Data has become the vigor of the digital age, powering industries, economies, and societies worldwide. Whether personal information, financial records, intellectual property, or trade secrets, data is the driving force behind decision-making, innovation, and business operations. However, data security has emerged as a paramount concern with the increasing digitization of our lives and businesses.

Data & Threats

Data, by default, is not secure. It can face many different types of threats!

Phishing, malware, and everything in between

Malicious actors continually evolve their tactics to exploit vulnerabilities in data systems. The threat landscape is dynamic and relentless, from phishing scams to sophisticated malware. It can be something as simple as an email that looks legitimate but tricks you into revealing personal information, like your login details. Or they could use sophisticated software that sneaks into your computer when you download seemingly harmless files.

Data Breaches: A Trust-Tumbling Avalanche   

Imagine your favorite store suddenly losing your credit card information to cybercriminals. These breaches aren't just a blip on the radar; they can lead to severe financial losses and even tarnish a company's reputation, making customers hesitant to trust them again.

Data Integrity

Imagine a digital contract - once you've signed it, you want to be absolutely certain that no one can secretly alter the terms. Any unauthorized changes can create confusion, lead to wrong choices, and erode trust in the digital realm. It's like having an unbroken seal on your important documents, ensuring their reliability. Ensuring the integrity of data is critical.

Centralized Systems 

Think of centralized data storage systems like a fortress with a single gate. When a hacker manages to break through that gate, they can potentially wreak havoc on everything stored inside. It's like having all your valuables in one easily accessible room. A breach in such a system can be catastrophic, leaving everything exposed to theft or damage.

Data & Security

As we've explored, data is under a constant barrage of threats in the section above. From phishing schemes that trick the unsuspecting to data breaches that leave us vulnerable, our personal information often hangs in the balance. However, blockchain technology's a shining beacon of hope amidst this sea of vulnerabilities.

Blockchain offers immutability, transparency, and hence, security with which we can

  1. Shield data against threats because of immutability and transparency
  2. It’s transparent and distributed nature can defend against phishing and malware
  3. Immutability also guards the data Integrity
  4. Dismantle Centralized Vulnerabilities because of Blockchain's decentralized nature.

IT Governance produced data breach reports, and from the stats, the most valuable sector is healthcare. Not only does it hold the largest percentage, but the percentage of breaches increased by 5% in a year!

Cyber attacks and data breaches

Cyber attacks and data breachers by sector, Q2 2023

Healthcare Data: Precious records of one’s life

In the world of medicine, data assumes a role of unparalleled importance, serving as the foundation upon which patient care is built. Healthcare data encompasses a wide range of information crucial for delivering effective and safe medical care. It is the backbone of modern medicine, underpinning the following vital aspects.

Blockchain in healthcare data

Eliminating Insurance Discrimination

Imagine securely locking your medical information in a digital vault that only you control. This means that you hold the key when it comes to your health history. No one else—especially not insurance companies—can peek inside without your permission.

Data Privacy and Fairness
By encrypting and securing healthcare data on a blockchain, individuals can have greater control over their medical information. Insurance companies will no longer be able to discriminate against individuals based on pre-existing conditions or sensitive health history.

Equitable Premiums

With a safeguarded medical history, patients will be treated fairly, as premiums will reflect a more balanced view of health risks. It's like ensuring that everyone pays a reasonable price for their insurance, no matter their health journey.

Fast-Tracking Medical Breakthroughs

Imagine if researchers and pharmaceutical companies had a secure, transparent, and lightning-fast way to access patient data. It's like a high-speed highway connecting them directly to the information they need. They can work more efficiently, like Formula 1 racers zooming to the finish line.

Secure Data Sharing

Blockchain's secure and transparent data-sharing capabilities can revolutionize clinical research by allowing researchers and pharmaceutical companies to access patient data securely. This can expedite drug development and improve patient outcomes.

Incentivized Participation

Through blockchain-based smart contracts, patients can be compensated for sharing their health data for research purposes while maintaining control over who accesses their information.

Supply Chain Management

Imagine a world where you can trace the journey of every medicine, like tracking a package you ordered online. From the moment a pill is made to the second it lands in your hands, its entire history is recorded. It's like an unbreakable chain connecting every step, ensuring no impostor medicine sneaks in.

Drug Traceability

Supply chain management ensures that the medication you take is the real deal. It's like a digital guardian for your health, making sure you're safe from counterfeit drugs and putting your well-being front and center.

Telemedicine and Remote Patient Monitoring

Imagine every detail from your virtual doctor's visits being sealed securely in a digital vault. It's like having a time capsule that holds your health story, ensuring it stays exactly as it was when you left your virtual appointment. You can have a doctor's appointment from the comfort of your home, and all your health data is sent securely through a virtual tunnel. It's like having a high-tech, invisible shield around your personal information.

Secure Data Exchange

With this security in place, healthcare providers can confidently offer you top-notch remote services, knowing your privacy is locked up like a fortress. It's like having a private consultation room at your fingertips, all thanks to blockchain.

Immutable Medical Records

Patient records generated during telehealth consultations can be stored on a blockchain, ensuring their integrity and availability for future reference.

Healthcare Fraud Prevention

Think of your medical bills as a ledger, like a record of all your expenses. Now, imagine that the ledger is super secure, like a locked vault. Every time there's a transaction, it gets recorded in this vault, and no one can tamper with it.

Billing Transparency

Blockchain can improve transparency in healthcare billing by recording every transaction securely. This doesn't just protect you but also insurance companies. When everyone can trust the billing process, it's a win-win for patients and insurers, making healthcare costs more transparent and fair. With blockchain, we can ensure no hidden fees or surprises in your medical bills.

No More Paper Prescriptions

Think about when you travel, and you need proof of your prescriptions to carry your medicines. It's like needing a permission slip for your pills. Now, imagine if you could have this proof securely stored online, like a digital passport for your medications.

Cloud prescriptions

With cloud prescriptions, you wouldn't have to deal with paper hassles or worry about losing them. It's like having a magic wallet that keeps your prescription records safe and easily accessible.


