pashov @pashovkrum Twitter profile | Pikagi

Pikagi

pashov

@pashovkrum

22,538

Followers

996

Following

202

Media

3,646

Statuses

Smart contract security audits @PashovAuditGrp

https://t.co/b7jn0EfLZn

Joined July 2022

Don't wanna be here? Send us removal request.

Pinned Tweet

@pashovkrum

pashov

5 months

Pashov Audit Group's website is live, showcasing team members' efforts & accomplishments. Trusted by big brands, we try to provide our best possible service, always. The team has quite a few world-class whitehats, some savage audit reports coming soon✌️

Tweet card media

Pashov Audit Group - World Class Smart Contract Security Audits

Smart contract security company with 50+ audits, uncovering 1000+ Critical, High & Medium severity Vulnerabilities. Trusted by 8 & 9 figure TVL (Total Value Locked) protocols.

13

19

231

Last Seen Profiles

@CodeFirstGirls

@TheLastRonin28

@NumojiGames

@toushikitsune

@riferrei

@space_potatoee

@starakaj

@ivQIxmwMgdmjJWs

@WaqarEY

@JSelph05

@carmen_souls

@Natchoumm

@BmoreCityDOT

@ZusuruMiya

@BulletBronson

@levelsnetwork

@Anderso24683531

@natedonavan7

@Annekebro

@shinami11950732

@revormasie

@asianjeff

@GavinRonan

@jyhcnb

@LadyMysteries_

@Dj1McQuarter

@CrawfordAyanna

@towa_nohou

@daniel_blackie

@Paxter_Redwyne

@yangjujuw

@TheEldestRock

@SandraLewi79028

@cpillettiiii

@ad_e8

@KeithLovesMango

@pashovkrum

pashov

9 months

The new Paypal USD stablecoin has an "assetProtection" role which can wipe your balance in two transactions (first `freeze`, then `wipeFrozenAddress`) In smart contract security we call this a "centralisation attack vector"

Tweet media one

313

2K

6K

@pashovkrum

pashov

1 year

If you don’t know Solidity go and watch Patrick Collins course on it, the 32 hour one If you know Solidity but don’t know smart contract security go through the Secureum bootcamp Not sending links to either one of them, both are up on YouTube - you'll have to find them yourself

21

125

944

@pashovkrum

pashov

8 months

I made six figures (~$100k) in profit in the month of August 2023 providing smart contract security services for protocols. I worked like crazy. For years. On a daily basis. It paid off.

71

48

935

@pashovkrum

pashov

1 year

Personal smart contract auditing stats for February: - 8 audits (7 private, 1 with Spearbit) - 6 Critical, 4 High, 15 Medium severity issues found - 95 hours of focused work - $40550 earned in total It was a good month🫡

45

38

859

@pashovkrum

pashov

5 months

Kyberswap exploiter's latest message. This is pure evil.

Tweet media one

126

93

756

@pashovkrum

pashov

1 year

Last week I did my first web3 security coaching consultation. To put it simply: 1. Learn solidity (Patrick Collins YouTube 32hr course) 2. Secureum bootcamp 3. Smart contracts hacking course 4. code4rena & Sherlock - read reports & participate That's about it

30

112

735

@pashovkrum

pashov

1 year

1/ My current skill level with smart contract security is just a bit better than a beginner. Here is my plan to become an advanced researcher📚 A thread on levelling up🚀🔥 I’d appreciate a retweet, spread the knowledge🫡

49

263

730

@pashovkrum

pashov

1 year

I spent ~6 months slowly studying smart contract security from this repository. It paid off. Thanks @TheSecureum , @0xRajeev and @0xTaylor_

Tweet card media

GitHub - x676f64/secureum-mind_map: Central Repository for the Epoch 0 coursework and quizzes....

Central Repository for the Epoch 0 coursework and quizzes. Contains all the content, cross-referenced and linked. - GitHub - x676f64/secureum-mind_map: Central Repository for the Epoch 0 coursewor...

24

115

718

@pashovkrum

pashov

1 year

I did an audit for a multiple 7 figures in TVL protocol. Managed to find some issues, got my best paycheck so far and also the client wrote the following in a Medium post:

Tweet media one

42

24

669

@pashovkrum

pashov

1 year

This might be the single best repository to learn about smart contract hacks that happened in the DeFi ecosystem so far and even reproduce them using Foundry. Close to 200 hacks/incidents are listed here. 10x @1nf0s3cpt

Tweet card media

GitHub - SunWeb3Sec/DeFiHackLabs: Reproduce DeFi hacked incidents using Foundry.

Reproduce DeFi hacked incidents using Foundry. Contribute to SunWeb3Sec/DeFiHackLabs development by creating an account on GitHub.

22

173

655

@pashovkrum

pashov

9 months

My June 2023 smart contract security stats: - $61500 earned (best month so far) - 9 critical & high, 13 Medium, 11 Low severity issues found - 6 solo smart contract security audits done for clients - 3 ERC721 based protocols, 2 with staking mechanisms, 1 with ERC4626 vaults

41

31

616

@pashovkrum

pashov

1 year

Exactly four months ago I finished my first solo smart contract security review where I got paid $600. 10s of thousands of lines of code reviewed and +$100k in rewards later I can tell you that choosing to provide value to web3 protocols full-time was my best decision so far🫡

45

23

552

@pashovkrum

pashov

1 year

Yesterday I did my first solo web3 security audit, got paid $100/hr and I did 6 hours of work. Got some cool High and Med finds and when the client applies fixes and I review them I will share my report here! 🚀

29

18

549

@pashovkrum

pashov

1 year

I made $46150 doing 4 solo smart contract security audits in April, finding various critical & High severity issues. I also missed 1 (that I know of) but that’s life as a security researcher. This makes it the 3rd consecutive month doing >$40k in solo smart contract audits

37

22

510

@pashovkrum

pashov

10 months

My past year in smart contract security stats: - Done ~40 security contests, ~33 solo security audits, ~7 team audits - Reviewed over 300 contracts - Found over 50 Critical/High & over 100 Medium severity vulnerabilities - Over 800 hours of highly focused work - Made ~$320k

29

24

502

@pashovkrum

pashov

1 year

I have recently read this great article on "what happens when you send 1 DAI". Even though it might take you ~1hr to read it, it's worth it. It shows off the beauty of the Ethereum nodes & EVM technology and its great property - open source. A must read✌️

Tweet card media

What happens when you send 1 DAI

A journey into exploring the beauty of Ethereum's depths, while trying to make Vitalik 1 DAI richer.

www.notonlyowner.com

26

127

496

@pashovkrum

pashov

1 year

Personal smart contract auditing stats for March: - 3 private audits - 9 Critical, 4 High, 9 Medium severity issues found - 54 hours of focused work - $46500 earned in total Doing security related stuff outside of solo audits, updating you soon🫡

40

24

475

@pashovkrum

pashov

1 year

Yeah sex is cool but have you found a high severity vulnerability in a smart contract audit? It just hits different

29

23

441

@pashovkrum

pashov

7 months

Prior to smart contract security, I was a software engineer for 5 years and I faced a lot of the "best practices" in the industry. Daily meetings, "clean code", code reviews, CI, small teams, big teams, microservices etc Out of all of them I can tell you that there is one thing…

34

36

437

@pashovkrum

pashov

4 months

One of the best ways to learn about previous smart contract hacks, understand them in depth and read the code with which the attack can be executed? Here it is, 10/10 resource

Tweet card media

GitHub - coinspect/learn-evm-attacks: Learn & Contribute on previously exploited vulnerabilities...

