Open audits + research papers on Monero, Firo, Salvium and other privacy protocols.
Best evidence tier. Signup tested end-to-end by an xmr.club curator — deposit + withdrawal + edge cases. No-KYC posture verified at retail volume. Last verified within 12 months.
Full rubric + 7-step verification walkthrough at /methodology.
Cypher Stack is the independent applied-cryptography research firm that publishes open audits and research papers on Monero, Firo, Salvium, and other privacy-currency protocols. Listed at Grade A because Cypher Stack occupies a structurally unique position: it's the only firm that combines academic-grade cryptographic rigour + focus on privacy currencies + public open-source publication model — making it the canonical external-audit option for privacy-coin protocols that need credible third-party cryptographic review.
Background. Cypher Stack was founded by Brandon Goodell (cryptographer, formerly active in Monero Research Lab) and operates from the United States as Cypher Stack LLC. The firm has been operating since around 2019-2020, growing out of the same applied-cryptography research community that produced MRL contributions. Funding: cryptographic-audit contracts paid by the projects being audited (typical of the firm-audits-protocol model in cryptography); some research is grant-funded by privacy-tooling foundations. Open publication model: research papers and audit reports are published openly at cypherstack.com; the firm's commitment is that external review of privacy-currency cryptography should be publicly accessible rather than locked behind paid client reports. This is meaningfully different from commercial cryptography-audit firms (Trail of Bits, NCC Group, Quarkslab, Kudelski) where reports are typically published only at the client's discretion.
What you trust. Named cryptographer leadership — Brandon Goodell has a public track record in Monero protocol research, including contributions to MRL bulletins. The firm's audit-and-research methodology is informed by direct cryptographic-research experience, not just engineering-audit checklists. Open-publication model — audits and research papers are published at cypherstack.com without paywalls; the firm explicitly chose this model because privacy-currency cryptography is in the public interest and needs public scrutiny. Privacy-currency specialisation — most commercial cryptography-audit firms work across the broader software industry; Cypher Stack's focus on privacy currencies means deeper protocol-specific expertise (Monero ring signatures, RingCT, Bulletproofs, FCMP++, Salvium's privacy-stablecoin design, Firo's Lelantus/Lelantus-Spark). Research papers cross-published with academic venues — some Cypher Stack research has been published at academic cryptography conferences (Real World Crypto, similar venues), bringing in additional external peer review.
What you don't trust: paid-by-clients model — like all audit firms, Cypher Stack is paid by the protocols it audits. The open-publication commitment mitigates conflict-of-interest concerns (a misleading audit report can't be hidden), but readers should still consider the structural incentive. Smaller team than Trail of Bits / NCC Group — for very large audit scopes, Cypher Stack may not have the team size to compete with industry-scale audit firms. Some research is preliminary — papers describing research-in-progress should be cross-referenced with production deployment.
Operational specs. Website: cypherstack.com — research papers + audit reports + team information. Publication formats: research papers (typical LaTeX cryptographic-paper format, hosted on the website + sometimes mirrored on eprint.iacr.org or arXiv), audit reports (PDF format, signed-released for client audits), bulletins (shorter technical notes). Areas of expertise: ring signature analysis, zero-knowledge proof systems (Bulletproofs, Lelantus, Triptych, Plonk), threshold cryptography, hash-based commitments, privacy-currency-specific protocols (FCMP++, Carrot/Seraphis, Firo's Spark protocol). Clients (publicly disclosed): Monero Research Lab work via CCS funding, Firo (Lelantus protocol audits), Salvium (privacy-stablecoin protocol), and others. Team: small but credentialed — Brandon Goodell + research staff with academic-cryptography backgrounds. Engagement model: ranges from focused-protocol audits to longer research collaborations. Open-source contributions: some research output includes reference implementations published as open-source code.
