Lead Auditor, World Class Smart Contract Security @guardianaudits. $3,400,000,000+ Protected.
Follow for everything you need in the world of Web3 Security.👇
Join the exciting world of Web3 Security and rise in the ranks as a skilled Security Researcher:
→ In. One. Free. Course. ←
20+ hours of EVERYTHING Web3 Security + curated projects & assignments to solidify the knowledge.
With this course, I'm announcing @intogateway 🧵
At this point I've audited a couple *hundred* Smart Contracts.
Along the way, I've picked up a number of things that more often than not... lead to Critical bugs/vulnerabilities.
So I decided to compile them all and share them with you.
→ 17 Common attack vectors I always try
Everything you need to become a skilled Web3 Security Researcher.
→ 12 MORE hours of the free @intogateway Web3 Security Course ←
Totaling 23+ hours of EVERYTHING Web3 Security + curated projects & assignments to solidify the knowledge.
Here's everything in Part 2️⃣ 🧵
If I started doing this sooner I honestly think I would be 5x better at auditing by now...
Here's the simple system I'm using to crystalize my experience.
• Helps me learn, remember, free my mind
• Others get everything I've learned + my audit systems
The "Auditing Brain"🧵
Uniswap V3 is notorious for being one of the most complex DeFi protocols there is.
Here's everything you need to know to understand it, as simply put as possible. 🧵👇
Want to become a more advanced Web3 Developer/Auditor?
Then it's crucial to understand how memory works at a low level.
I compiled exactly what you need to know in just a few tweets 👇🧵
(💫 Takes 117 seconds)
👉 Just getting into Web3 Security? This one's for you 👈
If you're reading this, you're early. The tales of tech newbies making 500k/y within months are true.
Here's a series of videos explaining EXACTLY how you can get in and make this your reality. 🧵 👇
I'm extremely excited to announce that @GuardianAudits has now made our Security Researcher roles open to public application!
Interested in joining the Guardian team to usher in a new age of finance with World Class Smart Contract Security?
→ Comment below
→ & Shoot me a DM
This tweet serves as a complete Web3 Security Mini-course
Here's everything you need to know.👇
External Call Attacks
(Reentrancy, DoS, Gas Griefing, Return Values)
Advanced Reentrancy Guide
Frontrunning
I could never fully understand the EVM until I stumbled across this video.
This is the holy grail of EVM alpha. 🏆
Everything you need to know, laid out step by step.
I've had nightmares about AI replacing Security Engineers.
My whole business is security.
Will AI replace Auditors in 8-12 months?
Or is AI just another tool?
Well, I just attended an AI talk from the Ethereum Engineering Group...
Suffice to say, a revolution is coming. 🧵
Finally...
The one vulnerability class that is:
• Ridiculously common
• High severity
• Has netted me dozens of findings
• Nobody talks about it
And it is... 🧵
1/43
How I went from charging just $50 down to $50,000+ per Smart Contract audit.
The ultimate guide to "making it" as a Smart Contract auditor so you can do it too.👇 🧵
When starting out in Smart Contract Auditing, you may feel like all odds are against you:
• You need to master Solidity
• The financial math is complex
• Your first High eludes you
• Audit reports are cryptic
However, here are 7️⃣ advantages you have when just starting out🧵
Want to uncover more findings in contests or simply write better, more secure Solidity code?
I have everything you need. 😌
I've compiled a MEGA-thread of all my past alpha just for you. ❤️
Follow step-by-step and learn from all my past research. 🧵
• 10 Months
• 84 Person weeks
• 7 Reports
• 351 Findings
I am beyond proud to share that the team @GuardianAudits has concluded our review of @GMX_IO V2! 🎉
Looking forward to launch! 🫡
At this point I’ve audited 27 liquidation functions...
Liquidations are often the most critical/complex area of a protocol.
If I need a quick finding → I focus on liquidations.
