Welcome to our second article on Security Considerations for Ethereum Delegated Proof of Stake (DPoS) platforms. As we explored previously, there are multiple security challenges associated with delegated staking, nearly all related to the excessive trust expected by staking platforms. In this post, we’ll delve into what led us to…

We at Coinspect are excited to announce the release of our new code repository, learn-evm-attacks! This repository is an educational resource for anyone who wants to learn more about Ethereum Virtual Machine (EVM) exploits and vulnerabilities. We have reproduced more than 30 attacks on EVM chains: most of them actually…

As the number of platforms offering delegated Ethereum validators as a service grows, so does the interest in evaluating its associated risks. This post aims to help users interested in these services, as well as professionals reviewing or building such platforms. We will discuss the risk associated with: The high-trust…

In September 2021, Tempus engaged Coinspect to perform a third-party source code review of the smart contracts that comprise ther on-chain derivatives marketplace. No high-risk vulnerabilities that would result in stolen users funds were identified. However, one medium-risk issue (high impact, but low likelihood) was reported that could impact user funds if current security assumptions change in the future. Another medium-risk issue was reported related to the power the pool owners possess to update fees without constraints and that could be abused to harm users if the account were compromised.

In February 2021, Incognito engaged Coinspect to perform a source code review of the smart contracts that comprise the Incognito-Ethereum bridge. The main contracts are: IncognitoProxy: stores beacon and bridge committee members of the Incognito Chain, and other contracts can query this contract to check if an instruction is confirmed on the Incognito Chain. Vault: responsible for deposits and withdrawals; it holds assets (Ether or ERC20 tokens) and emits events that the Incognito Chain interprets as minting instructions; and when presented with a burn proof created over at the Incognito Chain, it releases the assets back to the user.

In March 2021, Liquity engaged Coinspect to perform its second third-party source code review of the smart contracts that comprise the Liquity Protocol. Coinspect identified a high risk issue, a missing requirement in a function that allowed attackers to force the system to enter Recovery Mode in order to liquidate…

In August 2020, Aragon engaged Coinspect to perform a series of third-party source code reviews of the smart contracts that comprise their Protocol. Following are descriptions of the scope for several of those reviews: Aragon Protocol is a dispute resolution protocol. It handles subjective disputes that cannot be solved purely…

Executive Summary In February 2020, Horizen engaged Coinspect to audit the security of its blockchain platform. In particular this first engagement focused on reviewing Horizen platform additions to the Zcash protocol implementation including its core consensus rules, network protocols and privacy features. …

Starting in September 2020, Bloq requested Coinspect to review selected parts of Vesper Pool’s source code while the contracts were being developed. Coinspect auditors spent 5 weeks during a period of 5 months. Coinspect published 5 smart contract audit reports detailing the tasks performed. Each report focused on an individual…