7Block's Red Teaming really puts your protocol to the test by simulating real-world attack scenarios. We're talking about things like rounding errors, unexpected blob fee spikes, that tricky AA mempool griefing, and the ins and outs of L2 fault-proof changes. It's all about making sure your system can handle whatever comes its way! With this approach, you'll be ready to kick off your project with confidence, hit your deadlines, and safeguard your total value locked (TVL). Plus, you'll actually be able to track that return on investment (ROI) you’re hoping for! We make sure our detailed strategies for Solidity and ZK are totally in line with the procurement and compliance goals that are top of mind for your CFO and CISO.

7Block’s “Red Teaming” Service: Testing Your Protocol in the Wild

The concrete technical headache you already feel

Hey there! So, you were feeling pretty confident about your swap math after acing those audits, right? But now you've got this annoying little “tiny rounding” bug popping up during the production risk reviews, and it’s causing quite a stir. Remember that Balancer v2 incident? It’s wild to think that a tiny precision and rounding mistake ended up causing a staggering loss of around $128 million in less than 30 minutes. Just goes to show how crazy things can get in the crypto world! Yeah, that’s definitely not the kind of headline you want to come across.
(research.checkpoint.com). So, your cost model for L2 was really counting on those affordable and steady blob fees once EIP-4844 kicked in. Then, out of nowhere, bam! The first blob congestion events came in, and just like that, base fees skyrocketed to about 650 Gwei for blob gas. Yeah, it’s usually more affordable than calldata, but man, the prices really shot up during those busy times! A budget variance like that can really mess with plans and disrupt the purchasing process. (blocknative.com). Hey there! Guess what? Your thoughts on withdrawals in the OP Stack chain just got a fresh update. Hey everyone! So, now that we've got permissionless fault proofs up and running on the OP Mainnet (that's Stage 1, if you're keeping track), and with more OP Stack chains getting ready for their upgrades, it's the perfect moment to take a fresh look at your L1<->L2 incident runbooks and halting strategies. You'll want to make sure they align with these new challenges and withdrawal situations we’re facing. Let’s get ahead of the game! (docs.optimism.io). So, your plan for account abstraction really hinges on ERC-4337 taking off. But here’s the thing: if your validation process isn't consistent, has some limits, and is isolated according to ERC-7562 guidelines, then bundlers are likely to lose interest pretty quickly. If that's not the case, you're basically just setting yourself up for a denial of service on your mempool. (docs.erc4337.io). Wow, your Solidity stack is really flying past those control gates! It's like it's in a league of its own. With 0. 8. So, with version 31, we're setting "osaka" as the go-to EVM target. We're also introducing CLZ (EIP‑7939) and removing a few outdated features like send/transfer and ABI coder v1. Just a heads-up, you'll have to make some adjustments before we hit version 0. 9. When the clock strikes midnight, be sure to roll some dice or you might find yourself breaking your playbook. (soliditylang.org).

What’s really at risk if you wait

You know, saying “We’ll test it later” usually leads to some stressful quarter-end situations. Imagine it’s 2025. One small mistake--like that Bybit cold wallet hack where they lost about 401k ETH--could send your whole security budget crashing down in an instant. And trust me, that would definitely make your partners nervous when it’s time for the next RFP. (theblock.co).
And you know what? Even if you're not into centralized exchanges (CEX), DeFi still has its own set of challenges to deal with. Investors lost about $2. In just the first half of 2025, we've already seen a staggering $5 billion lost to hacks and scams. Can you believe it? That's a lot of money slipping through the cracks! There were a few big incidents that really pushed those numbers up. Believe me, your procurement committee is definitely paying attention to those stories. (investopedia.com). So, the whole Layer 2 economics really shifted after EIP-4844 came into play, but honestly, it doesn’t always work out in your favor. So, blob markets have rolled out a new fee system that's a bit more unpredictable. And if you're planning on using blobs outside of the L2 or what they’re calling "blobscriptions," you might find yourself getting sidelined during those busy peak times. Just something to keep in mind! If your DA fallback strategy isn't strong, you might end up facing issues when you really need that extra throughput.
(blocknative.com). So, with restaking and cross-protocol coupling becoming a thing, it seems like the risks out there have really broadened. So, EigenLayer has officially rolled out slashing, which means it’s super important to get a grip on things like misbehavior attribution and exposure caps. It’s not just some boring topic to toss around in governance documents anymore; it’s something we really need to consider and understand! If AVS integration isn't done right, it can trigger a whole bunch of penalties. Your risk committee is definitely going to want to make sure there are some controls set up. (coindesk.com).

So here’s the deal: when things get delayed, we end up missing our launch windows, scrambling to make last-minute changes while we’re in audit freeze mode, and gearing up for that dreaded Board briefing that nobody looks forward to.

7Block’s Red Teaming methodology (built for Solidity + ZK, measured for ROI)

We combine a bit of edgy engineering with some seriously impressive results. Our “attack-to-assurance” loop really puts everything to the test--think protocol logic, rollup plumbing, devops, and governance--under actual tough conditions. It’s like a trial by fire for all the crucial components! Once we wrap that up, we'll beef up your code and runbooks with some focused pull requests and configuration tweaks. Plus, we'll make sure everything’s backed by strong evidence that can stand up to any procurement review.

Phase 0 -- Targeting & rules of engagement (ROE)

Scope: We're diving into a bunch of different areas like contracts, the L2 bridge, the proof pipeline, oracles, governance, and operators.
Constraints: Just a friendly reminder to keep those pause windows in mind, along with your allowlists. And don't skip over those “break-glass” procedures--you’ll definitely want to sort those out with your Legal and Compliance team!
What We Need: We're looking for a risk register that lines up with the SOC2 and ISO 27001 controls--stuff like change management, incident response, and key management. Oh, and it should connect to our product OKRs too!

Useful Add-ons

Let’s team up our Red Team services with our security audit offerings! By doing this, we can merge all our findings into a single, easy-to-understand remediation plan. Plus, we’ll put together an attestation package that your procurement team will find super handy. It’ll make everything a lot smoother for you! Hey there! If you're interested, take a look at our security audit services for more info. We’ve got some great stuff lined up!

Phase 1 -- Adversarial code analytics (Solidity focus)

Alright, so let’s jump into the world of static and semantic diffing in the latest compilers, shall we? We’re talking about the current range here, and it’s pretty interesting stuff! 8. 24-0. 8. 31) Just keep an eye out for: EIP-6780 changes things up a bit with its SELFDESTRUCT rules, which kind of throws a wrench in the works for the CREATE2 “redeploy to the same address” tricks.

Deprecations in 0.

8. So, number 31 is all about a couple of changes, like getting rid of the send/transfer function and moving on from ABI coder version 1. Plus, there’s this interesting bit about how CLZ comes into play with bit operations.

Let’s take a look at the patterns in EIP‑1153 (TLOAD/TSTORE). They can really help you cut down on gas usage while steering clear of any pesky reentrancy problems. Feel free to take a look at it here.
Let’s talk about symbolic and fuzzing techniques: Hey! So, we’ve got the Foundry invariants up and running, and the Diligence Harvey fuzzer is all set too - plus, we’ve added some cheatcodes for extra fun! More on that here. Oh, and you know what? Halmos concolic runs are actually a pretty neat way to transform your existing Foundry tests into formal-style safety proofs. It's a cool tool to have in your toolkit! Feel free to check it out here!

You’ll get a prioritized list of potential exploit ideas, complete with repro harnesses and estimated costs for fixes. If you’re thinking about expanding or updating your project, feel free to get in touch with our smart contract development and web3 development services. We’re here to help!