Learn & Contribute on previously exploited vulnerabilities across several EVM projects. - coinspect/learn-evm-attacks

11

92

414

@pashovkrum

pashov

4 months

Personal 2023 quarterly money stats doing solo smart contract audits: Q1: $105k Q2: $153k Q3: $224k Q4: $114k (I started Pashov Audit Group here) There are also +$40k throughout the year for some small gigs that weren't accounted above. Looking forward to 5x'ing this in 2024🫡

35

14

367

@pashovkrum

pashov

6 months

My past 12 months: - Found >300 Critical/High/Medium security vulnerabilities in smart contracts - Reviewed close to 100,000 lines of code - Hit high six figures income Ask me anything.

76

10

365

@pashovkrum

pashov

1 year

The best beginner resource I have read so far on MEV. I even learned the details about some advanced stuff like Poisoned Sandwiching and Just-in-Time (JIT) liquidity attacks, now I understand how they work. Mandatory knowledge for both devs & auditors🫡

Tweet card media

MEV: Maximal Extractable Value Pt. 1

This report is part 1 of a 2-part series focused on Maximal Extractable Value. This is the story of how the Flashboys of tomorrow, called Flashbots, are changing the game of frontrunning on Ethereum....

32

79

363

@pashovkrum

pashov

3 months

50 smart contract security audits. This is the amount of solo audits with published reports I have personally completed. After all of this, I can definitely say - experience does matter. Some good alpha in those reports, here they are:

Tweet media one

7

60

364

@pashovkrum

pashov

5 months

Yesterday marked 1 full year (365 days) of me posting web3 security content here absolutely every single day. Took this as a self-discipline challenge, tried to provide as much value as possible. Should I do another year of posting every single day? I am thinking about it🤔

32

8

342

@pashovkrum

pashov

8 months

A solo smart contract audit client asked me if I have some checklist that they can go through before my review. Even if devs can't be security researchers, they can follow safety checklists. I sent them this, it should eliminate the most common bugs

Tweet card media

GitHub - transmissions11/solcurity: Opinionated security and code quality standard for Solidity...

Opinionated security and code quality standard for Solidity smart contracts. - transmissions11/solcurity

11

58

342

@pashovkrum

pashov

1 year

This is part-2 of the Galaxy's research papers on MEV. I just learned in-depth about what are MEV-Boost, Searchers, Builders, Relays, Validators & PBS (proposer-builder separation). Best advanced MEV post I have read, an hour an a half well spent🙏

12

78

324

@pashovkrum

pashov

10 months

If you see this t-shirt you will have 7 years of good luck and have a chance to discuss solo smart contract security audits ☺️

Tweet media one

22

5

330

@pashovkrum

pashov

10 months

Every audit start - "Fck, I won't find anything here, it's written so clean & well" 2 days later - "Those developer assumptions seem wrong.." 5 days later - "If this & that happens, users can lose 100% of their deposit.." 10 days later - 2 Critical, 2 High, 4 Medium issues🫡

15

23

328

@pashovkrum

pashov

3 months

I made $500 and am donating it to a random person who retweets this and comments below✌️ Found an issue related to using `ERC20::approve` - it always reverts with USDT on Ethereum mainnet (no `bool` returned). Use `SafeERC20`'s `forceApprove` method by OpenZeppelin instead🫡

@pashovkrum

pashov

3 months

I’m betting $500 that I will find at least a single Medium/High severity issue in your Solidity protocol’s code in 24hrs Try me, weak devs, this will be the easiest cash ever😈

Tweet media one

54

15

235

275

243

312

@pashovkrum

pashov

1 year

A must have VS code extension for solo auditors. Why? Because it counts SLOC (source lines of code) for you in just a few clicks, which helps you scope the work & effort needed for a smart contract security review✌️

Tweet media one

7

43

327

@pashovkrum

pashov

2 months

Take advantage of my network. I'd help mostly anyone. I personally know: - Senior web2/web3 developers - Elite security researchers and companies - Angel investors and VCs - Founders of protocols, small and big ones Just ask. Proof of not being a scammer required.

40

15

329

@pashovkrum

pashov

5 months

The web3 security course by @CyfrinAudits is now accessible for anyone, no code needed, fully open-sourced. All of you who are asking "How to become a good auditor" - this is your answer right here. Thank you @PatrickAlphaC and Cyfrin team! Link:

Tweet media one

10

41

323

@pashovkrum

pashov

7 months

The best 3 web3 security video courses at the moment (alphabetical order): 1. @0xOwenThurm 's advanced web3 security course (free) 2. @RealJohnnyTime 's smart contracts hacking course (paid) 3. @TheSecureum bootcamp course (free)

10

67

316

@pashovkrum

pashov

10 months

This book will bump your IQ with 10-15 points just by reading it most probably. While not directly cybersecurity related, being mindful of cognitive biases and how your brain works (and how it tricks your own self sometimes) will do wonders in your security research

Tweet media one

17

25

320

@pashovkrum

pashov

1 year

Questions I regularly ask myself while on an audit: 1. What if I provide 0 as an input value here 2. What if I call this method right before this other one 3. What if this ERC20 is non-standard 4. What if this external call reenters 5. What am I doing with my life (jk)

22

23

317

@pashovkrum

pashov

10 months

Currently the best tool (received same feedback from multiple sources) for studying smart contract security vulnerabilities. Mostly better than reading code4rena/Sherlock reports directly on their platforms. Great filtering & querying options🫡

Tweet card media

Solodit is a platform that aggregates all findings from popular audit platforms.

6

48

321

@pashovkrum

pashov

9 months

Nice Solidity clean code guidelines. Poorly written code is always 10x more attractive to blackhats. Follow best practices and write clean code, it's quite worth it.

Tweet card media

Professional solidity code style

The purpose of this article is not to rehash the official Solidity Style Guide, which you should read. Rather, it is to document the common deviations from the style guide that come up in code...

www.rareskills.io

6

59

315

@pashovkrum

pashov

6 months

🚨JUST IN: Gas Optimizoors losing their jobs Solidity v0.8.22 just came out with a breakthrough feature: Unchecked Loop Increments. Basically, your "put `++i;` in unchecked block" gas optimization findings will be no longer valid. RIP🪦

Tweet media one

31

40

306

@pashovkrum

pashov

1 year

January was my 8th month doing smart contract audits & I did only solo ones this month. It resulted in $18010 for 70 hours of focused work, which is my best one so far. Clients are noticing the improvement in my service and they are happy with the results & value they are getting

23

11

308

@pashovkrum

pashov

4 months

If you are doing a smart contract security audit and see this `require(token.balanceOf(address(this)) == ….` You’ve most probably found an issue. Anyone who can get 1 wei worth of `token` can send it to the contract as a front-run attack, forcing the method call to revert

19

22

304

@pashovkrum

pashov

8 months

This is the single best article I read that can do ELI5 on Lending/Borrowing DeFi applications - why they exist, what's their use case, how do they work. The liquidations explanation is 10/10. I'm in crypto for ~3 years now and I learned some things🙏

Tweet card media

Understanding Compound’s Liquidation - Zengo

Understanding Compound’s Liquidation Zengo is the first keyless bitcoin and cryptocurrency wallet — the most simple and secure way to manage your crypto assets.

6

53

303

@pashovkrum

pashov

5 months

Solidity developers, pls know that when you use `ERC20::approve` it won't work with USDT/BNB because Solidity has return data length checks and they do not return a bool on an "approve" call. Use `forceApprove` from OpenZeppelin's `SafeERC20` library

12

29

299

@pashovkrum

pashov

9 months

The token also has 6 decimals and uses Solidity compiler version 0.4.24. It also doesn't implement EIP712 as the standard expects you to.

7

8

297

@pashovkrum

pashov

2 months

It's amazing how many people don't know about All opcodes, their gas costs, stack inputs/outputs explained in great detail plus a playground to test them 10/10, guy who created it deserves an airdrop

Tweet card media

EVM Codes - Opcodes

An Ethereum Virtual Machine Opcodes Interactive Reference

10

36

304

@pashovkrum

pashov

9 months

This is your monthly reminder to never do `require(tx.origin == msg.sender)` in your smart contracts as it breaks integration with all smart contract wallets and ERC4337 Account Abstraction✌️

18

33

296

@pashovkrum

pashov

1 year

On my first month doing smart contract audits (June) I managed to make $1420.89 total. This is from 3 code4rena contests that I did in 1 weekend (15 hr). I did it by going through the Secureum bootcamp and reading old code4rena reports. Do I share results from subsequent months?

29

16

297

@pashovkrum

pashov

1 year

1/ It's official - I decided to join @RealJohnnyTime 's effort on educating the smart contract security community. I <3 the content I saw in it and I will also be personally adding 2 value-packed lectures to it Get extra $50 off by using my affiliate link

Tweet card media

Smart Contracts Hacking Course

Smart Contracts Hacking Course

smartcontractshacking.com

24

38

288

@pashovkrum

pashov

9 months

Newsflash: USDT & USDC both have similar attack vectors as well. I thought this one might be different, but it's really isn't.

18

32

284

@pashovkrum

pashov

3 months

A MUST READ. Before learning Solidity or smart contract security, I always recommend this book for fundamental blockchain & Ethereum knowledge. Enjoy👇

Tweet card media

GitHub - ethereumbook/ethereumbook: Mastering Ethereum, by Andreas M. Antonopoulos, Gavin Wood

Mastering Ethereum, by Andreas M. Antonopoulos, Gavin Wood - ethereumbook/ethereumbook

17

49

290

@pashovkrum

pashov

9 months

A reminder for smart contract developers to use Solidity compiler version 0.8.19 for now if you want to deploy on multiple chains, as Arbitrum, Optimism, BASE and other EVM-based chains still do not support the PUSH0 opcode which will be in your bytecode if you use solc >=0.8.20

Tweet media one

8

48

280

@pashovkrum

pashov

1 year

If you see a Solidity method that has an argument of type array, always check for 3 things: 1. What if the array length is 0? 2. What if there are duplicated elements in the array? 3. What if there are zero value elements in the array?

10

29

287

@pashovkrum

pashov

1 year

Looks like I will be creating some smart contract security educational content pretty soon, if I were you I'd stay tuned🫡

30

7

281

@pashovkrum

pashov

8 months

Looks like the Gas Optimisations Bible is out and it seems value-packed🔥 I think with this you should be able to make some good money on decentralised Gas optimisation contests (code4rena, sometimes Hats finance ones)

Tweet card media

The RareSkills Book of Solidity Gas Optimization: 80+ Tips

Gas optimization in Ethereum is re-writing Solidity code to accomplish the same business logic while consuming fewer gas units in the Ether

www.rareskills.io

7

59

286

@pashovkrum

pashov

10 months

Now that EthCC 2023 is over, here are my personal 5 key takeaways from it: 1. It's all about side events. All the smart guys I spoke to were going to side events almost exclusively as opposed to staying at the main venue - that's where the alpha is

14

17

276

@pashovkrum

pashov

1 year

Web2/web3 dev jobs - there is the gatekeeper, who would scrap your CV just because you don't have years of experience, a degree or whatever Web3 Security - it's 100% unbiased and value based - if you have valuable skills you jump on C4/Sherlock/Immunefi and you make good money

19

28

277

@pashovkrum

pashov

1 year

Probably the best guide on becoming a smart contract auditor, it's a bit old now but 100% relevant. This has helped so many people, it's unreal

Tweet card media

How to become a smart contract auditor | cmichel

From time to time, I receive messages asking me for advice on how to get started as a smart contract security auditor. While there are…

13

34

271

@pashovkrum

pashov

6 months

If you need a list with all web3 security companies, solo auditors and their reports, here it is. The list also contains a "Comprehensive List of Hacks & Exploits" Thank you @0xNazgul

Tweet card media

GitHub - 0xNazgul/Blockchain-Security-Audit-List: A list of Blockchain Security audit companies,...