In an era driven by data, security and integrity are paramount. Blockchain technology offers a revolutionary solution to the challenges faced by data in our increasingly digital world. From protecting against cyber threats to ensuring fairness and privacy in healthcare, blockchain's potential is vast.

Patients can regain control of their medical information, insurance discrimination can be eliminated, medical breakthroughs can be accelerated, and data sharing can become seamless and secure. Blockchain ensures transparent supply chains, secures telemedicine, and preserves the integrity of medical records. It also brings transparency to healthcare billing and eliminates the need for paper prescriptions when traveling.

Embracing blockchain is not just adopting a new technology; it's a commitment to safeguarding the core of our digital lives. With BlockApex, get all that is necessary to leverage this technology for the better!


BlockApex (Auditor) was contracted by DeFiGeek Community (DFGC) (Client) for the purpose of conducting a Smart Contract Audit/Code Review of Yamato Protocol. This document presents the
findings of our analysis which started on June 20th, 2022.

Yamato Stablecoin Lending
Audited by
Ethereum | Solidity
Type of review
Manual Code Review | Automated Tools Analysis
Architecture Review | Functional Testing | Property Testing | Computer-Aided Verification
Git repository/ Commit Hash
White paper/ Documentation
Document log
Initial Audit Completed: July 13th, 2022
Final Audit Completed: Sep 5th, 2022


The git-repository shared was checked for common code violations along with vulnerability-specific probing to detect major issues/vulnerabilities. Some specific checks are as follows:

Code reviewCode review Functional review
ReentrancyUnchecked external callBusiness Logics Review
Ownership Takeover ERC20 API violationFunctionality Checks
Timestamp DependenceUnchecked mathAccess Control & Authorization
Gas Limit and LoopsUnsafe type inferenceEscrow manipulation
DoS with (Unexpected)
Implicit visibility levelToken Supply manipulation
DoS with Block Gas LimitDeployment ConsistencyAsset’s integrity
Repository ConsistencyUser Balances manipulation
Style guide violationData ConsistencyKill-Switch Mechanism
Costly LoopOperation Trails & Event

Project Overview

DeFiGeek Community (DFGC) is an open community that develops DeFi DApps and middlewares that contribute to the Web3 era. DFGC develops and envisions multiple DApps.
The first is the Yamato Protocol, a crypto-secured stablecoin generator DApp pegged to JPY. Yamato Protocol is a lending decentralized financial application (DeFi) that can generate Japanese Yen stablecoin "CJPY". It is being developed by DeFiGeek Community Japan, a decentralized autonomous organization.

Yamato Protocol is a crypto-asset overcollateralized stable coin issuance protocol. V1 allows the issuance of CJPY (Japanese Yen equivalent coin) using ETH as collateral. It has the following features:

System Architecture

The idea for the Yamato Protocol is based on Maker and Liquity protocols. Crypto over-collateralized stablecoin render. Token Economics implements the Voting Escrow model with reference to Curve's ecosystem of CRV and veCRV (This will be implemented in a later version).

The initial model will be launched on Ethereum, and by depositing ETH, you can borrow a Japanese Yen stablecoin called CJPY (ERC-20).

As a P2C (Peer to Contract) Lender, it is an epoch-making design that eliminates the need for forced clearing. It is a basic application of web3 as a decentralized application that can borrow Japanese Yen equivalent coins (Convertible JPY (ticker: CJPY)) with ETH as collateral.
In V2, DFGC will implement CUSD and CEUR and further develop as a global stablecoin render.

Methodology & Scope

The codebase was audited using a filtered audit technique. A pair of auditors scanned the codebase in an iterative process spanning over a span of 2.5 weeks.

Starting with the recon phase, a basic understanding was developed and the auditors worked on establishing presumptions for the codebase and the relevant documentation/ whitepaper provided or found publicly.

Furthermore, the audit moved on with the manual code reviews with the motive to find logical flaws in the codebase complemented with code optimizations, software and security design patterns, code styles, best practices and identifying false positives that were detected by automated analysis tools.


Executive Summary

The analysis indicates that the contracts under scope of audit are working properly.
Our team performed a technique called “Filtered Audit”, where the contract was separately audited by two individuals.

After a thorough and rigorous process of manual testing, an automated review was carried out using tools like slither for an extensive static analysis and foundry for property testing the
invariants of the system. All the flags raised
were manually reviewed in collaboration and
re-tested to identify the false positives.


Our Team Found

# of issuesSeverity Of the Risk
1Critical Risk Issues(s)
1High Risk Issues(s)
3Medium Risk Issues(s)
8Low Risk Issues(s)
1Informatory Risk Issues(s)

Key Findings

1.Potential classic frontrunning attackCriticalAcknowledged
2. Ineffectual UpgradeabilityHighFixed
3.Tractable balance accountingMediumFixed
4.Inconsistent non-reentrant patternMediumFixed
5.Incorrect version callingMediumFixed
6.Ineffectual check for ICRPertenkLowFixed
7.Ineffectual check for equalityLowFixed
8.Misplaced logic statementLowFixed
9.Unused variableLowFixed
10.Inexistent Zero Address checkLowFixed
11.Unused and Unnecessary FunctionsLowFixed
12.Inconsistent safemathLowFixed
13.Inconsistent arguments typeLowFixed
14.Inexplicable balances variableLowFixed
15.Additional Informatory IssuesInformatoryAcknowledged

Detailed Overview

Critical-risk issues

Potential classic frontrunning attack

File: contracts/Currency.sol


The race condition issue for the ERC20 approve() function is an exploitable code of the CJPY ERC20 token. The implementation does not follow the SWC-114 requirement properly and thus falls trap to the sandwich attack, commonly known as MEV.

function approve(address spender, uint256 amount)
       returns (bool)
           _msgSender() != spender,
           "sender and spender shouldn't be the same."
       require(amount > 0, "Amount is zero.");

       _approve(_msgSender(), spender, amount);
       return true;


The issue is described in detail in the official SWC registry considered as the industry standard here. Alternatively, you could search on the internet for issue number SWC-114 which stands for Smart Contract Weakness Classification and Test Cases and is an industry-wide, accepted and maintained registry.



