Security research and insights from the Asymmetric Research team.
Pragma is one of Starknet's main oracles, pricing collateral and liquidations for lending protocols holding tens of millions on-chain. This post explains how a missing access-control check could have let anyone disable its core price feeds for a few cents.
On Solana, events are often reconstructed from transaction traces, and failed transactions still emit data. This bug in Across could have allowed attackers to spoof deposit events and trick relayers into filling orders with no real deposit behind them.
CU optimizations come with risks. This post details a critical bug we found in p-token before mainnet, subtle enough to survive in a heavily scrutinized codebase.
When an agent audits your codebase, a common question is: what did it actually read and with what intent? Current tools don't answer that. We built a prototype and open-sourced it.
The most persistent security misinformation doesn't come from obscure corners of the internet, but from official docs, learning resources, and popular LLMs. Learn about the Solana vulnerabilities that aren't, and why they keep spreading.
Pragma is one of Starknet's main oracles, pricing collateral and liquidations for lending protocols holding tens of millions on-chain. This post explains how a missing access-control check could have let anyone disable its core price feeds for a few cents.
For years, a bug sat undetected in the official Solana Stake program. A specific sequence of five instructions could produce
On Solana, events are often reconstructed from transaction traces, and failed transactions still emit data. This bug in Across could have allowed attackers to spoof deposit events and trick relayers into filling orders with no real deposit behind them.
CU optimizations come with risks. This post details a critical bug we found in p-token before mainnet, subtle enough to survive in a heavily scrutinized codebase.
When an agent audits your codebase, a common question is: what did it actually read and with what intent? Current tools don't answer that. We built a prototype and open-sourced it.
With support from Solana Foundation, we're launching STRIDE, a comprehensive security program that sets clear standards for ecosystem projects.
The most persistent security misinformation doesn't come from obscure corners of the internet, but from official docs, learning resources, and popular LLMs. Learn about the Solana vulnerabilities that aren't, and why they keep spreading.
With the launch of DoubleZero’s mainnet, we’re grateful to celebrate alongside our Cohort 0 partners. This milestone strengthens
Relay Protocol's contracts trusted Ed25519 verification without validating offsets, opening the door to forged allocator signatures and potential double-spends. Learn about the bug, the risks it posed to cross-chain liquidity, and how the issue was addressed.
A new instruction broke the flash loan logic, creating a way to borrow without repaying and putting $160M at risk. We explain the vulnerability, potential impact, and how it was fixed.
An attacker posing as a well-known web3 founder messaged one of our engineers via Telegram. Rather than ignoring the attempt, we isolated and analyzed the payload in a controlled environment, turning a live phishing attempt into a learning opportunity.
Some of the most devastating vulnerabilities stem from complexity, inconsistency, and chaos. This post explains why predictable, well-formed code is the foundation of security.
Subscribe to be notified whenever we publish new security research.