Philosophy. Cypher Stack's editorial differentiator is academic rigour applied to privacy currencies, combined with an open-publication model. The cryptography-audit industry has two main approaches: (1) commercial confidential audits, where reports are published only at client discretion (Trail of Bits, NCC Group, etc.), which works for paying clients but creates information asymmetry between insiders and the public; and (2) academic peer review, where research is open but typically not tied to specific commercial deployments. Cypher Stack combines the two: commercial audit engagements with public-by-default reports. For privacy currencies specifically, this matters: privacy protocols depend on public scrutiny to maintain trust, and a closed-audit model conflicts with that requirement. Cypher Stack's editorial choice is to align with privacy-currency values rather than industry-standard audit confidentiality.
Grade rationale. Grade A reflects: 5+ years of operational continuity (since ~2019-2020); named cryptographer leadership (Brandon Goodell, public MRL contribution track record); open-publication model with research papers and audit reports freely accessible; privacy-currency specialisation (Monero, Firo, Salvium, others) with deep protocol-specific expertise; cross-published research at academic venues; published audits cross-referenced from primary projects (MRL bulletins, Firo's protocol documentation, Salvium's docs); company structure as a small specialised firm rather than a commercial scale-out. The canonical external-audit reference for privacy-currency protocols. Last verified 2026-05-11.
Useful when. You're a privacy-currency developer needing an external audit — Cypher Stack is one of the few firms with focused expertise in this domain. You're a researcher or academic studying privacy-currency protocols — Cypher Stack's published papers and audit reports are credible primary sources. You're evaluating a privacy protocol's cryptographic claims (a coin you're considering using, integrating, or researching) — Cypher Stack's audit reports are useful third-party evidence. You're citing applied-cryptography research in academic or technical writing — Cypher Stack publications are peer-grade and citable. You're a journalist or policy researcher covering privacy currencies — Cypher Stack's commitment to open publication makes their work accessible and citable. You want to understand specific protocol decisions (why was Bulletproofs+ chosen, what does the audit say about FCMP++, how does Lelantus differ from RingCT) — Cypher Stack publications cover these comparisons in depth.
Caveats. Paid-by-clients audit model — like all cryptographic-audit firms, Cypher Stack is paid by the protocols it audits. The open-publication commitment mitigates conflict-of-interest concerns (audit findings can't be hidden), but the structural incentive remains. Cross-reference audit findings with independent academic literature when stakes are high. Smaller team than industry-scale audit firms — for very-large-scale audits or compliance-grade audit needs (regulatory submissions, enterprise risk management), Cypher Stack may not have the team size to compete with Trail of Bits or NCC Group. For most privacy-currency protocol audits, Cypher Stack's focused expertise is the right trade-off. Some research is preliminary — papers describing in-progress research should be cross-referenced with production deployment. Don't assume an audited protocol design is shipped to production until you check the actual codebase. English-only publications — research papers and audit reports are in English; for non-English readers, no official translations exist (though community translations may exist for specific papers). Specific-project specialisation — Cypher Stack's focus is Monero / Firo / Salvium / similar privacy currencies. For audits of non-privacy-focused protocols (e.g., DeFi smart contracts, blockchain consensus), other firms are more appropriate. Audit-scope limitations — every audit is bounded by scope; a Cypher Stack audit of a specific protocol component doesn't mean every other component of the same protocol has been audited. Read scope statements carefully. Don't conflate "audited by Cypher Stack" with "perfectly secure" — audits identify *specific* concerns and remediate them; they don't prove the absence of all vulnerabilities. Continued vigilance is required regardless of audit history. 
Don't substitute Cypher Stack publications for primary protocol documentation — the audit findings are useful, but the canonical source for "how does protocol X actually work" remains the protocol's own documentation and source code. Audit dates matter — a 2021 audit of a specific protocol version doesn't cover changes shipped since. To judge whether audit findings are still current, cross-reference the audit date with the current production deployment.
Free · public archive
.onion mirror listed 2026-05-11 (<90d)