Neodyme @Neodyme Twitter profile

Pinned Tweet

Neodyme

@Neodyme

6 months

Introducing Riverguard 🏞️💂 A new security tool for Solana program deployers... 🧵

4

74

89

Last Seen Profiles

@coco_mirumiru

@DAWNmenaorg

@IlluminatiEyes

@melzz4x

@reislin_model_

@donngker

@kakumei_mero

@darksaber64

@merisenug

@dan7dktNFT

@themovies10

@lodiathevoice

@bieIws

@Booth81K

@Twistzz

@Black_Adult_Art

@wastelandwillow

@Specializedgrl

@castletownOPW

@Legend_Hoops

@AlziadiQ8

@hearrtblack

@bianchileiton

@ZuzanneBelec

@ionafootball

@95Sports

@Twistzz

@realtokiw

@Darkx1304

@saqr751

@aleksiswoof

@1__1D

@QueenLoutre

@InsuranceBizAU

@fletchwill_

@citcmancity

Neodyme

@Neodyme

2 years

We recently discovered a critical bug in the token-lending contract of the solana-program-library (SPL). This blog post details our journey from discovery, through exploitation and coordinated disclosure, and finally the fix.

56

155

710

Neodyme

@Neodyme

1 year

When CS:GO clients connected to our server, they got more than a game. We found 3 RCE vulnerabilities to give clients an unexpected 'welcome'. Ready for a deep-dive? 🎮🔧🎆 #InfoSec #CSGO #Exploit

CS:GO: From Zero to 0-day

We identified three independent remote code execution (RCE) vulnerabilities in the popular Counter-Strike: Global Offensive game. Each vulnerability can be triggered when the game client connects to...

neodyme.io

8

159

475

Neodyme

@Neodyme

1 year

Who **actually** controls the largest projects on #solana ? What's the deal with Upgrade Authorities? Are your funds more safu in DeFi contracts than they were on #FTX ? Let's find out 🧵👇

35

94

306

Neodyme

@Neodyme

3 years

Heads up #solana #developers ! Our team has been helping @solana with peer-reviews and we'd like to share what we've learned over the course of our audits:

Solana Smart Contracts: Common Pitfalls and How to Avoid Them

In this post, we want to raise awareness about the five most common vulnerabilities in Solana contracts that we keep finding during our audits. We'll keep the vulnerability descriptions short and...

neodyme.io

13

100

209

Neodyme

@Neodyme

2 years

As such, we’ve written up a dive into how this vulnerability could have been exploited, and how we found it:

How to Become a Millionaire, 0.000001 BTC at a Time

We recently discovered a critical bug in the token-lending contract of the Solana Program Library (SPL). This blog post details our journey from discovery, through exploitation and coordinated...

neodyme.io

6

29

184

Neodyme

@Neodyme

5 months

Technical Analysis of the Ledger Supply-Chain Attack 🧵 We did a brief analysis of today’s attack against the @ledger browser integration. This is what we found. Ledger’s browser integration, Ledger Connect, was attacked via a suspected supply chain attack. The attacker…

5

43

150

Neodyme

@Neodyme

3 years

Are you a #Solana #dev and attending #BreakpointLisbon ? Come join our security masterclass where we'll teach you how to think like an attacker!

11

26

114

Neodyme

@Neodyme

2 years

We believe every software project should clearly communicate its bug bounty policies and how to get in touch regarding security issues. In order to facilitate this, we brought security.txt to Solana:

GitHub - neodyme-labs/solana-security-txt: security.txt for Solana Contracts

security.txt for Solana Contracts. Contribute to neodyme-labs/solana-security-txt development by creating an account on GitHub.

github.com

6

23

110

Neodyme

@Neodyme

2 years

The bug was fixed, and dapps updated promptly to close the vulnerability. We believe the most secure code is open-source, and as auditors we believe one of the best ways to write better code is to understand vulnerabilities.

2

3

92

Neodyme

@Neodyme

2 years

The total TVL at risk was about 2.600.000.000 USD. Some of that value is lent out, and some other low-value coins are not economically viable to steal, but the potential profit was easily in the hundreds of millions.

