The log.
Security notes, post-mortems, and observations from the audit floor.
Token Economics and Security: When the Design Is the Vulnerability
Token economic design creates attack surfaces that no amount of code review can eliminate. Vesting cliff manipulation, emission schedule exploits, veToken lock attacks — these vulnerabilities exist at the design level, so a protocol can pass a clean code audit and still be exploitable by design.
Multisig Security: Configuration, Key Management, and Operational Risk
A multisig is only as secure as its signers, their keys, and the operational procedures around both. The on-chain architecture of Gnosis Safe is sound. The failure modes in production are almost always off-chain.
Permit2 and Gasless Transactions: Security From Signature to Execution
Permit2 makes token approvals more expressive and more dangerous. The AllowanceTransfer and SignatureTransfer models introduce new nonce schemes, witness data, and trust surfaces that protocols integrating Permit2 must understand completely.
Concentrated Liquidity Security: Ticks, JIT Attacks, and Fee Accounting
Concentrated liquidity is more capital efficient and more complex than constant product AMMs. The precision requirements, position accounting, and oracle properties introduce vulnerabilities with no equivalent in Uniswap V2-style pools.
Perpetuals and Derivatives Security: Funding, Liquidation, and PnL Invariants
On-chain perpetuals combine oracle dependency, complex accounting, and high leverage. The attack surfaces — funding rate manipulation, oracle-based liquidation, and socialized loss abuse — scale with the protocol's open interest.
The Audit Scope Document: What to Include and What Goes Wrong
A poorly scoped audit is not an audit — it is a review of whatever the auditor happened to look at. The scope document is the contract that determines what was covered, what was not, and who is accountable for both.
Remediation Verification: What It Means and What It Does Not
Remediation verification is not a second audit. It is a focused review of whether specific fixes are correct and whether they introduce new issues. Understanding the distinction matters for what the final attestation can honestly claim.
Gas Griefing: Forcing Transactions to Fail or Waste Gas
Gas griefing is not about stealing funds — it is about forcing transactions to fail or cost more than expected. The 63/64 rule (EIP-150 gas forwarding), return bombs, expensive fallbacks, and unbounded iteration are the mechanisms. The impact ranges from nuisance to critical, depending on whether the blocked transaction is a liquidation, a withdrawal, or a governance action.
L2-Specific Vulnerabilities: What Changes When You Leave Mainnet
A contract that is secure on Ethereum mainnet may be insecure on an L2. Sequencer centralization, differences in block.timestamp and block.number semantics, cross-layer message assumptions, and the challenge-period finality gap in optimistic rollups are not abstractions — they are active attack surfaces.
Stablecoin Protocol Security: Invariants, Cascades, and Peg Mechanisms
A stablecoin protocol's security is its ability to maintain the peg under adversarial conditions. Collateral ratio violations, liquidation cascades, and oracle dependencies are the mechanisms by which that ability fails.