Services

Smart Contract Audit

Analyze decentralized application’s smart contracts and the overall operation with static code analysis, dynamic analysis, and manual review to identify vulnerabilities together with technical & business logic flaws that may expose applications to various external risks

Decentralized Application Security Consulting

Provide consultation from design to development of decentralized applications, resolving both technical and business issues with professional support along the product development life cycle, maximizing the security level of smart contracts to protect our clients and their users

Digital Assets Investment Security Consulting

Provide consultation to investment funds and high-net-worth individuals on the security of DeFi projects and earning opportunities in the blockchain ecosystem, focusing on translating vulnerabilities and issues identified to easy-to-understand impact on the deployed capital

Methodology

Pre-Audit
Build up understanding of the overall operations of the related smart contracts. Check for audit targets’ readiness, and make necessary internal preparations for the audit
Audit
Inspect smart contracts using industry-accepted automated analysis tools and manual analysis by a team of professionals to identify both general coding bugs and advanced smart contract vulnerabilities in decentralized application's workflow and logic
Preliminary Report
Deliver preliminary findings with professional suggestions and consultation on how to remediate the identified issues
Reassessment
Verify the status of each issue and re-inspect to ensure there are no additional complications caused by the fixes applied
Final Report
Provide a full final report with the detailed description, risk rating, and status of each identified issue

Researches

Flash Loan/Flash Swap Using UniswapV2-Based AMMs

06/01/2021

Flash loan has been one of the most impactful techniques used in smart contract attacks, and it is getting more prevalent.

Introducing: Inspex Explorer & Library

08/27/2021

Inspex Explorer is a platform designed to be an all-in-one blockchain & smart contract security platform.

Smart Contract Security Testing Guide

04/27/2022

Smart Contract Security Testing Guide (SCSTG) is a risk-based guide for smart contract security professionals and developers to use as a reference in the security testing of smart contracts.

bEarn.Fi Incident Analysis — bVaults Improper Withdrawal Amount Handling

05/16/2021

Started from 10:36:20 AM UTC on May 16th, 2021, bEarn.Fi’s BUSD vault was exploited due to improper withdrawal amount handling.

Cross-Contract Reentrancy Attack

03/31/2022

In this article, we will show you what Cross-Contract Reentrancy is, how impactful can it be, and how can you prevent it. We also have a hands-on lab that you can follow along to learn about this vulnerability more in detail.

Dopple Finance’s $KUSD and Synthetic Assets Manual Minting Analysis

01/24/2022

On Jan 15, 2022, Inspex was contacted by multiple Dopple Finance’s users to investigate suspicious transactions on Dopple Finance prior to the big price crash.

ValueDeFi’s Invalid Share Calculation Exploit In-depth Analysis

10/04/2021

Started from 08:13:06 PM UTC on May 7th, 2021, ValueDeFi’s multi-strategy WBNB vault was exploited due to an invalid share calculation exploit.

Inverse Finance’s Incident Analysis — $INV Price Manipulation

04/07/2022

On Apr 02, 2022, 11:04:09 AM UTC (block 14506359), the attacker borrowed assets from Inverse Finance using a collateral asset that had less actual value than the borrowed assets.

Eleven Finance’s Incident Analysis — Improper Withdrawal Logic on emergencyBurn() Function

06/23/2021

Starting from Jun 22, 2021, 10:58:00 PM UTC, attacks were done on the Eleven Finance’s NeverSellVaults. Two attackers were using the same flaw to attack Eleven Finance.

StarkNet Smart Contract Common Pitfalls

08/08/2022

In this article, we will focus on a zk-rollups called StarkNet in terms of the common issues that every StarkNet developer should be concern about.

DeFi Risks 101 — 1: An Insecure Fork of MasterChef

07/19/2021

Hello and welcome to the first episode of the DeFi Risks 101. In this series, the Inspex research team will utilize our experience from smart contract auditing service and incident investigations to provide our readers with an in-depth technical analysis of notable issues that introduce risks to DeF

How 20 Million $OP Was Stolen from the Multisig Wallet (Not Yet) Owned by Wintermute

06/09/2022

Wintermute was engaged by the Optimism Foundation for liquidity provisioning services on the $OP launch. On May 27, 2022, 20 million $OP was allocated to Wintermute from the Foundation’s Partner Fund. However, Wintermute later found that they could not access these tokens because they had provided a

Cream Finance’s Incident Analysis — $yUSD Share Price Manipulation

10/28/2021

Starting from Oct-27–2021 01:54:10 PM UTC, Cream Finance was exploited using a flaw in the share price calculation of Yearn Finance’s yUSD contract.

Poly Network Incident Observations

08/11/2021

The following steps are used by Inspex to understand the incident that happened to Poly Network. In this article, we will describe how we investigated the situation from the transaction and our brief observations, not the analysis of the vulnerability or the attack.

Inspex Library Major Update — Better UX/UI and New Features.

08/19/2022

Inspex Library is created to allow the decentralized application users that prioritize the security of platforms they are using, whether it’s DeFi, GameFi, Metaverse, or NFT, to quickly and confidently gain access to the audited platforms’ audit information and reports.

How Hackers Can Become “Lucky” in NFT Minting

03/14/2022

NFT games (GameFi) have become popular since the end of last year, and the popularity is still growing as more projects are being developed and launched. One thing that most GameFi projects have in common is the use of NFTs with multi-level rarities for in-game mechanisms.

Reentrancy Attack on Cream Finance — Incident Analysis

09/01/2021

Starting from Aug 30, 2021, 05:44:47 AM UTC, Cream Finance was affected by a reentrancy attack based on the implementation of $AMP token.

Paradigm CTF 2022 Writeup

08/29/2022

There were different types of smart contract challenges, including EVM, Solana, and Cairo, and we were having a great time solving these fun and challenging challenges.