Crypto & Blockchain

Pentest for Crypto, Blockchain and Web3

Offensive security in exchanges, custodians, smart contracts, DeFi, NFT and blockchain infrastructure.

90% manual · 10% automated
OSCP · CISSP · CRTO · GPEN
BR · PT · IT · ES · MA · US · AU
OWASP · MITRE · PTES · NIST

Why now

The real pain

Crypto is real money held in smart contracts whose transactions cannot be reverted. Contract bugs have cost billions in recent hacks. A compromised exchange burns its customers. CVM regulation is now in force: there are fines and civil liability for technical failures.

Applicable regulation

Lei 14.478/2022 (Marco Cripto) · BACEN · CVM · FATF/Travel Rule · LGPD

/attack-surface

Vectors we test in crypto & blockchain

Every engagement is designed for your environment. The points below are part of our standard playbook for this sector — final scope is adapted to your stack and contract.

01

Smart contract

Solidity, Rust, Move. Reentrancy, integer overflow, access control, front-running.

02

Exchange and custodian

Hot wallet, cold wallet, MPC, HSM, withdrawal process.

03

Bridge and cross-chain

Message validation, replay, validator failure.

04

DeFi and DEX

AMM, oracle manipulation, flash loan, sandwich attack.
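Oracle manipulation via flash loan is the combination of two of those items, so here is the shape of the bug and of a guard, as an added example that is not code from this page or from intrus.io. IPair is modelled on Uniswap V2's getReserves(); IReferenceOracle is a hypothetical trusted feed (a TWAP or an external oracle), and VulnerableLender, SafeLender and MAX_DEVIATION_BPS are illustrative names.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not code from the page. IPair mirrors a constant-product
// pool's reserve getter; IReferenceOracle is a hypothetical reference feed.
interface IPair {
    function getReserves()
        external
        view
        returns (uint112 reserve0, uint112 reserve1, uint32 blockTimestampLast);
}

interface IReferenceOracle {
    // Price of token0 in token1, scaled by 1e18.
    function price() external view returns (uint256);
}

// Spot price of token0 in token1 (scaled 1e18) read straight from reserves.
// In a constant-product pool this is reserve1 / reserve0, which a single large
// swap (funded by a flash loan) can move arbitrarily within one transaction.
library SpotPrice {
    function fromReserves(uint112 r0, uint112 r1) internal pure returns (uint256) {
        require(r0 > 0, "empty pool");
        return (uint256(r1) * 1e18) / uint256(r0);
    }
}

// Lender that values token0 collateral at spot. Attack in one transaction:
// flash-loan token1, buy token0 from the pool (reserve1/reserve0 jumps),
// deposit token0, borrow against the inflated value, swap back, repay the loan.
contract VulnerableLender {
    IPair public immutable pair;

    constructor(IPair p) {
        pair = p;
    }

    function collateralValue(uint256 token0Amount) public view returns (uint256) {
        (uint112 r0, uint112 r1, ) = pair.getReserves();
        return (token0Amount * SpotPrice.fromReserves(r0, r1)) / 1e18;
    }
}

// Same valuation, but spot is only accepted within MAX_DEVIATION_BPS of an
// independent reference price, and the lower of the two is used.
contract SafeLender {
    IPair public immutable pair;
    IReferenceOracle public immutable oracle;
    uint256 public constant MAX_DEVIATION_BPS = 200; // 2 %

    constructor(IPair p, IReferenceOracle o) {
        pair = p;
        oracle = o;
    }

    function collateralValue(uint256 token0Amount) public view returns (uint256) {
        (uint112 r0, uint112 r1, ) = pair.getReserves();
        uint256 spot = SpotPrice.fromReserves(r0, r1);
        uint256 ref = oracle.price();
        uint256 diff = spot > ref ? spot - ref : ref - spot;
        require(diff * 10_000 <= ref * MAX_DEVIATION_BPS, "spot deviates from reference");
        // Value at the lower price so a manipulated pool can only hurt the borrower.
        uint256 price = spot < ref ? spot : ref;
        return (token0Amount * price) / 1e18;
    }
}
```

Worked numbers (fees ignored): a pool holding 1000 token0 and 1000 token1 quotes spot 1.0. Swapping 9000 flash-loaned token1 in keeps x*y = 1,000,000, so reserves become 100 token0 / 10,000 token1 and spot reads 100.0. VulnerableLender now values 1 token0 of collateral at 100 token1; SafeLender reverts because the reference feed still says about 1.0. The deviation check does not replace a proper TWAP or external oracle, it only stops the lender from trusting a reserve ratio that moved within the same block.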

05

Compliance and Travel Rule

KYC/AML, bureau integration, transaction monitoring.

/methodology

Genuinely manual pentest

Automated scanners find what's documented. Real attackers find what isn't. 90% of the work is manual — performed by specialists holding OSCP, CISSP, CRTO and GPEN.

01 · Reconnaissance

Target mapping, OSINT, footprint, sector-specific threat modeling.

02 · Discovery

Deep enumeration, complementary scanning, manual exposure identification.

03 · Exploitation

Manual validation with controlled PoC, finding chaining, escalation.

04 · Report

Executive + technical, step-by-step replication, mapped to applicable regulation.

/why-trust

Who has trusted our work

Engagements in regulated crypto markets.

Caixa Econômica Federal
Banco BMG
iFood
ArcelorMittal
Multibanco
Polícia Federal
Fórmula 1
OpenFinance

Technical assessment recognized in highly regulated, mission-critical environments — the pentest that finds what nobody had found before.

Douglas Lopes

Founder · CEO · intrus.io

/faq

FAQ — Crypto & Blockchain

Do you audit smart contracts?

Yes. Solidity, Rust, Move. Static, dynamic and manual code review.

Do you serve exchanges in BACEN/CVM licensing phase?

Yes. The pentest report can form part of the technical dossier for VASP licensing.

/contact

Ready for a serious pentest in crypto & blockchain?

Schedule a confidential meeting. Within 48h we'll send a proposal with scope, timeline and pricing.