Services

Smart Contract Audit

Analyze a decentralized application’s smart contracts and overall operation using static code analysis, dynamic analysis, and manual review to identify vulnerabilities as well as technical and business logic flaws that may expose the application to various external risks

Decentralized Application Security Consulting

Provide consultation from design to development of decentralized applications, resolving both technical and business issues with professional support throughout the product development life cycle, maximizing the security level of smart contracts to protect our clients and their users

Digital Assets Investment Security Consulting

Provide consultation to investment funds and high-net-worth individuals on the security of DeFi projects and earning opportunities in the blockchain ecosystem, focusing on translating identified vulnerabilities and issues into easy-to-understand impact on the deployed capital

Methodology

  • Pre-Audit

    Build an understanding of the overall operations of the related smart contracts. Check the audit targets’ readiness, and make the necessary internal preparations for the audit

  • Audit

    Inspect smart contracts using industry-accepted automated analysis tools and manual analysis by a team of professionals to identify both general coding bugs and advanced smart contract vulnerabilities in the decentralized application's workflow and logic

  • Preliminary Report

    Deliver preliminary findings with professional suggestions and consultation on how to remediate the identified issues

  • Reassessment

    Verify the status of each issue and re-inspect to ensure there are no additional complications caused by the fixes applied

  • Final Report

    Provide a full final report with the detailed description, risk rating, and status of each identified issue

Research

Flash Loan/Flash Swap Using UniswapV2-Based AMMs

Flash loans have been one of the most impactful techniques used in smart contract attacks, and they are becoming more prevalent.

Introducing: Inspex Explorer & Library

Inspex Explorer is a platform designed to be an all-in-one blockchain & smart contract security platform.

Smart Contract Security Testing Guide

Smart Contract Security Testing Guide (SCSTG) is a risk-based guide for smart contract security professionals and developers to use as a reference in the security testing of smart contracts.

bEarn.Fi Incident Analysis — bVaults Improper Withdrawal Amount Handling

Starting from 10:36:20 AM UTC on May 16th, 2021, bEarn.Fi’s BUSD vault was exploited due to improper withdrawal amount handling.

Cross-Contract Reentrancy Attack

In this article, we will show you what Cross-Contract Reentrancy is, how impactful it can be, and how you can prevent it. We also have a hands-on lab that you can follow along with to learn about this vulnerability in more detail.

Dopple Finance’s $KUSD and Synthetic Assets Manual Minting Analysis

On Jan 15, 2022, Inspex was contacted by multiple Dopple Finance users to investigate suspicious transactions on Dopple Finance prior to the big price crash.

ValueDeFi’s Invalid Share Calculation Exploit In-depth Analysis

Starting from 08:13:06 PM UTC on May 7th, 2021, ValueDeFi’s multi-strategy WBNB vault was exploited due to an invalid share calculation.

Inverse Finance’s Incident Analysis — $INV Price Manipulation

On Apr 02, 2022, 11:04:09 AM UTC (block 14506359), the attacker borrowed assets from Inverse Finance using a collateral asset that had less actual value than the borrowed assets.

Eleven Finance’s Incident Analysis — Improper Withdrawal Logic on emergencyBurn() Function

Starting from Jun 22, 2021, 10:58:00 PM UTC, attacks were carried out on Eleven Finance’s NeverSellVaults. Two attackers were using the same flaw to attack Eleven Finance.

StarkNet Smart Contract Common Pitfalls

In this article, we will focus on a zk-rollup called StarkNet and the common issues that every StarkNet developer should be concerned about.

DeFi Risks 101 — 1: An Insecure Fork of MasterChef

Hello and welcome to the first episode of the DeFi Risks 101. In this series, the Inspex research team will utilize our experience from smart contract auditing service and incident investigations to provide our readers with an in-depth technical analysis of notable issues that introduce risks to DeF

How 20 Million $OP Was Stolen from the Multisig Wallet (Not Yet) Owned by Wintermute

Wintermute was engaged by the Optimism Foundation for liquidity provisioning services on the $OP launch. On May 27, 2022, 20 million $OP was allocated to Wintermute from the Foundation’s Partner Fund. However, Wintermute later found that they could not access these tokens because they had provided a

Cream Finance’s Incident Analysis — $yUSD Share Price Manipulation

Starting from Oct 27, 2021, 01:54:10 PM UTC, Cream Finance was exploited using a flaw in the share price calculation of Yearn Finance’s yUSD contract.

Poly Network Incident Observations

The following steps are used by Inspex to understand the incident that happened to Poly Network. In this article, we will describe how we investigated the situation from the transaction and our brief observations, not the analysis of the vulnerability or the attack.

Inspex Library Major Update — Better UX/UI and New Features.

Inspex Library is created to allow the decentralized application users that prioritize the security of platforms they are using, whether it’s DeFi, GameFi, Metaverse, or NFT, to quickly and confidently gain access to the audited platforms’ audit information and reports.

How Hackers Can Become “Lucky” in NFT Minting

NFT games (GameFi) have become popular since the end of last year, and the popularity is still growing as more projects are being developed and launched. One thing that most GameFi projects have in common is the use of NFTs with multi-level rarities for in-game mechanisms.

Reentrancy Attack on Cream Finance — Incident Analysis

Starting from Aug 30, 2021, 05:44:47 AM UTC, Cream Finance was affected by a reentrancy attack based on the implementation of $AMP token.

Paradigm CTF 2022 Writeup

There were different types of smart contract challenges, including EVM, Solana, and Cairo, and we were having a great time solving these fun and challenging challenges.

Merlin Lab’s Incident Analysis — Improper Mint Amount Calculation on mintFor() Function

Starting from Jun 29, 2021, 07:24:29 AM UTC, attacks were carried out on Merlin’s Alpaca Vault due to improper mint amount calculation.
