Services

What you get when you call us.

Six service lines, all free to constituents during active incidents, all designed for the operational realities of public blockchains.

0xCERT/ir

Incident Response

24/7 triage and containment for active blockchain incidents.

When a protocol is being drained, a bridge is compromised, or a key is leaked, every block matters. Our on-call team coordinates containment with affected projects, validators, sequencers, and centralized off-ramps in real time.

  • 60-minute initial triage, 24/7/365
  • Coordination with exchanges, custodians, and bridge operators to freeze flows
  • Forensic analysis of on-chain trace, calldata, and storage state
  • War-room coordination with the affected project and downstream protocols

0xCERT/advisories

Advisories & Vulnerability Disclosure

CVE-style advisories for smart contracts and Web3 infrastructure.

0xCERT issues numbered advisories (0xCERT-YYYY-NNNN) for vulnerabilities affecting smart contracts, wallets, RPC providers, bridges, and node software, coordinating disclosure between researchers and maintainers.

  • Embargoed coordinated disclosure with maintainers
  • Public advisories with severity, affected versions, and remediation
  • Cross-references to CVE, GHSA, and chain-specific identifiers
  • Researcher acknowledgment and safe-harbor coordination

Recent advisories

0xCERT-2026-0142 | 2026-05-22 | Critical

Reentrancy via fallback in cross-chain settlement adapter

An unchecked external call in a widely deployed settlement adapter allows attacker-controlled tokens to re-enter and double-spend settlement messages. Patched in v2.4.7.

0xCERT-2026-0141 | 2026-05-19 | High

Front-end takeover of a top-50 DEX via compromised CDN bucket

Attackers replaced bundle.js to inject a wallet drainer for ~3.5 hours. Affected users were re-routed to a malicious permit2 signer. IOCs published.

0xCERT-2026-0140 | 2026-05-15 | Medium

Phishing campaign abusing legitimate ENS subdomains

Coordinated phishing campaign using purchased ENS subdomains pointing to drainer kits. Domain list distributed to wallet vendors.

0xCERT/ioc

Threat Intelligence & IOC Feeds

Curated indicators of compromise for the Web3 attack surface.

We publish machine-readable feeds of malicious addresses, contracts, phishing domains, drainer signatures, and compromised front-ends so wallets, RPCs, and security tools can block known threats at the edge.

  • Live feeds of drainer contracts and known-bad EOAs
  • Phishing domain blocklists for wallet vendors and DNS providers
  • Tagged on-chain entities (mixer hops, sanctioned addresses, exploit deployers)
  • STIX/TAXII export for SIEM integration

0xCERT/takedown

Phishing & Drainer Takedowns

Coordinated takedown of malicious sites and front-end takeovers.

We work with registrars, hosting providers, CDNs, and wallet vendors to remove wallet-drainer infrastructure, fake airdrop sites, and compromised dApp front-ends as fast as possible.

  • Registrar and hosting abuse coordination
  • Direct lines into wallet vendor blocklists (MetaMask, Rabby, Phantom, etc.)
  • Front-end integrity monitoring for high-value dApps
  • DNS, IPFS, and ENS abuse handling

0xCERT/tracing

Stolen-Fund Tracing & Recovery Support

On-chain forensics to follow stolen assets across chains and mixers.

Our analysts produce evidentiary tracing reports usable by exchanges, law enforcement, and civil recovery teams, covering cross-chain bridges, mixers, and CEX off-ramps.

  • Cross-chain attribution across L1/L2 ecosystems
  • Mixer demixing where chain analytics permit
  • Evidence packages for law enforcement and exchange compliance
  • Liaison with major exchanges' financial crimes desks

0xCERT/training

Awareness & Training

Tabletop exercises and IR training for protocol and infra teams.

0xCERT runs incident response tabletops, key compromise drills, and threat-model workshops for protocol teams, foundations, DAOs, validators, and security service providers.

  • Tabletop scenarios (key compromise, bridge exploit, governance attack)
  • Runbook authoring and review for protocol teams
  • Threat intel briefings for foundations and DAOs
  • Public quarterly threat landscape reports