leastwood

@0xleastwood

3,738 Followers · 256 Following · 17 Media · 468 Statuses

Independent Security Researcher | Lead Security Researcher @SpearbitDAO | Fellow @paradigm | Warden & Judge @code4rena

127.0.0.1
Joined December 2018
@0xleastwood
leastwood
1 year
I'm honoured to have been involved with @0xPolygon zkEVM audit. They're one of the best protocols to work with in the space and I have a lot of respect for the team's professionalism.
@0xPolygonFdn
Polygon Foundation
1 year
Every component of Polygon zkEVM (including the prover) has been audited—and those audit reports are available on GitHub. How else could you DYOR? Read the findings from @spearbitDAO ’s security audit 👇🏽
28
272
417
3
19
252
@0xleastwood
leastwood
1 year
I think there are huge untapped opportunities to work in web3 security 🔒 that aren't EVM specific. Cairo and ZK circuits require two vastly different skillsets, yet there are hardly any proficient auditors in those spaces. 1/6
18
48
259
@0xleastwood
leastwood
1 year
Paid courses in smart contract security are really setting a bad precedent for the industry. Y'all really be selling people on the idea that they can make a lot of money when the reality is that only very few will. Don't be greedy when the field is already so lucrative.
31
19
215
@0xleastwood
leastwood
1 year
It seems like auditors commonly feel overwhelmed with large and complex codebases. This applies to everyone but especially newbies just getting started on their security journey. Here are some ideas on how I like to approach new codebases. 1/
6
48
204
@0xleastwood
leastwood
2 years
Super stoked to be invited to participate in the Fellowship. Can't wait to meet everyone at @paradigm !!!
14
0
200
@0xleastwood
leastwood
6 months
You’re joking if you think the best path forward is to onboard more auditors. Whitehats are scrappy, unlike most auditors. If you wanna be scrappy, learn to do what’s difficult and don’t be focused on the same shitty vulnerabilities as everyone else. Even if there is a market for
7
10
116
@0xleastwood
leastwood
11 months
Absolutely loving this new @code4rena profile feature!! 🔥🔥
4
1
97
@0xleastwood
leastwood
1 year
To be clear, I'm not entirely against paid courses, but in reality most of them tend to give off the grifter vibe. In an ecosystem which prides itself on open source tech, why do we feel the need to aggressively market through MLM and false promises? Your course website lures
9
6
91
@0xleastwood
leastwood
1 year
I often get asked what makes a good auditor great. So here are 3 key skills which I believe are the differentiating factor: 1. Curiosity to understand. 2. Desire to break things. 3. Ability to context switch between smart contracts. 🧵👇
2
14
84
@0xleastwood
leastwood
1 year
I'm excited to share another audit that I did alongside some others at @SpearbitDAO on Maple's V2 protocol. Had a blast working with @lucasmanuel_eth and the rest of the folks at @maplefinance on this one!
2
9
80
@0xleastwood
leastwood
6 months
Truth is, there is no single preventative measure that prevents protocols from being hacked, so stop pretending that there is. It is simply unsustainable to assume that 10% of TVL can be set aside and left unallocated. We need to define new frameworks for web3 hacks as they are
8
3
83
@0xleastwood
leastwood
5 months
auditors genuinely have so much alpha when it comes to investing in this space. countless times have I worked on incredibly promising projects with amazing codebases, only to miss out on putting $ in because I was too hesitant. time and time again I'm reminded to just follow my
5
3
72
@0xleastwood
leastwood
9 months
web3 security is much easier to learn than traditional security. Domain knowledge is pretty small, but the stakes are MUCH higher. Although, I do think it takes a different kind of creativity to catch interesting business logic bugs. Considering how lucrative it is, I wonder
14
0
63
@0xleastwood
leastwood
9 months
Bruh.
4
0
60
@0xleastwood
leastwood
8 months
Want to know how the top wardens perform at their best? Well here’s the secret to it all. @code4rena
6
0
61
@0xleastwood
leastwood
8 months
Auditing is easy if you exclusively work with trash clients
6
0
59
@0xleastwood
leastwood
1 year
All the resources to up-skill into this field are already publicly available, you just need to look for them and put in the time to get better.
6
2
55
@0xleastwood
leastwood
2 years
Had a lot of fun competing in my first CTF. Shoutout to @paradigm_ctf for hosting this. Now to brush up on my Cairo and Solana skills for next year!
1
0
50
@0xleastwood
leastwood
7 months
Name a better duo wen networking: exchanging telegrams🤝never messaging each other
6
2
49
@0xleastwood
leastwood
9 months
Now that keeping 10% of stolen funds is the new norm, will we start to see protocols introduce intentional bugs, attack the protocol and return 90% of funds to users while avoiding any legal action?
6
2
44
@0xleastwood
leastwood
1 year
Here's a dump of interesting ZK resources that I'm currently making my way through! Thanks for coming to my Ted talk. 6/6
5
4
41
@0xleastwood
leastwood
1 year
In NYC for the next month. Send me a message if you're also around and wanna meet 👋
1
1
43
@0xleastwood
leastwood
5 months
happy autismas 🎄 to my auditors out there with weaponised autism 🔫
4
3
42
@0xleastwood
leastwood
8 months
Pay-per-vulnerability audits sound like a great idea on paper and I do think they have their niche. But doesn't it promote seeking out projects that are likely to be riddled with bugs instead of prioritising high impact projects? Also I dislike the idea of having to fight clients
9
2
38
@0xleastwood
leastwood
10 months
Been @huff_language pilled these last couple of days. Can't believe I've been putting this off for so long!
3
2
39
@0xleastwood
leastwood
5 months
spearbit minimum wage got me down bad. I will now be asking my future clients to leave a small but minimal tip of 15% to support my future endeavours.
3
0
38
@0xleastwood
leastwood
2 years
It's Monday morning and the @paradigm_ctf has completely fried my brain.
2
1
38
@0xleastwood
leastwood
2 years
Hyped to compete in the @paradigm_ctf today! LFG @SpearbitDAO team.
1
2
34
@0xleastwood
leastwood
7 months
Pls can we bring bear market back
3
2
32
@0xleastwood
leastwood
9 months
I have 2 invite codes for @cantinaxyz that I'd like to give out to the right security researchers. Reply to this tweet and I'll distribute them later tonight ✌️
18
3
32
@0xleastwood
leastwood
1 year
Excited to take part in this interview later this week!!! Should hopefully have some good conversations 🔥
@andyfeili
Andy Li
1 year
Spearbit lead security researcher and code4rena judge @0xleastwood will be joining me for an interview to share his alpha this weekend. What do you want me to ask him?
26
2
117
0
1
30
@0xleastwood
leastwood
10 months
SEAL 911 is an important initiative with behind the scenes work by prominent individuals in the industry. It's about time we make it easier to contact the right people for when bad guys start doing bad things.
1
6
29
@0xleastwood
leastwood
2 years
Been meaning to write up an interesting and unintended bug I found while working on the @paradigm_ctf Cairo Proxy challenge. Here is my take. 🧵 1/5
3
3
31
@0xleastwood
leastwood
9 months
Looking to do a free review of some starknet/cairo code. DM me if this is of interest to you or point me to a fun project to work with.
6
4
29
@0xleastwood
leastwood
1 year
On the other end, ZK circuits have limited learning resources, but there is growing demand for anyone who is willing to spend the time to understand Circom and/or Halo2 circuits. 5/6
1
2
29
@0xleastwood
leastwood
8 months
Just realised my DMs have been closed to non-verified users this whole time. Let's hope I don't regret opening them up ...
3
0
27
@0xleastwood
leastwood
5 months
i still don’t get nfts
8
0
27
@0xleastwood
leastwood
6 months
what competitive advantage do traditional audit firms offer over reputable independent security researchers with a proven track record? it seems to me that it has never been easier to build your own brand in this space, so then would it not be fair that the best researchers are
6
0
26
@0xleastwood
leastwood
2 years
Excited to help lead this workshop!
@code4rena
Code4rena
2 years
Bogotá! 10/9/22, C4 Wardens will be sharing their favorite methods for securing smart contracts and participating in Code4rena audit contests. is the first of many global hackathons hosted by @sozuhaus and sponsored by @BitDAO_Official @MetaMask @G7_DAO
5
7
37
1
0
26
@0xleastwood
leastwood
5 months
without shitposting, crypto twitter is just another linkedin
4
1
26
@0xleastwood
leastwood
3 months
listen to the man on the screen, he's got something to say 🙈🙉
@eBTCprotocol
eBTC | Get Paid to Borrow Bitcoin
3 months
Security Matters w/ @0xleastwood & @SpearbitDAO During the development cycle, it is important to get as many different perspectives as possible. Learning from others and understanding what they observe and are thinking about can bolster a project's internal security acumen.
1
3
18
4
1
28
@0xleastwood
leastwood
7 months
my landlord doesn't take payment in crypto, ngmi
4
0
24
@0xleastwood
leastwood
1 year
I forgot to add this in. But looking for untested and undertested areas of code is a super underrated strategy for finding bugs.
1
1
23
@0xleastwood
leastwood
6 months
I just want a frog hat
3
0
22
@0xleastwood
leastwood
1 year
What an insane crossover!!!
@code4rena
Code4rena
1 year
We’re excited to officially announce that C4 has teamed up with @paradigm to scale our mission. Read more:
5
17
133
0
0
22
@0xleastwood
leastwood
7 months
+1
@lightclients
ً
7 months
im still going to istanbul
7
5
151
0
1
20
@0xleastwood
leastwood
4 months
look mum! the new security researcher music video dropped, we party just like normal people
@Hexen1337
Sipan V'artagnan
4 months
Crazy people, voodoo people! 🧙‍♂️🧙‍♀️
3
7
32
1
1
22
@0xleastwood
leastwood
9 months
LFG! We up and up!
@cantinaxyz
Cantina 🪐
9 months
🪐 Cantina Raise Announcement 🪐 Cantina has raised a $7M round to launch our web3 security marketplace: This would not be possible without @hiFramework leading the round as well as: @nascentxyz @1kxnetwork @VoltCapital @Breed_VC @robotventures
19
47
220
0
1
19
@0xleastwood
leastwood
1 year
You still need to keep up-to-date with the types of vulnerabilities you should be looking for. And hence I'd advise you read @code4rena reports. Try your luck auditing an older contest's codebase for a day or two before going through the report. 7/
3
0
18
@0xleastwood
leastwood
2 years
Would be cool if there was an open source tool for security researchers to track protocol upgrades. Whitehats would be able to react quickly to code changes and hopefully focus their efforts on "newer code". Maybe this is something @immunefi could build in-house?
4
2
20
@0xleastwood
leastwood
1 year
Under the hood, Cairo is a language used to write provable programs, powered by STARKs. However, Cairo's attack vectors are fairly consistent with other smart contract languages and hence experienced EVM auditors should not find it difficult to migrate over. 2/6
1
0
17
@0xleastwood
leastwood
1 year
Step 4. This is where I start thinking about ways to break any assumptions made by the developers. This is probably where you spend the least amount of time, but the time you spend here is most effective. All my best bugs are found in this part of the process! 5/
1
0
19
@0xleastwood
leastwood
5 months
the more degen the auditor’s work setup the better they are at crushing bugs 🐛
2
0
18
@0xleastwood
leastwood
1 year
Improper access control, arithmetic overflow and underflow, storage collisions and signature replay are all common issues found both in EVM and Cairo. Although, some attack vectors may not apply to newer compiler versions. 3/6
1
0
17
@0xleastwood
leastwood
1 year
Step 1. Have a base level understanding of what the protocol actually does before you dive deep into the code. What goals are they trying to achieve? I like to keep this as high level as possible without diving deeper into technical documentation. 2/
2
0
17
@0xleastwood
leastwood
4 months
Good to see my autism points have been nicely distributed
2
0
17
@0xleastwood
leastwood
8 months
@andyfeili 10k a month is a bit of an understatement for independent auditors. I would say that is close to the minimum that most audit firms are paying right now.
1
0
16
@0xleastwood
leastwood
1 year
Cairo programs typically have two key issues which differ from other smart contract stacks: 1. Finite field math is not intuitive for developers and often leads to mistakes. 2. Imported libraries expose all external functions even if they are not used by the base contract. 4/6
2
0
16
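The first point in the tweet above, that finite field math is unintuitive, is easier to see with numbers. The following is an added example, not code from the thread's author or from Cairo itself: plain Python arithmetic over the STARK prime field that Cairo's felt type uses, with a range check in the style of Cairo's range-check builtin (the bound 2**128 is assumed here as a stand-in for that builtin) showing how a wrapped result is caught.

```python
# Added example (not from the original thread): arithmetic in the Cairo felt field.
# P is the STARK prime used for Cairo field elements. Everything here is plain
# Python modelling field behaviour, not Cairo code.
P = 2**251 + 17 * 2**192 + 1

# Assumed bound for a range check: values must lie in [0, 2**128). Cairo's
# range-check builtin enforces a bound of this size; the constant is constructed
# here so the example runs stand-alone.
RANGE_CHECK_BOUND = 2**128


def felt_add(a, b):
    return (a + b) % P


def felt_sub(a, b):
    # No underflow revert as in Solidity >= 0.8: 1 - 2 wraps to P - 1.
    return (a - b) % P


def felt_mul(a, b):
    return (a * b) % P


def felt_inv(a):
    # Multiplicative inverse via Fermat's little theorem: a^(P-2) == a^-1 (mod P).
    if a % P == 0:
        raise ZeroDivisionError("0 has no inverse in the field")
    return pow(a, P - 2, P)


def felt_div(a, b):
    # Field division is a * b^-1. 6 / 2 == 3 as expected, but 7 / 2 is the
    # field element x with 2 * x == 7, which is (P + 7) / 2: neither 3 nor 3.5.
    return felt_mul(a, felt_inv(b))


def is_in_range(x):
    # Model of a range check: True only for small non-negative values.
    return 0 <= x < RANGE_CHECK_BOUND


def checked_sub(a, b):
    # Mitigation pattern: range-check the result so a wrapped value is rejected
    # instead of silently flowing on as a huge "balance".
    r = felt_sub(a, b)
    if not is_in_range(r):
        raise ValueError(f"subtraction wrapped: {a} - {b} -> {r}")
    return r


def checked_div_exact(a, b):
    # Only accept division that is exact over the integers; any other quotient
    # is a field element with no meaning as an amount.
    if b == 0 or a % b != 0:
        raise ValueError(f"{a} / {b} is not an exact integer division")
    q = felt_div(a, b)
    assert felt_mul(q, b) == a % P
    return q


if __name__ == "__main__":
    print("6 / 2  =", felt_div(6, 2))
    print("7 / 2  =", felt_div(7, 2))          # huge field element
    print("1 - 2  =", felt_sub(1, 2))          # P - 1, no revert
    print("in range?", is_in_range(felt_sub(1, 2)))
```

The two checked helpers show the defensive pattern: every felt that is supposed to represent a quantity gets range-checked, and division is only trusted when it is exact, because the field never fails on its own.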
@0xleastwood
leastwood
1 year
Step 2. Look for ways users interact with the codebase when things work the way they intend to. This is the part when you can start thinking about how to mess with certain components but you won't find the gnarly bugs here. 3/
1
0
15
@0xleastwood
leastwood
1 year
@sjkelleyjr no feeling worse than auditing a codebase where you don't find any criticals. that's when you question your sanity as an auditor
1
0
14
@0xleastwood
leastwood
1 year
Step 5. Profit?? It's important to understand that this won't necessarily make you a better auditor, it just makes the time you spend auditing a lot more effective. 6/
1
0
15
@0xleastwood
leastwood
1 year
It's really awesome to see platforms like @code4rena push security in the right direction. Spending $$$ on audits is the most effective way to preserve the future value of a project and it should never be neglected!
@bytes032
@bytes032.xyz
1 year
Inspired by @code4rena annual review, I made a monthly one for Dec 2022. The numbers are crazy $670.000+ paid to ~266 wardens and ~15 teams. 196 high-risk findings (41 unique) 649 med-risk findings (112 unique) Retweet if you want to see more of these.
5
14
76
0
0
14
@0xleastwood
leastwood
1 year
Step 3. Now I like to go deeper into the technical documentation once I've understood how the system works. This can be tedious and boring but it's 💯 necessary. 4/
1
0
14
@0xleastwood
leastwood
5 months
this is also why the big vc players have such talented security researchers working for them. they play two roles, first to perform continuous checks on their portfolio companies and secondly to vet any new investment opportunities.
0
0
13
@0xleastwood
leastwood
1 year
@officer_cia @opensensepw @mis4nthr0pic That person was also spamming the chats in the spearbit discord too
3
1
13
@0xleastwood
leastwood
5 months
this was truly the most unique and memorable experience i've had during my time in crypto. I love everyone and everything about @ethaly_io 🫶
@solidityslayer
Alexis Bed
5 months
It's been over a month since the first ever @ethaly_io , and I've been reflecting on what made this experience so unique. This was a special group of people in a magical place, curated with intentional open room for community, relaxation, and mental space to innovate.
5
35
117
3
0
14
@0xleastwood
leastwood
9 months
Bullish!
@cantinaxyz
Cantina 🪐
9 months
We’ve assembled some of the best minds web3 security has to offer for an alpha-packed space on the future of web3 security review models. This Friday at 10:30 AM EST via Twitter Spaces. Be sure to turn notifications on for when we go live!
6
12
92
1
1
10
@0xleastwood
leastwood
1 year
the vibe be vibin in nyc
3
0
12
@0xleastwood
leastwood
1 year
@0xe8C It was something that irked me for a bit, but it's been getting worse as more people partner up with the course creator. It goes against the whole ethos of this space where code and education should be open sourced.
2
0
12
@0xleastwood
leastwood
1 year
@agfviggiano @TheSecureum @tinchoabbate I think hands on experience is the best path to take. @TheSecureum is already doing a good job at providing the foundations needed for this.
0
0
11
@0xleastwood
leastwood
1 year
3. Ability to context switch between smart contracts. Good smart contract systems are typically modular, however, auditors often have to jump through multiple contracts to understand proper transaction flow. The ability to cache how these functions interact with each other is key
1
0
11
@0xleastwood
leastwood
1 year
2. Desire to break things. Thinking from the perspective of an attacker is a skill that a lot of developers do NOT have. Most interesting bugs tend to be related to improper integrations with external protocols or poor assumptions about how systems are intended to function.
1
0
11
@0xleastwood
leastwood
7 months
@agfviggiano Spearbit is the best of both worlds
1
0
10
@0xleastwood
leastwood
2 years
@paradigm_ctf Also thanks to @_hrkrshnn , @alexberegszaszi , @cmichelio and @leonardoalt for being absolute chad team members.
0
0
10
@0xleastwood
leastwood
2 years
@0xngmi @code4rena and @SpearbitDAO are already doing this!
0
1
10
@0xleastwood
leastwood
2 years
And now I'm expected to work???
2
0
10
@0xleastwood
leastwood
1 year
@Sabnock66 lmao, I'm ashamed to say I still point newbies to cryptozombies. idk what else to do 😅
2
0
9
@0xleastwood
leastwood
1 year
@2025Proj Maybe someone's gotta put together a roadmap for this with publicly available content. Although, I'm sure this has already been done. Secureum is a good example of this.
2
0
8
@0xleastwood
leastwood
1 year
1. Curiosity to understand. Most of an auditor's time is spent reading docs and understanding how users interact with the protocol. So it's important that this is something you ultimately enjoy.
1
0
9
@0xleastwood
leastwood
6 months
@cryptofishx I totally agree, the incentives are wacky. We are making this the norm so it is to be expected. White hats would be even more likely to hack and return funds instead of reporting the bug bounty directly to the team. Understandably, there are good reasons to do this too.
0
0
8
@0xleastwood
leastwood
1 year
For context, here is what's listed on the course website.
2
0
9
@0xleastwood
leastwood
6 months
@alpeh_v Fuarrr, how did we not think of this before. It’s flawless *chefs kiss*
0
0
9
@0xleastwood
leastwood
2 years
Considering a bunch of randos were involved in the Nomad hack, I wouldn't want to be caught holding the bag 💰 when chain analysis and exchanges start getting involved. I strongly suggest reaching out to the @nomadxyz_ team and returning stolen funds.
0
0
8
@0xleastwood
leastwood
1 year
@nauhcner I would not be the best person to answer this but I think you would need a decent grasp on algebra and elliptic curve math. 👇 is a good way to check for any knowledge gaps before getting started.
1
0
7
@0xleastwood
leastwood
1 year
1
0
8
@0xleastwood
leastwood
2 years
San Francisco here I come 🔥
2
0
8
@0xleastwood
leastwood
1 year
1
0
7
@0xleastwood
leastwood
9 months
@peak_bolt @1_00_proof most talented web3 security professionals are earning 300k+ a year. It's a much shorter time frame to hit the upper echelon of salary in this field than it is in web2.
0
0
7
@0xleastwood
leastwood
6 months
@dguido @Montyly I'm not advocating for solo audits, I think team audits are still the most effective way to review code. I wouldn't be surprised to see independent security researchers begin to team up more and more like this in the future.
2
0
7
@0xleastwood
leastwood
8 months
Gimme questions!
@ProofOf_Podcast
Proof Of Podcast
8 months
Tomorrow we will be interviewing @0xleastwood !! What questions do you have for him?
4
1
32
1
0
7
@0xleastwood
leastwood
5 months
@bytes032 i mean there is no reason why you couldn’t have dumped the 30k in tokens after being paid right? unless it was super illiquid, then they are really just scamming you lmao
2
0
7
@0xleastwood
leastwood
10 months
@0xz80 They don't seem to be very good at it. They keep blowing up the same balloon for some reason
1
0
7
@0xleastwood
leastwood
6 months
@sockdrawermoney i have so much respect for you, so really nice to hear this from you:)))
1
0
6
@0xleastwood
leastwood
9 months
@StErMi @SpearbitDAO wen Liquity guild?
3
0
6
@0xleastwood
leastwood
8 months
@pcaversaccio Easy to get away with it too if you only audit projects that will never succeed, keeping your reputation "safe"
0
0
6