Access Control Bypass
Maintained by Sigvex TeamReviewed
How attackers exploit missing or improper access restrictions on critical functions — responsible for over $1.3 billion in DeFi losses including the largest hack in history.
Read MoreSecurity detectors, exploit generators, attack patterns, and remediation guides for EVM, Solana, and Zero-Knowledge smart contracts.
Maintained by Sigvex TeamReviewed
How attackers exploit missing or improper access restrictions on critical functions — responsible for over $1.3 billion in DeFi losses including the largest hack in history.
Read MoreMaintained by Sigvex TeamReviewed
Detects unsafe admin key handling including hardcoded keys, missing validation, and single points of failure.
Read MoreMaintained by Sigvex TeamReviewed
Detects missing or incomplete Anchor account constraint validation that could allow unauthorized account substitution.
Read MoreMaintained by Sigvex TeamReviewed
Detects unsafe Anchor program upgrade patterns and missing security controls.
Read MoreMaintained by Sigvex TeamReviewed
Detects cross-program invocations (CPI) where the target program ID is user-controlled and not validated, allowing attackers to redirect calls to malicious programs.
Read MoreMaintained by Sigvex TeamReviewed
Detects ERC-20 transfer and transferFrom calls where the recipient or amount is user-controlled without access control, enabling token theft.
Read MoreMaintained by Sigvex TeamReviewed
Detects external calls to user-controlled addresses without validation, enabling attackers to redirect execution to malicious contracts.
Read MoreMaintained by Sigvex TeamReviewed
Detects JUMP or JUMPI instructions where the destination is derived from user input, enabling control-flow hijacking.
Read MoreMaintained by Sigvex TeamReviewed
Detects functions that write to storage slots determined by user-controlled input, enabling attackers to overwrite any state variable.
Read MoreMaintained by Sigvex TeamReviewed
How attackers forge, replay, or bypass cross-chain bridge messages to mint unauthorized assets — responsible for over $1.2 billion in losses across the bridge ecosystem.
Read MoreMaintained by Sigvex TeamReviewed
Detects vulnerabilities in cross-chain bridge implementations including missing message verification, replay attack exposure, unauthorized relay functions, weak finality assumptions, and protocol-specific issues in a major cross-chain messaging protocol, Axelar, and Hyperlane integrations.
Read MoreMaintained by Sigvex TeamReviewed
Detects account closure patterns that leave residual lamports accessible to the program or allow the account to be drained without proper authorization.
Read MoreMaintained by Sigvex TeamReviewed
Detects storage slot collisions in proxy contracts that occur only under specific execution paths or conditions, leading to intermittent state corruption.
Read MoreMaintained by Sigvex TeamReviewed
Detects security validations placed inside conditional branches that can be bypassed through alternate execution paths.
Read MoreMaintained by Sigvex TeamReviewed
Detects privileged accounts being passed to unvalidated programs via CPI, enabling authority hijacking.
Read MoreMaintained by Sigvex TeamReviewed
Detects CPI return data used for critical operations without independent on-chain state verification.
Read MoreMaintained by Sigvex TeamReviewed
Detects false signer claims in cross-program invocations where accounts were not actually signed in the original transaction.
Read MoreMaintained by Sigvex TeamReviewed
Detects CPI calls to critical system programs without explicit address validation.
Read MoreMaintained by Sigvex TeamReviewed
Detects reentrancy attacks that exploit multiple functions sharing the same state, where an attacker re-enters a different function before the original call completes its state updates.
Read MoreMaintained by Sigvex TeamReviewed
Detects signals wired between template instances where the constraint chain is broken, leaving inter-template data flows unconstrained.
Read MoreMaintained by Sigvex TeamReviewed
Detects arithmetic operations that mix values with different decimal precision without normalization, causing massive over- or under-payments.
Read MoreMaintained by Sigvex TeamReviewed
Detects DeFi-specific reentrancy patterns where external calls occur before state updates in vault, lending, and staking operations.
Read MoreMaintained by Sigvex TeamReviewed
Detects protocol patterns that are susceptible to flash loan price manipulation — specifically, reliance on on-chain spot prices that can be manipulated within a single transaction.
Read MoreMaintained by Sigvex TeamReviewed
Detects missing repayment validation in flash loan patterns, allowing borrowers to avoid repaying borrowed funds.
Read MoreMaintained by Sigvex TeamReviewed
Detects vulnerabilities in DAO governance mechanisms including flash loan-based voting, timelock bypass, quorum manipulation, delegation exploits, treasury drain, and emergency action abuse.
Read MoreMaintained by Sigvex TeamReviewed
Detects modifications to storage variables that should be immutable, including constructor-set values modified by public functions and view-named functions that write to storage.
Read MoreMaintained by Sigvex TeamReviewed
Detects initialization functions that were intended as constructors but became callable public functions due to naming errors in Solidity 0.4.x contracts.
Read MoreMaintained by Sigvex TeamReviewed
Detects missing validation that the transaction sender has authority for privileged operations.
Read MoreMaintained by Sigvex TeamReviewed
Detects unauthorized lamport transfers where an account's SOL balance is transferred without proper signer, key, or owner authorization checks.
Read MoreMaintained by Sigvex TeamReviewed
Detects liquidity pool manipulation vulnerabilities.
Read MoreMaintained by Sigvex TeamReviewed
Detects token minting operations without proper mint authority validation, enabling unauthorized token supply inflation.
Read MoreMaintained by Sigvex TeamReviewed
Detects account data reads where the account's program owner is not verified, allowing attackers to pass maliciously crafted accounts with arbitrary data.
Read MoreMaintained by Sigvex TeamReviewed
Detects privileged operations — lamport transfers and account data writes — performed without verifying that the involved account has signed the transaction.
Read MoreMaintained by Sigvex TeamReviewed
Detects missing authority validation when invoking Solana native programs.
Read MoreMaintained by Sigvex TeamReviewed
How attackers manipulate price oracles to exploit lending protocols, inflate collateral, and drain DeFi platforms — the most costly attack class in DeFi history.
Read MoreMaintained by Sigvex TeamReviewed
Detects smart contracts that rely on manipulable on-chain price sources, such as DEX spot prices or single-source price feeds, without time-weighted averaging.
Read MoreMaintained by Sigvex TeamReviewed
Detects PDA signer seeds that can be extracted or predicted by attackers, enabling PDA authority bypass.
Read MoreMaintained by Sigvex TeamReviewed
Detects Noir private (witness) inputs of type Field that are not referenced in any assertion, allowing the prover to set them to arbitrary values.
Read MoreMaintained by Sigvex TeamReviewed
Detects loop iteration bounds that depend on unconstrained signal values, allowing the prover to choose how many iterations execute.
Read MoreMaintained by Sigvex TeamReviewed
Detects view functions that read shared state mid-execution of a mutating call, allowing attackers to observe and exploit inconsistent intermediate state without modifying it.
Read MoreMaintained by Sigvex TeamReviewed
Detects functions that transfer Ether or call external contracts before completing state updates, allowing attackers to recursively re-enter and drain funds.
Read MoreMaintained by Sigvex TeamReviewed
How attackers exploit external calls that execute before state updates to recursively drain funds from smart contracts.
Read MoreMaintained by Sigvex TeamReviewed
Detects privileged operations with signer checks but no authority role validation, allowing any signer to execute admin actions.
Read MoreMaintained by Sigvex TeamReviewed
Detects missing safeguards in governance implementations that enable proposal manipulation and flash governance attacks.
Read MoreMaintained by Sigvex TeamReviewed
Detects integer overflow vulnerabilities in token delegation amount calculations.
Read MoreMaintained by Sigvex TeamReviewed
Detects mint authority vulnerabilities including missing validation and unlimited minting.
Read MoreMaintained by Sigvex TeamReviewed
Detects proxy storage layout collisions where the implementation contract's variables overlap with the proxy contract's administrative slots, enabling state corruption and privilege escalation.
Read MoreMaintained by Sigvex TeamReviewed
Detects programs reading sysvar data from accounts without validating the account key matches the canonical sysvar address.
Read MoreMaintained by Sigvex TeamReviewed
Detects token operations that violate balance invariants such as mint without supply update or burn without supply decrease.
Read MoreMaintained by Sigvex TeamReviewed
Detects token transfers and swaps with mismatched decimals without proper conversion.
Read MoreMaintained by Sigvex TeamReviewed
Detects unsafe handling of the Token-2022 permanent delegate extension, which grants an authority unconditional power to move or burn tokens.
Read MoreMaintained by Sigvex TeamReviewed
Detects external calls where the target address is user-controlled and not validated against known-safe addresses, enabling call redirection attacks.
Read MoreMaintained by Sigvex TeamReviewed
Detects unchecked arithmetic in fee and rent calculations that can overflow or underflow, leading to fund loss.
Read MoreMaintained by Sigvex TeamReviewed
Detects subtraction operations without underflow protection that can wrap around to a large value, bypassing balance checks and enabling fund theft.
Read MoreMaintained by Sigvex TeamReviewed
Detects component instantiations where outputs are read but inputs are not wired, leaving the sub-circuit unconstrained and enabling proof forgery.
Read MoreMaintained by Sigvex TeamReviewed
Detects Circom divisions whose divisor signal appears in no constraint at all, giving a malicious prover full control over the divisor and the result.
Read MoreMaintained by Sigvex TeamReviewed
Detects circuit output signals that lack any constraining assignment or explicit constraint, allowing the prover to set outputs to arbitrary values.
Read MoreMaintained by Sigvex TeamReviewed
Flags Noir functions that return a value derived from private inputs without any assertion binding the output to those inputs.
Read MoreMaintained by Sigvex TeamReviewed
Detects public input signals that are used in computations but never appear in any constraint, enabling the prover to forge the claimed public input value.
Read MoreMaintained by Sigvex TeamReviewed
Detects signals assigned via unconstrained assignment without any corresponding constraint, allowing the prover to set them to arbitrary values.
Read MoreMaintained by Sigvex TeamReviewed
Detects UUPS upgradeable proxy contracts where the implementation contract is deployed without calling the initializer, leaving the proxy's ownership and upgrade authority unset.
Read MoreMaintained by Sigvex TeamReviewed
Detects functions that transfer Ether without verifying the caller's authorization, allowing anyone to drain the contract's ETH balance.
Read MoreMaintained by Sigvex TeamReviewed
Detects comparison operators used in unconstrained assignments, producing prover-controlled boolean values with no verifier check.
Read MoreMaintained by Sigvex TeamReviewed
Detects delegatecall operations where the target address is user-controlled or loaded from storage without authorization, enabling complete contract takeover.
Read MoreMaintained by Sigvex TeamReviewed
Detects unauthorized vault state modifications and missing invariant checks in DeFi vault operations.
Read MoreMaintained by Sigvex TeamReviewed
Detects rounding direction errors in ERC-4626 vault share calculations that allow attackers to extract value through precision manipulation.
Read MoreMaintained by Sigvex TeamReviewed
Detects missing wrapped token supply vs collateral parity validation.
Read MoreMaintained by Sigvex TeamReviewed
Detects banned opcodes and storage access violations in ERC-4337 validation phase that cause bundler rejection.
Read MoreMaintained by Sigvex TeamReviewed
Detects missing or improperly implemented access controls on privileged functions, allowing unauthorized callers to execute restricted operations.
Read MoreMaintained by Sigvex TeamReviewed
Detects security issues in ERC-4337 account abstraction implementations including validation phase violations, paymaster abuse, and bundler manipulation.
Read MoreMaintained by Sigvex TeamReviewed
Detects when the same account is passed in multiple positions with incompatible role requirements, enabling an attacker to bypass security checks through role confusion.
Read MoreMaintained by Sigvex TeamReviewed
Detects incomplete account close operations where lamports are drained but account data is not zeroed, enabling account resurrection attacks.
Read MoreMaintained by Sigvex TeamReviewed
Detects account closes without discriminator zeroing, enabling resurrection attacks.
Read MoreMaintained by Sigvex TeamReviewed
Detects race conditions from account close/reopen between transactions.
Read MoreMaintained by Sigvex TeamReviewed
Detects missing executable flag validation before using accounts as program IDs in cross-program invocations.
Read MoreMaintained by Sigvex TeamReviewed
Detects account array access without bounds validation, a vulnerability that appears in 30% of recent Solana audit findings.
Read MoreMaintained by Sigvex TeamReviewed
Detects unsafe iteration over account arrays without bounds validation, which can lead to out-of-bounds panics or buffer overflows.
Read MoreMaintained by Sigvex TeamReviewed
Detects account deserialization without version validation, which can cause silent data corruption when account structures are upgraded.
Read MoreMaintained by Sigvex TeamReviewed
Detects missing account list size validation for programs that expect a fixed number of accounts.
Read MoreMaintained by Sigvex TeamReviewed
Detects account owner validation issues across CPI boundaries where ownership assumptions break after cross-program invocations.
Read MoreMaintained by Sigvex TeamReviewed
Detects account reallocation data corruption vulnerabilities.
Read MoreMaintained by Sigvex TeamReviewed
Detects unsafe account reallocation patterns that can corrupt data.
Read MoreMaintained by Sigvex TeamReviewed
Detects accounts that could be resurrected after closure via PDA re-derivation.
Read MoreMaintained by Sigvex TeamReviewed
Detects accounts used in conflicting roles or deserialized as the wrong type, enabling attackers to substitute one account type for another.
Read MoreMaintained by Sigvex TeamReviewed
Detects reads or writes to accounts after they are logically closed.
Read MoreMaintained by Sigvex TeamReviewed
Detects incomplete account verification chains where accounts undergo partial validation, allowing attackers to bypass security checks.
Read MoreMaintained by Sigvex TeamReviewed
Detects unsafe use of Address Lookup Tables without authority validation, allowing attackers to substitute malicious accounts.
Read MoreMaintained by Sigvex TeamReviewed
Detects when Anchor account constraints are checked in incorrect order.
Read MoreMaintained by Sigvex TeamReviewed
Detects Time-of-Check-Time-of-Use vulnerabilities in Anchor constraint validation.
Read MoreMaintained by Sigvex TeamReviewed
Detects missing or incorrect Anchor discriminator validation.
