Blog
Web3 security, written by people who audit it
Audit case studies, protocol deep-dives, and security fundamentals. Every article ties back to a hands-on module you can rebuild yourself.
The Build (14)
The Case for Rebuilding Protocols Line by Line (Instead of Forking)
Forking a protocol ships code you don't understand. Rebuilding from scratch with a test suite as a forcing function teaches what every defensive choice exists for.
Why Compound V2's Close Factor Caps Liquidations at 50%
Compound V2 caps single-liquidation seizure at 50% of borrower debt. Why partial liquidations beat one-shot total liquidations, and the trade-offs.
The Compound V2 Jump Rate Model: Why the Kink Is at 80% Utilization
Compound V2's interest rate curve is piecewise linear with a kink at 80% utilization. The math, the parameters, and the economic rationale for each piece.
Lazy Interest Accrual: How Compound V2 Scales to Millions of Borrowers
Compound V2 accrues interest in O(1) per market, no matter how many borrowers exist. The trick is a global borrowIndex plus per-account snapshots. Walking through the math and what forks get wrong.
accountLiquidity(): Where Compound V2 Audit Findings Cluster
Almost every critical bug in a Compound V2 fork lives in or around accountLiquidity(). Why this single function attracts oracle, exchange-rate, mantissa, and overflow risks all at once.
Why Compound V2's Oracle Returns Zero (and That's a Security Feature)
When the oracle returns zero, every borrow and liquidation in that market reverts. That is not a bug. It is the safest possible failure mode, and the alternative cost Mango $114M and Cream $130M.
How Uniswap V2's Protocol Fee Works (LP Dilution, Not Per-Swap)
Uniswap V2's protocol fee is 1/6th of K growth, paid as LP token dilution at the next mint or burn. Why this design saves gas, and the math that drives it.
UQ112x112: How Uniswap V2's TWAP Math Actually Works
Uniswap V2's UQ112x112 fixed-point format encodes prices as 224-bit values for the TWAP oracle. Why 112 integer + 112 fractional, and how the math preserves precision.
skim() and sync(): The Uniswap V2 Functions That Look Optional, Aren't
Why Uniswap V2 has skim() and sync() helpers, what donation attacks become possible without them, and why integrators reading reserves directly need to understand both functions.
Why Uniswap V2's Timestamp Wraps in 2106 (and Why It's a Feature)
Uniswap V2 packs block.timestamp into uint32, which wraps to zero on January 19, 2106. The TWAP oracle keeps working across the wrap because modular subtraction handles it for free.
Same Function, Opposite Arithmetic: Uniswap V2's _update()
Inside Uniswap V2's _update(), reserve writes must revert on overflow, but the price accumulator math must allow it. Why Solidity 0.8 makes this trickier than it looks.
How Uniswap V2 Saves 2100 Gas Per Swap with Storage Packing
Uniswap V2 packs reserve0, reserve1, and blockTimestampLast into a single 256-bit storage slot. The math, the tradeoffs, and why this is the most consequential gas optimization in DeFi.
Uniswap V2's 1000-Wei Minimum Liquidity Lock, Explained
Why Uniswap V2 burns 1000 wei of LP tokens forever on the first mint of any pair. The attack it prevents, the code that implements it, and what happens to forks that strip it.
The _mintFee() Ordering Bug in Uniswap V2 Forks
In Uniswap V2's mint() and burn(), _mintFee() must run before reading totalSupply. Reverse the order and you silently dilute the protocol fee recipient on every liquidity event.
Shadow Arena (8)
Flux Finance's KYC Signature Replay: EIP-712 Without a Nonce
Flux Finance's KYC verification uses EIP-712 signatures but omits the nonce. Once signed, the same KYC approval can be replayed indefinitely.
Canto v2's Oracle Mantissa Confusion: 1 vs 1e18
Canto v2's oracle uses a 1 mantissa where Compound V2 expects 1e18. The result: 18-decimal-place errors in liquidation math. A pattern that recurs in cross-chain forks.