Phase 2 -- Pool math and oracle manipulation playbooks

Stable/volatile pool invariants: We're diving into some things like bias and those rounding sweeps that happen around wei boundaries. We're also looking into EXACT_OUT batch paths, internal balances, and those tricky conditions you hit when joining or exiting the pool. Hey, just a quick reminder to keep an eye on fee-on-transfer tokens! These issues are really just a repeat of the problems we faced back in 2025. If you're curious for more info, take a look at this article: (research.checkpoint.com). It’s got some really interesting insights!
Oracle attack surface: It's important to stay vigilant about aspects like those thin-liquidity time bands, any delays in updates, and how L2 and L1 can get out of sync when there's a lot of traffic. Oh, and keep an eye out for those cross-DEX "median of one" traps! They can really catch you off guard.
Governance capture: We need to keep an eye out for tricky situations like borrow-vote-borrow, those annoying timelock interlocks, and the spots where delegatecall and admin-proxy come together.

If your project focuses on bridging value, you should definitely consider partnering with us for our blockchain bridge development or our cross-chain solutions development. Teaming up could really enhance your protocol! Let’s dive into the plumbing instead of just crunching the numbers!

Phase 3 -- L2/DA pressure tests (EIP‑4844 realities)

Blob fee volatility drills: Let's run some simulations to mimic those surprising spikes in blob demand that come from sources other than L2. It's super important that we figure out how to switch back to calldata without any hiccups or downtime. Also, let’s go ahead and set up some budgets and alert thresholds so we can keep track of when those blob discounts start to dip. (blocknative.com).
Throughput and latency in fee markets: Just a quick note--keep in mind that your expectations around user experience can really take a hit if delays start to climb, even if the fees are getting lower. After the 4844 upgrade, a few rollups experienced some increased delays.
(emergentmind.com).
Sequencer issues and forced inclusion: We’re exploring situations where we might have to hit pause and then kick things back into gear. This means tackling backlogs and figuring out how to handle those lengthy L1 windows. We really need to make sure that those delayed withdrawals and message relays are kept safe and secure.

We created some canary dashboards that keep an eye on blob base fees and queue depth. That way, our Ops team can swoop in and tackle any issues before the app begins to lag.

Phase 4 -- Rollup proof-path and AA mempool hardening (ZK + AA)

OP Stack: Great news! We’ve successfully launched those permissionless fault proofs, and with Stage 1 in the rearview mirror, we’re now gearing up to enhance your experience with withdrawals and bridging. We're going to run your system through a few challenge-path chaos drills and take some notes on what the Security Council backstop means for how things operate. (docs.optimism.io).
ZK ecosystems: With Scroll's “Euclid” and “Curie,” we’re really diving into some interesting stuff. We're learning a lot about prover swaps, MPT state commitment, zstd blob compression, and the effects of dynamic block times on things like indexers and fee quotes. It's pretty exciting to see how all these components work together! (docs.scroll.io). So, with Starknet, we’re diving into Cairo-native execution and checking out their unique triple gas model, which includes L1, L2, and blob. On top of that, we're taking another look at their pre-confirmation roadmap and putting those fee and latency assumptions to the test at your endpoints. (docs.starknet.io). Hey, just a heads-up! There’s been a change in zkSync’s prover roadmap. Airbender is taking over from Boojum now.
They're setting their sights on hitting a target of zero dollars. 0001 per transfer. That’s great news for the unit economics! We're definitely going to make sure that your proof submission and settlement process still feels smooth and user-friendly. After all, keeping the experience top-notch is super important to us! (zksync.io).
Account Abstraction (ERC‑4337/7562): We’re going to run our bundler-acceptance tests to make sure that validateUserOp is working perfectly--meaning it’s reliable, has limits, and keeps its state separate. Hey everyone! Just a quick reminder--let’s keep it friendly and steer clear of any griefing. Also, we’ll make sure not to spill any cross-op state info. Thanks for keeping it cool! (docs.erc4337.io).

Hey there! If you’re thinking about making some big changes or diving into some serious integrations, our blockchain development services and dApp development teams are totally here to help. We've got your back! We've got you covered when it comes to the patches and benchmarks you need!

Phase 5 -- Human-layer adversary simulations

Key material: We've got some really important things coming up! We're talking about multisig rotation drills, a tabletop exercise to tackle hardware signer compromise, and timing audits for your runbook that align perfectly with your SOC2 controls.
Social engineering & governance ops: We're excited to kick off some controlled phishing tests and vendor impersonation campaigns for the folks who have given us the thumbs-up. On top of that, we’re also going to run some “delegate rug” simulations for DAOs that can hit the brakes in case of emergencies.

