Security research

Security Research.

Public write-ups on the bugs, patterns, and protocols we audit. Engineer-to-engineer, no fluff.

Filter
Editor's pick
Featured
Who is Zealynx? Why DeFi teams choose our top-tier smart contract audits
Zealynx NewsSep 18, 2025·7 min
Read the write-up

Who is Zealynx? Why DeFi teams choose our top-tier smart contract audits

Zealynx is a founder-led Web3 security firm. 33+ audits across 30+ protocols on EVM and Solana. Smart contract audits, full-stack audits, audit subscriptions, penetration testing, AI security, and the Zealynx Audit Grants program.

This month

Latest.

OWASP ASI07 Explained: Insecure Inter-Agent Communication
Adversarial & AI SecurityJun 23, 2026·13 min

OWASP ASI07 Explained: Insecure Inter-Agent Communication

OWASP ASI07 (Insecure Inter-Agent Communication) explained: how agents trust each other too much, relay malicious instructions, and amplify prompt injection.

Read
OWASP ASI09 Explained: Human-Agent Trust Exploitation
Jun 19, 2026·11 min

OWASP ASI09 Explained: Human-Agent Trust Exploitation

OWASP ASI09 (Human-Agent Trust Exploitation) explained: how AI agents exploit anthropomorphism, authority bias, and confirmation fatigue to drive harmful approvals.

Read
OWASP ASI06 Explained: AI Memory & Context Poisoning
Jun 16, 2026·11 min

OWASP ASI06 Explained: AI Memory & Context Poisoning

OWASP ASI06 (Memory and Context Poisoning) explained: RAG corruption, vector store attacks, persistent context bias. How to defend AI agent memory layers.

Read
Category / smart-contracts

Smart Contract Security.

See all in Smart Contract Security
Hyperliquid Security Checklist for Builders: HyperBFT, HyperCore, HyperEVM Risks Before Mainnet
Smart Contract SecurityMay 20, 2026·13 min

Hyperliquid Security Checklist for Builders: HyperBFT, HyperCore, HyperEVM Risks Before Mainnet

A builder focused Hyperliquid security checklist covering HyperBFT assumptions, HyperCore integrations, HyperEVM deployment risks, and pre audit launch gates before mainnet.

Read
Hyperliquid Security Checklist for Builders: HyperBFT, HyperCore, HyperEVM
Smart Contract SecurityMay 20, 2026·13 min

Hyperliquid Security Checklist for Builders: HyperBFT, HyperCore, HyperEVM

A builder focused Hyperliquid security checklist covering HyperBFT, HyperCore, HyperEVM, order flow, liquidation, oracle, bridge, and pre audit risks before launch.

Read
EIP-7702 wallet security: what auditors check after Pectra
Smart Contract SecurityMay 18, 2026·26 min

EIP-7702 wallet security: what auditors check after Pectra

EIP-7702 lets EOAs become smart contracts with one signature. Here are the 4 attack surfaces — phishing, delegate bugs, replay, ERC-4337 — auditors now check.

Read
Category / protocol-deep-dives

DeFi Protocol Analysis.

See all in DeFi Protocol Analysis
How to Build Compound V2 From Scratch (18 Sections, Line by Line)
DeFi Protocol AnalysisMay 28, 2026·13 min

How to Build Compound V2 From Scratch (18 Sections, Line by Line)

Rebuild Compound V2 from scratch — cTokens, Comptroller, InterestRateModel, and liquidation logic. The second-most-forked DeFi protocol, understood end to end.

Read
Uniswap v4 hook attacks: 4 exploit patterns with PoCs
DeFi Protocol AnalysisMay 25, 2026·25 min

Uniswap v4 hook attacks: 4 exploit patterns with PoCs

The four Uniswap v4 hook attack patterns that cover every public exploit: reentrancy, flag bypass, donation griefing, accounting drift — with minimal PoCs.

Read
Yearn vault security: V2 vs V3 architecture, exploits, and defense patterns
DeFi Protocol AnalysisApr 20, 2026·16 min

Yearn vault security: V2 vs V3 architecture, exploits, and defense patterns

Yearn V2 and V3 vault architecture, exploit case studies (yDAI, yUSDT, Cream), and defense patterns every DeFi auditor and integrator must know.

Read
Category / audit-ops

Audit Operations.

See all in Audit Operations
What Happens During a Smart Contract Audit: Week-by-Week Process
Audit OperationsMay 25, 2026·17 min

What Happens During a Smart Contract Audit: Week-by-Week Process

A senior auditor walks through what actually happens during a smart contract audit, week by week. Pre-audit prep, manual review, findings, fix verification, and final deliverables.

Read
When to audit a smart contract: The 2026 security timeline
Audit OperationsApr 27, 2026·26 min

When to audit a smart contract: The 2026 security timeline

The 2026 security timeline for Web3 protocols: when to audit at design, dev, pre-launch, and post-launch — plus real lead times, audit costs, and launch buffer rules.

