Why Most Web3 Vulnerabilities Come From Design, Not Exploits
Author: On The Block (by Espeo Software)
Uploaded: 2026-01-29
Views: 12
Description:
About Zealynx
Zealynx helps DeFi and Web3 teams secure every layer of their projects, from smart contracts to dApps and infrastructure audits. With 50+ clients (including Lido and Uniswap), we offer expert audits, penetration testing, and hands-on support tailored to your needs.
Learn more or request an audit: https://zealynx.io
Smart contract audit explained end-to-end — how security reviewers actually work, what they look for, and why adding security too late destroys Web3 projects.
In this episode of On the Block by Espeo Software, Agnieszka sits down with Carlos (BLOQARL) — founder and smart contract security expert at Zealynx — to break down real-world auditing workflows, the most common vulnerabilities auditors uncover, and how modern security teams think like attackers.
This conversation goes far beyond theory. We cover how audits are performed line by line, why logic bugs are often more dangerous than complex exploits, how fuzzing and black-box penetration testing work in practice, and why Web2 security (frontends, APIs, infrastructure) still matters in Web3.
You’ll also learn how AI is changing security on both sides — empowering auditors, attackers, and developers alike — and what founders and investors should realistically expect from audits today.
💬 Question for you: What’s the #1 security practice your team still postpones — and why? Drop it in the comments.
00:00:00 Intro + why Web3 security decides survival
00:00:40 How a smart contract audit works (process + mindset)
00:02:35 “Follow the money” + finding access control / validation gaps
00:03:27 AI as an auditor’s helper (and why it matters)
00:04:10 Meetings, context gathering & questionnaires before audits
00:07:42 Auditing is more than reading code: project knowledge & scope
00:08:00 Fuzzing explained (tester army analogy)
00:11:32 Most common smart contract vulnerabilities seen in audits
00:13:41 The terrifying one: secrets / private keys in plain text
00:14:32 “Surprising” vulns that break the whole system
00:16:10 Web2 vs Web3: why you need more than a contract audit
00:17:15 Pen testing + TypeScript audits for the Web2 surface
00:18:21 Black-box pen testing (pros/cons + OWASP checks)
00:19:36 Myth: “security means higher gas costs”
00:21:18 Use proven libraries vs reinventing wheels (ERC20, multisig)
00:22:47 Why Carlos shares knowledge publicly (Twitter/YouTube writing)
00:28:07 Web2 testing vs Web3 testing (and why you need both)
00:29:15 Solana vs Ethereum testing complexity (Foundry vs Anchor)
00:30:48 Are clients more security-aware now?
00:32:19 The future of smart contract security (bounties, tooling, AI ideas)
00:34:39 AI: attackers, auditors, and vibe coding — who wins?
00:38:08 Finding & mentoring security talent (interns → hires)
00:43:15 One Web3 security rule to remember