Audit Company
Hacken
Hacken is a cybersecurity company with a focus on Web3, founded in 2017. The company was created in Kyiv and quickly gained attention by winning the HackIt cup. That same year the HKN token was listed. In 5 years the company became an internationally recognized tier-1 auditor and security tools developer.
Among its values, Hacken lists ethics, honesty, and mutual respect for the Web3 community.
Among its values, Hacken lists ethics, honesty, and mutual respect for the Web3 community.
DSA presents a unique series of reports on the smart contract and blockchain app auditor market. This report is published for the first time and is not affiliated with any specific vendor. The DSA expert team has performed an in-depth analysis of the blockchain security providers in the market. For that, a methodology was developed, and specific criteria were selected. The data provided in the report are actual for November 2022.
Contents
The main criteria for auditor review
1
Trustworthiness
At this point, we analyze the team, key players, as well as the experience of the company in the field.
2
Media Presence
In this paragraph, we analyze the social networks of the project, the engagement rate, and media publications.
3
Speed and service
In this paragraph, we analyze the speed of the audit as well as the speed of the team's response to the request.
4
Expertise
At this point, we analyze the company's experience with different networks, technological advancements, as well as additional services.
5
Price
In this paragraph, we analyze prices and additional services (We send the same sample contract to every auditor), sales, promo offers, bonuses, discounts, and legal transparency.
6
Quality
In this paragraph, we analyze audit quality, report analysis, and user experience.
Categories and sub-categories
6 categories are present in the review and each may be divided into sub-categories. Each category is evaluated to receive from 1 to 10 points. The same rule applies to each sub-category and the arithmetic mean value of the sub-categories will become a result of the main category. The main result will be calculated in the same manner.
Trustworthiness
- Team members' separate experiences in the field
- Current team’s experience in the field
- Company experience (years of service, date of the first audit)
Media Presence
- Social media (engagement rate, further – ER)
- Media publications
Speed
- Audit speed
- First response speed (from a real person)
- Follow-up response speed
Expertise
- What blockchains does the company audit (rare chains and language get an additional point)
- Technological advancements (developments, tools, automated tools)
- Services (KYC, Incident research, marketing)
Price
- Prices and additional services (We send the same sample contract to every auditor)
- Sales, promo offers, bonuses, discounts
- Legal transparency
Quality
- Audit quality, report analysis
- User experience
Detailed analysis
6 categories are present in the review and each may be divided into sub-categories. Each category is evaluated to receive from 1 to 10 points. Same rule applies to each sub-category and the arithmetic mean value of the sub-categories will become a result of the main category. The main result will be calculated in the same manner.
Trustworthiness
Average score 9/10
1
Team members' separate experiences in the field
The leadership team consists of 5 people:
Dyma Budorin Co-Founder and CEO
Yevheniia Broshevan Co-Founder and CBDO
Oleg Bevz Marketing Director
Andrii M. CTO
Every member of the leadership team possesses considerable experience of over 7 years in their respective fields.
Dyma Budorin Co-Founder and CEO
Yevheniia Broshevan Co-Founder and CBDO
Oleg Bevz Marketing Director
Andrii M. CTO
Every member of the leadership team possesses considerable experience of over 7 years in their respective fields.
2
Current team’s experience in the field
Aside from the key team members (CEO, CTO, COO, etc), the company’s LinkedIn page contains an employee list with 106 names. The staff includes technical specialists and auditors as well as HR, recruitment, and marketing specialists.
3
Company experience (years of service, date of the first audit)
According to the LinkedIn page, the company was founded in 2017. Key employees experience ranges from 5 to 5,5 year (from the founding to this day). The company doesn’t present a repository with public audit but all reports are published on the website. The date of the first report is Jan 17,2020.
Media presence
Average score 8,17/10
1
Social Media
The company’s social media are active, Twitter is updated regularly and the company interacts with its audience even via tweets.
2
Media publications
The company’s articles are regularly published and the company's mentioned in the top online media. Among others, their media presence is established through Coindesk, The Times, The Washington Post, The Wall Street Journal, Cointelegraph, Forbes.
All data is actual at the time of compiling the report in November, 2022.
