, containing a detailed breakdown of any vulnerabilities detected in the code – as well as the recommended fixes for them.

The report breaks down how many issues were found in the audit and rates their severity. As shown in the example, issues are broken down into high, medium, or low severity. Here’s an example from one of their public audit reports, for a project called Montage Token:

One cool thing we noticed in this audit was the gas optimizations. These weren’t exploitable flaws in the contract, but rather improvements that Hashlock made to the efficiency of the smart contract. 

This is a great indication that the company goes above and beyond their duties of simply fixing bugs in the code.

Revision Phase

Re-audit 

Rather than giving the contract code a once-over, Hashlock has standardized its process to provide a thorough code review at least twice: once to discover the initial vulnerabilities, and then another time (or more, if necessary) to ensure any fixes have been implemented correctly.

Final Audit Report

The finalized outcome is then published in a final audit report, which can be made public at the client’s discretion. This is presented along with a summary and an overall rating, showing the degree of safety that the finalized smart contract should uphold.

Hashlock assures their clients that all detected vulnerabilities will be fixed so that the project is secure going forward.

Beyond the Smart Contract Audit: Ongoing Support

In addition to smart contract audit services, Hashlock boasts a list of ongoing support options, including: 

  • Pre-launch consulting – Strategic advice on project development before an official launch, ensuring that the architecture and design stick to best practices and are optimized for security and efficiency. 
  • Testing – Executing smart contracts under controlled conditions to evaluate their behavior and performance. 
  • Post-launch monitoring – Continuous surveillance of smart contract activity and blockchain operations to detect and respond to anomalies, potential security threats, or inefficiencies. 
  • Bug bounties – Programs that offer rewards to individuals who find and report bugs or vulnerabilities in a project’s code. 
  • Incident response – An organized approach to addressing and managing the aftermath of a security breach or attack. 
  • Upgradeable security – Strategies and implementations that allow smart contracts to be updated in response to evolving security challenges and technological advancements. 

Engaging Hashlock for these services not only brings in specialized knowledge and tools but also adds an additional layer of credibility and assurance for investors, users, and partners, showcasing the project’s commitment to security and quality.

Overall, it appears that the company makes a deep and genuine effort to understand their client’s mission and needs in depth, rather than performing just a surface-level smart contract check. This includes getting to know the client and project in detail, as well as their hesitations and what they aim to get out of the audit.

This also allows Hashlock to provide a tailored and mission-oriented quote for their services, to ensure they tackle all of the right issues.

Customer Service

Customer service appears to be excellent for Hashlock, even for general inquiries. I was able to submit a question about supported smart contract platforms and languages using the “Contact Us” form on the Hashlock website, and managed to receive a perfect reply within just over 20 minutes – from the executive BDM himself.


If the contact form isn’t your style, the company also provides a direct email address, as well as an Australian telephone number.

Who’s Hashlock For?

Hashlock’s services are designed for serious blockchain-based developers and dApp projects, who are seeking to beef up their security and reputation.

Here are some project and client types that would be suitable for using Hashlock:

1. Blockchain developers and dApp projects pre-launch

Developers and teams in the process of building blockchain-based applications or services that have not yet been launched, focused on ensuring their smart contracts are secure before going live.

Hashlock’s auditing services are helpful for these clients to iron out any vulnerabilities and improve the security of their code. By addressing these issues pre-launch, projects can enhance community trust and participation, ensuring a smoother and more successful launch. 

2. Existing blockchain projects post-launch

Projects that have already launched and have active smart contracts managing real funds already have higher stakes, as any vulnerabilities could immediately lead to financial losses.

An audit wouldn’t just help in securing these projects, but also play a significant role in boosting community trust and attracting more users. Hashlock’s ability to provide on-chain monitoring and faster incident response further enhances the resilience of these projects.

3. Large-scale blockchain enterprises

Large projects or enterprises seeking comprehensive blockchain solutions and security are heavily invested in the blockchain space and require thorough, manual audits to ensure the highest level of security and efficiency.

Given the complexity and scale of their operations, large-scale enterprises benefit from Hashlock’s in-depth manual audits and ongoing support. The company’s services, including industry research, on-chain monitoring, and extensive testing, are tailored to minimize risks and increase transparency.

Who’s it Not For?

1. Small-scale projects seeking quick validation

Small projects involving small NFT collections or simple tokens that are looking for a rapid audit, often to gain a basic level of validation, are most likely not suited for Hashlock audits and services.

Hashlock’s comprehensive and intensive manual audit process, designed for in-depth analysis and detailed reporting, does not align with the needs of these projects. 

The detailed nature of the company’s audits, focusing on thorough vulnerability identification and resolution, may be more extensive and time-consuming than what these projects require or can afford.

2. Projects with incomplete code

Projects that are still in the development phase and have not finalized their code are also likely poor candidates for seeking Hashlock audits.

Hashlock specializes in reviewing completed code to identify and rectify vulnerabilities, and is not primarily seeking to offer services for completing or developing smart contracts from an incomplete state.

Projects in need of development assistance rather than just auditing would need to look elsewhere, as Hashlock focuses solely on security auditing of ready-to-review codebases.

Hashlock Alternatives

Hashlock vs. Hacken

Both firms employ the latest technological advancements and provide extensive client support beyond the audit, catering to clients seeking long-term partnerships.

Hashlock sets itself apart from Hacken by employing tailored auditing techniques and catering more to clients seeking customized solutions.