High-risk issues

Ineffectual Upgradeability

File: contracts/Dependencies/UUPSBase.sol


In the light of our assumptions with the protocol and the understanding of the UUPS Proxy Pattern, the contract UUPSBase should not implement the initializer modifier on the constructor.
The audit team deems this modifier as an anti-pattern practice, according to the industry standards and best practices for the implementation of the Universal Upgradeable Proxy Standard. 

/// @custom:oz-upgrades-unsafe-allow constructor
   constructor() initializer {}


In case of such scenarios that follow any misassumed and authorized usage, the protocol may end up to an unreachable state and the funds locked up.

Note: For a to-the-point understanding and confirmation of the assumed protocol deployment, the audit team requires a walkthrough of the deployment procedure from the devs PoV which is not explicitly described in specs/tests or supported documentations.

Else, the priority remedy is to remove the initializer modifier along with the UUPSBase constructor.

/// @custom:oz-upgrades-unsafe-allow constructor
   constructor() {}



Medium-risk issues

Tractable balance accounting

File: contracts/PoolV2.sol


Although the receive function expects a calling from the onlyYamato authorization, the funds will still be accepted by the contract through self destruct.
This can bring the contract to an unaccounted state for its ether balances, upon which the sendETH and refreshColl functions, that manages the user’s collateral and releasing mechanism, can lose the accounting of the total balance and always assume a wrong balance.

receive() external payable onlyYamato {
       emit ETHLocked(msg.sender, msg.value, address(this).balance);


It is recommended that a minimal data structure be laid out in the Pool contract to manage the user’s balances and collaterals through proper mappings and always let the user pull their right amount of value from the protocol.



Inconsistent non-reentrant pattern

File: contracts/YamatoDepositorV2.sol


The runDeposit() function implements an incorrect checks-effects-interactions pattern in the commented steps 1 and 2 of the codebase. Refer to the following code snippet for detail and the suggested remedy.

           1. Compose a pledge in memory
       IYamato.Pledge memory pledge = IYamato(yamato()).getPledge(_sender);
       (uint256 totalColl, , , , , ) = IYamato(yamato()).getStates();

       pledge.coll += _ethAmount;
       if (!pledge.isCreated) {
           // new pledge
           pledge.isCreated = true;
           pledge.owner = _sender;

           2. Validate lock
           "Those can't be called in the same block."
           pledge.coll >= IYamatoV3(yamato()).collFloor(),
           "Deposit or Withdraw can't make pledge less than floor size."

The collateral amount is added right after the pledge is created which leads to the violation of the infamous checks-effects-interactions pattern. The checks are placed further below in step 2 which leads to an inconsistent pattern for the codebase.


The remedy states that the checks be implemented before creating any effects in the storage so that lesser gas cost along with an optimized codebase is achieved.

           "Those can't be called in the same block."

       IYamato.Pledge memory pledge = IYamato(yamato()).getPledge(_sender);
       (uint256 totalColl, , , , , ) = IYamato(yamato()).getStates();

       pledge.coll += _ethAmount;

           pledge.coll >= IYamatoV3(yamato()).collFloor(),
           "Deposit or Withdraw can't make pledge less than floor size."

       if (!pledge.isCreated) {
           // new pledge
           pledge.isCreated = true;
           pledge.owner = _sender;



Incorrect version calling

File: contracts/YamatoDepositorV2.sol


The runDeposit() function calls fetchPrice() from the V1 interface of PriceFeed whereas the code for the same in V2 has many modifications and changes. This leads to an inconsistent external calling of functions and ultimately the wrongly assumed outcome.

   function runDeposit(address _sender) public payable override onlyYamato { IPriceFeed(feed()).fetchPrice();


It is recommended to change the function such that it inherits and implements the correct IPriceFeed interface or in case this is the correct versioning then comment down the presumptions for the fetchPrice() function.



Low-risk issues

Ineffectual check for ICRPertenk

File: contracts/Dependencies/PledgeLib.sol


The function FR() implements an unnecessary check in the if block [13000 <= _ICRpertenk] for the value of ICRPertenk variable which is already handled in the require statement at the start of the function.

  function FR(uint256 _ICRpertenk) public view returns (uint256 _FRpertenk) {

     function FR(uint256 _ICRpertenk) public view returns (uint256 _FRpertenk) {
       require(_ICRpertenk >= 13000, "ICR too low to get fee data.");
       // if (11000 <= _ICRpertenk && _ICRpertenk < 13000) {
       //     _FRpertenk = 2000 - ((_ICRpertenk - 11000) * 80) / 100;
       // } else
       if (13000 <= _ICRpertenk && _ICRpertenk < 15000) {
           _FRpertenk = 400 - ((_ICRpertenk - 13000) * 10) / 100;  


We recommend that this check be removed to save gas and optimize the function.



Ineffectual check for equality

File: contracts/YamatoWithdrawerV2.sol


The function runWithdraw() implements a check using >= (greater equals) whereas the statement still fails even if the value of both sides is equal.
For instance, a scenario with the value for pledge.getICR(feed()) and uint256(IYamato(yamato()).MCR()) * 100 equal to 13000 will fail.

           pledge.getICR(feed()) >= uint256(IYamato(yamato()).MCR()) * 100,
           "Withdrawal failure: ICR is not more than MCR."


We recommend that checking equality be removed to save gas and optimize the function for edge cases.



Misplaced logic statement

File: contracts/YamatoRedeemerV4.sol


The function runRedeem() stores the argument’s value at a point which is illogical in light of the require and conditional statements.

  _args.wantToRedeemCurrencyAmount = IPool(pool())


The value is recommended to be stored outside the if block as follows.

       vars.ethPriceInCurrency = IPriceFeed(feed()).fetchPrice();
       _args.wantToRedeemCurrencyAmount = IPool(pool()).redemptionReserve();
       if (_args.isCoreRedemption) {
               _args.wantToRedeemCurrencyAmount > 0,
               "The redemption reserve is empty."
       } else {
               _cjpy.balanceOf(_args.sender) >=
               "Insufficient currency balance to redeem."



