01 Real-time detection

We monitor on-chain signals continuously: large outflows from protocol contracts, unexpected approval calls, flash loan originations followed by unusual state changes, and cross-chain bridge message anomalies. Alerts fire within seconds of an anomalous transaction hitting a block.

Tools and sources: Etherscan, Solscan, Dune Analytics, Phalcon

02 Transaction graph reconstruction

We trace the full execution path: from the initial trigger transaction through every internal call, delegatecall, and cross-contract interaction. We reconstruct the attacker's fund flow from origin wallet through bridge hops to final destination, building a directed acyclic graph of every value transfer.

Tools and sources: Tenderly, EigenPhi, Breadcrumbs, custom scripts
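
As an added illustration of the fund-flow step (not the site's own tooling), this sketch walks a constructed trace in the shape of geth's callTracer output and keeps only the native-value transfers that took effect. The addresses, the `TRACE` sample and the function names are assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample shaped like geth callTracer output (debug_traceTransaction).
# Addresses are placeholder labels, not real wallets or contracts.
TRACE = {"type": "CALL", "from": "0xattacker", "to": "0xvault", "value": "0x0", "calls": [
    {"type": "DELEGATECALL", "from": "0xvault", "to": "0ximpl", "value": "0x0", "calls": [
        {"type": "CALL", "from": "0xvault", "to": "0xattacker", "value": "0xde0b6b3a7640000"}]},
    {"type": "CALL", "from": "0xvault", "to": "0xbridge", "value": "0x1bc16d674ec80000",
     "error": "execution reverted",
     "calls": [{"type": "CALL", "from": "0xbridge", "to": "0xrelay", "value": "0x1bc16d674ec80000"}]},
    {"type": "STATICCALL", "from": "0xvault", "to": "0xoracle"},
    {"type": "CALL", "from": "0xvault", "to": "0xattacker", "value": "0x6f05b59d3b20000"},
]}

def value_edges(frame):
    """Yield (sender, recipient, wei) for each value transfer that took effect."""
    if frame.get("error"):
        return  # a reverted frame undoes its own transfer and its whole subtree
    wei = int(frame.get("value", "0x0"), 16)
    # DELEGATECALL and STATICCALL execute code but move no value themselves;
    # SELFDESTRUCT payouts are out of scope for this sketch.
    if frame["type"] in ("CALL", "CREATE", "CREATE2") and wei > 0:
        yield frame["from"], frame["to"], wei
    for child in frame.get("calls", []):
        yield from value_edges(child)

def build_graph(trace):
    """Aggregate transfers into sender -> recipient -> total wei."""
    graph = defaultdict(lambda: defaultdict(int))
    for src, dst, wei in value_edges(trace):
        graph[src][dst] += wei
    return graph

def net_flow(graph):
    """Net wei gained (+) or lost (-) per address across the transaction."""
    net = defaultdict(int)
    for src, outs in graph.items():
        for dst, wei in outs.items():
            net[src] -= wei
            net[dst] += wei
    return dict(net)

def downstream(graph, origin):
    """Addresses reachable from origin by following value transfers."""
    seen, stack = set(), [origin]
    while stack:
        for nxt in graph.get(stack.pop(), {}):
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen
```

The reverted bridge call and everything beneath it are dropped, so an address that only appears inside a failed frame never enters the graph.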

03 Contract forensics

We decompile or verify the source of every contract involved. We identify the exact vulnerable code path — missing access control, incorrect invariant check, reentrancy window, oracle manipulation vector — and trace it back to the specific commit that introduced the flaw. We check all previous audits against the actual deployed bytecode.

Tools and sources: Foundry, Heimdall, Dedaub, 4byte.directory

04 Attribution & threat intelligence

For attribution claims (e.g. Lazarus Group, DPRK), we require corroboration from at least two independent sources: on-chain wallet clustering matching known threat actor infrastructure, plus OSINT from official law enforcement or credible security firms. We clearly mark all attribution as either confirmed or assessed.

Tools and sources: Chainalysis, TRM Labs, OFAC lists

05 Independent publication

We publish without sharing drafts with protocols in advance. We do not accept editorial input, corrections before publication, or "off the record" briefings that could influence our analysis. After publication, we accept factual corrections with on-chain evidence and update articles publicly with a correction notice.

Source standards

Confirmed

Directly verifiable on-chain — a transaction hash, block data, or contract state that any reader can independently verify.

Assessed

Strongly supported by on-chain evidence and corroborating intelligence, but not independently verifiable by a third party without additional data.

Unconfirmed

Reported but not yet verified. We include these only when the claim is credible and relevant, clearly labeled as unconfirmed.