2

4

93

Neodyme

@Neodyme

1 year

Total Loss of Funds The story of Solana's highest-severity bug -- and how we found it back in late 2020. Among other things, it allowed us to: - Mint or steal any amount of any token - Modify any NFT - Delete liabilities in any lending protocol

Nonce Upon a Time, or a Total Loss of Funds - Exploring Solana Core Part 3

This blog post details the first ever loss-of-funds bug we found in Solana Core. The bug would have allowed us to write arbitrary data to any account on the Solana Blockchain. This has many devasta...

neodyme.io

3

22

84

Neodyme

@Neodyme

11 months

> tfw you audit Solana so well, the SEC considers it "security"

Solana Foundation

@SolanaFndn

11 months

The Solana Foundation disagrees with the characterization of SOL as a security. We welcome the continued engagement of policymakers as constructive partners on regulation to achieve legal clarity on these issues for the thousands of entrepreneurs across the U.S. building in the…

253

772

3K

4

10

81

Neodyme

@Neodyme

9 months

Cypher protocol was exploited for over $1 million. But how? Here’s the main idea for what the attacker did, and why it worked 👇🏻

2

24

78

Neodyme

@Neodyme

2 years

1/4 🧵 There's been a lot of fuss around the recent #Solend DAO vote, with lots of discussion about what a protocol should be able to change about its #Solana smart contract.

58

19

69

Neodyme

@Neodyme

2 years

Some Neodimes spawned at #BreakpointLisbon . Talk to a Neodyme member to receive one @SolanaConf

3

10

60

Neodyme

@Neodyme

2 years

Check out our new blog post on our journey of finding and reporting bugs in Solana Core. In this one, we explain a powerful rug pull mechanism that we found about a year ago, and has subsequently been patched:

How a Little-Known Solana Feature Made Program Vaults Unsafe - Exploring Solana Core Part 1

Over the past year and a half, we have spent a lot of time looking at the Solana core code, reporting over 80 bugs of varying severity. This blog post is the first in a series detailing the most...

neodyme.io

10

11

52

Neodyme

@Neodyme

6 months

Solana security won't be the same after this 📅 November 1st, 15:15

2

8

50

Neodyme

@Neodyme

3 months

Read our new blogpost: How to hack a DAO! 😈 You'll learn how small technical details can be turned into powerful social engineering attacks.

How to Hack a DAO

DAOs add a social layer to the otherwise technical execution of blockchain transactions. By exploiting common misconceptions about how they actually work, attackers can 'hack a DAO'.

neodyme.io

2

14

44

Neodyme

@Neodyme

1 year

Many dApps need on-chain #randomness . But how can you efficiently obtain true randomness in a decentralised, trustless system? It turns out that this is an unsolved problem. Current solutions, including Verifiable Random Functions (VRFs), have fundamental issues. 🧵👇

9

14

40

Neodyme

@Neodyme

2 months

If your auditor isn't using Apple Vision Pro, they're probably missing 42% of bugs. Meet us at @mtndao , we'll explain.

3

7

37

Neodyme

@Neodyme

2 years

Check out our newest blog post on one of the critical vulnerabilities we found in Solana's validator code. This bug allowed anyone to inflate their stake to virtually any value, disrupting consensus. It was quickly fixed after we reported it last year.

Stake², or How To Cheat The Staking Mechanism - Exploring Solana Core Part 2

Over the past two years, we have spent a lot of time reviewing Solana core code, reporting over 80 bugs of varying severity. This is the second in a series of blog posts detailing what we found the...

neodyme.io

6

5

38

Neodyme

@Neodyme

3 months

Have you ever pushed a secret to github by accident? Did you try to rewrite history with a quick `git reset --hard HEAD^ && git push origin -f` ?? Well, maybe you should read our new blog post. Let's just say the internet never forgits👀

Hidden GitHub Commits and How to Reveal Them

We have created a tool for GitHub that can reveal commits that potentially contain sensitive information and are not accessible via the public Git history, but that may be of interest or were...

neodyme.io

0

8

38

Neodyme

@Neodyme

6 months

@synthetify got hacked in a DAO attack. The attacker passed a proposal to upgrade the program and stole $230k from the protocol. What happened?

