Zellic

Zellic is a leading blockchain security firm specializing in securing emerging technologies across the Web3 ecosystem. Founded by Luna Tong and Jasraj Bedi, who previously established perfect blue (the world's #1 CTF team in 2020, 2021, and 2023), Zellic brings world-class offensive security expertise to crypto and blockchain projects.

Core Services

Zellic delivers comprehensive security assessments across multiple blockchain ecosystems including Ethereum/EVM, Solana, Cosmos, Aptos, Sui (Move), and more. Their services span smart contract audits, zero-knowledge circuit reviews, web application security, applied cryptography, secure enclave/TEE assessments, and formal verification. In 2024, they conducted 241 security reviews, identifying 193 critical vulnerabilities and 266 high-impact findings, with 59% of assessments revealing critical or high-severity issues.

Key Strengths

What sets Zellic apart is their deep offensive security background and CTF heritage. Before founding Zellic, Luna Tong worked as a vulnerability researcher at Dataflow Security and published peer-reviewed fuzzing research, while Jasraj Bedi hacked Android at Google and claimed bug bounties on Fortune 500 companies. Their team combines expertise in cryptography, web security, mobile security, low-level exploitation, and competitive hacking, enabling them to find vulnerabilities others miss. They employ multiple engineers per engagement with dedicated Engagement Managers for quality control, and maintain daily client communication throughout reviews.

Notable Clients and Discoveries

Zellic has secured some of the largest names in Web3, including LayerZero, Jump, Solana Foundation, Aptos Labs, Mysten Labs, Scroll, StarkNet, Wormhole, SushiSwap, PancakeSwap, Pyth, Wintermute, Aave, Uniswap Foundation, Injective, and Osmosis. Their most significant discovery was a critical billion-dollar bug in the Move bytecode verifier affecting Sui and Aptos that could have allowed attackers to obtain multiple mutable references and break fundamental security guarantees. They also discovered a critical inflationary bug in Solana's Zero-Knowledge confidential token transfer and buffer overflow vulnerabilities in Cosmos SDK's Ledger integration.

Specialized Expertise

Zellic excels across diverse blockchain platforms and security domains. They are experts in EVM smart contracts (reviewing everything from 20 to tens of thousands of lines of code), zero-knowledge circuits (Circom and Halo2), L1/L2 protocols and rollups, cross-chain bridges (serving on Uniswap's Bridge Assessment Committee), DeFi primitives, and TEE/secure enclave implementations. Their applied cryptography team has secured major Web3 wallets including Aptos IdentityConnect, Pontem, Avara (Aave Lens), and Privy's Shamir Secret Sharing implementation used by friendtech.

Research and Innovation

Zellic is deeply committed to advancing Web3 security through open-source research and innovation. They publish regular security research on topics ranging from ZK security to blockchain-specific vulnerabilities, and maintain public audit reports on GitHub. They've developed Forky, a tool that identifies important differences between protocol forks and their parents in plain English. As an active ecosystem participant, Zellic serves as the top validator by voting power on Injective, converting validator rewards into audit credits for ecosystem projects. They also introduced V12, an automated security tool that finds critical bugs consistently and is being released for free to the community.

Why Choose Zellic

Organizations choose Zellic because they deliver real security, not rubber stamps. Their background in real-world offensive security research, combined with their CTF competition success, means they approach code with an attacker mindset—conducting full vulnerability research including attack surface enumeration, static analysis, manual review, and dynamic analysis. They customize assessments to each client's needs, offering specialized techniques like formal verification, fuzzing, and symbolic execution when appropriate. With testimonials from CTOs at Mysten Labs, Axiom, Scroll, Wintermute, and others praising their technical prowess, curiosity, and ability to find subtle bugs in intricate constraints, Zellic has earned its reputation as the go-to security firm for teams whose innovation outpaces the existing security landscape.