May 24, 2023
Introducing OwLLM: The First Open-Source Large Language Model for Web3
Today, we’re excited to open-source OwLLM v1.0 (colloquially called “Owl LM”), the first open-source, web3-native Large Language Model. OwLLM has been trained on millions of transactions, has more than 100 million parameters, and is designed to be chain-agnostic.
January 17, 2023
The Secret sec3 Master Plan
The Secret sec3 Master Plan is a four-step plan to make sec3 a decentralized end-to-end security solution provider for DApps in the growing Web3 economy. The plan includes building strong point solutions such as Launch Audits and WatchTower, expanding and building a full suite of solutions to cover the full DApp lifecycle, adding token economics to benefit from decentralization and community creativity, and leveraging sec3's reliable solutions to offer risk-based insurance solutions.
September 19, 2023
Sec3 ranks first in the 2023 MetaTrust CTF Sui track
Last week, our very own senior security researcher Q7 clinched the top spot in the CTF-Sui track of the 2023 MetaTrust Web3 Security CTF. Competing against nearly 600 teams, Q7 aced challenges ranging from Solidity puzzles to Sui Move challenges, securing two first bloods and two second bloods. In this blog post, we dive deep into the intricacies of these challenges, offering detailed solutions and insights.
April 6, 2023
All About Anchor Account Size
Smart contracts using Anchor require developers to allocate space for new accounts and specify the account size. Anchor provides guidelines for calculating the size based on the account structure, but many developers use std::mem::size_of instead, as they don’t have to manually update the size when making changes to the account structure. Are they equivalent? In this blog post, we conduct a systematic comparison of the results produced by std::mem::size_of and the Anchor space reference.
January 17, 2023
How do cross-chain bridges work? A case on Wormhole (Part 4)
Following Parts 1, 2 and 3, this article focuses on explaining how Wormhole prevents double-delivery of the same message.
January 14, 2023
How Do Cross-Chain Bridges Work? A Case on Wormhole (Part 3)
Following Part 1 and Part 2, this article focuses on explaining how Wormhole ensures the bridged tokens are correct.
January 11, 2023
How Do Cross-Chain Bridges Work? A Case on Wormhole (Part 2)
Following Part 1, in this article we focus on guardian signature verification in Wormhole on both Solana and Ethereum.
January 9, 2023
How Do Cross-Chain Bridges Work? A Case on Wormhole (Part 1)
In this article series, we will elaborate on the internals of cross-chain bridges, how they are implemented and what their caveats are from the user’s perspective. We will use a state-of-the-art bridge, Wormhole, as an example.
December 23, 2022
sec3 Ranked First in the Aptos CTF MOVEment 2022
We're very excited to announce that our team scored first place in the Aptos Capture The Flag competition MOVEment with Aptos Dec 2022. We got two first bloods and two second bloods in the four challenges other than the sanity check, ranking first in the end.
October 13, 2022
How to Analyze an Attack? A Case Study on the Mango Markets Exploit
In this article series, we will conduct in-depth post-hack investigations on a few representative attacks on on-chain protocols and share the techniques and tools used by the sec3 core team to understand the attacks.
September 29, 2022
Proactive After-Deployment Monitoring: Lessons Learned From an Auditor's Perspective
Besides rigorous internal code reviews and external auditing, our customers frequently ask us: what should we do to keep our protocol safe once it's deployed on the chain?
September 23, 2022
Security of Solana Smart Contracts: Two Caveats of the SPL Associated Token Account
The SPL Associated Token Program is used frequently in Solana smart contracts. We reviewed its technical details in a prior article. In this article, we focus on two important caveats of using associated token accounts, as learned by the Sec3 core team.
September 6, 2022
Announcing sec3 WatchTower: Smart Threat Monitor for Smart Contracts
sec3 announces the first release of WatchTower: an in-situ threat monitoring service for Solana smart contracts to detect, prevent and stop security attacks in real time.
September 6, 2022
A Review of Recent Hacks on Solana: What Is in Common and How to Prevent Them?
The Solana ecosystem has seen very rapid growth while witnessing multiple hacks (involving Wormhole, CashioApp, CremaFinance, Nirvana, and Slope Wallet), which collectively caused close to $400 million in losses. In this article, we review the essence of these hacks and aim to find effective solutions to prevent such attacks in the future.
July 6, 2022
Security of Solana Smart Contracts: Why You Should Always Validate PDA Bump Seeds
The same seeds with multiple valid bumps can have crucial security implications: PDAs can be faked if their bump seeds are not validated.
June 13, 2022
Bidirectional Rounding: A Common Security Vulnerability in DeFi Smart Contracts
If a smart contract has a bidirectional function or functions (e.g., swap between a pair of tokens or mint/redeem a token) and the function uses the same rounding operation over arithmetic results in both directions, then the function is likely vulnerable to two-way trading attacks.
June 5, 2022
On Smart Contracts: Why Solana Is More Secure?
While Solana’s core runtime is still under rapid development, its design of smart contracts has been fairly stable. In this article, I’d like to elaborate on why Solana is more secure from the perspective of smart contracts.
May 29, 2022
Solana Programs Part 4: Metaplex Candy Machine
The Metaplex Candy Machine is among the most popular smart contracts used for NFT minting on Solana. Recently, it has even implemented sophisticated logic for detecting and taxing bots. How does the candy machine program work internally? What are its intended use cases and dependencies? How does it detect bots? This article elaborates on these technical details.
May 24, 2022
Announcing sec3 X-ray Security Scanner: General Public Release
sec3 X-ray scanner software is a security scanner specifically designed for Solana smart contracts. sec3 X-ray can detect more than 50 types of security vulnerabilities and can be integrated into the GitHub CI development process. Integrating sec3 X-ray into your protocol's development process can shift security practices left, reduce costly security issues, and speed up time-to-market. sec3 X-ray has been adopted at leading Solana protocols; try it out today!
May 23, 2022
Solana programs Part 3: understanding Metaplex Token Metadata
In this article, we elaborate on the implementation details of token-metadata.