3

10

36

Neodyme

@Neodyme

2 years

4/4 In our latest blog post, we give you the tools to make informed decisions on how to keep your money safe:

Why Auditing the Code is Not Enough: A Discussion on Solana Upgrade Authorities

Recently, there’s been a lot of buzz around a DAO vote of Solend – one of Solana’s largest lending projects. It seeks to enact restrictions on large positions, and to temporarily take control of an...

neodyme.io

1

2

29

Neodyme

@Neodyme

9 months

We all know vyper's reentrancy locks didn't work. But why? How was it exploited? And why does this account hold more tokens than the total supply? Let's dive in 🧵👇

2

8

32

Neodyme

@Neodyme

1 year

We just pwned the Netgear Router over WAN followed by the HP Printer for the second successful SOHO Smashup entry at @thezdi #pwn2own Toronto 2022!

0

6

31

Neodyme

@Neodyme

1 year

Of the 10 projects analysed, we found the following about their upgrade authorities: (educated guesses) - 3 have a hot wallet 💩 - 2 have a hardware wallet - 5 have a multisig or DAO Many are currently migrating to a mixed solution.

5

1

29

Neodyme

@Neodyme

1 year

If you are running a large project and are still using a hot, or even cold wallet instead of a multisig or DAO, MIGRATE IT!

8

5

28

Neodyme

@Neodyme

2 months

Ever wonder what happens when you let the world's best auditors loose on a program written by Solana OGs? Our audit report for @sanctumso 's Infinity protocol is now public. ♾

3

4

29

Neodyme

@Neodyme

1 year

We gave a talk at #Breakpoint @SolanaConf about this topic last week. Follow us to get notified once it's online!

3

0

27

Neodyme

@Neodyme

6 months

In Amsterdam for @SolanaConf this week? 👀 Today, we're hosting the Neodyme Security Stage at Het Hem! A full day dedicated to securing the Solana Ecosystem. Here's a breakdown of the day! 📅👇 #Breakpoint2023

1

6

22

Neodyme

@Neodyme

6 months

Wow, what a week it has been! It was great to be hosting the security stage at @SolanaConf this year. Thanks to everyone who came to meet us, and a big THANK YOU to the teams at @solana that made this happen. Now, back to auditing. 👋

2

6

25

Neodyme

@Neodyme

2 months

Are you from Munich and interested in Blockchains? We're partnering with @SuperteamDE , @StakingFac , @solanabeach_io , TUM Blockchain Club and @Solana to host the Munich Blockchain Startup & Hackathon Day! 📅 March 9th, 15:30-19:30

Munich Blockchain Startup & Hackathon Day · Luma

Curious about what a Hackathon is and how to win one? Intrigued by the world of web3 & Solana? Join us for an eye-opening event that demystifies startup…

lu.ma

4

7

24

Neodyme

@Neodyme

1 year

We're excited to announce NeodymeGPT. Going forward, you can simply ask NeodymeGPT whether there are any bugs in your software. Subscriptions will start at $1337/mo. We've even decided to open source the code of our Free Tier version:

GitHub - neodyme-labs/NeodymeGPT

Contribute to neodyme-labs/NeodymeGPT development by creating an account on GitHub.

github.com

3

23

Neodyme

@Neodyme

2 years

@m_schneider @aeyakovenko The workshop is gonna be super interactive so it's hard to record anything useful but we'll publish all the resources and some tutorials so you can solve all of the exercises online as well.

3

1

23

Neodyme

@Neodyme

2 years

1/2 Ever wondered how you would go about implementing an on-chain casino on Solana? Our latest series of blog posts is the only guide to on-chain randomness you will ever need! 👇

Secure Randomness: From Zero to Verifiable Delay Functions, Part 1

A secure source of randomness is one of the most critical components of many decentralized applications. However, perhaps surprisingly, there is currently no on-chain source of randomness that is...

neodyme.io

1

5

20

Neodyme

@Neodyme

1 year

We've been pushing for more transparency in upgrade authority handling for some time now. If you see a large project using a hot wallet or hardware wallet, you can help us by asking them why they haven't migrated to a multisig. Stay safe out there.