Twitter - 70.000 subscribers, ER 0.061%
Approximately the account receives:
31,6 likes per tweet
4,1 comments per tweet
6,3 rt per tweet
Telegram channel - 13.000 subscribers, ER 0.001%
Approximately the account receives:
14,4 reactions per post
LinkedIn - 4.400 subscribers, ER 0.004%
Approximately the account receives:
18,7 reactions per post
0,9 reposts per post
0,3 comments per post
Discord - 2.600 subscribers, ER 0.016%
Approximately the account receives:
40,9 reactions per post
Twitter - 70.000 subscribers, ER 0.061%
Approximately the account receives:
31,6 likes per tweet
4,1 comments per tweet
6,3 rt per tweet
Telegram channel - 13.000 subscribers, ER 0.001%
Approximately the account receives:
14,4 reactions per post
LinkedIn - 4.400 subscribers, ER 0.004%
Approximately the account receives:
18,7 reactions per post
0,9 reposts per post
0,3 comments per post
Discord - 2.600 subscribers, ER 0.016%
Approximately the account receives:
40,9 reactions per post
Speed
Average score 8,66/10
1
Audit Speed
Audits are performed within 10-11 days. Though it may seem long compared to cheaper auditors that deliver results within hours, it’s a fairly normal time frame for large and better-known tier-1 companies. On the contrary, extreme speed in this matter would seem suspicious.
2
First response speed
An answer was received 6 hours after the initial request. The response was provided by a human manager, not a bot.
3
Follow-up response speed
After receiving the response, we provided the required information. The manager was online, so they responded right away and the communication was held in real-time.
Expertise
Average score 10/10
1
What blockchains does the company audit
Officially, the company works in the following chains: Solana, Near, EverscaleTVM, Polkadot, Cosmos, Casper, Optimism, EthereumEVM, Avalanche, BSC, Fantom, Polygon, EOS. As can be seen from this impressive list, the company works with both EVM and non-EVM blockchains.
Aside from Solidity and Rust, they take on Cosmos chain projects on Cosmos SDK on the Go language. The company audits Polygon projects in Golang and Vyper, and EOS projects in C++. The company has no shortcomings when it comes to stack technologies. It’s competent with any blockchain.
Aside from Solidity and Rust, they take on Cosmos chain projects on Cosmos SDK on the Go language. The company audits Polygon projects in Golang and Vyper, and EOS projects in C++. The company has no shortcomings when it comes to stack technologies. It’s competent with any blockchain.
2
Technological advancements
There is a hub where all the company’s developments are presented.
Leading products:
HaaS
HackenAI Bundle
ETD Stablecoin
hPASS
hVPN
In addition, there is a selection of miscellaneous DeFi features such as Staking, LP Farming, HAI Rounds, Education, Social Mining, Governance, Membership. The detailed info about each one is available on the aforementioned hub page.
Leading products:
HaaS
HackenAI Bundle
ETD Stablecoin
hPASS
hVPN
In addition, there is a selection of miscellaneous DeFi features such as Staking, LP Farming, HAI Rounds, Education, Social Mining, Governance, Membership. The detailed info about each one is available on the aforementioned hub page.
3
Services
A notable service is hackenproof - a system of awards for bug finding. The company collaborates with the leading players in the market.
Aside from smart contracts audit, the company offers:
Blockchain Protocol Audit
Web 3.0 Penetration Testing
dApp Audit
Bug Bounty
There are also development solutions:
CEX/DEX
Metaverse & NFT
Launchpad
Startup
Aside from smart contracts audit, the company offers:
Blockchain Protocol Audit
Web 3.0 Penetration Testing
dApp Audit
Bug Bounty
There are also development solutions:
CEX/DEX
Metaverse & NFT
Launchpad
Startup
Prices and additional services
Average score 6,33/10
1
Audit prices, affordability
For a project with a code that’s a little more complex than that of a token, the company set a price of $79k. This price tag is higher than the average on the market, so it’s available only to big or well-financed projects.
2
Sales, promo offers, bonuses, discounts
In addition to the audit report, clients receive a certificate and an option to add an “audited by Hacken” badge to their website. The report is automatically added to the project page on CoinMarketCap, CoinGecko, and Certified. Also, if the project is eligible for the Hacken partnership program, the company may offer an expanded bundle of services that includes marketing support in the Hacken social media with over 100k followers.
3
Legal transparency
The company provides a legal agreement. Payments can be sent via a wire transfer, an invoice, fiat, etc. on demand.
Quality
Average score 7,6/10
1
Audit quality, report analysis
- Issue description (thoroughness, code examples): YES
- Project description and contracts (what do they do): NO
- Conclusions (automatically generated vs written by specialists): NO
- Recommendations: YES
- Manual audits (a large number of automatically generated audits is a disadvantage): YES
2
User Experience
The company can be contacted through a form on the website or direct messages to the admins of their Discord and Telegram channels. This isn’t the most convenient way, since a client has to provide information by hand even to ask a question regarding services.
