hexens

@hexens

Security for those who cannot afford a mistake.

Joined September 2021
3 Following, 8.7K Followers
Pinned Tweet
hexens@hexens·
It's never been harder to build or raise in crypto. And the teams that need audits the most are the ones just starting out.
Hexens Builder Support: real security engagement built around where early-stage protocols actually are.
Who qualifies:
— Under $1M raised
— First security audit (no prior professional audit)
— Live or near-launch product (not just an idea)
Too many good protocols die before their first audit or ship without one and get exploited. That's why we built Builder Support. To catch the ones worth catching, before anyone else does.
Apply: hexens.io/?request-a-quo…
hexens@hexens·
Earlier, Apple announced another significant patch release for macOS (Tahoe 26.4), patching almost 80 CVEs spanning across user-space to kernel modules. Together with dozens of other bright minds, we again had our own contribution, with the credit going to our researcher Gor Aleksanyan (@GorAleksanyann) who co-discovered CVE-2026-28868 and CVE-2026-20695 - kernel address/info leak bugs. Update your devices. Full advisory: support.apple.com/en-us/126794
hexens@hexens·
Three Hexens engineers voted as badge holders in the Ethereum Security QF round, casting their votes for projects they believe in. Hexens contributed $400 per badge-holding team member to back their participation.
hexens@hexens·
Audit Completed: @kalqix
We're glad to have supported @kalqix with a security review of their DEX infrastructure layer, a permissionless exchange engine leveraging zero-knowledge proofs. Our audit covered the EVM contracts, including the bridge and its mechanisms. Wishing the KalqiX team the best as they continue building. Full report below:
hexens@hexens·
Apple just released iOS 26.5 and iPadOS 26.5, patching a significant number of security vulnerabilities across core system components - from memory corruption in media handling to sandbox escapes and privacy bypasses. Among the credited researchers: our own Andy Koo (@_nd_koo), who discovered CVE-2026-28974 - a double free vulnerability in Spotlight, found using an AI-augmented fuzzing setup. Update your devices. Full advisory: support.apple.com/en-us/127110
hexens@hexens·
Hexens Builder Support × @elfomo_fi
We're glad to have supported @elfomo_fi through our Builder Support program - backing early-stage teams building thoughtful protocols in Web3. Our audit covered Elfomo's vault accounting layer, including the manager architecture and EpochBasedVault implementation. Wishing the Elfomo team the best as they head into launch. Full report below:
hexens@hexens·
Not every "oracle" is an oracle. Some price() functions look legitimate from the outside but internally just return a hardcoded storage variable: no Chainlink, no TWAP, no aggregator logic. Whoever has write access to that slot owns the price. It can hide within the function logic. No external calls, no aggregator, just a storage read dressed up as a price feed. From the consumer side (a lending pool, a perp DEX, a stableswap), collateral valuations and liquidations sit at the mercy of a single transaction. See what it returns: glide.r.xyz/query/7c1a0662…
hexens@hexens·
This is the workflow Glider was designed around. Reconnaissance, finding every contract on every chain that matches a vulnerable pattern, used to be the bottleneck. Now it's a query. Add an LLM for the PoC, and discovery → exploit → report runs end to end with one researcher in the loop. Great work by @SCAuditStudio.
SC Audit Studio@SCAuditStudio

We decided to test @xyz_remedy glider tool and found a critical vulnerability in a privacy protocol. Tldr: Broken Groth16 deployment leads to proof forgery, allowing to withdraw full TVL. Read more below 👇

hexens@hexens·
A growing share of major exploits no longer break contract logic. They break ops workflows, infrastructure assumptions, and key management. The recent exploits are another example. The contract code is not the only failure point. This is why our audit practice covers oracle daemons, deployment configurations, off-chain infrastructure, and cloud security, not just Solidity. We are contributing to a piece with @magmadevs on RPC-layer risks, where trust assumptions are often invisible until they are exploited. More soon.
Magma Devs@magmadevs

Attacks like KelpDAO/LZ will keep happening until we close the RPC Security gap. That's why we're partnering with @cyfrin, @hackenclub, @Hashlock_ and @hexens to help teams harden the layers smart contract audits don't reach. Learn more and check your exposure to RPC attacks 👇

hexens@hexens·
Our Builder Support Program has had a huge response since launch. Teams are showing up, and the same gaps are becoming apparent with them: the audit is just one piece of what they actually need to ship.
So, we're expanding the program. Bringing partners on board across the stack so builders we accept get more than just the engagement with us.
What we're adding:
— Dev tooling and security platforms
— RPC and node infrastructure
— Monitoring and observability tools
— Marketing and growth services
Support for audits is just one piece of the puzzle. The program we're building puts the rest in place too.
Partners apply here: forms.gle/bwTkGzBTsU4eG2…
Builders apply here: hexens.io/?request-a-quo…
hexens@hexens

It's never been harder to build or raise in crypto. And the teams that need audits the most are the ones just starting out.
Hexens Builder Support: real security engagement built around where early-stage protocols actually are.
Who qualifies:
— Under $1M raised
— First security audit (no prior professional audit)
— Live or near-launch product (not just an idea)
Too many good protocols die before their first audit or ship without one and get exploited. That's why we built Builder Support. To catch the ones worth catching, before anyone else does.
Apply: hexens.io/?request-a-quo…

hexens@hexens·
5. The tooling extends reach. Manual review closes the gaps tooling can't reach. Judgment stays with senior engineers. A model authoring findings is a liability. A model that lets a senior auditor see more of the codebase, faster, without losing depth — that is leverage. Security for systems that cannot afford to make mistakes. hexens.io
hexens@hexens·
4. Glider, our proprietary querying engine, lets senior auditors search deployed contract logic by behavior and pattern. Vulnerability classes surface across codebases, not one file at a time. The full offensive security toolchain covers adjacent infrastructure.
hexens@hexens·
1. Earlier this week we posted about Hexens' track record: 300+ engagements, $85B+ secured, zero exploited post-audit. This is the engineering behind it.
hexens@hexens·
4. 90% of Hexens reports surface a critical or high-severity finding. A meaningful share of that code had already passed a prior audit. The engagement continues through remediation. We review the patches. We catch the bugs that only appear once the fix is written. 91% of clients return. Security for systems that cannot afford to make mistakes. hexens.io
hexens@hexens·
3. That threat profile sets the bar for how the review runs. Every engagement fields two independent senior teams. In parallel. Exclusive focus. Where the teams converge, you have confirmation. Where they diverge, you've caught what a single team would have missed.
hexens@hexens·
1. After 5 years in blockchain security, a pattern becomes visible: The code most likely to be attacked tends to end up reviewed by a narrow group of firms. Across 300+ engagements and $85B+ in assets secured at Hexens, 0 have been exploited post-audit.