So I compiled a list. 🫡
The 1️⃣3️⃣ liquidation vulnerabilities that you have to know.👇
Just recorded 📖 "The Ultimate Guide To Reentrancy".
We covered:
• Classic Reentrancy and the crux of the vulnerability
• Cross-function Reentrancy
• Cross-contract Reentrancy
• Read-only Reentrancy
• ERC721 & ERC777 Reentrancy
• My method for uncovering all Reentrancies
At this point I've worked with dozens of Smart Contract Auditors and seen exactly who performs and why...
Here are the 7 skills I observed that set the difference between auditors who earn $43 in contests and those who earn $23,058.
THREAD
As you progress in your journey as a smart contract auditor it's vital to have a deep understanding of DeFi primitives.
Perhaps the most important of these is the AMM (automated-market-maker).
Here's the ultimate guide to the AMM just for you 👇 🧵
Who wants to see a live pair-auditing mega series? 👀
I audit a complex codebase live, alongside a cybersecurity/blockchain professional with over a decade of experience.
You follow along and have all the context I do.
We uncover bugs and vulnerabilities 🤝😌
I made Read-only Reentrancy as simple as possible!
No longer does this exploit need to be mysterious nor complex.
Read on(ly) to understand exactly what Read-only Reentrancy is and how you can spot it in your next audit.👇🧵
There is one Solidity feature that goes virtually unnoticed in the land of auditing.
This feature is possibly the MOST underrated feature in Solidity.
Let's learn everything about it in this thread 👇
🧵
You might have missed a Reentrancy vulnerability👀
Have you been checking for all variations?
• Classic single-function
• Cross-function
• Cross-contract
• ERC-721
• ERC-777/677
• Readonly
Understand each one and my system to uncover them.👇
Auditing becomes very *very* fun once you're over the hump.
Still trying to break through that barrier?
Just follow these steps in order:
1️⃣ Learn The Basics
I covered it all for you, get all the basics down with the following playlist:
After that,
Excited to announce that @guardianaudits has now made our Fuzzing Engineer roles open to public application! 🎉
Want to learn from the best & join the Guardian team to usher in a new age of finance with World-class Smart Contract Security?
→ Comment below
→ & Shoot me a DM
Massive Success vs. Slightly Above Average
$1,500,000/y vs. $150,000/y
Cross-specialization determines which camp you are in.
In any given field the vast majority of participants are running the same race and competing based on the same skillset.
If you are a Web3 Security
Reentrancy attacks are among the most common exploits I see out in the wild.
They come in many forms, some more hidden than others.
I’ve compiled everything I’ve learned about Reentrancy into a 🧵 for you 👇
Struggle with DeFi math??
AMM formulas are perhaps the hardest to initially grasp.
That's why I made it as easy to understand as possible!👇
• What is an AMM
• How do swaps work
• How does liquidity work
• What are the equations & how to use them
⚠️ Over the past 48 hours I’ve explored a novel gas griefing attack that was previously undocumented ⚠️
In this 🧵 we’ll cover the current idea of gas griefing and then explore this new (IMO more fitting) "gas griefing" exploit.
Strap in! ⛽ 💨
🧵 I am delighted to announce that I've joined forces with @RealJohnnyTime, @pashovkrum & @trust__90 to produce the most comprehensive Web3 Security training there is! 🤯
Get $50 off through my referral link 👇
Overwhelmed when you start a contest?🤔
I jumped into a random @CodeHawks contest LIVE with 6 security researchers!
See how I like to approach new codebases and get to initial findings ASAP with this 3-hour session🫡👇
Did you know you're just 10 hours away from being a talented Web3 Security Researcher?
I just put together the *only* resource you need to start finding vulnerabilities in contests and getting payouts. 😎
That's it.
Watch this and head straight into contests. 👇
At this point, I've reviewed dozens of DeFi protocols.
With every new protocol, I develop a mental model for that "DeFi archetype".
There are 7 core DeFi archetypes. Master them all and you are a force to be reckoned with.