Unused variable

File: contracts/YamatoRedeemerV4.sol


The memory variable reminder in the runRedeem() function is redundant as it stores the value which is never used throughout the local scope of the function.

       vars._reminder = _args.wantToRedeemCurrencyAmount;


We recommend that the unnecessary variable be removed from the data structure and in the function for execution gas and storage optimization.



Inexistent Zero Address check

File: contracts/Currency.sol


The setCurrencyOS(address _currencyOSAddr) function does not validate the input for the param _currencyOSAddr whether a user provides a non-zero address. 

   function setCurrencyOS(address _currencyOSAddr) public onlyGovernance {
       currencyOS = _currencyOSAddr;


It is recommended that a require statement with correct input validations be included in the codebase. 



Unused and Unnecessary Functions

File: contracts/Dependencies/ [Ownable.sol && YamatoStore.sol]


The _renounceOwnership() and __YamatoStore_init_unchained() functions are never called and contain empty code blocks respectively, hence, not performing any valuable activity.

function _renounceOwnership() internal {
       emit OwnershipTransferred(_owner, address(0));
       _owner = address(0);
   function __YamatoStore_init_unchained() internal initializer {}


It is recommended to remove the functions from the codebase in favor of execution risks and storage optimizations.



Inconsistent safemath

File: contracts/YamatoWithdrawerV2.sol


The pledge.coll attribute can be updated using the consistent pattern as in the Depositor and Borrower contracts.

           4. Update pledge
       // Note: SafeMath unintentionally checks full withdrawal
       pledge.coll = pledge.coll - _ethAmount;


It is recommended to utilize a consistent coding practice throughout the Yamato Actions smart contracts.

        pledge.coll -= _ethAmount;



Additional informatory issues and optimizations

Increase test cases and code coverage for a satisfactory upgradeable contracts scenario. The current state of test cases do not engage any kind of upgradeability tests which poses a good deal of threat for a wide range of attack vectors.

This list contains additional coding style guides and best practices for a consistent codebase of the Yamato Protocol.

    Pledge storage p = pledges[_owner];
       if (_p.debt == 0 && _p.coll == 0) {
           _p.owner = address(0);
           _p.isCreated = false;
           _p.priority = 0;
       if (p.coll != _p.coll) {
           p.coll = _p.coll;
       if (p.debt != _p.debt) {
           p.debt = _p.debt;
       if (p.owner != _p.owner) {
           p.owner = _p.owner;
       if (p.isCreated != _p.isCreated) {
           p.isCreated = _p.isCreated;
       if (p.priority != _p.priority) {
           p.priority = _p.priority;


The smart contracts provided by the client for audit purposes have been thoroughly analyzed in compliance with the global best practices till date w.r.t cybersecurity vulnerabilities and issues in smart contract code, the details of which are enclosed in this report. 

This report is not an endorsement or indictment of the project or team, and they do not in any way guarantee the security of the particular object in context. This report is not considered, and should not be interpreted as an influence, on the potential economics of the token, its sale or any other aspect of the project. 

Crypto assets/tokens are results of the emerging blockchain technology in the domain of decentralized finance and they carry with them high levels of technical risk and uncertainty. No report provides any warranty or representation to any third-Party in any respect, including regarding the bug-free nature of code, the business model or proprietors of any such business model, and the legal compliance of any such business. No third-party should rely on the reports in any way, including for the purpose of making any decisions to buy or sell any token, product, service or other asset. Specifically, for the avoidance of doubt, this report does not constitute investment advice, is not intended to be relied upon as investment advice, is not an endorsement of this project or team, and it is not a guarantee as to the absolute security of the project.

Smart contracts are deployed and executed on a blockchain. The platform, its programming language, and other software related to the smart contract can have its vulnerabilities that can lead to hacks. The scope of our review is limited to a review of the Solidity code and only the Solidity code we note as being within the scope of our review within this report. The Solidity language itself remains under development and is subject to unknown risks and flaws. The review does not extend to the compiler layer, or any other areas beyond Solidity that could present security risks.

This audit cannot be considered as a sufficient assessment regarding the utility and safety of the code, bug-free status or any other statements of the contract. While we have done our best in conducting the analysis and producing this report, it is important to note that you should not rely on this report only - we recommend proceeding with several independent audits and a public bug bounty program to ensure security of smart contracts. 

TL;DR: BlockApex is revolutionizing the smart contract audit industry by offering an advanced auditing course for seasoned professionals to learn advanced strategies for blockchain security guardians. With a focus on the Ethereum Virtual Machine (EVM) niche areas, the course skips the basics and provides practical and advanced insights. The article series offers a sneak peek into the course, covering the journey of a smart contract from its Solidity version to bytecode on the EVM. It explores security vulnerabilities at each stage and highlights the importance of thorough auditing. BlockApex aims to enhance the industry and prevent financial losses by equipping auditors with comprehensive knowledge. Join us in the article series and course to stay ahead in the evolving world of blockchain security.

Spilling the Beans

27 months back, code4rena released its first report, showcasing the top 10 auditors who participated in the first-of-its-kind open audit contest. Featuring a bug bounty-hunting approach, code4rena boldly entered the competitive audit industry, going head-to-head with established names like Trail of Bits, ConsenSys Diligence, and Certora. C4 turned the tide when just after two years, we now see a whopping increase in smart contract auditors and security researchers contributing to various security niches of the wider blockchain ecosystem.

What do you deduce then?

We need to remind ourselves of the fact that a smart contract audit serves a mightier purpose beyond just finding bugs; it's about ensuring the security of the application, its users, and the blockchain at large.

So, what exactly is your plan?

At BlockApex, we firmly believe that a standardized auditing approach that exceeds the fundamentals and caters to seasoned professionals in the industry is crucial in today's increasingly competitive landscape.

We at BlockApex are leading the charge in this field. With a specialized curriculum designed specifically for experts is currently in development based on extensive research from in-depth technical grounds supplied with statistics and psychological behaviors, we aim to provide a 401 university-level course that skips auditing basics, focuses on niche areas of EVM with an auditor’s lens, and has a prerequisite of solid practical experience for our potential audience.

Hmm, Tell me more!

Following this, BlockApex will share some teasers on the course via an article series, for which the first part will be shared in the upcoming week!

