Antonio Viggiano

@agfviggiano

1,920 Followers · 1,048 Following · 166 Media · 2,954 Statuses

I help protocols improve their invariant tests @getreconxyz

Joined June 2017
Pinned Tweet
@agfviggiano
Antonio Viggiano
5 months
2023 Year In Review 👾 Quit my job as CTO of a Web3 gaming company to work full-time in Web3 security. 🔝 Scored Top 2 in two audit contests and Top 4 in one, out of 23 participations. 🐛 Worked on 4 invariant testing engagements. 🐞 Completed 6 solo security reviews. 🐜
10
1
44
@agfviggiano
Antonio Viggiano
2 years
@MarcoWorms I like this one
3
7
277
@agfviggiano
Antonio Viggiano
10 months
📣 Introducing: Solidity Audit Report Generator, a VSCode extension that helps you write your reports using templates, ChatGPT, and // @ audit comments.
13
42
273
@agfviggiano
Antonio Viggiano
7 months
I wish I could participate in @paradigm_ctf but fortunately today is my wedding. Wish me luck!
66
17
218
@agfviggiano
Antonio Viggiano
4 months
I'm building a list of Aave/Compound common issues and mitigations for forks. Anything I should add to this list?
6
28
175
@agfviggiano
Antonio Viggiano
6 months
Between June 21, 2023, and June 23, 2023, I was invited to perform a "diff" review of the @raft_fi smart contracts. During these 2 days, I analyzed each change from the diff, commit by commit, reviewed the full diff side by side, and examined the codebase as a whole in its
@trailofbits
Trail of Bits
6 months
7 new high & mediums were found in an audit competition, and successive teams continued to find new bugs every engagement. This points to 1) the exploited issue being subtle, and 2) the need for testing & verification to prove safety.
1
1
16
9
8
141
@agfviggiano
Antonio Viggiano
2 months
I'm happy to share that I've had the privilege of contributing as a guest writer for @a16zcrypto ! In this article, I explain how you can execute function calls symbolically in a loop to maintain state on a target contract.
4
10
133
@agfviggiano
Antonio Viggiano
8 months
I'm excited to finally share our key takeaways and best practices from 6 weeks of fuzzing @BadgerDAO 's @eBTCprotocol
8
22
127
@agfviggiano
Antonio Viggiano
1 year
I'm glad to have found my first high severity vulnerability in an audit competition after a top tier review from Trail of Bits. I used to shy away from contests with previous audits, but I guess if you look hard enough you can always find something!
12
7
123
@agfviggiano
Antonio Viggiano
7 months
⚠️ Attention security researchers & protocol developers ⚠️ While reviewing @OpenZeppelin Contracts v5, I noticed some footguns that might hurt projects developing upgradeable smart contracts without extra attention. 1. ERC7201 Namespaced Storage
4
23
122
@agfviggiano
Antonio Viggiano
10 months
⛰️ The @summit_defi was truly inspiring! Here's my list of the **TOP 5** presentations that I think every _DeFi protocol_ should watch💰
3
25
110
@agfviggiano
Antonio Viggiano
5 months
2024 Predictions for Smart Contract Security 1. AI tools and static analyzers become so effective that some audit contest platforms remove the QA/Low findings pot completely. 2. Stateless "fuzz" tests become the baseline, with them being implemented in over 50% of protocols. 3.
7
10
93
@agfviggiano
Antonio Viggiano
10 months
I would like to thank everyone who has provided great feedback for my @summit_defi presentation and paper, now available at
2
16
92
@agfviggiano
Antonio Viggiano
7 months
I'm looking for a technical writer (paid) to help me create content about fuzzing, symbolic testing, and formal verification! The ideal candidate is someone who's beginning their security research journey and likes to share what they learn. DM to apply / RT to spread the word
22
18
85
@agfviggiano
Antonio Viggiano
5 months
How to write (good) invariants? Some tips: 1. Review the project's whitepaper or documentation and try to think about the system specs as invariants. See 2. Go through @CertoraInc list of property categories and brainstorm potential invariants for each
@agfviggiano
Antonio Viggiano
10 months
1. Start writing your system properties based on your whitepaper or documentation. Most projects will have docs explaining how the system should behave, so it's easy to start from there. Here's an example of when I worked with @PodsFinance on their stETHvv invariant tests.
1
1
9
2
23
83
@agfviggiano
Antonio Viggiano
2 months
Problem: I want to contribute to fuzzers but have no time. Solution: I will start a learning group to fund and coach developers so they can learn Go and work full time on Medusa. More info coming soon.
9
3
84
@agfviggiano
Antonio Viggiano
10 months
This week I shared my experience with invariant testing at @opensensepw Here are my tips and best practices on how to write robust and efficient property tests for your DeFi protocol 🧵
4
18
79
@agfviggiano
Antonio Viggiano
3 months
Quick security tips for Solidity developers 1. Explicitly round up/down all mathematical operations using a fixed-point math library. I like solady because it has the 2 versions of mulDiv. 2. Do not attempt to handle all possible scenarios of "weird ERC20" tokens. If your
2
7
75
@agfviggiano
Antonio Viggiano
5 months
The #erc4337 audit checklist has just been updated with many new bullet points, thanks to the great contribution from @gpersoon !
2
10
75
@agfviggiano
Antonio Viggiano
3 months
Now that Uniswap is about to turn fees on, let me share an interesting case of an invariant that will break after the proposal passes: "Withdrawing liquidity always decreases LP token supply" Actually, when the feeTo address is non null on Uniswap v2, withdrawing liquidity can
4
6
72
@agfviggiano
Antonio Viggiano
5 months
Auditors usually only see the final revision of smart contracts, which do not always come in ideal shape as protocols do not have a clear process for building secure code. After working inside a team, I now see many steps that developers can implement to improve the end result:
2
17
70
@agfviggiano
Antonio Viggiano
1 year
I'm happy to share I've been accepted on @yAcademyDAO ZK Auditing Fellowship 🚀 This was probably the 3rd time I applied to yAcademy. This is a lesson for us to always keep improving and never give up.
7
2
69
@agfviggiano
Antonio Viggiano
1 year
Today I submitted my first bug report on @immunefi ! Let's see how it goes
12
1
66
@agfviggiano
Antonio Viggiano
3 months
The SR meta of 2023 was to dunk on audit companies. The new meta is to start an audit company, then dunk on contests for not having enough talent.
5
3
67
@agfviggiano
Antonio Viggiano
6 months
Developing a protocol with security in mind, Part 1: Document the state variable changes of your functions to help with invariant tests later.
1
3
63
@agfviggiano
Antonio Viggiano
19 days
The most interesting bugs are economic attacks They usually can't be found with - pattern-matching, - invariant tests, and - diffs between the spec/docs & implementation. Only those who understand the protocol design in-depth can find them.
1
1
64
@agfviggiano
Antonio Viggiano
5 months
In October, I was interviewed by @hake_stake and said I wished there was a tool that could speedup the development of invariant tests. Now, I'm building it. "DM for one-click invariant tests."
@GalloDaSballo
Alex the Entreprenerd
5 months
Imagine getting all of your invariants scaffolding setup with a couple of clicks Or reach out and see it for yourself!
2
4
58
7
4
61
@agfviggiano
Antonio Viggiano
2 months
Security Research Interview Question for You A common vulnerability in lending protocols (eg Compound/Aave), involves the "donation attack." This occurs when there's an absence of liquidity, enabling attackers to acquire a substantial amount of liquidity by manipulating the
4
5
58
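The "donation attack" the question above refers to, as an added Python model that is not code from the original post, from Compound or from Aave. An attacker seeds an empty market with 1 wei, donates underlying directly to the market contract so the exchange rate explodes, and the next depositor's mint rounds down to zero shares. The Market class, the amounts, and the mitigation (a virtual-share/virtual-asset offset of the kind used in ERC-4626 implementations) are all constructed for this example and are assumptions, not details taken from the tweet.

```python
WAD = 10**18


class Market:
    """Minimal cToken-style share accounting (constructed model, not any protocol's code).

    exchange rate = cash / supply; deposits are converted to shares rounding down.
    virtual_shares / virtual_assets implement an ERC-4626-style offset (assumed mitigation).
    """

    def __init__(self, virtual_shares=0, virtual_assets=0):
        self.cash = 0          # underlying held by the market
        self.supply = 0        # share (cToken) supply
        self.balances = {}
        self.vs = virtual_shares
        self.va = virtual_assets

    def to_shares(self, assets):
        if self.supply + self.vs == 0:
            return assets      # empty market without offset: 1:1 initial exchange rate
        # rounds down, in favour of the pool
        return assets * (self.supply + self.vs) // (self.cash + self.va)

    def to_assets(self, shares):
        if self.supply + self.vs == 0:
            return 0
        return shares * (self.cash + self.va) // (self.supply + self.vs)

    def mint(self, user, assets):
        shares = self.to_shares(assets)
        self.cash += assets
        self.supply += shares
        self.balances[user] = self.balances.get(user, 0) + shares
        return shares

    def donate(self, assets):
        """Plain token transfer to the market: raises cash without minting shares."""
        self.cash += assets

    def redeem_all(self, user):
        shares = self.balances.pop(user, 0)
        assets = self.to_assets(shares)
        self.supply -= shares
        self.cash -= assets
        return assets


def run_attack(virtual_shares=0, virtual_assets=0,
               seed=1, donation=10**18, victim_deposit=5 * 10**17):
    """Attacker seeds an empty market, donates, then the victim deposits (constructed figures)."""
    m = Market(virtual_shares, virtual_assets)
    m.mint("attacker", seed)
    m.donate(donation)
    victim_shares = m.mint("victim", victim_deposit)
    attacker_out = m.redeem_all("attacker")
    victim_out = m.redeem_all("victim")
    return {
        "victim_shares": victim_shares,
        "attacker_profit": attacker_out - seed - donation,
        "victim_loss": victim_deposit - victim_out,
    }


if __name__ == "__main__":
    print("no offset       :", run_attack())
    print("offset 10**3, +1:", run_attack(virtual_shares=10**3, virtual_assets=1))
```

Without the offset the victim receives zero shares and the attacker walks away with the whole deposit; with the offset the attacker's donation is mostly captured by the virtual shares, so the attack costs more than it yields and the victim keeps all but dust.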
@agfviggiano
Antonio Viggiano
10 months
I'm building an open-source VSCode extension to automatically generate audit reports for @code4rena @sherlockdefi @HatsFinance @CodeHawks using platform-specific templates, ChatGPT, and // @ audit comments. What are the top features you'd like to see on it?
7
0
57
@agfviggiano
Antonio Viggiano
7 months
It was a pleasure to share our experience with this community. Feel free to reach out if you want to talk more about property-based testing!
@SpearbitDAO
Spearbit
7 months
We're excited to release our seminar with @agfviggiano on: Complex Fuzzing Techniques with a practical case study example on the eBTC protocol. Dive into some deep fuzzing alpha (link below)👇
1
18
84
4
5
55
@agfviggiano
Antonio Viggiano
6 months
I am reviewing an account abstraction wallet and will soon release an "auditor checklist" for ERC-4337. Stay tuned.
@pashovkrum
pashov
6 months
Smart contract security auditors most common fears, ordered: 5. Snakes 4. Ghosts 3. Poverty 2. Lending protocols 1. ERC4337
9
5
141
4
2
53
@agfviggiano
Antonio Viggiano
6 months
🚀🚀🚀 Introducing All Things Fuzzy 🚀🚀🚀 Today marks the launch of a newsletter dedicated to exploring the depths of fuzzing, invariant testing, symbolic testing, and formal verification! 🙇 Over the past few months, I've been working closely with
2
16
52
@agfviggiano
Antonio Viggiano
7 months
Solo auditors earn more, but traditional auditing firms get to review the coolest pieces of Ethereum infrastructure. Agree or disagree?
8
1
50
@agfviggiano
Antonio Viggiano
1 year
I was accepted to speak at the @summit_defi ! If you're interested in fuzz tests, come watch me.
5
2
52
@agfviggiano
Antonio Viggiano
11 months
1/ I'm happy to share that, as part of the @yAcademyDAO ZK Fellowship, I am releasing circom-mutator, a mutation testing tool for circom
5
4
51
@agfviggiano
Antonio Viggiano
10 months
Today I'll share my invariant testing experience at @opensensepw , here's the gist of what we're going to talk about
5
5
50
@agfviggiano
Antonio Viggiano
9 months
I've just dropped a new version of the Solidity Audit Report Generator VSCode extension with two cool features - Automated report generation with predefined tags - Report summary that generates a markdown table with all your findings PRs are welcome!
2
8
48
@agfviggiano
Antonio Viggiano
5 months
Any reason why inscriptions didn't compress the calldata further? Why "op" and not "o"? Why json and not binary? If you're going to reinvent the wheel, at least create a better wheel.
10
0
45
@agfviggiano
Antonio Viggiano
7 months
The downside of being fully booked is that you have less free time than when you were just starting out. My lists of "things to build" and "things to study" never stop growing. Some recent additions: - @VeridiseInc x @TheSecureum ZK Workshop - "Why and How zk-SNARK Works:
4
4
44
@agfviggiano
Antonio Viggiano
10 months
I'm honored by this recognition from the @yAcademyDAO ZK Fellowship team. I am still a beginner, so being noted for the "Breadth" of my contributions gives me the confidence to keep learning and contributing to the space. I hope I can give back to future ZK enthusiasts soon!
5
1
43
@agfviggiano
Antonio Viggiano
6 months
You may earn more from a solo audit, but you will learn more from a team audit. Always be aware of whether you're in a situation to EARN or to LEARN.
6
2
40
@agfviggiano
Antonio Viggiano
2 months
Running invariant tests on mainnet 24/7 That's it, that's the tweet
1
1
42
@agfviggiano
Antonio Viggiano
8 months
Fuzz tests can be useful in creating PoCs for manual review findings too. This week I had a hunch that rounding errors could cause a DoS due to complex math, but it was hard to come up with real values, so I decided to use echidna to try to prove it. And it sure did.
2
4
42
@agfviggiano
Antonio Viggiano
11 months
Unpopular opinion: private audits are neither a reliable career path nor the best choice for protocols. Despite what CT says, only the top 1% should be doing it. If you're not finding 80% of issues, you shouldn't do it. If you can afford it, you should host a contest.
5
3
39
@agfviggiano
Antonio Viggiano
9 months
It's live! You can now request an invariant testing engagement through @cantinaxyz 🚀 Dive deep into the realm of property-based testing and start working on the continuous improvement of your codebase early on.
3
1
40
@agfviggiano
Antonio Viggiano
1 month
echidna on-chain fuzzing public ankr node vs local reth node
3
1
40
@agfviggiano
Antonio Viggiano
19 days
Who are the best ZK independent security researchers? hmu
10
2
40
@agfviggiano
Antonio Viggiano
1 year
It's either just me in a Twitter bubble or we have more auditors than protocols requesting audits in web3
10
1
37
@agfviggiano
Antonio Viggiano
8 months
For my Portuguese-speaking friends, here's the recording of the meetup we had in São Paulo about Account Abstraction. For the general public, I'm writing a series of posts on the subject on @SecurityOak blog: Stay tuned for part 2!
@ERC55_
ERC55
8 months
Meetup I also featured Antônio Viggiano talking about Account Abstraction… Watch Part 2 here 👇
1
2
13
1
8
38
@agfviggiano
Antonio Viggiano
2 months
A well-known rule of thumb in Solidity says you should always round debt up and credit down. If not done properly, however, this can also cause medium/high Denial of Service issues, since a debt reduction operation may underflow your debt tracker and prevent repayments or
0
1
37
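A worked model of the failure mode this tweet describes, which also illustrates the earlier "explicitly round up/down with a fixed-point math library" tip. This is added example code, not the author's and not any protocol's: per-user debt is rounded up (the "debt up" rule), a separate assets-denominated total is rounded down, and the last repayment underflows the tracker. The DebtMarket class, the mulDiv helpers and the 7-wei/index figures are constructed; the fix shown (keeping the total in scaled units and deriving the assets figure from it) is one standard remedy and is an assumption, not a claim about any particular protocol.

```python
WAD = 10**18


def mul_div_down(a, b, d):
    """floor(a * b / d): the 'credit down' direction."""
    return (a * b) // d


def mul_div_up(a, b, d):
    """ceil(a * b / d) for non-negative ints: the 'debt up' direction."""
    return -((-(a * b)) // d)


class DebtMarket:
    """Interest-bearing debt in scaled units (constructed model, not any protocol's code).

    debt(user) = scaled[user] * index / WAD rounded UP (the protocol never under-charges).
    A separate assets-denominated tracker `total_borrows` is rounded DOWN.
    """

    def __init__(self, scaled_debts):
        self.scaled = dict(scaled_debts)
        self.index = WAD
        self.total_borrows = sum(self.scaled.values())   # exact while index == WAD
        self.collected = 0

    def accrue(self, new_index):
        self.index = new_index
        self.total_borrows = mul_div_down(sum(self.scaled.values()), self.index, WAD)

    def user_debt(self, user):
        return mul_div_up(self.scaled[user], self.index, WAD)

    def repay_all_naive(self, user):
        """Vulnerable: subtracts the rounded-up user debt from the rounded-down total."""
        owed = self.user_debt(user)
        if owed > self.total_borrows:
            raise ArithmeticError("total_borrows underflow: repayment reverts")
        self.total_borrows -= owed
        self.collected += owed
        self.scaled[user] = 0
        return owed

    def repay_all_safe(self, user):
        """Fixed: zero the scaled debt and re-derive the total from scaled units."""
        owed = self.user_debt(user)
        self.collected += owed
        self.scaled[user] = 0
        self.total_borrows = mul_div_down(sum(self.scaled.values()), self.index, WAD)
        return owed


def demo(index=1_100_000_000_000_000_001, scaled=7, users=("a", "b", "c")):
    """Returns (sum of user debts, tracker total, naive repayment failed?, safe final total, collected)."""
    naive = DebtMarket({u: scaled for u in users})
    naive.accrue(index)
    debts = sum(naive.user_debt(u) for u in users)
    tracker = naive.total_borrows
    failed = False
    try:
        for u in users:
            naive.repay_all_naive(u)
    except ArithmeticError:
        failed = True

    safe = DebtMarket({u: scaled for u in users})
    safe.accrue(index)
    for u in users:
        safe.repay_all_safe(u)
    return debts, tracker, failed, safe.total_borrows, safe.collected


if __name__ == "__main__":
    # constructed figures: three borrowers of 7 scaled wei, index 1.1 plus one wei
    print(demo())
```

With these figures every borrower owes 8 wei (24 in total) while the tracker holds 23, so the third repayment reverts under the naive accounting; the scaled-unit version collects the full 24 wei and ends at zero. Fuzzing the index and the scaled amounts is how you would find such a combination in practice.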
@agfviggiano
Antonio Viggiano
18 days
After spending hours fuzzing a tricky function to check for bugs, I remembered Halmos existed. It passed in a few seconds fml
1
2
38
@agfviggiano
Antonio Viggiano
6 months
This month I am doing something different. After a successful v1 review, a protocol invited me to help with the development of their v2, making sure security practices were properly implemented from the beginning. I'll be sharing the process here.
1
0
38
@agfviggiano
Antonio Viggiano
1 year
ZK is hard. There's a lot of maths & CS prereqs before you can even start looking at the code. ZK auditing is even harder, as you don't have as many "checklists" of common vulnerabilities to refer to. My strategy: help out with tests and learn from there
2
3
36
@agfviggiano
Antonio Viggiano
7 months
Yesterday I decided to follow the example of @GalloDaSballo and @0xWeisss by mentoring a couple of web3 devs in security research 🧑‍🏫🧑‍🎓🧑‍🎓. So I must ask: What is the best way to teach auditing nowadays? Is @TheSecureum still the way to go? How would you approach it now anon?
10
2
36
@agfviggiano
Antonio Viggiano
1 year
So you're starting your auditing journey and want to know where to start? Here are some tips to help you navigate @immunefi , @code4rena , @sherlockdefi , @HatsFinance , and make the most of your time:
2
6
36
@agfviggiano
Antonio Viggiano
1 month
Here's the script I've been using to make both Echidna & Medusa work with external libraries. This is useful so that you don't need to manually edit your `cryticArgs` or `deployContracts` config parameters. Also, it converts all external libs to
0
5
35
@agfviggiano
Antonio Viggiano
4 months
Another benefit of transcribing Echidna/Medusa sequences to Foundry tests is that your invariants may change as the protocol introduces new features during the development process. With simple unit/fuzz tests, you may not notice it, as they generally only check for
1
3
33
@agfviggiano
Antonio Viggiano
1 year
Auditors almost always post the outcome of their findings, but they seldom share their process. I thought I could do something different and explain how I came across this issue during the @raft_fi audit competition from @HatsFinance
@agfviggiano
Antonio Viggiano
1 year
I'm glad to have found my first high severity vulnerability in an audit competition after a top tier review from Trail of Bits. I used to shy away from contests with previous audits, but I guess if you look hard enough you can always find something!
12
7
123
3
4
34
@agfviggiano
Antonio Viggiano
2 years
@mrjasonchoi Amazing! But haven't they heard of Math.random()? /s
2
0
30
@agfviggiano
Antonio Viggiano
3 months
Why do I always have to spend 5 minutes staring at conditionals containing more than 1 argument? if (spender != msg.sender || recipient != msg.sender) { // wtf } I keep using De Morgan's law to simplify it, but it is always confusing.
10
1
33
@agfviggiano
Antonio Viggiano
27 days
Some protocols: refuse to extend the audit contest duration Other protocols: announce it months in advance and release the code earlier Pretty obvious what's better for security
2
1
33
@agfviggiano
Antonio Viggiano
3 months
Rate my setup What's missing?
5
0
33
@agfviggiano
Antonio Viggiano
1 year
Top 8 from 215 runners on the last @TheSecureum RACE! Thanks @Montyly for the challenge and @CertoraInc for the free @summit_defi ticket.
3
0
32
@agfviggiano
Antonio Viggiano
1 month
How are you implementing DOS checks on your invariant tests? Any ideas on how to make this less verbose?
1
2
32
@agfviggiano
Antonio Viggiano
5 months
I'm grateful to have participated in this podcast, which has already featured so many great guests. I'm excited to see what the next year will bring!
@ProofOf_Podcast
Proof Of Podcast
5 months
Looking for an excuse to run away from your family during the holidays? Tune in to hear the latest on everything “fuzzing” with @agfviggiano ! Some of what we cover: 🔴 How To Define Invariants 🔴 Best Testing Framework 🔴 What do Fuzzing engagement look like And much more!
0
3
20
1
4
32
@agfviggiano
Antonio Viggiano
10 months
Tune in if you're interested in writing better invariant tests
@opensensepw
OpenSense ₿
10 months
Join us on Thursday 3rd for a workshop on invariant testing with @agfviggiano , the author of the “Auditor Book” and ZK Auditing Fellow at @yAcademyDAO . Learn how to write better tests and find more bugs using UniswapV2 as an example.
3
3
20
1
2
31
@agfviggiano
Antonio Viggiano
6 months
I am not a fan of pomodoro. Sorry folks
15
1
31
@agfviggiano
Antonio Viggiano
3 months
Never use `vm.assume`, always use `bound`
4
1
31
@agfviggiano
Antonio Viggiano
8 months
Great move by the OGs of fuzzing! As I've said previously, invariant testing is one of the best investments a protocol can make from a security standpoint. They remain useful even after changes or updates, unlike audits, which are time-boxed snapshotted security reviews.
@trailofbits
Trail of Bits
8 months
We’re launching a new service: invariant development. We’ll identify, implement, and test security-critical invariants to prevent bugs & secure your codebase over the long term. Plus, we’ll upskill your team to write their own invariants!
6
40
186
1
2
30
@agfviggiano
Antonio Viggiano
2 months
Biggest alpha from @_SEAL_Org 's talk from yesterday: Have presigned pause signatures
4
0
30
@agfviggiano
Antonio Viggiano
2 months
To facilitate contribution, I migrated this list to
@agfviggiano
Antonio Viggiano
4 months
I'm building a list of Aave/Compound common issues and mitigations for forks. Anything I should add to this list?
6
28
175
2
4
30
@agfviggiano
Antonio Viggiano
4 months
Most H/M issues can be generalized to protocol invariants. Developers or security researchers implementing property based tests can leverage previous audits and run the fuzzer on the same commit to validate specific bugs using generic invariants.
1
2
29
@agfviggiano
Antonio Viggiano
4 months
I'm happy so many open-source individual contributors were contemplated by @Optimism RetroPGF. Only in crypto that's possible.
2
1
27
@agfviggiano
Antonio Viggiano
24 days
It's a bittersweet feeling that invariant testing doesn't find bugs unless you specify the invariant that must hold (obviously). This means that poorly specified properties might miss important bugs. We need better ways to scale property derivation than brainstorming.
6
0
29
@agfviggiano
Antonio Viggiano
2 years
@nathanweb3 Funny that most of the "EVM weaknesses" are just "UX sucks", and I couldn't agree more. But that's not a problem of Ethereum, but rather of @MetaMask and DeFi dapps in general. We need better wallets and dapps period, that's what I think
8
0
21
@agfviggiano
Antonio Viggiano
17 days
@ensdomains @CyversAlerts This could happen with ENS too, it's just a matter of buying a domain similar to the victim. That's what scammers on Twitter do.
2
0
27
@agfviggiano
Antonio Viggiano
2 years
Coming to #GDC was such a great experience! Lots of cool people showing their games, more and more with crypto and NFTs. Meeting the @mousehaunt team & @TheHarvestGame in person was incredible! Hope to come back next year
1
6
23
@agfviggiano
Antonio Viggiano
6 months
ERC-4337 Audit Checklist ## Checklist ### General - [x] How are the audited contracts different from Infinitism's sample contracts? - [x] Can the project be deployed on targeted EVM-compatible chains, e.g. through the correct version of the Solidity
1
5
24
@agfviggiano
Antonio Viggiano
6 months
@xb0g0 Great content. I'd also recommend @trailofbits fuzzing series on YouTube, it's the best resource available in my opinion.
1
3
23
@agfviggiano
Antonio Viggiano
11 months
I need help deriving more x*y=k AMM properties to test @Uniswap v2 invariants. Here's what I got so far (taken from @technovision99 from ToB)
7
1
24
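An added Python model of a UniswapV2Pair-like pool for checking a few x*y=k properties of the kind asked for above, including the one from the earlier feeTo tweet: when protocol fees are on, _mintFee mints LP tokens to feeTo at the start of burn, so a withdrawal can increase total supply. This is example code, not Uniswap's contract, not the author's tests and not the Trail of Bits property list; pool sizes, swap amounts and the property helpers are constructed. Only the fee split (1/6 of the growth in sqrt(k), minted as supply * (rootK - rootKLast) / (5 * rootK + rootKLast)) and the 0.3% swap fee mirror the real contract.

```python
from math import isqrt

MINIMUM_LIQUIDITY = 1000   # Uniswap v2 locks this many LP wei on the first mint


class Pair:
    """Constant-product pool with Uniswap v2 style protocol fee (constructed model)."""

    def __init__(self, fee_on=False):
        self.r0 = self.r1 = 0      # reserves
        self.supply = 0            # LP token supply (includes the locked minimum)
        self.k_last = 0            # reserve product as of the last mint/burn
        self.fee_on = fee_on       # feeTo != address(0)
        self.fee_to_balance = 0    # LP tokens minted to feeTo

    def _mint_fee(self):
        """Mirrors UniswapV2Pair._mintFee: feeTo receives 1/6 of the growth in sqrt(k)."""
        if not self.fee_on:
            self.k_last = 0
            return
        if self.k_last == 0:
            return
        root_k, root_k_last = isqrt(self.r0 * self.r1), isqrt(self.k_last)
        if root_k > root_k_last:
            liquidity = self.supply * (root_k - root_k_last) // (root_k * 5 + root_k_last)
            if liquidity > 0:
                self.supply += liquidity
                self.fee_to_balance += liquidity

    def mint(self, a0, a1):
        self._mint_fee()
        if self.supply == 0:
            liquidity = isqrt(a0 * a1) - MINIMUM_LIQUIDITY
            self.supply += MINIMUM_LIQUIDITY
        else:
            liquidity = min(a0 * self.supply // self.r0, a1 * self.supply // self.r1)
        assert liquidity > 0, "INSUFFICIENT_LIQUIDITY_MINTED"
        self.supply += liquidity
        self.r0, self.r1 = self.r0 + a0, self.r1 + a1
        if self.fee_on:
            self.k_last = self.r0 * self.r1
        return liquidity

    def burn(self, liquidity):
        self._mint_fee()                       # fee LP is minted BEFORE the burn
        a0 = liquidity * self.r0 // self.supply
        a1 = liquidity * self.r1 // self.supply
        assert a0 > 0 and a1 > 0, "INSUFFICIENT_LIQUIDITY_BURNED"
        self.supply -= liquidity
        self.r0, self.r1 = self.r0 - a0, self.r1 - a1
        if self.fee_on:
            self.k_last = self.r0 * self.r1
        return a0, a1

    def swap0_for_1(self, amount_in):
        """Swap token0 for token1 with the 0.3% LP fee; kLast is untouched by swaps."""
        in_with_fee = amount_in * 997
        out = in_with_fee * self.r1 // (self.r0 * 1000 + in_with_fee)
        self.r0, self.r1 = self.r0 + amount_in, self.r1 - out
        return out


def k_never_decreases_on_swaps(fee_on, amounts):
    """Property: x*y after every swap is at least x*y before it (fees stay in the pool)."""
    p = Pair(fee_on)
    p.mint(10**21, 10**21)
    for a in amounts:
        before = p.r0 * p.r1
        p.swap0_for_1(a)
        if p.r0 * p.r1 < before:
            return False
    return True


def supply_delta_on_burn(fee_on, liquidity=10):
    """Change in LP supply caused by a small withdrawal after fee-generating swaps.

    Naive property: 'withdrawing liquidity always decreases LP supply'. It holds with
    fee_on=False and breaks with fee_on=True, because _mintFee runs first.
    """
    p = Pair(fee_on)
    p.mint(10**21, 10**21)
    for _ in range(50):
        p.swap0_for_1(10**19)
    before = p.supply
    p.burn(liquidity)
    return p.supply - before


if __name__ == "__main__":
    print("k monotone:", k_never_decreases_on_swaps(True, [10**18, 5 * 10**19, 10**20]))
    print("supply delta, fee off:", supply_delta_on_burn(False))
    print("supply delta, fee on :", supply_delta_on_burn(True))
```

The k property is the one most people write first; the burn property is the one that silently becomes wrong the moment feeTo is set, which is why an invariant suite should be fuzzed with fee_on in both states rather than only against the current mainnet configuration.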
@agfviggiano
Antonio Viggiano
6 months
Are there any good resources for NFT minting and token sales? A client has asked me to review their code, but I believe this might be reinventing the wheel for the thousandth time. Maybe even a gas-optimized audited version?
7
3
21
@agfviggiano
Antonio Viggiano
7 months
Fuzzing tip of the day: If you're building a quick-and-dirty PoC, it might be faster to do it with Medusa than with Echidna, since you won't run into any Slither issues.
3
2
23
@agfviggiano
Antonio Viggiano
1 month
Hi
1
0
23
@agfviggiano
Antonio Viggiano
3 months
It was an honor to participate in this journey 👏👏👏
@eBTCprotocol
eBTC | Get Paid to Borrow Bitcoin
3 months
Security Matters w/ @agfviggiano The ideal security process starts with having good documentation. Bad docs make auditors' jobs harder. Spend the time and resources to get it right in order to maximize value and efficiency down the road.
1
5
18
0
1
22
@agfviggiano
Antonio Viggiano
2 years
. @orbwagmi UX is great, now we just need everyone there instead of here
3
1
20
@agfviggiano
Antonio Viggiano
4 months
This is why I like the dYdX v2 design (or FREI-PI) 1. validate input 2. execute actions 3. validate final state
@danielvf
Daniel Von Fange
4 months
*Most importantly*, the rounding directions were good, but the checks against bad debt failed because they were not verifying that there was no bad debt, but instead attempted to estimate if any bad debt would be created. Invariant checks are best run against end state. 18/
2
1
31
2
1
22
@agfviggiano
Antonio Viggiano
11 months
This. How can we improve the current incentive structure from @code4rena ? I find bot races the most awesome & sad thing of all times, and tbh I don't have any good suggestions.
@NoahMarconi
noah.eth
11 months
@thebensams 😤✋ private detection bots ☺️👉 contributing slither detectors
1
3
16
3
0
21
@agfviggiano
Antonio Viggiano
4 months
One of the most interesting "meta" of independent security research is evaluating the EV of your time. Should I compete in the Blast contest? Should I do private audits? Should I do bug bounties? This is an unsolved challenge. Maybe from a Prisoner's Dilemma PoV, we should
3
0
21
@agfviggiano
Antonio Viggiano
22 days
AI auditing doesn't work, until it does.
4
2
21
@agfviggiano
Antonio Viggiano
11 months
Auditors say their jobs can't be automated (yet), so why are so many issues just a poor copypasta? AI can definitely help us here. original same issue in a different contest
4
3
21
@agfviggiano
Antonio Viggiano
11 months
What are your thoughts on projects that begin an audit without any tests? Any recommendations for the developers?
18
0
21
@agfviggiano
Antonio Viggiano
3 months
As a protocol, do you want to know what are the best audit companies? Just ask an independent security researcher. They're the ones reading reports on a daily basis.
2
0
21
@agfviggiano
Antonio Viggiano
2 years
What are the coolest things being built on top of @LensProtocol ?
7
0
19