HECO Chain

Arbitrum

Harmony One X

Avalanche C-Chain

Polygon

StarkNet

BNB Smart Chain

TKX Chain

Ethereum

Boba Network

Fantom Opera

Solana

Bitkub Chain

Moonbeam

Bitkub Upgrades Blockchain Network

Inspex บริษัท Blockchain Audit น้องใหม่สัญชาติไทยที่ Audit มูลค่ารวมแล้วกว่า 7 หมื่นล้านบาท

มุมมองโลก DeFi จาก Inspex บริษัท Security Audit ในวงการ Blockchain

Oracle    Oracles are data feeds that bring data from off the blockchain (off-chain) data sources and puts it on the blockchain (on-chain) for smart contracts to use. This is necessary because smart contracts running on Ethereum cannot access information stored outside the blockchain network.  —  ethereum.org   Different oracles differ in their approach to solving the oracle problem. While no oracle is perfect, an oracle’s merits should be measured based on how it handles the following challenges:  - Correctness: An oracle should not cause smart contracts to trigger state changes based on invalid off-chain data. For this reason, an oracle must guarantee the authenticity and integrity of data—authenticity means the data was gotten from the correct source, while integrity means the data remained intact (i.e., it wasn’t altered) before being sent on-chain.  - Availability: An oracle should not delay or prevent smart contracts from executing actions and triggering state changes. This quality requires that data from an oracle be available on request without interruption.  In this article, we will focus on the issues and past incidents with mitigation of the Price Oracle, one of the most common Oracle usages.    SPOT Price   The SPOT price oracle is a decentralized chain oracle. It has promising properties for a decentralized smart contract: it decentralizes and does not rely on off-chain data. It is also easy to implement and understand.  The SPOT price oracle gets the price by calculating the ratio of the reserved assets in the observed pools. For example, in the  OracleSpot  contract below, it has a function named  getPrice() . The function will return the price of the  token1  (assuming the  reserve1  state belongs to the  token1  of the pair).   OracleSpot.sol    interface IUniswapV2Pair {
    function getReserves() external view returns (uint112 reserve0, uint112 reserve1, uint32 blockTimestampLast);
}

contract OracleSpot {
    IUniswapV2Pair public pair;
    uint256 constant PRECISION = 1e18;
    function getPrice() external returns (uint256) {
        (uint112 reserve0, uint112 reserve1, ) = pair.getReserves();
        return uint256(reserve0) * PRECISION / uint256(reserve1);
    }
}    The price from this function comes from dividing  reserve0  with  reserve1 . Therefore, the reserve of the tokens has a direct impact on the price.   Concerns   Since, the price relies on the  getReserves()  from the pool contract. This type of oracle will have one main weaknesses: The reserves of the pools directly affects the price.  The price from the oracle reflcts from the reserves of the observing pool regradless the real price of the asset.     1. The reserve of a pool cannot represent the real value of the assets   Different pools with the same assets cannot guarantee the same ratio of assets. Oracles that observe different reserves in different pools can result in different prices.  Normally, there are entities called  arbitrageur . They are entities that make profits from the price differences. When it detects imbalaced prices in the observed pools, the arbitrageur will trade the tokens between pools until the prices are balanced and gains profits as an incentive.  But in the blockchain, the finalization of the states is cut off at each block, so the balances of the pools at the start of the block can be imbalanced. The attacker can attack the platforms that use the SPOT price oracle that relies on the prices from the imbalanced pool because the prices will still deviate from the normal prices.     Pool A (TokenA:TokenB)
reserveA: 10 000
reserveB:  5 000

Oracle(priceB): 10 000 / 5 000 = 2 tokenA      Pool B (TokenA:TokenB)
reserveA: 15 000
reserveB:  5 000

