Proving code is safe, not just hoping it is
Jon Stephens runs Veridise, an Austin security firm that audits the code holding up large parts of the blockchain world. The company's pitch is unusual in a market crowded with bug-bounty programs and quick manual reviews: it treats "prove the code is correct" as a technical requirement rather than a slogan. That comes straight from Stephens, whose training is in formal methods, the branch of computer science concerned with reasoning mathematically about what a program does.
Day to day, that means auditing smart contracts, blockchain implementations, and zero-knowledge circuits for teams that cannot afford a subtle mistake. Under Stephens, Veridise has worked with protocols including RISC Zero, Succinct, Semaphore, vLayer, and Ankr. The work sits at the point where a single overlooked condition in a proof system can quietly undermine an entire protocol, and where the bugs are the kind humans reliably miss.
Stephens describes his own starting point plainly. "I'm paranoid about computer security," he has said, crediting his parents with instilling that instinct early. What sets Veridise apart is what he decided to do with the paranoia: instead of asking users to be more careful, he wants to remove the need for care altogether. His stated goal is to help everyday users feel secure without having to implement complex protective measures themselves.
My goal is to help everyday users feel secure without having to implement complex protective measures themselves.
That philosophy explains the company's method, which Stephens calls top-down. An audit begins with a high-level read of the protocol to understand its design and where an attacker might push. From there the team goes deeper into the code, refining a list of invariants the system is supposed to hold and the ways those might break. The manual review does not run alone. Static analyzers and fuzzers run in parallel, so automated tooling and human judgment cover each other's blind spots.
The approach is not academic theater. It is the practical residue of Stephens's research path. Before Veridise existed, there was a paper.
The tool that became a company
During his PhD research at the University of Texas at Austin, Stephens worked in the UToPiA Group alongside Isil Dillig and Kostas Ferles on formal verification. That work eventually pointed at smart contracts and produced SmartPulse, a tool that could formally verify temporal properties of contracts: not just whether something bad could happen, but whether the good things a contract promises actually keep happening over time. Checking those liveness properties was novel enough that it drew attention from blockchain security specialists, and it became the foundation the company was built on.
SmartPulse was not the end of the toolmaking. Stephens went on to build Zequal, aimed at verifying consistency in zero-knowledge proof circuits, and contributed to the line of ZK security tooling Veridise now runs at scale. Zero-knowledge systems are elegant on paper and notoriously easy to get subtly wrong in practice, which is exactly the gap he set out to close. He has said he finds off-chain computation approaches, including ZK, multiparty computation, and trusted computing bases, among the most compelling directions in the field because they address the practical limits of doing everything on-chain.
I'm paranoid about computer security.
The route to that expertise ran through a different kind of security. As an undergraduate and master's student at the University of Arizona, Stephens researched the offensive side under Saumya Debray: malware detection evasion, exception-based control transfers, covert channels, and both static and dynamic analysis. He knew how attackers hide. What bothered him was that heuristic defenses could only ever say a system looked safe, never that it was. That discomfort pushed him toward formal methods, where the guarantees are stronger, and it is the through-line connecting the Arizona lab to the Austin firm.
The partnership and the pranks
Veridise is a two-founder story. Stephens co-founded it in 2022 with Isil Dillig, who was his advisor and remains a full-time professor while contributing to the company. He is generous about the arrangement, praising her ability to "quickly understand problems, brainstorm solutions and present information in a very approachable way," and calling it fortunate that she keeps contributing despite the demands of her academic post. It is a rare setup: the student became the CEO, the professor stayed the professor, and both kept building the same thing.
He is not all invariants and proof obligations. Colleagues know Stephens for a streak of mischief. After Dillig's wedding, he hid ridiculous photos throughout her house, and by his own telling some were still undiscovered six months later. Away from the keyboard he keeps a large board game collection, which he cheerfully admits is currently collecting dust, and he cooks, does woodworking, and hikes. He will defend pineapple on pizza, though his real recommendation is thinly sliced pears with a little balsamic vinegar, an experiment that says something about how he approaches defaults everywhere: question them, then test.
One professional moment he singles out with pride is a ZK tooling workshop his team ran for Secureum, where the coordination and the large-scale parallel use of the firm's tools came together the way they were supposed to. It is a telling thing to be proud of. Not a single flashy exploit, but a system working end to end, which is more or less the whole point of Veridise.
Online he goes by @FormallyJon, a handle that doubles as a mission statement. The word formally is not decoration. It is the difference between a security firm that reviews code and one that tries to prove things about it, and it is why teams handling zero-knowledge proofs and high-value contracts keep sending their work to Austin. Stephens's bet is that rigor scales better than luck, and so far the client list suggests the market agrees.
From Arizona to Austin
B.Sc. and M.Sc. in Computer Science; research on malware evasion, covert channels, and static/dynamic analysis under Saumya Debray.
PhD research in formal methods with Isil Dillig and Kostas Ferles, turning toward smart contracts.
Builds SmartPulse to formally verify temporal properties of smart contracts, the work that seeded Veridise.
Co-founds Veridise with Isil Dillig; becomes CEO.
Develops Zequal and contributes to the firm's zero-knowledge security tools.
Speaks as CEO of Veridise at L2CON Bangkok.
The Toolkit
TOOLS BUILT & CO-BUILT
LANGUAGES & STACKS
HANDLE His X username, @FormallyJon, is a nod to formal methods, the field his whole career rests on.
PRANK After his co-founder's wedding he hid ridiculous photos around her house; some reportedly went unfound for months.
PIVOT He started on the offensive side of security studying malware before deciding heuristics weren't enough and moving to formal proofs.
READING He enjoyed Fern Brady's memoir "Strong Female Character," calling it both tragic and funny.
METHOD Every audit runs manual review, static analyzers, and fuzzers in parallel so each covers the others' blind spots.
DUO Veridise is led by a former student and his former PhD advisor who never stopped collaborating.