Security research

Security Research.

Public write-ups on the bugs, patterns, and protocols we audit. Engineer-to-engineer, no fluff.

Filter
Editor's pick
Featured
Who is Zealynx? Why DeFi teams choose our top-tier smart contract audits
Zealynx NewsSep 18, 2025·7 min
Read the write-up

Who is Zealynx? Why DeFi teams choose our top-tier smart contract audits

Zealynx is a founder-led Web3 security firm. 33+ audits across 30+ protocols on EVM and Solana, smart contract audits, penetration testing, AI security, and the Zealynx Audit Grants program.

This month

Latest.

Gamified Learning in Web3: Why Ranks, Leaderboards, and Lynx Actually Work
Smart Contract SecurityMay 18, 2026·11 min

Gamified Learning in Web3: Why Ranks, Leaderboards, and Lynx Actually Work

Gamification in learning often feels hollow. Here's why Zealynx Academy's rank and leaderboard system is different — and why it produces verifiable reputation, not points for points' sake.

Read
Anthropic MCP SDK Vulnerability (April 2026): Full Analysis
Adversarial & AI SecurityMay 15, 2026·12 min

Anthropic MCP SDK Vulnerability (April 2026): Full Analysis

Inside the April 2026 Anthropic MCP SDK design flaw: STDIO transport allows config-to-command-execution across Python, TypeScript, Java, Rust SDKs — by design.

Read
Inside the ETHSecurity Badge: Recognition from TheDAO Fund and What It Means
Zealynx NewsMay 14, 2026·10 min

Inside the ETHSecurity Badge: Recognition from TheDAO Fund and What It Means

TheDAO Security Fund awarded the ETHSecurity Badge to Ethereum security contributors. Holders get 4x matching impact in the Ethereum Security QF round, open through May 14, 2026.

Read
Category / smart-contracts

Smart Contract Security.

See all in Smart Contract Security
Gamified Learning in Web3: Why Ranks, Leaderboards, and Lynx Actually Work
Smart Contract SecurityMay 18, 2026·11 min

Gamified Learning in Web3: Why Ranks, Leaderboards, and Lynx Actually Work

Gamification in learning often feels hollow. Here's why Zealynx Academy's rank and leaderboard system is different — and why it produces verifiable reputation, not points for points' sake.

Read
Base OP Stack Security Audit: 29 Checks EVM Equivalence Hides
Smart Contract SecurityApr 13, 2026·23 min

Base OP Stack Security Audit: 29 Checks EVM Equivalence Hides

29-point Base L2 audit checklist: block timing exploits, address aliasing, dual gas fees, bridge vulnerabilities, sequencer threats, and fault proof risks.

Read
Layer 2 security under the hood: proof systems, upgrade keys, and what actually protects your funds
Smart Contract SecurityApr 9, 2026·17 min

Layer 2 security under the hood: proof systems, upgrade keys, and what actually protects your funds

Compare Arbitrum, Optimism, and Polygon zkEVM security models. Fraud proofs, ZK validity proofs, upgrade multisigs, and sequencer risks — a data-driven L2 guide.

Read
Category / protocol-deep-dives

DeFi Protocol Analysis.

See all in DeFi Protocol Analysis
Yearn vault security: V2 vs V3 architecture, exploits, and defense patterns
DeFi Protocol AnalysisApr 20, 2026·16 min

Yearn vault security: V2 vs V3 architecture, exploits, and defense patterns

Yearn V2 and V3 vault architecture, exploit case studies (yDAI, yUSDT, Cream), and defense patterns every DeFi auditor and integrator must know.

Read
ERC-3643 vs ERC-1400 for RWA Compliance
DeFi Protocol AnalysisFeb 22, 2026·9 min

ERC-3643 vs ERC-1400 for RWA Compliance

Compare ERC-3643 and ERC-1400 for RWA compliance. See identity checks, partition tradeoffs, ACT risk, forced transfers, and when each token standard fits.

Read
How to Start Your First Uniswap V4 Hook: Essentials, Libraries, and Risks
DeFi Protocol AnalysisFeb 19, 2026·13 min

How to Start Your First Uniswap V4 Hook: Essentials, Libraries, and Risks

Step-by-step guide to building your first Uniswap V4 hook. Learn the essential libraries, contract structure, hook permissions, and critical security considerations for DeFi developers.

Read
Category / audit-ops

Audit Operations.

See all in Audit Operations
When to audit a smart contract: The 2026 security timeline
Audit OperationsApr 27, 2026·26 min

When to audit a smart contract: The 2026 security timeline

The 2026 security timeline for Web3 protocols: when to audit at design, dev, pre-launch, and post-launch — plus real lead times, audit costs, and launch buffer rules.

Read
How to Scope a Smart Contract Audit: What Auditors Need
Audit OperationsApr 23, 2026·23 min

How to Scope a Smart Contract Audit: What Auditors Need

Smart contract audit scoping guide. Seven deliverables auditors need, nSLOC pricing benchmarks, and the Rekt Test — cut your quote 15–30%.

