hexens

1.8K posts

hexens

@hexens

Security for those who cannot afford a mistake.

Joined September 2021

3 Following 8.6K Followers

Pinned Tweet
hexens
hexens@hexens·
10 years of silence on the major SOLC bug front is over. TSTORE Poison: a silent tstore/sstore storage corruption bug. Full explanation: hexens.io/research/solid… — This is the opening article of our new Research page. There is more to come, so stay tuned. — TL;DR: delete ; ~~☠️ — Blast Radius discovery is the cornerstone of these kinds of incident reports; we have used Glider to scan through all the integrated chains. Additionally, we want to thank everyone for their help during the IR: @_SEAL_Org @etherscan @dedaub @danielvf And of course the @solidity_lang team for handling the report professionally.
Solidity@solidity_lang

Full bug explainer: soliditylang.org/blog/2026/02/1… Thanks to @hexens for the discovery and thorough report, @_SEAL_Org and @dedaub for their swift response and help in identifying affected contracts.

hexens
hexens@hexens·
@UFarmDigital Great to see our partners handling this well. Glad to be part of your risk stack and looking forward to continued partnership.
UFarm
UFarm@UFarmDigital·
The recent rsETH / KelpDAO incident is a reminder that DeFi risk is rarely isolated. It can travel across bridges, collateral paths, and protocol dependencies very quickly. Fortunately, UFarm.Digital and the strategies deployed through our infrastructure were not directly affected by this event. For us, this reinforces a few core principles. First, diversification matters. When capital is spread across multiple protocols and strategies, a failure in one venue is far less likely to become a catastrophic portfolio event. Second, risk management starts before capital is deployed. At UFarm.Digital, every protocol and every vault route must pass our internal checks before it can be used. Our architecture allows parameter-level control over what strategies are permitted to do, which adds an important layer of protection on top of strategy design. Third, security today is not just about audits. It is also about monitoring dependencies and detecting hidden risks early. This is why we are actively testing tools from our friends and auditors @hexens - Glider and Token Risks API, which are designed to analyze smart-contract behavior and identify token-level risk patterns across chains. Finally, market stress can create temporary yield dislocations. We saw stablecoin rates on Aave move sharply higher after the incident as liquidity tightened - a reminder that volatility can create opportunities, but only if risk is managed seriously. DeFi will keep evolving through moments like this. The key question is not whether risk exists - it always does. The key question is how thoughtfully you structure around it.
hexens
hexens@hexens·
It's never been harder to build or raise in crypto. And the teams that need audits the most are the ones just starting out. Hexens Builder Support: real security engagement built around where early-stage protocols actually are. Who qualifies: — Under $1M raised — First security audit (no prior professional audit) — Live or near-launch product (not just an idea) Too many good protocols die before their first audit or ship without one and get exploited. That's why we built Builder Support. To catch the ones worth catching, before anyone else does. Apply: hexens.io/?request-a-quo…
hexens
hexens@hexens·
The ETHSecurity badges distribution from @thedaofund is finished now. We are proud to share that members of Hexens team are part of this important initiative: @_nd_koo — Lead Security Researcher @p0wn4j — Lead Cryptography Security Researcher @kemmio — CTO & Co-Founder TheDAO's mission is to make Ethereum safer, and ETHSecurity is how they vet the researchers capable of contributing to that work.
thedao.fund@thedaofund

The final 100 ETHSecurity Badge holders are in! That brings us to 200 security experts, guiding how TheDAO allocates its funds and also coordinating behind the scenes to make Ethereum safer. Big thanks to everyone who engaged with the process and helped shape it, and to @bonfiresai for building the tooling that made it possible.

