Security research, vulnerability deep-dives, and smart contract audit guides.
OpenZeppelin Contracts v5 was a deliberate API redesign — many widely-used helpers were renamed, moved, or removed entirely. This guide walks through the seven changes most likely to break a contract or its audit, with before/after code for each.
Solady 0.1.x introduces EIP7702Proxy, ERC7821, and a redesigned account-abstraction stack. This is what changed since 0.0.x, why EIP-7702 reshapes wallet architecture, and the security pitfalls to watch when migrating.
AI-generated Solidity patches look perfect — until you paste them into your codebase and watch solc reject the imports. Here is why LLMs hallucinate dependency versions, and the two-layer defense (Detect-and-Match + Verify-Compile) that actually delivers PR-ready fixes.
Why airdrop contracts are a favorite target for exploits — merkle tree collisions, unchecked double-claiming, cross-chain replay attacks, and the secure patterns that prevent millions in losses.
Beyond stale prices, Chainlink oracles have subtle edge cases that break DeFi protocols: L2 sequencer downtime, min/max answer circuit breakers, decimal mismatch, and more. Six vulnerability classes with defensive integration patterns.
Classic reentrancy guards miss indirect reentry through other contracts and state-read attacks during reentrant execution. Curve Finance lost millions when read-only functions returned stale prices during a reentrant call.
ERC-4626 tokenized vaults standardized DeFi yield positions but introduced a new attack surface. Six vulnerability classes — vault inflation attacks, share price manipulation via donations, rounding direction bugs, first depositor exploits, and fee-on-transfer token incompatibility.
The major DeFi smart contract exploits of 2025 — root causes, amounts lost, and what each hack reveals about the vulnerability classes that keep draining protocols.
How permit() gasless approvals enable signature replay attacks, phishing, and frontrunning in DeFi. Real exploit patterns, vulnerable code, and detection strategies.
A practical pre-deployment security checklist for Solidity developers. Covering reentrancy, access control, integer overflow, oracle manipulation, and more — with detection tips for each.
An analysis of the five vulnerability patterns responsible for 90% of DeFi exploits, with code examples and automated detection methods for each.
Analyzing AlkemiEarn and SynapLogic cases to understand the risks of business logic vulnerabilities and strategies for prevention using multi-engine security scanning.
MythX is gone. The security tooling landscape is shifting toward multi-engine scanning, AI-powered analysis, and developer workflow integration. Here's what's changing and what ContractScan is building next.
Cross-chain bridges have lost over $2.5 billion to exploits — more than any other DeFi category. Understanding what keeps going wrong, and what the better-designed bridges do differently, is essential for anyone building or auditing cross-chain infrastructure.
MEV bots extract hundreds of millions from DeFi every year by targeting patterns that look completely normal in smart contract code. Here's how front-running works, where it comes from, and what you can actually do about it.
Solidity 0.8 added built-in overflow protection, and most developers moved on. But overflow-related bugs didn't disappear — they evolved. Here's where they still hide.
Price oracle manipulation is behind billions in DeFi losses. Understanding how each oracle type can be gamed — and what makes one harder to attack than another — is essential for anyone building or auditing DeFi protocols.
Upgradeable contracts solve the immutability problem but introduce a new class of subtle, high-severity bugs. Here's what actually goes wrong with UUPS, Transparent, and Diamond proxies — and how to catch them before deployment.
A breakdown of the Drift Protocol exploit, Q1 2026 hack trends, and what smart contract developers can do to protect their code.
MythX (ConsenSys Diligence) shut down in 2023. If you still have pipelines referencing the MythX API or CLI, here's how to migrate to ContractScan — free, fast, and no sign-up required.
A hands-on comparison of Slither, Mythril, and Semgrep — the three leading open-source security tools — covering detection scope, speed, and usability.
A complete guide to automating Solidity contract security scanning in your CI/CD pipeline. Detect vulnerabilities on every PR and block deployments on critical findings.
A deep-dive into the most exploited smart contract vulnerabilities of 2025 and 2026, with real-world examples and prevention strategies.
The most notorious smart contract vulnerability in history. Analyzing how reentrancy attacks evolved from the 2016 DAO hack to Euler Finance in 2023, and how to defend against them.
ContractScan automatically collects DeFi hack incidents and vulnerability data every week. Learn how our live threat intelligence system uses Rekt.news, DeFiHackLabs, and the SWC Registry to keep your scans up to date.
Analyzing the mechanics of flash loan attacks through the bZx, PancakeBunny, and Euler Finance cases, with price oracle manipulation defense patterns.
Access control vulnerabilities rank #1 in smart contract security losses as of 2025. Analyzing the Poly Network, Ronin Bridge, and Nomad Bridge cases — totaling over $1.4B — with defense patterns.
Smart contracts are immutable once deployed. Learn why security must be a core part of development, illustrated with real-world hack case studies.
A practical pre-deployment checklist covering access control, arithmetic, external calls, oracle safety, and more.
Step-by-step breakdown of how reentrancy exploits work, illustrated with a real attack flow and countermeasures.