Let's master #1, CDPs👇
How to be more effective while auditing:
- Reward yourself for findings
- Turn off the lights
- Listen to music without words
- Drink tea/coffee
- Limit yourself to 90-minute sessions
- Set goals for your sessions
- Close all other apps
- Phone in the other room
- Multiple
The outlook on security researcher Twitter lately has been bleak.
Many folks pontificating that opportunity has been replaced by competition.
Let's talk about it.
Yes, in 2023 there have been more entrants into the realm of Smart Contract security than ever before.
Does this
I just noticed we hit over 20,000 views on the Advanced Web3 Security course!🤯
So glad this could be helpful to anyone looking to break into the space.🫡
Hopefully we can onboard hundreds of skilled Security Researchers as a result!
🔟 Videos queued up coming to you over the next month 🎉
- Complex Codebase Deep Dive | CTF Solution
- Solving a CTF Live!
- Becoming a 10x Auditor
- Guide to writing PoCs (Live PoC)
- 21 Sneaky Smart Contract Bugs
- Complete EVM Guide | Everything you need to know
- Guide to
A lot of people seem to think I'm a solo auditor...
Nonsense, I couldn't do any of this without the kickass team @GuardianAudits.
Check out 500+ findings from our team here👇
Passion comes after 2,500 hours.
Enjoyment comes after 1,000 hours.
Everything before that is plain hard work.
When you’re just starting out, don’t seek passion. Find something that’s valuable to others.
Passion will come.
58 Days of straight auditing since I got back from Paris. 🫡
Here's what I found:
19 Criticals
21 Highs
38 Mediums
Many reports dropping soon.👀
Good to have a day of looking at no code to focus on other things now!
With the @steadefi GMX V2 integration contest on @CodeHawks, I thought I'd release a much more in-depth intro to the @GMX_IO system!
Some of these things will be crucial for getting those niche, critical edge cases in the contest 🫡
Access the 2-hour deep dive here 👇
The path to becoming a top-level security researcher is really quite simple.
However: `simple != easy`
I will give you the *only* 4 steps you'll need to become a rockstar security researcher, it is up to you to execute on them.
🧵
There are 5 common upgrade patterns for Smart Contracts:
• Eternal Storage
• Transparent
• UUPS
• Beacon
• Diamond Standard
Do you know all of them??
Get the low-down on all 5 patterns in today's video 😎👇
A Collection of Almost Every Common Bug/Vulnerability
Here it is, if there's one single article that will bring you up to speed with every common bug/vulnerability it's this one.👇
Here is the complete GMX V2 Integration checklist:
(Don't miss any of these edge cases)
Depositing Liquidity
• Consider PnL Factor carefully when estimating GM price
• Handle deposit cancellations
• Ensure only the GMX handlers can call the afterDepositExecution &
🤯 The clearest, most comprehensive thread on signature malleability of all time!
It’s a hefty claim, I know.
But if you give me the chance, I will not disappoint. ✊
🎩🔮 Allow me to demystify this age-old attack 💫
Let’s hop in 👇
When the findings aren't coming, auditing is very hard for me.
So I developed a plan for exactly these situations, and it has rewarded me with 51 Critical/High findings so far this year.
The 3️⃣ pillars of my momentum-based auditing framework, so you can use superstar mode too🧵
You really only need one trait to succeed at anything:
Consistency.
No valuable skill can be mastered in a week.
In a decade, you can master nearly anything.
The easy part is doing it today, the hard part is doing it for the next 10 years.
There is no magic solution.
The only thing we can do: More + Better
More security researchers
More solo auditors
More security firms
More contests
More invariant testing
More bug bounties
Better education
Better tooling
Better incident response
Better systems & standards
It's
Nobody is actively trying to prevent you from reaching your goals.
They're just trying to reach theirs.
Help them with theirs and they'll help you with yours.
⚠️ Free Stuff Alert
Are you looking to transition into a full-time job in Web3?
