Smart Contracts & DApps: Audit, Deployment, and Maintenance
We often encounter clients who come with the idea of "launching a blockchain project" but cannot clearly articulate why they need a blockchain. The key question: what exactly does blockchain solve in your product that a traditional database does not? If the answer is vague—you probably just need a distributed system, not a blockchain. If the answer is clear—trustless execution of logic, verifiable data, tokenization of assets, permissionless participation—we start designing. Our team has 10+ years of experience in blockchain development and has completed over 50 projects—from NFT marketplaces to DeFi protocols with over $10M in TVL. We offer a full-cycle turnkey development: from architecture to deployment and audit. Budget estimation is the first step in any project, and we always conduct it during the initial consultation.
How to Choose a Blockchain for Your Project?
There is no "best blockchain"—only the right one for a specific use case.
EVM-compatible Networks
Ethereum mainnet—maximum decentralization and security, first-class development tooling (Foundry, Hardhat, Slither, Echidna). Justified for: protocols with large TVL where security outweighs cost; financial primitives that must be composable with the DeFi ecosystem.
Arbitrum / Optimism—Optimistic Rollups. EVM equivalence (Arbitrum One) or EVM compatibility (OP Stack). Gas is 10–50x cheaper than mainnet, finality ~7 days for withdrawals (fraud proof window). Justified for high-frequency transactions: trading, gaming, social applications.
Base—OP Stack L2 from Coinbase. Rapidly growing ecosystem, good onramp via Coinbase. Suitable for consumer-facing applications.
Polygon PoS—not an L2, but a sidechain with a bridge to Ethereum. Fast, cheap, but a different security model. Good for NFT projects with frequent transactions.
zkSync Era / Polygon zkEVM / Scroll—ZK Rollups. Stronger security guarantees than Optimistic (no fraud window), but ZK proofs create overhead on execution. zkSync has Native Account Abstraction (AA) at the protocol level—an important architectural advantage for UX.
| Parameter |
Arbitrum One |
Optimism |
zkSync Era |
Polygon zkEVM |
| Type |
Optimistic Rollup |
Optimistic Rollup |
ZK Rollup |
ZK Rollup |
| Gas (ETH mainnet=1) |
0.05–0.1 |
0.05–0.1 |
0.01–0.05 |
0.01–0.05 |
| Security |
Fraud proofs |
Fraud proofs |
ZK proofs |
ZK proofs |
| EVM equivalence |
Full |
Full |
Partial |
Full |
| Ecosystem |
Large |
Medium |
Growing |
Growing |
Non-EVM
Solana—high throughput (65k TPS theoretically, ~3–5k TPS real), parallel transaction execution via Sealevel, low fees. Programming in Rust with the Anchor framework. Tooling is significantly less mature than EVM; the debugger is primitive, errors are harder to read. Justified for: high-frequency trading, gaming with real-time mechanics, applications where gas cost is critical.
TON—native integration with Telegram (900M MAU). Smart contracts in FunC/Tact. If your audience is on Telegram—a strong argument for TON.
Cosmos SDK—for cases requiring your own blockchain (application-specific chain). IBC for cross-chain communication. High entry threshold but full control over consensus, governance, and gas token.
Typical mistakes when choosing a blockchain
1. Choosing a network based on hype rather than project requirements. 2. Ignoring liquidity issues for DeFi—the network must have active pools. 3. Not considering jurisdictional constraints (e.g., US legislation may affect the choice).
What Smart Contract Vulnerabilities Are Most Common?
From years of audit work, here are the most frequent issues:
Reentrancy—a classic. Still occurs. Protection: ReentrancyGuard from OpenZeppelin + CEI pattern (Checks-Effects-Interactions):
// INCORRECT:
function withdraw(uint256 amount) external {
token.transfer(msg.sender, amount); // interaction before effect
balances[msg.sender] -= amount; // effect after
}
// CORRECT:
function withdraw(uint256 amount) external nonReentrant {
balances[msg.sender] -= amount; // effect
token.transfer(msg.sender, amount); // interaction
}
Price manipulation via flash loans—if the contract reads the price from the Uniswap spot price. Solution: TWAP (Time-Weighted Average Price) via IUniswapV3Pool.observe() or Chainlink Price Feed.