Read MoreMaintained by Sigvex TeamReviewed
Detects inconsistencies between Anchor IDL and program implementation.
Read MoreMaintained by Sigvex TeamReviewed
Detects unsafe account initialization and closing patterns in Anchor programs.
Read MoreMaintained by Sigvex TeamReviewed
Detects dangerous opcodes, unchecked calls, unsafe memory access, and unguarded arithmetic inside inline assembly blocks.
Read MoreMaintained by Sigvex TeamReviewed
Detects reachable assert() statements that indicate invariant violations and potential logic bugs in smart contracts.
Read MoreMaintained by Sigvex TeamReviewed
Detects non-atomic multi-step state updates where intermediate consistency checks are missing between storage writes.
Read MoreMaintained by Sigvex TeamReviewed
Detects multi-hop CPI authority chains where delegated signing authority is not validated at each intermediate hop, allowing an attacker to abuse implicitly inherited authority from a PDA signer.
Read MoreMaintained by Sigvex TeamReviewed
Detects contracts that assume transfer amounts equal the actual balance change, failing to account for fee-on-transfer, rebasing, or deflationary tokens.
Read MoreMaintained by Sigvex TeamReviewed
Detects batch operations that lack atomicity guarantees, allowing partial execution failures to leave the contract in an inconsistent state.
Read MoreMaintained by Sigvex TeamReviewed
Detects unsafe bit shift operations where the shift amount is user-controlled or exceeds the operand width, causing silent data loss.
Read MoreMaintained by Sigvex TeamReviewed
Detects user-controlled bump seeds in PDA derivation without validation against canonical values.
Read MoreMaintained by Sigvex TeamReviewed
Detects PDA operations using potentially non-canonical bump seeds via create_program_address, which can enable PDA collision and address confusion attacks.
Read MoreMaintained by Sigvex TeamReviewed
Detects violations of protocol-specific invariants — conditions that must always hold true for the protocol to operate correctly — including incorrect reward calculations, fee logic, and state transition rules.
Read MoreMaintained by Sigvex TeamReviewed
Detects Cairo functions that write storage after an external call, leaving the contract open to reentrancy through a violated checks-effects-interactions ordering.
Read MoreMaintained by Sigvex TeamReviewed
Detects state mutations after external calls that may trigger callbacks, violating the Checks-Effects-Interactions pattern.
Read MoreMaintained by Sigvex TeamReviewed
Detects excessive owner privileges, single points of failure, and centralization patterns that enable rug pulls or administrative abuse.
Read MoreMaintained by Sigvex TeamReviewed
Detects combinations of individually lower-severity issues that together form exploitable attack chains.
Read MoreMaintained by Sigvex TeamReviewed
Detects Bubblegum/compressed NFT Merkle proof and authority vulnerabilities.
Read MoreMaintained by Sigvex TeamReviewed
Detects resource issues that could exhaust Solana compute unit budget.
Read MoreMaintained by Sigvex TeamReviewed
Detects ownership checks that can be bypassed through conditional logic, allowing unauthorized access.
Read MoreMaintained by Sigvex TeamReviewed
Detects improper state initialization in constructors of upgradeable contracts where state is invisible to proxies.
Read MoreMaintained by Sigvex TeamReviewed
Detects unbounded dynamic arrays that can grow without limit, enabling denial-of-service through gas exhaustion on iteration.
Read MoreMaintained by Sigvex TeamReviewed
Detects CPI calls without proper account list validation, enabling privilege escalation.
Read MoreMaintained by Sigvex TeamReviewed
Detects circular cross-program invocation patterns that could cause infinite loops or resource exhaustion.
Read MoreMaintained by Sigvex TeamReviewed
Detects CPI calls with potentially tampered instruction data from untrusted sources.
Read MoreMaintained by Sigvex TeamReviewed
Detects CPI calls inside loops that can cause compute exhaustion and denial of service.
Read MoreMaintained by Sigvex TeamReviewed
Detects Cross-Program Invocations where the target program account key is not verified against the expected program ID, allowing an attacker to substitute a malicious program that accepts the same instruction format.
Read MoreMaintained by Sigvex TeamReviewed
Detects Solana programs that modify state after making a cross-program invocation, allowing the called program to invoke back before the state update completes.
Read MoreMaintained by Sigvex TeamReviewed
Detects unsafe signer propagation in nested CPI calls without re-validation.
Read MoreMaintained by Sigvex TeamReviewed
Detects CREATE2 deployments where salt values can be predicted or brute-forced, enabling address collision attacks.
Read MoreMaintained by Sigvex TeamReviewed
Detects integer truncation in security-critical operations including lamport transfers, account storage, and access control.
Read MoreMaintained by Sigvex TeamReviewed
Detects missing validation of relationships between related accounts in CPI operations.
Read MoreMaintained by Sigvex TeamReviewed
Detects tainted data flowing from untrusted external calls into security-critical operations like access control checks or transfer amounts.
Read MoreMaintained by Sigvex TeamReviewed
Detects cross-instruction state desynchronization vulnerabilities.
Read MoreMaintained by Sigvex TeamReviewed
Detects accounts used after CPI without re-validating initialization state.
Read MoreMaintained by Sigvex TeamReviewed
Detects state inconsistencies and race conditions across CPI boundaries.
Read MoreMaintained by Sigvex TeamReviewed
Detects delegatecall patterns where user-controlled input can specify the target address or data, potentially redirecting execution to a malicious contract.
Read MoreMaintained by Sigvex TeamReviewed
Detects storage slot collisions between facets in EIP-2535 diamond proxy contracts, where independent facets may unknowingly share storage locations.
Read MoreMaintained by Sigvex TeamReviewed
Detects division and modulo operations where the divisor may be zero, causing transaction reverts that lock funds or enable denial of service.
Read MoreMaintained by Sigvex TeamReviewed
Detects division and modulo operations where the divisor may be zero, causing runtime panics and DoS vulnerabilities.
Read MoreMaintained by Sigvex TeamReviewed
Detects divisions and modulo operations where the divisor has no non-zero binding, yielding undefined witness behaviour exploitable by the prover.
Read MoreMaintained by Sigvex TeamReviewed
Detects potential denial-of-service via unbounded compute unit consumption.
Read MoreMaintained by Sigvex TeamReviewed
Detects denial of service vulnerabilities where external calls in loops lack error handling, allowing one failed call to block entire batch operations.
Read MoreMaintained by Sigvex TeamReviewed
Detects missing validation when interacting with durable nonce accounts, enabling replay attacks or transaction reordering.
Read MoreMaintained by Sigvex TeamReviewed
Detects Ed25519 signature verification without canonical signature checks, allowing signature malleability attacks.
Read MoreMaintained by Sigvex TeamReviewed
Detects vulnerabilities in EIP-7702 delegation targets where EOAs temporarily delegate to smart contract code.
Read MoreMaintained by Sigvex TeamReviewed
Detects external calls to user-controlled addresses without verifying that the target has deployed code, where silent success masks failed interactions.
Read MoreMaintained by Sigvex TeamReviewed
Detects ERC-1155 contracts missing receiver callbacks, batch array-length validation, ERC-165 support, or required functions.
Read MoreMaintained by Sigvex TeamReviewed
Detects insecure ERC-1271 contract signature verification including missing magic value checks, reentrancy during verification, and gas griefing.
Read MoreMaintained by Sigvex TeamReviewed
Detects security issues in modular smart account implementations including plugin validation gaps, execution hook bypass, and module isolation failures.
Read MoreMaintained by Sigvex TeamReviewed
Detects ERC-721 contracts missing required functions, safe-transfer callbacks, ERC-165 support, or zero-address checks.
Read MoreMaintained by Sigvex TeamReviewed
Detects access control checks using EXTCODESIZE that can be bypassed by calling from a contract's constructor, where code size is zero.
Read MoreMaintained by Sigvex TeamReviewed
Detects contracts that assume the received token amount equals the transferred amount, failing to account for fee-on-transfer tokens.
Read MoreMaintained by Sigvex TeamReviewed
Detects circular signal dependencies in circuit constraints that prevent deterministic witness generation.
Read MoreMaintained by Sigvex TeamReviewed
Detects arithmetic that may wrap the finite field prime, producing field-correct but semantically wrong results for circuits modelling bounded integers.
Read MoreMaintained by Sigvex TeamReviewed
Detects unconstrained subtractions between signals where the result may wrap around the field modulus, turning a small negative difference into an enormous value.
Read MoreMaintained by Sigvex TeamReviewed
How attackers use uncollateralized flash loans to manipulate prices, exploit protocol logic, and drain funds within a single transaction.
Read MoreMaintained by Sigvex TeamReviewed
Detects functions with colliding 4-byte selectors that can cause incorrect function dispatch or proxy confusion.
Read MoreMaintained by Sigvex TeamReviewed
Detects external calls that forward insufficient gas or allow callers to specify gas amounts that cause downstream operations to fail.
Read MoreMaintained by Sigvex TeamReviewed
Detects initialization patterns vulnerable to frontrunning attacks.
Read MoreMaintained by Sigvex TeamReviewed
Detects hash collision vulnerabilities in cryptographic operations including weak algorithms, truncated hashes, and merkle proof misuse.
Read MoreMaintained by Sigvex TeamReviewed
Detects implicit instruction ordering dependencies not enforced on all control flow paths, enabling authorization bypass through path-selective attacks.
Read MoreMaintained by Sigvex TeamReviewed
Detects confusion between the XOR operator (^) and exponentiation (**) in Solidity arithmetic expressions.
Read MoreMaintained by Sigvex TeamReviewed
Detects proxy initializer functions that make external calls before setting the initialized flag, enabling re-initialization attacks.
Read MoreMaintained by Sigvex TeamReviewed
Detects missing validation of user-controlled inputs including instruction parameters, account data fields, and system call results in Solana programs.
Read MoreMaintained by Sigvex TeamReviewed
Detects missing instruction data length validation before unpacking, the most common source of runtime panics in Solana programs.
Read MoreMaintained by Sigvex TeamReviewed
Detects unsafe fallback logic for unrecognized instruction discriminators that may allow attackers to execute unintended code paths.
Read MoreMaintained by Sigvex TeamReviewed
Detects hardcoded instruction index comparisons that can be bypassed by attackers who control transaction structure.
Read MoreMaintained by Sigvex TeamReviewed
Detects unsafe instruction introspection with missing bounds or length validation when accessing transaction instructions via sysvar.
Read MoreMaintained by Sigvex TeamReviewed
Detects incorrect ordering of validation checks and sensitive operations, where state modifications or CPIs occur before authorization.
Read MoreMaintained by Sigvex TeamReviewed
Detects account data access without sufficient length validation, which can cause buffer overflows or runtime panics.
Read MoreMaintained by Sigvex TeamReviewed
Detects lamport operations without sufficient balance validation.
Read MoreMaintained by Sigvex TeamReviewed
Detects arithmetic operations that may overflow or underflow, producing incorrect values that can lead to fund theft or unexpected behavior.
Read MoreMaintained by Sigvex TeamReviewed
Detects unchecked arithmetic operations on user-controlled values in Solana programs that may overflow or underflow, enabling fund manipulation.
Read MoreMaintained by Sigvex TeamReviewed
Detects unsafe integer type casts that may truncate data, causing loss of significant bits and security vulnerabilities.
Read MoreMaintained by Sigvex TeamReviewed
Detects Layer 2-specific vulnerabilities including sequencer dependency, L1-L2 message replay, and gas price oracle manipulation.
Read MoreMaintained by Sigvex TeamReviewed
Detects lamport conservation violations where balances are not properly maintained.
Read MoreMaintained by Sigvex TeamReviewed
Detects confusion between native SOL (lamports) and SPL token operations leading to incorrect value calculations.
Read MoreMaintained by Sigvex TeamReviewed
Detects lamport transfers that may exceed available balance, causing underflow, account closure, or rent-exempt violations.
Read MoreMaintained by Sigvex TeamReviewed
Detects contracts that can receive ETH but have no code path that sends it out, permanently trapping funds.
Read MoreMaintained by Sigvex TeamReviewed
Detects loops without proper iteration bounds where the count can be influenced by external input, causing DoS via block gas limit exhaustion.
Read MoreMaintained by Sigvex TeamReviewed
Detects AMM and DEX liquidity pool contracts vulnerable to first-depositor inflation attacks where an attacker manipulates the share price to steal from subsequent depositors.
Read MoreMaintained by Sigvex TeamReviewed
Detects unbounded memory allocation patterns that can cause out-of-gas denial of service attacks.
Read MoreMaintained by Sigvex TeamReviewed
Detects insecure Merkle proof verification patterns vulnerable to second preimage attacks and proof malleability.
Read MoreMaintained by Sigvex TeamReviewed
Detects unsafe metadata authority transfers without proper verification of the new authority.
Read MoreMaintained by Sigvex TeamReviewed
Detects contracts that can be destroyed and redeployed at the same address with different code using CREATE2 and SELFDESTRUCT.
Read MoreMaintained by Sigvex TeamReviewed
Detects transaction ordering dependencies exploitable by miners and MEV searchers, including sandwich attacks, frontrunning, and backrunning patterns.
Read MoreMaintained by Sigvex TeamReviewed
Detects MEV and transaction ordering vulnerabilities in Solana programs.
Read MoreMaintained by Sigvex TeamReviewed
Detects DEX and AMM swap operations that lack transaction deadline validation, allowing pending transactions to execute at stale prices.
Read MoreMaintained by Sigvex TeamReviewed
Detects account initialization without validating the account is empty first.
Read MoreMaintained by Sigvex TeamReviewed
Detects upgradeable contracts that lack reserved storage gaps, risking storage collisions when new state variables are added in future versions.
Read MoreMaintained by Sigvex TeamReviewed
Detects msg.value used inside loops where the same ETH value is counted multiple times, enabling fund theft or accounting errors.
Read MoreMaintained by Sigvex TeamReviewed
Detects dangerous multi-hop cross-program invocation chains.
Read MoreMaintained by Sigvex TeamReviewed
Detects multi-signature validation issues including weak thresholds, missing signer verification, and replay vulnerabilities.
Read MoreMaintained by Sigvex TeamReviewed
Detects native programs deserializing account data without discriminator checks.
