Audit Reports

Security assessments of DeFi protocols, bridges, and smart contract systems.

NexusSwap DEX V2

Chains: Ethereum / Arbitrum. Date: November 2024. Severity summary: 2 Critical, 3 High.

Security audit of NexusSwap's V2 AMM contracts, including the swap router, liquidity pool factory, concentrated liquidity positions, and fee accumulator. 4,200 lines of Solidity across 18 contracts.

Scope statistics: 4,200 lines of code; 18 contracts; 14 issues found; 14 issues resolved.

Key Findings

Reentrancy vulnerability in flash swap callback allowing pool drainage
Missing slippage protection in multi-hop swap execution
Fee accumulator vulnerable to precision loss exploitation
Liquidity position NFT can be burned while still holding liquidity
Oracle price manipulation possible via low-liquidity tick ranges
Insufficient validation of tick spacing parameters in pool creation

VaultGuard Lending Protocol

Chain: Ethereum. Date: October 2024. Severity summary: 1 Critical, 4 High.

Security audit of VaultGuard's lending protocol with isolated markets, dynamic interest rates, and liquidation mechanisms. Covered the lending pool, interest rate strategies, oracle integrations, and governance timelock.

Scope statistics: 5,800 lines of code; 24 contracts; 19 issues found; 19 issues resolved.

Key Findings

Flash loan attack vector enables oracle manipulation for bad debt creation
Liquidation bonus calculation underflows when collateral factor is updated
Interest accrual can be skipped by direct token transfers to pool
Governance timelock can be bypassed through emergency withdrawal path
Missing health factor check allows self-liquidation for profit extraction
Interest rate model returns incorrect rates at utilization boundary conditions

Quantum Bridge Protocol

Chains: Multi-chain. Date: September 2024. Severity summary: 3 Critical, 5 High.

Security audit of Quantum Bridge's cross-chain messaging and asset transfer protocol. Covered validator signature verification, message passing on Ethereum, Arbitrum, Optimism, Polygon, and Base, and token locking/minting mechanisms.

Scope statistics: 8,400 lines of code; 32 contracts; 23 issues found; 21 issues resolved.

Key Findings

Signature malleability allows replay of validator approvals across chains
Missing chain ID verification in message hash enables cross-chain replay
Validator set update race condition can freeze bridge operations
Token mapping discrepancy allows minting of unmapped tokens
Emergency pause function accessible to single compromised validator
Insufficient nonce validation enables message ordering attacks
Wrapped token contract lacks proper access control on mint function
Rate limiting mechanism can be bypassed through message batching

Ready for an Audit?

Get in touch to discuss your security needs.