The article series will focus on visualizing what a smart contract looks like as it is compiled and deployed on the blockchain. First, we explicitly go through the shape and form a contract takes from its solidity version to a Yul IR format, finally to the bytecode form, then to be stored as executable opcodes on the EVM. Once the definition is covered, the course steers toward emphasizing the aspects of security that open up potentially weakening windows at each step the contract takes. This will unlock an auditor's mind on what to look for, where to look for, and how to approach such windows only once the atomic stages are well defined.

And what should I expect?

The article's outset offers a mere glimpse of the course, indicating the extent of what will be uncovered later. For instance, defining the smart contract is not going to say that a smart contract is a piece of code that runs on the world computer.

We equally hate that all that basics resurfacing time and again! Come on, peeps! Let's accept it and spread the word that starting off with defining what’s a blockchain is really old school

Instead, here you will see how the contract goes through the compiler's semantic tokenization and how the compiler embraces the tokens to parse the instructions before transpiling it to Yul and Assembly for an intermediate Representation. We further expand on the optimizations the transpiled code goes through as it is converted to the EVM executable bytecode.

The article series dives deeper into exploring the attack surfaces during the stages of smart contract deployment along with the components of blockchain that are prone to impact those stages. The fact that components of the wider blockchain ecosystem are permissionless to interact with allows an adversarial actor with an advanced knowledge set to bring harm to it in any sense that was not unveiled before or that might have been missed, neglected, or stepped over during the security iterations.

Closing Off

We believe that the audit space is expanding like never before, and we are contributing in the way we found it fit. It is high time that we learn more from our previous experiences, not make the same old mistakes and not just keep making people lose their money, trust, hopes, and lives over mere insecure code. See you in the article series and course.

Demystify Smart contracts and Auditing in the first part of our series.


With time, technology grows in almost every field. The inception of the internet has proved to be a significant technological revolution that influenced the world extensively. Talking about today, we have witnessed various phases of the web until now. 

The original web 1.0 was comprised of static pages whereas web 2.0 is more of an interactive version of the web where user-generated content is at its peak. Now we have web 3.0, which uses blockchain technology to create a more decentralized web.  Instead of independent sites hosted on a particular server, Web 3.0 use of the blockchain provides greater resiliency, protection against censorship, and other benefits.

Let’s dive into the concepts of web 2.0 and web 3.0, along with major security differences. 

Web 2.0: 

After the dot-com bubble burst, the constant need for technological advancements expedited the modifications on the internet. Those modifications brought large-scale changes to its usability, functionality, and also its interface.

In 2004, a conference was held, which is now famously known as the Web 2.0 Summit, Tim O’Reilly and John Battelle held the summit. They explained that web 2.0 is not just a mere concept but has a high gravitational core. They visualized web 2.0 as a set of principles and practices that tie together as a solar system. Those solar system components are visible at some distance from its core, making every element essential. 

Web 2.0 emerged as a reading, writing, and creating space where people could interact and collaborate. The web2 brought tremendous changes in the history of the internet. Firstly, the read-only version of the website was molded into a more interactive, updated version. Here, the users could interrelate with the content and even share their points of view in the form of feedback, comments, and suggestions which brought social media platforms to the limelight (e.g., Facebook, founded in 2004). These social media platforms let their users create content (such as blogs, press-release, articles, videos, etc.) which in essence, instill a sense of freedom of expression. Web 2.0 gained high popularity through user-generated content. 

From a Technical POV, web 2.0 expanded tremendously. The basic Html language was improvised by introducing Java, JavaScript, and other languages. That brought enhancement in creativity, improved functionality along with increased collaboration.

Although this new and improved version of the world wide web has paved the way for a plethora of emerging technologies and realized the previously conceptualized freedom, it has also imposed numerous restrictions. Most importantly centralization or censorship which means that there exists a central entity that has concentrated all the power and control within itself. Such kind of centralization creates a facade of “Perceived Freedom”. The platforms have all the control to manipulate things we see online!

Web 3.0: 

To cater to the issue of centralization web 3.0 emanates into the picture. Web 3.0 proposed the concept of decentralization. Decentralization simply means that the power and decision-making processes are passed down from the management to the users. There is no central entity that would control the internet.

The word Web 3.0 was coined by Gavin Wood - Co-Founder of Ethereum and Founder of Polkadot. 

What makes web 3.0 the future of the internet? Well, Web 3.0 is a semantic web where it promises to establish information in a better-existing way than any current search engine can ever attain. Web 3.0 promotes four concepts which mainly are authenticity, i.e., every piece of information existing on the internet is a fact or derived from a fact. Integrity, willingness to abide by moral principles, and ethical values. Transparency, the data present on the internet is accessible for every user to witness. Lastly, Confidentiality which is achieved by Blockchain technology, where every user’s identity is anonymous, making it secure. 

Web 3.0 also entails the use of Distributed Ledger Technology (Blockchain) and Smart Contracts, which protect the information of each of its users creating decentralization. 

Now let’s discuss some of the major differences between web 2.0 and web 3.0 

How Web 2.0 is Different From Web 3.0?

Web 3.0 faces many of the same security risks as Web 2.0.  However, the differences between the two technologies create new security risks and amplify others. 

Identity Governance: 

In the world of web 2.0, giving a real identity is the major focus. Many companies want to sell users’ data so that they could protect themselves from scams. Social media platforms usually ask for authentication so that they could have a list of known and identifiable users. This is also a security benefit because it gives a trail of information and evidence if any scam happens. 

Whereas Web 3.0, which is a blockchain-based system, works on pseudonymous where users could be identified with their public keys or blockchain address. Key management in web 3.0 is a major concern as weak authentication causes easy loopholes to penetrate, whereas difficult to identify the culprit. 

Patching vs Prevention: 

In the traditional IT world, a large amount of security work is responsive. A patch is deployed to call it a safe day when a loophole is discovered. If data on the server is corrupted with ransomware, it could be easily rolled back to the original state. 

Web 3.0 works differently, data is stored on an immutable ledger i.e once the data is deployed no changes can be made. It is highly cardinal to be proactive, and prevention focuses so that all the loopholes are identified before the deployment. 

