Neyro's non-custodial model places a single smart contract directly between users and their USDT. Before opening that contract to the public, Neyro ran it through both stages of Hacken's Dual Defense, a full smart contract audit followed by a crowdsourced audit on HackenProof. The audit identified and remediated every deposit-logic and access-control issue that could disrupt operations or trap funds. The crowdsourced phase, run by 43 independent researchers, introduced no additional vulnerabilities beyond those already identified during the Hacken audit phase.
What is Neyro?
Neyro is a non-custodial AI trading platform where users deploy personalized agents that execute strategies on-chain 24/7 while capital stays in the user's own wallet. Users connect a Web3 wallet, define their own risk rules, and let agents such as Quantum Alpha, Neyro's first live agent, run structured strategies through smart contracts.
The security-critical component is deliberately narrow: a role-based liquidity depositor on BNB Smart Chain that holds user USDT and, on operator command, deposits it into a preconfigured PancakeSwap V3 position with slippage protection. Because user funds remain governed by that contract rather than a custodian, its correctness is the platform's trust boundary.
The Challenge
The contract is minimalist, with a small attack surface, but it holds user funds and interacts with an external PancakeSwap V3 PositionManager. The relevant risk areas are the contract's assumptions about token ordering and single-sided liquidity provision, its slippage handling under normal price movement, the scope of token approvals granted to the external contract, the concentration of admin and operator privileges, and fund recoverability under edge conditions such as USDT blacklisting, position-NFT ownership, and accidental token transfers.
How Hacken Delivered
1. Smart Contract Security Audit
Hacken conducted a full code review and security analysis of Neyro's liquidity contract, then re-verified every fix against the updated deployment. The audit produced 16 findings, none of them Critical or High severity. Two Medium and three Low issues were identified and addressed, with the remaining observations either mitigated or formally accepted with documented reasoning.
2. Deposit-Logic Findings
The most significant findings were in how the contract added liquidity, the kind of logic errors that cause user-facing failures with no attacker involved. The contract assumed a fixed ordering for the two tokens in its PancakeSwap position. When the pool's ordering differed, deposits would fail outright and user USDT would add zero liquidity and idle in the contract instead of being put to work. Hacken flagged it, and the fix now detects the correct ordering automatically and rejects any pool that does not include USDT.
Two further issues affected reliability. The contract allowed no slippage at deposit time, so ordinary price movement between submission and execution would cause deposits to revert and leave funds undeployed. Hacken introduced a 0.5% tolerance to keep deposits working under normal market conditions. Separately, the contract discarded the confirmation data returned after each deposit, meaning a failed or partial deposit could go unnoticed. The fix records the result of every deposit so it can be verified off-chain.
3. Access Control and Fund-Recovery Review
The contract granted the external PancakeSwap contract unlimited permission to move its USDT, with no way to revoke it. Any future compromise of that dependency could have drained the full balance in a single transaction. Hacken replaced this with a pattern that approves only the exact amount needed for each deposit and resets it immediately afterward.
Beyond individual fixes, Hacken documented the contract's centralization and recoverability profile so Neyro could operate it deliberately: a single admin key with no timelock or multisig, permanent binding to fixed external addresses, and several edge conditions under which funds could become unrecoverable, including token blacklisting, position-NFT ownership ambiguity, and accidental transfers with no rescue path. Each was mitigated or formally accepted with the reasoning recorded.
Results: Zero Critical and High Severity Findings

Neyro completed both stages of Dual Defense with no Critical- or High-severity vulnerabilities. Every Medium finding was fixed or formally accepted, most Low findings were fixed and re-verified, and the crowdsourced audit produced no additional critical findings. No finding was left unaddressed.
Key changes delivered:
- Deposits no longer fail when the pool's token ordering differs; the contract now detects it automatically
- Deposits stay reliable under normal price movement instead of reverting on any change
- The external contract's access to funds is now limited to each deposit rather than unlimited and permanent
- Every deposit is recorded so a failed or partial one can be caught
Read the full Neyro Smart Contract Audit report
Dual Defense: Crowdsourced Validation
An audit certifies the code under one expert team. Dual Defense tests that conclusion against many independent security researchers with a reward pool of up to $4,000. The remediated contract was opened to a HackenProof crowdsourced audit scoped to Critical severity, with a working proof-of-concept required for every submission.
The program engaged 43 researchers and produced 69 reports. HackenProof triage reviewed all of them and confirmed that every finding corresponded to an issue or risk already identified in the Hacken audit. No critical vulnerabilities were found and no valid bugs were escalated.
What This Means for Neyro Users and Partners
For users: the contract handling deposited USDT has been reviewed against concrete attack scenarios by Hacken and independently re-tested by external researchers.
For the Neyro ecosystem and partners: a completed Hacken audit and a crowdsourced audit together form a publicly verifiable security record for the platform's core execution contract.
For the broader market: layering an independent crowdsourced review on top of a completed audit sets a higher bar for verifying non-custodial contracts before they hold user funds.
About Hacken's Dual Defense
Dual Defense combines a Hacken smart contract audit with a HackenProof crowdsourced audit, applying both expert review and adversarial breadth to the same code.