Read
How to Scope a Smart Contract Audit: What Auditors Need
Audit OperationsApr 23, 2026·23 min

How to Scope a Smart Contract Audit: What Auditors Need

Smart contract audit scoping guide. Seven deliverables auditors need, nSLOC pricing benchmarks, and the Rekt Test — cut your quote 15–30%.

Read
Category / adversarial-security

Adversarial & AI Security.

See all in Adversarial & AI Security
OWASP ASI07 Explained: Insecure Inter-Agent Communication
Adversarial & AI SecurityJun 23, 2026·13 min

OWASP ASI07 Explained: Insecure Inter-Agent Communication

OWASP ASI07 (Insecure Inter-Agent Communication) explained: how agents trust each other too much, relay malicious instructions, and amplify prompt injection.

Read
OWASP ASI01 Explained: AI Agent Goal Hijacking
Adversarial & AI SecurityJun 2, 2026·12 min

OWASP ASI01 Explained: AI Agent Goal Hijacking

OWASP ASI01 (Agent Goal Hijack) explained: how prompt injection redirects AI agent objectives. Direct, indirect, and tool-mediated patterns with mitigations.

Read
Agentic DeFi security: when AI agents control treasury, trading, and liquidations
Adversarial & AI SecurityJun 1, 2026·21 min

Agentic DeFi security: when AI agents control treasury, trading, and liquidations

AI agents now autonomously control DeFi treasuries, execute trades, and trigger liquidations. The cross-layer attack surface that contract audits cannot see.

Read
Category / web3-attack-vectors

Web3 Attack Vectors.

See all in Web3 Attack Vectors
Flash loan attacks: anatomy of nine-figure DeFi exploits
Web3 Attack VectorsApr 29, 2026·37 min

Flash loan attacks: anatomy of nine-figure DeFi exploits

How flash loans amplify oracle, donation, and reentrancy bugs into $200M+ DeFi exploits — Cetus, Penpie, KyberSwap, UwU Lend case studies plus defenses that hold.

Read
DAO governance attacks: how flash loans and vote manipulation drain treasuries
Web3 Attack VectorsMar 23, 2026·21 min

DAO governance attacks: how flash loans and vote manipulation drain treasuries

How attackers exploit DAO governance with flash loans, EVM opcode injection, and quorum exhaustion — plus audit strategies and defense architectures.

Read
Oracle manipulation in DeFi: how price feeds become attack vectors
Web3 Attack VectorsMar 18, 2026·11 min

Oracle manipulation in DeFi: how price feeds become attack vectors

How attackers exploit oracle price feeds in DeFi using flash loans, AMM imbalances, and governance subversion — with defense patterns for protocol architects.

Read
Category / industry

Industry and Compliance.

See all in Industry and Compliance
The Web3 Founder's Survival Guide: Everything No Engineering Curriculum Teaches
Industry and ComplianceMay 11, 2026·16 min

The Web3 Founder's Survival Guide: Everything No Engineering Curriculum Teaches

Most Web3 founders are technical and ship great code, then watch the protocol die to non-code problems. Tokenomics, fundraising, governance, regulatory, GTM — this is what kills teams.

Read
OWASP Smart Contract Top 10 2026: changes and audit guide
Industry and ComplianceMay 4, 2026·29 min

OWASP Smart Contract Top 10 2026: changes and audit guide

The 2026 OWASP Smart Contract Top 10 elevated business logic to #2 and added proxy & upgradeability at #10. Here's what changed and how to audit.

Read
EthCC 2026 Cannes: Security Guide for Web3 Builders
Industry and ComplianceMar 19, 2026·9 min

EthCC 2026 Cannes: Security Guide for Web3 Builders

Your complete guide to EthCC 2026 in Cannes. Key dates, side events, networking tips, and how Web3 builders can make the most of the conference.

Read
Category / zealynx-news

Zealynx News.

See all in Zealynx News
The Case for Interactive-Only Pedagogy: How Zealynx Academy Teaches Differently
Zealynx NewsJun 1, 2026·14 min

The Case for Interactive-Only Pedagogy: How Zealynx Academy Teaches Differently

Zealynx Academy uses no videos, no slides, no passive content. Every section is interactive. Here's the pedagogical argument for why that works better for Web3 builders — and the specific design patterns behind it.

Read
Why Learning Web3 by Building Beats Watching Videos
Zealynx NewsMay 25, 2026·12 min

Why Learning Web3 by Building Beats Watching Videos

Most Web3 education is video-heavy. Research shows active construction of knowledge produces meaningful skill faster than passive consumption. Here's why build-first platforms matter.

Read
Inside the ETHSecurity Badge: Recognition from TheDAO Fund and What It Means
Zealynx NewsMay 14, 2026·10 min

Inside the ETHSecurity Badge: Recognition from TheDAO Fund and What It Means

TheDAO Security Fund awarded the ETHSecurity Badge to Ethereum security contributors. Holders get 4x matching impact in the Ethereum Security QF round, open through May 14, 2026.

