DeFi & Smart Contract
Security Research Lab
Manual code audits, formal verification, ZKP circuit review, and active fuzzing — from a Berlin-based researcher with a published CVE track record and hands-on DeFi exploit experience.
Recent Security Incidents
Rhea Finance Security Incident
Rhea Finance - Rekt
Tuesday, April 21, 2026
Rhea Finance - Swap Route Exploitation - Input Validation Failure
42 hours of preparation. 123 fake tokens. 5 worker wallets dispatched within 10 seconds of each other. $18.4 million gone from the largest protocol in NEAR's DeFi ecosystem before most of its users had finished their morning coffee.
Hyperbridge Security Incident
Hyperbridge - Rekt
Friday, April 17, 2026
Hyperbridge - MMR - Proof Verification
1 billion DOT tokens minted, $2.5 million in losses, one missing line of code. Initially reported as a $237k loss, Hyperbridge revised that figure to $2.5 million, citing two separate attacks and users who swapped into artificially cheap DOT after the pools were drained.
Drift Protocol Security Incident
Drift Protocol - Rekt
Thursday, April 9, 2026
Private Key Leak - Drift Protocol - DPRK
Credit: DLNews, Drift Protocol, DefiLlama, Mert, Vladimir S., Peckshield, Arkham Intelligence, Lookonchain, Unchained, CCN, CoinTelegraph, Andrew Hong, QuillAudits, wublock, ZachXBT, Specter, Temmy, TheBlock, molu, Fabiano, Omer Goldberg, Hayden Adams, Cube Exchange, BleepingComputer, Halborn, Tayvano, Ariel Givner, CoinDesk, The Hacker News, Mitchell Amador, TRM, Blockworks, Chainalysis, Patrick Collins
‘Scattered Spider’ Member ‘Tylerb’ Pleads Guilty
A 24-year-old British national and senior member of the cybercrime group "Scattered Spider" has pleaded guilty to wire fraud conspiracy and aggravated identity theft. Tyler Robert Buchanan admitted his role in a series of text-message phishing attacks in the summer of 2022 that allowed the group to hack into at least a dozen major technology companies and steal tens of millions of dollars worth of cryptocurrency from investors.
Patch Tuesday, April 2026 Edition
Microsoft today pushed software updates to fix a staggering 167 security vulnerabilities in its Windows operating systems and related software, including a SharePoint Server zero-day and a publicly disclosed weakness in Windows Defender dubbed "BlueHammer." Separately, Google Chrome fixed its fourth zero-day of 2026, and an emergency update for Adobe Reader nixes an actively exploited flaw that can lead to remote code execution.
Resolv Labs Security Incident
Resolv Labs - Rekt
Tuesday, April 7, 2026
Resolv Labs - Private Key Leak - Supply Chain Attack
Three hundred thousand dollars walked into a protocol holding $141 million. Eighty million unbacked stablecoins walked out. The official post-mortem would later reveal a supply chain attack; the breach began not inside Resolv, but at a third-party project where a contractor had previously worked.
Russia Hacked Routers to Steal Microsoft Office Tokens
Hackers linked to Russia's military intelligence units are using known flaws in older Internet routers to mass harvest authentication tokens from Microsoft Office users, security experts warned today. The spying campaign allowed state-backed Russian hackers to quietly siphon authentication tokens from users on more than 18,000 networks without deploying any malicious software or code.
Germany Doxes “UNKN,” Head of RU Ransomware Gangs REvil, GandCrab
An elusive hacker who went by the handle "UNKN" and ran the early Russian ransomware groups GandCrab and REvil now has a name and a face. Authorities in Germany say 31-year-old Russian Daniil Maksimovich Shchukin headed both cybercrime gangs and helped carry out at least 130 acts of computer sabotage and extortion against victims across the country between 2019 and 2021.
‘CanisterWorm’ Springs Wiper Attack Targeting Iran
A financially motivated data theft and extortion group is attempting to inject itself into the Iran war, unleashing a worm that spreads through poorly secured cloud services and wipes data on infected systems that use Iran's time zone or have Farsi set as the default language.
Feds Disrupt IoT Botnets Behind Huge DDoS Attacks
The U.S. Justice Department joined authorities in Canada and Germany in dismantling the online infrastructure behind four highly disruptive botnets that compromised more than three million hacked Internet of Things (IoT) devices, such as routers and web cameras. The feds say the four botnets -- named Aisuru, Kimwolf, JackSkid and Mossad -- are responsible for a series of recent record-smashing distributed denial-of-service (DDoS) attacks capable of knocking nearly any target offline.