Oracle(priceB): 15 000 / 5 000 = 3 tokenA      2. A small pool is susceptible to price manipulation   Normally, liquidity pools provide the ability for users to swap the assets within the pool. Each pool can have different mechanisms for calculating the amount of the swap. But they have one thing in common: the reserve amounts of the pools will be changed after a successful swap.     Pool A (TokenA:TokenB)
reserveA: 10 000
reserveB:  5 000

Oracle(priceB): 10 000 / 5 000 = 2 tokenA

Pool B (TokenA:TokenB)
reserveA: 10 000 000 000
reserveB:  5 000 000 000

Oracle(priceB): 10 000 000 000 / 5 000 000 000 = 2 tokenA   For instance, in pools A and B, we assume that the token has a decimal point of 3. When we swap tokenA for tokenB with the same amount (swap 5 tokenA for 2.5 tokenB) on pools with different liquidity sizes.  On pool A, it has 10 tokenA and 5 tokenB in the reserve. When a user uses 5 tokens, which is 50 percent of the token’s reserve, the ratio of the assets in the pool changes drastically.  Before the swap, the oracle showed the price as 2 tokenA per tokenB.After the swap, the price has changed from 2 to 6, which is threefold higher.     Pool A (TokenA:TokenB)
reserveA: 10 000
reserveB:  5 000

# Oracle price before the swap
Oracle(priceB): 10.000 / 5.000 = 2.000 tokenA

SWAP 5 tokenA for 2.5 tokenB (use a simple price mechanic for the demonstration)

# reserves after the swap
reserveA: 15 000
reserveB:  2 500

# Oracle price after the swap
Oracle(priceB): 15.000 / 2.500 = 6.000 tokenA     On another pool, pool B, it has more reserve than pool A by one million times. When a user also swaps 5 tokenA for tokenB, which is 0.00005 percent of the reserve, the ratio of the reserve is barely changed compared to pool A.  Before the swap, the oracle showed the price as 2 tokenA per tokenB. After the swap, the price will still be 2 (some precision is lost, of course).     Pool B (TokenA:TokenB)
reserveA: 10 000 000 000
reserveB:  5 000 000 000

# Oracle price before the swap
Oracle(priceB): 10 000 000.000 / 5 000 000.000 = 2.000 tokenA

SWAP 5 tokenA for 2.5 tokenB (use a simple price mechanic for the demonstration)

# reserves after the swap
reserveA: 10 000 005 000
reserveB:  4 999 997 500

# Oracle price after the swap
Oracle(priceB): 10 000 005.000 / 4 999 997.500 = 2.000 tokenA   As you can see, a swap affects the reserves of the pool and the reserves affect the price of the SPOT price oracle cascadingly. Any users can manipulate the price from the SPOT price oracle by interacting with the pool directly.  The difficulty of SPOT price oracle’s price manipulation is depended on the size of the reserves in the pools or commonly called the liquidity size.   Related incidents   On 13 November, 2021, Welnance was exploited. The attack is about the flaw in the Oracle contract that used the  getAmountsOut()  function (SPOT sprice). Thus, the attacker used this flaw to manipulate the asset prices and gain profits from the platform. For more details about the incident, you can check it here:  https://inspexco.medium.com/welnances-incident-analysis-wel-price-manipulation-9020617452 .   WelPriceOracle.sol    function getAmountsOut(uint256 _amountIn, address token0, address token1) public view returns (uint256 result) {
    address[] memory pairToken = new address[](2);
    pairToken[0] = token0;
    pairToken[1] = token1;
    uint256[] memory results = IPancakeRouter(routerAddress).getAmountsOut(_amountIn, pairToken);
    result = results[1];
}

function setTokenBUSD (address _tokenAddress) external {
    tokenBUSD = _tokenAddress;
}

function setTokenWel (address _tokenAddress) external {
    tokenWel = _tokenAddress;
}

