EV_om

@0xEV_om

Followers
1,134
Following
380
Media
50
Statuses
502

Web3 Security Researcher | Warden & Validator @code4rena | #6 2024 leaderboard

Joined November 2021
Pinned Tweet
@0xEV_om
EV_om
3 months
A few weeks ago I shared , an IDE with integrated LLM prompting. What I haven't shared publicly yet is the biggest use case I have for it: report writing. Contests still suffer from large amounts of low-quality reports, most of which could have been
4
11
73
@0xEV_om
EV_om
7 months
Honestly not sure how I managed this but the results of the @autonolas contest are out and it's: - my 3rd @code4rena contest - first win - first 5-digit payout: ~$30k - first issues selected for report: all 5 valid submissions out of 10 total - first solo findings: 2 high, 1 med
Tweet media one
30
4
225
@0xEV_om
EV_om
2 months
Found some time to compete solo on @code4rena again and I managed to take home almost half the pot in the last @autonolas contest 🙌 I also: - made it to the top 50 in the C4 all-time leaderboard - had 9/13 findings selected for report - got Hunter and Gatherer bonuses plus best
Tweet media one
24
3
159
@0xEV_om
EV_om
7 months
2 more top 5s and ~$7k in payouts from @code4rena going into the weekend. I'm now ranked #5 on the 90-day leaderboard after some master chads in the game (screenshotting while it lasts). First of them is ECG which: - was my second contest after Shell Protocol - I didn't feel
Tweet media one
Tweet media two
Tweet media three
25
2
144
@0xEV_om
EV_om
7 months
Feels incredible to have secured another top 3 finish in a @code4rena contest, this time: - 3 high severity findings, 1 selected for report - 5 medium severity - $3.7k payout - really cool project and some amazing findings by other wardens, I encourage everyone to check out the
Tweet media one
14
7
122
@0xEV_om
EV_om
25 days
Nothing beats working with a great team. @3DOCsec and @Haxatron1 are some of the most talented SRs I know and I am extremely proud of what we accomplished in the Superchain audit. We managed to: - beat both Pro League teams, earning part of the Dark Horse bonus - get both
@code4rena
Code4rena
26 days
Not one but TWO Dark Horse competitors jumped to the top of the competition leaderboard with solo findings 🥇 RadiantLabs is the FIRST Dark Horse champion, taking first place (haxatron, @3DOCsec, and @0xEV_om). They found a unique medium-severity issue, in addition to 3 highs
Tweet media one
1
0
11
12
4
108
@0xEV_om
EV_om
7 months
Couldn't be more excited to share that I am now a lookout on @code4rena ! Look forward to digging through contest results and getting those sweet "high quality report" labels on YOUR findings 🔥
Tweet media one
13
1
92
@0xEV_om
EV_om
2 months
You guys don't realize how lucky we are. Meanwhile people in web2 are getting paid in trays of Red Bull for crits
Tweet media one
11
6
90
@0xEV_om
EV_om
1 month
Sad to see this. I worked on this audit with @PashovAuditGrp, but that branch was not there yet. Thinking "just this tiny feature doesn't need an audit" is one of the most dangerous and common mistakes we see protocols make. Same as Lifi did just a few days ago. Find a security
@shoucccc
Chaofan Shou
2 months
Spectra was hacked => $550K loss The root cause is an arbitrary call in their router contract, which allows the attacker to drain all tokens approved to that contract.
Tweet media one
5
23
148
4
4
70
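The quoted tweet names the root cause as an arbitrary call in a router that holds user token approvals. The following is an added example, written for this page and not Spectra's code or anything from the tweet: a hypothetical router with that pattern, an attacker contract that uses it to spend a victim's allowance, and a hardened variant. All contract and function names (VulnerableRouter, Drainer, HardenedRouter, execute, pull) are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC20 surface used below.
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
    function allowance(address owner, address spender) external view returns (uint256);
}

// VULNERABLE (hypothetical): the router executes whatever (target, data) the caller
// supplies. Users approve this router to spend their tokens, so the router's address
// holds every allowance, and anyone can make it call token.transferFrom(victim, ...).
contract VulnerableRouter {
    function execute(address target, bytes calldata data) external returns (bytes memory) {
        (bool ok, bytes memory ret) = target.call(data);
        require(ok, "call failed");
        return ret;
    }
}

// Attacker contract: one execute() call moves the victim's approved balance.
contract Drainer {
    function drain(VulnerableRouter router, IERC20 token, address victim) external {
        uint256 amount = token.allowance(victim, address(router));
        uint256 bal = token.balanceOf(victim);
        if (bal < amount) amount = bal;
        router.execute(
            address(token),
            abi.encodeWithSelector(IERC20.transferFrom.selector, victim, msg.sender, amount)
        );
    }
}

// HARDENED: targets must be allowlisted by the owner, user funds are only ever pulled
// from msg.sender, and transferFrom can never be reached through execute().
contract HardenedRouter {
    address public immutable owner;
    mapping(address => bool) public allowedTarget;

    constructor() {
        owner = msg.sender;
    }

    function setAllowedTarget(address target, bool allowed) external {
        require(msg.sender == owner, "not owner");
        allowedTarget[target] = allowed;
    }

    // The only path that spends an allowance: the payer is always the caller.
    function pull(IERC20 tokenIn, uint256 amount) external {
        require(tokenIn.transferFrom(msg.sender, address(this), amount), "transferFrom failed");
    }

    function execute(address target, bytes calldata data) external returns (bytes memory) {
        require(allowedTarget[target], "target not allowed");
        // Defence in depth: even an allowlisted target must not be driven to
        // transferFrom, the call that spends third-party allowances.
        require(data.length >= 4, "short calldata");
        require(bytes4(data[:4]) != IERC20.transferFrom.selector, "transferFrom forbidden");
        (bool ok, bytes memory ret) = target.call(data);
        require(ok, "call failed");
        return ret;
    }
}
```

The selector check is a backstop, not the fix: an allowlisted target that itself forwards arbitrary calls, or any other function that moves approved funds, would bypass it. The durable property is that no contract which makes caller-controlled external calls should ever be the spender in a user's approval, and the allowlist must never include the tokens users approve.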
@0xEV_om
EV_om
7 months
Now that the @code4rena report for the @CreditGuild contest is out, I've pushed my findings to my audit portfolio: I caught 7 medium severity issues, 2 of which were selected for report, and placed 5th. This was only my second contest and reading through
4
2
66
@0xEV_om
EV_om
3 months
Lessons learnt from this contest: - A large codebase is no reason to be intimidated. It's a tougher challenge, but also a massive opportunity for improvement. Dread will only slow you down - Never assume bugs will be hard to find. Assume you'll have to be creative and persistent
Tweet media one
10
1
56
@0xEV_om
EV_om
5 months
@0xKaden You don't become really good at Solidity to end up at Blackrock
2
1
54
@0xEV_om
EV_om
9 months
Super proud to share I came in third and secured a 4-figure payout in my first ever @code4rena contest! There were no H/M findings in this contest and I definitely got lucky to get $4k for a grade-A QA report, but damn, this is a huge motivation 😍
Tweet media one
7
0
54
@0xEV_om
EV_om
7 months
SRs 3 days ago: I'll just focus on Solidity, true mastery requires practice and repetition SRs now:
Tweet media one
8
1
50
@0xEV_om
EV_om
6 months
Would have loved to work as a team on this rather than compete against each other, but I can't say it would have led to the same results. Fascinating to see how different everyone's contribution was despite the smaller scope. The contest model does not disappoint 🎯
Tweet media one
6
0
48
@0xEV_om
EV_om
7 months
I've added contest results, payouts and the Olas report to my audit portfolio. I will try to keep it up-to-date with contest results and add my findings as the reports are published
Tweet media one
4
0
47
@0xEV_om
EV_om
3 months
Finally, the results are out. Literally everyone I've spoken to in the past month has heard me talk about this contest, and for good reasons. Renzo was my first competition in a team and by far the most fun I've ever had in an audit, which is not a coincidence. I'm incredibly
@code4rena
Code4rena
3 months
⚡️ The results of the Renzo competitive audit are in! Congratulations to Team LessDupes (@3DOCsec, @0xEV_om, & @sin1st3r__) for running away with nearly $24K of the prize pool! Shout out to @RenzoProtocol for their strong commitment to the highest security outcomes.
Tweet media one
6
6
65
6
1
44
@0xEV_om
EV_om
6 months
I don't think this is a realistic take. There are 1000s of people out there who would be insanely good at auditing and just need a platform to develop their skills and reach their full potential. C4 is exactly such a platform. Not to mention that the high supply in audit
@trust__90
Trust
6 months
@sockdrawermoney C4 brought to market untapped talent (cmich, watchpug etc) years ahead of team / solo audits and we're all thankful for that. Now I believe there's no more floating talent to tap so we moved from the challenge zone into the no-go zone, but only time will tell!
5
0
10
5
1
42
@0xEV_om
EV_om
1 month
10/10 would drain again
@SecureFi_io
SecureFi
1 month
🎉 Announcing the winners of the first-ever fully on-chain CTF by @immunefi! Congrats 🥇 @3DOCsec @0xEV_om And congratulations to all participants for showcasing exceptional skills and pushing the limits of blockchain security!🛡️ Hope to see you next time! #web3 #web3security
Tweet media one
1
2
54
3
1
40
@0xEV_om
EV_om
7 months
If you're thinking about joining a contest platform with lower standards because the competition will be easier or there will be more low-hanging fruit, consider the price you're paying. You will: - get used to reading low-quality code - get used to looking for and submitting
3
2
36
@0xEV_om
EV_om
5 months
Get all the context from any repo in your prompts with @cursor_ai. Cursor has been my main editor for a year+ and is by far the most seamless integration of LLMs into an IDE I have ever seen. If you're still copy-pasting into ChatGPT, you're missing out by a large factor
6
4
29
@0xEV_om
EV_om
9 months
Here's the QA report that netted me $5k in my first code4rena contest. Nothing crazy, just minor findings that I didn't feel were justified high/mediums. Most of the issues are 80-90% written by GPT-4 based on a clear description and persistent prompting. I'm also using
2
4
31
@0xEV_om
EV_om
6 months
In 1-2 months, someone will have a very cool finding to share that they submitted to the Cantina competition but was unfortunately ignored before launch
@DegenerateNews
DEGEN NEWS
6 months
BREAKING: @ethereum L2 @Blast_L2 STOPPED PRODUCING BLOCKS
Tweet media one
184
169
2K
2
1
29
@0xEV_om
EV_om
6 months
@bytes032 I cannot believe no one so far is advocating for Code4rena. C4 has imo: - the most refined process - most consistent judging and clarity in judging rules - best comms and community management - most contests If all you care about is finding bugs and making money then idk, you
1
0
26
@0xEV_om
EV_om
7 months
No number of previous audits guarantees the absence of bugs. You say now:
Tweet media one
1
0
25
@0xEV_om
EV_om
2 months
The "Obront method" is as relevant as ever. We used this approach at LessDupes to collaborate on Renzo and it is unreal how well-suited it is for collaborative audits. Some things to keep in mind: - keep categories flexible to keep track of leads and findings at the different
@zachobront
obront.eth
2 years
Since the @optimismFND contest rewards were announced, a bunch of people have asked me about the logistics of working with @trust__90 . How did we share information? How did we support each other? I've experimented with this a lot so figured it might be useful to share publicly.
20
43
247
0
0
25
@0xEV_om
EV_om
8 months
Realizing that the real reason to spend as much time as possible on each competition is not that you might find nothing otherwise. It's that you can easily find 10 highs and get paid 0 if enough other people submit the same ones. If the code you're auditing is not in great shape
2
3
24
@0xEV_om
EV_om
2 months
Tweet media one
@code4rena
Code4rena
2 months
🐎 ENTER THE DARK HORSE ERA OF C4 In the OP Superchain audit, EVERYONE is invited to compete against the 2v2 Pro League teams The DARK HORSE BONUS lets you maximize your winnings by matching or outperforming one or both teams How it breaks down 👇
Tweet media one
12
5
80
0
0
24
@0xEV_om
EV_om
7 months
Retweeting this for awareness since he keeps getting followers. @xb0g0 @__rmi__ @Sm4rty_ pls don't get drained
@devnishant10
Nishant Jain 🐧
7 months
1/ It all started when a verified Twitter account named @crankibugatti from @SOLARIS_MV 👆, having 900+ followers, reached out to me. The feed was full of posts with media and tweet, adding an air of legitimacy. 🌐
Tweet media one
3
0
2
6
6
21
@0xEV_om
EV_om
6 months
TL;DR: It was not. 1) This is like saying C was the cause of all bugs ever found in MS Windows in code that was written in C. The root cause is usually more complex than simply pointing at the tool used. 2) In this case, the root cause really had nothing to do with assembly or
@moo9000
Mikko Ohtamaa
6 months
Regarding the ParaSwap hack today: TL;DR: Part of the root cause is Solidity "gas golfing". ParaSwap v6 contracts are heavily gas optimised, written in assembly. Gas golfing is dangerous. For security, it's important for the smart contracts source code to "be easy to reason
Tweet media one
23
25
191
3
0
21
@0xEV_om
EV_om
8 months
Half of C4 leaderboard moving on to bounties. The other half too busy w/ private audits. 5 platforms now doing contests. Contests in Rust, Cairo, Vyper, Go which almost nobody has ever audited. You think competition for audit contests is getting too cutthroat? Think again, anon
2
1
19
@0xEV_om
EV_om
7 months
I was just talking to a seasoned security researcher on behalf of a client who is ready to launch and wants to have their smart contracts audited for bugs. He said they could book a security review with Spearbit to get connected to some of the most reputable SRs in the industry,
1
3
19
@0xEV_om
EV_om
7 months
This is a superb article on sandwich attacks beyond the vanilla swap case
0
3
18
@0xEV_om
EV_om
6 months
Looking for an S-tier auditing firm? Pick any out of this list. Now think about the level of scrutiny this code's been under considering they've gone and booked an audit with ALL of them. This is insane.
@eulerfinance
Euler Labs🛢️🇬🇧
6 months
2/ For Euler v2 we're raising the standards in all aspects, including security. Euler v2 will be subjected to audits by @OpenZeppelin, @CertoraInc, @SpearbitDAO, @zellic_io, @trailofbits, @osec_io, @Omniscia_sec, @yAuditDAO, @chain_security. But we're not stopping there.
3
0
35
1
2
16
@0xEV_om
EV_om
4 months
Tweet media one
2
0
17
@0xEV_om
EV_om
6 months
Cheeky one in the 3 days after Blast ended, 4/5 unique issues found and all selected for report. Shoutout to @rvierdiiev for the only solo finding 🏆
@code4rena
Code4rena
6 months
Awards have been announced for the $25,200 USDC @ThrusterFi Invitational! 🚀 Top 4: 🥇 rvierdiiev - $8,741.28 USDC 🥈 @0xEV_om - $5,210.10 USDC 🥉 oakcobalt - $3,867.92 USDC 🏅 0xDING99YA - $2,880.70 USDC
4
1
17
2
0
17
@0xEV_om
EV_om
2 months
I feel personally attacked
Tweet media one
@shunduquar
shung🌞🌈🌱
2 months
Tweet media one
3
3
72
3
0
17
@0xEV_om
EV_om
6 months
@PopPunkOnChain This is actually very smart, he minimized whitespaces so the code takes up less space on the blockchain
5
0
14
@0xEV_om
EV_om
6 months
Pleasure working together sir🫡
@PashovAuditGrp
Pashov Audit Group
6 months
New security audit report published, we audited partial scope of @spectra_finance (formerly APWine). Tough one, no Critical/High severity issues found by a 3-auditor team. Great team to work with, wish them 100% security🫡 Read report below👇
Tweet media one
1
12
63
2
0
16
@0xEV_om
EV_om
4 months
@jack__sanford @0xKaden That's some seriously inspirational handling of the situation and debunking of accusations. Great work
0
0
13
@0xEV_om
EV_om
3 months
@__alexxander_ Hey judge, I didn't leave comments on #123 , #527 and #372 . Please check all other findings.
0
0
12
@0xEV_om
EV_om
7 months
Note: for the sake of your sanity, please do NOT try to learn Rust in 2 weeks
4
0
12
@0xEV_om
EV_om
6 months
Tweet media one
1
0
12
@0xEV_om
EV_om
4 months
Escalations during weekends will continue until morale improves
4
0
11
@0xEV_om
EV_om
7 months
Found a bug in geth but only reported it to the L2s because I believe in a rollup-centric roadmap
0
0
10
@0xEV_om
EV_om
6 months
@1_00_proof @milotruck @bytes032 It can in exactly one edge case in unchecked mode
Tweet media one
2
1
10
@0xEV_om
EV_om
8 months
A week in a contestoor's life 📅 Here's how I spent my time this week, what I did and why I did it: 🎯 Goals for the week - Finish @code4rena 's ECG contest: ended up approaching this a bit differently, I was still stumbling on new issues in the days approaching the end of the
Tweet media one
1
0
10
@0xEV_om
EV_om
4 months
@shealtielanz The one who answers the questions
0
0
10
@0xEV_om
EV_om
3 months
This is the way
@zanderbyte
zanderbyte
3 months
I have a simple goal for the year: Multiple 1st places in audit contests. Since I started participating in audit competitions I’ve chosen to dedicate myself to one contest at a time. From start to finish. No matter what. No matter how tough the protocol is. No matter that there
Tweet media one
3
2
72
0
0
10
@0xEV_om
EV_om
5 months
@0xDjangoOnChain @gasbot_xyz This is like looking for your phone using your phone as a flashlight
1
0
9
@0xEV_om
EV_om
6 months
@deadrosesxyz @windhustler @tapioca_dao Gotta say your odds aren't looking great given @windhustler 's track record
2
0
9
@0xEV_om
EV_om
6 months
We have halted block production on two of our L2s due to L2-specific circumstances. We have no further comments at this time.
0
0
9
@0xEV_om
EV_om
9 months
Time for another weekly report! 🎯 Goals for the week: - Full focus on ECG: succeeded, but got quite sidetracked on Friday by the Footium results and escalation period, which I didn't account for. Also noticed that I was getting slower and had to deal with mental fatigue towards
0
0
8
@0xEV_om
EV_om
7 months
1
0
8
@0xEV_om
EV_om
7 months
@pashovkrum @cmichelio Don't blame the player blame the game
0
0
8
@0xEV_om
EV_om
2 months
@milotruck @windhustler Onboarding the next wave of security researchers
2
0
8
@0xEV_om
EV_om
7 months
@bytes032 @IAm0x52 @LoadingALIAS Buy stolen card details on the internet easy
2
0
8
@0xEV_om
EV_om
6 months
@windhustler Quick everybody do some LayerZero contests
1
0
7
@0xEV_om
EV_om
7 months
@giraffe0x In case anyone's wondering, this doesn't work the other way around. The EVM won't just pad calldata that is too short with 0s. The call will revert
1
0
7
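An added example illustrating the asymmetry in the reply above; it is written for this page and is not code from the thread. Extra trailing calldata is ignored by the callee, while calldata that is shorter than the function signature requires makes the call fail. One precision a practitioner will want: the CALLDATALOAD opcode itself does zero-pad reads past the end of calldata, and it is the ABI decoder that Solidity (0.5.0 and later) generates for every external function that checks calldatasize and reverts. Contract and function names (Target, CalldataLengthDemo, add, callWithExtraBytes, callWithTruncatedBytes) are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

contract Target {
    function add(uint256 a, uint256 b) external pure returns (uint256) {
        return a + b;
    }
}

contract CalldataLengthDemo {
    Target public target;

    constructor() {
        target = new Target();
    }

    // Well-formed: 4-byte selector + two 32-byte words = 68 bytes.
    function wellFormed() internal pure returns (bytes memory) {
        return abi.encodeWithSelector(Target.add.selector, uint256(1), uint256(2));
    }

    // Trailing garbage: 68 + 32 bytes. The decoder reads only what the
    // signature needs and ignores the rest, so the call succeeds.
    function callWithExtraBytes() external returns (bool ok, uint256 sum) {
        bytes memory data = abi.encodePacked(wellFormed(), bytes32(uint256(0xdeadbeef)));
        bytes memory ret;
        (ok, ret) = address(target).call(data);
        if (ok) sum = abi.decode(ret, (uint256)); // ok == true, sum == 3
    }

    // Truncated: selector + one word = 36 bytes. CALLDATALOAD alone would
    // zero-pad `b`, but the Solidity-generated decoder checks calldatasize
    // first and reverts with empty revert data, so ok == false.
    function callWithTruncatedBytes() external returns (bool ok, uint256 retLen) {
        bytes memory data = abi.encodeWithSelector(Target.add.selector, uint256(1));
        bytes memory ret;
        (ok, ret) = address(target).call(data);
        retLen = ret.length; // ok == false, retLen == 0
    }
}
```

The length check is a property of the Solidity decoder, not of the EVM: a callee whose entry point is hand-written assembly, or one compiled with a pre-0.5.0 compiler, may well accept the short input and read a zero for the missing argument, which is exactly the class of bug behind the old ERC20 "short address" issue.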
@0xEV_om
EV_om
5 months
@milotruck Should be invalid. I do not understand it. So it must be wrong
0
0
7
@0xEV_om
EV_om
3 months
- a thorough first pass which can take me multiple days, leaving comments on every finding, lead or part of the code that I don't understand - a second pass to chase down leads and fully grasp every part of the code, as much as time allows
2
0
9
@0xEV_om
EV_om
7 months
@rekxor @autonolas @code4rena half a year or so, did several months of learning + bounty hunting with 0 success before this
1
0
6
@0xEV_om
EV_om
22 days
@milotruck Regardless of the accuracy of these arguments and how much effort went into writing that report, it would be pretty insane for the 3 wardens who submitted that pattern-matched finding to get $200k each assuming the other M is downgraded
1
0
6
@0xEV_om
EV_om
5 months
@giraffe0x Shitcurity Researcher 💯
1
0
6
@0xEV_om
EV_om
7 months
What's that, folks? Take a break you say?
Tweet media one
@cantinaxyz
Cantina 🪐
7 months
Welcome @Curvance to the @cantinaxyz as we kick off the 2nd largest competition of the year! 💰 $375,000 USDC 🗓️ February 26th, 20:00 PM UTC (6 Weeks) 📍 (Competition Link Provided Below) Loading... Need an invite? Details Below 💾🪐
148
14K
14K
0
0
6
@0xEV_om
EV_om
1 month
@StErMi @X Oh my god, I thought I'd done something wrong. The only thing I've found that seemed to actually make a difference is limiting Twitter usage. My working theory was if you spend too much time on it, the algo starts breaking because it runs out of content you'll actually like
0
0
6
@0xEV_om
EV_om
6 months
Is there a better UI for ? Like a timeline view where you can easily see which bugs affect which compiler versions?
3
0
5
@0xEV_om
EV_om
2 months
@0xAuditism Agree, what's $15M for a crit in LayerZero when you can get a Red Bull Surprise
0
0
5
@0xEV_om
EV_om
2 months
@99Crits @fuel_network @immunefi Now change your username to 100Crits
1
0
5
@0xEV_om
EV_om
8 months
@milotruck @peak_bolt @windhustler I just encode the binary into Chinese characters for maximum density. You wouldn't believe how much quicker you can grasp code once you have 65,536 characters mapped to binary in your mind 泵它泵它寶貝我喜歡買代幣 <-- that is all of OZ's ERC20Permit jk, there's also this
0
1
5
@0xEV_om
EV_om
6 months
@divine_economy The ticker is $LGBTQ
1
1
5
@0xEV_om
EV_om
2 months
@blckhv Rendering the contract useless is... Low severity? I guess they think as long as it can be fixed with an upgrade, it's not worth any money?
1
0
5
@0xEV_om
EV_om
3 months
@GalloDaSballo Hear me out: judging collabs. Introduce lead judge and assisting judge, maybe for large contests. We get faster, more consistent judging and the judges get to share ideas and pass on experience which otherwise never happens
3
0
5
@0xEV_om
EV_om
6 months
@QiuhaoLi @hydra_dx @code4rena Huge congrats, both on the result and on the new job! Are you able to share details?
1
0
5
@0xEV_om
EV_om
7 months
@0xnirlin @bytes032 Nirlin looks sick everywhere
1
0
5
@0xEV_om
EV_om
8 months
> clone new contest repo > open first file > high on line 9
0
0
5
@0xEV_om
EV_om
4 months
@shunduquar Banger track and piece of Sherlock lore, lmao
0
0
5
@0xEV_om
EV_om
7 months
@0x3b338 @code4rena Learnt from the best 😉
0
0
4
@0xEV_om
EV_om
6 months
@trust__90
> For some reason that detail isn't mentioned in the Solidity docs.
There's this:
> Errors inside the expression are not caught (for example if it is a complex expression that also involves internal function calls), only a revert happening inside the external call itself.
I
1
0
3
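The documentation sentence quoted in the reply above is easy to misread, so here is an added example (written for this page, not from the thread or the Solidity docs) that shows the boundary: a revert raised inside the called function is caught, while a revert raised while evaluating the call's argument expression happens before the external call exists and takes the whole transaction down. Contract and function names (Oracle, TryCatchDemo, price, normalize, insideCall, inExpression, inExpressionGuarded) are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

contract Oracle {
    function price(uint256 id) external pure returns (uint256) {
        require(id != 0, "bad id"); // revert inside the external call
        return id * 100;
    }
}

contract TryCatchDemo {
    Oracle public oracle;

    constructor() {
        oracle = new Oracle();
    }

    // Internal helper used inside the argument expression; reverts for 0.
    function normalize(uint256 id) internal pure returns (uint256) {
        return 1000 / id; // division by zero is a Panic(0x12)
    }

    // Caught: the revert is raised by oracle.price itself.
    function insideCall() external view returns (bool caught, string memory reason) {
        try oracle.price(0) returns (uint256 v) {
            return (false, "");
        } catch Error(string memory r) {
            return (true, r); // (true, "bad id")
        }
    }

    // NOT caught: normalize(0) reverts while the argument is being evaluated,
    // before any CALL is made, so this function reverts as a whole and the
    // catch block never runs.
    function inExpression() external view returns (bool caught) {
        try oracle.price(normalize(0)) returns (uint256 v) {
            return false;
        } catch {
            return true; // never reached
        }
    }

    // Safe: evaluate the risky expression first, outside the try statement.
    function inExpressionGuarded(uint256 id) external view returns (bool ok, uint256 p) {
        if (id == 0) return (false, 0);
        uint256 n = normalize(id);
        try oracle.price(n) returns (uint256 v) {
            return (true, v);
        } catch {
            return (false, 0);
        }
    }
}
```

The same limitation applies on the way back: a failure to ABI-decode the return data happens in the caller after the external call has returned and is likewise not caught. When a try statement is meant to isolate an untrusted callee, keep the argument expression trivial (plain variables) and be prepared for the returns clause's decoding to fail.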
@0xEV_om
EV_om
7 months
@0xKaden The real reason it has never been hacked
0
0
4
@0xEV_om
EV_om
2 months
@J4X_98 @berndartmueller Came here to say this. Best I can do is Low
1
0
4
@0xEV_om
EV_om
26 days
@StErMi @elonmusk Anyone else's feed has become downright racist? No one's telling me Elon didn't increase hate speech on this platform now, it's literally force feeding it to me no matter what I do (even after reporting numerous posts for it)
1
0
4
@0xEV_om
EV_om
3 months
@ilchovski98 Hey I know that finding!
1
0
4
@0xEV_om
EV_om
7 months
@bytes032 Ideally nobody is getting exploited. Not many will relate with that step. Replace with "Don't feel confident about the safety of your smart contracts" or smth
0
0
4
@0xEV_om
EV_om
3 months
- select the model: I've found Claude 3 makes less reasoning errors and avoids much of the boilerplate that makes GPT-4 output tedious to read, but I've also made good experiences with GPT-4o. Experiment with changing the model if you're not quite happy with the output
1
0
5
@0xEV_om
EV_om
3 months
- getting a report you're happy with can take a few tries. You can add details to your inline comment, iterate on the first output and correct the LLM, tell it to provide a different POC, mitigation, use different arguments or language, etc. Make sure to hit Opt+↵ so the current
2
0
5
@0xEV_om
EV_om
7 months
@deadrosesxyz *casually becomes LSW*
1
0
4
@0xEV_om
EV_om
3 months
2) Here's where Cursor comes in. Its inbuilt prompting is the perfect tool to go from that last comment to a report: - select the comment and start a new chat with ⌘+L
1
0
4
@0xEV_om
EV_om
3 months
- copy-paste the template (see mine below) and add any additional context using @. You can add the README or links to any docs (which Cursor will fetch for you), other contracts or a test file with a coded POC. The current file will always be added to the prompt by default
1
0
4
@0xEV_om
EV_om
6 months
This isn't negligence; it's recklessness
@0xfave
Fave
10 months
@SenecaUSD @sherlockdefi They clearly hid most of the replies I won't be surprised if my tweet is hidden
Tweet media one
3
0
8
1
0
4