hexens
hexens@hexens·
Over 75% of recent major exploits had nothing to do with smart contract bugs. Phished developers. Compromised signer machines. Malicious dependencies. Breached infrastructure. Code audits weren't built to catch any of that. APT simulation is. A full adversarial engagement against your team, keys, infrastructure, and operational security. Modeled on the tactics behind the headlines, not a generic pentest checklist. If your protocol holds real value and you've only done code audits, that's your blind spot. Simulate the attack before it’s too late → hexens.io
hexens retweeted
Remedy
Remedy@xyz_remedy·
Glider Contest: Phase 3 starts today. Only Epic and Legendary queries get cash rewards now → Epic (2.95–4.49 rarity): $2,000 | min $10k at risk → Legendary (4.50+): $5,000 | min $50k at risk. Rare and Uncommon queries are still welcome and will be added as public goods for the community. All submissions before April 7, 12:00 pm UTC get assessed under Phase 2 rules. Full rules on the contest page. Join us on Discord for questions and help. discord.com/invite/remedy
hexens
hexens@hexens·
Hacks break protocols. How you respond is what defines you. @ResolvLabs chose full transparency with a detailed post-mortem. Every team in this space will face hard moments given the kind of adversaries who target them. The ones who face them head-on are the ones worth trusting.
Resolv Labs@ResolvLabs

x.com/i/article/2040…

hexens
hexens@hexens·
Don't miss today's live at 12:00 UTC. Joining @roycoprotocol for an Audit Retrospective: scope breakdown, finding highlights and key takeaways. Right here on X.
hexens@hexens

We're going live with @roycoprotocol for an Audit Retrospective. A candid breakdown of how we audited a tranche-based DeFi protocol right before launch. We will cover key findings, mechanism design decisions, and what changed as a result. April 2, 12:00 PM UTC, on Hexens X

hexens
hexens@hexens·
Part 2 of our series on Gröbner bases in cryptanalysis is live. We turn the Poseidon hash function into a polynomial system over a finite field and run a full preimage attack on a reduced-round instance with SageMath. hexens.io/blog/groebner-…
hexens
hexens@hexens·
We're going live with @roycoprotocol for an Audit Retrospective. A candid breakdown of how we audited a tranche-based DeFi protocol right before launch. We will cover key findings, mechanism design decisions, and what changed as a result. April 2, 12:00 PM UTC, on Hexens X
hexens@hexens

Audits Completed: @roycoprotocol Two consecutive security reviews of Royco - a perpetual risk-tranching protocol dividing yield opportunities into senior and junior tranches. Our assessments covered the core protocol contracts, tranche and kernel mechanics, liquidation bonus mechanisms, and RWA integration alignment. We're glad to support @roycoprotocol's ecosystem and look forward to working together again in the future. Full reports below:

hexens
hexens@hexens·
Cross-chain bridges remain critical infrastructure, and proof verification is the core of their security model. New disclosure on our research page: a vulnerability in the Polygon Plasma bridge that allowed transaction proofs to be forged. At the time of discovery, $800M in POL was at risk, exploitable in a single transaction with no prerequisites. The research covers how the proof verification breaks, how the exploit was built, and what it means for bridge security. Full technical deep-dive: hexens.io/research/polyg…
hexens
hexens@hexens·
Audits Completed: @roycoprotocol Two consecutive security reviews of Royco - a perpetual risk-tranching protocol dividing yield opportunities into senior and junior tranches. Our assessments covered the core protocol contracts, tranche and kernel mechanics, liquidation bonus mechanisms, and RWA integration alignment. We're glad to support @roycoprotocol's ecosystem and look forward to working together again in the future. Full reports below:
hexens
hexens@hexens·
Gröbner bases sit at the heart of many algebraic attacks on modern cryptographic primitives. This post covers the theory from first principles, walking through Buchberger's algorithm step by step and solving a polynomial system by hand. hexens.io/blog/groebner-…
hexens
hexens@hexens·
Audit Completed: @Zharta Security review of Zharta's structured credit order book protocol for ERC20 tokens. Our assessment focused on updated lending contract logic, asset handling, and overall fund safety. We're glad to support Zharta's ecosystem and look forward to working together again in the future. Full report below: