Andy Koo

145 posts

@andykoo

Senior Security Researcher @hexensio :)

Joined December 2019
2.1K Following, 427 Followers
Andy Koo retweeted
hexens @hexensio
Audit Completed: @Zharta Security review of Zharta's structured credit order book protocol for ERC20 tokens. Our assessment focused on updated lending contract logic, asset handling, and overall fund safety. We're glad to support Zharta's ecosystem and look forward to working together again in the future. Full report below:
Andy Koo retweeted
hexens @hexensio
Live Session | Breaking Down the TSTORE Poison Bug
The highest grade severity bug in Solidity compiler found by Hexens.
Join us as we break down:
• What the bug is & how it works
• How we found it
• How YOU could find it with Glider
Going live Thursday, March 12 at 14:00 GMT right here on the Hexens X account.
Andy Koo @andykoo
Our team isn’t just strong in Web3. We’ve also got some incredible Web2 experts on board
hexens @hexensio

We recently completed an Advanced Persistent Threat (APT) assessment with @ChainSafeth. They commissioned us to simulate a real attack against their organization, not a standard security audit, but a covert operation run the way advanced threat actors actually work. Using novel technical tradecraft alongside targeted social engineering, we achieved the objective and bypassed multiple layers of defense, including controls that are widely trusted across the industry. Hats off to the @ChainSafeth team, whose significant defences certainly made our team sweat. They've since used the engagement findings to further harden their security posture. The engagement is a clear reminder that organizations need to be ready for adversaries who don't stop at the first layer of defense but work through them methodically until something gives. That's the threat organizations need to be prepared for.

Andy Koo retweeted
hexens @hexensio
10 years of silence on major SOLC bug front is over
TSTORE Poison: a silent tstore/sstore storage corruption bug
Full explanation: hexens.io/research/solid…
— This is the opening article of our new Research page. There is more to come, so stay tuned.
— TL;DR: delete ; ~~☠️
— Blast Radius discovery is a cornerstone of these kinds of incident reports; we have used Glider to scan through all the integrated chains. Additionally, we want to thank everyone for help during the IR: @_SEAL_Org @etherscan @dedaub @danielvf And of course the @solidity_lang team for handling the report professionally.
Solidity @solidity_lang

Full bug explainer: soliditylang.org/blog/2026/02/1… Thanks to @hexensio for the discovery and thorough report, @_SEAL_Org and @dedaub for their swift response and help in identifying affected contracts.

Andy Koo retweeted
hexens @hexensio
Audit Completed: @KyberNetwork We reviewed Kyber’s Smart Intent protocol, enabling highly customizable automation and delegated actions across DeFi. Our engagement included a review of the protocol’s smart contracts, focusing on intent execution, delegation logic, and overall robustness. Check out the full report below:
Andy Koo retweeted
hexens @hexensio
Audit Completed: @Zharta Zharta is a permissionless P2P lending protocol for ERC20 tokens with highly configurable loan terms. Hexens completed two independent security audits of the smart contracts, with a strong focus on core lending logic and overall robustness. Happy to be @Zharta's security partner. 📄 Full reports:
Andy Koo retweeted
hexens @hexensio
Audit Completed: @EverclearOrg Everclear is a cross-chain intent protocol enabling permissionless, near-instant swaps across blockchains. Our engagement focused on a full review of the Solana smart contracts, covering core swap logic and security-critical components. Proud to support @EverclearOrg's security as they scale cross-chain liquidity. 📄 Full report:
Andy Koo retweeted
Remedy @xyz_remedy
Great news! We’re excited to launch Phase 2 of Glider contest starting from Jan 1st 2026. Best part? It has no end date, more time, more impact.
Updated payout amounts:
- Legendary $5,000 per query
- Epic $2,000 per query
- Rare $400 per query with a limited pool of $5K
- Uncommon not eligible for rewards, but still triaged
All submissions made before 1 January will be triaged and paid out according to the rules of Phase 1 (6 Nov - 31 Dec 2025).
Andy Koo retweeted
hexens @hexensio
Over the course of the year, we worked across a wide range of security cases spanning diverse systems and architectures. This accumulated experience continues to shape and refine our approach to security. Since our founding, we’ve maintained a record of zero exploited audited projects.
Andy Koo retweeted
c1pher ⟠ @notsosus_00
One of the contracts of @retikfinance is vulnerable to oracle manipulation, where if a token shows a stale price by Chainlink this contract may get manipulated in very rare cases. This was possible to find due to @xyz_remedy's Glider.
Andy Koo retweeted
Hayk Kosyan @HaykKosyan
My article “Introduction to cybersecurity in digital assets and cryptocurrencies” is now published by Oxford University Press (Oxford Law Pro). Web3 cybersec is fundamentally different from traditional IT security & that difference matters legally. #Cybersecurity #CryptoLaw 🧵
Andy Koo retweeted
hexens @hexensio
Hexens completed two audits for @glifio for their upcoming launch of GLIF+
GLIF+ is a novel DeFi mechanism that introduces a Loyalty Rewards program for GLIF users, both Liquidity Providers and Storage Providers. Proud to support @glifio's continued commitment to security. View reports below:
GLIF @glifio

Introducing: GLIF+ 🚀 A loyalty rewards program built on top of the $GLF token, launching first for our @Filecoin users. Read on to learn more 👇👇👇

Andy Koo retweeted
Remedy @xyz_remedy
seems like we already prepping for the holidays. glider contest is the best almost-guarantee payout option until dec 31. take it or pass?
Andy Koo retweeted
Remedy @xyz_remedy
Glider Contest: Activity update
Andy Koo retweeted
samczsun @samczsun
i wrote some thoughts on bug bounties payouts and how we should think about crypto security going forward samczsun.com/higher-bug-bou…
Andy Koo retweeted
hexens @hexensio
Audit Completed: @KyberNetwork Our review focused on the upgraded KyberSwap Aggregation Router, validating routing execution, integration behaviour, and upgrade pathways. KyberSwap remains a core piece of DeFi infra; tightening the security of this router further supports safe, efficient liquidity aggregation across the ecosystem.
Andy Koo retweeted
hexens @hexensio
A practical guide to attacks on threshold schemes implementation bugs from missing checks to oracle attacks. Keep your eyes peeled for Part 2 hexens.io/blog/mpc-attac…
jinu @lj1nu
Took 1st place at the AI Cyber Defense Competition held in Korea. 🏆 The event was officially promoted as the “world’s first AI hacking defense competition.” While the “world's first” claim may be debatable, the dedicated AI category in an attack-and-defense format was genuinely novel. There is clear room for improvement, but the organizers have announced plans to make it an international competition next year — something I’m very much looking forward to. Our team: 2 hackers + 2 AI engineers, fun and special experience.