function getUnderlyingPrice(WLToken wlToken) public view returns (uint) {
    if (compareStrings(wlToken.symbol(), "wlWEL")) {
        return getAmountsOut(1000000000000000000,tokenWel, tokenBUSD);
    } else if (compareStrings(wlToken.symbol(), "wlBNB")) {
        IStdReference.ReferenceData memory data = ref.getReferenceData("BNB", "USD");
        return data.rate;
    } else {
        uint256 price;
        BEP20Interface token = BEP20Interface(WBep20(address(wlToken)).underlying());

        if(prices[address(token)] != 0) {
            price = prices[address(token)];
        } else {
            IStdReference.ReferenceData memory data = ref.getReferenceData(token.symbol(), "USD");
            price = data.rate;
        }

        uint decimalDelta = 18-uint(token.decimals());
        return price.mul(10**decimalDelta);
    }
}    Time-Weighted Average Price   TWAP (time-weighted average price) is a mechanism that was developed to defend against the price tolerance of the SPOT price oracle. The most renowned TWAP oracle is UNISWAP’s TWAP oracle. In practice, TWAP is just a concept, it has many variations depending on the platform’s business design. So, now we will use the UniswapV2’s TWAP oracle as a base to illustrate the basic concept of the TWAP oracle.  TWAP oracle observes a liquidity pool and uses the asset reserve data to calculate the SPOT prices. Then, it accumulates the prices and uses the average over a time window as the oracle price.   ref:  https://docs.uniswap.org/contracts/v2/concepts/core-concepts/oracles   The pair that supports that price cumulative function must implement the cumulative price update mechanism every time the reserves are updated in the pool.   Concerns    1. The time-weighted average price is slower than the actual price   The price-calculating mechanism of the TWAP oracle is not as straightforward as that of the SPOT price oracle. The TWAP oracle used the average of the cumulative price (not a SPOT price) of the configured time window. There are many variations of TWAP that affect the oracle prices within the window. The oracle price, in some variation, is the same throughout the time window.  Suppose that the TWAP oracle has a 1-hour time window. It means that the price from the TWAP oracle will be updated every hour. Then, the price of the observed asset spiked 50 percent due to any circumstances. Unless we reach the next time window, the oracle price in this time slot will not change.   
TWAP Oracle (simplified)
# Oracle updated
Price(tokenB)  = 10 tokenA
TWAP Oracle(tokenB) = 10 tokenA

# Next 30 minutes
Price(tokenB)  = 15 tokenA // Some event occurred, tokenB has a high demand.
TWAP Oracle(tokenB) = 10 tokenA // Price from the oracle still same

# Next 30 minutes (Oracle updated)
Price(tokenB)  = 15 tokenA   // Suppose the price still be high
Oracle(tokenB) = 12.5 tokenA // Since the price change at the half of the time slot,
                             // the updated price will only be as half as effective 
   As you can see, though the TWAP oracle price has been updated, it still does not catch up with the real price. This property can be both good and bad. An attacker could use the TWAP price accuracy to gain profits from the platform that relies on the TWAP oracle price.   2. The trade-off between the price accurary and the price manipulation resistance   The TWAP oracle has price manipulation resistance, but at a cost. By increasing the time window of the TWAP oracle, it is harder to manipulate the price of the TWAP oracle. The bigger time window also causes the TWAP oracle price to be updated slower and catch up to the real price slower.  The cost of manipulating the TWAP oracle is linearly scaled with the size of the time window. e.g., to have the next price rise 50 percent more than the normal price, the manipulator has to maintain the manipulated price for the whole period. If there are arbitrageurs who are normalizing the price, it is harder to maintain the manipulated price.   Related incidents    Inverse Finance’s oracle (and a rich attacker)   On April 2, 2022, Inverse Finance was exploited by a rich attacker. The attack is about manipulating the price of $INV, which is used as the collateral asset of the platform, to be higher. Then the attacker borrows assets for profit. For more details, you can look at our incident investigation at  https://inspexco.medium.com/inverse-finances-incident-analysis-inv-price-manipulation-b15c2e917888 .  As we’ve aforementioned, TWAP oracle has many variations but originated on the Uniswap. This oracle stores the cumulative prices in the  observations  state. The platform will get the price through the  current()  function. At line 97, it takes the last observations as the reference. In this attack, the attacker manipulated the price and then updated the observation in the next block, resulting in the attacker being able to manipulate the asset price.   Keep3rV2Oracle.sol     function _computeAmountOut(uint start, uint end, uint elapsed, uint amountIn) internal view returns (uint amountOut) {
    amountOut = amountIn * (end - start) / e10 / elapsed;
}