Read MoreMaintained by Sigvex TeamReviewed
Detects missing creator signature verification in NFT metadata operations.
Read MoreMaintained by Sigvex TeamReviewed
A family of checks for Noir-specific hazards: unconstrained functions, oracle responses, Brillig escapes, and assertion dependencies on mutable state.
Read MoreMaintained by Sigvex TeamReviewed
Detects if/else logic inside unconstrained assignments, where the prover can take either branch without any constraint enforcing the condition.
Read MoreMaintained by Sigvex TeamReviewed
Detects ternary and conditional expressions inside unconstrained assignments, where the prover chooses which branch produces the witness value.
Read MoreMaintained by Sigvex TeamReviewed
Flags division in Noir functions where the quotient is an unconstrained witness and the divisor is never validated.
Read MoreMaintained by Sigvex TeamReviewed
Detects nondeterministic operators on the right-hand side of `<--` assignments where no constraint later rebinds the result.
Read MoreMaintained by Sigvex TeamReviewed
Detects off-by-one errors in loop boundaries that can lead to skipped elements or out-of-bounds array access.
Read MoreMaintained by Sigvex TeamReviewed
Detects oracle price usage without staleness validation.
Read MoreMaintained by Sigvex TeamReviewed
Detects contracts with payable fallback or receive functions that accept ETH without proper handling or access control.
Read MoreMaintained by Sigvex TeamReviewed
Detects reuse of the same bump seed value across multiple PDA derivations.
Read MoreMaintained by Sigvex TeamReviewed
Detects PDA usage without ownership validation, allowing unauthorized access.
Read MoreMaintained by Sigvex TeamReviewed
Detects PDA derivations with weak seed patterns that could collide with other PDAs or system addresses, enabling account hijacking.
Read MoreMaintained by Sigvex TeamReviewed
Detects incorrect PDA seed derivation patterns including wrong order, missing seeds, and non-deterministic sources.
Read MoreMaintained by Sigvex TeamReviewed
Detects PDA derivations with weak entropy that could collide with system program addresses.
Read MoreMaintained by Sigvex TeamReviewed
Detects user-controlled input used in PDA seeds without validation, enabling arbitrary PDA derivation.
Read MoreMaintained by Sigvex TeamReviewed
Detects Program Derived Addresses that are used without verifying their seeds and bump, allowing attackers to substitute counterfeit PDAs.
Read MoreMaintained by Sigvex TeamReviewed
Detects ERC-2612 permit implementations where nonce mismanagement enables frontrunning attacks on gasless approvals.
Read MoreMaintained by Sigvex TeamReviewed
Detects ERC-2612 permit implementation issues including front-running, nonce manipulation, and deadline bypass.
Read MoreMaintained by Sigvex TeamReviewed
Detects division-before-multiplication and rounding errors in financial calculations that cause systematic fund loss or enable economic attacks through precision manipulation.
Read MoreMaintained by Sigvex TeamReviewed
Detects precision loss and rounding errors in DeFi financial calculations.
Read MoreMaintained by Sigvex TeamReviewed
Detects large swaps without price impact validation.
Read MoreMaintained by Sigvex TeamReviewed
Detects security risks in upgradeable Solana programs including authority validation issues.
Read MoreMaintained by Sigvex TeamReviewed
Detects R1CS quadratic constraints where both multiplicative factors contain only unconstrained signals, breaking proof soundness.
Read MoreMaintained by Sigvex TeamReviewed
Detects potential read-only reentrancy through CPI calls where a callee reads stale state from the caller during a callback.
Read MoreMaintained by Sigvex TeamReviewed
Detects readonly accounts forwarded to CPI calls that may bypass write locks.
Read MoreMaintained by Sigvex TeamReviewed
Detects contracts that interact with rebasing tokens (like stETH or AMPL) without accounting for balance changes that occur outside of explicit transfers.
Read MoreMaintained by Sigvex TeamReviewed
Detects use of ctx.remaining_accounts in privileged operations without ownership and discriminator validation, allowing attackers to inject malicious accounts that bypass Anchor's type system.
Read MoreMaintained by Sigvex TeamReviewed
Detects rent collection exploit patterns and missing rent-exempt checks.
Read MoreMaintained by Sigvex TeamReviewed
Detects account data writes before rent-exempt funding.
Read MoreMaintained by Sigvex TeamReviewed
Detects account reallocations without rent-exemption lamport adjustments.
Read MoreMaintained by Sigvex TeamReviewed
Detects rent exemption requirement violations in Solana programs.
Read MoreMaintained by Sigvex TeamReviewed
Detects partial lamport withdrawals without rent-exemption balance checks.
Read MoreMaintained by Sigvex TeamReviewed
Detects AMM and DEX contracts vulnerable to reserve manipulation via direct balance inflation, enabling attackers to skew prices or drain liquidity.
Read MoreMaintained by Sigvex TeamReviewed
Detects vulnerabilities in staking, yield farming, and reward distribution functions that allow attackers to inflate reward claims through flash loans, timestamp manipulation, or division-before-multiplication precision loss.
Read MoreMaintained by Sigvex TeamReviewed
Detects role-based access control vulnerabilities including missing role checks, escalation risks, and hardcoded permissions.
Read MoreMaintained by Sigvex TeamReviewed
Detects right-to-left override Unicode characters used in Trojan Source attacks to disguise malicious code as benign.
Read MoreMaintained by Sigvex TeamReviewed
Detects DEX swap functions vulnerable to sandwich attacks where missing slippage and deadline protections allow value extraction by MEV searchers.
Read MoreMaintained by Sigvex TeamReviewed
Detects accounts with identity validation (CheckKey) but missing signer validation (CheckSigner), allowing authorization bypass.
Read MoreMaintained by Sigvex TeamReviewed
Detects use of the selfdestruct opcode, which can permanently destroy a contract and forcibly send its Ether balance to an arbitrary address.
Read MoreMaintained by Sigvex TeamReviewed
Detects reentrancy vulnerabilities arising from semantic state inconsistencies rather than direct balance manipulation.
Read MoreMaintained by Sigvex TeamReviewed
Detects race conditions from shared mutable account access where the same account is modified through multiple paths without duplicate checks.
Read MoreMaintained by Sigvex TeamReviewed
Detects ERC-20 transfer functions vulnerable to short address attacks where truncated addresses cause the amount parameter to be left-shifted.
Read MoreMaintained by Sigvex TeamReviewed
Detects unsafe sign extension in type conversions between signed and unsigned integers, where negative values become large positive numbers.
Read MoreMaintained by Sigvex TeamReviewed
Detects self-referential signal mutation inside loops, where prover-controlled iteration counts allow arbitrary final values.
Read MoreMaintained by Sigvex TeamReviewed
Detects signals assigned more than once, including silent unconstrained overwrites that bypass constraint generation.
Read MoreMaintained by Sigvex TeamReviewed
Detects signature verification without chain ID, contract address, nonce, or deadline binding, allowing valid signatures to be reused across transactions, chains, or contracts.
Read MoreMaintained by Sigvex TeamReviewed
Detects signature verification without nonce or deadline replay protection, allowing valid signatures to be reused across multiple transactions.
Read MoreMaintained by Sigvex TeamReviewed
Detects improper ECDSA signature verification patterns including missing checks, incorrect hash construction, and unsafe recovery.
Read MoreMaintained by Sigvex TeamReviewed
Detects missing slippage protection in token swap operations.
Read MoreMaintained by Sigvex TeamReviewed
Detects missing or insufficient slippage protection in DEX swap and liquidity operations, allowing MEV bots and sandwich attackers to extract value from transactions.
Read MoreMaintained by Sigvex TeamReviewed
Detects unsafe account close operations including non-empty accounts and rent drain attacks.
Read MoreMaintained by Sigvex TeamReviewed
Detects missing validation in SPL token operations including ownership, mint, and authority checks.
Read MoreMaintained by Sigvex TeamReviewed
Detects improper Associated Token Account usage including wrong ATA, missing derivation validation, and mint mismatch.
Read MoreMaintained by Sigvex TeamReviewed
Detects confusion between token account authorities (owner, delegate, close authority, mint authority, freeze authority).
Read MoreMaintained by Sigvex TeamReviewed
Detects token account closure without validating the close_authority field.
Read MoreMaintained by Sigvex TeamReviewed
Detects unsafe token delegation patterns including unlimited approvals and missing revocation.
Read MoreMaintained by Sigvex TeamReviewed
Detects unsafe freeze and burn operations with missing authority validation or balance checks.
Read MoreMaintained by Sigvex TeamReviewed
Detects transfer hook vulnerabilities including bypass, reentrancy, and missing validation.
Read MoreMaintained by Sigvex TeamReviewed
Detects stack and CPI depth limit violations in Solana programs.
Read MoreMaintained by Sigvex TeamReviewed
Detects use of cached account data after CPI without reload, leading to stale reads.
Read MoreMaintained by Sigvex TeamReviewed
Detects contracts that consume off-chain aggregated oracle data without verifying that the price is recent, allowing protocols to operate on outdated prices during network disruptions.
Read MoreMaintained by Sigvex TeamReviewed
Detects storage layout changes during proxy upgrades that could corrupt existing state, including reordered variables and changed types.
Read MoreMaintained by Sigvex TeamReviewed
Flags contracts compiled with Solidity 0.8.13 through 0.8.16 where the Yul optimizer can drop a storage write that precedes a conditional return or stop.
Read MoreMaintained by Sigvex TeamReviewed
Detects missing validation in token swap operations.
Read MoreMaintained by Sigvex TeamReviewed
Detects unverified sysvar account usage that could allow attackers to substitute fake system data.
Read MoreMaintained by Sigvex TeamReviewed
Detects incorrect template instantiation patterns including unused outputs, parameter mismatches, and unconstrained component output reads.
Read MoreMaintained by Sigvex TeamReviewed
Detects missing update authority verification in canonical NFT metadata operations.
Read MoreMaintained by Sigvex TeamReviewed
Detects missing account ownership validation before cross-program invocations, allowing attackers to pass fake token accounts.
Read MoreMaintained by Sigvex TeamReviewed
Detects token account spoofing and aliasing vulnerabilities where fake token accounts can be substituted.
Read MoreMaintained by Sigvex TeamReviewed
Detects Token-2022 extension security misconfigurations.
Read MoreMaintained by Sigvex TeamReviewed
Detects reentrancy through ERC-777, ERC-1155, and ERC-4626 token callback hooks where state updates occur after hook-triggering transfers.
Read MoreMaintained by Sigvex TeamReviewed
Detects Token-2022 confidential transfer vulnerabilities.
Read MoreMaintained by Sigvex TeamReviewed
Detects Token-2022 CPI transfers that ignore the CPI Guard extension and fail to handle guarded accounts.
Read MoreMaintained by Sigvex TeamReviewed
Detects Token-2022 mints that enable extension combinations with undefined, contradictory, or insecure interactions.
Read MoreMaintained by Sigvex TeamReviewed
Detects Token-2022 extension vulnerabilities including transfer hooks, fees, and confidential transfers.
Read MoreMaintained by Sigvex TeamReviewed
Detects Token-2022 Immutable Owner extension validation issues.
Read MoreMaintained by Sigvex TeamReviewed
Detects token transfers that do not account for Token-2022 transfer fees.
Read MoreMaintained by Sigvex TeamReviewed
Flags contracts compiled with Solidity 0.8.28 through 0.8.33 using the IR pipeline, where a shared zeroing helper can confuse persistent and transient storage on delete.
Read MoreMaintained by Sigvex TeamReviewed
Detects tautological constraints that are always satisfied regardless of signal values, providing no security guarantee.
Read MoreMaintained by Sigvex TeamReviewed
Detects time-weighted average price oracle implementations vulnerable to multi-block manipulation or insufficient observation windows.
Read MoreMaintained by Sigvex TeamReviewed
Detects account data deserialization that reads past the discriminator prefix without first validating it, allowing attackers to pass accounts of a different type.
Read MoreMaintained by Sigvex TeamReviewed
Detects output signals that are declared but never assigned, leaving the value undefined and open to proof forgery.
Read MoreMaintained by Sigvex TeamReviewed
Detects array accesses without bounds validation, enabling out-of-bounds reads/writes that corrupt storage or cause unexpected reverts.
Read MoreMaintained by Sigvex TeamReviewed
Detects component instances whose inputs or outputs are never wired into the enclosing R1CS, leaving the component's internal constraints disconnected from the proof.
Read MoreMaintained by Sigvex TeamReviewed
Detects CPI calls without return value validation, allowing silent failures.
Read MoreMaintained by Sigvex TeamReviewed
Detects unchecked deserialization of account data that may panic on malformed input.
Read MoreMaintained by Sigvex TeamReviewed
Detects ERC-20 token operations whose boolean return values are not checked, allowing silent transfer failures.
Read MoreMaintained by Sigvex TeamReviewed
Detects external calls whose boolean return value is not checked, allowing silent failures that leave the contract in an inconsistent state.
Read MoreMaintained by Sigvex TeamReviewed
Detects usage of uninitialized accounts before proper initialization.
Read MoreMaintained by Sigvex TeamReviewed
Detects storage variables and struct pointers used before initialization, where default zero values may cause unexpected behavior.
Read MoreMaintained by Sigvex TeamReviewed
Detects external callback hooks that execute untrusted code without proper validation, gas limits, or reentrancy protection.
Read MoreMaintained by Sigvex TeamReviewed
Detects type casts that silently truncate values when converting from a larger to a smaller integer type.
Read MoreMaintained by Sigvex TeamReviewed
Detects ERC-4626 tokenized vault implementations that are vulnerable to the first-depositor share price inflation attack, where an attacker manipulates the share price to cause subsequent depositors to receive zero shares.
Read MoreMaintained by Sigvex TeamReviewed
Detects vulnerabilities in vote-escrowed token governance systems including flash-vote attacks, lock manipulation, and decay bypass.
Read MoreMaintained by Sigvex TeamReviewed
Detects governance voting power manipulation vulnerabilities.
Read MoreMaintained by Sigvex TeamReviewed
Detects use of predictable on-chain values — blockhash, block.timestamp, block.prevrandao — as sources of randomness, which miners or validators can manipulate.