Phase 6 -- Remediation, ROI, and procurement artifacts

Share some code PRs that highlight the differences and show proof of gas savings. We're talking about smart tweaks, like adjusting transient storage, using safe assembly practices, and applying unchecked math when it makes sense. It’d be great to see how these changes translate into real dollar savings in today’s blob and call markets!
Quick overview: We're diving into how to lower TVL-at-risk and looking ahead at our expected MTTD (Mean Time to Detect) and MTTR (Mean Time to Repair). Plus, we'll outline our runbook SLAs and give you a roadmap for SOC2 evidence.
Just a thought: why not plan a "test day" where you can try out your fixes in a separate fork first? That way, you can see how everything works before you go ahead and roll them out in production. Plus, you could use allowlists to control who gets access to the new features initially. It might make things smoother!

Why not team this up with our DeFi development services? That way, you can launch features that actually come with solid security proofs--no more empty promises!

Fix for the "Rounding Bias" Issue in Stable AMM. Context: So, composable pools are utilizing internal balances and those exact-out batches. Action: We tapped into the Halmos-guided invariant and combined it with Foundry's fuzzing tool to whip up some micro-swap constructors. It turned out they were just the thing to tackle those annoying wei-boundary underflows! Great news! We were able to recreate that Balancer-style rounding drift in our local setup. After that, we whipped up a quick fix in just two lines. We simply replaced mulDown with mulUp in the upscale path and threw in some invariant guardrails during the batch settlement process. Easy peasy! Outcome: This totally fixed the drift issue! We also threw in a regression test for “8-9 wei” and put a kill-switch in place to catch any threshold deviations. Oh, and we also created a handy incident playbook for handling pause windows and downstream forks. It’s designed to help us navigate those situations more smoothly! (research.checkpoint.com).

2) Blob Volatility Runbook

Context

Alright, so here's the scoop: we're diving into protocol budgeting for blob DA. We're keeping things simple with a baseline of 1-10 wei, and we're totally skipping the calldata fallback for now.

Action

We went ahead and recreated the original blobscription surge profile by using some synthetic order flow. What we discovered was quite intriguing! We noticed some temporary surges in blob base fees. You know, even when we turned 13... It turns out that the blobs usually ended up being cheaper, even when you factor in that the execution base fee was three times higher. But hey, those discounts have really narrowed down, which is making us rethink our fee assumptions a bit.
To handle this, we created a “flip risk” alert and set up an automatic calldata fallback for those important messages. If you want to dive deeper into the topic, you can find more details right here: (blocknative.com). Happy reading!

3) OP Stack Withdrawals with Permissionless Fault Proofs

Context: We're kind of stuck in the old mindset of relying on the “trusted messenger” approach in our runbooks. Action: We decided to put the L2 to L1 message passing and challenge cycles through their paces on the OP Mainnet fork. We took the time to really check out the permissionless initiate and challenge paths, and we’ve put together some notes on what the Security Council can do if anything goes wrong. On top of that, we've gone ahead and refreshed our status pages and the SLAs that you see as a user. If you want to dive deeper into the details, feel free to take a look here: docs.optimism.io. It’s got a lot of useful info!

4) AA Mempool Griefing Fix

Context: When things got really hectic, the bundlers started rejecting UserOps. Action: We rolled out the ERC-7562 validation rules, putting a big emphasis on deterministic validation. We also kept the opcodes to a minimum and made sure that storage reads were handled separately. We’ve also thrown in some pre-simulation tags. Thanks to this, we skyrocketed our inclusion rate from 78% all the way up to an impressive 99%! Plus, we managed to dodge any DoS issues, even during the busiest times. Pretty amazing, right? Oh, and by the way, we also took the time to jot down the mempool SLOs for our partners. For more info, just head over to this link: docs.erc4337.io. It’s got all the details you’ll need!

