apegurus
91 verified skills
nomad-bridge
Case study of the 2022 Nomad Bridge exploit: initialization bug draining ~$190M
data-ai
audit-workflow
Five-phase Solidity audit workflow covering recon, static analysis, manual review, verification, and reporting.
testing
severity-classification
Impact-versus-likelihood rubric to classify Solidity findings from informational through critical severity.
development
bridges-cross-chain
Cross-chain bridge security guidance for message verification, replay prevention, and validator risk.
testing
smartbugs-examples
SmartBugs curated dataset — 143 annotated vulnerable Solidity contracts organized by DASP vulnerability category
development
fee-on-transfer-tokens
Fee-on-transfer and deflationary token integration pitfalls that break protocol accounting.
tools
lack-of-precision
- Contract performs integer arithmetic (division, fee calculations, reward distributions)
testing
missing-protection-signature-replay
- Contract verifies ECDSA signatures for authorization
tools
unsupported-opcodes
- Contract is intended for deployment on an EVM-compatible chain other than Ethereum mainnet (zkSync Era, Arbitrum, Optimism, Polygon, BNB Chain, etc.)
development
unused-variables
- Contract declares state variables, local variables, function parameters, or imports that are never referenced
tools
euler-finance
Case study of the 2023 Euler Finance exploit: donation attack draining ~$197M
data-ai
parity-multisig
Case study of the 2017 Parity Multisig Freeze: delegatecall + self-destruct exploit freezing ~$150M
research
level-finance
Case study of the 2023 Level Finance exploit: referral code reentrancy draining ~$1.1M
development
mango-markets
Case study of the 2022 Mango Markets exploit: oracle price manipulation draining ~$114M
development
rari-fuse
Case study of the 2022 Rari Fuse exploit: reentrancy in Compound fork draining ~$80M
data-ai
cyfrin-best-practices-upgrades
Cyfrin best-practice checklist focused on proxy, upgradeability, and versioning concerns
testing
cyfrin-defi-core
Cyfrin DeFi checklist covering attacker mindset and protocol-level DeFi primitives
testing
poly-network
Case study of the 2021 Poly Network exploit: cross-chain relay manipulation draining ~$600M
data-ai
cyfrin-defi-integrations
Cyfrin DeFi checklist covering integrations, token standards, and ecosystem-specific risks
testing
cyfrin-best-practices-runtime
Cyfrin best-practice checklist focused on runtime heuristics, cross-chain concerns, and timelock controls
testing
ronin-bridge
Case study of the 2022 Ronin Bridge exploit: compromised validator keys draining ~$625M
data-ai
general-audit
Comprehensive Solidity audit checklist spanning access control, reentrancy, oracles, and integrations.
testing
amm-dex
AMM and DEX security patterns covering pricing, LP accounting, MEV, and swap invariants.
testing
exploit-reference
Reference guide to major DeFi exploits and reproducible Foundry workflows from DeFiHackLabs
testing
staking-vesting
Staking security guidance for reward accounting, lock periods, timing attacks, and withdrawals.
testing
lending-borrowing
Security review framework for lending and borrowing systems including liquidations and accounting.
development
dao-governance
Governance security patterns for voting, timelocks, proposal execution, and quorum safety.
development
arbitrary-storage-location
- Contract has a dynamic array in storage
data-ai
cyfrin-gas
Cyfrin audit checklist — gas optimization and efficiency items for Solidity smart contracts
testing
flash-loan-attacks
Flash-loan attack mechanics, exploit archetypes, and mitigations for capital-amplified threats.
development
floating-pragma
- Deployable contract uses a floating or range pragma (e.g., `pragma solidity ^0.8.0`, `pragma solidity >=0.8.0`)
devops
governance-attacks
Governance vulnerabilities including flash-loan voting, timelock bypass, quorum manipulation, and unprotected proposals
development
insufficient-gas-griefing
- Contract relays or forwards calls on behalf of users (meta-transactions, multisig execution, relayer patterns)
testing
front-running-attacks
Front-running and MEV vulnerabilities including missing slippage protection, deadline manipulation, predictable randomness, and commit-reveal weaknesses
tools
incorrect-inheritance-order
- Contract uses multiple inheritance (`is ContractA, ContractB, ...`)
tools
msgvalue-loop
- `msg.value` is referenced inside a loop (`for`, `while`) or in a function called multiple times within a single external call
tools
missing-parameter-bounds
Protocol parameters are accepted without min/max constraints, allowing invalid or unsafe runtime states.
data-ai
inadherence-to-standards
- Contract claims to implement a standard (ERC20, ERC721, ERC1155, etc.) but deviates from the specification
development
proxy-vulnerabilities
Proxy pattern vulnerabilities including storage collision, uninitialized proxy, and function selector clash
data-ai
reentrancy
Reentrancy attack patterns, real incidents, and defensive coding checks for Solidity protocols.
testing
signature-malleability
Contract uses ECDSA signatures for authorization or deduplication
tools
unbounded-return-data
- Contract makes a low-level `.call()` to an untrusted or user-specified address
development
unexpected-ecrecover-null-address
- Contract uses `ecrecover` directly (not via OpenZeppelin's ECDSA library)
development
unchecked-return-values
Contract uses low-level calls: .call(), .send(), or .delegatecall()
testing
unsecure-signatures
- Contract uses ECDSA signatures for authorization, authentication, or message verification
tools
weird-tokens
Non-standard ERC20 behaviors, integration pitfalls, and token-handling safeguards.
