Shred Security

40 posts

@ShredSecurity

Industry grade security audits for Blockchains and DeFi protocols | Rust, Go, Solidity and beyond | Helped secure @0xProbable, @RatehopperAI and more.

Global · Joined August 2025
5 Following · 295 Followers

Shred Security (@ShredSecurity)
Most DeFi protocols don't have an incident response plan. They have a group chat and a prayer.

We built the Incident Response Checklist, a production-grade IR standard for Web3 protocols, covering:
- Communication
- Post-Mortem
- Containment
- Forensics
- Recovery

The #1 rule we outlined: Containment BEFORE detailed tweets, until losses are stopped.

It’s free, open-source, and built for real incidents. Star it. Fork it. Add it to your runbook. Your future self at 3am will thank you.

Link in the comments below👇

Shred Security (@ShredSecurity)
Security is non-negotiable. Shred Security x @RatehopperAI RateHopper has reappeared pursuing one more elite-grade security review! Super excited to have them back as we keep offering strong protection for their expanding setup — a clear sign of our great client retention and ongoing collaboration to build securely. Their beta program is now live, learn more here: ratehopper.ai
Shred Security tweet media

Shred Security (@ShredSecurity)
Thanks @nooz0x for participating.

The issue here is: Using time.Now().Unix() (local system time) in the permit precompile for deadline validation.

This is non-deterministic across validators — due to slight clock drift, network latency, and propagation delays, different nodes can get slightly different values from time.Now() when processing the same transaction in the same block.

→ Different state transitions on different nodes → different state roots → possible consensus failure.

Recommendation / Fix: Replace time.Now() with the deterministic block timestamp: block.Header.Time.Unix() (or equivalent chain context time).
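
The divergence described in the post above, as an added Go example that is not Shred Security's challenge code: two validators process the same permit in the same block, once with a per-node clock and once with the block timestamp. `Permit`, `Validator` and `rootsAgree` are hypothetical names, and the local clock is simulated with a fixed, constructed skew so the run is repeatable.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"time"
)

// Permit and Validator are constructed stand-ins, not a real chain's types.
type Permit struct {
	Owner, Spender string
	Amount         uint64
	Deadline       int64 // unix seconds
}

type Validator struct {
	Skew      time.Duration // how far this node's wall clock is off
	Allowance map[string]uint64
}

// applyPermit mutates state only if the permit has not expired at now.
func (v *Validator) applyPermit(p Permit, now int64) {
	if now <= p.Deadline {
		v.Allowance[p.Owner+"->"+p.Spender] = p.Amount
	}
}

// stateRoot is a toy commitment to the node's state (fmt prints maps key-sorted).
func (v *Validator) stateRoot() string {
	return fmt.Sprintf("%x", sha256.Sum256([]byte(fmt.Sprint(v.Allowance))))
}

// rootsAgree runs one permit in one block on two validators, true if roots match.
func rootsAgree(useLocalClock bool) bool {
	blockTime := time.Unix(1700000000, 0) // constructed header timestamp
	p := Permit{"alice", "bob", 100, blockTime.Unix() + 1}
	nodes := []*Validator{{0, map[string]uint64{}}, {3 * time.Second, map[string]uint64{}}}
	for _, v := range nodes {
		now := blockTime.Unix() // deterministic: identical on every node
		if useLocalClock {      // stands in for time.Now().Unix() on this node
			now = blockTime.Add(v.Skew).Unix()
		}
		v.applyPermit(p, now)
	}
	return nodes[0].stateRoot() == nodes[1].stateRoot()
}

func main() {
	fmt.Println("local clock:", rootsAgree(true), "block time:", rootsAgree(false))
}
```

With the local clock, the node whose clock runs 3 seconds ahead rejects a permit that the other node accepts, so the two state roots differ; with the block timestamp both nodes reach the same root.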

Shred Security (@ShredSecurity)
Challenge #4: Can you spot the bug in this code snippet?
Shred Security tweet media

Shred Security (@ShredSecurity)
Challenge #3: Can you spot the bug in this code snippet? Hint: It’s a deployment script, so expect the unexpected!🧐
Shred Security tweet media

Shred Security (@ShredSecurity)
Shoutout to @nooz0x for solving it correctly and thanks @0xalifweb3, @0xkun4l for participating.

The root cause is silent precision loss/truncation on the scaling-down path.

Major hacks due to rounding bugs: Balancer ($128M) in 2025, zkLend ($9.5M) in 2025, etc.

Fix: Implement safe rounding mechanisms in mathematical operations.

You can find the next challenge here: x.com/ShredSecurity/…

Shred Security (@ShredSecurity)
Challenge #2: Can you spot the bug in this code snippet?
Shred Security tweet media

Shred Security (@ShredSecurity)
Shoutout to @0xalifweb3, @0zpan, @nooz0x, @0xkun4l who have solved it correctly.

The root cause is a user-controlled PDA seed. It can cause PDA seed collisions -- DoS or account mixups.

Fix is simple: Use unique seeds with the user's public key.

You can find the next challenge here: x.com/shredscrt/stat…

Shred Security (@ShredSecurity)
We’re launching a bug-hunting challenge series for EVM (in Solidity mainly), Solana and blockchain-related vulnerabilities.

Challenge #1: Can you spot the bug in this code?
Shred Security tweet media

Shred Security (@ShredSecurity)
Back in November, we collaborated with @burraSec to audit the @PancakeSwap-backed project @0xProbable. A solid codebase with just 2 lows and a bunch of informational findings.🫡 Report is in the first comment.

Shred Security (@ShredSecurity)
Our researchers just wrapped up another private audit 🔥 Report dropping soon 🚀 Salute to our brave Shredders for securing another protocol 🫡

Shred Security reposted
kenzo | shredsec.xyz (@kenzowhitehat)
At @shredscrt, we're really passionate about fortifying protocols with our layered defense audit suite: AI scans, formal verification, fuzzing, and secure deployment. Secure your project end-to-end. Learn more at shredsec.xyz
kenzo | shredsec.xyz tweet media

Shred Security (@ShredSecurity)
Quick stats from the first 2 months of Shred Security 🚀
yashar (@yashar0x)

🧵/1 First 2 months of building @shredscrt, here’s what we shipped:👇

In 60 days, we:
- Secured 5 protocols through private audits
- Built the first-ever Protocol Deployment Checklist
- Developed our in-house AI Security Auditor agent

Still early, but the foundation is strong!