👋 Welcome to the November Edition
In this November edition of Quill Sentinel, we uncovered 65 vulnerabilities across eight major chains, analyzed a key DeFi exploit, launched the Real-World Assets Handbook, and expanded collaborations aimed at strengthening the global security ecosystem.
Here’s everything you need to know from the month, from research shaping DeFi and RWA security to the latest attacks, audit insights, and community partnerships.
From the Quill Research Desk
Our latest research focused on protocol design, DeFi infrastructure, and the evolving architecture of Real World Asset tokenization, including on-chain settlement and redemption flows and emerging standards shaping compliant RWA systems.
Real-World Assets Handbook Launch
This month, we introduced the Real-World Assets Handbook, a comprehensive, end-to-end guide to bringing real-world assets on-chain. It breaks down how RWA systems are built in practice, covering tokenization standards, custody and settlement workflows, ecosystem architecture, and global regulatory considerations.
Built for developers, auditors, founders, and institutions, the handbook offers a clear and practical framework for navigating the technical and compliance challenges of tokenizing real-world value.
➡️ Read the RWA Handbook: https://www.quillaudits.com/research/rwa-development
Alongside the handbook, three research pieces went deeper into how real-world assets move on-chain in practice: settlement and redemption mechanics, the interface standard emerging for compliant tokens, and the trust assumptions built into the language the contracts are written in.
RWA Settlement & Redemption: This deep dive breaks down how tokenized RWAs are settled and redeemed across custodians, issuers, and on-chain contracts, highlighting critical failure points, off-chain dependencies, and security considerations that arise when bridging legal ownership with programmable settlement flows.
Understanding ERC-7943: We analyzed ERC-7943, a minimal, compliance-aware interface for tokenized real-world assets, explaining how it standardizes freezes, enforcement transfers, and authorization checks while preserving DeFi composability, making it a key building block for interoperable, regulated RWA protocols.
The Future of Solidity: We published a deep technical analysis on Solidity’s transition toward Core Solidity, outlining the most significant shift in the language since its creation. The piece breaks down why Classic Solidity is being re-architected, what upcoming breaking releases (0.9 and beyond) mean for developers, and how Core Solidity aims to improve safety, formal verifiability, and long-term maintainability for smart contracts across Ethereum and L2s.
Hack Watch
November underscored how both protocol design flaws and key management failures continue to dominate the threat landscape. Yearn Finance suffered a $9M loss on Ethereum due to a protocol logic vulnerability, highlighting how complex yield strategies and legacy assumptions can still break under edge conditions. Balancer experienced the largest incident of the month, losing $128M after a critical flaw in its protocol logic was exploited, reinforcing the systemic risk posed by invariant and accounting errors in highly composable AMMs.
Beyond DeFi-native exploits, private key compromises remained a persistent attack vector. Upbit lost $36M on Solana after an EOA compromise, while GANA Payment suffered a $3.1M loss on BNB Chain, once again demonstrating how centralized key custody remains a single point of failure. Moonwell was also impacted by a $1M oracle manipulation attack on Base, exposing how weak price validation and oracle dependencies can be abused in lending protocols.
Yearn’s yETH weighted stableswap pool was drained when an attacker fed extreme imbalance inputs into the pool’s iterative fixed-point invariant solver. The solver’s result was used to mint far more LP tokens than the deposit justified, breaking the pool invariant and triggering an arithmetic underflow; roughly $9M in LSTs and WETH was removed. The root cause was unresolved numerical weakness in the legacy yETH implementation combined with the absence of strict domain checks on solver inputs, so an out-of-range input that should have been rejected instead cascaded into a full pool drain.
Balancer V2’s Composable Stable Pools were hit by a precision exploit in the protocol’s scaling math. Balances are scaled up to a common 18-decimal representation and back down again, and the two directions did not round symmetrically, so small truncation errors could be induced at will and, repeated, systematically eroded the pool invariant. The attacker weaponized this with carefully constructed swaps that depressed the computed invariant and allowed BPT to be redeemed at a discount, draining over $128M across the chains where the pools were deployed.
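The rounding-direction failure described in the Balancer paragraph, and the lesson shared with the Yearn incident that every step of a pool’s fixed-point arithmetic must round in the pool’s favour and the invariant must be re-checked after each state change, as an added example that is not Balancer, Yearn or QuillAudits code. It uses a constructed two-token constant-product pool with mismatched decimals (6 and 18) scaled to a common 18-decimal representation; the pool, the amounts and every function name are assumptions for illustration, not anything from the affected protocols. The vulnerable and hardened variants share the same quoting math and differ only in the rounding direction of the final downscale of the input amount.

```python
"""Illustrative model of the rounding-direction bug class (added example, not
Balancer or Yearn source).  A toy constant-product pool whose two tokens have
different decimals is scaled to a common 18-decimal internal representation.
Python ints stand in for uint256 fixed-point arithmetic."""

from dataclasses import dataclass


class InvariantViolation(Exception):
    """Raised when a swap would leave the pool invariant lower than before."""


def ceil_div(a: int, b: int) -> int:
    """Integer division rounding towards +infinity (a >= 0, b > 0)."""
    return -(-a // b)


@dataclass
class Pool:
    # Raw balances in each token's native decimals (constructed example:
    # a 6-decimal stablecoin-like token against an 18-decimal token).
    reserve_in: int
    reserve_out: int
    dec_in: int = 6
    dec_out: int = 18

    def scale_in(self) -> int:
        return 10 ** (18 - self.dec_in)

    def scale_out(self) -> int:
        return 10 ** (18 - self.dec_out)

    def invariant(self) -> int:
        """Constant product k over the upscaled (18-decimal) balances."""
        return (self.reserve_in * self.scale_in()) * (self.reserve_out * self.scale_out())

    def required_input_internal(self, amount_out_internal: int) -> int:
        """Smallest dx (18-dec) with (r_in + dx) * (r_out - out) >= r_in * r_out.
        Rounds up, i.e. in the pool's favour, as an exact-out quote must."""
        r_in = self.reserve_in * self.scale_in()
        r_out = self.reserve_out * self.scale_out()
        if not 0 < amount_out_internal < r_out:      # domain check on solver input
            raise ValueError("amount out must be positive and below the reserve")
        return ceil_div(r_in * amount_out_internal, r_out - amount_out_internal)


def swap_exact_out(pool: Pool, amount_out_raw: int, *, round_input_up: bool,
                   guard: bool = False) -> int:
    """Buy `amount_out_raw` raw units of the out-token; return the raw in-token
    amount the user actually pays.

    round_input_up=False reproduces the bug class: the 18-decimal quote is
    truncated when converted to the in-token's 6 decimals, so the user pays up
    to scale_in - 1 internal units less than the invariant requires.
    round_input_up=True is the hardened form.  guard=True adds the
    post-condition that the invariant never decreases."""
    k_before = pool.invariant()
    dx_internal = pool.required_input_internal(amount_out_raw * pool.scale_out())
    if round_input_up:
        dx_raw = ceil_div(dx_internal, pool.scale_in())
    else:
        dx_raw = dx_internal // pool.scale_in()       # truncates in the user's favour
    pool.reserve_in += dx_raw
    pool.reserve_out -= amount_out_raw
    if guard and pool.invariant() < k_before:
        raise InvariantViolation(f"k fell from {k_before} to {pool.invariant()}")
    return dx_raw


def simulate(rounds: int, *, round_input_up: bool) -> dict:
    """Run `rounds` identical small exact-out swaps against a fresh 1:1 pool and
    report how the invariant and the user's net position moved."""
    pool = Pool(reserve_in=1_000_000 * 10**6, reserve_out=1_000_000 * 10**18)
    k0 = pool.invariant()
    # 1.5e-6 of the out-token per swap: the input quote is ~1.5e12 internal
    # units, which truncates to a single raw unit (1e12 internal) of the 6-dec token.
    amount_out_raw = 1_500_000_000_000
    paid_raw = sum(swap_exact_out(pool, amount_out_raw, round_input_up=round_input_up)
                   for _ in range(rounds))
    return {
        "k_before": k0,
        "k_after": pool.invariant(),
        "paid_internal": paid_raw * pool.scale_in(),
        "received_internal": amount_out_raw * rounds * pool.scale_out(),
    }


if __name__ == "__main__":
    for up in (False, True):
        r = simulate(1000, round_input_up=up)
        print("round_input_up=%s  k moved %+d  user paid %d, received %d"
              % (up, r["k_after"] - r["k_before"], r["paid_internal"], r["received_internal"]))
```

Running the script shows the two variants side by side: truncating the input quote lets the user take 1.5e12 internal units of the out-token for 1e12 of the in-token on every swap, and the product invariant falls monotonically; rounding up charges 2e12 and the invariant never decreases. The `guard` flag is the cheap defence that does not depend on knowing where the rounding error originates: compute the invariant before and after a state change and revert if it fell.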
QuillAudits Stats
A quick look at our November audit activity and how we helped secure the Web3 ecosystem.
Community Highlights
November was all about collaboration, sharing security insights, mentoring founders, and empowering the next wave of Web3 builders to build safely and scale confidently.
CEX vs DEX Perpetuals - Can On-Chain Perps Finally Compete?
Last month, we hosted a Twitter Space on whether on-chain perpetuals can compete with CEXs at scale. We discussed the core trade-offs around latency, liquidity, and liquidations, and how improvements in oracles, risk engines, and protocol design are steadily narrowing the gap.
➡️ Listen to the full Space: https://x.com/i/spaces/1lPKqvpqaDEGb/peek
Strengthening Audit Integrity with Hypersign
We partnered with Hypersign to integrate KYC directly into our audit lifecycle, strengthening trust, transparency, and compliance across the projects we review. This collaboration enables faster, fraud-resistant onboarding while reducing regulatory risk, an important step for teams building scalable DeFi, RWA, and Web3 infrastructure.
Audit-to-Monitoring Security Partnership with Guardrail
QuillAudits partnered with Guardrail to deliver end-to-end Web3 security coverage. While our audits establish a strong pre-deployment security foundation, Guardrail’s real-time on-chain monitoring adds continuous post-deployment protection. Together, we enable projects to detect threats as they emerge and stay secure throughout their entire lifecycle, from audit to live production.
Want to partner with us or get your project audited? Get in touch.
Have a great day,
Team QuillAudits