If you'd like to work with me 1-1 to master your Web3 development skills to get that Web3 job, comment down below.👇
Goal by 2024:
Help 1,000 Web2 developers, cybersecurity experts, and tech newbies learn how to perform the highest tier of security audits and give them a platform to practice, earn money, and provide value to the Web3 community while doing it.
🔁 Reentrancy attacks are perhaps the most widespread devastating Web3 exploit.
You might think that a nonReentrant modifier solves all your problems, but many protocols are still at risk. 👀
The `globalNonReentrant` pattern offers better protection.
Let's dive in 👇
Rounding in Solidity has led to thousands of findings/bugs/vulnerabilities.
Thousands...
That's why it's absolutely key that you understand how to spot rounding issues in any codebase.
I broke down exactly everything you need to uncover sneaky rounding issues yourself👇
Crazy to think I've been making videos on Smart Contract security for a year now. 🤯
I hope we've prevented at least a couple of bugs/exploits from occurring in production 🫡
It's been a blast, glad folks can find them valuable!
Here's to many more 🥂
Want to become a skilled Web3 Security Researcher?
→ Learn by watching other Security Researchers conduct reviews
5+ hours of live pair auditing here for you to do just that 🤝👇
Lfg!!
In 2024 we are going to:
- Secure 30+ projects
- Grow the team from 6 -> 15
- Release 100 hours of content
- Hands-on train 150 Elite Security Researchers
How to go fast in Web3:
Slow down.
Take an extra week before your audit.
Take an extra week before launch.
Do things right the first time so you don’t end up spending months in recovery.
No matter what, keep your lifestyle low so you have the freedom to make any move you want.
Sometimes to move forward you need to take 3 steps backwards.
Give yourself that room.
Foundry Debugger is goated.
Never again will I console.log a word in memory and spend 3 hours wondering why everything is broken...
Just to realize the console.log pooped all over the memory.
Just released the guide to your first audit! 👀
We covered:
• Auditing Mindset
• Gaining Context
• Audit Tags
• A system to find your first vulnerability!
Watch the full guide here👇
🚀 Excited to share a comprehensive guide to your first audit.
We have four key elements to go through:
🧠 Auditing mindset
📚 System breakdown
🏷️ Audit tags
🔧 Utilizing attack knobs
Let's start with the most crucial part: the mindset.👇 🧵
💡 Foundry Tip
When working with bytecode or assembly I invariably find myself converting hex → decimal. All. the. time.
Me 3 months ago:
> python3
> int("a0", 16)
Me today:
> cast --to-dec a0
Reduce friction by 10% for 10 things you constantly do.
→ Watch efficiency 📈
So many people aren’t even serious about accomplishing what they set out to.
Separate yourself from those. Take action.
No more questions, audit for 1,000 hours -- you will have what you're looking for.
The past 4 weeks, I've been adding every common finding class I come across to my "auditing brain".
Here are 11 that I've added recently that you should start looking out for as well...
1. ERC-721 safeTransfer DoS
2. Phantom functions
3. Duplicate elements in an array
4. Force
I want my YouTube to be the ultimate resource for any looking to get into auditing and really make it.
What videos would help you achieve your goal?
(comment below, making them all)👇
Let's talk about DAO & Governance Attacks...
(Over $200,000,000 stolen)
There are 4️⃣ common ways in which DAOs get hacked.
If you master these, you'll know exactly what to look for when auditing DAO & Governance systems.👇
It's true only a fraction of those who dare to become an auditor will make it in the long run.
Here's how I would take that fact in stride & use it to my advantage:
• 60% will get distracted by something else (MEV, Dropshipping, Rust (gross))
• 20% will give up after not
How I consistently find bugs that no one else does:
• Understand the entire codebase first
• Become convinced there are bugs
• Spend an unreasonable amount of time on the most complex areas (where 90% shy away)
• Build a "second brain" of everything you've seen before