Welcome to the October edition of the Zellic Security Roundup, the monthly security-focused newsletter covering valuable security news and analysis in Web3.
This month, we will explore V12, our new autonomous Solidity auditor; the latest Web3 security and regulatory updates; and our recently released audit reports.
Zellic Research & Writing
On September 25, 2025, we introduced V12, our autonomous Solidity auditor. Below is a look into why we created V12 and a representative sample of bugs from real-world exploits that V12 detects but were missed by past audits.
We founded Zellic because audits sucked. In 2021, audits were expensive and slow. Major firms constantly missed obvious, surface-level bugs, like missing access control or reentrancy. Our mission was simple: deliver actually good audits — better, faster, cheaper, no missed bugs.
While we’ve made good on that mission at Zellic (and recently, Code4rena and Zenith), there are still no good solutions for teams who need small, quick reviews. This includes teams seeking continuous security — an audit for every pull request — or teams shipping small or incremental changes. There are also no good solutions for teams evaluating third-party contracts (e.g., tokens) for potential integration.
Earlier this year, we noticed that some audit providers now underperform frontier LLMs. In general, low-quality auditors 1) suck and miss obvious bugs, 2) have unacceptable turnaround times, or 3) lack a streamlined, consistent customer experience. Meanwhile, these providers often charge thousands or tens of thousands of dollars for small, simple reviews.
LLMs excel at finding surface-level coding mistakes, but they struggle to find deeper vulnerabilities like protocol design or business logic errors. Based on Zellic’s internal statistics from over 1,000 audits, roughly 70% of all bugs are coding mistakes. Drilling down to just critical and high-severity vulnerabilities, the proportion remains similar. Therefore, we hypothesized that it would be possible to build an AI auditing tool that outperforms low-quality audit firms on finding simple but important bugs — while acknowledging that it will never be able to find all bugs or outperform the best providers.
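As an added illustration of the “surface-level coding mistakes” referred to above (and of the missing access control and reentrancy bugs mentioned earlier), here is a constructed Solidity example. It is not V12’s or Zellic’s code, and the contract and function names (VulnerableVault, HardenedVault, Attacker, setTreasury) are hypothetical. The vulnerable contract has two coding mistakes that a pattern-level review should catch: an unrestricted setter and a withdraw that updates state after its external call. The hardened contract shows the fixes, and the small Attacker contract shows why the ordering matters.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed example for illustration only (not V12 or Zellic code).

contract VulnerableVault {
    address public owner;
    address public treasury;
    mapping(address => uint256) public balances;

    constructor() {
        owner = msg.sender;
        treasury = msg.sender;
    }

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    // Coding mistake 1: missing access control. Any caller can redirect the treasury.
    function setTreasury(address t) external {
        treasury = t;
    }

    // Coding mistake 2: reentrancy. The balance is zeroed only after the external
    // call returns, so a contract recipient can re-enter withdraw() in its receive()
    // and be paid the same balance again and again.
    function withdraw() external {
        uint256 amount = balances[msg.sender];
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
        balances[msg.sender] = 0;
    }
}

// Drains VulnerableVault: each payment re-enters withdraw() while the vault
// still holds enough ether to pay the (never zeroed) balance once more.
contract Attacker {
    VulnerableVault public immutable vault;

    constructor(VulnerableVault v) {
        vault = v;
    }

    function attack() external payable {
        vault.deposit{value: msg.value}();
        vault.withdraw();
    }

    receive() external payable {
        if (address(vault).balance >= msg.value) {
            vault.withdraw();
        }
    }
}

contract HardenedVault {
    address public owner;
    address public treasury;
    mapping(address => uint256) public balances;
    bool private locked;

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    // Simple mutex; OpenZeppelin's ReentrancyGuard is the usual production choice.
    modifier nonReentrant() {
        require(!locked, "reentrant call");
        locked = true;
        _;
        locked = false;
    }

    constructor() {
        owner = msg.sender;
        treasury = msg.sender;
    }

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    // Fix 1: privileged setter is gated and rejects the zero address.
    function setTreasury(address t) external onlyOwner {
        require(t != address(0), "zero address");
        treasury = t;
    }

    // Fix 2: checks-effects-interactions. The balance is zeroed before the
    // external call, and the mutex blocks re-entry as defense in depth.
    function withdraw() external nonReentrant {
        uint256 amount = balances[msg.sender];
        require(amount > 0, "nothing to withdraw");
        balances[msg.sender] = 0;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}
```

To see the reentrancy, deploy VulnerableVault, have a few accounts deposit, then deploy Attacker against it and call attack() with 1 ether: receive() re-enters withdraw() until the vault cannot pay the attacker’s balance one more time, and only then do the nested calls unwind and zero the balance. Both bugs are local to a single function and need no knowledge of the protocol’s economics, which is what makes them “coding mistakes” rather than the business-logic or protocol-design errors the text distinguishes.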
In short, teams want a consistent, good security provider that reliably finds important, straightforward bugs. They want to have some assurance on short notice, though it will not be perfect or at the same level as a high-quality audit.
This is our problem statement for V12. We don’t expect V12 to be perfect, but we want it to be at least as good as the worst auditing firms. We want teams to have a cheap, self-serve experience that makes security feel abundant and constantly accessible, while recognizing that it doesn’t replace a proper audit by a high-quality provider.
High-quality audits are still necessary. AI cannot find all bugs, and the best humans still far outperform even the best AI systems. In crypto, even a single vulnerability can lead to a catastrophic, billion-dollar hack. Thus, teams should still have their code professionally audited by trusted providers. We just want to help teams — especially bootstrapped ones — reduce reliance on low-quality audits.
For a deeper look into examples and case studies of how V12 outperforms existing tools, solutions, and providers, check out our blog post here.
In the News
Hacks
In the worst year thus far for crypto theft, $2.17B was stolen between January and July 2025.
Elliptic revealed that North Korea–linked hackers have stolen over $2B in cryptoassets in 2025. This brings the cumulative known value of crypto stolen by North Korea–linked hackers to $6B+.
Hackers have stolen ~$21M from a user on Hyperliquid, just a week after another attack took $782,000 from Hyperdrive, a lending protocol built on Hyperliquid.
The crypto subsidiary of Japan’s SBI Group has been the target of North Korea–linked hackers, with roughly $21M worth of crypto flowing out of the company’s wallets in September 2025.
An attacker minted almost 10T UXLINK tokens, crashing the token’s price by 90%, and swapped 9.95T of them for 16 Ether, worth about $67,000. Yet, while the attacker was minting tokens, they also lost over 500B UXLINK tokens to a phishing attack.
The suspect in the Coinbase hack began stealing confidential customer data in September 2024 and kept the stolen data of more than 10,000 Coinbase customers on her phone. The suspect took as many as 200 photos of Coinbase customer accounts a day and was paid $200 per picture.
Research
The Ledger white-hat team discovered a flaw in Tangem cards that makes brute-force attacks possible — “the Ledger Donjon shared all findings with Tangem through responsible disclosure. Tangem’s position is that the proven flaw does not constitute a vulnerability. However, since Tangem cards cannot be updated, the issue remains”.
Google announced the Agent Payments Protocol (AP2), “an open protocol developed with leading payments and technology companies to securely initiate and transact agent-led payments across platforms”.
Deloitte issued a refund to the Australian Department of Employment and Workplace Relations following the delivery of a government-contracted report that contained AI hallucinations, including multiple citations to nonexistent academic reports.
ZachXBT documented at least 25 instances of North Korean IT workers infiltrating crypto companies to steal funds or extort employees.
Scams
The Seoul Metropolitan Police Economic Crime Investigation Division announced the arrest of 25 members of “Lungo Company”, a fraud ring that deployed multiple scam tactics.
ModStealer, a newly discovered malware family, is targeting crypto users across macOS, Windows, and Linux systems, putting wallets and access credentials at risk.
Bots on Twitter are driving crypto scams, phishing links, and fake token promotions, and despite the efforts to deter spam, “bad actors can still appear to be credible with a simple subscription”.
Legal
Eurojust has coordinated an operation across Europe to halt an elaborate crypto investment fraud, in which five suspects were arrested, including the main perpetrator, who defrauded over 100 victims of at least EUR 100M.
California Governor Gavin Newsom signed Assembly Bill 1052 into law, which amends the state’s Unclaimed Property Law to include digital finance assets such as crypto. This bill requires that unclaimed crypto assets, dormant for three years on an exchange, be transferred to state custody in their original form, which prevents automatic sale and ensures the assets are held securely by a qualified custodian until the owner reclaims them.
Kenyan lawmakers have enacted the Virtual Asset Service Providers Bill, which designates the central bank as the licensing authority for the issuance of stablecoins and other virtual assets, while the capital markets regulator will license those who wish to operate crypto exchanges and other trading platforms.
Japan’s financial regulators are planning to reclassify crypto’s legal status, which will allow Japan’s Financial Services Agency to impose new restrictions and punish insider trading incidents.
Democrats submitted a counterproposal to the crypto framework bill, which may lead to “stalled progress on the legal clarity for the blockchain industry.”
Crime
The US Department of the Treasury’s Office of Foreign Assets Control and the Financial Crimes Enforcement Network, in coordination with the United Kingdom’s Foreign, Commonwealth, and Development Office, took action against cryptocurrency-enabled scam networks operating in Southeast Asia. The DOJ also filed a historic $15B civil forfeiture complaint involving approximately 127,000 Bitcoin linked to the fraudulent schemes.
The Royal Canadian Mounted Police carried out the largest cryptocurrency seizure in Canadian history, with an estimated $56M+ recovered from TradeOgre.
“How the Companies Behind Crypto ATMs Profit as Americans Lose Millions to Scams” is an investigation of 700+ criminal cases and complaints that found that crypto ATM companies make money by often marking up the price of crypto by more than 20%–30% on transactions. “The companies have also largely failed to adopt measures that could stifle scammers, such as strict transaction limits, and have heavily lobbied state legislatures to neuter laws that would force them to better protect victims”.
The Security Alliance unveiled the “Verifiable Phishing Reporter”, which uses a new cryptographic scheme that enables whitehats to inspect websites as they appear to potential victims.
Meet Up With Us
We won’t be traveling in October, but if you’d like to schedule a one-on-one meeting with our team, please reach out to sales@zellic.io.
Zellic Auditing Stats
In September, Zellic auditors completed 32 audit engagements, in which they uncovered a total of 117 Critical, High, and Medium bugs:
22 Critical-level bugs
    20 Coding Mistakes bugs
    1 Business Logic bug
    1 Protocol Risk bug
22 High-level bugs
    13 Coding Mistakes bugs
    6 Business Logic bugs
    3 Protocol Risk bugs
73 Medium-level bugs
    47 Coding Mistakes bugs
    20 Business Logic bugs
    6 Protocol Risk bugs
Recent Zellic Audit Reports
Falcon Finance Audit Report: Falcon Finance is building a universal collateral infrastructure that turns any liquid asset, including digital assets, currency-backed tokens, and tokenized real-world assets, into USD-pegged on-chain liquidity.
Avon Audit Report: Avon is a decentralized lending and borrowing protocol that combines capital-efficient pools with sophisticated liquidity management.
Hyperlane - Radix Audit Report: This project is an implementation of Hyperlane for the Radix DLT, designed for seamless interchain communication following the Hyperlane spec.
Filecoin Services Payments Audit Report: The Filecoin Services Payments contract is a smart contract that implements point-to-point payments with lockup and programmable SLA validation before payment settlement.
About Us
Zellic specializes in securing emerging technologies. Our security researchers have uncovered vulnerabilities in the most valuable targets, from Fortune 500s to DeFi giants.
Developers, founders, and investors trust our security assessments to ship quickly, confidently, and without critical vulnerabilities. With our background in real-world offensive security research, we find what others miss.
Contact us for real audits, not rubber stamps.