Field notes

The log.

Security notes, post-mortems, and observations from the audit floor.

Threat Modeling for Smart Contracts: Before the First Line of Code

A threat model identifies what you are protecting, who might attack it, and how. Done before development, it shapes architecture. Done before audit, it sharpens scope. Done after deployment, it is too late for most of its value.

Oracle Manipulation: Every Attack Vector

Spot price oracles, stale Chainlink feeds, missing circuit breakers, and the subtle assumptions that turn a price feed into an attack surface. Oracle security is not one problem — it is a category.

Competitive Audit Platforms: Code4rena, CodeHawks, and Sherlock Compared

Competitive audits distribute review across dozens of independent researchers. The incentive structures, judging quality, and payout models differ significantly between platforms — and determine what gets found and what does not.

Cross-Chain Message Security: Beyond Bridges

General message passing is not just token bridges. LayerZero, Wormhole, CCIP, and Axelar introduce message replay, ordering assumptions, executor trust, and destination-chain gas risks that every cross-chain protocol must address.

Post-Deployment Monitoring: Forta, Defender, and On-Chain Alerts

An audit reviews code at a point in time. Monitoring watches behavior continuously. The two are complements — monitoring catches what slips through review, detects exploit attempts in progress, and enables faster incident response.

The Anatomy of a Flash Loan Attack

Flash loans do not create vulnerabilities — they amplify assumptions. The assumption that a price cannot move 4x in one transaction. That governance power cannot be borrowed. That collateral values are stable within a block.

CosmWasm Security: Rust Contracts, Actor Model, and Common Vulnerabilities

Rust prevents memory safety issues. It does not prevent reentrancy via submessages, state inconsistency across message boundaries, or access control gaps in the execute handler. CosmWasm has its own vulnerability taxonomy.

AI-Assisted Auditing: What LLMs Find, What They Miss, and How to Use Them

LLMs find known vulnerability patterns quickly and miss novel attack paths consistently. The value is in augmenting auditor throughput on well-understood problems — not in replacing the judgment that finds the interesting ones.

Cross-Chain Bridge Security: Where the Risk Lives

Bridges are the most exploited category in DeFi. The vulnerabilities are not exotic — they are message replay, validator manipulation, and finality assumptions that hold on one chain and fail on another.

Supply Chain Attacks on Smart Contract Projects: Dependencies, Pipelines, and Key Compromise

The audit covers the code. It does not cover the build pipeline that compiled it, the npm packages that the test suite depends on, or the developer whose laptop has a keylogger. Supply chain attacks target the gaps between what was audited and what was deployed.