Integer overflow/underflow—in Solidity 0.8.x built-in protection, but still relevant with unchecked blocks and custom arithmetic with downcast.
Signature replay—when using ecrecover without a nonce or chain ID in the signed message. EIP-712 + EIP-2612 (Permit) solve this in a standard way.
Front-running—MEV. For AMM-like contracts: deadline + slippage tolerance. For sensitive operations: commit-reveal scheme.
What Tools Do We Use?
Foundry—preferred tool for serious development. Tests in Solidity, built-in fuzz testing, mainnet forking with a single flag:
forge test --fork-url $ETH_RPC --fork-block-number 19000000 -vvv
Fuzz testing finds edge cases that manual tests miss:
function testFuzz_deposit(uint256 amount) public {
amount = bound(amount, 1, type(uint128).max); // reasonable bounds
deal(address(token), user, amount);
vm.prank(user);
vault.deposit(amount, user);
assertEq(vault.totalAssets(), amount);
}
Slither—static analyzer. We run it in CI on every PR; critical findings block merging.
Echidna—property-based fuzzer. For invariants: "totalSupply always equals the sum of all balances", "protocol health never goes negative".
OpenZeppelin Security Audits recommends combining multiple tools to cover different vulnerability types.
What Does a Typical Deployment Stack Look Like?
No deployments from EOA in production. Schema:
Developer EOA → Gnosis Safe 3/5 multisig → Timelock (48h delay) → Contract
A timelock gives users time to react to a malicious upgrade. For DeFi protocols with TVL > $1M—mandatory.
Hardhat Ignition or Foundry Deploy Scripts for reproducible deployments. All deployment parameters are in version control, not in developers' heads.
Audit—not a final step but part of the process. For serious protocols: internal review (Slither + Echidna + manual analysis) → preliminary audit by one firm → main audit → fix findings → re-audit of changes. Timeline: 4–8 weeks for a typical medium-complexity DeFi protocol. Budget is calculated individually.
How We Develop: Step by Step
-
Requirements analysis and network selection. Determine which blockchain best suits your use case, considering tokenomics, expected load, and legal aspects.
- Contract architecture design. Develop interaction diagrams, interface specifications, and data schemas.
- Smart contract development. Write code in Solidity or Rust, cover with unit tests (100% coverage).
- Integration testing. Fork mainnet and verify full scenarios.
- External audit. Hand over code to a trusted firm, fix findings, re-audit.
- Deployment to testnet and mainnet. Use multisig wallets and timelocks.
- Monitoring and support. Set up Tenderly, OpenZeppelin Defender, provide 30 days post-deployment support.
Project Phases
| Phase |
Content |
Duration |
| Architecture & design |
Network selection, contract architecture, tokenomics |
1–2 weeks |
| Core contracts |
Development and unit tests |
2–6 weeks |
| Integration testing |
Fork tests, integration scenarios |
1–2 weeks |
| Frontend |
dApp, wallet integration |
2–6 weeks |
| Audit |
External audit + fixes |
4–8 weeks |
| Testnet deployment |
Public testnet, bug bounty |
2–4 weeks |
| Mainnet |
Deployment, monitoring |
1 week |
Realistic timeline from idea to mainnet: 3–6 months for a medium-complexity protocol. Projects that "launch in 2 weeks" usually have critical unpatched vulnerabilities.
What Is Included in the Work
- Architectural documentation with justification for network and pattern choices.
- Smart contract source code with comments and unit tests (100% coverage).
- Integration tests on mainnet fork.
- External audit report with recommendations.
- Deployment on testnet and mainnet (if required).
- Operational instructions and support for 30 days post-deployment.
- Access to monitoring tools (Tenderly, OpenZeppelin Defender).
Contact us for an assessment of your project. We will analyze the requirements, propose the optimal blockchain architecture, and calculate timelines. Get a consultation—this will help you avoid costly mistakes at the start.