Payment Integration: 

In general, stealing money on Web 2.0  involves stealing valuable data such as credit card information or data that can be used for fraud. This way culprit could make out monetizing incentives from it. Also, web 2.0 attacks are mostly ransomware through which the bad actors make millions. 

In web 3.0, money is built onto the web itself in the form of cryptocurrencies. This makes it easier for hackers/cybercriminals to monetize the attacks. That's why it is crucial to consider security to be top-notch. 

Centralized System: 

As discussed above web 2.0 is extremely centralized. This has significant privacy implications but also means that these organizations own their security and can bring significant resources to bear on securing their infrastructure.

Decentralization has many advantages, but it also has security implications.  With decentralization, decisions are made by an open group and no one “owns” the security of the system.  Governance by consensus is slower than centralized voting because consensus must be reached by all participants in an open forum.  It can be more difficult to force nodes to install updates if they cannot block a proposed change simply because they don't care about it.

In a Nutshell: 

Web 3.0 is still in its infancy, and significant development will be needed before it supplants web 2.0. As the technology evolves and matures, some security risks may be conclusively resolved and others may be created. Web 3.0 security is vital to the success and widespread adoption of Web 3.0 technology. 


Blockchain technology is fundamentally used for cryptography, but nowadays, companies are using it to handle distributed databases and even healthcare. So why are they opting for it? Simple! Blockchain assures security through transactions that are made through consensus and decentralization.

Yet blockchain is prone to cyberattacks like London Hard Fork, where the hacker was successful to steal $50 million worth of funds. So here arises another question, how do we keep the blockchain application safe? Let me walk you through some security frameworks for blockchain applications. But first, let's see some cyberattacks.

Blockchain World & Cyberattacks: 

Blockchain is secure but that doesn’t mean it can not be hacked! History has given us a lot of incidents to witness due to cyberattacks. There were trillions of losses in the blockchain world. 

According to the statistics, the 6 most costly blockchains were hacked in 2021. Another survey showed that manipulating decentralized finance (DeFi) protocols was the fastest-growing method to swipe crypto in 2021. More than $1.6 billion has been exploited from DeFi in 2022 thus far!

So what kinds of blockchain security frameworks are there? Keep reading to find out! 

Blockchain Security Framework: 

When creating a blockchain application it is really essential that all the security measures are taken into account. A complete security-controlled framework for applications contains 

Data Privacy: 

Data privacy is the protection of personal information from unauthorised access and use. It ensures the collection, storage, processing, and use of personal data in an appropriate manner.

Smart Contract Security: 

Rigorous analysis of the smart contract allows the security specialists to go through every line of code and identify any loophole present. Smart contract auditors at BlockApex do automated reviews along with extensive execution of the test cases in search of any vulnerabilities to secure the application. 

Identity & Access Management: 

Identity and access management is very essential as it allows people to access the resources, the application should be smart enough to identify appropriate people to access it. 

Advanced Penetration Testing: 

Advanced pen testing involves a deep security assessment and the latest offensive security approach to discover crucial vulnerabilities in applications before they are exploited. It includes pen testing everything from web apps to wallets and Layer1 blockchains and other assets like bridges, cryptocurrency wallets, web apps, mobile apps, digital custody solutions, cloud security, and APIs. 

Key Management: 

Public Key Infrastructure (KPI) is utilized in the blockchain to verify and confirm the transactions made on the blockchain. Securing the key management function could be an obstacle, as an attacker if found the keys by any means like brute force, side-channel attack, physical access to the system, ineffective encryption, replay attack, etc. They can enter and make destructive choices by swiping millions from it. So it's really crucial to protect the keys. 

Complete Security: 

This includes completing and constantly evaluating the company’s most vital assets, pushing maximum automation, and delivering top cybersecurity consulting and implementation every step of the way. This includes security architecture assessment, code audits, security best practices, custom red team engagements, web application pen-testing, cloud provider pen-testing, API pen-testing, technical security compliance, continuous smart contract auditing, blockchain protocol security assessment, and DevOps.

In a Nutshell: 

Taking all these security measures into account it is highly recommended that security should be top-notched so that the Dapp remains intact and funds safe. 

Did you know that your computer must have been spied on with malicious software at some point or another? 

Well! To begin with the story, around the world there are 90% of people whose computers and other technological devices get infected with spying viruses. But the story doesn’t end here! The sad truth about it is that more than half of the time people are not even aware of such things and along the road, they lost valuable assets. 

Now you see how this can be a great issue! So what you can do about it? What anti-viruses can you use to protect your technological devices?

Although various options are available to protect one’s computer, today, we will specifically focus on VPN. Let’s explore! 

What is VPN & How Does It Work? 

Starting from the basics, in layman’s terms a virtual private network or VPN protects your online footprints by encrypting them such as your browsing history, the files/documents you download, login information, and much more. This usually happens when a user is consuming an open WiFi. 

So how the VPN protects us? Well, the VPN uses a private network that helps users mask their surfing history on the internet, hackers even advertisers can’t steal the data and use it for their means. 

Sounds like VPN could be a potential candidate for prevention against spying. Let’s deep dive more and before coming to any conclusion explore its benefits and drawbacks. 

Benefits & Drawbacks of VPN:

Some benefits which a VPN provides are: 

  1. Reliable encryption i.e no one can trespass and see your activity 
  2. No activity log i.e no hacker can access the activities you are doing 
  3. Usually, they are also available on all operating systems. 
  4. Some of the VPN-providing companies also offer 24/7 customer service 
  5. They also offer high-quality speed
  6. A considerable number of servers covering several dozens of countries. 

But, an interesting twist comes when companies offer all these services with a price i.e Paid VPN. Since free cheese is not even granted to a mouse with a trap, a free VPN doesn’t give all these royalties to its customer. 

From the benefits of the VPN list, we can conclude that if it has reliable encryption like AES-256 and does not run an activity log, that VPN can save you from spyware.

You must be having a question! Is it really true? 

Yes and No! 

Yes, it would protect you from being traced out and being spied on, on the internet. But your service provider will only have access to your IP address. Generally, the service provider does not breach the privacy of the users and invade it or share it with anyone. 