Security Research
CVE Pending: SIGSEGV in oggenc 1.4.3 (vorbis-tools) via Crafted WAV File
A crafted WAV file triggers a null pointer dereference / segmentation fault (SIGSEGV) in oggenc 1.4.3, crashing the encoder unconditionally. Reproducible with a single Python command. No user interaction beyond passing the file to oggenc is required. CVE requested — assignment pending.
CVE Unhandled IEEE754 Special Values in Wings3D 2.4.1 OBJ Parser
A crafted Wavefront OBJ file containing IEEE754 special float values (nan, inf, -inf) or overflow exponents (1e999) in vertex coordinate fields causes Wings3D to crash immediately on import. Root cause: the Erlang function str2float_2/2 in e3d_obj.erl (line 391) uses pattern matching with no clause for IEEE754 special value strings, raising an unhandled function_clause exception that unwinds the BEAM VM call stack and terminates the import. All unsaved user work is lost. Vendor notified: sourceforge.net/p/wings/bugs/252/
CVE : Uncontrolled Resource Consumption in Scribus 1.6.5
A crafted .sla project file with extreme numeric geometry values (PAGEWIDTH, HEIGHT, BORDERLEFT, etc.) causes Scribus to enter an infinite loop during layout containment checking, consuming 99% CPU and triggering a system-wide memory pressure cascade. No user interaction beyond opening the file is required. Root cause: geometry fields are read directly into Qt structures (QRect, QRegion) without upper or lower bounds enforcement.
CVE: Unsigned Firmware Update in Actions Semiconductor Platform
The firmware update tool (RdiskUpgrade.exe / Production.dll) for all devices using Actions Semiconductor VID 10D6 performs zero cryptographic verification before flashing firmware over USB. An attacker with physical access can permanently compromise any affected device. Covers 12 USB Product IDs across multiple consumer brands. CVE submitted to MITRE — pending assignment.
CVE-2025-65834: Buffer Overflow in Shotcut 25.10.31
Buffer overflow in Shotcut video editor's MLT Framework image processing pipeline. An attacker can trigger out-of-bounds memory access via a crafted media file. CVE assigned by MITRE.
Recent Audits
Butter Network — Smart Contract Ecosystem Audit
Our Services
Smart Contract Audits
Manual line-by-line review of Solidity, Rust, Move, Cairo, and Motoko contracts. Covers reentrancy, access control, oracle manipulation, flash loan vectors, donation attacks, and economic logic flaws.
DeFi Protocol Security
Deep-dive audits for AMMs, lending protocols, bridges, and yield strategies. Specialized detection of TWAP manipulation, exchange rate inflation, cross-chain replay, and liquidation logic errors.
Cryptography & ZKP Audits
SDK-level cryptographic implementation review covering signature schemes, key derivation, RNG, and threshold cryptography. ZKP circuit audits for constraint soundness and under-constrained signal detection.
Formal Verification
Mathematical proof of critical protocol invariants — AMM pricing formulas, interest rate models, liquidation conditions. Custom specs in Certora, TLA+, or Coq depending on your stack.
Fuzzing Campaigns
Active fuzzing with custom harnesses using AFL++, Echidna, and Foundry invariant tests. Full coverage report and reproducible corpus delivered. Particularly effective for parser bugs and boundary conditions.
Backend & API Security
Security review of backend systems and APIs powering Web3 protocols — authentication, authorization, injection vulnerabilities, and business logic flaws in the off-chain layer.
Security Subscription Plans
Prefer a one-time engagement? We scope every audit individually — no fixed packages, no cookie-cutter reports.
Request a Custom Quote
ISO 27001 Readiness Assessments
Gap Analysis
Comprehensive evaluation of current security posture against ISO 27001 requirements with detailed remediation roadmap.
Control Assessment
Systematic review of all 114 security controls with evidence collection and documentation support.
Implementation Support
Practical guidance on implementing missing controls and building compliant security management systems.
Supported Compliance Frameworks
Request a Security Audit
Tell us about your project. We scope every engagement individually — no fixed packages, no cookie-cutter reports.
We typically respond within 24 hours with a custom quote based on your project scope and requirements.
Frequently Asked Questions
Contact Us
General inquiries, partnerships, or media requests.