Blockchain Infrastructure Deployment: Nodes, RPC, Indexing
Subgraph fell at 3:47 AM. By morning users saw outdated balances, transactions "hung" in the UI, support received 47 tickets in an hour. Cause: the handler in the subgraph failed on a transaction with a non-standard event log — and the entire index stopped. We have encountered such situations dozens of times. Our experience shows: blockchain infrastructure does not forgive gaps in observability. Guaranteeing uptime without multi-layered monitoring and fault-tolerant architecture is impossible. Over 8 years working with Ethereum, Polygon, and Solana, we have developed an approach that allows predictable deployment of infrastructure of any scale — from a single node to a multichain grid with dozens of subgraphs.
RPC Layer Architecture
Every dApp interaction with the blockchain goes through RPC — the JSON-RPC API provided by a node. Three options:
Managed providers — Alchemy, QuickNode, Infura, Ankr. Minimal operational costs, SLA, built-in monitoring. Limits: rate limits (Alchemy Free: 300 RU/sec), vendor lock, potential downtime during provider incidents. For most projects — the right choice at the start.
Self-owned nodes — full control, no rate limits, no third-party dependence. Cost: archive Ethereum node requires 2.5–3TB SSD, a strong server, and DevOps support. Sync from scratch on Ethereum via Geth/Nethermind — 3–7 days. Justified under high load or latency requirements.
Hybrid — self-owned node as primary, managed provider as fallback. Standard for protocols with high TVL. Proper load balancing can reduce costs by 20–30% compared to pure managed setup. Under high monthly request volume, hybrid saves significantly.
| Provider |
Strength |
Limitation |
| Alchemy |
Supernode, Enhanced APIs, webhooks |
Expensive on high-volume |
| QuickNode |
Low latency, multi-chain |
More expensive than Alchemy on basic plan |
| Infura |
Historical reliability |
Rate limits on free, one major incident halted half of DeFi |
| Ankr |
Cheap, 40+ chains |
Less stable |
How to Set Up an RPC Layer Without a Single Point of Failure?
At least two providers, DNS round-robin with health check every 5 seconds, automatic fallback when latency >500 ms. In practice, this gives 99.99% availability during any provider failure. For protocols with high TVL, we recommend a custom HA-proxy (nginx or Envoy) in front of two managed providers.
Why Is a Hybrid RPC Scheme More Cost-Effective Than Pure Managed?
At high request volumes, managed providers can be very expensive; a hybrid using a self-owned node as primary and a managed fallback cuts costs significantly without losing SLA.
Ethereum Node Clients
Execution clients: Geth (most used), Nethermind (C#, fast sync), Besu (Java, enterprise), Erigon (fastest sync, efficient archive mode ~2TB instead of 3TB).
Consensus clients (post-Merge): Lighthouse (Rust), Prysm (Go), Teku (Java), Nimbus (Nim). Each node after The Merge requires a pair of execution + consensus clients.
For DevOps: eth-docker — Docker Compose configurations for all client combinations. Setting up monitoring via Grafana + Prometheus is mandatory; a standard dashboard is available in each client's repository.
The Graph: Event Indexing
The Graph Protocol — decentralized indexing. A subgraph describes which events from which contracts to index and how to transform them into a GraphQL schema.
Subgraph structure:
-
subgraph.yaml — manifest: contract addresses, startBlock, events to handle
-
schema.graphql — GraphQL schema of entities
-
src/mapping.ts — AssemblyScript event handlers
dataSources:
- kind: ethereum
name: UniswapV3Pool
network: mainnet
source:
address: "0x88e6A0c2dDD26FEEb64F039a2c41296FcB3f5640"
abi: UniswapV3Pool
startBlock: 12370624
mapping:
eventHandlers:
- event: Swap(indexed address,indexed address,int256,int256,uint160,uint128,int24)
handler: handleSwap
AssemblyScript handlers — not TypeScript. No nullable types, no closures, no many standard APIs. An error in the handler stops the subgraph indexing on that transaction. Important: add try-catch for operations that can fail (e.g., store.get() for an entity that may not exist).
How to Avoid Subgraph Indexing Stops?
Graph Node logs are monitored in real-time; on hasIndexingErrors = true an alert fires and an automatic node restart (via systemd or Kubernetes). Typical downtime on error — 150–300 seconds to recover. Additionally, for production we set up a watchdog that restarts Graph Node if subgraph lag exceeds 50 blocks.