How Basin's Pump-Encoding Code Produced Four Distinct Bug Classes
Basin's low-level bit-packing produced 4 documented bugs in Shadow Arena: off-by-one, slot confusion, bit-shift, and a missed update. One subsystem, four lessons.
Velodrome's Reward System: Three Permanent-Lock Paths in One Subsystem
Velodrome (Solidly fork on Optimism) has three documented permanent-lock bugs in its bribe-distribution code. Same subsystem, three different mechanisms. Every Solidly descendant inherits them.
33% of Bugs in 6 Real Audit Targets Are 'Missed State Updates'
Across 63 documented findings in Zealynx Academy's Shadow Arena, the dominant bug class isn't reentrancy or oracle manipulation. It's missed state updates in conditional paths.
Fee-on-Transfer Tokens Break 3 of 6 Shadow Arena Audit Targets
How fee-on-transfer tokens silently break accounting in DeFi protocols. Pattern, real findings from Basin and Velodrome, and the one-line fix most teams miss.
How Venus Inherited a 5x Interest Inflation Bug When Forking Compound to BSC
Compound V2 hardcodes blocksPerYear = 2,102,400 (15-second blocks). BSC has 3-second blocks. Forking the constant unchanged turns a 5% APR market into a 25% APR one. The Venus H-01 finding, walked through.
The Compound V2 Fork Donation Attack: 3 of 6 Shadow Arena Targets Have It
Three of six audit targets in the Zealynx Academy Shadow Arena are Compound V2 forks, and all three share the same cToken exchange-rate manipulation. Walking through the attack, the math, and why $7M of Hundred Finance proved the design is fragile under fork.
AI Auditor Builder (6)
Why Domain-Tuned AI Auditors Beat Generic Ones (DEX, Lending, Staking, Governance)
Generic AI auditors plateau in precision. Loading domain primers (DEX, lending, staking, governance) with category-specific exploits and checklists is what closes the gap.
The Multi-Mindset Pattern: Attacker, Accountant, Spec Auditor, Edge-Case Hunter
Running 4 specialized AI auditor roles in parallel surfaces bug classes that single-pass auditors miss. How to structure the prompts and synthesize the findings.
How Krait Achieves 100% Precision Across 50 Blind Code4rena Contests
The single biggest reason teams stop trusting AI security tools is false positives. Krait was built around eight kill gates that filter every candidate finding before it reaches the report.
The AI Auditor Arena: Benchmarking Against 118 Real Code4rena Findings
Most AI auditor benchmarks use toy code with planted bugs. The Arena uses 118 real Code4rena findings (41 High, 77 Medium) across 10 contests and 19,200 lines of Solidity. Submit your auditor and get a precision and recall score.
27 Open-Source AI Audit Tools, 7 Architectural Patterns, One Choice You Probably Haven't Made
AI smart contract auditing tools cluster into 7 architectural patterns. Each has a different failure mode. Most teams adopt one without knowing which they picked.
An AI Auditor Without Exploit Context Is a Security Guard Who's Never Seen a Break-In
Why generic AI security agents plateau and domain-tuned ones keep improving. The specific exploits that turn pattern matching into pattern recognition: DAO, Cream, Curve, Mango, Inverse, Bonq.
eMBA (2)
Monitoring Beats the First Audit: How Ronin Lost $624M Undetected for Six Days
Ronin Bridge was exploited and the loss went undetected for six days. With basic monitoring on cross-chain transfer volumes against a 24-hour rolling baseline, the alert fires within 90 minutes. Here's the budget allocation that follows.
The Audit Paradox: 91.96% of Hacked Smart Contracts Were Audited
AnChain.ai, Olympix, and Halborn data show audited contracts get hacked nearly as often as unaudited ones. Euler had 10 audits from 6 firms before losing $197M. Audits are necessary, but a strategy needs more.