Checking on-chain data...
Could not determine address type.
Smart contract security insights, tutorials, product updates, and research from the Sigvex team.
How WebAssembly enables coverage-guided smart contract fuzzing directly in the browser, without a backend dependency — the engineering decisions behind a browser-native fuzzer.
How to follow call chains across multiple contracts to detect multi-hop attack paths, composability vulnerabilities, and cross-protocol data flow that single-contract analysis misses.
How Sigvex goes beyond static findings to automatically generate and validate working exploits against detected vulnerabilities, turning theoretical alerts into confirmed attack scenarios.
A step-by-step walkthrough of how security researchers discover and exploit flash loan vulnerabilities, from initial reconnaissance to proof-of-concept execution.
A guide to Solana-specific vulnerability patterns — arbitrary CPI, missing signer checks, account validation gaps, type cosplay, and PDA seed collisions — and how bytecode analysis detects them in deployed programs.
How symbolic execution explores program paths using constraint solvers to find inputs that trigger vulnerabilities—and why it's both powerful and challenging for EVM analysis.
A deep dive into fuzzing techniques for smart contracts—coverage-guided fuzzing, property-based testing, stateful fuzzing, and how modern fuzzers find bugs that static analysis misses.
How lifting bytecode through multiple IR levels—LIR, MIR, HIR, and AST—supports progressively deeper security analysis while preserving semantic fidelity.
A technical walkthrough of analyzing Ethereum Virtual Machine bytecode—understanding opcodes, control flow recovery, data flow analysis, and the techniques that power modern smart contract security tools.
Beyond 'it looks right'—quantitative metrics for evaluating decompiler output quality, semantic preservation, and security analysis utility.
How bytecode analysis can identify contracts vulnerable to MEV extraction, frontrunning, and sandwich attacks—turning a mempool problem into a detectable code pattern.
Storage collisions, uninitialized implementations, upgrade-time storage breakage, and selfdestruct in proxy implementations. Why the proxy pattern's complexity translates directly to attack surface.
An exploration of why security tools built on source code assumptions fail in the EVM ecosystem, and how bytecode-native analysis provides ground truth that source code cannot.
Token mechanics create a different class of bugs than reentrancy or overflow. Decimal mismatches, fee-on-transfer accounting errors, rebasing token incompatibility, and missing slippage protection have collectively drained hundreds of millions from DeFi protocols.
How proxy initialization bugs and unprotected delegatecall have cost over a billion dollars — and what the bytecode patterns actually look like.
An analysis of why the formal verification vs. fuzzing debate misses the point, and how combining constraint satisfaction, static analysis, and dynamic testing creates defense in depth.
Technical analysis of the May 2023 Level Finance attack where an attacker exploited unchecked referral logic to repeatedly claim rewards, and how bytecode analysis catches reward calculation bugs.
Why instant AMM prices are trivially manipulable, what TWAP windows actually buy you, and how to validate Chainlink feeds properly.
Flash loans don't create vulnerabilities — they remove the capital requirement for exploiting ones that already exist. Here's what that means for detection.
Analysis of the May 2023 Tornado Cash governance attack where a malicious proposal granted an attacker 1.2 million votes, enabling complete protocol control through hidden exploit code.
Technical breakdown of the February 2023 Platypus Finance exploit where an attacker manipulated debt positions using flash loans, and how bytecode analysis reveals the vulnerable collateral logic.
How Avraham Eisenberg manipulated the MNGO oracle price 24x in 20 minutes to borrow $114 million against phantom profits—then publicly took credit for it.
Analysis of the three major Cream Finance exploits in 2021 totaling over $190 million in losses, examining flash loan attacks, oracle manipulation, and reentrancy through token hooks.
Analysis of the December 2021 BadgerDAO hack where attackers injected malicious scripts via a compromised Cloudflare API key, tricking users into granting unlimited token approvals.
Analysis of the August 2021 Poly Network hack where an attacker exploited cross-chain contract permissions to steal $611 million across three blockchains—then returned it all.
Technical analysis of the September 2022 Wintermute exploit where attackers cracked a vanity address private key using a known vulnerability in the Profanity tool, stealing $160 million.
How North Korean attackers compromised 5 of 9 Ronin validator keys to steal $625 million from Axie Infinity's bridge—undetected for six days.
How an attacker used a deprecated Solana function to bypass Wormhole's guardian signature verification, minting 120,000 wETH without locking a single real token.
A routine upgrade accidentally made the zero hash a valid Merkle root in Nomad's bridge. Within two hours, ~300 addresses had copied and pasted their way to $190 million.
A technical breakdown of the 2016 DAO reentrancy attack—how it worked, why the code failed, and the hard fork that divided the Ethereum community.
How two Parity multisig wallet vulnerabilities in 2017 resulted in $30 million stolen and $280 million frozen forever—both caused by mishandled delegatecall proxy patterns.
Technical breakdown of the March 2023 Euler Finance flash loan attack that exploited a missing health check in the donateToReserves function.
Analysis of the July 2023 Curve Finance hack caused by a Vyper compiler bug that broke reentrancy guards, resulting in $70 million in losses across multiple DeFi protocols.
A technical breakdown of the three reentrancy vulnerability classes — classic, cross-function, and read-only — with real exploit patterns and bytecode-level detection strategies.
Solidity 0.8 added overflow checks by default. Here's what it missed — and why bytecode analysis still finds real arithmetic vulnerabilities in modern contracts.
A practical guide to understanding EVM bytecode, how decompilation works, and why bytecode-native analysis catches vulnerabilities that source-level tools miss.
Technical analysis of the April 2022 Beanstalk Farms exploit where an attacker used $1 billion in flash loans to hijack governance and steal $182 million, exposing critical DeFi governance vulnerabilities.
Sigvex is a Rust toolkit for decompiling and analyzing smart contracts across EVM and SVM runtimes. This post covers the architecture, the 361 security detectors, and the design decisions behind building bytecode-native analysis.
Sign in to access the blog
Use the Sign In button in the navigation bar.
On Mac, use Cmd instead of Ctrl
Let's take a quick tour to help you get started with multi-runtime blockchain security analysis.