In the Telegram channel, the admin/manager contacts are not pinned, which is inconvenient. In the common chat, we had to wait for several hours for a response. If a question like “do you work with fiat and invoices” occurs, there’s nowhere to address it. This is a serious disadvantage for the company. In the end, we created a request in Discord and received a response 8 hours later.
In the Telegram channel, the admin/manager contacts are not pinned, which is inconvenient. In the common chat, we had to wait for several hours for a response. If a question like “do you work with fiat and invoices” occurs, there’s nowhere to address it. This is a serious disadvantage for the company. In the end, we created a request in Discord and received a response 8 hours later.
Additional Information
Post-audit hacks and attacks
All information is gathered from an open source. Consider that because the company is well-known and audits large, notable projects, the possibility of a hack is increased compared to smaller projects. We are reviewing only the attacks that resulted in the loss of over $100k.
The amount of the lost funds - $8,480,000
The amount of the lost funds - $8,480,000
On May 26, 2021, at 03:59:05 +UTC less than 48 hours after a hacker attack on the Autoshark protocol, Merlin Labs (a PancakeBunny fork) was attacked in a similar fashion to Autoshark and Bunny.
Hackers made away with ~240 ETH (~680K USD).
Transaction details on BscScan.
1: A small sum is added as a deposit to the LINK-BNB Vault.
2: 180 CAKE are sent to the LINK-BNB Vault contract – the key leading to the attack.
3: getReward function is performed with the help of the deposit made to the LINK-BNB Vault from p.1.
4: Because of a large number of the CAKE tokens in the vault’s contract wallet the profit becomes bigger. As a result, the system minted 100 MERL to reward the hacker.
5: This action was repeated 36 times. The attacker received 49k MERL tokens.
6: The MERLIN tokens were then exchanged for 240 ETH and transferred via AnySwap from BSC.
The hacker used the CAKE wallet balance as their profit (performanceFee), that can be easily replaced by sending the CAKE tokens to the vault contract.
Source
Hackers made away with ~240 ETH (~680K USD).
Transaction details on BscScan.
1: A small sum is added as a deposit to the LINK-BNB Vault.
2: 180 CAKE are sent to the LINK-BNB Vault contract – the key leading to the attack.
3: getReward function is performed with the help of the deposit made to the LINK-BNB Vault from p.1.
4: Because of a large number of the CAKE tokens in the vault’s contract wallet the profit becomes bigger. As a result, the system minted 100 MERL to reward the hacker.
5: This action was repeated 36 times. The attacker received 49k MERL tokens.
6: The MERLIN tokens were then exchanged for 240 ETH and transferred via AnySwap from BSC.
The hacker used the CAKE wallet balance as their profit (performanceFee), that can be easily replaced by sending the CAKE tokens to the vault contract.
Source
An account with one ETH transferred to it via Tornado Cash, used the contract that simultaneously exchanged $180M on Uniswap and got a $51M loan on dYdX.
Using this technique, the hacker managed to withdraw $7.8M DAI. They used the fact that Warp.finance relied on vulnerable LP token prices on Uniswap. This allowed the hacker to take a bigger loan than the collateral allowed. As a result, the credit funds in stablecoins were lost.
Source
Using this technique, the hacker managed to withdraw $7.8M DAI. They used the fact that Warp.finance relied on vulnerable LP token prices on Uniswap. This allowed the hacker to take a bigger loan than the collateral allowed. As a result, the credit funds in stablecoins were lost.
Source
Final Score
Considering the results presented in every category, the following points have been assigned:
9/10 Trustworthiness
8,17/10 Media presence
8,66/10 Speed
10/10 Expertise
6,33/10 Prices and additional services
7,6/10 Quality
The Final Score:
8,29/10
8,29/10
This is the analytic report in a series of reports on the smart contract and blockchain apps auditor market. Presented to you by DSA, it’s guaranteed impartial and factual information on the most well-known, new, and obscure players.
Follow us on Twitter and be the first to know about new reports
Follow us on Twitter and be the first to know about new reports
0XGUARD
Top Solana Vulnerabilities
Solana is a widely popular blockchain and attractively low transaction fees are certainly among the reasons developers choose it. Among Solana-based dApps are some of the most popular and valued projects. This is why knowing Solana and its weaker points is now more necessary than ever.
HASHEX
A Developer’s Guide: A Framework setup
Developers often ask how to correctly, efficiently, and securely set up a framework for developing smart contracts. This guide aims to help new developers do it quickly and conveniently.