bogo

@xb0g0

1,345
Followers
379
Following
87
Media
882
Statuses

Making Your Smart Contracts Secure 👉

On-chain
Joined July 2022
Pinned Tweet
@xb0g0
bogo
9 days
2nd 🏆WIN🏆 in a ROW If an oracle (a real one 😅) had shown me this in his 🔮, it's up for debate whether I would have believed it. But then, there are facts👀 Stats: 🧨solo and the only HIGH 🧨4 Mediums - 2 selected for report 🧨Found 4 of the 5 newly introduced vulnerabilities
Tweet media one
26
8
158
@xb0g0
bogo
1 month
Last night, I didn't sleep. Actually, I haven't slept enough for many weeks. This time, however, it was out of excitement. I finally 🏆WON🏆 my first competition. Some stats: 🏇6th competition ⌛️ 3rd month of contesting 🏅59th on the 90 day leaderboard 🏅377th on the all-time
Tweet media one
73
11
374
@xb0g0
bogo
6 months
If you write smart contracts (like me) or try to break them as an auditor (like me), you probably heard about fuzz/invariant testing After 3 full days of research I finally managed to grasp the practical implications and benefits of it I've created a map so you can do it in 1🧵
7
38
284
@xb0g0
bogo
4 months
I analyzed the report of a contest I participated in on @code4rena. One specific finding by @milotruck taught me a LOT. It was so simple, yet only 3 out of 125 auditors found it. WHY? - They asked the right questions!! I'm doing a breakdown of the mental model that empowered
10
24
179
@xb0g0
bogo
3 months
I just finished watching @milotruck's video, where he talks about auditing 😱It has a LOT of ALPHA!😱 But it is a lengthy video (~1h 30min) I'm compiling the key ALPHAS for all of you that don't have that time, because it is knowledge WORTH having🧵
11
20
126
@xb0g0
bogo
4 months
I dedicated my single day off from auditing this month to do a deep dive in a new web3 concept! 👉 Account Abstraction (ERC-4337) I invested 9 hours, read 26 articles and went through 3 threads (X & Reddit). All that experience I’ve compiled into a short guide with only a few
9
25
116
@xb0g0
bogo
1 month
I spent the day analyzing the security implications of the 63/64 gas rule in Ethereum. The occasions where it can lead to exploits are rather rare, but they still exist. In case your protocol has logic depending on gas calculations it's important you're aware of it. This
5
15
118
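Added example, not from the thread: the exploit shape that the 63/64 rule (EIP-150) creates when a contract marks an action as attempted regardless of whether the call it forwarded actually ran. The executor, the `GasHungry` target, the gas figures and the 5,000-gas margin are assumptions made for this example; it is a Foundry test, not any protocol's code.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Target that needs a few hundred thousand gas (20 cold storage writes, ~446k).
contract GasHungry {
    mapping(uint256 => uint256) public slots;
    function work() external {
        for (uint256 i; i < 20; i++) slots[i] = 1;
    }
}

// Queue where each action may be attempted exactly once (constructed pattern).
abstract contract ExecutorBase {
    struct Action { address target; uint256 gasLimit; bool done; }
    Action[] public actions;

    function queue(address target, uint256 gasLimit) external returns (uint256 id) {
        actions.push(Action(target, gasLimit, false));
        return actions.length - 1;
    }

    function execute(uint256 id) external returns (bool ok) {
        Action storage a = actions[id];
        require(!a.done, "already executed");
        a.done = true; // burned whether or not the call below really ran
        _checkGas(a.gasLimit);
        (ok,) = a.target.call{gas: a.gasLimit}(abi.encodeWithSignature("work()"));
    }

    function _checkGas(uint256 gasLimit) internal view virtual;
}

// Vulnerable: CALL can forward at most 63/64 of the gas that is left. If the
// transaction arrives with less than gasLimit, the inner call is quietly starved
// and reverts, while the retained 1/64 is enough to return normally. Any relayer
// can therefore "use up" an action without executing it.
contract VulnerableExecutor is ExecutorBase {
    function _checkGas(uint256) internal view override {}
}

// Hardened: refuse to proceed unless the callee is guaranteed its full budget.
// The margin covers the cost of the CALL itself; 5_000 is an assumed figure.
contract HardenedExecutor is ExecutorBase {
    function _checkGas(uint256 gasLimit) internal view override {
        require(gasleft() >= (gasLimit * 64) / 63 + 5_000, "insufficient gas");
    }
}

contract SixtyThreeSixtyFourTest is Test {
    function test_vulnerable_burnsActionWithoutRunningIt() public {
        GasHungry target = new GasHungry();
        VulnerableExecutor ex = new VulnerableExecutor();
        uint256 id = ex.queue(address(target), 500_000);
        bool ok = ex.execute{gas: 150_000}(id); // griefer supplies far too little gas
        assertFalse(ok);                        // inner call ran out of gas
        (, , bool done) = ex.actions(id);
        assertTrue(done);                       // ...yet the action is marked done
        assertEq(target.slots(19), 0);          // and its effects never happened
    }

    function test_hardened_refusesUnderfundedExecution() public {
        GasHungry target = new GasHungry();
        HardenedExecutor ex = new HardenedExecutor();
        uint256 id = ex.queue(address(target), 500_000);
        vm.expectRevert("insufficient gas");
        ex.execute{gas: 150_000}(id);
        assertTrue(ex.execute{gas: 1_000_000}(id)); // with a real budget it runs once
        assertEq(target.slots(19), 1);
    }
}
```

The same starvation trick applies anywhere a failed subcall is treated as a terminal outcome: try/catch fallbacks, "mark as processed then call" bridges, and meta-transaction relayers. The fix is either the pre-call gas check above or not consuming the one-shot state on failure.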
@xb0g0
bogo
5 months
In the last 3 months of 2023 I've managed to: 📌Get into web3 security 📌Do 3 shadow audits 📌Participate in 4 contests 📌Find my 1st bug 📌Do my first team audit 📌Audit my first big protocol - 4K sloc 📌0 -> 360 followers 📌Connect with awesome auditors For 2024, the goal is
11
8
96
@xb0g0
bogo
24 days
Writing smart contracts with upgradeability in mind is tricky. Thankfully @OpenZeppelin has streamlined most of the process. But regardless of the brilliant docs, I'm noticing that a lot of devs don't understand the _disableInitializers() safety mechanism. It is a very costly
6
15
97
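Added example, not the author's code, showing what `_disableInitializers()` guards. It assumes OpenZeppelin Contracts Upgradeable v5 (the `InvalidInitialization` error and the `__Ownable_init(address)` signature are v5) plus forge-std; the `VaultV1` contracts are constructed for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";
import {Initializable} from "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";
import {OwnableUpgradeable} from "@openzeppelin/contracts-upgradeable/access/OwnableUpgradeable.sol";
import {UUPSUpgradeable} from "@openzeppelin/contracts-upgradeable/proxy/utils/UUPSUpgradeable.sol";
import {ERC1967Proxy} from "@openzeppelin/contracts/proxy/ERC1967/ERC1967Proxy.sol";

// Implementation without a constructor. Proxies run `initialize` against THEIR
// storage, so the implementation's own storage stays uninitialized and anyone
// can call `initialize` on it and become owner of the logic contract.
contract VaultV1Unguarded is Initializable, OwnableUpgradeable, UUPSUpgradeable {
    function initialize(address owner_) external initializer {
        __Ownable_init(owner_);
        __UUPSUpgradeable_init();
    }

    function _authorizeUpgrade(address) internal override onlyOwner {}
}

// Same logic, with the safety mechanism: the constructor runs once, on the
// implementation's own storage, and locks every initializer there for good.
contract VaultV1 is VaultV1Unguarded {
    /// @custom:oz-upgrades-unsafe-allow constructor
    constructor() {
        _disableInitializers();
    }
}

contract DisableInitializersTest is Test {
    address attacker = makeAddr("attacker");

    function test_unguardedImplementationCanBeClaimed() public {
        VaultV1Unguarded impl = new VaultV1Unguarded();
        vm.prank(attacker);
        impl.initialize(attacker);          // succeeds on the logic contract itself
        assertEq(impl.owner(), attacker);
    }

    function test_guardedImplementationRejectsInitialize() public {
        VaultV1 impl = new VaultV1();
        vm.expectRevert(Initializable.InvalidInitialization.selector);
        impl.initialize(attacker);

        // The proxy path is unaffected: initialize runs once against proxy storage.
        address proxy = address(new ERC1967Proxy(
            address(impl), abi.encodeCall(VaultV1Unguarded.initialize, (address(this)))
        ));
        assertEq(VaultV1(proxy).owner(), address(this));

        vm.expectRevert(Initializable.InvalidInitialization.selector);
        VaultV1(proxy).initialize(attacker);   // second initialization on the proxy also blocked
    }
}
```

The constructor is the only code that ever executes in the implementation's own context, which is why it is the right place for the lock; nothing the proxy does can reach it.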
@xb0g0
bogo
2 months
Summary of my first 40 days of active auditing: 1. Ethereum Credit Guild (team) - 295$ (1 H 3M) 2. Ubiquity - 372$ (ranked 14/257) (1M) 3. reNFT (team) - 7$😅(3M) 4. Salty - 120$ (1 H 3M) ---------------- 💸Total $: 794 $ 💥Total vulnerabilities: 2H 10M 🧐Grinding continues,
6
4
84
@xb0g0
bogo
5 months
Foundry fork testing is awesome🚀 If you want to make your smart contracts safer or try to provide a plausible POC for an exploit - look no further It's genius because: - It's dead SIMPLE to setup - Saves LOTS of time - Uses REAL blockchain data Here is a concrete example👇
3
11
83
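Added example, not the tweet's own: the fork-test setup in Foundry. The only real address used is mainnet WETH9; the environment variable name `MAINNET_RPC_URL`, block 19,000,000 and the attacker address are assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";
import {IERC20} from "forge-std/interfaces/IERC20.sol";

interface IWETH is IERC20 {
    function deposit() external payable;
    function withdraw(uint256 wad) external;
}

contract ForkPocTest is Test {
    // Mainnet WETH9, the one real contract this example depends on.
    IWETH constant WETH = IWETH(0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2);
    address attacker = makeAddr("attacker");

    function setUp() public {
        // RPC endpoint from the environment (MAINNET_RPC_URL is an assumed name; an
        // alias from [rpc_endpoints] in foundry.toml works too). Pinning the block
        // keeps the PoC reproducible and lets forge cache the state it touches.
        vm.createSelectFork(vm.envString("MAINNET_RPC_URL"), 19_000_000);
    }

    function test_forkHasRealState() public {
        assertEq(block.number, 19_000_000);
        assertGt(address(WETH).balance, 0);   // real ETH backing real WETH
        assertGt(WETH.totalSupply(), 0);
    }

    // Shape of a contest PoC: fund the attacker, act as them, assert the outcome.
    function test_attackerCanRoundTripWeth() public {
        deal(address(WETH), attacker, 10 ether);   // writes WETH's balanceOf slot directly
        vm.startPrank(attacker);
        WETH.withdraw(10 ether);                   // WETH's real ETH reserve pays out
        assertEq(attacker.balance, 10 ether);
        WETH.deposit{value: 10 ether}();
        vm.stopPrank();
        assertEq(WETH.balanceOf(attacker), 10 ether);
    }
}
```

For a real PoC the interesting contract replaces WETH and the attacker's sequence of calls replaces the round trip; `deal`, `vm.prank` and `vm.warp`/`vm.roll` cover funding, identity and timing without any deployment scripts.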
@xb0g0
bogo
20 days
I finished analyzing the findings of a contest I won and I got some great insights. The specific thing about this contest was that I experimented with a different auditing approach. My experience from past audits has shown me that I was grinding too much on tiny details,
3
1
80
@xb0g0
bogo
6 months
Today marks the 2nd month of my journey into smart contract auditing - 1 Med - 2 Shadow Audits - 4H & 9M & 4 L - 180+ followers - 140+hours pure grinding/learning My next goal is to test all the newly acquired knowledge into a real contest and see how I progressed
7
2
74
@xb0g0
bogo
4 months
Try/catch statements in Solidity are quite tricky! 💣They are not complex! But more often than not they are a source of confusion and, depending on the logic that builds up on them, can also lead to some security holes. When I initially started writing smart contracts I approached
1
10
76
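Added example, not from the thread: a Foundry test showing which failures a Solidity `try/catch` catches (the three catch clauses) and which ones it does not (a target with no code, a revert while evaluating the arguments, a revert inside the success block). `Callee` and `Caller` are constructed for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

contract Callee {
    error Custom(uint256 code);

    function fail(uint8 which) external pure returns (uint256) {
        if (which == 0) return 7;
        if (which == 1) revert("nope");                   // Error(string)
        if (which == 2) return 1 / (uint256(which) - 2);  // Panic(0x12): division by zero
        if (which == 3) revert Custom(42);                // custom error: raw bytes
        assembly { revert(0, 0) }                         // empty revert data
    }

    function noReturn() external pure {}
}

contract Caller {
    // The three clauses match on how the revert data is encoded.
    function classify(Callee c, uint8 which) external view returns (string memory kind, uint256 detail) {
        try c.fail(which) returns (uint256 v) {
            return ("success", v);
        } catch Error(string memory reason) {
            return (reason, 0);                          // revert("...") and require(.., "...")
        } catch Panic(uint256 code) {
            return ("panic", code);                      // assert, overflow, div by zero, ...
        } catch (bytes memory low) {
            if (low.length == 0) return ("empty", 0);    // revert() with no data, or out of gas
            return ("custom", uint256(uint32(bytes4(low)))); // selector of the custom error
        }
    }

    // Pitfall 1: a target with no code. For a call whose return data is not decoded,
    // the compiler's extcodesize check reverts IN THIS contract, before the try.
    function callNoCode(address target) external returns (bool reached) {
        try Callee(target).noReturn() { reached = true; } catch { reached = true; }
    }

    // Pitfall 2: only the external call is guarded. A revert while evaluating the
    // arguments, or inside the success block, bubbles up uncaught.
    function revertInArgument(Callee c) external view returns (bool) {
        try c.fail(_boom()) returns (uint256) { return true; } catch { return false; }
    }

    function revertInSuccessBlock(Callee c) external view returns (bool) {
        try c.fail(0) returns (uint256) { revert("inside try block"); } catch { return false; }
    }

    function _boom() internal pure returns (uint8) { revert("argument"); }
}

contract TryCatchTest is Test {
    Callee callee = new Callee();
    Caller caller = new Caller();

    function test_catchClausesMatchEncoding() public {
        (string memory k, uint256 d) = caller.classify(callee, 0);
        assertEq(k, "success"); assertEq(d, 7);
        (k, d) = caller.classify(callee, 1);
        assertEq(k, "nope");
        (k, d) = caller.classify(callee, 2);
        assertEq(k, "panic"); assertEq(d, 0x12);
        (k, d) = caller.classify(callee, 3);
        assertEq(k, "custom"); assertEq(d, uint32(Callee.Custom.selector));
        (k,) = caller.classify(callee, 4);
        assertEq(k, "empty");
    }

    function test_noCodeTargetIsNotCaught() public {
        vm.expectRevert();
        caller.callNoCode(makeAddr("eoa"));
    }

    function test_argumentAndBodyRevertsAreNotCaught() public {
        vm.expectRevert("argument");
        caller.revertInArgument(callee);
        vm.expectRevert("inside try block");
        caller.revertInSuccessBlock(callee);
    }
}
```

Two practical consequences: guard a `try` with `target.code.length > 0` when the target is user-supplied, and remember that the `catch` branch also fires when the callee simply ran out of the gas you forwarded, so a fallback path in `catch` is reachable by anyone who controls the transaction's gas.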
@xb0g0
bogo
4 months
Just finished a contest & I'm jumping straight into the next one. I think I'm getting quite good at understanding protocols at a deeper level! 💣It's the second time in a row that I experience the following: At 70% of contest duration I stop looking for bugs, because I don't
3
4
67
@xb0g0
bogo
4 months
Just finished another contest and a repeating pattern keeps revealing itself before me. - You open the protocol, feel overwhelmed and can't comprehend how it is possible that any exploit could be found - A couple of days pass, you get a deeper understanding of its inner
4
6
65
@xb0g0
bogo
2 months
I'm noticing a repeating pattern when auditing complex protocols Most of the time the bugs do not lie in the complex concept the particular protocol revolves around (e.g. some Math formula, a novel Reward/Fee distribution technique, token rebasing etc.) Most of the
4
4
60
@xb0g0
bogo
2 months
For weeks, I've been pushing myself hard to shift my auditing approach, and it's starting to yield results. The changes I've made include: - I no longer audit past the point of frustration. I take breaks and allow my brain to breathe - I dig deep, but not too deep - If I find
6
2
57
@xb0g0
bogo
14 days
When you're learning and looking to get into contests one of the best ways to accelerate your progress is by doing shadow audits. 💪It definitely helped me, so it'll help you as well💪 But you're probably not sure how to approach this and which contest to pick. Fear NOT! In
2
6
59
@xb0g0
bogo
2 months
Just finished another contest (@revertfinance). 🛠️I've been grinding the last 20 days non-stop, I barely had any time to post here. I'm learning so many things at a fast pace - about auditing, about mental control, about approaches, about fighting exhaustion and lack of
Tweet media one
3
1
56
@xb0g0
bogo
2 months
Auditing is about being creative! I believe creativity is a rare skill, that can be gained in 2 ways: 🔹 you're born with it 🔹 you exercise relentlessly until it becomes 2nd skin If you (like me) are among the second group, I invite you to keep reading. I'll be doing a
5
8
52
@xb0g0
bogo
1 month
I have a couple more days before diving into a competition. This is how I decided to invest my time away from auditing. 1. Open C4 365-day leaderboard 2. Open @SoloditOfficial and start typing all those names from the leaderboard 📌I'm using the following filters - e.g solo
Tweet media one
Tweet media two
2
5
52
@xb0g0
bogo
3 months
Still having a Hangover from @cantinaxyz Blast contest 😵‍💫 It was a 20 day non-stop grinding, reading, deciphering and testing It was the most demanding contest for me so far: 📌A lot of the cross-chain stuff (e.g Optimism) blew my mind initially as it was my first contact with
4
1
50
@xb0g0
bogo
9 days
Finished wrapping up for the @RenzoProtocol contest. I'm taking a break for 3 days, which I'll dedicate entirely to the Uniswap V3 Development Book. The goal is to level up my understanding of concentrated liquidity protocols in order to gain a deeper context when auditing
7
5
48
@xb0g0
bogo
6 months
Scored a Medium finding in my first contest ever. It was the @WildcatFi protocol at @code4rena. Nothing impressive, but it's enough fuel to keep me going till the next gas station (pun intended)😁
Tweet media one
7
0
47
@xb0g0
bogo
3 months
Things are gradually getting better with each contest🙏 I also made it to the leaderboard for the @UbiquityDAO contest - ranked 14th out of 257 This was my 2nd competitive contest and my 1st month of active contesting. Maybe there is some hope for me🧐! Who knows 🤷‍♂️ Only
Tweet media one
10
1
45
@xb0g0
bogo
5 months
🧠 A materialized view of what happens in your brain when you try to get better at smart contract auditing (or anything else). When you struggle, you must not give up and wait for your brain to make those connections. As you can see it takes a bit of time and push to get them
6
6
45
@xb0g0
bogo
3 months
So things are gradually beginning to take some shape! 🎯First 3 figure sum 🎯First team audit (with @Audinarey) 🎯Second month of my auditing journey 🎯First 4K sloc codebase & second contest overall The big win for me here is obviously not the 💸, but the fact that even
Tweet media one
3
0
44
@xb0g0
bogo
5 months
⌛️96 Hours (16 days * 5 hours) -> the amount of effort I have invested in my last @code4rena contest ⌛️Took a 3 day break ⌛️Starting today I'm entering a new grinding session -> Audit/Compete >= 4.5 hours daily for the next 1 month Curious to see what I'll be able to achieve💰
6
2
44
@xb0g0
bogo
4 months
3 or so months ago I started my web3 auditing journey with 3 questions: 1. Am I going to achieve something at all❓ 2. All this time and effort every SINGLE day - is it worthwhile❓ 3. Does this thing get any easier, less exhausting or at least a bit less stressful❓ I can
2
5
41
@xb0g0
bogo
3 months
reNFT drive-through🏎️ 🗨️ ME: - A double 🍔 with 🍟 and a 🍺 please 🗨️ Nice Lady behind the counter: - That would be $16 USDC for you sir! 🗨️ ME - Sh*t, I didn't earn that much. Remove the 🍺! ✨Congratulations to everyone that managed to afford the 🍺
Tweet media one
4
2
42
@xb0g0
bogo
3 months
🗨️"Always Round Up in Favor of The Protocol" If you've been developing a protocol with Vault functionality or maybe audited one, you must have heard this at least once. 🧐But what is the problem & why should I solve it? 🧵 I'm dedicating this thread to help you understand the
4
7
41
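Added example, not from the thread: ERC-4626-style share conversions with a flag that selects rounding in the user's favour or the protocol's, and a Foundry test showing what the wrong direction costs. The vault, its starting state (1000 assets backing 333 shares) and the `mulDivUp` helper are constructed for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Share accounting of an ERC-4626-style vault, reduced to the four conversions.
contract SharesVault {
    uint256 public totalAssets;
    uint256 public totalShares;
    bool public immutable roundAgainstUser;

    constructor(uint256 assets, uint256 shares, bool _roundAgainstUser) {
        totalAssets = assets;
        totalShares = shares;
        roundAgainstUser = _roundAgainstUser;
    }

    function mulDivDown(uint256 a, uint256 b, uint256 d) internal pure returns (uint256) {
        return (a * b) / d;
    }

    function mulDivUp(uint256 a, uint256 b, uint256 d) internal pure returns (uint256) {
        uint256 q = (a * b) / d;
        return (a * b) % d == 0 ? q : q + 1;
    }

    // deposit(assets) -> shares minted: always rounds DOWN (user never gets more than paid for).
    function previewDeposit(uint256 assets) public view retur-ns (uint256) {
        return mulDivDown(assets, totalShares, totalAssets);
    }

    // mint(shares) -> assets pulled from the user: should round UP.
    function previewMint(uint256 shares) public view returns (uint256) {
        return roundAgainstUser ? mulDivUp(shares, totalAssets, totalShares) : mulDivDown(shares, totalAssets, totalShares);
    }

    // withdraw(assets) -> shares burned: should round UP.
    function previewWithdraw(uint256 assets) public view returns (uint256) {
        return roundAgainstUser ? mulDivUp(assets, totalShares, totalAssets) : mulDivDown(assets, totalShares, totalAssets);
    }

    // redeem(shares) -> assets paid out: always rounds DOWN.
    function previewRedeem(uint256 shares) public view returns (uint256) {
        return mulDivDown(shares, totalAssets, totalShares);
    }

    function withdraw(uint256 assets) external returns (uint256 shares) {
        shares = previewWithdraw(assets);
        totalShares -= shares;
        totalAssets -= assets;
    }
}

contract RoundingTest is Test {
    function test_roundingDownOnWithdrawLeaksAssets() public {
        SharesVault naive = new SharesVault(1000, 333, false); // 1 share ~ 3.003 assets
        assertEq(naive.previewWithdraw(3), 0);                  // 0.999 shares rounds to 0
        for (uint256 i; i < 100; i++) naive.withdraw(3);        // 300 assets out, 0 shares burned
        assertEq(naive.totalAssets(), 700);
        assertEq(naive.totalShares(), 333);                     // remaining holders absorbed the loss
    }

    function test_roundingAgainstUserKeepsVaultWhole() public {
        SharesVault careful = new SharesVault(1000, 333, true);
        assertEq(careful.previewWithdraw(3), 1);  // burns a whole share for 3 assets
        assertEq(careful.previewMint(1), 4);      // pays 4 assets for a share worth 3.003
        assertEq(careful.previewDeposit(3), 0);   // 3 assets buy 0 shares: reject zero-share deposits
        assertEq(careful.previewRedeem(1), 3);
        careful.withdraw(3);
        assertEq(careful.totalAssets(), 997);
        assertEq(careful.totalShares(), 332);
    }
}
```

The rule of thumb the tweet quotes falls out of the table: whatever the user receives (shares on deposit, assets on redeem) rounds down, whatever the user pays (assets on mint, shares on withdraw) rounds up. A conversion that can legitimately round to zero should revert rather than mint or burn nothing.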
@xb0g0
bogo
2 months
I spent the last 5 days away from contests to clear my head. However I did not waste that time. I've managed to: - Read the Uniswap V2 book - Write a couple of well researched posts inspired by my experience as an auditor - Read a dozen articles - Research and follow some
4
1
40
@xb0g0
bogo
4 months
My last audit pushed me really hard to learn about the attack vectors that occur when developing an AMM protocol I researched for almost a day & turns out quality information is rather scarce😱 ✨I'm sharing with you the 2 TOP articles I found containing lots of ALPHA!👇
4
2
37
@xb0g0
bogo
4 months
When using DEXes as oracles to get the price of an asset, there is a general rule that every responsible web3 developer should follow 🖊️ Statement: Do NOT use spot prices to determine the price of a token! 👉 Argument: Because spot prices can easily be manipulated! Even though
1
9
35
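Added example, not from the thread: a spot-price quoter that reads Uniswap V2 reserves next to a TWAP quoter that averages `price0CumulativeLast` over a window, and a Foundry test showing that one in-transaction reserve change moves the spot price but not the average. The mock pair, the reserve sizes and the 30-minute window are assumptions made for the example; the cumulative-price arithmetic follows the real pair's UQ112x112 accounting.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Subset of the Uniswap V2 pair interface the two quoters need.
interface IUniswapV2Pair {
    function getReserves() external view returns (uint112 reserve0, uint112 reserve1, uint32 blockTimestampLast);
    function price0CumulativeLast() external view returns (uint256);
}

// Mock pair (constructed for this test). setReserves() stands in for a swap and
// accrues the cumulative price like the real pair's _update(): elapsed time is
// charged at the price that held BEFORE the reserves changed.
contract MockPair is IUniswapV2Pair {
    uint112 r0; uint112 r1; uint32 ts;
    uint256 public price0CumulativeLast;

    constructor(uint112 a, uint112 b) { r0 = a; r1 = b; ts = uint32(block.timestamp); }

    function getReserves() external view returns (uint112, uint112, uint32) { return (r0, r1, ts); }

    function setReserves(uint112 a, uint112 b) external {
        uint32 now32 = uint32(block.timestamp);
        uint32 elapsed = now32 - ts;
        if (elapsed > 0) price0CumulativeLast += ((uint256(r1) << 112) / r0) * elapsed; // UQ112x112
        r0 = a; r1 = b; ts = now32;
    }
}

// Vulnerable: token1-per-token0 straight from current reserves. One flash-loan
// swap moves it arbitrarily inside a single transaction.
contract SpotQuoter {
    IUniswapV2Pair immutable pair;
    constructor(IUniswapV2Pair p) { pair = p; }
    function quote(uint256 amount0) external view returns (uint256) {
        (uint112 r0, uint112 r1,) = pair.getReserves();
        return (amount0 * r1) / r0;
    }
}

// TWAP: average of the cumulative price over a fixed window. Moving it means
// holding the manipulated reserves for the whole window against arbitrageurs.
contract TwapQuoter {
    IUniswapV2Pair immutable pair;
    uint32 public constant PERIOD = 30 minutes;
    uint256 cumulativeLast;
    uint32 timestampLast;
    uint256 public price0Average; // UQ112x112

    constructor(IUniswapV2Pair p) { pair = p; (cumulativeLast, timestampLast) = _current(); }

    // Cumulative price as of now: the pair's stored value plus the time since its last
    // update charged at the current reserves (what UniswapV2OracleLibrary does).
    function _current() internal view returns (uint256 cum, uint32 now32) {
        now32 = uint32(block.timestamp);
        cum = pair.price0CumulativeLast();
        (uint112 r0, uint112 r1, uint32 last) = pair.getReserves();
        if (last != now32) cum += ((uint256(r1) << 112) / r0) * (now32 - last);
    }

    function update() external {
        (uint256 cum, uint32 now32) = _current();
        uint32 elapsed = now32 - timestampLast;
        require(elapsed >= PERIOD, "window not elapsed");
        price0Average = (cum - cumulativeLast) / elapsed;
        cumulativeLast = cum;
        timestampLast = now32;
    }

    function quote(uint256 amount0) external view returns (uint256) {
        require(price0Average != 0, "not initialised");
        return (amount0 * price0Average) >> 112;
    }
}

contract OracleManipulationTest is Test {
    function test_spotMovesTwapDoesNot() public {
        vm.warp(1_700_000_000);
        MockPair pair = new MockPair(1_000_000e18, 2_000_000e18); // 1 token0 = 2 token1
        SpotQuoter spot = new SpotQuoter(pair);
        TwapQuoter twap = new TwapQuoter(pair);
        assertEq(spot.quote(1e18), 2e18);

        vm.warp(block.timestamp + 30 minutes);
        pair.setReserves(1_000_000e18, 20_000_000e18); // attacker skews reserves 10x in one tx...
        twap.update();
        assertEq(spot.quote(1e18), 20e18);             // spot follows the manipulation
        assertEq(twap.quote(1e18), 2e18);              // TWAP still reflects the 30-minute average
        pair.setReserves(1_000_000e18, 2_000_000e18);  // ...and unwinds it before the tx ends
    }
}
```

A TWAP is not free of attacks either: on a low-liquidity pair a manipulation can be held across blocks cheaply, so window length and pool depth are part of the threat model, and Chainlink-style feeds are often the better choice for lending collateral.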
@xb0g0
bogo
2 months
I recently analyzed the report of a contest I participated in - ECG ( @CreditGuild ) on C4. It was my first big protocol. There were some very interesting insights I gained for myself, like: "Valuable, low duplicate bugs != complex bugs. Which also does not mean they are easy to
5
6
33
@xb0g0
bogo
4 months
Today marks two achievements in my personal record book: 1. I've completed my 30 day non-stop auditing challenge for January. - It is a serious feat for me considering I was at the brink of over exhaustion a couple of times - I managed to compete in 3 different contests - I
5
2
35
@xb0g0
bogo
4 months
Been grinding a 2nd day on the Salty contest at C4 and this is quite the mental challenge for me. It's the first time I'm auditing an AMM-like protocol. The thought that constantly goes through my 🧠 is: "Man I should have read @RareSkills_io book on Uniswap" Now I gotta
4
3
34
@xb0g0
bogo
7 months
Today marks exactly 1 month since I've dived into the world of web3 security: - I spent 2 weeks in preparation - 2 contests at @code4rena - 1 medium submit - finishing @LooksRare contest at @sherlockdefi - posting on X every single day about my journey
2
1
31
@xb0g0
bogo
5 months
Really challenging thing for me when combining a full-time dev job with smart contracts auditing is the constant context switching Just as in programming, a context switch is a 💰costly operation and even though I'm a web3 developer, switching is still quite hard Here is what I
Tweet media one
3
1
32
@xb0g0
bogo
2 months
If you're a web3 dev, there is no way you haven't used or at least heard about the safeTransfer method However the word safe can create a false sense of security for your protocol if you don't understand well how it works. In this post I'll explain the behavior and security
2
4
32
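Added example, not the post the tweet refers to: what a `safeTransfer`-style helper actually checks, next to a case it does not cover. The `SafeTransfer` library here mirrors the success/return-value check that OpenZeppelin's SafeERC20 performs but is written out inline so the example has no version dependency; `FeeToken`, the vault and the 10% fee are constructed for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";
import {IERC20} from "forge-std/interfaces/IERC20.sol";

// What "safe" means: the call must not revert AND must return either nothing
// (USDT-style tokens that do not return bool) or `true`. A plain
// `token.transferFrom(...)` would revert on no-return tokens and silently accept
// a `false` from tokens that signal failure that way.
library SafeTransfer {
    function safeTransferFrom(IERC20 token, address from, address to, uint256 amount) internal {
        (bool ok, bytes memory ret) =
            address(token).call(abi.encodeCall(IERC20.transferFrom, (from, to, amount)));
        require(ok && (ret.length == 0 || abi.decode(ret, (bool))), "SafeTransfer: failed");
    }
}

// What "safe" does NOT mean: that `amount` tokens arrived. This fee-on-transfer
// token (constructed) burns 10% of every transfer and still returns true.
contract FeeToken {
    uint256 public constant FEE_BPS = 1000;
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;

    constructor(address to, uint256 supply) { balanceOf[to] = supply; }

    function approve(address spender, uint256 amount) external returns (bool) {
        allowance[msg.sender][spender] = amount;
        return true;
    }

    function transferFrom(address from, address to, uint256 amount) external returns (bool) {
        allowance[from][msg.sender] -= amount;
        balanceOf[from] -= amount;
        balanceOf[to] += amount - (amount * FEE_BPS) / 10_000;
        return true;
    }
}

contract Vault {
    using SafeTransfer for IERC20;
    IERC20 public immutable token;
    bool immutable measureReceived;
    mapping(address => uint256) public credited;

    constructor(IERC20 t, bool _measureReceived) { token = t; measureReceived = _measureReceived; }

    function deposit(uint256 amount) external {
        uint256 before = token.balanceOf(address(this));
        token.safeTransferFrom(msg.sender, address(this), amount);
        // Vulnerable: trust the argument. Hardened: trust only the balance delta.
        credited[msg.sender] += measureReceived ? token.balanceOf(address(this)) - before : amount;
    }
}

contract SafeTransferTest is Test {
    address user = makeAddr("user");

    function test_safeDoesNotMeanAmountArrived() public {
        FeeToken tok = new FeeToken(user, 1_000e18);
        Vault naive = new Vault(IERC20(address(tok)), false);
        Vault careful = new Vault(IERC20(address(tok)), true);

        vm.startPrank(user);
        tok.approve(address(naive), 100e18);
        naive.deposit(100e18);
        tok.approve(address(careful), 100e18);
        careful.deposit(100e18);
        vm.stopPrank();

        assertEq(naive.credited(user), 100e18);          // owes 100...
        assertEq(tok.balanceOf(address(naive)), 90e18);  // ...holds 90: insolvent by the fee
        assertEq(careful.credited(user), 90e18);         // credits what actually arrived
    }
}
```

The balance-delta pattern also covers rebasing and blacklisting tokens; the one thing it does not protect against is a token that re-enters the vault during the transfer, which is a separate reentrancy concern.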
@xb0g0
bogo
2 months
Been reading the sherlock report of the optimism bedrock contracts from a month ago🤯 Each finding redefines my concept of creativity Feels like some alien species were sent to planet Earth disguised as smart contract auditors on a mission to get this industry where it's
2
0
31
@xb0g0
bogo
5 months
Just finishing up on another shadow audit. This time I implemented everything learned from the previous one, from 15+ live audit videos & 10+ deep dives I felt way more confident, found more complex bugs and learned a LOT I'll be creating a thread soon, because it was worth it💪
2
0
31
@xb0g0
bogo
4 months
For everyone participating in the salty contest at code4rena. I'm sharing a Reddit thread where @danielcota (the guy behind it) gives some insights about the atomic arbitrage, its purpose and how it was integrated into the protocol. It helped me build more context & get a
5
5
31
@xb0g0
bogo
2 months
This time I'm sharing the 5th spot with a couple of other awesome auditors for the Jala Swap contest I went through the report carefully. My missed bugs were definitely something I could have found. I've analyzed my mistakes and deficits. It's only a matter of time to clear
Tweet media one
3
0
29
@xb0g0
bogo
6 months
You're an aspiring auditor trying to take yourself to the next level? Most of us think about auditing a past contest, but only a few actually do it, because no $ will be made directly and due to FOMO. I just finished such an audit and learned A LOT. I'm sharing my experience🧵
1
3
30
@xb0g0
bogo
1 month
Love @MarioPoneder judge comment on one of the findings for the Unistaker contest on C4 The submission was really interesting and very well argumented, but was still downgraded to QA. This is what I would define as handling things in an ethical manner
Tweet media one
5
1
30
@xb0g0
bogo
2 months
My last five audits were all on protocols that were larger (3.5K+ lines of code) I felt a bit tired and decided to try a couple of smaller ones (below 1K sloc), thinking that: 👉 it would be easier 👉 it would take less time - allowing me to participate in more contests within a
2
5
28
@xb0g0
bogo
5 months
‼️My last contest taught me something very important ALWAYS consider the code is FULL of bugs! I found 2 evident bugs in an already audited (twice) protocol leading to high risk vulnerabilities & it was nothing complex, just parts overlooked by the devs (& auditors apparently).
1
1
27
@xb0g0
bogo
5 months
It's my first time participating in a really long contest. And it helped me reach a critical mindset shift It allowed me to spend considerably more time analyzing and going deep into the protocol. Iterating n number of times over each smart contract again & again. In the
5
1
27
@xb0g0
bogo
2 months
Last time I visited my @sherlockdefi profile I was at 15%, now I'm down to almost 10%. Getting close to the 1% club. Wait for me guys! 🫡
Tweet media one
0
0
26
@xb0g0
bogo
4 months
What's the moral of the story? ✅ ALWAYS DOUBT EVERY ASSUMPTION made in the code you audit ✅KEEP ASKING QUESTIONS, until you find one that sparks your creativity ✅BE CRITICAL and take nothing for granted, research it
3
0
25
@xb0g0
bogo
4 months
If you're an auditor and this is not a BLAST for you, I dunno what is?
Tweet media one
2
2
25
@xb0g0
bogo
4 months
A new milestone🎯 🤩Reached the 500 followers mark Considering I was at ~350 3 days ago, it's also quite surprising to me Thanks to everyone for the support and trust As the motto in my bio states: 🛡️I'll keep on grinding DAY & NIGHT, trying to make web3 space RIGHT
4
0
25
@xb0g0
bogo
2 months
Another small surprise during the weekend, after making it to the leaderboard of a contest. I ranked 12th at the last Secureum RACE. Considering I was 40+ 2 months ago, it's definitely showing some progress Let's keep that consistency going💪
Tweet media one
1
1
24
@xb0g0
bogo
3 months
Shadow Auditing was the thing that gave me the biggest boost and confidence in competitions. It's the thing that enabled me to make 3-$$$ 💸 in my 2nd contest. I get asked a LOT about how I approach shadow auditing. I'm giving you the step by step approach I used and got me
3
6
24
@xb0g0
bogo
5 months
Being on-boarded to an existing Solidity project or auditing one presents a similar problem - understand how it works The key to the process is to decipher the small parts in order to draw the whole picture I recently found `chisel` which supercharged my ability to build context🧵
1
1
24
@xb0g0
bogo
4 months
A short summary of the exploit: 📌 It's a p2p lending protocol, that has the functionality to sanction lenders/borrowers 📌 When sanctioned an escrow vault is deployed for that account to hold its funds. If sanction is lifted funds get returned to the account 📌
Tweet media one
2
0
23
@xb0g0
bogo
7 months
For those participating in the @ethena_labs contest at @code4rena - this is a very on-point article explaining the EIP4626 standard and how common vectors related to it work
0
5
22
@xb0g0
bogo
6 months
Dedicating this day entirely to @DevDacian blog. Looks like a good place to learn practical stuff about web3 auditing
0
2
22
@xb0g0
bogo
4 months
Just started wrapping up on my last contest for this month! This one really took a toll on me. I struggled a lot, slept little, but also pushed myself to the max! Now that I’m going through all my @audit bookmarks and compiling them to findings it turns out there are LOTs
2
0
22
@xb0g0
bogo
4 months
5 contests in C4, 3 of them are invitational ! Could this be the start of the new normal for future contests? Curious to see how things will unwind in the coming months, but I guess the ever increasing number of submissions could be responsible for this
Tweet media one
4
0
20
@xb0g0
bogo
3 months
I've started submitting my findings to Blast. A curious thing I've noticed in the UI is that there is a counter showing you the number of submissions. According to my calculations from the last 2 days there are roughly 20 submissions every 2 hours. Interested to see how high
3
0
21
@xb0g0
bogo
2 months
If you need inspiration, then this has to be your wake up call. If you want some bonus motivation, read through the comments. Probably the best motivational post I’ve stumbled upon in a while.
@0xvangrim_
0xvangrim
2 months
9 months ago, I decided to turn a new chapter in my life and learn all I could about web3 security. I started by crunching the basics in the @RealJohnnyTime SCH course. 9 months later I am booked with private audits until May...
12
7
136
1
0
21
@xb0g0
bogo
1 month
At least I tried😅
Tweet media one
7
0
20
@xb0g0
bogo
6 months
Wow! 100+ new followers from a single thread in a day. That was my follower count for the previous 1.5 months and 200+ posts. This really motivates me to keep learning and share the useful things I find with everyone. Thank you guys! It means a LOT🙏
@xb0g0
bogo
6 months
If you write smart contracts (like me) or try to break them as an auditor (like me), you probably heard about fuzz/invariant testing After 3 full days of research I finally managed to grasp the practical implications and benefits of it I've created a map so you can do it in 1🧵
7
38
284
1
0
20
@xb0g0
bogo
2 months
I'm auditing a protocol, that does not have proper tests. Setting up tests from scratch to construct a POC is a real pain in the *** and too much time wasted🤯 I decided to skip the POCs this time And I must admit it feels awesome. I should do this more often😊 So much time
4
0
20
@xb0g0
bogo
3 months
Building up motivation before my next audit🤩 🏎Goals keep the engine going🏎
Tweet media one
2
0
19
@xb0g0
bogo
4 months
If you think FE dev skills can't give you an edge when auditing smart contracts, you should take a look at this finding 👇 Different backgrounds impact creativity in a different way! Use that to your advantage🚀 💸 Judging by the leaderboard, this
0
2
19
@xb0g0
bogo
4 months
Yesterday I joined another contest with a fellow auditor and friend @ilchovski98 , which marks the second time I'll be competing in a team. The idea is to build upon my last such audit and gain as much new knowledge as possible I'm constantly switching audit approaches so that
3
0
19
@xb0g0
bogo
6 months
The verdict after my 3rd contest -> I lack efficiency BIG TIME Priority #1 💣 - Increase efficiency -> use x2 less brain power on auditing per unit of effort - Avoid frustration How? - Follow @0xOwenThurm genius advice - cut the feedback loop TIGHT How I'll do it exactly? 🧵
5
5
18
@xb0g0
bogo
6 months
The last report I examined taught me something VERY important. The way you “sell” your finding is the way you get “awarded” for it! Below I’m showcasing how an identical finding ranks both as High and Medium at the same time, the only difference being the explanation provided🧵
4
2
19
@xb0g0
bogo
7 months
I'm sharing the concepts I've learned in the recent @ethena_labs contest at @code4rena along with some good resources that helped me understand the protocol 🧵
1
5
18
@xb0g0
bogo
5 months
They say complexity is your ally in smart contract auditing. I would say you first have to conquer it before you can make it your ally Overcoming the mental obstacle of size is hard! I'm currently trying to audit a ~4K SLOC protocol and this is what it feels like:
Tweet media one
3
0
17
@xb0g0
bogo
3 months
I've been thinking, while auditing: Did they name the protocol BLAST, because it was supposed to blast your 🧠 🤔
2
0
17
@xb0g0
bogo
5 months
I'll be accomplishing an important goal I have set for this month: 🎯 participate in a contest in team The big names recommend this as the best way to upskill yourself as an web3 auditor Time to put this to the test & see if it holds true I will share my honest feedback👌
2
0
16
@xb0g0
bogo
5 months
Our team is currently implementing Uniswap into a suite of smart contract we're building for a client. It's an enriching experience to have both the dev and the auditor mindset: - makes you think about security when building - helps you understand developers when auditing
3
0
15
@xb0g0
bogo
6 months
3. Now that you know how this thing works, you need a couple of practical and well explained examples, that showcase when and how it can be used in real-life scenarios @DevDacian has the best article on that Read-time: ~1 hour
1
0
15
@xb0g0
bogo
6 months
A nice website, where you can calculate the gas costs for common trx types on popular EVM chains - token transfers, Uniswap, Curve, Compound, Lido, SushiSwap, etc. operations. It might be useful when trying to argue a gas related finding in an audit.
0
3
15
@xb0g0
bogo
1 month
@bytes032 Achievement unlocked ✅ Mr. Bytes032 reposted🔥 Means a lot, thank you bro🙏🙏
1
0
14
@xb0g0
bogo
4 months
I want to say THANK YOU🙏 for all the motivating and positive feedback to my latest thread 🤩It gives so much purpose to all those efforts & It's quite the confidence booster seeing that I actually provided value for others ⛽️This is the best fuel I could get for the long,
Tweet media one
@xb0g0
bogo
4 months
I analyzed the report of a contest I participated in on @code4rena. One specific finding by @milotruck taught me a LOT. It was so simple, yet only 3 out of 125 auditors found it. WHY? - They asked the right questions!! I'm doing a breakdown of the mental model that empowered
10
24
179
2
0
14
@xb0g0
bogo
3 months
At @sherlockdefi they know how to push your buttons
Tweet media one
0
0
14
@xb0g0
bogo
6 months
Got a dozen DMs from other newbies (like me) sharing they cannot commit to learning because things are going super fast and there is no time for that. Same here, but I’m very mindful of discipline and make it a priority. What's the point of going fast, when you’re going nowhere?
2
1
14
@xb0g0
bogo
6 months
2. After having built some context, you need a real deep dive that expands upon the basics and introduces you to the various tools this type of testing has to offer @eth_call wrote a brilliant article for that purpose Read-time: ~2 hours
1
0
12
@xb0g0
bogo
3 months
🗨️"Do NOT learn stuff you do NOT need AT THE MOMENT. Only learn them when you find a knowledge gap that needs to be filled" End of ALPHA!
1
1
13
@xb0g0
bogo
4 months
💬"Hmm, those guys are using .codehash to check if a contract was already deployed. Did they research the opcode? Why are they assuming it is always 0?" - See how developer assumptions are questioned from the very beginning 💬"Ok, lets research the EIP for this opcode and check
Tweet media one
Tweet media two
3
1
12
@xb0g0
bogo
4 months
Check the full finding (3 min read time). It's short & you don't need to know the codebase in order to understand it :
1
1
12
@xb0g0
bogo
4 months
๐Ÿ‘‰The first one outlines (while still going into enough detail) the crucial bugs that occur in AMM protocols. Each bug is based on a real exploit that has happened in the past Also there are references to examples and articles that explore the attacks deeper
2
1
12
@xb0g0
bogo
4 months
A comprehensive list of useful resources for different attack vectors in smart contracts
@ShieldifyAnon
Mr Anon
4 months
In one post - Bookmark % Repost 🫡 You must read these papers if you're auditing ________ 1. Lending Protocol - Lending and Borrowing: Link: - Liquidations: Link: - Rewards: Link: - Typical
10
86
258
0
0
11
@xb0g0
bogo
4 months
Success is a rare commodity and as such it costs dearly! Hope I'll eventually get what I'm paying for 🥲
2
0
11
@xb0g0
bogo
6 months
1. The first thing is to get an introduction and a more general explanation of the concept behind fuzz and its more advanced form invariant testing along with simple examples. @PatrickAlphaC article does exactly that Read-time: ~30 min
1
0
10
@xb0g0
bogo
4 months
👉 The second one actually expands upon the first 🤩This one is a real deep dive Providing charts, code snippets and relevant resources that explain the attack in a very detailed manner
1
0
9
@xb0g0
bogo
5 months
While recovering for a couple of days from my last audit before I get into the next one I intend to fill the gap with a @TheSecureum RACE. It'll be my first, so I'm curious about the experience and if I'll learn something. As always, I will share my honest opinion with you
0
0
9
@xb0g0
bogo
6 months
One of the goals for this month was to take a break for 2-3 days from web3 auditing. This is how I’m spending my time off, building back my energy before the next push. How are you spending your days off? Do you have any🧐
0
1
10
@xb0g0
bogo
5 months
It turns out wrapping up all the findings you have marked in the codebase you just audited is an endeavour on its own after having spent almost 2 weeks looking out for them. Next time I would definitely dedicate more time on that phase. I'm presuming the feeling of not
2
0
10
@xb0g0
bogo
6 months
The goals in my 2nd month will remain humble: - take a break for 3 days - I consider it an achievement in this space😁 - spend 70% of the time leveling up my game - participate in 1 contest, dedicate completely and try to find a valid medium I think that’s actually achievable
0
0
10
@xb0g0
bogo
2 months
Finding #1 Title Inability to withdraw funds for certain users due to protocol being paused 🐛The bug 1. Holders of CREDIT can call stake() to start earning yield on it 2. Holders call unstake() to get their CREDIT + yield. However unstake() internally calls mint() to add the
3
1
9
@xb0g0
bogo
2 months
@zachobront @0xOwenThurm summarises it in a single sentence. I quote: “You can absorb years of Web3 Security experience in weeks just by working alongside a security veteran” It’s a clear win for us! Another question is do you think you can also get out something from the experience?
1
0
9
@xb0g0
bogo
4 months
This is what I was thinking when going through the above code logic: 💬"Hmm, this contract uses .codehash to check if an escrow vault was already deployed for this account. Wait, what is .codehash?" Then I googled it and read the first definition I stumbled upon: - & I thought:
Tweet media one
1
0
9
@xb0g0
bogo
4 months
As you can see, there is nothing complex about the exploit, it's dead simple actually. Yet ONLY 2% found it. Let that sink in - 2% PERCENT! WHY? Because they asked the right questions and questioned everything, all the time!
1
0
8
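Added example, not the contest code the thread describes: the `.codehash` assumption the thread questions, as a Foundry test. `EscrowFactory` and `Escrow` are constructed for the example; the behaviour it relies on is EIP-1052, where EXTCODEHASH returns 0 for an account that does not exist but keccak256("") for an account that exists with empty code.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

contract Escrow {
    address public immutable owner;
    constructor(address _owner) { owner = _owner; }
}

// Factory that deploys one escrow per account at a predictable CREATE2 address
// and decides "already deployed?" from the predicted address's codehash.
contract EscrowFactory {
    bytes32 constant SALT_DOMAIN = keccak256("escrow");

    function predict(address account) public view returns (address) {
        bytes32 salt = keccak256(abi.encode(SALT_DOMAIN, account));
        bytes32 initHash = keccak256(abi.encodePacked(type(Escrow).creationCode, abi.encode(account)));
        return address(uint160(uint256(keccak256(abi.encodePacked(bytes1(0xff), address(this), salt, initHash)))));
    }

    // Vulnerable check: EXTCODEHASH is 0 only while the account does not exist at
    // all. Once anyone has sent it 1 wei it exists with empty code and reports
    // keccak256(""), so this says "deployed" for a contract that was never created.
    function isDeployedByCodehash(address account) public view returns (bool) {
        return predict(account).codehash != bytes32(0);
    }

    // Robust check: code length is 0 for both the non-existent and the empty account.
    function isDeployedByCodeLength(address account) public view returns (bool) {
        return predict(account).code.length != 0;
    }

    function deploy(address account) external returns (Escrow) {
        bytes32 salt = keccak256(abi.encode(SALT_DOMAIN, account));
        return new Escrow{salt: salt}(account);
    }
}

contract CodehashTest is Test {
    bytes32 constant EMPTY_CODE_HASH = keccak256(""); // 0xc5d2...a470
    EscrowFactory factory = new EscrowFactory();
    address alice = makeAddr("alice");

    function test_codehashOfUntouchedAddressIsZero() public {
        address predicted = factory.predict(alice);
        assertEq(predicted.codehash, bytes32(0));
        assertFalse(factory.isDeployedByCodehash(alice));
    }

    function test_oneWeiFlipsTheCodehashCheck() public {
        address predicted = factory.predict(alice);
        vm.deal(predicted, 1 wei);                          // anyone can do this before deployment
        assertEq(predicted.codehash, EMPTY_CODE_HASH);      // account exists now, still no code
        assertTrue(factory.isDeployedByCodehash(alice));    // wrong answer
        assertFalse(factory.isDeployedByCodeLength(alice)); // right answer

        Escrow e = factory.deploy(alice);                   // CREATE2 to a funded address still works
        assertEq(address(e), predicted);
        assertTrue(factory.isDeployedByCodeLength(alice));
    }
}
```

The general lesson the thread draws applies beyond this opcode: whenever code relies on a "default" value from the EVM (zero codehash, zero balance, empty returndata), ask who else can change that value before the contract's own logic does.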