Read MoreMaintained by Sigvex TeamReviewed
Detects Solana programs that derive randomness from predictable on-chain sources such as clock timestamps, slot numbers, or account hashes.
Read MoreMaintained by Sigvex TeamReviewed
Detects unconstrained witness expressions that combine several nondeterministic operations, where the constraint set is unlikely to fully rebind the result.
Read MoreMaintained by Sigvex TeamReviewed
Detects contracts that conflate WETH and native ETH handling, causing stuck funds or incorrect transfer logic.
Read MoreMaintained by Sigvex TeamReviewed
Detects unsafe zero-copy deserialization patterns that can lead to memory corruption.
Read MoreMaintained by Sigvex TeamReviewed
Detects signature vulnerabilities in account abstraction implementations including missing chain ID, replay across accounts, and malleability.
Read MoreMaintained by Sigvex TeamReviewed
Detects account data writes that lack a prior initialization check, allowing attackers to reset account state or overwrite existing data.
Read MoreMaintained by Sigvex TeamReviewed
Detects account data size violations in Solana programs.
Read MoreMaintained by Sigvex TeamReviewed
Detects incorrect space allocation in Anchor account initialization.
Read MoreMaintained by Sigvex TeamReviewed
Detects unsafe array element deletion that leaves stale indices or gaps, corrupting data structures that depend on contiguous arrays.
Read MoreMaintained by Sigvex TeamReviewed
Detects parallel array operations that assume equal lengths without validation, risking out-of-bounds access or incomplete processing.
Read MoreMaintained by Sigvex TeamReviewed
Detects contracts that depend on EIP-4844 blob data availability, which is only guaranteed for a limited time window.
Read MoreMaintained by Sigvex TeamReviewed
Detects unbounded Borsh Vec/String length prefix usage that can cause DoS.
Read MoreMaintained by Sigvex TeamReviewed
Detects contracts approaching or exceeding the EIP-170 24KB bytecode size limit, which prevents deployment.
Read MoreMaintained by Sigvex TeamReviewed
Detects external, state-mutating Cairo functions that accept parameters but contain no assertions, trusting arbitrary caller-supplied input.
Read MoreMaintained by Sigvex TeamReviewed
Detects division in Cairo functions where the divisor is not asserted non-zero, risking transaction aborts and surprising quotients under field semantics.
Read MoreMaintained by Sigvex TeamReviewed
Detects felt252 arithmetic in state-changing Cairo functions that has no bounding assertion and may wrap silently around the Starknet field prime.
Read MoreMaintained by Sigvex TeamReviewed
Detects external calls inside loops that can cause denial-of-service when any single call reverts or the loop exceeds the block gas limit.
Read MoreMaintained by Sigvex TeamReviewed
Detects programs that read time data from unvalidated accounts instead of the canonical Clock sysvar, enabling timestamp manipulation.
Read MoreMaintained by Sigvex TeamReviewed
Detects Clock sysvar usage in financial logic without staleness bounds, exploitable after network halts.
Read MoreMaintained by Sigvex TeamReviewed
Detects hardcoded compute budget assumptions vulnerable to injection.
Read MoreMaintained by Sigvex TeamReviewed
Detects constraint expressions whose multiplicative degree exceeds the proof system's gate degree, forcing expansion or breaking compilation.
Read MoreMaintained by Sigvex TeamReviewed
Detects cross-account state consistency issues.
Read MoreMaintained by Sigvex TeamReviewed
Detects functions and state variables with implicit visibility that may unintentionally be public.
Read MoreMaintained by Sigvex TeamReviewed
Detects patterns that allow attackers to permanently block contract execution, including unbounded loops, push-payment patterns, and external call failures in critical paths.
Read MoreMaintained by Sigvex TeamReviewed
Detects usage of deprecated Solidity functions and constructs that may be removed in future compiler versions.
Read MoreMaintained by Sigvex TeamReviewed
Detects potential endianness mismatches in data deserialization.
Read MoreMaintained by Sigvex TeamReviewed
Detects arithmetic expressions where division precedes multiplication, causing precision loss from integer truncation.
Read MoreMaintained by Sigvex TeamReviewed
Flags contracts compiled with Solidity 0.6.2 through 0.8.20 on the legacy pipeline, where side effects of an expression before .selector could be silently discarded.
Read MoreMaintained by Sigvex TeamReviewed
Detects when the same account is passed at multiple positions in an instruction where both references are mutable, creating aliasing bugs and undefined behavior.
Read MoreMaintained by Sigvex TeamReviewed
Detects missing or vulnerable emergency pause mechanisms in Solana programs.
Read MoreMaintained by Sigvex TeamReviewed
Detects contracts that falsely claim ERC-165 interface support, enabling type confusion attacks in routers, marketplaces, and bridges.
Read MoreMaintained by Sigvex TeamReviewed
Detects ERC-20 approve functions vulnerable to the front-running race condition where a spender can spend both old and new allowances.
Read MoreMaintained by Sigvex TeamReviewed
Detects deviations from the ERC-20 token standard including missing return values, incorrect event signatures, and non-standard behavior.
Read MoreMaintained by Sigvex TeamReviewed
Detects transactions where the outcome depends on call ordering, enabling miners or other users to manipulate execution order for profit.
Read MoreMaintained by Sigvex TeamReviewed
Detects hardcoded gas stipends and gas limits that break when EVM gas costs change across hard forks or L2 environments.
Read MoreMaintained by Sigvex TeamReviewed
Detects abi.encodePacked usage with multiple dynamic types that can produce hash collisions via data concatenation ambiguity.
Read MoreMaintained by Sigvex TeamReviewed
Detects silently ignored errors or improper error propagation in Solana programs.
Read MoreMaintained by Sigvex TeamReviewed
Detects comparison operators that are likely wrong — using = instead of ==, > instead of >=, or comparing incompatible types.
Read MoreMaintained by Sigvex TeamReviewed
Detects diamond inheritance patterns, conflicting overrides, and overlapping modifier chains that C3 linearization can resolve unexpectedly.
Read MoreMaintained by Sigvex TeamReviewed
Detects unsafe instruction data parsing patterns that may cause panics or errors with malformed data.
Read MoreMaintained by Sigvex TeamReviewed
Flags contracts compiled with Solidity below 0.8.3 where the optimizer can reuse a keccak256 result across two differing input lengths that round to the same 32-byte multiple.
Read MoreMaintained by Sigvex TeamReviewed
Detects lamport dust exploitation vulnerabilities in Solana programs.
Read MoreMaintained by Sigvex TeamReviewed
Detects functions that accept user-supplied parameters and use them in sensitive operations without sufficient bounds checking, type validation, or access control enforcement.
Read MoreMaintained by Sigvex TeamReviewed
Detects signals consumed by bit-width-sensitive components without a preceding range constraint, enabling silent overflow of comparators and bit decompositions.
Read MoreMaintained by Sigvex TeamReviewed
Detects functions that accept address parameters without checking for the zero address, risking permanent fund loss.
Read MoreMaintained by Sigvex TeamReviewed
Detects NFT metadata validation issues.
Read MoreMaintained by Sigvex TeamReviewed
Detects NFT royalty enforcement bypass patterns.
Read MoreMaintained by Sigvex TeamReviewed
Detects missing instruction discrimination in non-Anchor Solana programs.
Read MoreMaintained by Sigvex TeamReviewed
Detects Solana programs that rely on unvalidated or manipulable price oracle data, enabling attackers to trigger liquidations, drain vaults, or manipulate DeFi calculations.
Read MoreMaintained by Sigvex TeamReviewed
Detects contracts compiled with Solidity versions affected by published compiler advisories, using bytecode metadata for version evidence.
Read MoreMaintained by Sigvex TeamReviewed
Detects PDA derivations without program-specific namespace seeds, risking cross-program collisions.
Read MoreMaintained by Sigvex TeamReviewed
Detects semantic misuse of readonly accounts.
Read MoreMaintained by Sigvex TeamReviewed
Detects cached rent-exempt minimum balances that become stale across epoch transitions.
Read MoreMaintained by Sigvex TeamReviewed
Detects functions where require/assert conditions can be violated through specific input combinations or state manipulation.
Read MoreMaintained by Sigvex TeamReviewed
Detects external calls vulnerable to returnbomb attacks where a malicious callee returns excessive data to cause out-of-gas reverts.
Read MoreMaintained by Sigvex TeamReviewed
Detects NFT marketplace and token contracts where ERC-2981 royalty payments can be circumvented through wrapper contracts or direct transfers.
Read MoreMaintained by Sigvex TeamReviewed
Detects Secp256k1 signature verification without canonicalization checks.
Read MoreMaintained by Sigvex TeamReviewed
Detects redundant equality constraints that create signal aliases without adding security, potentially masking missing constraints.
Read MoreMaintained by Sigvex TeamReviewed
Detects array accesses indexed by an unconstrained signal, giving the prover a free choice of which element is read.
Read MoreMaintained by Sigvex TeamReviewed
Detects ECDSA signature verification that fails to check s-value bounds, v-value validity, or zero-address returns from ecrecover.
Read MoreMaintained by Sigvex TeamReviewed
Flags contracts compiled with Solidity versions affected by the 2022 ABI-encoder calldata re-encoding bugs that can corrupt forwarded calldata.
Read MoreMaintained by Sigvex TeamReviewed
Detects SPL Token standard compliance violations.
Read MoreMaintained by Sigvex TeamReviewed
Detects excessive delegation chain depth that increases attack surface and complexity.
Read MoreMaintained by Sigvex TeamReviewed
Detects metadata validation issues including missing PDA checks, update authority verification, and URI validation.
Read MoreMaintained by Sigvex TeamReviewed
Detects stale sysvar data usage across blocks beyond Clock.
Read MoreMaintained by Sigvex TeamReviewed
Detects comparisons that are always true or always false due to type constraints, rendering conditional logic dead.
Read MoreMaintained by Sigvex TeamReviewed
Detects the Metaplex Token Metadata program metadata standard compliance violations.
Read MoreMaintained by Sigvex TeamReviewed
Detects timelock bypass vulnerabilities, missing delays for critical operations, and timestamp validation issues.
Read MoreMaintained by Sigvex TeamReviewed
Detects reliance on block.timestamp for time-sensitive logic where validator manipulation of the timestamp by up to ~15 seconds can influence outcomes.
Read MoreMaintained by Sigvex TeamReviewed
Detects dangerous dependencies on block timestamps in security-critical logic including access control and randomness.
Read MoreMaintained by Sigvex TeamReviewed
Detects token account initialization race conditions.
Read MoreMaintained by Sigvex TeamReviewed
Detects unbounded account lists in CPI that can cause transaction size DoS.
Read MoreMaintained by Sigvex TeamReviewed
Detects use of tx.origin for authentication or access control, which allows phishing attacks to bypass authorization checks.
Read MoreMaintained by Sigvex TeamReviewed
Detects bytecode patterns left by operator typos: =+ instead of +=, identity assignments, and consecutive operations that cancel out.
Read MoreMaintained by Sigvex TeamReviewed
Detects potentially unsafe account data access patterns without bounds checking.
Read MoreMaintained by Sigvex TeamReviewed
Flags Noir functions that convert a Field input to a smaller integer type without a range check that prevents silent truncation.
Read MoreMaintained by Sigvex TeamReviewed
Detects declared signals that never appear in any constraint or assignment, indicating dead code or incomplete circuit logic.
Read MoreMaintained by Sigvex TeamReviewed
Detects local variables or inherited state variables that shadow declarations in parent contracts, causing confusion about which variable is accessed.
Read MoreMaintained by Sigvex TeamReviewed
Detects PDA derivations with weak seed entropy, enabling prediction and front-running attacks.
Read MoreMaintained by Sigvex TeamReviewed
Detects redundant storage writes where a variable is written twice without an intervening read, wasting gas and potentially indicating logic errors.
Read MoreMaintained by Sigvex TeamReviewed
Detects token operations that may accept zero amounts without explicit validation.
Read MoreMaintained by Sigvex TeamReviewed
Detects Cairo functions that take a felt252 input and return a narrow integer type without a range check, exposing a denial-of-service surface on out-of-range inputs.
Read MoreMaintained by Sigvex TeamReviewed
Detects loops and recursive call patterns that consume compute units without bounds or budget checks, causing unpredictable mid-execution transaction failures.
Read MoreMaintained by Sigvex TeamReviewed
Detects contracts that assume their ETH balance equals the sum of deposits, ignoring forcibly sent ETH via selfdestruct or coinbase transactions.
Read MoreMaintained by Sigvex TeamReviewed
A baseline informational hint marking every external, non-view Cairo entrypoint that can change contract state, so reviewers can confirm checks-effects-interactions ordering.
Read MoreMaintained by Sigvex TeamReviewed
Detects contracts compiled with a floating pragma version that may produce different bytecode across compiler versions.
Read MoreMaintained by Sigvex TeamReviewed
Detects token operations performed without checking if the account is frozen.
Read MoreMaintained by Sigvex TeamReviewed
Detects hardcoded system program addresses instead of using named constants for program IDs.
Read MoreMaintained by Sigvex TeamReviewed
Detects hardcoded sysvar addresses instead of using proper sysvar::id() derivation functions.
Read MoreMaintained by Sigvex TeamReviewed
Detects critical state-changing operations that do not emit events, reducing transparency and making off-chain monitoring impossible.
Read MoreMaintained by Sigvex TeamReviewed
Detects potential rent exemption issues from lamport transfers.
Read MoreMaintained by Sigvex TeamReviewed
Detects account modifications performed without verifying the is_writable flag, allowing read-only accounts to be silently corrupted or causing runtime errors.
Read MoreMaintained by Sigvex TeamReviewed
Detects program interface compliance issues.
Read MoreMaintained by Sigvex TeamReviewed
Detects attempts to modify accounts that have been verified as readonly.
Read MoreMaintained by Sigvex TeamReviewed
Detects improper rent epoch validation and handling.
Read MoreMaintained by Sigvex TeamReviewed
Detects unchecked arithmetic operations that could silently overflow or underflow in SVM programs.
Read MoreMaintained by Sigvex TeamReviewed
Detects unreachable code paths and unused internal functions that increase bytecode size and may indicate logic errors.