Now focus on the word generally because in some cases the service providers are obliged to provide this kind of information to the government. So if your country's laws include such aspects a VPN service provider is bound to steal your information. 

Apart from that, you must also be aware that a VPN protects you from being spied but if you accidentally download any malware to your technological device VPN won’t protect you there. In order to be fully protected you need to have antivirus software on your computer. 

So, now we have answered your concern, a VPN protects you from being spied but you should also be aware of the limitations that follow along. 

How Can You Protect Yourself From Spying?

Remember, VPN is a smart option in the market that provides you protection against your surfing activities but it can not prevent any kind of malware, or spyware downloaded on the computer.

Nevertheless, let’s discuss some ways in which you make the service more effective.

  1. Do not connect to over-loaded servers, firstly they won’t provide you high-quality speed, as well as the server, could be so overloaded that it may leak your sensitive information.
  2. Change your passwords regularly and keep every password of applications you use different. Although this is not directly related to VPN but surely would help you protect your identity.
  3. Use VPNs that allow split tunneling, that way you can encrypt traffic coming from a specific app through the VPN, and others would be using regular internet. 

Over To You Now!

Now, we have seen that a normal VPN could save you loads from spying. You just need to be careful with human errors and avoid any kind of malware downloads. 


Let’s go - 0xheading:

Starting all the way from a blockchain engineer’s to an auditor’s internship, half a year later grabbing a junior smart contract auditor position, here at BlockApex, I decided to set out with my current auditing skills in an open market to test the waters. 

One thing happened. It came as a blow.

“Ethereum is a developer’s blockchain, built by developers, for developers.” 

Mastering Ethereum: Building Smart Contracts and DApps 

- Andreas Antonopoulos

My story starts here - Introduction:

As soon as I got into blockchain from the conventional software development universe of the web2, I found myself into a crosshair of what they at term as the Dark Forest. Indeed, exploring the details of EVM and Solidity as a programming language introduced me to sensitive traits and precise characteristics of the blockchain which I would like to call a pure child of Computer Science. 

All the while, it was a constant effort to try and connect the dots with DeFi after learning through different concepts. It still amazes me what many things one can learn and achieve within this fast and growing world of web3 and that too in such a short period of six months. 

How I find auditing - Essence of Audit:

Smart Contract Auditing and Security Review is an uncharted territory where a great landscape needs discovery. But switching into audit even from an expert developer background does not guarantee a potentially successful security researcher’s career. Auditing requires a solid approach to security mindset and for an individual’s Sherlock skills to outperform each time. I confess that even time after time I went through the cycle of audits for various DeFi projects, I would find myself restricted in terms of a comprehensive story building and a proper reconnaissance phasing by looking at the smart contract codes or the documentations.

Whereas, I’d often find my mentor make up stories for some protocol we were auditing in pairs and come to some exploitable hack not just by following the coding/ logical errors but supplying it with a dense knowledge of DeFi and hence, pertaining to the scenario at hand. 

How do I get better at this - Learning Path:

I bear witness to the magic of composable knowledge that auditing demands. It is a constant association and context-switching where one combines the knowledge of economics, finance, blockchain technology and the rational thinking of actors.

Intrinsically, smart contracts being a software program inspire one to get their hands dirty with the building blocks of this ecosystem through a technical roadmap. The fundamentals are composed of getting a deeper understanding of the EVM (Ethereum Virtual Machine) and the working of a public blockchain at lower scientific levels.

Securing this piece of software from most kinds of privacy exploits and monetary attacks starts as a fun ride where you grab the Solidity concepts through courses, blogs, youtube channels and the best one; Documentations. Developing the sophistication of security recommendations and the common vulnerabilities is another great journey where the story building develops through making small exploits here and there, reading upon some famous relevant tweets/ hack analyses, and popular researcher’s works to catch up.

I find auditing as a smooth switch from a development background. One can start right away by solving and attempting challenges/CTFs or the best option in my opinion is Secureum. Secureum encourages such an approach and provides a complete glossary of security based learning and guide to different paths of smart contract audit. Another golden egg is an audit report, loads of insight, information and knowledge captured in just 10-20 pages of publication where a diverse audience is expected.

Interviews can go down - Hope Not Out:

I was set up to meet a really cool person for the auditor’s position interview at one of the top-tier firms in smart contract security who was a web3 security researcher and had a cyber security background. After talking for around more than 1 and a half hours, it was really exciting for me to get to experience the different concepts through a proper auditor’s lens and how things were supposed to be seen in perspective. 

The first question which any auditing interview concerns is mostly regarding what is your preferred audit process? Answers could be subjective, but I like to follow the industry standard as in this ‘Solcurity Standard’ article by Rari-Capital along with the Consensys’ best practices set of guidelines which pave a path for a thorough audit process. 

Summary of my personal process which is kind of mixed up with the one that my senior auditor exercises (and I learned it from him) would be as follows;

Moving up with some generalized questions such as;

A further session was switched into more code focused and best practices formatting where we wandered off towards some factual questions e.g.;

When you attempt a Capture-The-Flag CTF challenge, the goal is to extract sheer ingenuity of an exploit. This way you get an exposure to the unimaginable attack vectors observed in the solution of the challenge. 

Consider the example of a challenge named King Of Ether. Although winning this challenge by becoming the king is a feat, what if you are asked to stay as the king of that contract, persistently? Answer which I learnt that day was something like this; create a fallback in your version of contract that reverts the tx required to become the next king whenever it receives funds to be redeemed for your contract. These ingenious solutions open up a world of possibilities and perspectives for an auditor to let their mind go berserk.

Which one of the following is your favorite CTF to play around?

(forever incomplete) List of Solidity CTFs:

What is my most favorite DeFi hack, technically, ever happened? 

Honestly speaking, I don't know the answer to this yet.
When I read about a hack in a researcher’s tweet, some news reporting handle or any article, I deep dive into the technical perspectives of the motivation behind the devs code writing. My question raised is how as an auditor (had this attack not happened then) would I get to it, prove/verify the severity and report the issue/bug? This cycle keeps on repeating and takes me from one audit report to another, introducing the minor details of how auditors actually come to the understanding of hacks and how in the first place report them as vulnerability within the code. 