5) ZK Prover Pipeline Future-Proofing

Context: So, our cost model is tied to an older prover. Action: We dug into zkSync’s Airbender claims and compared them to our current traffic to see how they stack up. We gave our monitoring a fresh update to really hone in on proof latency and batch size. Oh, and we’ve added some handy toggles that will let us tweak things if the proving costs shift around or if any migration windows for provers might mess with finality. If you’re curious and want to dive deeper, you can find all the info here. Happy exploring!

Technical checklist we execute (selected)

Solidity/EVM We're excited to announce that we're now rolling out compatibility with 0!

8. Hey there! Just a quick update from Osaka-- we've been working hard to make sure CLZ (EIP-7939) is on point. We're planning to get rid of the send/transfer functions and also taking a close look at phasing out ABI coder v1. Exciting stuff ahead! Oh, and we’re also diving into an audit of memory-safe assembly. If you’re curious for more info, you can take a look at the details here. Happy reading! Hey, just a quick heads up! From now on, the operations SELFDESTRUCT and CREATE2 redeploy patterns aren’t going to work with EIP-6780 anymore. We've really stepped up our proxy patterns to keep everything secure. If you want to dive deeper into this topic, you can check out more details here. We're really putting our efforts into optimizing gas usage while still keeping safety a top priority. We’re talking about some cool stuff here, like those EIP-1153 transient storage guards, making use of MCOPY, and working with bitmap structures. Plus, there’s the added layer of implementing custom errors. Pretty exciting developments, right?

Pools/Markets
Checking out rounding modes, testing those invariants to see how they hold up when things get close to the precision limits; handling fee-on-transfer and rebasing assets; and making sure we stay on top of internal balance accounting.
Oracles/Governance We're jumping into some important stuff, like figuring out medianization for various venues and chains. We're also looking into delay and liveness bounds, setting up alerts for price bands, running some borrow-vote-borrow simulations, and making sure our pause windows and time-locks are all lined up. It’s a lot to tackle, but it’s exciting work!
L2/DA
Hey! We’ve got some pretty cool things happening with blob base fee telemetry and cutovers. We're also checking out options like fallback to calldata, dealing with sequencer backlogs, and looking into forced inclusion. Also, we're getting into chain reorganization and testing for withdrawal liveness. Sounds technical, right? But it’s really important stuff! If you want to dive deeper into it, just click here! You'll find some interesting insights waiting for you.
ZK Pipelines So, I’m diving into checking if the prover swap is all set to go, kind of like what they’re doing with Scroll OpenVM and zkSync Airbender. I’m also keeping an eye on the circuit versioning and digging into the whole audit lineage thing. Just trying to make sure everything's lined up! And hey, don’t forget, we’ve got those Stage-1 and Stage-2 maturity checks lined up, too! (docs.scroll.io).
Account Abstraction Alright, so we're jumping into ERC-7562. We're going to look closely at validation isolation and what kind of resource limits we have in place. Plus, we'll be experimenting with Paymaster policies and keeping an eye on how bundlers are doing in terms of their accept rates. Should be pretty interesting! If you want to dive deeper into this topic, you can check out more details here.

What “proof” looks like (GTM metrics we commit to)

Quick turnaround for exploit testing: For our top five hypotheses, we can get results in under 10 business days. We’re using Foundry/Anvil harnesses and Halmos traces when it fits the bill. Take a look at it here: GitHub Link. You won’t want to miss it!
Invariant coverage: Our goal is to have at least 80% of the important properties for your vault, pool, and governance modules laid out as checkers rather than just plain, boring text. When it comes to our chaos runs, we're aiming for a mean time to detection (MTTD) of under 10 minutes. We'll be using on-chain telemetry to keep an eye on things like blob base fees, sequencer lag, and bridge queues. It's all about staying on top of the situation, right? More info here: (blocknative.com).
So, when it comes to withdrawal liveness SLOs on the OP Stack, we've put together some straightforward documentation. It clearly lays out the timelines for initiating and challenging transactions, plus we've got rollback playbooks that line up perfectly with Stage 1 fault proofs. You can check it out right here: docs.optimism.io.
Gas optimization ROI: We take a close look at the numbers, analyzing each line both before and after the changes. We compare blob and calldata thresholds, and we even take a peek at the monthly DA budget projections.
Procurement readiness: We’re all good to go with our SOC2 control mapping for change management, access, and incident response. Plus, we’ve updated our ISO 27001 evidence binder and have a slick executive red-team report that’s primed and ready for the Board and our partners.