Read MoreMaintained by Sigvex TeamReviewed
Identifies repeated storage reads of the same slot within a function that could be cached in memory to save gas.
Read MoreMaintained by Sigvex TeamReviewed
Detects contracts storing sensitive data in private or internal state variables, which remain readable on-chain despite the visibility modifier.
Read MoreMaintained by Sigvex TeamReviewed
Detects storage slots that are written but never read and local variables assigned but never used, indicating dead state or incomplete logic.
Read MoreMaintained by Sigvex TeamReviewed
Bind smart-account signatures to the EntryPoint-provided userOpHash so they cannot be replayed across chains or accounts.
Read MoreMaintained by Sigvex TeamReviewed
Keep ERC-4337 validation free of banned opcodes and non-associated storage so bundlers can safely simulate the operation.
Read MoreMaintained by Sigvex TeamReviewed
Sigvex exploit generator that validates missing access control by calling privileged functions from an unauthorized address and checking for storage mutations.
Read MoreMaintained by Sigvex TeamReviewed
How to implement proper access controls on privileged functions using ownership patterns, role-based access, and multi-signature authorization.
Read MoreMaintained by Sigvex TeamReviewed
Keep ERC-4337 validation free of banned opcodes and unrestricted storage, and verify signatures against the EntryPoint userOpHash.
Read MoreMaintained by Sigvex TeamReviewed
How to fix incomplete account close operations that leave data intact after draining lamports.
Read MoreMaintained by Sigvex TeamReviewed
How to fix missing discriminator zeroing on account close.
Read MoreMaintained by Sigvex TeamReviewed
How to fix TOCTOU race conditions from account close/reopen between transactions.
Read MoreMaintained by Sigvex TeamReviewed
How to fix missing executable flag validation before cross-program invocations.
Read MoreMaintained by Sigvex TeamReviewed
How to fix account array access without bounds validation.
Read MoreMaintained by Sigvex TeamReviewed
How to fix unsafe iteration over account arrays without bounds validation.
Read MoreMaintained by Sigvex TeamReviewed
How to fix account deserialization that lacks version validation.
Read MoreMaintained by Sigvex TeamReviewed
How to fix missing account list size validation for fixed account layouts.
Read MoreMaintained by Sigvex TeamReviewed
How to fix stale owner validation across CPI boundaries.
Read MoreMaintained by Sigvex TeamReviewed
How to fix account reallocation data corruption vulnerabilities.
Read MoreMaintained by Sigvex TeamReviewed
How to fix unsafe account reallocation patterns.
Read MoreMaintained by Sigvex TeamReviewed
How to prevent account reinitialization attacks by adding an initialization guard that checks the discriminator or an explicit initialized flag before overwriting account state.
Read MoreMaintained by Sigvex TeamReviewed
How to fix account resurrection vulnerabilities from PDA re-derivation.
Read MoreMaintained by Sigvex TeamReviewed
How to fix account data size violations.
Read MoreMaintained by Sigvex TeamReviewed
Sigvex exploit generator that validates account type confusion vulnerabilities in Solana programs by simulating an attack that passes a wrong account type to an instruction, bypassing type-based access controls.
Read MoreMaintained by Sigvex TeamReviewed
How to validate account discriminators and use the account-validation framework's typed account system to prevent attackers from substituting accounts of the wrong type.
Read MoreMaintained by Sigvex TeamReviewed
How to fix use-after-close vulnerabilities in Solana programs.
Read MoreMaintained by Sigvex TeamReviewed
How to fix incomplete account verification chains by adding missing validation checks.
Read MoreMaintained by Sigvex TeamReviewed
How to fix unsafe Address Lookup Table usage by validating table authority and loaded addresses.
Read MoreMaintained by Sigvex TeamReviewed
How to fix unsafe admin key handling, hardcoded keys, and single points of failure.
Read MoreMaintained by Sigvex TeamReviewed
How to fix missing or insufficient Anchor account constraints that allow unauthorized account substitution.
Read MoreMaintained by Sigvex TeamReviewed
How to fix incorrect an account-validation framework constraint ordering.
Read MoreMaintained by Sigvex TeamReviewed
How to fix TOCTOU race conditions in an account-validation framework constraints.
Read MoreMaintained by Sigvex TeamReviewed
How to fix missing Anchor discriminator validation.
Read MoreMaintained by Sigvex TeamReviewed
How to fix Anchor IDL and program implementation mismatches.
Read MoreMaintained by Sigvex TeamReviewed
How to fix unsafe Anchor init and close patterns.
Read MoreMaintained by Sigvex TeamReviewed
How to fix incorrect Anchor space allocation.
Read MoreMaintained by Sigvex TeamReviewed
How to fix unsafe an account-validation framework program upgrade patterns.
Read MoreMaintained by Sigvex TeamReviewed
Sigvex exploit generator that validates off-chain data trust vulnerabilities where contracts accept external API data without signature verification, freshness checks, or redundancy — enabling data injection, replay attacks, and single-point-of-failure exploits.
Read MoreMaintained by Sigvex TeamReviewed
How to secure contracts that consume off-chain data by requiring cryptographic signatures, freshness timestamps, and multiple independent sources to prevent data injection and replay attacks.
Read MoreMaintained by Sigvex TeamReviewed
How to validate cross-program invocation targets to prevent attackers from redirecting CPI calls to malicious programs.
Read MoreMaintained by Sigvex TeamReviewed
Add access control to functions that move a contract's tokens so callers cannot redirect the balance to themselves.
Read MoreMaintained by Sigvex TeamReviewed
How to eliminate control-flow hijacking by never deriving a JUMP destination from user input — use structured dispatch instead of computed jumps.
Read MoreMaintained by Sigvex TeamReviewed
Sigvex exploit generator that validates arbitrary storage write vulnerabilities by simulating user-controlled SSTORE operations targeting critical storage slots including the owner address.
Read MoreMaintained by Sigvex TeamReviewed
Stop user-controlled storage slots by writing only through mappings and arrays under access control.
Read MoreMaintained by Sigvex TeamReviewed
How to eliminate arbitrary storage write vulnerabilities by removing user-controlled assembly SSTORE operations, using Solidity mappings, and enforcing slot allowlists for unavoidable inline assembly.
Read MoreMaintained by Sigvex TeamReviewed
Exploit generator that validates unchecked arithmetic vulnerabilities in Solana programs where integer overflow or underflow in token balance calculations allows fund theft or state corruption.
Read MoreMaintained by Sigvex TeamReviewed
How to prevent integer overflow and underflow in Solana programs by replacing unchecked arithmetic with checked methods and safe intermediate widening.
Read MoreMaintained by Sigvex TeamReviewed
Remove storage array elements with swap-and-pop so no zero-value gap is left behind for later iterations.
Read MoreMaintained by Sigvex TeamReviewed
Require parallel array parameters to have equal lengths before iterating over them together.
Read MoreMaintained by Sigvex TeamReviewed
Make inline assembly memory-safe, bound returndata copies, and add overflow guards that Solidity would otherwise provide.
Read MoreMaintained by Sigvex TeamReviewed
Validate external inputs with require() and reserve assert() for invariants that should never be false.
Read MoreMaintained by Sigvex TeamReviewed
How to fix unbounded Borsh length prefix DoS vulnerabilities.
Read MoreMaintained by Sigvex TeamReviewed
Sigvex exploit generator that validates cross-chain bridge vulnerabilities including message replay, cross-chain replay, and Nomad-style uninitialized state exploitation.
Read MoreMaintained by Sigvex TeamReviewed
How to secure cross-chain bridge message processing by implementing nonce-based replay protection, chain ID binding, explicit state initialization, and validator threshold requirements.
Read MoreMaintained by Sigvex TeamReviewed
How to fix user-controlled bump seeds in PDA derivation.
Read MoreMaintained by Sigvex TeamReviewed
How to ensure PDA derivation uses the canonical bump seed from find_program_address rather than create_program_address with an attacker-supplied bump.
Read MoreMaintained by Sigvex TeamReviewed
How to add caller and input validation to external, state-mutating Cairo functions so they no longer trust arbitrary caller-supplied data.
Read MoreMaintained by Sigvex TeamReviewed
Sigvex exploit generator that validates centralization risk findings by classifying the specific privilege type and documenting the trust assumptions and attack scenarios enabled by single-owner control.
Read MoreMaintained by Sigvex TeamReviewed
How to reduce centralization risk through timelocks, multi-signature wallets, on-chain governance, and hard-coded parameter caps that protect users from compromised or malicious admins.
Read MoreMaintained by Sigvex TeamReviewed
How to prevent spoofed Clock sysvar accounts from manipulating time-dependent program logic.
Read MoreMaintained by Sigvex TeamReviewed
How to fix Clock sysvar usage in financial logic to prevent post-halt exploitation.
Read MoreMaintained by Sigvex TeamReviewed
Sigvex exploit generator that validates close account drain vulnerabilities in Solana programs where accounts are improperly closed, allowing an attacker to steal the rent lamports or reuse the account after closure.
Read MoreMaintained by Sigvex TeamReviewed
How to safely close Solana accounts by zeroing data, verifying authority, and using the account-validation framework's close constraint to prevent rent lamport theft.
Read MoreMaintained by Sigvex TeamReviewed
How to fix compressed NFT Merkle proof and authority vulnerabilities.
Read MoreMaintained by Sigvex TeamReviewed
How to make compute costs predictable by bounding loops, batching with cursors, and checking remaining compute units before expensive operations.
Read MoreMaintained by Sigvex TeamReviewed
How to fix hardcoded compute budget assumptions.
Read MoreMaintained by Sigvex TeamReviewed
How to fix compute unit budget exhaustion issues.
Read MoreMaintained by Sigvex TeamReviewed
How to fix ownership checks that can be bypassed through conditional logic.
Read MoreMaintained by Sigvex TeamReviewed
How to prevent path-dependent storage slot collisions between a proxy and its implementation by anchoring administrative state in standard EIP-1967 slots.
Read MoreMaintained by Sigvex TeamReviewed
How to ensure security validations execute unconditionally on all paths to critical operations.
Read MoreMaintained by Sigvex TeamReviewed
How to fix constraints that exceed the R1CS quadratic degree limit by decomposing into intermediate signals.
Read MoreMaintained by Sigvex TeamReviewed
How to fix CPI calls with unvalidated account lists.
Read MoreMaintained by Sigvex TeamReviewed
How to prevent privileged accounts from being delegated to unvalidated programs via cross-program invocations.
Read MoreMaintained by Sigvex TeamReviewed
How to fix circular CPI patterns that cause infinite loops or depth limit failures.
Read MoreMaintained by Sigvex TeamReviewed
How to fix CPI calls with unvalidated instruction data from untrusted sources.
Read MoreMaintained by Sigvex TeamReviewed
How to fix CPI calls inside loops that can exhaust compute budget.
Read MoreMaintained by Sigvex TeamReviewed
Sigvex exploit generator that validates Cross-Program Invocation (CPI) reentrancy vulnerabilities in Solana programs by simulating a malicious program that re-enters the victim program during a CPI callback before state is updated.
Read MoreMaintained by Sigvex TeamReviewed
How to prevent Cross-Program Invocation reentrancy by applying the check-effects-interactions pattern and using CPI guards in Solana programs.
Read MoreMaintained by Sigvex TeamReviewed
How to prevent forged CPI return data from influencing critical program operations.
Read MoreMaintained by Sigvex TeamReviewed
How to fix unsafe signer propagation in nested CPI calls.
Read MoreMaintained by Sigvex TeamReviewed
How to prevent false signer claims in cross-program invocations by validating signer status before CPI calls.
Read MoreMaintained by Sigvex TeamReviewed
How to fix missing validation of critical system program IDs before CPI.
Read MoreMaintained by Sigvex TeamReviewed
How to fix integer truncation in lamport transfers, account storage, and access control.
Read MoreMaintained by Sigvex TeamReviewed
How to fix missing relationship validation between related accounts.
Read MoreMaintained by Sigvex TeamReviewed
Sigvex exploit generator that validates cross-chain bridge balance inconsistency vulnerabilities including replay attacks, non-atomic operations, weak proof verification, and finality exploits that allow token supply inflation on the destination chain.
Read MoreMaintained by Sigvex TeamReviewed
How to eliminate cross-chain bridge balance vulnerabilities by implementing proof deduplication, deep finality requirements, Merkle proof verification, and the lock-and-mint pattern.
Read MoreMaintained by Sigvex TeamReviewed
Sigvex exploit generator that validates cross-chain oracle inconsistency vulnerabilities including L2 sequencer downtime, oracle price lag between chains, and missing the off-chain aggregator sequencer uptime feed checks.
Read MoreMaintained by Sigvex TeamReviewed
How to eliminate cross-chain oracle vulnerabilities by adding L2 sequencer uptime checks, grace period enforcement, and cross-source price deviation validation before reading any off-chain aggregated price feed on L2 networks.
Read MoreMaintained by Sigvex TeamReviewed
How to fix cross-account state consistency issues.
Read MoreMaintained by Sigvex TeamReviewed
Sigvex exploit generator that validates cross-function reentrancy vulnerabilities where shared state is inconsistent across multiple functions during an external call.
Read MoreMaintained by Sigvex TeamReviewed
How to prevent cross-function reentrancy by applying the Checks-Effects-Interactions pattern and reentrancy guards to all functions sharing the same state.
Read MoreMaintained by Sigvex TeamReviewed
How to fix cross-instruction state desynchronization.
Read MoreMaintained by Sigvex TeamReviewed
How to prevent account re-initialization through cross-program sequences by re-validating discriminators, owners, and version fields after every CPI.
Read MoreMaintained by Sigvex TeamReviewed
How to fix stale account state after cross-program invocations by reloading accounts and re-checking invariants before use.
Read MoreMaintained by Sigvex TeamReviewed
How to fix broken constraint chains between template instances by using constrained wiring.
Read MoreMaintained by Sigvex TeamReviewed
Sigvex exploit generator that validates default visibility vulnerabilities in Solidity contracts where missing visibility modifiers default to public, exposing sensitive initialization and admin functions.
Read MoreMaintained by Sigvex TeamReviewed
How to eliminate default visibility vulnerabilities by always specifying explicit visibility modifiers on all functions and state variables, and upgrading to Solidity 0.5.0+ which enforces this at compile time.