2

1

19

Neodyme

@Neodyme

6 months

Swipe by our Lounge at @SolanaConf this week to talk security and claim a Neodime! #Breakpoint2023

3

1

18

Neodyme

@Neodyme

1 year

What are Upgrade Authorities (UAs)? 👮 UAs are the accounts in charge of changing a solana program's code. Naturally, they pose a huge security risk. If you control the UA, you control the smart contract and its funds.

1

0

16

Neodyme

@Neodyme

1 year

For this thread, we analysed the Upgrade Authorities of the top 10 TVL projects on DefiLlama.

1

17

Neodyme

@Neodyme

1 year

If you see a hot wallet, or even a hardware wallet, being used as an upgrade authority for a major dApp, be careful when interacting with it. ⚠️ They potentially have the power to rug pull all of your funds.

2

18

Neodyme

@Neodyme

1 year

Specifically, the top 10 TVL projects we analysed are: - @solendprotocol - @MarinadeFinance - @LidoFinance - @RaydiumProtocol - @ProjectSerum - @TulipProtocol - @orca_so - @QuarryProtocol - @Saber_HQ - @Francium_Defi

2

1

14

Neodyme

@Neodyme

7 months

We'll host a dedicated Security Stage at Solana Breakpoint @SolanaConf this year! Featuring an exciting line-up of Breakpoint's deepest and most technical talks on Security & Solana Core 🤫🤫🔐

Solana Breakpoint ☀️ SINGAPORE Sept. 20-21, 2024

@SolanaConf

7 months

This year at Solana Breakpoint, @Neodyme will host Neodyme Security Stage November 1, covering the latest in IT & web3 security research! 🔐 Join us at the cutting edge of change in Amsterdam from Oct 30 to Nov 3. Get your ticket today:

2

4

33

0

4

17

Neodyme

@Neodyme

6 months

16:35 "Solana RPC 2.0 Roundtable" w/ Max Mango @m_schneider & Noah Prince @redacted_noah & Mert Mumtaz @0xMert_ & Brian Long @brianlong

Breakpoint 2023

Welcome to Breakpoint, the conference hosted by the Solana Foundation. It’s where developers, artists, institutions, and leaders come from around the world to learn about cutting-edge distributed...

conference.solana.com

2

4

16

Neodyme

@Neodyme

1 year

(This is pretty bad tbh)

1

13

Neodyme

@Neodyme

2 years

3/4 There are many different ways of managing your program upgrade authority, and they are all subject to a trade-off between decentralization, security and ease of upgrading.

1

0

15

Neodyme

@Neodyme

1 year

We will be participating in this years #Pwn2Own Toronto! Looking forward to drop some 0days! 👀

Zero Day Initiative

@thezdi

1 year

Behind the scenes as we get set up for the drawing to determine the schedule for #Pwn2Own Toronto 2022. We’ll get started tomorrow (Dec 5) at 3pm Eastern. Watch it live here and on YouTube at

2

7

55

0

6

16

Neodyme

@Neodyme

1 year

Big thanks to @BenjWeso and @bramcohen for answering our questions on this one!

0

1

14

Neodyme

@Neodyme

2 years

2/4 We think the more important question is: Who controls those changes? How can you be sure your funds won't just be taken by an authority or a DAO?

1

0

13

Neodyme

@Neodyme

1 year

Neodyme's @_localo_ @0x4d5aC @r0bre are competing in #pwn2own with 2 entries: In the SOHO smashup category, we will be demonstrating a Netgear Router -> HP Printer exploit chain. In addition, we have a second Netgear WAN exploit in our back pocket!

Zero Day Initiative

@thezdi

1 year

After a herculean effort by the scheduling crew, the agenda for #Pwn2Own Toronto 2022 is now available. 26 contestants. 66 entries. Four days. It should be a great event.

