
When you launch a card program with Rain, you're building on top of a high-performance, high-security platform. Our onchain smart contracts are what hold value, enforce the rules, and keep your program running smoothly. They’re foundational to how Rain works—highly secure, performance-tested, and built to earn trust.
We don’t just build these smart contracts. We subject them to independent security reviews, partnering with best-in-class auditors like Sherlock. Sherlock is the lifecycle security partner for Web3 protocols. From development through launch to live operations, they combine AI-powered analysis, collaborative auditing, bug bounties, and financial coverage to catch vulnerabilities before they become exploits.
If you’re new to smart contracts, here’s a simple way to picture them: they’re tamper-resistant vaults with built-in instructions. They can receive, store, and send value based on clearly defined rules without any middlemen, which is why security is of the utmost importance.
Rain supports multiple blockchains, each with its own architecture and risk profile. That’s why we run a fresh audit every time we add support for a new chain, and continue auditing regularly to maintain security and trust.
Why? Because code doesn’t sit still. Dependencies evolve, networks upgrade, and attackers don’t take time off. Continuous assurance is the only real assurance.
Before any smart contract is available for our customers to use, we freeze the code and bring in independent auditors to review it. That includes Sherlock, one of our trusted security partners.
Sherlock doesn’t recruit auditors in a traditional sense—their network of experts grows through measured performance, not applications. Every researcher must start by competing in open audit contests, where all submissions are tracked, judged, and scored for accuracy, false positives, and severity alignment.
Over time, this data builds a transparent performance profile for each researcher. The top performers—those consistently demonstrating precision, impact, and strong judgment—are invited into the collaborative audit pool, where they work in smaller teams led by senior auditors.
Here’s how it works:
Critical issues (like potential fund loss or broken permissions) are rare, but if they’re found, they’re fixed fast. We also treat lower-severity findings as opportunities to improve clarity, efficiency, and maintainability.
We also regularly schedule additional audits when new features are launched or environments change, and our smart contract infrastructure gets thoroughly vetted for every new blockchain we deploy to. Where a bug bounty is appropriate, we work with Sherlock to define scope, rewards, and a responsible disclosure path.
If you're evaluating a specific chain or use case, we can share the relevant certifications, audit histories, and a summary packet that walks through our approach. We’re also happy to connect you with an Engineering lead to answer questions or walk you through how upgrades and ongoing monitoring work.
At Rain, we sweat the hard stuff so your program can launch fast, scale cleanly, and operate with confidence.