Read MoreMaintained by Sigvex TeamReviewed
How to prevent DeFi reentrancy by following the checks-effects-interactions pattern in vault, lending, and staking operations.
Read MoreMaintained by Sigvex TeamReviewed
Sigvex exploit generator that validates unvalidated delegatecall targets by passing attacker-controlled contract addresses and checking for storage slot mutations.
Read MoreMaintained by Sigvex TeamReviewed
How to safely use delegatecall in proxy patterns by validating the target address and using EIP-1967 storage slots to prevent storage collisions.
Read MoreMaintained by Sigvex TeamReviewed
Sigvex exploit generator that validates DoS vulnerabilities by simulating unbounded loop execution and external call blocking scenarios to confirm contracts can be permanently disabled.
Read MoreMaintained by Sigvex TeamReviewed
How to eliminate denial-of-service vulnerabilities by replacing push-based ETH distribution with pull withdrawal patterns and adding maximum batch sizes and pagination to prevent unbounded loop gas exhaustion.
Read MoreMaintained by Sigvex TeamReviewed
How to prevent DoS vulnerabilities in Solidity by replacing push-payment patterns with pull payments and bounding loop iterations.
Read MoreMaintained by Sigvex TeamReviewed
Sigvex exploit generator that validates unsafe deserialization vulnerabilities in Solana programs where crafted account data causes incorrect state interpretation, type confusion, or panic in the deserialization layer.
Read MoreMaintained by Sigvex TeamReviewed
How to safely deserialize Solana account data by validating discriminators, checking program ownership, and using the account-validation framework's typed account system.
Read MoreMaintained by Sigvex TeamReviewed
How to fix endianness mismatches in data deserialization.
Read MoreMaintained by Sigvex TeamReviewed
How to prevent storage slot collisions between facets in an EIP-2535 diamond by giving each facet its own namespaced storage struct.
Read MoreMaintained by Sigvex TeamReviewed
How to fix division operations where the divisor may be zero, preventing panics and DoS.
Read MoreMaintained by Sigvex TeamReviewed
How to prevent division-by-zero risks in ZK circuits by adding non-zero constraints on divisor signals.
Read MoreMaintained by Sigvex TeamReviewed
How to fix denial-of-service via compute unit exhaustion.
Read MoreMaintained by Sigvex TeamReviewed
How to prevent duplicate mutable account aliasing in Solana programs by adding key equality constraints and explicit address comparisons.
Read MoreMaintained by Sigvex TeamReviewed
How to fix missing validation when interacting with durable nonce accounts.
Read MoreMaintained by Sigvex TeamReviewed
How to fix Ed25519 signature verification to prevent malleability attacks.
Read MoreMaintained by Sigvex TeamReviewed
How to fix missing or vulnerable emergency pause mechanisms in Solana programs.
Read MoreMaintained by Sigvex TeamReviewed
How to stop a low-level call to a codeless address from silently succeeding, so a contract never records an interaction that never happened.
Read MoreMaintained by Sigvex TeamReviewed
Validate batch array lengths, invoke receiver callbacks, and declare ERC-165 support to make multi-token contracts standard-compliant.
Read MoreMaintained by Sigvex TeamReviewed
Implement safe transfer callbacks, correct events, and ERC-165 support to make NFT contracts standard-compliant.
Read MoreMaintained by Sigvex TeamReviewed
Sigvex exploit generator that validates ERC20 standard violations by simulating non-standard token behaviors including missing return values, fee-on-transfer tokens, and rebase tokens.
Read MoreMaintained by Sigvex TeamReviewed
How to eliminate ERC20 integration vulnerabilities by using SafeERC20 for all token operations, measuring actual received amounts for fee-on-transfer tokens, and handling non-standard token behaviors such as missing return values and rebase mechanics.
Read MoreMaintained by Sigvex TeamReviewed
Track deposits with internal accounting instead of relying on address(this).balance, which can be inflated by forced ETH.
Read MoreMaintained by Sigvex TeamReviewed
Sigvex coverage-guided EVM fuzzing framework with ABI-aware input generation, property-based invariant checking, symbolic execution, multi-contract execution, and transaction sequence fuzzing.
Read MoreMaintained by Sigvex TeamReviewed
Why code-size checks do not reliably distinguish EOAs from contracts, and what to do instead when a function must be restricted to externally owned accounts.
Read MoreMaintained by Sigvex TeamReviewed
Measure the actual received balance after transferFrom instead of trusting the requested amount.
Read MoreMaintained by Sigvex TeamReviewed
How to fix circular signal dependencies that create unsatisfiable or ambiguous constraint systems.
Read MoreMaintained by Sigvex TeamReviewed
How to prevent field overflow in ZK circuit arithmetic by adding range constraints on signals before operations.
Read MoreMaintained by Sigvex TeamReviewed
How to prevent field wrap-around in subtractions by proving operand ordering and range-constraining the result.
Read MoreMaintained by Sigvex TeamReviewed
How to eliminate flash loan attack surfaces by replacing manipulable spot prices with time-weighted average prices and adding sanity bounds on price inputs.
Read MoreMaintained by Sigvex TeamReviewed
Sigvex exploit generator that validates flash loan vulnerabilities by comparing contract execution under normal vs. temporarily-inflated balance conditions.
Read MoreMaintained by Sigvex TeamReviewed
How to enforce flash loan repayment validation to prevent borrowers from defaulting on loans.
Read MoreMaintained by Sigvex TeamReviewed
Pin the Solidity compiler version so deployed bytecode matches what was reviewed.
Read MoreMaintained by Sigvex TeamReviewed
Sigvex exploit generator that validates transaction ordering vulnerabilities by simulating how different gas prices and transaction sequences affect contract outcomes.
Read MoreMaintained by Sigvex TeamReviewed
How to reduce front-running exposure through commit-reveal schemes, slippage protection, and transaction batching.
Read MoreMaintained by Sigvex TeamReviewed
How to fix missing frozen state checks before token operations.
Read MoreMaintained by Sigvex TeamReviewed
Use a transparent proxy pattern or rename functions so admin and implementation selectors never collide.
Read MoreMaintained by Sigvex TeamReviewed
Reserve a gas minimum, forward a bounded amount, and require inner call success so callers cannot starve nested calls.
Read MoreMaintained by Sigvex TeamReviewed
Cache repeated storage reads, pack adjacent variables, and use calldata to cut gas without changing semantics.
Read MoreMaintained by Sigvex TeamReviewed
How to fix initialization frontrunning vulnerabilities.
Read MoreMaintained by Sigvex TeamReviewed
Sigvex exploit generator that validates DAO governance vulnerabilities by simulating flash loan vote acquisition, insufficient quorum scenarios, and timelock bypass.
Read MoreMaintained by Sigvex TeamReviewed
How to protect DAO governance systems against flash loan vote acquisition, low quorum exploitation, and timelock bypass using voting snapshots, mandatory delays, and flash loan-resistant token designs.
Read MoreMaintained by Sigvex TeamReviewed
Forward available gas with call instead of relying on fixed stipends that break across hard forks and L2s.
Read MoreMaintained by Sigvex TeamReviewed
How to fix hardcoded system program addresses by using named constants.
Read MoreMaintained by Sigvex TeamReviewed
How to fix hardcoded sysvar addresses by using proper derivation functions.
Read MoreMaintained by Sigvex TeamReviewed
Use abi.encode instead of abi.encodePacked when hashing multiple dynamic arguments to prevent collisions.
Read MoreMaintained by Sigvex TeamReviewed
How to fix hash collision vulnerabilities caused by truncation, weak algorithms, or small inputs.
Read MoreMaintained by Sigvex TeamReviewed
How to fix implicit instruction ordering dependencies not enforced on all control flow paths.
Read MoreMaintained by Sigvex TeamReviewed
How to fix silently ignored errors and improper error propagation.
Read MoreMaintained by Sigvex TeamReviewed
Choose the boundary-correct comparison operator so checks behave correctly at edge values.
Read MoreMaintained by Sigvex TeamReviewed
How to ensure initialization code runs once at deployment and cannot be re-invoked, using the constructor keyword or a guarded initializer.
Read MoreMaintained by Sigvex TeamReviewed
Replace the XOR operator with exponentiation or scientific notation in scaling calculations.
Read MoreMaintained by Sigvex TeamReviewed
Order base contracts from most general to most derived so C3 linearization resolves overrides as intended.
Read MoreMaintained by Sigvex TeamReviewed
How to properly validate user-supplied inputs in smart contracts to prevent arbitrary fund routing, unbounded operations, and zero-address vulnerabilities.
Read MoreMaintained by Sigvex TeamReviewed
How to fix missing instruction data length validation before unpacking.
Read MoreMaintained by Sigvex TeamReviewed
How to fix unsafe instruction data parsing patterns that may cause panics or errors.
Read MoreMaintained by Sigvex TeamReviewed
How to fix unsafe fallback logic for unrecognized instruction discriminators.
Read MoreMaintained by Sigvex TeamReviewed
How to fix hardcoded instruction index comparisons that can be bypassed.
Read MoreMaintained by Sigvex TeamReviewed
How to fix unsafe instruction introspection with missing bounds or length validation.
Read MoreMaintained by Sigvex TeamReviewed
How to fix missing authority validation for transaction senders in privileged operations.
Read MoreMaintained by Sigvex TeamReviewed
How to fix incorrect ordering of validation checks and sensitive operations.
Read MoreMaintained by Sigvex TeamReviewed
How to fix account data access without sufficient length validation.
Read MoreMaintained by Sigvex TeamReviewed
How to fix missing lamport balance validation before transfers.
Read MoreMaintained by Sigvex TeamReviewed
Sigvex exploit generator that validates unchecked arithmetic vulnerabilities by supplying maximum uint256 values and checking whether the execution reverts.
Read MoreMaintained by Sigvex TeamReviewed
How to eliminate integer overflow and underflow vulnerabilities in Solidity by using Solidity 0.8+ checked arithmetic and safe unchecked block practices.
Read MoreMaintained by Sigvex TeamReviewed
How to prevent integer overflow and underflow in Solana programs by using checked arithmetic methods and the account-validation framework checked_math! macro.
Read MoreMaintained by Sigvex TeamReviewed
How to fix unsafe integer type casts that truncate data.
Read MoreMaintained by Sigvex TeamReviewed
How to fix lamport conservation violations in Solana programs.
Read MoreMaintained by Sigvex TeamReviewed
Sigvex exploit generator that validates lamport drain vulnerabilities in Solana programs by simulating an attack that drains all lamports from an account the program fails to adequately protect, with impact reported as potential SOL loss.
Read MoreMaintained by Sigvex TeamReviewed
How to prevent unauthorized SOL transfers by validating signer authorization and stored authority before any lamport modification.
Read MoreMaintained by Sigvex TeamReviewed
How to fix lamport dust exploitation vulnerabilities.
Read MoreMaintained by Sigvex TeamReviewed
How to fix confusion between native SOL and SPL token operations.
Read MoreMaintained by Sigvex TeamReviewed
How to fix lamport transfers that may exceed available balance or violate rent-exempt minimums.
Read MoreMaintained by Sigvex TeamReviewed
How to fix liquidity pool manipulation vulnerabilities.
Read MoreMaintained by Sigvex TeamReviewed
Add an access-controlled withdrawal path to contracts that accept ETH, or remove payability the contract does not need.
Read MoreMaintained by Sigvex TeamReviewed
How to fix unsafe metadata authority transfers in Solana programs.
Read MoreMaintained by Sigvex TeamReviewed
How to fix MEV and transaction ordering vulnerabilities in Solana programs.
Read MoreMaintained by Sigvex TeamReviewed
How to validate mint authority before token minting operations to prevent unauthorized supply inflation.
Read MoreMaintained by Sigvex TeamReviewed
How to fix missing empty account validation before initialization.
Read MoreMaintained by Sigvex TeamReviewed
How to add proper account ownership validation in Solana programs to prevent unauthorized access via accounts owned by other programs.
Read MoreMaintained by Sigvex TeamReviewed
How to fix missing range constraints on signals used in size-sensitive operations.
Read MoreMaintained by Sigvex TeamReviewed
Sigvex exploit generator that validates missing rent-exempt check vulnerabilities in Solana programs where accounts with insufficient lamport balances may be garbage-collected by the runtime, causing unexpected program failures.
Read MoreMaintained by Sigvex TeamReviewed
How to verify rent exemption when creating or modifying Solana accounts to prevent garbage collection of program-owned accounts.
Read MoreMaintained by Sigvex TeamReviewed
Sigvex exploit generator that validates missing signer check vulnerabilities in Solana programs by simulating instruction execution without required signatures, confirming unauthorized access to protected program logic.
Read MoreMaintained by Sigvex TeamReviewed
How to add proper signer verification before privileged operations in Solana programs using both native and Anchor approaches.
Read MoreMaintained by Sigvex TeamReviewed
How to add is_writable validation before account modifications in Solana native programs and use the account-validation framework's #[account(mut)] constraint.
Read MoreMaintained by Sigvex TeamReviewed
How to secure multi-hop CPI chains by validating program IDs at every hop, re-validating state between calls, and staying clear of the invocation depth limit.
Read MoreMaintained by Sigvex TeamReviewed
How to fix multi-signature validation weaknesses including thresholds, replay protection, and signer verification.
Read MoreMaintained by Sigvex TeamReviewed
How to fix missing discriminator validation in native Solana programs.
Read MoreMaintained by Sigvex TeamReviewed
How to fix missing authority validation for native program CPIs.
Read MoreMaintained by Sigvex TeamReviewed
How to fix missing NFT creator signature verification.
Read MoreMaintained by Sigvex TeamReviewed
How to fix NFT metadata validation issues.
Read MoreMaintained by Sigvex TeamReviewed
How to fix NFT royalty enforcement bypass patterns.
Read MoreMaintained by Sigvex TeamReviewed
How to fix Noir-specific vulnerabilities including unconstrained function misuse, oracle manipulation, and Brillig escapes.
Read MoreMaintained by Sigvex TeamReviewed
How to fix missing instruction discrimination in non-an account-validation framework programs.