2

8

65

0

3

15

Neodyme

@Neodyme

1 year

Indirect smart contract risk doesn't get enough attention. Your contract doesn't need to have a bug to be exploited. 🧵👇

1

3

14

Neodyme

@Neodyme

6 months

Ok one more hint @SolanaConf #Breakpoint2023

Neodyme

@Neodyme

6 months

Solana security won't be the same after this 📅 November 1st, 15:15

2

8

50

1

14

Neodyme

@Neodyme

9 months

👾 You play CTF and still need a DEFCON ticket? We've 2 tickets left over and want to give them away! Follow us and comment with your favourite CTF writeup to win! Ends Aug 3rd 12:00 CET #defcon31 #DEFCON

7

3

13

Neodyme

@Neodyme

2 years

Still haven't got a Neodime? Come to the security panel at the sud in 15 minutes to get one. #SolanaBreakpoint

3

0

13

Neodyme

@Neodyme

1 year

However, they are a necessary evil. If you want to fix a bug in a program, or add new features, this is done through UAs. For more info on UAs, check our blog post from June:

Why Auditing the Code is Not Enough: A Discussion on Solana Upgrade Authorities

Recently, there’s been a lot of buzz around a DAO vote of Solend – one of Solana’s largest lending projects. It seeks to enact restrictions on large positions, and to temporarily take control of an...

neodyme.io

2

0

11

Neodyme

@Neodyme

1 year

Awesome first qualifying race driven by one of our auditors @CarryWorm . @buildwithnation #BMR

0

3

12

Neodyme

@Neodyme

2 months

New Blogpost: Learn how Riverguard works and how we used it to find a bug in an on-chain casino 🎰↓

Riverguard: Fishing for Loss of Funds in the Stream of Solana Transactions

Riverguard, the free first line of defense for all Solana contracts

neodyme.io

1

4

12

Neodyme

@Neodyme

6 months

Looking for LPs too supply tokens to our Neodime- @FlashTrade_ Pool 🪙 #Breakpoint2023

1

2

12

Neodyme

@Neodyme

6 months

🎃👩‍💻 Hacks are SCARY 👻🔐 Unmasking the Hacky Halloween Party at #Breakpoint2023 ! Dress up to be safe from the hackers! 🎟️ Access Limited: Hack your way into the guestlist now

0

3

12

Neodyme

@Neodyme

6 months

Reminder: Your Solana upgrade authority should not be a hot wallet

1

3

11

Neodyme

@Neodyme

6 months

12:50 "Security Considerations from RPC Providers" mod by Conrad Greiner-Bechert @Neodyme w/ Brian Long @brianlong & Nicolas Pennie @nick_pennie

Breakpoint 2023

Welcome to Breakpoint, the conference hosted by the Solana Foundation. It’s where developers, artists, institutions, and leaders come from around the world to learn about cutting-edge distributed...

conference.solana.com

2

3

11

Neodyme

@Neodyme

9 months

Congrats to @b2ahex for winning @PwnieAwards Top Desktop Bug category this year! Well deserved. It was a great honor to be nominated for our CS:GO 0day research - thank you!

1

0

12

Neodyme

@Neodyme

11 months

🔐 Learn how to "Hack Cryptography" in our intense 2-day training at @defcon this year You will learn all about common mistakes made in cryptographic implementations and how they can be broken. Secure your spot today! 📅 August 14th - 15th 📍Las Vegas

0

3

10

Neodyme

@Neodyme

11 months

Today at #HackerHouseNYC , @r0bre will teach you how to kick greg out of your 5:5 multisig 👀 (Every Vote Counts: How to Hack a DAO. 2pm)

0

2

11

Neodyme

@Neodyme

6 months

Large amounts of "Neodime" coins have been found to be circulating at #Breakpoint2023

1

0

11

Neodyme

@Neodyme

2 years

Ever wanted to play around with IT Security yourself? We are helping to organize the @C_S_C_G . Visit to learn more and participate.

1

2

11

Neodyme

@Neodyme

6 months

In technical terms, Riverguard is a live transaction fuzzer. It takes real current transactions, modifies them like an attacker, and then tests them in a simulation. 🤖

1

0

10

Neodyme

@Neodyme

1 year

First, you need to find the program address of the dApp you are trying to investigate. There are many ways to do this: Often, it is listed in the docs or open source code.

