Comprehensive security from @Nethermind, from audits to formal verification. Book now: https://t.co/dBDIYbokwP (nethermind.io/nethermind-sec…). Joined September 2024.
We completed a security review of @arcxtrade, a yield-decomposition protocol on Starknet that settles across chains by bridging USDC into Wildcat markets through CCTP. The review covered the full Cairo and Solidity codebase, with close attention to the token decomposition model and the cross-chain settlement path. The higher-severity findings were fixed ahead of the beta.
In 2024, an attacker manipulated a lending protocol's oracle into valuing a single token at roughly $1.37 trillion. The oracle worked as designed. It derived the price from a DEX pool, and a flash loan moved that pool for a single block, so the reported price was the one the attacker chose.
Reading a price directly from a pool is the obvious error, and most experienced teams avoid it. The harder failures are the ones that pass review. A staleness threshold set too high, so an outdated price is still accepted as current. An L2 feed that reads as fresh while the sequencer is down. A TWAP that resists cheap manipulation but lags a fast market enough to leave an exploitable window.
Most teams know an oracle can be manipulated. Confirming that the safeguards already in place actually hold is harder, and it's most of what an audit does here.
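The three quiet failure modes above (a staleness threshold set too high, an L2 feed that reads as fresh while the sequencer just restarted, and a TWAP that lags a fast market) can each be checked mechanically. The following is an added example, not code from Nethermind or from any audited project: a small Python model of the read-side checks, with the feed fields and the sequencer status modelled on the Chainlink-style `latestRoundData` and sequencer uptime feed conventions. The heartbeat, grace period, deviation limit, prices and timestamps are all constructed sample values.

```python
"""Added example (not Nethermind's code): defensive oracle-read checks modelled on
the Chainlink-style feed interface (latestRoundData fields, and the L2 sequencer
uptime feed). All prices, timestamps and thresholds here are constructed."""
from dataclasses import dataclass

# Assumed feed parameters: a 1-hour heartbeat, so anything older than heartbeat
# plus a small margin is stale. A 24h threshold would silently accept old prices.
MAX_STALENESS = 3600 + 300
# After an L2 sequencer restart, refuse reads until the feed has had time to catch up.
GRACE_PERIOD = 3600
# Spot must sit within this many basis points of the TWAP, or the read is refused.
MAX_DEVIATION_BPS = 500


@dataclass(frozen=True)
class Round:
    answer: int      # price with 8 decimals (Chainlink convention)
    updated_at: int  # unix time the round was published


@dataclass(frozen=True)
class SequencerStatus:
    is_down: bool
    started_at: int  # unix time the current up/down status began


def validate_price(rnd, seq, now, max_staleness=MAX_STALENESS, grace_period=GRACE_PERIOD):
    """Return (price, "ok") or (None, reason). Each branch is one review question:
    is the sequencer up and settled, is the answer sane, is the round fresh
    relative to this feed's heartbeat."""
    if seq.is_down:
        return None, "sequencer down"
    if now - seq.started_at <= grace_period:
        return None, "sequencer restarted within grace period"
    if rnd.answer <= 0:
        return None, "non-positive answer"
    if now - rnd.updated_at > max_staleness:
        return None, "stale round"
    return rnd.answer, "ok"


def twap(observations, now, window):
    """Time-weighted average over [now - window, now]. observations is an ascending
    list of (timestamp, price); each price holds until the next observation.
    The first observation must predate the window so the window is fully covered."""
    start = now - window
    assert observations and observations[0][0] <= start, "window not covered"
    total = 0
    for i, (t, price) in enumerate(observations):
        t_next = observations[i + 1][0] if i + 1 < len(observations) else now
        lo, hi = max(t, start), min(t_next, now)
        if hi > lo:
            total += price * (hi - lo)
    return total // window


def deviation_bps(a, b):
    return abs(a - b) * 10_000 // max(a, b)


def spot_within_twap(spot, twap_price, max_bps=MAX_DEVIATION_BPS):
    """A TWAP resists single-block manipulation but lags a fast market; refusing to
    act while spot and TWAP disagree closes the window that lag opens."""
    return deviation_bps(spot, twap_price) <= max_bps


def demo():
    now = 1_700_000_000
    seq_ok = SequencerStatus(is_down=False, started_at=now - 2 * 3600)
    five_hours_old = Round(answer=2000 * 10**8, updated_at=now - 5 * 3600)

    # Threshold too high: a 5h-old price passes a 24h staleness check.
    accepted = validate_price(five_hours_old, seq_ok, now, max_staleness=24 * 3600)
    # Threshold matched to the heartbeat: the same round is refused.
    refused = validate_price(five_hours_old, seq_ok, now)
    # Sequencer came back 10 minutes ago: the round is fresh, but still in grace.
    just_restarted = SequencerStatus(is_down=False, started_at=now - 600)
    grace = validate_price(Round(2000 * 10**8, now - 60), just_restarted, now)

    # Constructed observations: $2000 for most of a 30-minute window, then a 25%
    # drop five minutes ago. The TWAP still reads about $1917 while spot is $1500.
    obs = [(now - 3600, 2000 * 10**8), (now - 300, 1500 * 10**8)]
    t = twap(obs, now, window=1800)
    return {
        "accepted_with_24h_threshold": accepted,
        "refused_with_heartbeat_threshold": refused,
        "refused_during_grace": grace,
        "twap": t,
        "spot_vs_twap_bps": deviation_bps(1500 * 10**8, t),
        "spot_trusted": spot_within_twap(1500 * 10**8, t),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of `demo()` is that each safeguard is only as good as its parameter: the same five-hour-old round is accepted or refused purely by how the staleness bound relates to the feed's heartbeat, and the TWAP is "correct" yet more than 2000 bps away from spot after a sharp move, which is exactly the window a deviation check is there to close.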
The codebase was the Bloxchain Protocol by @Particle_CS, a smart-contract framework built so one compromised key can't act alone. Full report: github.com/NethermindEth/…
Everyone's arguing about whether AI replaces security audits. We stopped arguing and ran it: one codebase, three layers, and we tracked what each one actually caught.
AuditAgent (our AI scanner, runs while you build) and AgentArena (independent agents competing to break the same code) cleared the high-frequency stuff early. The bugs that show up in codebase after codebase, gone before anyone senior opened the repo.
So by the time our auditors started, the easy surface was clean. They spent their time on the bugs you can't pattern-match. Things like an external call that ran before the check meant to authorize it. Design-specific, the kind you only find by reasoning through the whole system.
Both camps in this fight are only half right: AI doesn't shrink the audit, it tells the audit where to look. And the audit finds what no scanner ever will.
You don't pick one. You run them in order.
Most AI scanners start every run from zero. AuditAgent now keeps a per-project memory. Each scan builds on what it already learned about your codebase, so repeat runs get sharper instead of repeating themselves.
It carries context across scans, surfaces more meaningful findings, and you can review and adjust what it remembers. A pre-audit baseline you run while you build, ahead of a comprehensive audit.
auditagent.nethermind.io
A ZK circuit can do exactly what it's supposed to and the system around it still gets drained. The risk lives in what the protocol assumes the proof means. Michael Belegris on the bugs our ZK audit team keeps finding: nethermind.io/blog/zk-circui…
Your team takes the break. We take the audit.
A few slots open July 1 — August 15. Adjusted rates. AuditAgent Pro included so the codebase is ready before we start.
Smart contracts and ZK circuits.
nethermind.io/audit-slots
Uniswap ran a free AuditAgent scan, an AgentArena competition on UniswapX, and adopted the AuditAgent Business Plan in three months. Cody Born, Principal Engineer at @Uniswap, on what AuditAgent changed in their development workflow:
@0xKalzak Pre-audit tools handle the surface layer. AuditAgent flags common vulnerability patterns and dead code so the audit goes deeper from day one. Included with audit slots between July 1 and August 15. Reduced rates: nethermind.io/audit-slots
Auditors aren't QA.
When the first days of an engagement go to integration bugs the team would catch on testnet, that's time off the review. When pass one goes to dead code and common vulnerability patterns, that's time not spent on bugs only auditors can find.
@lagoon_finance The work covered pending-state accounting transitions, NAV update timing during synchronous deposits, and economic edge cases at feature interactions.
The most consequential issues became reachable only when new features layered onto existing ones.
Auditing ERC-7540 vaults is different from auditing ERC-4626. Settlement happens in a different block than the request. Bugs in the gap can leave users mispriced, locked out of exits, or settled into the wrong cycle.
Standard audit playbooks miss them.
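The request/settlement gap described above, as an added example that is not Lagoon's or Nethermind's code: a constructed Python model of an ERC-7540-style asynchronous redeem flow, where a request is recorded in one cycle and priced only when that cycle settles. The vault class, epoch numbering, prices and share amounts are all assumptions made for illustration; the `LateCycleBugVault` variant shows the "settled into the wrong cycle" class of bug the text mentions, in which settlement records a price but fails to advance the open cycle.

```python
"""Added example (not Lagoon's or Nethermind's code): minimal model of an
ERC-7540-style asynchronous redeem flow. Request in one block, settlement in a
later one. Epoch numbers, prices and amounts are constructed."""
from dataclasses import dataclass

SCALE = 10**18  # assets-per-share price and share amounts scaled by 1e18


@dataclass
class Request:
    shares: int
    epoch: int        # settlement cycle this request belongs to
    claimed: bool = False


class AsyncRedeemVault:
    """Requests accumulate in the open epoch; settle() fixes that epoch's price and
    opens the next one. A request is never priced at request time, only at settlement."""

    def __init__(self):
        self.open_epoch = 0
        self.settled_price = {}   # epoch -> assets per share fixed at settlement
        self.requests = {}        # request id -> Request
        self.next_id = 0

    def request_redeem(self, shares):
        rid = self.next_id
        self.next_id += 1
        self.requests[rid] = Request(shares, self.open_epoch)
        return rid

    def settle(self, assets_per_share):
        """Close the open epoch at this price. Advancing open_epoch here is what keeps
        a request arriving after settlement out of the cycle just closed."""
        epoch = self.open_epoch
        self.settled_price[epoch] = assets_per_share
        self.open_epoch += 1
        return epoch

    def claimable_assets(self, rid):
        r = self.requests[rid]
        if r.claimed or r.epoch not in self.settled_price:
            return 0  # an unsettled cycle pays nothing yet
        return r.shares * self.settled_price[r.epoch] // SCALE

    def claim(self, rid):
        assets = self.claimable_assets(rid)
        if assets == 0:
            raise ValueError("request not yet settled or already claimed")
        self.requests[rid].claimed = True
        return assets


class LateCycleBugVault(AsyncRedeemVault):
    """The gap bug: settlement records a price but does not advance the epoch, so a
    later request lands in an already-priced cycle and is claimable at a price
    fixed before the request existed."""

    def settle(self, assets_per_share):
        epoch = self.open_epoch
        self.settled_price[epoch] = assets_per_share
        return epoch


def scenario(vault_cls):
    v = vault_cls()
    alice = v.request_redeem(100 * SCALE)        # requested while NAV is 1.0
    v.settle(assets_per_share=12 * SCALE // 10)  # settled later at NAV 1.2
    bob = v.request_redeem(50 * SCALE)           # arrives after settlement
    return {
        "alice_claims": v.claim(alice),          # priced at settlement, not request
        "bob_claimable_now": v.claimable_assets(bob),
        "bob_epoch": v.requests[bob].epoch,
    }


if __name__ == "__main__":
    print("correct:", scenario(AsyncRedeemVault))
    print("late-cycle bug:", scenario(LateCycleBugVault))
```

The invariant worth asserting in a review of any vault built this way is the one `scenario()` exercises: a request's payout depends only on the price fixed when its own cycle settles, and no request can belong to a cycle whose price was fixed before the request was made. Alice is paid at 1.2 even though NAV was 1.0 when she asked, which is the intended behaviour; Bob correctly has nothing claimable until the next settlement, and in the buggy variant he is instead settled into the closed cycle.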