Read
Showing 12 of 141

All research.

Tokenizing Intellectual Property on EVM: Solidity Patterns for Programmable IP Rights
DeFi Protocol AnalysisFeb 13, 2026·9 min

Tokenizing Intellectual Property on EVM: Solidity Patterns for Programmable IP Rights

ERC-721 and ERC-2981 fail for real-world IP. Learn Solidity patterns for programmable royalty splits, copyright decay, and Ricardian contracts — via Zealynx.

Read
Proxy Security Checklist: 33 Critical Upgradeability Checks
Smart Contract SecurityFeb 12, 2026·22 min

Proxy Security Checklist: 33 Critical Upgradeability Checks

Complete proxy and upgradeability security checklist with 33+ actionable checks. Learn how to prevent exploits in UUPS, Transparent, Beacon, and Diamond proxy patterns. Storage safety, initialization, and upgrade mechanisms covered.

Read
MCP Security Guide: 24 Checks for AI Agents & MCP Servers
Adversarial & AI SecurityFeb 11, 2026·9 min

MCP Security Guide: 24 Checks for AI Agents & MCP Servers

Long-form MCP security guide covering 24 critical checks for AI agents and MCP servers. Learn breach patterns, tool poisoning risks, prompt injection defenses, and hardening priorities.

Read
Moving Averages in DeFi: Security Vulnerabilities and Attack Prevention
DeFi Protocol AnalysisFeb 10, 2026·14 min

Moving Averages in DeFi: Security Vulnerabilities and Attack Prevention

Moving averages power critical DeFi infrastructure from price oracles to AMMs, but create attack vectors for flash loan manipulation and precision exploits. Learn how to identify vulnerabilities in TWAP, SMA, and EMA implementations, plus proven mitigation strategies.

Read
Solana Audit Guide 2026: Firedancer, Token-2022, and Localized DoS
Smart Contract SecurityFeb 7, 2026·9 min

Solana Audit Guide 2026: Firedancer, Token-2022, and Localized DoS

Solana audit guide for 2026 covering Firedancer finality risk, Token-2022 transfer hook reviews, localized DoS pressure, and what auditors check before launch.

Read
MiCA Regulation & Security: What Every Crypto Founder Needs to Know
Industry and ComplianceFeb 5, 2026·12 min

MiCA Regulation & Security: What Every Crypto Founder Needs to Know

MiCA is forcing EU crypto projects to take security seriously. Learn what the regulation actually requires — security audits, penetration testing, smart contract reviews — and how to prepare before regulators come knocking.

Read
Solidity Smart Contract Audit 2026: Pricing, AI & Readiness Manifesto
Audit OperationsFeb 4, 2026·9 min

Solidity Smart Contract Audit 2026: Pricing, AI & Readiness Manifesto

Discover the 2026 Solidity Smart Contract Audit Manifesto. Learn why 'Lines of Code' pricing is dead, explore new smart contract audit costs, AI-driven security, and the essential audit readiness checklist for protocol leaders.

Read
Implement Uniswap v4 swaps & avoid critical mistakes
DeFi Protocol AnalysisFeb 2, 2026·13 min

Implement Uniswap v4 swaps & avoid critical mistakes

Master Uniswap v4's four swap types: zeroToOne, oneToZero, exactInputForOutput, and exactOutputForInput. Learn to implement SwapParams correctly and interpret BalanceDelta results securely.

Read
OpenClaw Security Guide: Prompt Injection, Malicious Skills, Hardening
Adversarial & AI SecurityJan 31, 2026·19 min

OpenClaw Security Guide: Prompt Injection, Malicious Skills, Hardening

OpenClaw security guide for teams deploying personal AI agents. Learn the top risks, prompt injection, malicious skills, exposed admin panels, and the hardening checklist that prevents agent compromise.

Read
Uniswap’s Q64.96 Explained: Essential Security Tips for Hook Developers
DeFi Protocol AnalysisJan 30, 2026·11 min

Uniswap’s Q64.96 Explained: Essential Security Tips for Hook Developers

Q64.96 fixed-point math powers Uniswap V3/V4 pricing. Learn how sqrtPriceX96 overflows happen and how Zealynx auditors catch them before they cost you.

Read
UUPS vs Transparent vs Beacon: Proxy Security Guide 2026
Smart Contract SecurityJan 29, 2026·18 min

UUPS vs Transparent vs Beacon: Proxy Security Guide 2026

EVM proxy pattern security: UUPS, Transparent, Beacon, and Diamond (EIP-2535) compared. Storage collision exploits ($6M+), gas benchmarks, and audit checklist.

Read
Solana Security Checklist: 45 Anchor and Native Program Audit Checks
Smart Contract SecurityJan 28, 2026·15 min

Solana Security Checklist: 45 Anchor and Native Program Audit Checks

Run 45 Solana audit checks for Anchor and native programs, covering signer validation, CPI safety, PDAs, Token-2022, and pre-launch review.

Read