Technical Blogs
The Enterprise DLT Oracle Challenge
In DeFi, oracle failures can cause financial losses within a system that broadly accepts risk. Enterprise DLT operates in a different world. The assets are physical. The counterparties are regulated. The consequences are legal.
React/Next.js CVE-2025-55182 Vulnerability Analysis
A critical vulnerability, CVE-2025-55182, was recently disclosed and carries a CVSS 10.0 (the most critical) severity rating. The issue affects React/Next.js environments. Our security research team has analyzed the vulnerability and detected many applications in the Web3 ecosystem running the affected versions, including several that are actively exploitable.
PancakeSwap Infinity: Hooks Security Considerations
This article discusses some of the new features of PancakeSwap Infinity, and explores the security considerations related to PancakeSwap Infinity hooks.
Pectra’s EIP-7702: Redefining Trust Assumptions of Externally Owned Accounts (EOAs) in EVM
In this post, we examine how EIP-7702 reshapes core EVM assumptions, highlight mock examples, and provide actionable guidance for developers to assess whether their existing contracts may be vulnerable.
Oracle Wars: The Rise of Price Manipulation Attacks
In this article, we look at how oracles work, why they matter, how they can be exploited, and more, with the goal of educating DeFi participants on how to better protect themselves from these types of threats.
Uniswap V4: Hooks Security Considerations
This article discusses some of the new features of Uniswap V4, and explores the security considerations related to Uniswap V4 hooks.
Web2 Meets Web3: Hacking Decentralized Applications
This blog offers insights into the differences between traditional Web2 applications and Web3 Dapps, Dapp threat modeling, and unique attack vectors enabled by the integration of blockchain components.
Risk & Security Enhancement for App Chains: An In-depth Writeup of CWA-2023-004
In January 2024, the CertiK research team, in collaboration with Confio's security contributors, identified and addressed a high-impact vulnerability affecting App Chains that allow permissionless uploads in the CosmWasm ecosystem. This vulnerability, designated CWA-2023-004, enables a remote attacker to submit a malformed contract payload, causing a deterministic failure in every transaction processed by the WasmVM. This ultimately leads to a widespread outage across the validator network.
Advanced Formal Verification of ZKP: A Tale of Two Bugs
In this post, we focus on the bug discovery process of our formal verification of zkWasm instructions, examining specific bugs encountered during the process and the lessons learned.
Uncovering and Resolving a Cross-Site Scripting Attack in a Popular Wallet Protocol
We discovered an XSS vulnerability in WalletConnect's Verify API, which could have been manipulated to create a convincing phishing site.
BGP Hijacking: How Hackers Circumvent Internet Routing Security to Tear the Digital Fabric of Trust
The Border Gateway Protocol acts as the Internet's postal service, directing how information should traverse between different networks. It has been exploited by hackers to attack multiple Web3 platforms.
How Hackers Use DNS Hijacking Attacks to Steal Funds and Clone Websites
Hackers are using a technique known as DNS hijacking to steal Web3 users' seed phrases with sophisticated phishing attacks.