About us | Composable Security

2017

Beginnings of SCSVS

Each of us has been dealing with traditional IT security for over 6 years, cooperating with the largest banks in Poland, fintech, and modern technologies from around the world. Damian, shortly after his first cooperation with a cryptocurrency exchange, became immersed in smart contracts and blockchain technology. As an experienced software engineer, he quickly learned Solidity and noticed that there were no standard thanks to which developers could avoid the common security vulnerabilities that appeared at that time. At the end of the year, he shared the idea of creating SCSVS with Paul and work slowly started as a side project.

Hyperledger and custom blockchain implementations

In the beginning, most of the projects we handled were custom either blockchain implementations or centralized exchanges. The crypto exchanges needed to secure their web and mobile applications, taking into account completely new threats resulting from the nature of blockchain. As we were exploring these threats, we learned more and more about Solidity and blockchain technology itself. We stored knowledge in the form of new checks for SCSVS and published several blog posts about how to secure a crypto exchange and some of the custom blockchain implementation security risks.

2019

SCSVS v1

After over a year of working on the Smart Contract Security Verification Standard, as a side project, we released the first version. That was the first security standard for smart contracts written in Solidity that could be used by both developers and smart contract auditors. We based it on the well-known OWASP ASVS, which we have often used at work. To this day, it is one of the most comprehensive smart contract audit checklists.

We shared knowledge at conferences

From the very beginning, we have made sure to share knowledge and what we have researched ourselves. We have been speakers at conferences such as ETHcc, AppSec Global, ETHWarsaw, Web3 Security Conference, and more. This is an integral part of the work of a smart contract auditor. We were among the first to discuss the importance of threat modeling and shifting left. We observed the best security practices in web2 and what brought results for customers. We want to do the same for web3 projects.

2022

Composable Security creation

Even though the company was founded in August 2022, as you can see we have contributed to the space since 2017. By then, we had already managed to cooperate with many fantastic projects like FujiDAO, Enjin, Tellor, DefiEdge and saved millions of dollars through non-public actions with one of the big exchanges. This is an important date for us because Pawel and Damian have decided to completely devote themselves to smart contract security at this point. This is a completely new challenge that we want to meet while remaining true to our values.

Difficult beginnings

Starting a business turned out to be even more time-consuming than we thought. Wanting to provide very high quality to the customer, actively working on brand recognition, and trying to continue to contribute was a challenge. We currently spend much more time on threat modeling and attack vector detection as it has proven to be very valuable to the projects we work with. Then, we additionally started consulting these attack vectors with teams to search for smart contract security vulnerabilities even more effectively.

2023

First year on our own terms

This year was great. We have helped many projects increase security. However, what makes us most happy is that the customers we have served come back to us. From the very beginning, we have tried to treat the people we work with as team members. Together, we tried to make their project safe so that nothing could stand in their way to success. The fact that they trust us brings great responsibility, but also satisfaction. This assures us that what we do brings value.

War Room Games 1st place

During EthCC, Damian and other Team16 members (@cairoeth, @dgrabec, @danielvf) won first place at War Room Games organized by Tenderly, Yearn, and yAudit. Networking during crypto conferences is great, but hacking together is another level of friendship. A memorable tweet from this event can be found here.

Security Guide publication

Our next big side project apart from SCSVS was the Security Guide. We have noticed that many teams focus only on the security of smart contract audits, which is not always the best solution. We decided that it was worth creating material that projects could use to make decisions being aware of available options. This resulted in the creation of an over 100-page e-book, which you can download for free here.

Research supported by Uniswap Foundation grant.

We are contributing to security research exploring the “malicious design space” of UniswapV4 hooks. The aim of the research is to raise awareness about potential security threats and provide resources that will help understand the threat landscape and analyze the security of the UniswapV4 hooks. Thanks to this, we have created a lot of valuable publications that you can read on our blog and a completely new SCSVS C9 category: Uniswap V4 Hook.