function current(address tokenIn, uint amountIn, address tokenOut) external view returns (uint amountOut, uint lastUpdatedAgo) {
    (address token0,) = tokenIn &lt; tokenOut ? (tokenIn, tokenOut) : (tokenOut, tokenIn);

    Observation memory _observation = observations[length-1];
    uint price0Cumulative = IUniswapV2Pair(pair).price0CumulativeLast() * e10 / Q112;
    uint price1Cumulative = IUniswapV2Pair(pair).price1CumulativeLast() * e10 / Q112;
    (,,uint timestamp) = IUniswapV2Pair(pair).getReserves();

    // Handle edge cases where we have no updates, will revert on first reading set
    if (timestamp == _observation.timestamp) {
        _observation = observations[length-2];
    }

    uint timeElapsed = timestamp - _observation.timestamp;
    timeElapsed = timeElapsed == 0 ? 1 : timeElapsed;
    if (token0 == tokenIn) {
        amountOut = _computeAmountOut(_observation.price0Cumulative, price0Cumulative, timeElapsed, amountIn);
    } else {
        amountOut = _computeAmountOut(_observation.price1Cumulative, price1Cumulative, timeElapsed, amountIn);
    }
    lastUpdatedAgo = timeElapsed;
}    Off-Chain Feed Price   Another type of price oracle is the type that leverages the price data from off-chain and feeds it into the blockchain. They are not as decentralized as the SPOT price oracle or the TWAP price oracle. They need entities to collect data from multiple sources, such as centralized exchanges (CEX), and feed it into the on-chain smart contracts. The on-chain contracts are the interfaces for other smart contracts to get the oracle prices, for example,  Chainlink price oracle.    Concerns    1. The data feed are from off-chain entities   The main security concern of this type of oracle is that the price data are fed from off-chain entities. If the entities can purposely feed malicious price data, the oracle without any mechanisms to handle this case will provide the manipulated oracle price.   2. Self-managed data feed   Some data-fed oracles rely on data from an off-chain entity that is also the owner of the platform that uses the oracle. The platform that can control the price oracle completely can create a situation that is disadvantageous to the users and also steal the users’ assets.   3. Key management of the data feed entities   The entities that feed data to the on-chain contracts need to have the EOA address to interact with the contracts. Even though the smart contract can apply an authorization such as a whitelist EOA group to prevent malicious entities from updating the malicious price, a lack of private key management can allow the attacker to use the key to feed malicious price data into the oracle contracts and affect the platforms that use the oracle price.   Related incidents   Rug pull is a word for a platform that tricks users into investing in their platform, with the owners suddenly disappearing with all the users assets (and hope?). Left the users there with the platform’s worthless assets. From our observations, there haven’t been any incidents related to reputable price feed oracle providers misbehavior. But the self-managed price feed oracle could be a sign to allow the owner to bypass the security mechanism in the smart contracts and do a heinous crime to the users: rug pull.   General Mistakes of Using Price Oracle    Token decimal Handling   ERC20 token has  decimal  state to determine the amount of the digits that will be treated as the decimal part. The tokens commonly have 18 decimals but not necessary.  Price oracles usually have to deal with many ERC20 tokens. The oracle must always assume that the tokens can have different amount of decimal and can handle them in the arithmetic operations gracefully. An oracle that does not handle the difference in decimal will face an issue when they are arithmetically operated. For example, 1x10e18 wei worths 1 token on a token with 18 decimal but it will worth 1 billion token on a token with 9 decimal.    External Source   Since the price oracle relies on data sources from liquidity pools on the blockchain, the Oracle must create an external contract with the pool. If the pool contract’s address is not a constant variable in the contract, it can be changed into a malicious pool that returns malicious reserve data to the oracle.  There was once an incident with the wrong pool addresses on an Oracle contract. Having a constant pool address on the oracle is good for transparency but bad for recovering from configurations with wrong addresses.      TLDR   1.Do not use SPOT price oracle, ever!  2.TWAP oracle from the pools with small liquidity can be manipulated  3.Use price feed oracle from reputable providers          About Inspex      Inspex is formed by a team of cybersecurity experts highly experienced in various fields of cybersecurity. We provide blockchain and smart contract professional services at the highest quality to enhance the security of our clients and the overall blockchain ecosystem.  For any business inquiries, please contact us via   Twitter  ,   Telegram  ,   contact@inspex.co     REQUEST A QUOTE:    https://inspex.co/form