Read MoreMaintained by Sigvex TeamReviewed
How to replace if/else logic in unconstrained assignments with constrained multiplexer selection so the proof enforces the branch choice.
Read MoreMaintained by Sigvex TeamReviewed
How to fix ternary operators in unconstrained assignments where the prover controls which branch executes.
Read MoreMaintained by Sigvex TeamReviewed
How to constrain nondeterministic operations in ZK witness generation to prevent prover manipulation.
Read MoreMaintained by Sigvex TeamReviewed
How to fix stale oracle price data usage.
Read MoreMaintained by Sigvex TeamReviewed
Sigvex exploit generator that validates oracle failure vulnerabilities by testing contract behavior when price feeds return zero, extreme, or unavailable values.
Read MoreMaintained by Sigvex TeamReviewed
How to harden contracts against oracle failure modes — zero prices, extreme values, and feed unavailability — using input validation, bounds checking, fallback oracles, and circuit breakers.
Read MoreMaintained by Sigvex TeamReviewed
Sigvex exploit generator that validates spot-price oracle manipulation by comparing contract execution under normal vs. artificially imbalanced DEX reserve configurations.
Read MoreMaintained by Sigvex TeamReviewed
How to eliminate oracle manipulation vulnerabilities by replacing spot prices with time-weighted averages and using decentralized oracle networks.
Read MoreMaintained by Sigvex TeamReviewed
How to defend Solana DeFi programs against oracle price manipulation through account ownership verification, staleness checks, confidence interval validation, and multi-oracle aggregation.
Read MoreMaintained by Sigvex TeamReviewed
Upgrade to a current pinned Solidity release and verify your build settings do not trigger known compiler advisories.
Read MoreMaintained by Sigvex TeamReviewed
How to fix reuse of bump seeds across multiple PDA derivations.
Read MoreMaintained by Sigvex TeamReviewed
Sigvex exploit generator that validates PDA (Program Derived Address) manipulation vulnerabilities in Solana programs by simulating an attack that passes a fake PDA to bypass program authority validation.
Read MoreMaintained by Sigvex TeamReviewed
How to prevent PDA substitution attacks by using canonical bumps, storing bump seeds, and verifying PDA derivation with the account-validation framework's seeds constraint.
Read MoreMaintained by Sigvex TeamReviewed
How to fix PDA usage without ownership validation.
Read MoreMaintained by Sigvex TeamReviewed
How to fix PDA derivations lacking program-specific namespace seeds.
Read MoreMaintained by Sigvex TeamReviewed
How to prevent PDA seed collisions that allow distinct logical accounts to resolve to the same address.
Read MoreMaintained by Sigvex TeamReviewed
How to fix incorrect PDA seed derivation patterns.
Read MoreMaintained by Sigvex TeamReviewed
How to protect PDA signer seeds from extraction by using domain separation and program-controlled seed components.
Read MoreMaintained by Sigvex TeamReviewed
How to fix weak PDA seed patterns that could collide with system addresses.
Read MoreMaintained by Sigvex TeamReviewed
How to fix unvalidated user-controlled input in PDA seeds.
Read MoreMaintained by Sigvex TeamReviewed
How to fix missing PDA address validation that allows attackers to substitute attacker-controlled accounts.
Read MoreMaintained by Sigvex TeamReviewed
How to eliminate precision loss in Solidity financial calculations by reordering operations, using scaling factors, and applying explicit rounding direction.
Read MoreMaintained by Sigvex TeamReviewed
How to fix precision loss and rounding errors in DeFi calculations.
Read MoreMaintained by Sigvex TeamReviewed
Sigvex exploit generator that validates price deviation vulnerabilities by submitting extreme price updates (10x increase, 90% crash) and confirming whether the contract accepts them without bounds checking.
Read MoreMaintained by Sigvex TeamReviewed
How to protect protocols from extreme price movements and flash loan manipulation using deviation bounds, TWAP comparison, circuit breakers, and absolute price range constraints.
Read MoreMaintained by Sigvex TeamReviewed
How to fix missing price impact validation in large swaps.
Read MoreMaintained by Sigvex TeamReviewed
How to fix unchecked private inputs in Noir by adding assertions that constrain witness values.
Read MoreMaintained by Sigvex TeamReviewed
How to fix program interface compliance issues.
Read MoreMaintained by Sigvex TeamReviewed
How to fix security risks in upgradeable Solana programs.
Read MoreMaintained by Sigvex TeamReviewed
How to fix prover-controlled loop bounds by using constants, template parameters, or constrained signals.
Read MoreMaintained by Sigvex TeamReviewed
How to fix constraint expressions with multiple multiplications that do not decompose cleanly into R1CS form.
Read MoreMaintained by Sigvex TeamReviewed
Sigvex exploit generator that validates read-only reentrancy vulnerabilities where view functions return stale state during an external call, misleading dependent protocols.
Read MoreMaintained by Sigvex TeamReviewed
How to prevent read-only reentrancy attacks where stale state is observed mid-CPI.
Read MoreMaintained by Sigvex TeamReviewed
How to fix readonly account mutation logic errors.
Read MoreMaintained by Sigvex TeamReviewed
How to fix readonly account write bypass via CPI.
Read MoreMaintained by Sigvex TeamReviewed
How to fix readonly account misuse vulnerabilities.
Read MoreMaintained by Sigvex TeamReviewed
Sigvex exploit generator that validates reentrancy vulnerabilities by simulating recursive drain attacks against withdraw-pattern functions.
Read MoreMaintained by Sigvex TeamReviewed
How to eliminate reentrancy vulnerabilities by applying the Checks-Effects-Interactions pattern and using reentrancy guards.
Read MoreMaintained by Sigvex TeamReviewed
How to prevent account role confusion by explicitly validating that accounts in distinct roles have distinct addresses.
Read MoreMaintained by Sigvex TeamReviewed
How to prevent external calls to user-controlled addresses by validating targets against whitelists.
Read MoreMaintained by Sigvex TeamReviewed
How to ensure multi-step state updates maintain invariant consistency using intermediate checks, reentrancy guards, and explicit state machine patterns.
Read MoreMaintained by Sigvex TeamReviewed
How to ensure that delegated PDA signing authority is verified at each hop in a multi-step CPI chain, preventing intermediate programs from abusing implicitly inherited authority.
Read MoreMaintained by Sigvex TeamReviewed
How to protect cross-chain bridge implementations against missing message verification, replay attacks, unauthorized relay, and protocol-specific a cross-chain messaging protocol, Axelar, and Hyperlane integration errors.
Read MoreMaintained by Sigvex TeamReviewed
How to identify and fix business logic errors by enforcing protocol invariants, correctly ordering state updates, and validating edge cases.
Read MoreMaintained by Sigvex TeamReviewed
How to fix state mutations after external calls by applying the Checks-Effects-Interactions pattern and reentrancy guards.
Read MoreMaintained by Sigvex TeamReviewed
How to move state initialization from constructors to initializer functions in proxy-based upgradeable contracts.
Read MoreMaintained by Sigvex TeamReviewed
How to ensure Cross-Program Invocations target the intended program by validating program account keys before invocation.
Read MoreMaintained by Sigvex TeamReviewed
How to normalize token decimal precision before arithmetic to prevent over/under-payment vulnerabilities.
Read MoreMaintained by Sigvex TeamReviewed
How to prevent denial of service from unchecked external calls in loops using error handling, pull patterns, and try/catch.
Read MoreMaintained by Sigvex TeamReviewed
How to protect DAO governance mechanisms against flash loan voting, timelock bypass, quorum manipulation, and treasury drain attacks.
Read MoreMaintained by Sigvex TeamReviewed
How to enforce immutability of constructor-set variables using the immutable keyword and initialization guards.
Read MoreMaintained by Sigvex TeamReviewed
How to prevent reentrancy in proxy initializer functions by using OpenZeppelin's Initializable modifier and setting the initialization flag before external calls.
Read MoreMaintained by Sigvex TeamReviewed
How to validate user-controlled instruction data and account fields in Solana programs.
Read MoreMaintained by Sigvex TeamReviewed
How to prevent second preimage attacks and proof malleability by using double-hashed leaves and audited Merkle proof libraries.
Read MoreMaintained by Sigvex TeamReviewed
How to prevent DoS via block gas limit exhaustion by adding maximum iteration limits, pagination, and pull-over-push patterns.
Read MoreMaintained by Sigvex TeamReviewed
How to prevent out-of-gas denial of service by bounding memory allocation size in functions that process untrusted input.
Read MoreMaintained by Sigvex TeamReviewed
How to prevent code replacement attacks by removing SELFDESTRUCT from CREATE2-deployed contracts and using standard proxy patterns.
Read MoreMaintained by Sigvex TeamReviewed
How to fix off-by-one errors in loop boundaries by using correct comparison operators and avoiding length-1 patterns.
Read MoreMaintained by Sigvex TeamReviewed
How to prevent read-only reentrancy by ensuring state is consistent before external calls and protecting price-reading functions from mid-execution observations.
Read MoreMaintained by Sigvex TeamReviewed
How to safely use ctx.remaining_accounts by validating account ownership, type discriminators, and writability before any privileged operations.
Read MoreMaintained by Sigvex TeamReviewed
How to protect staking and yield farming contracts against flash loan pool manipulation, timestamp gaming, and division-before-multiplication precision loss.
Read MoreMaintained by Sigvex TeamReviewed
How to validate off-chain aggregated oracle data freshness by checking the updatedAt timestamp, answer validity, and round completeness before consuming price data.
Read MoreMaintained by Sigvex TeamReviewed
How to prevent reentrancy through ERC-777, ERC-1155, and ERC-4626 callback hooks using the CEI pattern and reentrancy guards.
Read MoreMaintained by Sigvex TeamReviewed
How to protect UUPS proxy implementations from front-running attacks by disabling initializers on the implementation contract.
Read MoreMaintained by Sigvex TeamReviewed
How to protect ERC-4626 vaults from first-depositor share price inflation attacks using virtual shares, dead share seeding, or minimum deposit requirements.
Read MoreMaintained by Sigvex TeamReviewed
How to keep accounts rent-exempt through withdrawals and reallocations by computing minimum balances dynamically and enforcing them on every lamport movement.
Read MoreMaintained by Sigvex TeamReviewed
How to fix improper rent epoch validation.
Read MoreMaintained by Sigvex TeamReviewed
How to fix cached rent-exempt minimum balances.
Read MoreMaintained by Sigvex TeamReviewed
How to fix account data writes that occur before rent-exempt funding.
Read MoreMaintained by Sigvex TeamReviewed
How to fix account reallocations without rent-exemption adjustments.
Read MoreMaintained by Sigvex TeamReviewed
How to fix rent exemption requirement violations.
Read MoreMaintained by Sigvex TeamReviewed
How to fix partial lamport withdrawals without rent-exemption checks.
Read MoreMaintained by Sigvex TeamReviewed
Sigvex exploit generator that validates requirement violation findings by classifying the specific check failure — incorrect comparison, missing validation, assert misuse, or arithmetic overflow — and documenting the exploit path.
Read MoreMaintained by Sigvex TeamReviewed
How to eliminate requirement violation vulnerabilities by correcting comparison operators, adding missing input validation guards, replacing assert with require for user-facing checks, and upgrading to Solidity 0.8.0 for built-in overflow protection.
Read MoreMaintained by Sigvex TeamReviewed
How to fix missing role checks, privilege escalation risks, and hardcoded role permissions.
Read MoreMaintained by Sigvex TeamReviewed
Query and enforce ERC-2981 royalty payments inside marketplace sale logic so creator revenue cannot be circumvented.
Read MoreMaintained by Sigvex TeamReviewed
Reject bidirectional Unicode control characters in source and CI so code cannot be visually disguised as benign.
Read MoreMaintained by Sigvex TeamReviewed
Enforce minimum-output and deadline checks on swap functions so MEV searchers cannot extract value by bracketing trades.
Read MoreMaintained by Sigvex TeamReviewed
How to fix missing signer validation on identity-checked accounts.
Read MoreMaintained by Sigvex TeamReviewed
How to fix Secp256k1 signature malleability vulnerabilities.
Read MoreMaintained by Sigvex TeamReviewed
How to eliminate selfdestruct vulnerabilities by replacing balance-dependent invariants with internal accounting, protecting library contracts from direct initialisation, and avoiding the SELFDESTRUCT opcode entirely.
Read MoreMaintained by Sigvex TeamReviewed
Sigvex exploit generator that validates selfdestruct vulnerabilities including unprotected self-destruction, library-based destruction (Parity-style), and forced ETH reception.
Read MoreMaintained by Sigvex TeamReviewed
How to fix race conditions from shared mutable account access.
Read MoreMaintained by Sigvex TeamReviewed
Validate calldata length on token transfers so truncated addresses cannot left-shift the amount parameter.
Read MoreMaintained by Sigvex TeamReviewed
Validate the sign of a value before casting between signed and unsigned integer types so negative values cannot become huge positives.
Read MoreMaintained by Sigvex TeamReviewed
How to fix redundant equality constraints that create aliases without adding security.
Read MoreMaintained by Sigvex TeamReviewed
How to fix unconstrained signals used as array indices by using constrained multiplexer circuits.
Read MoreMaintained by Sigvex TeamReviewed
How to fix self-referential signal mutations in loops by using signal arrays with per-step constraints.
Read MoreMaintained by Sigvex TeamReviewed
How to fix signals assigned multiple times by using distinct signals or arrays for each computed value.
Read MoreMaintained by Sigvex TeamReviewed
Sigvex exploit generator that validates ECDSA signature malleability vulnerabilities by computing the alternative valid s value and confirming that both signatures recover to the same address.
Read MoreMaintained by Sigvex TeamReviewed
How to prevent ECDSA signature malleability attacks by enforcing EIP-2 low-s values and tracking message hashes as nonces instead of signature hashes.
Read MoreMaintained by Sigvex TeamReviewed
Sigvex exploit generator that validates missing replay protection in meta-transaction and permit functions by testing same-chain, cross-chain, and cross-contract replay scenarios.
Read MoreMaintained by Sigvex TeamReviewed
How to prevent signature replay attacks by binding signed messages to a nonce, deadline, chain ID, and contract address using EIP-712.