1

0

8

Neodyme

@Neodyme

1 year

🕵️‍♂️🪙🌆 Guess the mystery city on our 2022 mint Neodime and win an exclusive merch package including our hoodie, tshirt, socks, bag, stickers and a coin! #Breakpoint Submit your guesses at

0

1

10

Neodyme

@Neodyme

6 months

The upgraded program has a new Instruction, “DoSexualAction”. This instruction allows the attacker to withdraw funds from the contract. In 3 transactions, the attacker withdrew about $230k

1

9

Neodyme

@Neodyme

1 year

Come by to meet us this week in Munich! There will be pretzels!🥨

Superteam Germany

@SuperteamDE

1 year

While we're busy in Berlin, our team is taking a Munich trip to host a Solana Blockchain Night in the Bavarian capital. We invite you to join us this Thursday (February 16th), at the Center for Digital Technology and Management in Munich!🥨 See more below🧵👇

2

6

41

0

8

Neodyme

@Neodyme

9 months

If you liked this summary, follow us for more 🫡 To read cypher’s full postmortem with more details, click here:

cypher exploit - 7th august 2023 - post-mortem | Notion

On August 7th, 2023, an attacker exploited cypher’s primary contract by uncovering bugs related to mechanisms involving isolated margin sub accounts, allowing them to end up withdrawing more funds...

cypherlabs.notion.site

2

0

9

Neodyme

@Neodyme

1 year

How to verify this yourself? 🔬 (Note that this only gives you information on how upgrades were handled so far)

1

0

7

Neodyme

@Neodyme

9 months

The smallest errors can have grave consequences. That’s why it’s important to double-, triple- and quadruple-check your code. We will continue to assist cypher protocol in trying to find solutions for the difficult situation they are in.

1

8

Neodyme

@Neodyme

1 year

➡️ Training: Hacking Cryptography Cryptography is hard and error prone. 🧠 Learn how to exploit cryptography and how to properly use it to defend yourself! 🧠 Join us at @HITBSecConf for the onsite training! 📅17th - 19th April 📍Amsterdam

Hacking Cryptography - HITBSecConf2023 - Amsterdam

REGISTRATION CLOSED DATE: 17-19 April 2023 TIME: 09:00 to 17:00 CEST/GMT+2 Date Day Time Duration 17 Apr Monday 0900-17:00 CEST/GMT+2 8 Hours 18 Apr Tuesday 0900-17:00 CEST/GMT+2 8 Hours 19 Apr...

conference.hitb.org

0

3

8

Neodyme

@Neodyme

1 year

Don't get cold feet in this bear market. Get your Neodyme socks at @SolanaConf 🧦

1

8

Neodyme

@Neodyme

6 months

Riverguard does multiple checks like this. On every transaction. And now, after we've already found and reported multiple bugs with Riverguard, we're opening it up for the community! And what's best: Its free! 🎊

1

0

8

Neodyme

@Neodyme

6 months

What does "like an attacker" mean? Well, unlike many fuzzers, instead of just flipping bits, Riverguard uses a set of carefully crafted Fuzzcases. Each Fuzzcase implements a specific potential attack. For example: Missing Singer checks.

1

8

Neodyme

@Neodyme

6 months

If you liked this thread, follow us for more! We'll also release a deep-dive on DAO attacks in the near future.

3

0

8

Neodyme

@Neodyme

2 years

This data helps researchers to get in touch with you, even if they only have your program id. We recently had trouble finding contact information for multiple smart contracts. This project has been born out of that very real frustration.

1

0

8

Neodyme

@Neodyme

9 months

Thanks to everyone who participated and congrats to the winners @HanEmile and @WhNdsSlp ! Check your DM's!

Neodyme

@Neodyme

9 months

👾 You play CTF and still need a DEFCON ticket? We've 2 tickets left over and want to give them away! Follow us and comment with your favourite CTF writeup to win! Ends Aug 3rd 12:00 CET #defcon31 #DEFCON

7

3

13

1

0

8

Neodyme

@Neodyme

1 year

Once you have the program address, you can use any explorer of your choice to find its upgrade authority -- it's listed directly on its explorer page. You can also see the address of the program data and the last slot it was changed.

1

0

7

Neodyme

@Neodyme

2 years

Check out for an example. We've also provided you with bounty policies templates in our repository to make it as easy as possible to get going.