Security Concern on Price Oracle

Without a proxy, how can a smart contract be upgraded?

<h1>Introduction to End-to-End DApp Security Assessment Service</h1>For Decentralized Applications (DApp), developing smart contracts securely is one of the most critical parts. Nevertheless, off-chain components are also frequently used together with smart contracts to provide further functionalities for the users.In many occurrences, even when the smart contracts are properly assessed or audited, the platform can still be attacked through insecure off-chain components, causing massive damage. This can be seen in multiple past incidents, such as: Ronin Network being attacked through the validator RPC nodes, causing over $624,000,000 in damage (<a href="https://roninblockchain.substack.com/p/community-alert-ronin-validators" rel="noopener noreferrer nofollow">https://roninblockchain.substack.com/p/community-alert-ronin-validators</a>)BadgerDAO being attacked through the creation of unauthorized API key, causing over $121,000,000 in damage (<a href="https://badger.com/technical-post-mortem" rel="noopener noreferrer nofollow">https://badger.com/technical-post-mortem</a>)PancakeSwap being attacked through DNS Hijacking (<a href="https://medium.com/pancakeswap/dns-incident-recap-36a183a2aee6" rel="noopener noreferrer nofollow">https://medium.com/pancakeswap/dns-incident-recap-36a183a2aee6</a>)Pirate X Pirate being attacked through an insecure implementation of an off-chain conversion feature (<a href="https://medium.com/@PirateXPirateNFTsGame/pxp-statement-regarding-the-hacking-incident-and-remedies-44dc97ee0352" rel="noopener noreferrer nofollow">https://medium.com/@PirateXPirateNFTsGame/pxp-statement-regarding-the-hacking-incident-and-remedies-44dc97ee0352</a>, <a href="https://twitter.com/BlockSecTeam/status/1501474711599198211" rel="noopener noreferrer nofollow">https://twitter.com/BlockSecTeam/status/1501474711599198211</a>) In order to perform a security assessment to cover the smart contracts and all off-chain components from end-to-end, security professionals with understanding and experience in all of the components are required. If any of the components are left unchecked, that part can be a room for the attacker to exploit and cause damage to the platform and its users.Inspex, as one of the leading Blockchain and Smart Contract Security firms, was founded by a team of cybersecurity experts highly experienced in various fields of both off-chain and on-chain cybersecurity. We are providing the End-to-End DApp Security Assessment Service to support DApp projects on all sides, making sure that the platform is safe from both on-chain and off-chain attacks.<h4> What is End-to-End DApp Security Assessment Service?</h4>End-to-End DApp Security Assessment Service is a service that combines Smart Contract Audit Service with Penetration Testing Service.The Smart Contract Audit Service covers the on-chain components, which are the smart contracts of the platform. Whereas the Penetration Testing service covers other off-chain components, including website, server, API, or other services being used on the platform.With the coverage of all components, we can inspect and determine the risks from all possible angles in order to provide the best solutions to resolve or mitigate those risks for our clients. <h4>What Will You Get From Using Our End-to-End DApp Security Assessment Service?</h4>The clients of Inspex’s End-to-End DApp Security Assessment Service will have a security assessment performed on their platform by cybersecurity professionals at the highest quality. This assessment will cover all the agreed components of the platform, including the smart contracts and off-chain components.After the first assessment is finished, a preliminary report, with detailed descriptions of the risks and the recommendations to resolve those risks, will be provided. During the remediation of the issues by the project team, consultation with Inspex’s professionals can always be done in order to make sure that the solution used is best suited for our clients.When the issues are fixed, Inspex will perform a reassessment to make sure that the risks found in the first assessment are properly fixed and resolved without any complications. A full report will then be prepared and delivered to our client. <img src="https://public.inspex.co/articles/2023-07-13t06-40-49-349z-png"><img src="https://public.inspex.co/articles/2023-07-13t06-41-31-291z-png">Moreover, if issues with medium severity or above are all resolved, that project will be marked as “Verified by Inspex”, and a badge will be issued to confirm that the components within the assessment scope are properly secured for the users.<img src="https://public.inspex.co/articles/2023-07-13t06-42-16-191z-png">Furthermore, Inspex can help our clients announce the assessment result publicly through Inspex Library, allowing the platform users to access the information about the assessment and view the report.<h4>What Will You Get More From Using Our Smart Contract Audit Service?</h4>Inspex can help our clients announce the assessment result publicly through our social, community and Inspex Library, allowing the platform users to access the information about the assessment and view the report.Inspex Library: <a href="https://app.inspex.co/library" rel="noopener noreferrer nofollow">https://app.inspex.co/library</a><img src="https://public.inspex.co/articles/2023-07-13t06-52-05-269z-png">Additionally we can make real-time monitoring with The Inspex Explorer Lighthouse,&nbsp; the ultimate dashboard for investigating and monitoring DApps' security incidents. As a Decentralized project owner, you can now rest easy knowing that the Inspex Lighthouse has got your back when it comes to the security of your project. Inspex Lighthouse: <a href="https://app.inspex.co/lighthouse" rel="noopener noreferrer nofollow">https://app.inspex.co/lighthouse</a><img src="https://public.inspex.co/articles/2023-07-13t06-52-18-138z-png"> <img src="https://public.inspex.co/articles/2023-07-13t06-52-35-347z-png">