Choosing Between Hosted Service and Decentralized Network
Graph Hosted Service (free, centralized) is deprecated in favor of Subgraph Studio + Graph Network. For production: deploy on Graph Network with GRT curation signal — the subgraph gets indexers proportional to curation.
Alternatives to The Graph: Ponder (TypeScript, self-hosted, easier to debug), Envio (ultra-fast indexer, supports EVM + non-EVM), Subsquid (TypeScript, own network), Moralis Streams (managed, webhook-based). Our experience shows: for high-load projects with unique logic, Ponder or Envio are more effective — they give full control over the process and do not require GRT tokenomics.
Webhooks and Real-Time Notifications
Alchemy Webhooks and QuickNode Streams allow receiving events in real-time via HTTP webhook or WebSocket. For monitoring addresses, new transactions, mints — this is faster than polling RPC.
Tenderly — platform for monitoring and alerts. You can set up an alert for a specific contract event, balance change, function call with certain parameters. Transaction simulation via Tenderly API is invaluable for debugging.
Monitoring and Observability
Minimum monitoring stack for a protocol:
On-chain: OpenZeppelin Defender Sentinel — watches contract events, triggers webhook or Autotask when conditions are met. Forta Network — community-maintained bots detect anomalies (large withdrawals, flash loans, governance attacks).
Infrastructure: Grafana + Prometheus for nodes, Datadog or Grafana Cloud for managed metrics. Alerts on: node is 10+ blocks behind, RPC latency >500ms, subgraph lag >100 blocks.
Uptime: Better Uptime or PagerDuty on RPC endpoint and subgraph health endpoint (The Graph provides _meta { hasIndexingErrors, block { number } }).
Why Is Monitoring Without Tenderly Insufficient?
Tenderly provides transaction simulation and detailed traces — critical for debugging subgraph and smart contract errors. Forta focuses on network anomalies, not your infrastructure. The combination of Tenderly plus a custom Grafana dashboard covers 90% of incident scenarios.
Multichain Infrastructure
A protocol on 5 chains = 5 separate RPC endpoints, 5 subgraphs, 5 monitoring configs. Manageable but requires deployment automation.
For subgraph multi-network deployment: graph deploy --network mainnet, graph deploy --network arbitrum-one etc. with a unified codebase and network-specific addresses in separate config files.
Chainlink CCIP and LayerZero for cross-chain messaging require monitoring of both chains and transactions on intermediate relayers. A reorg on the source chain after a confirmed mint on the target chain is a classic bridge problem. Solution: wait for finality (on Ethereum ~15 minutes after Merge for economic finality) before confirming on the target chain.
Infrastructure Setup Process
- Audit current stack — determine chains, request volume, latency and availability requirements.
- Architecture design — select providers, load balancing, redundancy.
- Subgraph development — manifest → schema → handlers → testing on local Graph Node → deploy to testnet → mainnet.
- Monitoring configuration — Tenderly alerts, Grafana dashboard, PagerDuty integration.
- Documentation and runbook — what to do when: subgraph falls behind, RPC downtime, node desync.
- Handover to operations — team training, access transfer, first month support.
What's Included
- Deployment of managed or self-hosted Ethereum, Polygon, BNB Chain nodes
- RPC layer setup with primary/fallback and load balancing
- Subgraph development and deployment for your protocol
- Monitoring connection (Tenderly, Grafana, alerts)
- Runbook and operations documentation
- Team training (up to 4 hours online)
- 30-day support after delivery
Timeline
| Task |
Duration |
| RPC and basic monitoring setup |
1–2 weeks |
| Subgraph for one protocol |
2–4 weeks |
| Self-hosted node with monitoring |
2–3 weeks |
| Full infrastructure (multi-chain, monitoring, runbooks) |
6–10 weeks |
All projects are managed in a GitHub/GitLab repository with CI/CD; configuration code stays with you. Order infrastructure deployment — we'll show how to cut costs by 20–30% without losing reliability. Get a consultation — we'll demonstrate how we deployed infrastructure for a protocol with large TVL on Ethereum and Arbitrum. Contact us.