A practical checklist for what to have ready before you open the application form. Repository hygiene, scope decisions, team materials, and the Krait pre-audit step.
Carlos (Bloqarl) - April 30, 2026
The application form takes about 30–45 minutes if you have your materials ready. It can take much longer if you haven't decided what to audit, who's on your team, or where your code lives. This guide is the checklist I wish every applicant had read before clicking Apply.
Have these five things in hand. None require permission from anyone outside your team.
A public GitHub repository is easiest. A private repository works too — you'll add the auditors as collaborators after the grant is awarded.
What we look for in the repo:
README that explains what the protocol does in 3–5 sentences.
contracts/, src/, programs/).
forge build, anchor build, aptos move compile, or sui move build depending on the chain).
Pick a commit on the main branch and write it down. The audit scope is locked at this hash — anything merged after kickoff is out of scope unless you explicitly extend the engagement.
If you're still actively shipping features, plan a code freeze. Most teams pick a hash 1–2 weeks before applications close to give themselves time to stabilize.
We use this to size the engagement. A rough cloc src/ or tokei src/ number is fine — be generous and include everything you want reviewed (tests, helper libraries, deployment scripts).
If you have multiple modules and you only want some audited, draw the scope line clearly. "Audit the lending module, skip the governance module" is much easier to scope than "audit everything except the parts that don't matter."
At least one team member must have a verifiable public identity — this is a hard eligibility requirement. The strongest applications include:
We are not looking for resumes. We're looking for evidence that someone is accountable for the code.
Even pre-launch protocols can answer "what changes for your users one week after the audit ships?" — testnet to mainnet, partner protocol integration, public launch, etc. We weight this in the Protocol Merit category.
These are scoring tasks. None are required to apply, but each adds points and most have value beyond the application.
The Krait Claude Skill is a smart-contract security review you can run yourself in Claude. It produces a markdown report with first-pass findings — vulnerabilities, design observations, and gas considerations. Submit the report URL on the application; you earn 10 points.
Why we ask: a Krait pass before the audit kickoff means our human auditors start higher up the stack. Easy bugs are already on paper, so the engagement focuses on the hard ones.
krait.zealynx.io walks you through a structured pre-audit. Submit the assessment ID; another 10 points.
Three modules of your choice from academy.zealynx.io. Each takes 30–60 minutes. Auto-verified through the shared platform backend. 10 points.
Shadow Audits range from 2 days to 7 days depending on contest size. They are real audits run on already-completed engagements, with our findings as the answer key. The most involved scoring task; 10 points.
Five points each for X and LinkedIn shares, five for a successful referral (capped at 5). Submit URLs as evidence; we verify authenticity.
I see the same handful of issues in nearly every batch of applications. Here are the ones that cost the most points.
Open grants.zealynx.io/apply, save your draft, and come back as many times as you need. Drafts are unlimited; once you submit, the application is final.
Questions: contact@zealynx.io.