0

8

Neodyme

@Neodyme

6 months

The Missing Signer Check Fuzzcase removes all signers from a Transaction, and adds a new signer just to pay transaction fees. If this transaction succeeds, the program in question is potentially missing a crucial Signer check. 🚨

1

0

8

Neodyme

@Neodyme

6 months

@SolanaConf Last thing that the Neodime sees before it goes into your pocket

0

3

7

Neodyme

@Neodyme

1 year

Cryptography is hard. Thankfully, you don't have to learn it all on your own. Our training "Hacking Cryptography" will turn anyone into a codebreaker Alan Turing himself would be proud of 🧠 The 3-day training will be offered April 17-19 at @HITBSecConf :

Hacking Cryptography - HITBSecConf2023 - Amsterdam

REGISTRATION CLOSED DATE: 17-19 April 2023 TIME: 09:00 to 17:00 CEST/GMT+2 Date Day Time Duration 17 Apr Monday 0900-17:00 CEST/GMT+2 8 Hours 18 Apr Tuesday 0900-17:00 CEST/GMT+2 8 Hours 19 Apr...

conference.hitb.org

0

6

Neodyme

@Neodyme

6 months

We hope you've found this thread interesting. Follow us @Neodyme for future updates. Like/Repost the quote below if you can:

Neodyme

@Neodyme

6 months

Introducing Riverguard 🏞️💂 A new security tool for Solana program deployers... 🧵

4

74

89

1

7

Neodyme

@Neodyme

1 year

Once again we are proudly partnering with NFITS to present Germanys premier hacking competition 🪓

CSCG

@C_S_C_G

1 year

#CSCG2023 has started! Happy hacking! 🪓🖥️

0

9

19

0

1

7

Neodyme

@Neodyme

1 year

Was a great race thanks @buildwithnation for organizing. Also big thanks to @osec_io for sharing a cart #BMR

1

0

7

Neodyme

@Neodyme

1 year

@Austin_Federa @bennybitcoins @solanaspaces We can pitch in a free pair of Neodyme socks for this good cause 🙏

1

0

7

Neodyme

@Neodyme

1 year

@thezdi We'll be releasing blog posts about these bugs after they're patched. Follow us at @Neodyme to keep updated!

0

7

Neodyme

@Neodyme

1 year

Who controls your money? Find out at #SolanaBreakpoint : And make sure to look out for our limited edition coins while you're there!

2

7

Neodyme

@Neodyme

1 year

Lets check the UA. If there are many transactions within a few seconds landing in the same slot, the upgrade auth is almost certainly managed by a hot wallet. OTOH, if the upgrades are managed using a multisig or DAO, you can see this by program invocations in the upgrade txs.

1

0

5

Neodyme

@Neodyme

6 months

Since we started auditing Solana 3 years ago, we've encountered some bug classes again and again.

1

0

6

Neodyme

@Neodyme

6 months

And if you're at #Breakpoint2023 come by our Lounge at Het Hem to get onboarded with our team!

1

0

6

Neodyme

@Neodyme

2 years

For those who've been asking, this will be *very* interactive and technical. Most of the time, you'll be reading code and writing exploits for contracts. You should already have some experience writing rust code and ideally also Solana smart contracts.

Neodyme

@Neodyme

3 years

Are you a #Solana #dev and attending #BreakpointLisbon ? Come join our security masterclass where we'll teach you how to think like an attacker!

11

26

114

1

0

6

Neodyme

@Neodyme

1 year

If not, you can try and see if a block explorer like solscan already knows the address of that dApp by its name. Finally, you can also do a test transaction and view the program it interacts with on-chain.

1

0

5

Neodyme

@Neodyme

1 year

Using the explorer, you can navigate to the program data address. The transactions you see are the program upgrades.

1

0

5

Neodyme

@Neodyme

6 months

Here's the recording of our Riverguard announcement at #Breakpoint2023 🍿🎥

Breakpoint 2023: Riverguard: Fishing for Loss of Funds in the Stream...

DISCLAIMERThe content herein is provided for educational, informational, and entertainment purposes only, and does not constitute an offer to sell or a solic...

www.youtube.com

Neodyme

@Neodyme

6 months

Introducing Riverguard 🏞️💂 A new security tool for Solana program deployers... 🧵

4

74

89

0

1

6