I am looking for a fullstack dev that wants to learn how to audit smart contracts.
I will personally be your mentor and you will also be able to audit with me.
I am looking for someone that already has experience with solidity/vyper and some EVM stuff. (No CS needed)
If you
The best alpha I gave on the auditing session is definitely:
It scans all the source code from any Ethereum smart contract to the point where you can search for whatever piece of code you want. Hidden gem.🤠 Especially useful for bug bounties
I made it big today. 6th position, 6k USDC. Let me know if you want a write-up once the report is out.
The effort for the contest: 5-8 hours, I do not remember exactly.
Happy to be in the space🫡
The @KyberNetwork hack raises some questions.
- They had a somewhat strong security pipeline (~3 audits)
- They paid a +1M bounty in the past
Why did they get exploited?
They got ~9 figs in TVL but only a 200k max bounty on Immunefi (around 0.2% of their TVL)
It is clear that
Currently improving my fuzzing skills. These are some of the best resources I could find:
- All about fuzzing from @vn_martinez_
- Fuzzing with echidna from @SpearbitDAO
- Invariants with @agfviggiano.
To anyone that has had a bad experience with any project not paying, I encourage you to add it to:
Let's make the list helpful for any researcher that wants to find the projects not to look at. If we bring no shame, this will continue to happen.
Today is my 20th birthday😁
Some goals for next year:
- Master the control of my mind.
- Greatly impact any protocol I work with.
- Enjoy more. No point in making money if you don't enjoy it.
- Get closer to the 7fig/yr mark.
- Continue learning from others and their mistakes.
If you struggle to learn the EVM opcodes and how values are pushed to the stack and stored in memory, definitely try:
A playground to test your skills, learn and see the outputs of your operations🫡
So, you want to be a Lead Senior Watson in @sherlockdefi?
This is the best opportunity you will get in a while.
Let me break it down for you.
@tapioca_dao is running a 3-week contest in Sherlock starting on the 21st Feb.
If you read Sherlock's docs about how points work:
-
If you are doing or planning to do @immunefi you should check out the following repo from @sayan_011 which includes write-ups from past researchers. Great resource!
Link to the yt video of my auditing methodology, where I explain and give tons of tips for smart contract auditing and bug hunting.
It got very good reviews so it might be worth watching :)
I am giving away 1000$ of my own money to the top 3 solo findings that "save our a*s" in the @tapioca_dao contest in @sherlockdefi and @code4rena
I will rank the findings and the splits will go as follows:
- 500$
- 300$
- 200$
Additionally, the top performers from both
I have been too busy to tweet lately, some updates:
- Have finished a 5 week private audit (~13k nsloc)
- Moved to the UAE
- Answered +600 DMs for the mentorship. (If you haven't been reached out to yet, most likely you will get somehow selected)
- @ambitfinance smart contracts
Usually, I do not have time to do c4, but here is the last result:
I could only dedicate 2 hours, but it seems like it was worth it. I found a solo finding which brought the reward amount up.
Sometimes the bugs are in the least thought-of places
Noticing all of your DMs and replies.
Next steps:
- I will leave 32 hours ish until I start reaching out to people.
- All of you will get an answer from me
- Will have a round of interviews with several selected people
- Even if you are not selected for this specific
I am happy to start open sourcing the reports of some of my security reviews. The first report is from Lexer Markets V2. The codebase was around 13,000 nsloc and the review uncovered 49 issues. I would like to thank @0xkato for co-auditing with me.
Please find the link to the report below.
Tomorrow is the day. I will be auditing live in @opensensepw
Almost 50 people have signed up.
I am going to give as many alphas as I can.
- shortcuts, websites, repos, databases, auditing process, resources, personal experiences...
Are you going to lose it?
🎉 Kudos to the eagle-eyed White Hat owner of wallet 0xE...F92 for spotting a Low severity bug in the @hoprnet Bug Bounty program!
A big thanks to the HOPR team for their swift and responsible response. 🙌
🛡️ Check out the reward details here:
And this is why you need a Security Researcher on your team.
@tapioca_dao was by far the audit most packed with talent over all the other reviews.
We had over 20 elite people audit our code between Sherlock and C4, when other protocols had maximum 1 elite guy, paying over 5
Despite tens of competitive audits running at the beginning of March, the competition for @TapiocaDAO was cutthroat.
Several elite SRs showed up, making the chances of scoring solos slimmer.
The bet was finding a single solo H/M, and I'm proud to announce I found 6 solo Medium
Just looked at my @opensensepw interview from May, 6000 views 😳 The amount of people that might onboard to the space from that video is exciting!
It is a 1 hour + video of me explaining my auditing process and giving tons of tips.
My process is not the
Found a critical yesterday in @immunefi. Had the PoC working from the night before, but I was waiting to submit it because I was calculating the funds at risk w/ @DuneAnalytics. Last thing I noticed, the project patched the vuln 4 hours prior. You don't always win😂🫡
Thank you guys! We averaged 55 viewers and we reached 102 interested researchers. Means a lot.
All the content will be uploaded to youtube. Also, in the coming days, I will be tweeting independently all the auditing alphas from the "interview".
If you want to learn about Zero Knowledge, I have never seen a better resource than ZKU.
It is a free 8-week course with assignments and all the material that you need to get the basics and a bit more.
To audit and perform at the highest levels, you should keep a great balance between your body and mind. Loving that our industry is full of jacked auditors. Treat your body as you treat your mind.
A video of me running a 2:00 800m when I was a semi-pro athlete:
It's out! Just published my new article about RLP encoding. Useful to learn, for auditors, researchers, and developers. Due to the ongoing audit of zkSync, it is split into 3 parts, which will be released in a week. ENJOY🕵️♀️🫡. Btw, I am for hire, DM ;)
In the field of auditing, it is very important to see how others audit too. It will allow you to create your own style and get to know some of the best practices.
Therefore, I will be auditing live on May 8th in the @opensensepw discord. Make sure to attend 😉
Happy to announce that my 1 hour auditing video just surpassed 1000 views on yt, more than doubling @opensensepw's record. We will leave some months in the middle, but expect a second part in the future!!
Only after completing a month long audit with a genius like @0xWeisss do you realize how much more there is to learn.
Truly one of the most talented SRs I know 🫡
Super busy working on auditing the @ambitfinance codebase. It is one of the best designed protocols (with a security mindset) I have ever seen. This was also part of my talk in @summit_defi. We are focusing all our efforts on having a completely bulletproof protocol!
In 6 hours ish I am dropping a new alpha article about RLP encoding, which standardizes the transfer of data between nodes. I've spent a week on this one, hope it is valuable for the space and people can learn from it. Understanding RLP encoding will be useful for the @zksync audit 🕵️♀️
To all the security people that know me. I would love to see you competing in @sherlockdefi and @code4rena starting on the 21st Feb.
I will be on the lookout for the top spots 🫡
Changing the game very very #soon, until then, hello @code4rena and @sherlockdefi white hats! All set up and ready to go thanks to the newest (and last pre-Genesis) core contributor to Tapioca, the security gigabrain @0xWeisss
Did not realize until yesterday. My articles made it to weekinethereum and securitypills newsletters 🤠.
Proud of contributing and sharing knowledge in the space!
Happy to announce that I am the private auditor for @ambitfinance. A very strong and talented team treating security as it should be treated. Hoping that more protocols take their route of having independent researchers while the protocol is still in development. Will be updating 🫡
Getting to @summit_defi late, as always. Nobody else to blame than the uber driver hahahah. We are in a tense discussion about who is better, Messi or Mbappe.
Feels amazing to get great feedback.
Do not be afraid to ask questions to the devs about the code you are reviewing, it will be more useful for both parties.
Don't be afraid to look dumb.
Have been very busy the past 2 weeks. Btwn leading a contest and curr. doing a 3500 sloc priv. audit, I couldn't find time to tweet. I hope in the future I can show some of the reports :)
Some nice stats from June:
- 4 criticals, 6 highs, 9 med
- only a month left for @summit_defi
@0xnirlin @KyberNetwork The amount of exploits would diminish exponentially.
Get 8M, be treated as a whitehat, get all the respect from the space (if wanted), have no legal issues.
Get 10M and get tracked for "life". Not sure how many people would pick the second option, but it has to be pretty low.
The biggest mistake I see while auditing with a team, especially with people you are not used to auditing with, is trying not to sound stupid. To me, the best way to do it is to share anything that comes to your mind, even if it seems impossible. 🤠
Anyone who believes or intends to do this has no clue about auditing. Chatgpt can catch nothing, might get a couple of re-entrancies and overflows, not more. I hope the space doesn't fill up with bad AI reports. Also, for businesses, take care who you hire for priv audits.🫡🤠
I am constantly seeing a lot of security researchers not getting paid by bug bounty projects for valid submissions. If something does not change, grey-hacking will increase exponentially. 🤷
+95% of protocols don't understand the game. eBTC does. This is how security has to be taken.
Private audit => Firm => Public audit => Bounty
If you raised funds, do not be cheap in security. In the end, you will pay more in bounties + fewer people will invest. Make the move.
Security Matters 🟣
With over a year of active development, bringing an immutable DeFi protocol to life while upholding the highest security standards is not an easy task.
This is the security rigour the #eBTC protocol has gone through.
🧵
I actually got this habit from @paladin_marco back then. It really makes you go through every line without "skipping because it looks good or it is too complicated", even if it is boring to do.
One great thing I took from the ultimate goat @0xWeisss is to comment every single line
"On every line you go through add //ok as a comment at the end once you have reviewed it, even if boring, it makes you review every line to the dot"
In complex parts of the code I often go one step
Dev teams that get this are dev teams that are going to make it.
It is great working with @cainosullivan helping secure @ambitfinance contracts. Great times ahead.
You need to leave your ego at the door and work with top quality auditors to help find the edge cases.
Let's face it, auditors are a weird bunch, but play an invaluable part in the development process.
Can highly recommend @0xWeisss @0xPaladinSec and @GuardianAudits.
If you struggle to find common bugs in smart contracts, then you should definitely check the following 2 websites:
They are 2 databases where you can filter findings from c4 and sherlock.🕵️♀️
I have been preparing a super cool article about bit shifting and bit masking in assembly for the past week. I will release it tomorrow at the latest. Hope all of you get value from it.
It will be free🕵️♀️🫡
Independent researchers helping with time boxed fuzz testing engagements is a very helpful niche for our industry. Rn, the best 2 fuzzooors I know personally are @agfviggiano and @vn_martinez_. Let them/me know if you need their help!
The economic growth of Paris this weekend is going to be brutal. A bunch of auditooors with lack of sleep and paper copies of highlighted codebases are the ones to blame for it. 🤓😂
@0xcuriousapple I respectfully disagree. imo security reviews are not only for the protocol. The goal is to signal all the potential threats and to build the most secure software possible. Historically, admin keys/privileges have caused the worst losses in the space.
Just hand-wrote the entire contract's bytecode. Why? Well, I want to master all Solidity opcodes, so I will decompile it by hand. Will post the decompiled solution!
Auditing is definitely a space with tons of opportunities, but try to stick with 1 audit at a time. Never more than 3. The ROI in the long term will be much higher if you focus only on 1 codebase. 🫡
Euler was hacked. Around 250M were sitting around and an estimated 190M were stolen. It seems like the attacker is a blackhat due to a past exploit of a BSC project.
Some room for thought: They had a bounty of 500k for 250M. Roughly 0.2%. Will we see +20M bounties in the future?
I have a brain database of helpful security posts that I found on Twitter. Once I see a vuln in the wild, I come back to re-read different resources.
Accounts that posted big alphas:
@gogoauditor and their signature posts
@pashovkrum and their resources on random technical posts
@ShieldifyAnon
Signatures. If certain params are not signed correctly, you might be able to front-run: take the v, r, s values and add your address as receiver.
Factories too, sometimes it is good to add msg.sender as a salt value.
Reward distributions, even though this might fit in the sandwich
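As an added example (not code from this thread or from any of the accounts mentioned), a hypothetical Solidity claim contract showing the signature pattern described above beside a hardened version: the unsafe function signs only the amount, so the receiver can be swapped at submission time, while the safe one binds the receiver, a nonce, the contract address and the chain id into the signed digest and marks it used.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical contract constructed for illustration only.
contract SignedClaim {
    address public immutable signer;          // trusted off-chain signer
    mapping(bytes32 => bool) public used;     // digests already redeemed

    constructor(address _signer) { signer = _signer; }

    // Recover the signer, rejecting malleable high-s signatures (EIP-2) and a zero result.
    function _recover(bytes32 digest, uint8 v, bytes32 r, bytes32 s) internal pure returns (address) {
        require(uint256(s) <= 0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0, "bad s");
        address a = ecrecover(digest, v, r, s);
        require(a != address(0), "bad sig");
        return a;
    }

    // VULNERABLE: the receiver is not part of what was signed, so anyone who sees
    // (amount, v, r, s) in the mempool can resubmit it with a different receiver.
    function claimUnsafe(address receiver, uint256 amount, uint8 v, bytes32 r, bytes32 s) external {
        bytes32 digest = keccak256(abi.encodePacked(
            "\x19Ethereum Signed Message:\n32", keccak256(abi.encode(amount))));
        require(_recover(digest, v, r, s) == signer, "not signer");
        _pay(receiver, amount);
    }

    // HARDENED: receiver, nonce, this contract and chain id are all bound into the digest,
    // and the digest is marked used, so the signature is neither redirectable nor replayable.
    function claimSafe(address receiver, uint256 amount, uint256 nonce, uint8 v, bytes32 r, bytes32 s) external {
        bytes32 digest = keccak256(abi.encodePacked(
            "\x19Ethereum Signed Message:\n32",
            keccak256(abi.encode(address(this), block.chainid, receiver, amount, nonce))));
        require(!used[digest], "replayed");
        require(_recover(digest, v, r, s) == signer, "not signer");
        used[digest] = true;
        _pay(receiver, amount);
    }

    function _pay(address to, uint256 amount) internal {
        (bool ok, ) = to.call{value: amount}("");
        require(ok, "transfer failed");
    }

    receive() external payable {}
}
```

When reviewing a signature-gated function, check that every parameter the function acts on (receiver, amount, deadline) is inside the signed payload and that a replay guard exists.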
Got a bit scammed today. I submitted a critical vuln to a project on Immunefi. The vuln basically stole up to all the assets that any user supplied to the pool, so the impact was the highest. Thread🧵
Announcing the DeFi Security Summit 2023 in Paris, France!
We're back with two full days of programming with top leaders & researchers in the DeFi security space, directly preceding @EthCC.
Learn more:
What you can expect 🧵👇
Great working with the @HyacinthAudits guys and the @SybilSamurai team.
Fun fact, the review was performed on my plane ride to Istanbul for TrustX as it was a ~80 nsloc scope.
Happy Wednesday auditors! Come check out the latest audit report completed on our site!
@0xWeisss completed the latest bounty on our platform and wrote an audit report for @SybilSamurai. You can check out the report here:
Welcome to the largest competition in history with... @Blast_L2 🪐
💰 $1,200,000 USDC
🗓️ January 30th, 3:00 PM EST / 20:00 UTC
📍
Invite only. Don't have one? Details below:
Auditing Tip: When you have to reference and link to the actual commit where you audited your contracts, just press "Y" on top of the GitHub file, and the URL will change to include the current commit 🫡
@gogotheauditor @paladin_marco @CharlesWangP If you combine Charles and Marco the chances of getting a solo high are the same ones as finding a crit in layer0. I audited a protocol with them last month and the only one that got a solo high was Marco, humbling experience tbh haha
@0xPaladinSec Disclaimer: Do not reference the upper tweet as something common. I would say this was the best month since I got into auditing, do not think that everyone makes the same, therefore, I will make the update every month, even if the stats are much lower than currently.
@PaladinCharles Agree, I literally use slim to no DeFi, having seen so much stuff, the likelihood of a big protocol having an issue is worse imo than an extra 6% APY