Large contracts are 15x more likely to contain structural vulnerabilities.
structural smart contract verification
Large contracts are 15x more likely to contain structural vulnerabilities.
structural smart contract verification
WHAT WE'VE FOUND
We analyzed 18,966 unique bytecodes across 44,121 deployed contracts using deterministic symbolic execution that works entirely from deployed bytecode, with no access to source code.
Contracts above 10KB are 15 times more likely to contain structural vulnerabilities than contracts below 2KB, and the highest-TVL protocols overwhelmingly fall in this category. Among large contracts, 10.6% have elevated or critical findings.
83% of all critical findings involve DELEGATECALL, which means the proxy pattern that enables upgradeability is also the dominant structural risk vector in deployed contracts. Implementations vary dramatically in structural safety.
A single vulnerable bytecode pattern can propagate to 161 deployed contracts through code reuse and factory patterns, and bytecode-level analysis detects the flaw once and identifies every deployment.
635 of 44,121 deployed contracts are backed by bytecodes with elevated or critical structural findings — a low rate in absolute terms, but significant when the contracts in question handle billions in value.
85.5% of unique bytecodes receive a clean verdict with zero structural findings, which establishes the baseline. When a contract deviates from it, that deviation is statistically meaningful rather than noise.
WHY THIS EXISTS
Source code audits have become standard practice, and for good reason — they catch bugs, flag logic errors, and give teams confidence before deployment. But the artifact that actually runs on the EVM is not the source code. It is the compiled bytecode that the compiler produced from it, and that is a fundamentally different object with its own structural properties that no source-level review examines directly.
The singularity-net works at that level. Given only a contract address, the engine fetches the deployed bytecode and performs structural analysis across three progressive depths — opcode profiling, control flow graph reconstruction, and per-function symbolic execution — resolving every execution path, mapping every storage access, and identifying structural patterns associated with known vulnerability classes using only what the EVM itself sees when it executes the contract.
A source code audit asks what the developer intended. A structural bytecode verification asks what the contract does. Both questions matter, and most protocols have answered the first but not the second.
WHAT WE DETECT
A function sends ETH or calls an external contract before updating its own state. The recipient can call back into the same function and drain funds before the balance is written. This pattern caused the $60M DAO exploit.
A function calls another contract and ignores whether the call succeeded or failed. Transfers can fail silently, leaving the contract in an inconsistent state with no revert.
A function modifies contract storage on a path that has no access control check. Any address can call the function and change the contract's persistent state.
A function delegates execution to an external address while preserving the caller's storage context. If the target is attacker-controlled, the entire contract can be overwritten. This pattern contributed to the $130M Cream Finance exploit.
A contract exposes privileged operations to any caller. Functions that should be restricted to an owner or governance address execute without checking who initiated the transaction.
HOW IT WORKS
Provide a contract address and chain. The engine fetches the deployed bytecode directly from the network.
The engine profiles every instruction, reconstructs the full control flow graph, and symbolically executes each reachable function across three progressive analysis levels.
You receive a standalone report with findings, a remediation roadmap, and a function-by-function breakdown. Delivery in as little as 14 hours, up to 14 days depending on contract complexity.
THE EVIDENCE
The engine was given only the deployed bytecode for each contract below. No exploit details, no source code, no prior knowledge of the vulnerabilities involved. It ran the same three-level structural analysis it runs on every contract, and independently identified the patterns that led to $815 million in combined losses across three of the largest security events in Ethereum's history.
46 functions analyzed across 471 code blocks. The engine identified 4 reentrancy patterns, 5 unchecked calls, 12 unprotected storage writes, and zero access control checks — the structural conditions behind the $60M exploit of June 2016.
The engine flagged 9 functions with reentrancy patterns and fully open withdrawal paths, carrying the highest risk classification. These were the structural conditions behind the $625M exploit of March 2022.
26 functions delegate execution via DELEGATECALL and 35 external calls discard return values. The engine flagged the structural exposure that enabled the $130M flash loan exploit of October 2021.
PRICING
$55,555 per verification. One service, one price, everything included.
Any deployed contract on any EVM-compatible chain. The engine profiles every opcode, reconstructs the control flow graph, and symbolically executes every reachable function. You receive a standalone report with findings, a remediation roadmap, and a complete function-by-function breakdown. Delivery in as little as 14 hours for standard contracts, up to 14 days for the most complex protocols.
Not ready to commit? Send a contract address to s-net.net@proton.me for a preliminary structural profile.