Pyro | 0x3b

@0x3b33

Followers: 2,224
Following: 718
Media: 130
Statuses: 1,777

Smart contract auditor. Reach out at

Somewhere in polygon
Joined February 2023
@0x3b33
Pyro | 0x3b
3 months
Foundry has recently released a new tool, and it's a lifesaver 🚀🛠️ `forge clone <address>` This will download all the code and dependencies you need to run a live contract of your choice!
12
35
259
@0x3b33
Pyro | 0x3b
1 year
A great article about how compound works🤓
2
32
170
@0x3b33
Pyro | 0x3b
2 months
One great method that can improve your learning is a feedback form 📝. It helped me WIN my first @code4rena contest back in November 🏆 And it helped me get a chance to work with @GuardianAudits , auditing some of the biggest names in crypto 💼. This isn't a technique to do
10
21
167
@0x3b33
Pyro | 0x3b
26 days
I wish someone had told me this back when I was starting: ❗️ Good auditors work 5x, if not 10x, harder than you ❗️ You can be either good at Twitter or good at auditing ❗️ It takes more time than you expect ❗️ Learn as much as you can from each audit ❗️ Posting proof of
3
15
165
@0x3b33
Pyro | 0x3b
1 year
Here is a great article, not for auditing, but about focus and learning faster. "Give me six hours to chop down a tree and I will spend the first four sharpening the axe" - Lincoln
1
33
150
@0x3b33
Pyro | 0x3b
1 month
What I've learned from doing a million-dollar contest 🥳 The @cantinaxyz results for @Blast_L2 are out! 🥳 From doing the contest and analyzing the findings, I can help you make a lot of 💰 money 💰 by sharing the lessons I've learned. Feel free to use these tips for
16
6
149
@0x3b33
Pyro | 0x3b
7 months
Well what now?
14
3
136
@0x3b33
Pyro | 0x3b
9 months
Expected nothing, then hoped for 300$, got 3k🔥
17
1
132
@0x3b33
Pyro | 0x3b
6 months
How did I end my year? My 9 months of full-time web3 security earned me: - ~20k - ~25 H - ~20 M The stats are not amazing. I am in the lower half of the competitive space, however, progress is still progress, no matter how small😉.
13
1
124
@0x3b33
Pyro | 0x3b
1 year
Yesterday I talked with my grandpa, his eyes were full of disappointment. I don't have a job. I don't make money. I don't study at a college. I don't have a girlfriend. Yet I had nothing to say, he was right and I need to prove myself. Motivation is not always nice talks.
26
4
125
@0x3b33
Pyro | 0x3b
7 months
If it's hard for you, it's hard for everybody. Don't quit. The closer you get to the end, the less competition there is. This is advice that I learned in c4, that applies to everything.
3
15
112
@0x3b33
Pyro | 0x3b
1 year
I am currently reading🤓: Uniswap V3 Development Book If you need a deeper knowledge of V3, check it out:
7
24
110
@0x3b33
Pyro | 0x3b
6 months
Are you a beginner auditor 🕵️? If I could go back a year and give my younger self any tips, I would offer the following 🧵👇.
9
16
109
@0x3b33
Pyro | 0x3b
2 months
How to Reflect on Your Mistakes Even though I got 6th place 😕in the recent Teller contest in @sherlockdefi (which is quite good, considering I spent < 20 hours 😄) I still reviewed the full report and everything I missed. This review led me to find one critical thing about
8
1
102
@0x3b33
Pyro | 0x3b
5 months
Why did ToB find only 1 Low on Blast, when Spearbit found 6 Crit, 6 H, 11 M and 14 L? They were on the same commit 👀
16
9
95
@0x3b33
Pyro | 0x3b
1 year
My friend was here yesterday watching me audit for an hour and a half. His reaction was, "Man, I thought hackers are cool, you just sit here looking at the screen😕".
10
5
97
@0x3b33
Pyro | 0x3b
1 year
How Merkle trees work🧐? Seemingly complex, but they are quite easy to understand🕵️‍♂️! Below you can see a simple pattern resembling a tree. The "root" of this tree is 5xd3, and everything else is called a "leaf." Every leaf is computed with a keccak256 hash (here I use smaller
2
13
91
@0x3b33
Pyro | 0x3b
7 months
Imagine being in Web3 and not knowing who Alice and Bob are😆.
15
6
89
@0x3b33
Pyro | 0x3b
1 year
Best thing I found out that helped me get multiple mediums🕵️‍♂️: I have a notebook with "1 sentence exploit" where I just described the exploit shortly. Every audit I read it once or twice. Every time I find something I put it inside✏️. Don't trust your brain to remember
10
2
75
@0x3b33
Pyro | 0x3b
15 days
You know the basic ERC20 bugs, but do you know the rare ones too? ❗️ MKR name and symbol are in bytes - most developers call .name and assign it to a string. ❗️ Some ERC20s have 2 addresses (like TUSD) - be creative, this opens many doors. ❗️ C tokens (e.g., cUSDC, cUSDT) have
3
11
76
@0x3b33
Pyro | 0x3b
1 year
How Bridges Bridge: Part 1 - Lock and Mint Most likely you know that bridges transfer assets cross chain, but did you know how this happens🤔? Lock and mint bridges, as the name suggests, firstly lock the original asset in a "bank" contract on the first chain and mint the
1
15
72
@0x3b33
Pyro | 0x3b
1 year
Yesterday, I was out with my friends and some girls. As always, the girls asked me what I do for work. I told them, "I hack big internet banks, before there is money in them." The chicks didn't even know what crypto was. What should I have said? 😆
13
3
73
@0x3b33
Pyro | 0x3b
1 month
The hard easy bugs and how YOU can spot them Let me tell you, there are some "hard" bugs that YOU miss audit after audit that are actually really easy to find. Here are 2 easy-to-spot mathematical bugs 🤓 that were rare in my last @sherlockdefi contest. Why are they rare?
4
3
69
@0x3b33
Pyro | 0x3b
11 months
👀
10
5
65
@0x3b33
Pyro | 0x3b
1 year
What... This guy basically robbed the contest🕵️‍♂️!
6
2
65
@0x3b33
Pyro | 0x3b
13 days
Didn't know AI could roast...
2
6
65
@0x3b33
Pyro | 0x3b
1 year
If a smart contract can make approvals but is not able to remove them, this is a major vulnerability, even if the approved contracts are big, trusted ones. Look what happened to SushiSwap😱. Next time you audit, look at how the contract handles approvals👀
2
5
62
@0x3b33
Pyro | 0x3b
9 months
By far the best way to find vulnerabilities!
3
11
61
@0x3b33
Pyro | 0x3b
9 months
A really good way to break bridges🕵️‍♂️ is to look for inconsistencies between sides. This can be: 1⃣ One side can be paused while the other not. 2⃣ One side can accept only EOA TX while the other can do both contract and EOAs. 3⃣ One side has slippage protection and the other
3
6
62
@0x3b33
Pyro | 0x3b
8 months
This is one of the best articles I've ever read! It's not about auditing, but life advice.
1
7
62
@0x3b33
Pyro | 0x3b
5 months
Survivorship bias is what brings so many people into web3 and what makes them quit so fast. We only hear about the people that made it big (rightfully so), as no one knows or cares about the ones that worked hard but didn't make it. If you are thinking about quitting...
7
9
57
@0x3b33
Pyro | 0x3b
1 month
Improve your sleep, or lose to those who do For as long as I can remember, I’ve had sleeping problems, and I bet many of you struggle with them too. I’m writing this tweet to save you months, if not years, of suffering from the terrible mental state caused by lack of sleep.
2
5
60
@0x3b33
Pyro | 0x3b
1 year
I just realized, WETH is not a wrapper, but a bridge, between ETH and ERC20🤯...
4
2
57
@0x3b33
Pyro | 0x3b
8 months
Why learn rust when you haven't mastered solidity🤔?
9
3
54
@0x3b33
Pyro | 0x3b
11 months
With the money from Lybra, I bought myself this course: Really good investment!
5
9
59
@0x3b33
Pyro | 0x3b
1 year
Another vulnerability by the legend @IAm0x52 : Merkle tree leaves of 64 bytes cause a storage collision with the internal nodes😱. Merkle trees should only be used to store 32-byte leaves and no more. This is a sure high for you, well, if you find it next time😉
3
2
58
@0x3b33
Pyro | 0x3b
1 year
Careful with enums🕵️‍♂️! If an enum is not set, it will pick, as the default, the first value that is declared in it😱. This is a potential vulnerability, since if we try to use it on a variable that is not set, it will pick "ACTIVE," although the variable does not exist.
3
15
55
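An added illustration of the enum default described in the tweet above (example code, not from the tweet or its image; contract and function names are hypothetical): the zero-valued first member is what every never-written storage slot reads as, so a lookup for an id that was never created passes an `== ACTIVE` check. The second contract reserves the first member for "never set" so the two cases can be told apart.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical vulnerable layout: ACTIVE is member 0, so an uninitialised
// Position (all-zero storage) already reports status == ACTIVE.
contract EnumDefaultUnsafe {
    enum Status { ACTIVE, PAUSED, CLOSED }

    struct Position { address owner; uint256 amount; Status status; }

    mapping(uint256 => Position) public positions;

    // Intended to allow only positions that were opened, but an id that was
    // never created also passes, because positions[id].status is Status(0).
    function requireActive(uint256 id) external view {
        require(positions[id].status == Status.ACTIVE, "not active");
    }
}

// Hardened layout: member 0 is NONE, so a slot that was never written is
// distinguishable from a real state and can be rejected explicitly.
contract EnumDefaultSafe {
    enum Status { NONE, ACTIVE, PAUSED, CLOSED }

    struct Position { address owner; uint256 amount; Status status; }

    mapping(uint256 => Position) public positions;
    uint256 public nextId = 1;

    function open(uint256 amount) external returns (uint256 id) {
        id = nextId++;
        positions[id] = Position(msg.sender, amount, Status.ACTIVE);
    }

    function requireActive(uint256 id) external view {
        require(positions[id].status != Status.NONE, "unknown position");
        require(positions[id].status == Status.ACTIVE, "not active");
    }
}
```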
@0x3b33
Pyro | 0x3b
1 year
If the protocol you are auditing🕵️‍♂️ is interacting with AAVE V3, then check this: One critical vulnerability detail that most projects miss😱 is related to different types of collateral and borrowing assets. Easy HIGH is especially when these types of assets are mixed together.
1
7
57
@0x3b33
Pyro | 0x3b
1 year
Sandwiching oracle updates🕵️‍♂️ Hard to prevent, and you can report it on almost every contest that uses Chainlink. Below you can see how that's done😉!
5
17
55
@0x3b33
Pyro | 0x3b
3 months
Who is this msg.sender, and why does he keep calling my functions?
5
2
53
@0x3b33
Pyro | 0x3b
1 month
How Bridges Bridge 🚧🤔💭? Most likely you know that bridges transfer assets cross-chain, but do you know how this happens? 🤔💭 Bridges generally 🔒 lock the original asset in a "bank" 🏦 contract on the first chain and mint the asset (more precisely, a copy of it) on the
4
3
50
@0x3b33
Pyro | 0x3b
7 months
My boy Bob re-entered Alice. Bro, I thought this could only be done to smart contracts???
16
4
51
@0x3b33
Pyro | 0x3b
1 year
UNIv4 is coming, and you still don't know what UNIv3 ticks are🤔? Here's a great article about them🤓!
2
14
52
@0x3b33
Pyro | 0x3b
6 months
Are you interested in optimizing your brain to its fullest potential 🧠? Well, then you will want to check this 🧵.
3
8
49
@0x3b33
Pyro | 0x3b
8 months
What to check for when working with ERC20s🕵️? 1. Fee on transfer / rebase 2. Callbacks 3. Returning false 4. Revert on address(0) / amount of 0 5. No return values 6. Black lists 7. Subsequent non-zero approvals 8. Multiple addresses 9. Upgradeable 10. Flash mintable 11.
0
9
49
@0x3b33
Pyro | 0x3b
29 days
How an underflow lost Velocore 6.8 million This technical explanation is simplified and short, so even non-technical people can understand it. 📌 The System During withdrawals, Velocore charges a fee. Withdrawals are marked as ":" and deposits as "?". Notice how for
0
3
51
@0x3b33
Pyro | 0x3b
3 months
To those who hunt on @immunefi : > What are some important lessons that you've learned? > Any tips and tricks? > Anything you want to share with people who want to start? Let's make this tweet useful so everyone else who wants to start can learn the lessons without the pain.
3
1
47
@0x3b33
Pyro | 0x3b
7 months
The new @code4rena UI looks amazing!
3
1
44
@0x3b33
Pyro | 0x3b
5 months
Almost done 👀👀👀
6
2
46
@0x3b33
Pyro | 0x3b
3 months
> find a bug > start PoC > 30 min in, almost done, but it's reverting > spend 3h trying to debug it > no success > take a 10 min break > come back refreshed > realize that for your user to withdraw, you need to put `vm.prank(user)`, or else the test contract will withdraw🤦
4
0
45
@0x3b33
Pyro | 0x3b
12 days
Did you know that Etherscan can easily decode transactions?
6
3
44
@0x3b33
Pyro | 0x3b
2 months
When you work with @GuardianAudits , you slowly realize that Owen's videos, although sounding simple, are what is needed to become an excellent auditor. It's that simple, just stick to the basics and you will be in the top 10%.
2
1
45
@0x3b33
Pyro | 0x3b
10 days
What is happening?
6
2
43
@0x3b33
Pyro | 0x3b
9 months
Everyone is hyping solo findings, and they are good when competing on open platforms, however nobody is giving credit to the guys who find 80% of the bugs. They will be great as solo auditors or working in firms, as it's better to find 8/10 than 2/10 with one solo.
5
3
41
@0x3b33
Pyro | 0x3b
2 months
Who are better hackers? > The guys with unreadable names or > The ones with anime pics
13
2
43
@0x3b33
Pyro | 0x3b
5 months
Big thanks to @MartinMarchev , without him the team wouldn't have been in 6th place.
8
0
41
@0x3b33
Pyro | 0x3b
1 year
Did you know that ETH Chainlink feeds have 18 decimals (stETH/ETH, AAVE/ETH...) while USD feeds have 8 decimals (ETH/USD, DAI/USD...)? Might be useful in an audit🕵️‍♂️!
1
4
42
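An added example for the decimals point in the tweet above (not from the tweet; the consumer contract, `maxStale` parameter and `price18` function are hypothetical, while the interface functions are the real Chainlink AggregatorV3Interface signatures): instead of hard-coding 1e8 or 1e18, the reader asks the feed for its `decimals()` and normalises every answer to 18 decimals, so an ETH-quoted and a USD-quoted feed cannot be mixed at different scales.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Subset of Chainlink's AggregatorV3Interface (real signatures).
interface AggregatorV3Interface {
    function decimals() external view returns (uint8);
    function latestRoundData()
        external
        view
        returns (
            uint80 roundId,
            int256 answer,
            uint256 startedAt,
            uint256 updatedAt,
            uint80 answeredInRound
        );
}

// Hypothetical consumer that scales any feed to a common 18-decimal base.
contract FeedReader {
    uint256 internal constant TARGET_DECIMALS = 18;
    // Assumed parameter: maximum age of a round before it is treated as stale.
    uint256 public immutable maxStale;

    constructor(uint256 _maxStale) {
        maxStale = _maxStale;
    }

    // Returns the latest price with 18 decimals regardless of the feed's own
    // precision (8 for ETH/USD-style feeds, 18 for stETH/ETH-style feeds).
    function price18(AggregatorV3Interface feed) public view returns (uint256) {
        (, int256 answer, , uint256 updatedAt, ) = feed.latestRoundData();
        require(answer > 0, "invalid answer");
        require(block.timestamp - updatedAt <= maxStale, "stale round");

        uint8 d = feed.decimals();
        uint256 p = uint256(answer);
        if (d < TARGET_DECIMALS) {
            return p * 10 ** (TARGET_DECIMALS - d); // e.g. 1e8-scaled USD feeds
        }
        if (d > TARGET_DECIMALS) {
            return p / 10 ** (d - TARGET_DECIMALS);
        }
        return p; // already 18 decimals, e.g. ETH-quoted feeds
    }
}
```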
@0x3b33
Pyro | 0x3b
24 days
Here's a really common 🐛 bug🐛 in projects that integrate with AAVE V3: Mixing collateral and borrowing assets together, even if these assets are from siloed borrowing or in isolation mode.
1
2
42
@0x3b33
Pyro | 0x3b
4 months
If you're doing only contests and can't find other work, whether solo or in a team for audits, there are two possibilities: 1. You are a hidden gem. 2. You need to improve. In either case, you should participate in more competitions and connect with people who can help you grow
2
1
40
@0x3b33
Pyro | 0x3b
1 year
If you need an explanation for the 11k😈
7
0
37
@0x3b33
Pyro | 0x3b
2 months
6 months in and already winning 2 contests in a row 🤯
@xb0g0
bogo
2 months
2nd 🏆WIN🏆 in a ROW If an oracle (a real one 😅) had shown me this in his 🔮, it's up for debate whether I would have believed it. But then, there are facts👀 Stats: 🧨solo and the only HIGH 🧨4 Mediums - 2 selected for report 🧨Found 4 of the 5 newly introduced vulnerabilities
26
9
168
0
0
39
@0x3b33
Pyro | 0x3b
6 months
A lot of people share resources for learning on Twitter, but have they actually used them 🤔? Or did they simply find them and decide to tweet about it 🧐?
7
1
37
@0x3b33
Pyro | 0x3b
6 months
Searching for bugs: > feels like 2 hours > is 20 min Debugging POC in foundry: > feels like 20 min > is 2 hours
1
0
35
@0x3b33
Pyro | 0x3b
1 year
OZ Bug That You Probably Don't Know About 😱 GovernorVotesQuorumFraction, a name so long you cannot read, is the governor contract for the voting scheme standardized by OZ. The bug lies in the fact that if the percentage of needed votes is lowered (e.g., from 50% to 40%), old
2
5
38
@0x3b33
Pyro | 0x3b
1 year
Did you know that UNI V3 has a feature that enables you to trade without paying a fee?🧐 You can even earn some yourself! It's not the most convenient way, but due to the new system that UNI V3 uses, which resembles limit orders, you're able to place a trade just below the
1
3
36
@0x3b33
Pyro | 0x3b
1 year
How can you spot🕵️‍♂️ an infinite loop in smart contracts? Below is a short piece of code that you can look into. Try to discover the vulnerability on your own. The headline should give you enough knowledge to make it easier. Did you find it? If not, the solution is here.👇
5
5
36
@0x3b33
Pyro | 0x3b
19 days
Here's how to break deposit/borrow limits PLAN 📝 1 Look at where the limit is implemented and what values it restricts. 2 Understand how it restricts them: - Fixed max limit on deposits (e.g., 200k max deposits) 💰🚫 - Fixed max percentage of borrows on deposited
0
2
36
@0x3b33
Pyro | 0x3b
1 year
Sleep and how to be better at it! Everything in this life is a skill, even sleep! So here are some good concepts that can improve your sleep. (1) Go to bed and wake up at the same time every day. It takes 3-7 days for your body to adjust when you change the schedule. So go to
1
4
36
@0x3b33
Pyro | 0x3b
5 months
My life feels like > Wake up > Do the @Blast_L2 audit > Go to sleep
4
0
34
@0x3b33
Pyro | 0x3b
1 year
Audits hit hard, especially if you found something. When you are looking for 2-3 days and it finally hits you with that high, the feeling is amazing.
3
0
34
@0x3b33
Pyro | 0x3b
10 months
Why is 50% of web3 security from Bulgaria🕵️‍♂️?
8
0
35
@0x3b33
Pyro | 0x3b
5 months
Getting good actually takes more time than I originally thought...
6
1
36
@0x3b33
Pyro | 0x3b
6 months
How to make sure you never succeed🤔? 1⃣ You are not good. > don't review any of your work > don't learn anything new > don't practice > don't take feedback 2⃣ No one knows you. > don't post on twitter > don't connect with other members > don't show your work > be rude
1
1
35
@0x3b33
Pyro | 0x3b
7 months
Only auditing won't make you better. It's like going to work in your car every day won't make you an F1 racer. What you need is to focus on deliberate skill improvement. Solve puzzles, review your past audits, talk to other auditors and try to see their viewpoints.
2
1
35
@0x3b33
Pyro | 0x3b
6 months
Many people recommend the ZK book by @RareSkills_io , but has anyone actually read it? 🤔 I just finished it, and it helped me gain a basic understanding of how ZK works. Would recommend it. However, note that it took me about a month while spending 1-2 hours a day on it.
6
0
33
@0x3b33
Pyro | 0x3b
4 months
Man..., that code hits hard ):
3
2
34
@0x3b33
Pyro | 0x3b
6 months
Poor People's Mindset 🤦... Yesterday, my friend was surprised to find out that I don't wake up at 11 AM, but at 6, and that I work more than just 3-4 hours a day. They mentioned that, without a boss to dictate my schedule, if they were in my shoes, they would wake up at noon,
4
1
34
@0x3b33
Pyro | 0x3b
1 year
Auditors, what do you do to improve focus? I personally feel more focused after a hard gym session and a hard pre-workout, although more often I take it post-workout 😅
24
3
34
@0x3b33
Pyro | 0x3b
1 year
My second prize from @code4rena , really happy about it.
6
0
34
@0x3b33
Pyro | 0x3b
6 months
Hey, I just published an article ( actually 3 😅). If you have some free time, feel free to give them a read, and make sure not to binge-read them 😉.
3
3
34
@0x3b33
Pyro | 0x3b
3 months
If a protocol gets hacked, is the hacker the bad guy? > No 99% of the time, if a protocol gets hacked, it's their fault, as they made inadequate choices regarding development and security. Is the hacker the one stealing - yes Does this make him "bad" - yes However, placing
10
5
34
@0x3b33
Pyro | 0x3b
10 months
Recently, I've been tracking my time and I've found out that I am not as productive as I thought I was. I take too many breaks and have too little focused time. No matter how good an auditor you are, if you spend more time on non-work-related activities, you won't accomplish
12
2
32
@0x3b33
Pyro | 0x3b
1 year
I have completed my first paid course, thanks to @RealJohnnyTime and his amazing efforts in making this masterpiece! Waiting for part 2!
3
2
34
@0x3b33
Pyro | 0x3b
1 month
Do you ever feel like you don't want to work right now🤔? Recently I had the all too common feeling of "I don't wanna work now🥺". Most of you probably have experienced it already. It's like an invincible wall preventing you from doing the work🚧. You sit and try to work, but
3
3
33
@0x3b33
Pyro | 0x3b
1 year
Why I stopped tracking time, and never will again. When I first started auditing I liked the idea of tracking time (I used toggle), so for about 3-4 months I tracked, measured, compared and improved on it. I got an average of 40-45 productive hours a week! But I found something
4
1
33
@0x3b33
Pyro | 0x3b
3 months
Have you experienced burnout before 🤔? I know a way to control it that will get you working the same day👇 Sit or lie on your bed, look at the ceiling, and let your mind wander for 2-4 hours. Make sure you don't fall asleep, or else you would be taking a nap and not thinking.
9
1
33
@0x3b33
Pyro | 0x3b
3 months
Do flash loan attacks exist? Because to me, it seems like there is a bug, and the attacker uses the flash loan just to extend his leverage. Correct me if I'm wrong.
16
1
33
@0x3b33
Pyro | 0x3b
9 months
2 years ago people told me to hold crypto, from there on I've been holding something called USDC. Its value has not increased since then. Crypto is a scam!
7
0
30
@0x3b33
Pyro | 0x3b
1 year
Front-running liquidations with the help of @cvetanovv0 🕵️‍♂️ PS. I have expanded a little bit on the concept😉. Do you see anything strange with the code below? If not, let me show you👇! If the provided amount (that you want to repay) is greater than the actual balance of the
0
4
31
@0x3b33
Pyro | 0x3b
9 months
Passion always beats pay! When you've worked all month with passion and receive no payment, you don't care. However, when working solely for pay and you don't get paid, doubts start creeping in, and you begin to question yourself. Was this the right move? Is this really
4
3
30
@0x3b33
Pyro | 0x3b
7 months
Bug bounties on @code4rena 🤯. What next, contest on @immunefi 😆?
4
0
32
@0x3b33
Pyro | 0x3b
1 month
How to Make Your Own Roadmap 🗺️ This tweet is for new security researchers, so if you are one, 🚨 make sure you read it all 🚨 Back when I was starting, there were very few resources to help me get up to speed 🐢 . Now we have the opposite problem - there are too many
4
4
32
@0x3b33
Pyro | 0x3b
3 months
If you don't sacrifice for your goals, your goals become the sacrifice.
4
1
30
@0x3b33
Pyro | 0x3b
5 months
Do you want to learn anything faster and better 🧠? Then you might wanna take a look 🧵👇.
4
3
30
@0x3b33
Pyro | 0x3b
9 months
Nothing major is bothering you, however you still feel unproductive🤔? Death by a thousand cuts This is why most people fail. Simple distractions can cause a massive drop in your productivity. This is when: - A family member enters your room to tell you something useless. -
1
2
31
@0x3b33
Pyro | 0x3b
7 months
I am amazed at how fast judging is done at @cantinaxyz . SuperForm is not over, and they have already judged some issues. With this strategy, they will be able to significantly reduce judging times.
2
2
31
@0x3b33
Pyro | 0x3b
3 months
Losers don't want to know how far behind they are, winners do.
0
0
30