Read
Post-audit security: why the audit is a commit hash, not a security posture
Audit OperationsApr 22, 2026·21 min

Post-audit security: why the audit is a commit hash, not a security posture

Audits attest to a commit hash, not protocol safety. Learn how monitoring, invariants, runbooks, and OpSec close the gap — with Euler, Nomad, Ronin, and Radiant case studies.

Read
Category / adversarial-security

Adversarial & AI Security.

See all in Adversarial & AI Security
Anthropic MCP SDK Vulnerability (April 2026): Full Analysis
Adversarial & AI SecurityMay 15, 2026·12 min

Anthropic MCP SDK Vulnerability (April 2026): Full Analysis

Inside the April 2026 Anthropic MCP SDK design flaw: STDIO transport allows config-to-command-execution across Python, TypeScript, Java, Rust SDKs — by design.

Read
OWASP ASI04 Explained: Agentic Supply Chain Attacks
Adversarial & AI SecurityMay 12, 2026·12 min

OWASP ASI04 Explained: Agentic Supply Chain Attacks

OWASP ASI04 (Agentic Supply Chain Vulnerabilities) explained: MCP Impersonation, malicious tools, trojanised connectors. Real CVEs, attack patterns, mitigations.

Read
MCP Vulnerabilities 2025-2026: 16+ CVEs & Breach Index
Adversarial & AI SecurityMay 8, 2026·13 min

MCP Vulnerabilities 2025-2026: 16+ CVEs & Breach Index

Complete MCP vulnerability index: 16 disclosed breaches and 14+ CVEs since April 2025 across Anthropic, Cursor, Postmark — with OWASP ASI04 patterns. Updated weekly.

Read
Category / web3-attack-vectors

Web3 Attack Vectors.

See all in Web3 Attack Vectors
Flash loan attacks: anatomy of nine-figure DeFi exploits
Web3 Attack VectorsApr 29, 2026·37 min

Flash loan attacks: anatomy of nine-figure DeFi exploits

How flash loans amplify oracle, donation, and reentrancy bugs into $200M+ DeFi exploits — Cetus, Penpie, KyberSwap, UwU Lend case studies plus defenses that hold.

Read
DAO governance attacks: how flash loans and vote manipulation drain treasuries
Web3 Attack VectorsMar 23, 2026·21 min

DAO governance attacks: how flash loans and vote manipulation drain treasuries

How attackers exploit DAO governance with flash loans, EVM opcode injection, and quorum exhaustion — plus audit strategies and defense architectures.

Read
Oracle manipulation in DeFi: how price feeds become attack vectors
Web3 Attack VectorsMar 18, 2026·11 min

Oracle manipulation in DeFi: how price feeds become attack vectors

How attackers exploit oracle price feeds in DeFi using flash loans, AMM imbalances, and governance subversion — with defense patterns for protocol architects.

Read
Category / industry

Industry and Compliance.

See all in Industry and Compliance
The Web3 Founder's Survival Guide: Everything No Engineering Curriculum Teaches
Industry and ComplianceMay 11, 2026·16 min

The Web3 Founder's Survival Guide: Everything No Engineering Curriculum Teaches

Most Web3 founders are technical and ship great code, then watch the protocol die to non-code problems. Tokenomics, fundraising, governance, regulatory, GTM — this is what kills teams.

Read
OWASP Smart Contract Top 10 2026: changes and audit guide
Industry and ComplianceMay 4, 2026·29 min

OWASP Smart Contract Top 10 2026: changes and audit guide

The 2026 OWASP Smart Contract Top 10 elevated business logic to #2 and added proxy & upgradeability at #10. Here's what changed and how to audit.

Read
EthCC 2026 Cannes: Security Guide for Web3 Builders
Industry and ComplianceMar 19, 2026·9 min

EthCC 2026 Cannes: Security Guide for Web3 Builders

Your complete guide to EthCC 2026 in Cannes. Key dates, side events, networking tips, and how Web3 builders can make the most of the conference.

Read
Category / zealynx-news

Zealynx News.

See all in Zealynx News
Inside the ETHSecurity Badge: Recognition from TheDAO Fund and What It Means
Zealynx NewsMay 14, 2026·10 min

Inside the ETHSecurity Badge: Recognition from TheDAO Fund and What It Means

TheDAO Security Fund awarded the ETHSecurity Badge to Ethereum security contributors. Holders get 4x matching impact in the Ethereum Security QF round, open through May 14, 2026.

Read
Pre-audit readiness engine: how Krait catches 12 findings that cost teams 30% more
Zealynx NewsMay 12, 2026·16 min

Pre-audit readiness engine: how Krait catches 12 findings that cost teams 30% more

Krait is the Zealynx pre-audit readiness engine. Catch the 12 finding categories that inflate smart contract audit quotes by 30% — locally, free, before booking.

Read
Shadow Audits: How to Learn Web3 Security by Breaking Real Protocol Forks
Zealynx NewsApr 29, 2026·15 min

Shadow Audits: How to Learn Web3 Security by Breaking Real Protocol Forks

Shadow audits replay past public security contests on real protocol forks. Learn Web3 security the way top auditors did: reviewing graded contests, fast.