Read MoreMaintained by Sigvex TeamReviewed
How to prevent signature replay in Solana programs by including a nonce and deadline in the signed message and incrementing the nonce after each successful verification.
Read MoreMaintained by Sigvex TeamReviewed
Verify ECDSA signatures with EIP-712 typed data, a domain separator, nonce, and a strict signer check to prevent forgery and replay.
Read MoreMaintained by Sigvex TeamReviewed
How to fix privileged operations that check signer status but not authority role.
Read MoreMaintained by Sigvex TeamReviewed
Sigvex exploit generator that validates single oracle dependency vulnerabilities by simulating primary oracle failure with no fallback, confirming protocols that halt or misbehave when the sole price source goes offline.
Read MoreMaintained by Sigvex TeamReviewed
How to eliminate single oracle dependency by implementing multi-source price architectures, cross-validation, and circuit breakers that keep protocols functioning when any individual feed fails.
Read MoreMaintained by Sigvex TeamReviewed
How to fix missing slippage protection in token swaps.
Read MoreMaintained by Sigvex TeamReviewed
How to add slippage protection to DEX swap operations by exposing minimum output parameters and bounded deadlines to callers.
Read MoreMaintained by Sigvex TeamReviewed
How to protect governance implementations from flash governance, quorum bypass, and timelock circumvention.
Read MoreMaintained by Sigvex TeamReviewed
How to fix unsafe account close operations in Solana programs.
Read MoreMaintained by Sigvex TeamReviewed
How to fix missing validation in SPL token operations.
Read MoreMaintained by Sigvex TeamReviewed
How to fix improper Associated Token Account validation.
Read MoreMaintained by Sigvex TeamReviewed
How to fix authority confusion between owner, delegate, close, mint, and freeze authorities.
Read MoreMaintained by Sigvex TeamReviewed
How to fix missing close_authority validation when closing token accounts.
Read MoreMaintained by Sigvex TeamReviewed
How to fix SPL Token standard compliance violations.
Read MoreMaintained by Sigvex TeamReviewed
How to fix excessive delegation chain depth in Solana programs.
Read MoreMaintained by Sigvex TeamReviewed
How to fix integer overflow vulnerabilities in token delegation amount calculations.
Read MoreMaintained by Sigvex TeamReviewed
How to fix unsafe token delegation patterns in Solana programs.
Read MoreMaintained by Sigvex TeamReviewed
How to fix unsafe freeze and burn operations in Solana programs.
Read MoreMaintained by Sigvex TeamReviewed
How to fix metadata validation issues including PDA checks and URI validation.
Read MoreMaintained by Sigvex TeamReviewed
How to fix mint authority vulnerabilities in Solana token programs.
Read MoreMaintained by Sigvex TeamReviewed
How to fix transfer hook vulnerabilities in Token-2022 programs.
Read MoreMaintained by Sigvex TeamReviewed
How to fix CPI depth limit violations.
Read MoreMaintained by Sigvex TeamReviewed
How to fix stale account data usage after CPI calls.
Read MoreMaintained by Sigvex TeamReviewed
Sigvex exploit generator that validates aggregated oracle staleness vulnerabilities by executing contracts against fresh, stale (24-hour-old), and incomplete-round oracle configurations.
Read MoreMaintained by Sigvex TeamReviewed
How to eliminate stale off-chain price-feed vulnerabilities by validating all latestRoundData return fields, enforcing heartbeat-based freshness thresholds, and adding L2 sequencer uptime checks.
Read MoreMaintained by Sigvex TeamReviewed
How to prevent proxy storage collisions by using EIP-1967 unstructured storage slots for all proxy administrative variables.
Read MoreMaintained by Sigvex TeamReviewed
Sigvex coverage-guided Solana program fuzzing framework with instruction-aware input generation, account state fuzzing, CPI simulation, invariant checking, and crash detection for Solana-specific vulnerability classes.
Read MoreMaintained by Sigvex TeamReviewed
How to fix missing validation in token swap operations.
Read MoreMaintained by Sigvex TeamReviewed
How to prevent sysvar spoofing by validating account keys or using the Sysvar::get() API.
Read MoreMaintained by Sigvex TeamReviewed
How to fix stale sysvar data usage.
Read MoreMaintained by Sigvex TeamReviewed
How to fix unverified sysvar account usage that allows data spoofing.
Read MoreMaintained by Sigvex TeamReviewed
How to fix incorrect template instantiation patterns including parameter mismatches and unconstrained wiring.
Read MoreMaintained by Sigvex TeamReviewed
How to fix missing update authority verification in standard NFT metadata operations.
Read MoreMaintained by Sigvex TeamReviewed
How to fix standard NFT metadata standard violations.
Read MoreMaintained by Sigvex TeamReviewed
How to fix missing timelock delays, timestamp validation issues, and unprotected cancellation.
Read MoreMaintained by Sigvex TeamReviewed
How to eliminate exploitable timestamp dependence by replacing block.timestamp with block numbers, commit-reveal schemes, or off-chain randomness.
Read MoreMaintained by Sigvex TeamReviewed
How to fix dangerous dependencies on block timestamps in security-critical logic.
Read MoreMaintained by Sigvex TeamReviewed
Sigvex exploit generator that validates block.timestamp dependency vulnerabilities by executing contracts at shifted timestamps (±900 seconds) to detect miner-manipulable randomness and time-lock bypasses.
Read MoreMaintained by Sigvex TeamReviewed
How to eliminate block.timestamp dependency vulnerabilities by replacing miner-manipulable timestamp randomness and time-locks with an off-chain verifiable random function service and block-number-based logic.
Read MoreMaintained by Sigvex TeamReviewed
Sigvex exploit generator that validates cross-chain timestamp coordination vulnerabilities including block time variation, clock drift between chains, and race conditions in time-sensitive cross-chain operations.
Read MoreMaintained by Sigvex TeamReviewed
How to eliminate cross-chain timestamp coordination vulnerabilities by replacing exact timestamp matching with nonce-based identifiers and time-window validation that tolerates clock drift and miner manipulation.
Read MoreMaintained by Sigvex TeamReviewed
How to fix missing account ownership validation before CPI calls.
Read MoreMaintained by Sigvex TeamReviewed
How to fix token account spoofing and aliasing vulnerabilities.
Read MoreMaintained by Sigvex TeamReviewed
How to fix token operations that violate balance accounting invariants.
Read MoreMaintained by Sigvex TeamReviewed
How to fix token decimal mismatch vulnerabilities in cross-token operations.
Read MoreMaintained by Sigvex TeamReviewed
How to fix Token-2022 extension security misconfigurations.
Read MoreMaintained by Sigvex TeamReviewed
How to fix token account initialization race conditions.
Read MoreMaintained by Sigvex TeamReviewed
How to fix Token-2022 confidential transfer vulnerabilities.
Read MoreMaintained by Sigvex TeamReviewed
How to handle CPI-Guard-protected Token-2022 accounts so program-initiated transfers do not fail blind or record phantom movements.
Read MoreMaintained by Sigvex TeamReviewed
How to reject or explicitly handle Token-2022 extension combinations whose interaction is undefined, economically exploitable, or privacy-breaking.
Read MoreMaintained by Sigvex TeamReviewed
How to fix Token-2022 extension vulnerabilities.
Read MoreMaintained by Sigvex TeamReviewed
How to protect protocol token accounts from owner reassignment by initializing the Token-2022 Immutable Owner extension and verifying it on deposit.
Read MoreMaintained by Sigvex TeamReviewed
How to validate the Token-2022 permanent delegate before trusting a mint, so an issuer cannot silently seize user balances.
Read MoreMaintained by Sigvex TeamReviewed
How to fix Token-2022 transfer fee accounting issues.
Read MoreMaintained by Sigvex TeamReviewed
How to fix transaction size DoS vulnerabilities.
Read MoreMaintained by Sigvex TeamReviewed
How to fix constraints that are always satisfied regardless of signal values.
Read MoreMaintained by Sigvex TeamReviewed
Sigvex exploit generator that validates tx.origin authentication vulnerabilities by simulating a phishing scenario where an intermediary contract calls the victim with the owner's tx.origin.
Read MoreMaintained by Sigvex TeamReviewed
How to eliminate tx.origin authentication vulnerabilities by replacing all tx.origin identity checks with msg.sender, which correctly identifies the immediate caller and is not vulnerable to phishing via intermediary contracts.
Read MoreMaintained by Sigvex TeamReviewed
How to prevent type cosplay attacks by validating the account discriminator before deserializing account data.
Read MoreMaintained by Sigvex TeamReviewed
Replace accidental assignments with the intended compound operators and add invariant tests that catch overwrite-instead-of-accumulate bugs.
Read MoreMaintained by Sigvex TeamReviewed
How to fix output signals that are declared but never assigned by wiring them to the circuit's computation with constraining assignments.
Read MoreMaintained by Sigvex TeamReviewed
How to fix unchecked arithmetic operations that could silently overflow or underflow.
Read MoreMaintained by Sigvex TeamReviewed
How to safely handle external call return values in Solidity to prevent silent failures from ignored CALL, SEND, and low-level call results.
Read MoreMaintained by Sigvex TeamReviewed
How to fix component instances with disconnected inputs or outputs that do not contribute to circuit security.
Read MoreMaintained by Sigvex TeamReviewed
How to fix CPI calls that ignore return values, preventing silent failures.
Read MoreMaintained by Sigvex TeamReviewed
How to fix unchecked deserialization vulnerabilities.
Read MoreMaintained by Sigvex TeamReviewed
Sigvex exploit generator that validates unsafe ERC20 token operations by simulating standard, USDT-like, and malicious token interactions to detect missing return value checks.
Read MoreMaintained by Sigvex TeamReviewed
How to safely handle ERC20 token transfers by using SafeERC20.safeTransfer, accounting for fee-on-transfer tokens, and avoiding the token approve-transferFrom race condition.
Read MoreMaintained by Sigvex TeamReviewed
Sigvex exploit generator that validates unchecked call return values by sending ETH to a contract that always reverts and checking whether the victim's state updates regardless.
Read MoreMaintained by Sigvex TeamReviewed
How to use checked arithmetic in fee and rent calculations to prevent overflow and underflow exploits.
Read MoreMaintained by Sigvex TeamReviewed
How to prevent integer underflow in Solidity by using Solidity 0.8+ default arithmetic, adding explicit balance checks before subtraction, and using SafeMath in legacy contracts.
Read MoreMaintained by Sigvex TeamReviewed
How to fix unconnected component inputs by wiring all sub-circuit inputs to parent signals using constraining assignments.
Read MoreMaintained by Sigvex TeamReviewed
How to fix unconstrained output signals by adding constraining assignments or explicit constraints.
Read MoreMaintained by Sigvex TeamReviewed
How to fix unconstrained public inputs by adding constraints that bind them to the circuit's computation.
Read MoreMaintained by Sigvex TeamReviewed
How to fix under-constrained signals by adding proper constraints to ensure circuit soundness.
Read MoreMaintained by Sigvex TeamReviewed
How to fix uninitialized account access vulnerabilities.
Read MoreMaintained by Sigvex TeamReviewed
Sigvex exploit generator that validates uninitialized storage pointer vulnerabilities by checking whether uninitialized struct or array pointers overwrite critical storage slots including owner and balance variables.
Read MoreMaintained by Sigvex TeamReviewed
How to eliminate uninitialized storage pointer vulnerabilities by upgrading to Solidity 0.5.0+ and always assigning storage references to explicit mapping or array slots.
Read MoreMaintained by Sigvex TeamReviewed
How to fix comparison operators in unconstrained assignments by using constrained circomlib comparator components.
Read MoreMaintained by Sigvex TeamReviewed
How to prevent contract takeover via delegatecall by fixing the target address to a trusted, immutable implementation instead of accepting it from callers or unguarded storage.
Read MoreMaintained by Sigvex TeamReviewed
How to fix unsafe account data access patterns.
Read MoreMaintained by Sigvex TeamReviewed
How to fix unused public inputs, unassigned signals, and dead signals in ZK circuits.
Read MoreMaintained by Sigvex TeamReviewed
Remove dead state variables or wire them into the logic they were meant to feed, and confirm off-chain consumers before deleting public state.
Read MoreMaintained by Sigvex TeamReviewed
Sigvex exploit generator that validates bridge validator and relayer compromise vulnerabilities including low M-of-N thresholds, key management failures, centralized relayers, and missing validator rotation — with the Ronin Bridge ($625M) as the canonical attack scenario.
Read MoreMaintained by Sigvex TeamReviewed
How to harden bridge validator and relayer infrastructure against compromise through high consensus thresholds, hardware key management, validator diversity, rotation schedules, and fraud proof challenge windows.
Read MoreMaintained by Sigvex TeamReviewed
Remove duplicate variable declarations that hide parent-contract or outer-scope state so reads and writes target the intended slot.
Read MoreMaintained by Sigvex TeamReviewed
How to protect DeFi vault state from unauthorized modifications through access control and invariant enforcement.
Read MoreMaintained by Sigvex TeamReviewed
How to fix governance voting power manipulation vulnerabilities.
Read MoreMaintained by Sigvex TeamReviewed
How to fix PDA derivations using weak seed entropy.
Read MoreMaintained by Sigvex TeamReviewed
Sigvex exploit generator that validates randomness vulnerabilities by testing whether contract outcomes change predictably with controlled block environment variables.
Read MoreMaintained by Sigvex TeamReviewed
How to replace predictable on-chain entropy sources with verifiable off-chain randomness from an off-chain verifiable random function service or commit-reveal schemes.
Read MoreMaintained by Sigvex TeamReviewed
How to eliminate weak randomness vulnerabilities in Solana programs by replacing predictable on-chain entropy sources with Verifiable Random Functions (VRF) or commit-reveal schemes.
Read MoreMaintained by Sigvex TeamReviewed
How to fix complex unconstrained witness computations by decomposing into simpler steps with per-step constraints.
Read MoreMaintained by Sigvex TeamReviewed
How to fix missing wrapped token supply vs collateral parity validation.
Read MoreMaintained by Sigvex TeamReviewed
How to fix missing zero-amount validation in token operations.
Read MoreMaintained by Sigvex TeamReviewed
How to fix unsafe zero-copy deserialization patterns.
Read More