A list of Blockchain Security audit companies, solo auditors and location of public audits. - 0xNazgul/Blockchain-Security-Audit-List

13

47

273

@pashovkrum

pashov

3 months

3 mandatory checklists to go through before doing a smart contract security audit on your codebase: 1. The Solcurity Standard - 2. Weird ERC20 tokens list - 3. Solodit aggregated checklists -

4

58

274

@pashovkrum

pashov

1 year

Like this tweet if you'd like me to write a thread on what I think it is the best way to read code4rena reports to extract maximum knowledge that you actually understand🙏

14

7

274

@pashovkrum

pashov

10 months

$100k profit a month? In the past few days I've met people making ~$100k monthly providing value to the web3 space with their security expertise. Biggest moneymakers are: - Immunefi Critical severity bug reporters - Spearbit Lead Security Researchers - Sherlock Senior Watsons

10

22

267

@pashovkrum

pashov

1 year

Best intro for beginners to Yul I have read so far. Filled some gaps in my knowledge. Only problem was it says "19 minutes read" but it took me ~1hr lol

Tweet card media

Beginner's Guide to Yul

What is Yul?

9

62

265

@pashovkrum

pashov

9 months

Here is where I spent ~2hrs of my time in the last few days to learn about EVM opcodes and Yul (assembly) in depth. Free memory pointer, memory manipulation etc - great workshop. Thanks @jtriley_eth

Tweet card media

Demystifying Ethereum Assembly by Joshua Riley | Devcon Bogotá

Visit the https://archive.devcon.org/ to gain access to the entire library of Devcon talks with the ease of filtering, playlists, personalized suggestions, d...

www.youtube.com

6

47

268

@pashovkrum

pashov

1 year

This is the best checklist on ERC20 token integration I have used. You easily get Mediums on code4rena with it and also on solo audits. Stay safe when integrating ERC20 into your contracts, it's dangerous✌️

Tweet card media

GitHub - d-xo/weird-erc20: weird erc20 tokens

weird erc20 tokens. Contribute to d-xo/weird-erc20 development by creating an account on GitHub.

14

50

268

@pashovkrum

pashov

1 year

This is a mandatory read for anyone that is auditing Solidity code that integrates with Chainlink's VRF. The chance that the devs have not followed at least one of the considerations here is very high, it's your job to secure the integration🫡

Tweet card media

Blockchain Oracles for Connected Smart Contracts | Chainlink Documentation

Chainlink is the most widely used oracle network for powering universally connected smart contracts, enabling any blockchain to access real-world data & APIs.

docs.chain.link

16

47

266

@pashovkrum

pashov

1 year

Should I post a thread sharing my plan of how to go from Junior to Advanced in smart contract security? Hint: 1st step is completing Secureum bootcamp, second step is mastering Foundry (with the help of Patrick Collins YouTube vids on it and the Foundry book)

21

26

268

@pashovkrum

pashov

4 months

My learning technique has always been "just read 10 articles or watch 5 videos on the topic or more until you understand it" You can go very far with just this, especially by remembering that whatever is hard for you is in most cases hard for others as well

9

33

258

@pashovkrum

pashov

6 months

Too many hacks. I'm tired, boss. I truly believe that if more auditors were concentrated liquidity experts we could've had 1 hack less. That's why @PatrickAlphaC , @0xRajeev , @RealJohnnyTime and @0xOwenThurm are doing god's work, onboarding skilled whitehats is the solution imo.

15

14

262

@pashovkrum

pashov

1 year

Here is what's going down in my DMs: - How do I master web3 security? - Go through Secureum bootcamp - Link? Frens, if you can't find the link to the bootcamp how do you expect to find bugs later🤔 If you want to be a great researcher you'd have to research✌️Go find it yourself

23

13

262

@pashovkrum

pashov

1 year

I am doing private audits only this month (no code4rena/Sherlock contests) and it looks like it is going to be my best month in security so far, financially. This skill certainly pays well, some people are making $50-100k a month...