Read
Showing 12 of 110

All research.

The ERC‑20 Pitfall: Why It Doesn't Fit Tokenized Securities and RWA Compliance
DeFi Protocol AnalysisDec 18, 2025·8 min

The ERC‑20 Pitfall: Why It Doesn't Fit Tokenized Securities and RWA Compliance

Discover why ERC-20's permissionless nature is a liability for Real World Assets (RWA) and how ERC-3643 enables institutional compliance on public blockchains.

Read
The Pre-Audit Checklist: How to Save 30% on Your Smart Contract Audit
Audit OperationsDec 16, 2025·7 min

The Pre-Audit Checklist: How to Save 30% on Your Smart Contract Audit

Cut smart contract audit costs by 30% with proper preparation. Complete pre-audit checklist for DeFi protocols: testing, documentation, and security tools.

Read
Building RWA Protocols on EVM: ERC-3643, ERC-7540 Vaults, and the SPV Synchronization Problem
DeFi Protocol AnalysisDec 12, 2025·8 min

Building RWA Protocols on EVM: ERC-3643, ERC-7540 Vaults, and the SPV Synchronization Problem

Master Real World Asset tokenization: implement ERC-3643 compliance, ERC-7540 async vaults, and secure SPV architecture. Technical guide for developers building RWA protocols.

Read
Divide and Conquer Auditing: Breaking Down Uniswap V2 to Find Critical DeFi Bugs
Audit OperationsDec 9, 2025·13 min

Divide and Conquer Auditing: Breaking Down Uniswap V2 to Find Critical DeFi Bugs

Learn how elite auditors break down complex DeFi protocols to find critical vulnerabilities. Step-by-step guide using Uniswap V2 as a real-world case study.

Read
Uniswap V3 Explained: Concentrated Liquidity, Tick Math & Security Risks
DeFi Protocol AnalysisDec 4, 2025·15 min

Uniswap V3 Explained: Concentrated Liquidity, Tick Math & Security Risks

Uniswap V3 explained for developers. Learn concentrated liquidity, tick math, JIT liquidity, oracle manipulation, and the security checklist for safe integrations and forks.

Read
Linear Algebra & Calculus Attack Vectors in Large Language Models
Adversarial & AI SecurityNov 29, 2025·16 min

Linear Algebra & Calculus Attack Vectors in Large Language Models

Discover how linear algebra, calculus, probability theory, and statistics create security vulnerabilities in AI systems. Learn the mathematical foundations hackers exploit to jailbreak LLMs and compromise AI models.

Read
Uniswap V2 Security: Fork Safely & Avoid Costly Bugs
DeFi Protocol AnalysisNov 18, 2025·14 min

Uniswap V2 Security: Fork Safely & Avoid Costly Bugs

Don’t fork Uniswap V2 blind. ERC20 pool architecture, TWAP oracle manipulation risks, flash swap exploits, and 7 security pitfalls that cost forks millions.

Read
What Is Hyperliquid Exchange? 2026 Builder Guide to API, SDKs & HyperEVM
Industry and ComplianceNov 10, 2025·11 min

What Is Hyperliquid Exchange? 2026 Builder Guide to API, SDKs & HyperEVM

What is Hyperliquid exchange, how does HyperEVM fit in, and what can developers build on top? Learn the Hyperliquid API, Python and TypeScript SDKs, builder codes, and real project ideas.

Read
Cognitive Psychology Reveals LLM Vulnerabilities: AI Security Foundations
Adversarial & AI SecurityNov 4, 2025·19 min

Cognitive Psychology Reveals LLM Vulnerabilities: AI Security Foundations

Explore the cognitive foundations of AI security in part 1 of our LLM Security Deep Dive. Learn how cognitive psychology uncovers vulnerabilities in large language models and modern AI systems, empowering you to understand and secure advanced neural networks.

Read
Uniswap V1: How the First AMM Worked (& Its Flaws)
DeFi Protocol AnalysisOct 27, 2025·11 min

Uniswap V1: How the First AMM Worked (& Its Flaws)

How Uniswap V1 invented the AMM: x*y=k invariant, ETH-only pools, and the price manipulation gaps that V2 had to fix. Security-first code analysis.

Read
Balancer Security Analysis: Critical Architecture Risks
DeFi Protocol AnalysisOct 17, 2025·14 min

Balancer Security Analysis: Critical Architecture Risks

Deep dive into Balancer V1–V3: vault architecture, weighted pools, flash loan risks, and the critical security vulnerabilities DeFi auditors look for — Zealynx Security.

Read
What Is Curve Finance? StableSwap, crvUSD, Risks, and Security
DeFi Protocol AnalysisOct 10, 2025·37 min

What Is Curve Finance? StableSwap, crvUSD, Risks, and Security

What Curve Finance is, how StableSwap, CryptoSwap, crvUSD, and LLAMMA work, where integrations fail, and which security risks DeFi teams should review before building on Curve.

Read