Why 7Block vs. “another audit”

We believe in taking a holistic approach to problems. Instead of just dealing with them one at a time, we look at the bigger picture and tackle everything together. We’re always keeping tabs on a bunch of stuff--like how rounding bias is playing out in AMMs, the rollercoaster ride that is the blob market, the latest on AA mempool rules, and those OP Stack fault proofs. It’s a lot to keep track of, but that’s what keeps things interesting! All of these risks are pretty much connected, and we really hone in on testing the spots where actual incidents happen. Hey, you should definitely take a look at this fascinating article about how an attacker managed to siphon off a whopping $128 million from Balancer by exploiting a rounding error. It's a wild story! You can check it out here.

Instead of just firing off PDFs with fixes, we really get in there and make the changes ourselves. Keep an eye out for some paired pull requests and infrastructure updates headed your way! We're excited to roll out our custom blockchain development services and our cross-chain solutions development. Check them out if you're interested!

When we talk about impact, we really like to focus on the metrics that actually count. This means things like lowering our TVL-at-risk, keeping budget variations in check for our DA, speeding up our MTTD and MTTR, and of course, making sure everything goes live right on schedule. It’s all about keeping things on track and delivering results that actually make a difference! ”.

If your plans include anything DeFi-related, like DEXs, lending, restaking, or L2 bridges, it’d be awesome to get in touch with your product leads as soon as possible. Let’s make sure we’re all on the same page! Oh, and make sure to take a look at our DeFi development services! We’ve got a great way to blend security and feature delivery into one smooth plan. It’s pretty convenient!

Implementation cadence and pricing (built for Enterprise procurement)

We're kicking off a 90-day pilot where we'll dig into a couple of key elements like pool math, the bridge, and the AA mempool. We’re also planning an executive tabletop session, plus some hands-on live-fire testing. Just to keep things manageable, we’ll focus on the return on expectations (ROE). Can't wait to see how it all unfolds!

Quarterly Updates: We'll make sure to keep everything fresh by updating it with the latest compiler and EVM versions, along with any changes in the L2 proof systems. Also, we’ll definitely keep our SOC2 evidence and Board materials up-to-date.
Co-source option: Here’s a neat idea: let your engineers join forces with our red team pros! Don't worry, we'll hook you up with some easy-to-use harnesses and CI gates. That way, you won’t end up with any holes where the consultants used to be.

Bundle up with:
Check out our security audit services to help you put together a strong corrective action plan. We’ll make sure you’re covered! Check out our blockchain integration services! We’ve got you covered for everything from oracles to custody solutions, HSM, and monitoring. Whether you need help with one thing or all of it, we’re here to make the process smooth and easy for you. If you're thinking about upgrading your bridge or messaging layer, check out our cross-chain solutions development services! We’ve got you covered.

Final word

Over the last 18 months, we’ve figured out something important: just because you’ve aced your audits doesn’t necessarily mean you’re all set to tackle the challenges out there in the real world. Wow, the landscape has really shifted lately, hasn’t it? With all the precision bugs popping up, those surprising blob fees catching everyone off guard, and the whole deal with permissionless fault proofs, things are looking pretty different. Not to mention the AA mempool rules shaking things up! It’s definitely an interesting time to be following this space. Your defenses have to keep up just as quickly. (research.checkpoint.com). At 7Block, our Red Teaming approach really focuses on those constantly changing targets. We don't just throw together a random security strategy; instead, we create one that's not only easy to test and repeat but also polished enough for board presentations. Plus, we make sure to keep your shipping dates and unit economics totally intact.

Absolutely! Here’s the scoop on how to set up your 90-Day Pilot Strategy Call. Just follow these steps:.