This, to me, is like a superpower and leaves me in awe of the beauty of story building, slowly and gradually making up my mind to think and construct in the same patterns and ways to exploit the code during the audit.

On my way - In the end:

If you (a web2 developer) think you have a good imagination and can quickly understand what is going on in the mind of the person across from you, either be a dev or a fellow auditor, then search for Secureum now and start learning auditing. You will be amazed at how easily the resources are available and the number of opportunities present to you on the way. After that, it's just code4rena and you (You’re welcome ;-)).


Lets understand the smart contract storage model in Ethereum and EVM-based chains and how you can access the public and private variables of any smart contract deployed on the blockchain. We can do this by using cast storage. 


// SPDX-License-Identifier: MIT
pragma solidity ^0.8.7;
contract Storage {
address public contractAddress = address(this);
bytes private BlockApex = hex"426c6f636b41706578";
uint256 public Slot = 0;
struct Passwords {
 string name;
uint256 secretKey;
string password;
Passwords[] private passwords;
mapping (uint256 => Passwords) private destiny;

Contract Address (Rinkeby) : 0xfE43d853eBa639c40d071ebd046c9F61fF215ebF

Contract Link :

Let's start: 

| - - - - - - - - - - - -Slot 0 - - - - - - - - - - - -|
address public contractAddress = address(this); 
| - - - - - - - - - - - -Slot 1 - - - - - - - - - - - -|
bytes private BlockApex = hex"426c6f636b41706578";
| - - - - - - - - - - - -Slot 2 - - - - - - - - - - - -|
uint256 public Slot = 0;
| - - - - - - - -No Slot Consumed- - - - - - - -|
struct Passwords {
string name;
uint256 secretKey;
string password;
| - - - - - - - - - - - -Slot 3 - - - - - - - - - - - -| // size will be here
Passwords[] private passwords;
| - - - - - - - - - - - -Slot 4 - - - - - - - - - - - -|
mapping (uint256 => Passwords) private destiny;

Static Sized Variables can be simply accessed with command

Cast storage $ContractAddress slotNumber
cast storage 0xfE43d853eBa639c40d071ebd046c9F61fF215ebF 0

Similarly for the storage slot 1 

cast storage 0xfE43d853eBa639c40d071ebd046c9F61fF215ebF 1

This command will lead you to the data stored in memory slots. . 

The data you receive might be in hex, to make it meaningful try using (cast —to-ascii (hex))


cast storage 0xfE43d853eBa639c40d071ebd046c9F61fF215ebF 1

Result: 0x426c6f636b417065780000000000000000000000000000000000000000000012

cast –to-ascii 0x426c6f636b417065780000000000000000000000000000000000000000000012

Result: BlockApex

Accessing mapping data in solidity is a little bit complex. First you  identify the slot where your mapping currently stands. In our case, the mapping is on the 4th slot. Another important thing to note is since mappings  are hashTables they are only accessed by keys so you need to pass [key + StorageSlot] to the keccak hashing function in order to retrieve the data. 


cast keccak (key + storageSlot) 
cast keccak “0x00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000004

This command will give you the respective hash which is actually the slot of the first element  stored in mapping. To access the 2nd element increment in the key like:


cast keccak (key++  +  storageSlot) 
cast keccak “0x00000000000000000000000000000000000000000000000000000000000000010000000000000000000000000000000000000000000000000000000000000004

It will give you the hash slot of the 2nd item of the mapping, if you iterate through you can access all the items.

Now send this hash (result of keccak) to the cast command as follows 


cast storage $contractAddress hash
cast storage 0xfE43d853eBa639c40d071ebd046c9F61fF215ebF 0xabd6e7cb50984ff9c2f3e18a2660c3353dadf4e3291deeb275dae2cd1e44fe05

This command leads you to the 1st property of the struct that is saved in the mapping and further on as you increment in the key. 

Now the problem is if your mapping contains a struct, you only get the 1st element of the struct which is the string property [name] in our case.


struct Passwords {
string name;
uint256 secretKey;
string password;

To iterate further in the same struct, you need to increment one in your keccak hash, for instance if you get a hash like 

0xabd6e7cb50984ff9c2f3e18a2660c3353dadf4e3291deeb275dae2cd1e44fe05+1 (add 1) 

the next element is held in


Now we send this updated hash to the cast command like 


cast storage $contractAddress hash
cast storage 0xfE43d853eBa639c40d071ebd046c9F61fF215ebF 0xabd6e7cb50984ff9c2f3e18a2660c3353dadf4e3291deeb275dae2cd1e44fe06

This leads you to the second element of the struct which is the secretKey.

Further add 1 again in the hash.


the next element is held in 0xabd6e7cb50984ff9c2f3e18a2660c3353dadf4e3291deeb275dae2cd1e44fe07

Again hit the contract with the updated hash and you will get the password which is the last element of the struct stored in mapping!

Congrats you have unveiled the mystery of Solidity internals!
PS: cast can come handy only if you want.

On Tuesday, 9th August, Curve Finance suffered from a DNS attack causing theft of a whooping $570,000+ USD. 

Curve Finance is a stablecoin decentralized exchange (DEX) that runs on the Ethereum blockchain. 

The attacker targeted the front end where the suspected hacker appears to have changed the domain name system (DNS) entry for the protocol, forwarding users to a fake clone website and approving a malicious contract. The program’s contract remained uncompromised, however.

The team behind the protocol noticed the issue and tweeted to warn the users about the exploit. 

A few hours after the exploit Curve again tweeted confirming both that they have found the issue and also reverted it. They also asked the user to immediately revert any contract they have approved on Curve prior. 

Curve explained that it was most likely that the DNS server provider Iwantmyname was hijacked. On the other hand, the exploit was going on, Twitter user LefterisJP speculated that the alleged attacker had likely utilized DNS spoofing to execute the exploit on the service. 

Other users quickly noticed and tweeted to warn the users that the alleged thief appears to have stolen more than $573,000 USD. 


Designed & Developed by: 
All rights reserved. Copyright 2023