Cymetrics Tech Blog

I'm honored to have the opportunity to share my journey in certification and learning at CYBERSEC 2025. The Red Team is responsible for simulating real-world attacker behaviors, aiming to test an organization’s defenses, identify potential security weaknesses, and evaluate how well a company can respond under actual attack scenarios.At Cymetrics, services such as external exposure assessments, vulnerability scanning, penetration testing, red team engagements, and even social engineering are all part of the Red Team’s toolkit and testing scope.However, effective Red Teaming goes far beyond intuition. It often demands unconventional thinking, the discovery of hidden attack vectors, and the exploitation of subtle system vulnerabilities. So what else does it take to become a qualified Red Teamer? That’s right, certifications!In many Red Team engagement tenders, the required certifications are clearly listed. Reference guidelines for Red Team operations often specify certifications like OSCP, CPENT, or CPSA as minimum qualifications or mandatory requirements.

In the first half of 2024, significant progress was made in the cryptocurrency space. The U.S. Securities and Exchange Commission (SEC) approved a spot Bitcoin ETF in January, followed by the approval of a spot Ethereum ETF in July.Meanwhile, on April 23, the Hong Kong Securities and Futures Commission (SFC) approved three asset management companies—Bosera International, China Asset Management, and Harvest Global Investments—to issue spot Bitcoin and Ethereum ETFs. These products were officially listed on exchanges on April 30.The DeFi sector subsequently experienced diversified and vibrant development. Driven by market anticipation of regulatory policies, Bitcoin surpassed the $100,000 mark. According to statistics from DeFiLlama, on January 1, 2024, the total value locked (TVL) in DeFi stood at $54.162 billion. As of now (December 2024), the TVL has risen significantly, exceeding $100 billion.These changes symbolize the integration of crypto assets into traditional financial markets, bringing more diversified services, investment opportunities, and potential returns.

In Solidity, randomness is often applied in lotteries, NFT generation, GameFi, and so on, to distribute prizes or determine the rarity and appearance of game items and other characteristics. The authenticity of the randomness used in decentralized applications directly impacts user rights. If the random outcome can be predicted or manipulated, it undermines the principle of fairness pursued by decentralized applications. Using visible information when generating random numbers in Solidity can lead to vulnerabilities related to pseudo-randomness.This article will delve into the issues of randomness in Solidity and its potential risks, providing effective solutions to help developers protect smart contracts from such vulnerabilities.

# What is Access Control ?Access control refers to "who can perform a specific action," which is crucial in the world of smart contracts. The access control of a contract can determine which roles can mint tokens, vote on proposals, freeze transfers, and execute many other essential functions. Properly implementing access control is vital to prevent unauthorized actors from performing actions.In OpenZeppelin, there are two primary ways to implement access control: Ownable and Role-Based Access Control (RBAC).Ownable grants control to the contract owner, making it suitable for simpler applications.When multiple roles or permission levels are involved, RBAC provides more granular control, enabling different roles to perform specific functions.

# What is Denial of Service ?In Solidity, Denial of Service (DoS) is a common vulnerability type that disrupts the expected execution of contract functions by exhausting resources or blocking the contract’s operation. In the blockchain world, code represents the flow of funds or the execution of internal logic. In severe cases, DoS can directly result in asset or fund immobilization, leading to losses for users or protocols.This article will introduce several common DoS scenarios:Unbounded loopIntegration/Logical errorRefund failed

Would you like to understand the pitfalls encountered in developing OpenAI?Would you like to understand how to unlock Embeddings and Retrieval-Augmented Generation to enable GPT models to generate meaningful content, even without the unique know-how of enterprises? Then hurry up and click in, and leave with a wealth of knowledge!

I'm glad that I can share some interesting insights that I've been following daily at CYBERSEC 2023 Taiwan. Red-Blue confrontation happens all the time. Red team uses new vulnerabilities and techniques to attack, while Blue team can use various mechanisms and protection to interrupt the attack. This article will introduce some useful tips and tools.

Content distribution networks (CDNs) are an important part of the modern Internet, providing fast and reliable connections and network resources to users around the world. However, while CDNs offer many benefits, they also introduce new security risks that many people may not be aware of. In this article, we'll explore the hidden dangers of CDNs and examine why CDNs may not be as secure as you think. Explore how to protect yourself and your business from these potential security risks that CDNs might introduce. This article will help you better understand the potential risks involved with CDNs and how to mitigate them.