Introduction to End-to-End DApp Security Assessment Service   For Decentralized Applications (DApp), developing smart contracts securely is one of the most critical parts. Nevertheless, off-chain components are also frequently used together with smart contracts to provide further functionalities for the users.  In many occurrences, even when the smart contracts are properly assessed or audited, the platform can still be attacked through insecure off-chain components, causing massive damage. This can be seen in multiple past incidents, such as:  Ronin Network being attacked through the validator RPC nodes, causing over $624,000,000 in damage ( https://roninblockchain.substack.com/p/community-alert-ronin-validators )  BadgerDAO being attacked through the creation of unauthorized API key, causing over $121,000,000 in damage ( https://badger.com/technical-post-mortem )  PancakeSwap being attacked through DNS Hijacking ( https://medium.com/pancakeswap/dns-incident-recap-36a183a2aee6 )  Pirate X Pirate being attacked through an insecure implementation of an off-chain conversion feature ( https://medium.com/@PirateXPirateNFTsGame/pxp-statement-regarding-the-hacking-incident-and-remedies-44dc97ee0352 ,  https://twitter.com/BlockSecTeam/status/1501474711599198211 )  In order to perform a security assessment to cover the smart contracts and all off-chain components from end-to-end, security professionals with understanding and experience in all of the components are required. If any of the components are left unchecked, that part can be a room for the attacker to exploit and cause damage to the platform and its users.  Inspex, as one of the leading Blockchain and Smart Contract Security firms, was founded by a team of cybersecurity experts highly experienced in various fields of both off-chain and on-chain cybersecurity. We are providing the End-to-End DApp Security Assessment Service to support DApp projects on all sides, making sure that the platform is safe from both on-chain and off-chain attacks.     What is End-to-End DApp Security Assessment Service?   End-to-End DApp Security Assessment Service is a service that combines Smart Contract Audit Service with Penetration Testing Service.  The Smart Contract Audit Service covers the on-chain components, which are the smart contracts of the platform. Whereas the Penetration Testing service covers other off-chain components, including website, server, API, or other services being used on the platform.  With the coverage of all components, we can inspect and determine the risks from all possible angles in order to provide the best solutions to resolve or mitigate those risks for our clients.      What Will You Get From Using Our End-to-End DApp Security Assessment Service?   The clients of Inspex’s End-to-End DApp Security Assessment Service will have a security assessment performed on their platform by cybersecurity professionals at the highest quality. This assessment will cover all the agreed components of the platform, including the smart contracts and off-chain components.  After the first assessment is finished, a preliminary report, with detailed descriptions of the risks and the recommendations to resolve those risks, will be provided. During the remediation of the issues by the project team, consultation with Inspex’s professionals can always be done in order to make sure that the solution used is best suited for our clients.  When the issues are fixed, Inspex will perform a reassessment to make sure that the risks found in the first assessment are properly fixed and resolved without any complications. A full report will then be prepared and delivered to our client.       Moreover, if issues with medium severity or above are all resolved, that project will be marked as “Verified by Inspex”, and a badge will be issued to confirm that the components within the assessment scope are properly secured for the users.   Furthermore, Inspex can help our clients announce the assessment result publicly through Inspex Library, allowing the platform users to access the information about the assessment and view the report.     What Will You Get More From Using Our Smart Contract Audit Service?   Inspex can help our clients announce the assessment result publicly through our social, community and Inspex Library, allowing the platform users to access the information about the assessment and view the report.  Inspex Library:  https://app.inspex.co/library    Additionally we can make real-time monitoring with The Inspex Explorer Lighthouse,&nbsp; the ultimate dashboard for investigating and monitoring DApps' security incidents. As a Decentralized project owner, you can now rest easy knowing that the Inspex Lighthouse has got your back when it comes to the security of your project.  Inspex Lighthouse:  https://app.inspex.co/lighthouse