17

10

261

@pashovkrum

pashov

1 year

I wrote down your goals for 2023 for you, here they are: 1. Participate in a Secureum RACE test 2. Apply to join yAcademy 3. Apply to join SpearbitDAO 4. Participate in a code4rena and/or Sherlock contest 5. Submit a bug report on Immunefi 😊

12

35

261

@pashovkrum

pashov

2 months

It has never been easier to become a Solidity dev/ security auditor than now. @CyfrinUpdraft have free courses for: - Blockchain basics (start here) - Solidity 101 - Foundry 101 & Advanced Foundry - Smart Contract auditing & Formal Verification It's stupid to not be learning✌️

13

35

259

@pashovkrum

pashov

7 months

A BIG inefficiency is currently present in almost all smart contract security audits, wasting precious time and money of protocols and auditors Have you read reports where there are multiple pages of Informational severity issues or gas optimisations like "use ++i instead of…

16

44

256

@pashovkrum

pashov

2 months

The third largest cryptocurrency is a token on the Ethereum blockchain - USDT. It has a built-in fee-on-transfer mechanism (pictured below). Luckily, currently the value (basisPointsRate) is zero. If USDT flips the fee switch, how much of the current DeFi infrastructure breaks?

Tweet media one

30

31

251

@pashovkrum

pashov

1 year

Good news, I am now a mentor in @TheSecureum 🫡 I truly believe the bootcamp is one of the best things in this space and I have benefitted tremendously from it, so I'll do what I can to give value back to the community. RACE coming soon✌️

Tweet media one

16

8

254

@pashovkrum

pashov

1 year

🤩Just received my early Christmas gift! An Associate Security Researcher role at @SpearbitDAO It was a big goal for me to join probably the best circle of smart contract security masterminds 🧠 2023 will be great, can't wait🚀

Tweet media one

39

6

252

@pashovkrum

pashov

7 months

Top 3 biggest lies in web3 security: 1. Don't be motivated by money (web3 runs on economic incentives) 2. Don't work too hard, rest = best (you might stay mediocre for years) 3. Don't rush it, move slow (you'll watch from the sidelines how new people are crushing it)

17

13

244

@pashovkrum

pashov

1 year

10/10 resource. You can learn a lot of attack vectors that can result in High/Critical issues from here, as well as some Threat Modelling practices that will help you provide a great security service to protocols. Thanks @drdr_zz @wh01s7

Tweet card media

GitHub - ComposableSecurity/SCSVS: Smart Contract Security Verification Standard

Smart Contract Security Verification Standard. Contribute to ComposableSecurity/SCSVS development by creating an account on GitHub.

11

46

249

@pashovkrum

pashov

1 year

Being an independent smart contract security researcher/auditor full-time is the good life

20

3

242

@pashovkrum

pashov

11 months

I now have a big network of web3 developers & security researchers. Reach out if you need anything, I will be glad to contact you with the right people. I already introduced many founders to researchers/devs and vice versa.

11

15

242

@pashovkrum

pashov

1 year

If you are a protocol and you pay $5-10k for a security audit from a solo researcher and it results in 1 or 2 High severity findings I’d say it is pretty worth it, isn’t it?

23

5

239

@pashovkrum

pashov

3 months

I’m betting $500 that I will find at least a single Medium/High severity issue in your Solidity protocol’s code in 24hrs Try me, weak devs, this will be the easiest cash ever😈

Tweet media one

54

15

235

@pashovkrum

pashov

9 months

What powers my solo smart contract security audits: - Github - VS Code - Manual reading through code - Blackhat mindset - Communication with devs What doesn't: - Complex processes - Systems & code tools - Artificial Intelligence Start simple. Add complexity later (maybe).

18

24

237

@pashovkrum

pashov

1 year

December was my 7th month doing smart contract audits (code4rena, Sherlock, solo). It resulted in $17611.35 of rewards for 76 hours of work, so it was my best so far. Just a few months earlier I was making 10 times less. But it's time to get my skills to the next level now.

