Nethermind Security

742 posts

Nethermind Security banner
Nethermind Security

Nethermind Security

@NethermindSec

Comprehensive security from @Nethermind, from audits to formal verification. Book now: https://t.co/dBDIYbokwP

Katılım Eylül 2024
46 Takip Edilen1.6K Takipçiler
Sabitlenmiş Tweet
Nethermind Security
Nethermind Security@NethermindSec·
Your team takes the break. We take the audit. A few slots open July 1 — August 15. Adjusted rates. AuditAgent Pro included so the codebase is ready before we start. Smart contracts and ZK circuits. nethermind.io/audit-slots
Nethermind Security tweet media
English
1
3
11
3.9K
Nethermind Security
Nethermind Security@NethermindSec·
Same proof methodology, three independently built Plonky3 codebases. OpenVM and Brevis Pico (EF-supported) are zkVMs. Plonky3's own Poseidon2 circuit isn't, but the method still applies. For the zkVMs, we prove one equivalence theorem per opcode: a chip's circuit, read through its bus interactions, produces exactly the same state as running that RISC-V instruction. Pico alone has 62 of these for RV64IM, 45 for RV32IM. Poseidon2's constraint expressions ran to billions of nodes, too many for the extractor or Lean to handle directly. We cached shared subexpressions down to around 3,000 named terms. On OpenVM, memory consistency, every read and write to an address agreeing with one history, is derived from bus balance rather than assumed. On Pico, one piece stays outside the proof: byte-level lookup tables are audited, not proven in Lean. Running your own Plonky3 fork and weighing formal verification against building this yourself? We're already having that conversation with a few teams.
Nethermind Security tweet media
English
1
2
1
648
Nethermind Security
Nethermind Security@NethermindSec·
200+ audits completed in 2025. Arbitrum DAO approved us as an audit provider, and we sit on zkSync's security council. We audit Solidity, Cairo, Rust, and Noir. Now extending to Move. Building on Aptos? We cover it.
Nethermind Security tweet media
English
1
0
1
273
Nethermind Security
Nethermind Security@NethermindSec·
We completed a security audit of @particle_cs's Bloxchain framework,an open-source security framework for Ethereum applications designed so sensitive operations use roles, waiting periods, and multi-party control - not a single key acting alone. Our security team reviewed the protocol's smart contract architecture and implementation.
English
2
0
4
405
Nethermind Security
Nethermind Security@NethermindSec·
We completed a security review of @arcxtrade, a yield-decomposition protocol on Starknet that settles across chains by bridging USDC into Wildcat markets through CCTP. The review covered the full Cairo and Solidity codebase, with close attention to the token decomposition model and the cross-chain settlement path. The higher-severity findings were fixed ahead of the beta.
Nethermind Security tweet media
English
2
2
12
1.9K
Nethermind Security
Nethermind Security@NethermindSec·
In 2024, an attacker manipulated a lending protocol's oracle into valuing a single token at roughly $1.37 trillion. The oracle worked as designed. It derived the price from a DEX pool, and a flash loan moved that pool for a single block, so the reported price was the one the attacker chose. Reading a price directly from a pool is the obvious error, and most experienced teams avoid it. The harder failures are the ones that pass review. A staleness threshold set too high, so an outdated price is still accepted as current. An L2 feed that reads as fresh while the sequencer is down. A TWAP that resists cheap manipulation but lags a fast market enough to leave an exploitable window. Most teams know an oracle can be manipulated. Confirming that the safeguards already in place actually hold is harder, and it's most of what an audit does here.
Nethermind Security tweet media
English
1
0
3
286
Nethermind Security
Nethermind Security@NethermindSec·
Everyone's arguing about whether AI replaces security audits. We stopped arguing and ran it: one codebase, three layers, and we tracked what each one actually caught. AuditAgent (our AI scanner, runs while you build) and AgentArena (independent agents competing to break the same code) cleared the high-frequency stuff early. The bugs that show up in codebase after codebase, gone before anyone senior opened the repo. So by the time our auditors started, the easy surface was clean. They spent their time on the bugs you can't pattern-match. Things like an external call that ran before the check meant to authorize it. Design-specific, the kind you only find by reasoning through the whole system. Both camps in this fight are only half right: AI doesn't shrink the audit, it tells the audit where to look. And the audit finds what no scanner ever will. You don't pick one. You run them in order.
Nethermind Security tweet media
English
3
1
10
448
Nethermind Security
Nethermind Security@NethermindSec·
It carries context across scans, surfaces more meaningful findings, and you can review and adjust what it remembers. A pre-audit baseline you run while you build, ahead of a comprehensive audit. auditagent.nethermind.io
English
0
0
1
173
Nethermind Security
Nethermind Security@NethermindSec·
Most AI scanners start every run from zero. AuditAgent now keeps a per-project memory. Each scan builds on what it already learned about your codebase, so repeat runs get sharper instead of repeating themselves.
Nethermind Security tweet media
English
2
1
5
279
Nethermind Security
Nethermind Security@NethermindSec·
A ZK circuit can do exactly what it's supposed to and the system around it still gets drained. The risk lives in what the protocol assumes the proof means. Michael Belegris on the bugs our ZK audit team keeps finding: nethermind.io/blog/zk-circui…
English
1
6
20
1.8K
Nethermind Security retweetledi
Nethermind Security
Nethermind Security@NethermindSec·
Your team takes the break. We take the audit. A few slots open July 1 — August 15. Adjusted rates. AuditAgent Pro included so the codebase is ready before we start. Smart contracts and ZK circuits. nethermind.io/audit-slots
Nethermind Security tweet media
English
1
3
11
3.9K
Nethermind Security
Nethermind Security@NethermindSec·
Uniswap ran a free AuditAgent scan, an AgentArena competition on UniswapX, and adopted the AuditAgent Business Plan in three months. Cody Born, Principal Engineer at @Uniswap, on what AuditAgent changed in their development workflow:
Nethermind Security tweet media
English
3
8
21
2.6K
Nethermind Security
Nethermind Security@NethermindSec·
@0xKalzak Pre-audit tools handle the surface layer. AuditAgent flags common vulnerability patterns and dead code so the audit goes deeper from day one. Included with audit slots between July 1 and August 15. Reduced rates: nethermind.io/audit-slots
English
0
0
0
148
Nethermind Security
Nethermind Security@NethermindSec·
Auditors aren't QA. When the first days of an engagement go to integration bugs the team would catch on testnet, that's time off the review. When pass one goes to dead code and common vulnerability patterns, that's time not spent on bugs only auditors can find.
Nethermind Security tweet media
English
2
1
3
1.1K