Introduction to End-to-End DApp Security Assessment Service

Welnance Finance is a platform that provides Decentralized Exchange, Swap, Staking, and Yield Farming Pools, along with other upcoming features such as, Lottery Lucky Draw, rewards and most importantly, Official Welnance Token. 

Welnance

Welnance Coin

Bright Union is the world leading multichain DeFi Insurance marketplace allowing the crypto community to safeguard each other from smart contract failures, hacks and exploits

Bright Union

Bright Union Token

SpeedStar is a simulation game in which users can take on the role of a player in the Starverse universe. In this universe, users can be anything they want. The game is developed by the Hell Factory team and launched on the Harmony One Chain.

SpeedStar

STAR Token

iAM48 is an application that allows participation between fans and Thai idol girl groups under Independent Artist Management (iAM) Company Limited

iAM48

BNK Governance token

Coin98 is a Financial Services builder that creates and develops an ecosystem of DeFi protocols, applications, and NFTs on multiple blockchains. The platform can help people to access DeFi services effortlessly.

Coin98

QuickSwap is a permissionless decentralized exchange (DEX) based on Ethereum, powered by Polygon Network’s Layer 2 scalability infrastructure.

Safeguard

The Decentralized World

Our Services

How can we help you?

DApps Platform

Investor

About Us

The way we work

Inspex Audit Framework

Inspex Security Solution is covering the whole Software Development Life Cycle

Our Products

Inspex Explorer

Inspex Security Solution is covering the whole Software Development Life Cycle

Trusted by leading DApps

We are trusted by the leading platforms to use our services, and we can help you with your next project!

Industry's leading experts

Partners & Investors

In The News