20

3

236

@pashovkrum

pashov

1 year

I have been tweeting daily about web3 security for 5 months now, trying to share interesting/valuable stuff with the community and offering my solo smart contract security auditing services. Hitting 10k followers until the end of the week. Ask me anything🙏

51

9

237

@pashovkrum

pashov

4 months

If you deploy smart contracts on multiple chains like Ethereum, Arbitrum, Polygon, Optimism and others you would greatly benefit from this resource. GJ @0xJuancito

Tweet card media

GitHub - 0xJuancito/multichain-auditor: Observations and tips checklist for auditing protocols on...

Observations and tips checklist for auditing protocols on multiple chains 🧐 - 0xJuancito/multichain-auditor

4

49

235

@pashovkrum

pashov

8 months

I got hired by a >$200M TVL protocol to conduct an upgrade/diff security review. Being experienced with such highly scaled projects is very important - the stakes are different & it's not a game anymore. Big protocols are starting to trust solo security auditors more & more🫡

12

10

235

@pashovkrum

pashov

8 months

Been deep-diving into smart contract upgradeability lately, it's a complex matter. Here is a quick checklist I made for a client - it's by no means complete, but serves as as good starting point.

Tweet media one

14

34

231

@pashovkrum

pashov

2 years

Last night I got my first 4 digit payout in a smart contract security contest. This came from submitting 2 High severity & 1 Medium severity findings. It’s a big milestone for me, now off to the next one - 5 digit payout 🚀

Tweet media one

20

6

228

@pashovkrum

pashov

1 year

This is what 6 months of solo smart contract security audits looks like. There are some more unpublished audit reports as well. Most protocols are very happy to get a solo audit and are saying that they will include it in their security check ups from now on✌️

Tweet media one

12

10

231

@pashovkrum

pashov

2 months

Many web3 security researchers will be getting rich in the upcoming months It's a beautiful thing🌹

11

6

231

@pashovkrum

pashov

11 months

In the month of May I did 6 smart contract security audits, totalling 95 hours of focused work and $46000 in payments. There are 6 Critical/High severity findings, all of them will be published on my personal Github. Happy to have the opportunity to provide value to builders✌️

9

10

227

@pashovkrum

pashov

4 months

A great quote valid for web3 security in 2024: ”Free education is abundant all over the internet. It's the desire to learn that's scarce.”

12

28

230

@pashovkrum

pashov

1 year

You have no idea how much solo smart contract audits business is blowing up right now

27

14

229

@pashovkrum

pashov

6 months

Lido has done ~40 security audits/reviews in the past 3 years. I haven't seen another protocol doing this. Maybe this is why they are Top 1 protocol by TVL

Tweet card media

GitHub - lidofinance/audits

Contribute to lidofinance/audits development by creating an account on GitHub.

11

32

215

@pashovkrum

pashov

1 year

I'm about to announce a very cool web3 security partnership that will be of a great benefit to most of you guys who are following me here. So many people here gave me so much value when I was starting out, now it's time for me to give back✌️ Try to guess it if you want lol

31

8

225

@pashovkrum

pashov

1 year

Auditing an Aave V3 fork got me reading their past audit reports. Fun facts: - 9 audits, ~$1.6M in audit fees for the codebase - Certora's Formal Verification found a Crit & multiple High severity issues - A Tier-1 company put `fee-on-transfer tokens` as a High severity issue

11

15

223

@pashovkrum

pashov

1 year

When doing an audit, always check each `transferFrom` call in smart contracts and verify that the `_from` parameter is `msg.sender`. If it isn't, it's quite possible that you are about to find a critical severity issue

9

15

222

@pashovkrum

pashov

9 months

I've now found the same funny Critical severity vulnerability while on a solo smart contract security audit at least 3 times. When your contract has a `receive() payable` method (or `fallback() payable`) always make sure you can get the ETH out of it. If not - it's stuck forever

25

24

215