tools
zero-address-misconfiguration
Critical addresses are set to address(0), causing hard reverts, fund loss paths, or permanently broken flows.
tools
unsafe-low-level-call
- Contract uses `.call()`, `.delegatecall()`, `.staticcall()`, or `.send()` for external interactions
tools
first-principles
Specialist profile for line-by-line assumption extraction without relying on named bug classes.
testing
invariant
Specialist profile for extracting conservation laws and state couplings, then searching for violating paths.
testing
math-precision
Specialist profile for rounding, scale, decimal, downcast, and arithmetic accounting edge cases.
testing
vector-scan
Specialist profile for mechanically applying the attack-vector deck and classifying vectors as skip, drop, or investigate.
testing
execution-trace
Specialist profile for stale reads, parameter divergence, branch ordering, callbacks, and cross-transaction interleavings.
testing
periphery
Specialist profile for libraries, helpers, base contracts, adapters, encoders, wrappers, and integration glue.
tools
access-control-specialist
Specialist profile for roles, modifiers, initialization, upgrade authority, and guard consistency review.
testing
economic-security
Specialist profile for external dependencies, token behavior, incentives, oracle assumptions, and value-flow attacks.
testing
erc4626-exchange-rate-manipulation
ERC-4626 integrations are exploited by manipulating share price or conversion state to mint, borrow, or redeem at distorted rates.
tools
oracle-manipulation
Oracle manipulation techniques, case studies, and secure pricing integration controls for DeFi.
testing
beanstalk-governance
Case study of the 2022 Beanstalk exploit: flash loan + governance manipulation draining ~$182M
development
dao-hack
Case study of the 2016 DAO hack: reentrancy exploit draining ~$60M
data-ai
assert-violation
- Contract uses `assert()` statements
tools
cross-chain-bridge-vulnerabilities
Cross-chain bridge vulnerabilities including missing chain ID validation, cross-chain replay attacks, unverified bridge messages, and hardcoded bridge addresses
development
authorization-txorigin
Contract uses tx.origin for authorization or access control checks (e.g., require(tx.origin == owner))
testing
default-visibility
- Functions or state variables are declared without an explicit visibility specifier
testing
dos-gas-limit
- Contract iterates over a dynamic array or mapping whose size can grow unboundedly
tools
hash-collision
- Contract uses `abi.encodePacked()` to encode data before hashing (typically with `keccak256`)
development
dos-revert
Denial-of-service attacks through unexpected reverts in external calls
tools
incorrect-constructor
- Solidity version <0.4.22 where constructors are named functions matching the contract name
tools
cream-finance
Case study of the 2021 Cream Finance exploit: flash loan + oracle manipulation draining ~$130M
data-ai
harvest-finance
Case study of the 2020 Harvest Finance exploit: flash loan + price manipulation draining ~$34M
data-ai
access-control
Access-control exploit patterns and secure authorization approaches for privileged Solidity functions.
tools
outdated-compiler-version
- Contract is compiled with a Solidity version significantly behind the latest stable release
development
overflow-underflow
Integer overflow and underflow vulnerabilities in Solidity contracts
tools
wormhole-bridge
Case study of the 2022 Wormhole Bridge exploit: missing signature validation draining ~$320M
data-ai
report-template
Reusable smart contract audit report structure with severity IDs, finding sections, and appendices.
testing
curve-reentrancy
Case study of the 2023 Curve reentrancy exploit: Vyper compiler bug draining ~$70M
development
bzx-flash-loan
Case study of the 2020 bZx exploits: oracle manipulation via flash loans draining ~$1M
data-ai
asserting-contract-from-code-size
- Contract uses `extcodesize` or `address.code.length` to check whether an address is an EOA vs. a contract
development
delegatecall-untrusted-callee
Contract uses delegatecall with potentially untrusted callee
development
logic-errors
Protocol logic bug patterns, exploit examples, and invariant-driven review strategies.
tools
off-by-one
- Contract uses loops with boundary conditions, comparison operators at thresholds, or array index calculations
tools
gas-optimization-patterns
Gas optimization patterns including unbounded loops, storage writes in loops, external calls in loops, and unchecked array growth
testing
share-accounting-desynchronization
Asset/share systems drift out of sync across views, transfers, or reward logic, enabling value leakage, bypasses, or protocol lockups.
tools
shadowing-state-variables
- Contract inherits from one or more parent contracts
tools
stateful-parameter-update-drift
Changing live protocol parameters without synchronizing accrued state creates hindsight effects, unfair allocations, or broken invariants.
data-ai
uninitialized-storage-pointer
- Solidity version <0.5.0
data-ai
unsafe-erc20-transfers
Unsafe ERC20 transfer and approve calls that silently fail on non-standard tokens.
data-ai
use-of-deprecated-functions
- Contract uses Solidity functions, keywords, or language features that have been deprecated or removed
tools
unencrypted-private-data-on-chain
- Sensitive data (passwords, secrets, private keys, game answers) is stored in contract storage
data-ai
weak-sources-randomness
- Contract generates "random" values using on-chain data: `block.timestamp`, `blockhash`, `block.difficulty` / `block.prevrandao`, `block.number`, or combinations thereof
data-ai
attack-vector-deck
Compact catalogue of concrete Solidity vulnerability vectors with detection cues and false-positive guards.
testing