In contrast, Hacken is a more established company with a broader service offering, specialized teams for each blockchain security domain, and recognized contributions to auditing standards.

| Feature | Hashlock | Hacken |
|---|---|---|
| Auditing Techniques | Advanced static and dynamic analysis, formal verification | Advanced static and dynamic analysis, line-to-line review |
| Solutions | Tailored to project needs | Comprehensive, efficient, & standardized |
| Support | Long-term partnership and ongoing support | Client portal, partnership benefits |
| Overall Approach | Comprehensive and customized | Layered risk mitigation |

Hashlock vs. CertiK

CertiK is another key player in the smart contract auditor space, with its own unique strengths. 

Hashlock excels through its use of advanced auditing techniques that blend advanced static and dynamic analysis with formal verification, tailored to meet the specific needs of each project and emphasizing long-term client support. 

In contrast, CertiK focuses on formal verification methods within their audits, leveraging their early mover advantage to establish a strong market presence. 

While Hashlock is highlighted for its technological leadership and customized, client-centric approach, CertiK’s formal verification offers a rigorous but potentially less flexible auditing solution. This may make Hashlock the preferred choice for projects seeking innovative, adaptable, and in-depth security services.

| Feature | Hashlock | CertiK |
|---|---|---|
| Auditing Techniques | Advanced static and dynamic analysis, formal verification | Formal verification |
| Solutions | Tailored to project needs | Rigorous, with a first-mover advantage |
| Overall Approach | Comprehensive and customized | Less flexible, formal methods |

Is Hashlock Safe to Use?

In the ever-changing realm of blockchain, it’s impossible to guarantee the absolute safety and security of a product, such as a smart contract auditing service. However, by examining a range of information and signals, we can make an informed assessment of its potential reliability. 

Here’s some information we think might be handy to look at when evaluating if Hashlock is a safe company to work with:

Hashlock Founders

The Hashlock team, including its founders, are notably quite young – something which may initially raise questions regarding their experience in a professional context. However, this potential concern is easily countered by the team’s robust educational background and practical experience in the technology and blockchain sectors. 

Despite graduating with a Bachelor of Computer Science from Charles Sturt University only in 2022, co-founder Jock Haslam was previously a Cyber Security Consultant at Northcroft Australia for ten years.

His partner and co-founder Fletcher Roberts has also received education in the tech sector at the University of Technology Sydney, alongside two years as a Digital Strategist at Smith Brothers Media.

They are supported by a strong cast in Lead Security Researcher Chris Moore, formerly with cyber security firms Seer Security and CyberCX, while Executive Business Development Manager Kristoffer Lewinsky has strong experience in blockchain at Danish Blockchain Lab and blockchain gaming organization, Whale Connected.

As a whole, the team is completely public and has active involvement in Australian blockchain community organizations such as Blockchain Australia and Fintech Australia, as well as partnerships with local government and universities. This underscores their reputable standing and trustworthiness within the industry.

When Was Hashlock Founded?

Hashlock was founded in 2020 in Newcastle, New South Wales, Australia. It is currently headquartered in Sydney, New South Wales, and trades under the business name Hashlock Pty Ltd.

What’s Their Reputation on the Internet?

Being a developer-facing company, Hashlock naturally has a smaller and more discreet client base compared to broader platforms like exchanges – in turn resulting in fewer publicly available reviews and feedback. 

However, their reputation is well-supported by notable mentions and articles, such as a feature on CoinMarketCap as a top-rated smart contract auditor, as well as the aforementioned partnerships with entities like Verida and the NSW Australian government for CBDC development.

They also run the blockchain cybersecurity hub trustedweb3.io, which further cements their reputation via partnerships with some notable entities.

Once again, Hashlock’s active participation in prominent organizations like FinTech Australia and Blockchain Australia highlights their front-facing positioning and strong community involvement.

Final Thoughts On Hashlock

Despite being one of the younger and less-established teams in the blockchain security space, Hashlock has demonstrated impressive strength in just a few short years with its notable partnerships and track record.

Hashlock seems to excel in providing a very tailored and thorough smart contract auditing service, which gives it a strong position among some more established competition. With a genuine effort in understanding its clients’ needs, Hashlock provides an above-and-beyond service that is hard to replicate.

Paired with its offering of ongoing services, Hashlock puts itself in a unique position to forge long-term relationships with high-profile projects.

Frequently Asked Questions

Are Hashlock audits manually performed, or do they use automated tools? 

Hashlock audits are primarily manually performed, focusing on in-depth and comprehensive analysis to identify vulnerabilities in smart contracts. 

This is paired with automated tools as a precaution, allowing for a more detailed and customized examination of the code and catering to the specific needs and complexities of each project.

How much does a Hashlock smart contract audit cost?

Hashlock offers personalized pricing for smart contract audits, promising rapid quotes within 6 to 48 hours, highlighting their commitment to tailored and flexible service. 

Although not the cheapest option, especially compared to automated tool-reliant services, Hashlock positions itself as more cost-effective than the top global auditing firms, focusing on delivering high-quality, customized audits.

Do Hashlock audits provide patches to vulnerabilities?

Yes, Hashlock not only identifies vulnerabilities in smart contracts through their auditing process but also provides recommendations for patches or fixes. 

Its approach is to work closely with its clients to ensure that any security issues are thoroughly understood and effectively addressed.

Is Hashlock a trustworthy company?

Hashlock boasts a relatively brief yet robust presence within the blockchain sector, underscored by strategic partnerships with universities and the New South Wales (NSW) Australian government. 

The firm’s portfolio of distinguished clients, coupled with a highly visible team actively engaged in Australia’s blockchain community, underscores Hashlock’s reliability and esteemed standing in the industry.


    Alejandro Miguel