Way too many aspiring web3sec security researchers (smart contract auditor beginners) gave up at the beginning of 2023 & probably at the beginning of 2024 too..
If some were only in it for the money, fair enough, it's TOUGH.
But giving up should never be an option to ever consider if you're
👇
If you're a beginner/junior smart contract auditor/web3 security researcher:
I'm thinking of getting a small team of smart contract auditors together on slack or discord so that we can all experience imposter syndrome together.👀
More experienced auditors are welcome to join.🥷
Thanks @PatrickAlphaC for recommending it & @eth_call for the seemingly massive effort to set up & write this tutorial.
I totally spent my weekend working through this endless invariant mother fuzzing of a tutorial.👀💪
I'm a junior fuzz-master now.🐥⚔️
How to become a capable smart contract auditoor / web3 security researcher?
Here's a great "roadmap":
Ask @PatrickAlphaC, he's got the best answer.
However, @CyfrinAudits' top web3sec & solidity foundry based free courses would probably be the best start: @CyfrinUpdraft
👇
If you're a beginner/junior in the web3 security space, you should be improving your skillz 7 days of the week, this includes weekends...
And this applies to the next 6-12 months minimum...
No days off.
No excuses.
👊
Just under a year ago I was a total beginner and newbie to web3 security & smart contract auditing, didn't even know much solidity either...
Today, the 01/01/2024, I know it was one of the best decisions of my life.
The web3sec community is AWESOME, full of fantastic people.👇
@jordanbpeterson
Covidiot much?
Big fan of yours, but after your horrendous experience & battle with benzo withdrawal now you're going to take a vax with a high rate of extremely adverse side effects?
Do you have any idea how sensitive/susceptible benzos make your system?
Don't be foolish.
Any web3 security beginners or think-about-ers, sitting on the fence & uncertain as to if/when they should jump into actual smart contract audits...
Hear this:
I throw myself into the deep end before I feel ready to swim, every single time.
And each time it was worth it.
@david_r_morgan
@dr_cottrell
@RWMaloneMD
@Johnincarlisle
Is this possible at all? I would think it isn't. At best it's potential genetically modified meat that we will eat, but I highly doubt any of the covid jab shit would enter our bloodstreams via our digestive system? Am I right, or wrong?
Web3 Security ⚔️ Alpha:
Ethereum Smart Contract Auditor Roadmap.
(There's a clickable pdf version too, but I forgot the link.)
Thanks @razzor_tweet for this excellent roadmap.👊🥷
I know.. I need to learn Foundry & how to use it for smart contract testing & invariant testing..⚔️
If you're interested in learning too, I suggest you start here, but also check out Cyfrin's content/videos, probably via @PatrickAlphaC's YouTube vids.
Wow, absolutely fantastic!
My C4 team Audit_Avengers placed 26th in the @code4rena Ajna contest.
That's what can happen when junior level auditors collab as a team!
Well done guys!👊
Our focus is to maximize our learning experience while doing our best to hunt the bugz🥷
#DeFi Alpha: Flash Loans vs Flash Swaps.
Flash Loans:
Flash loans are uncollateralized, short-term loans that allow users to borrow assets within a single blockchain transaction. The borrowed assets must be repaid in full, along with any fees, by the end of the transaction;
If you're brand new to web3 security / smart contract auditing, and unsure, just ASK: ask me, ask my network, join my discord channel.
Be proactive. Just ask.
And then, once you have the answers, DO, every day.
Take action, every day.
Learn, but start hunting for bugs asap.
👊
In Dec 2022 I knew absolutely nothing about smart contract auditing or web3 security, just that I needed to check it out EVENTUALLY..
I knew a little solidity & planned to double-down in 2023 to become a capable solidity dev 🦾
Then, Feb 2023 I was ALL IN on web3sec⚔️
👊
For those new to web3 security / smart contract auditing, welcome frens. 🦾
However, don't be like the more than 50% who gave up after barely a month or two at the beginning of 2023...
Like over 200 joined my discord server back then and today maybe less than 10 are still here! 👀
👇
Worked straight through the night to learn how to create a PoC with foundry, to PoC test a function in a smart contract that uses ancient solidity, added some witch's🧙♀️brew to the mix to get the tests running smoothly & submitted the logic bug report.🥷
Learned a tonne.⚡️
👊
@robinmonotti2
@VictoryDay_Hope
Yes it is, but don't forget, the same people/cabal pushing for this coming global communist system, using the plandemic to usher it in fast, are also in total control of the UN, WEF, World Bank, etc etc.
What stops them from changing these laws that protect our rights?
1/7
Algorithmic Market Maker
vs
Automated Market Maker (AMM)
Both are types of market makers, but they utilize different mechanisms to provide liquidity and facilitate trading in the market.
🧵
This post is meant only for people new to web3 & who want to start learning solidity or smart contract auditing (web3 security) right now.
If that's you, then either reply to this post, or DM me. Probably better to DM me.
But make sure you follow me.👈
I will send you what you need.
@CharlesWangP
Function parameters `a` & `b` can cause underflow if `b > a`, and since 0.8.0 contains inbuilt overflow/underflow protection, the function will revert.
So, need to modify as follows:
`return int256(a) - int256(b);`
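The underflow and the cast-first fix from the reply above, as an added Foundry example (not code from the original post; the `Diff` contract, its function names and the assumption that the original returned `int256(a - b)` are mine). It also adds the range guard a reviewer would want: the uint256 to int256 conversion reinterprets bits and does not revert, so inputs at or above 2**255 would silently come out negative.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Assumes forge-std is installed (forge install foundry-rs/forge-std).
import "forge-std/Test.sol";

contract Diff {
    // Assumed original shape: uint256 subtraction happens first, so with
    // Solidity >= 0.8.0 it reverts with Panic(0x11) whenever b > a.
    function diffUnchecked(uint256 a, uint256 b) external pure returns (int256) {
        return int256(a - b);
    }

    // Fix from the reply: cast to int256 first, then subtract as signed.
    // Guard added here: int256(x) on a uint256 >= 2**255 does not revert,
    // it just reinterprets the bits as a negative number.
    function diffSigned(uint256 a, uint256 b) external pure returns (int256) {
        require(
            a <= uint256(type(int256).max) && b <= uint256(type(int256).max),
            "out of int256 range"
        );
        return int256(a) - int256(b);
    }
}

contract DiffTest is Test {
    Diff d = new Diff();

    // The checked uint256 subtraction reverts with the arithmetic panic.
    function testUncheckedRevertsWhenBGreaterThanA() public {
        vm.expectRevert(stdError.arithmeticError);
        d.diffUnchecked(1, 2);
    }

    // The signed version returns a negative result instead of reverting.
    function testSignedDifference() public {
        assertEq(d.diffSigned(1, 2), -1);
        assertEq(d.diffSigned(5, 2), 3);
    }

    // Inputs that would wrap negative under the bare cast are rejected.
    function testRangeGuard() public {
        vm.expectRevert(bytes("out of int256 range"));
        d.diffSigned(type(uint256).max, 0);
    }
}
```

Run with `forge test` from a Foundry project that has forge-std installed.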
We submitted our team findings for the Ajna Protocol audit contest on @code4rena.
Confident about our Low/QA & Gas reports & hopefully some valid H/M findings!👀
I created 2 teams for C4 contests.
Want to join on future contests? Just DM me.👊
🥷Learn while bug-hunting!⚔️
Don't overcomplicate your web3 security journey.
Take the recommended (mostly free) courses & then aim to become a beast bug hunter with small steps every day.
Be patient, there are no shortcuts.
Just aim to be more skilled today than yesterday.
Do smart contract audit contests.
Today I submitted my audit report for my 3rd smart contract audit contest on C4.
Yet 2 weeks ago I was going to wait until April to start with contests. I didn't wait.
Even if I earn $0 with this 3rd one, the learning experience for me was $invaluable!
Thank you @code4rena
Didn't pass the fast-paced Spearbit technical exercise challenge today. I will try again in 3 months' time.💪
Thanks @SpearbitDAO for the opportunity to try.👊
I'll try 🥷 the test next time when I'm stronger and better.⚔️
@TheBirthdayBook
@Spraoi
@IOHK_Charles
LOGIC and high IQs are extremely rare amongst humans.
Most, like yourself, don't have it.
And therefore, you will always disagree with opinions you cannot understand, because you FEEL that your opinion is correct.
Charles is a genius. He can THINK. I would take him seriously.
@LBRYcom
Errr, did we just allow the corrupt criminal SEC to destroy LBRY/Odysee platform which benefited hundreds of thousands of content creators and content consumers?
For what?
Maybe we should stop allowing this to happen...
My Web3 Security journey strategy update:
Early July I'll jump myself into @sherlockdefi audit contests & @immunefi bug bounties.
I'll continue with awesome @code4rena contests too.
Daily focus on max 1 contest & 1 bug bounty at a time + reading audit reports & twitter alpha.👊
To the new/beginner smart contract security auditoors out there:
I've deliberately focused on doing 2 or more audit contests at a time since I started doing contests many many months ago..
Was this a smart strategy? Who the F knows..👀
But, today I decided to stop doing that👇
Are you interested in becoming a smart contract auditor / web3 security researcher?
Join the growing community of Audit Avengers on our Discord server! Our members range from beginners to experts, all collaborating to make the Web3 world safer.
@RichardWellings
@thedoctorxxx
Fascism in Europe had its ending...(fascism comes from the far left, ALWAYS).
Today's nonsense again comes from the far left globalist cabal, pushing for global communist system via their great reset agenda 2030.
The end of THEIR agenda/ideology, will come too.
FACT.
The best experts in anything totally sucked in the beginning. They had no clue what to do.🙈
The start/beginning of anything is the worst & most difficult part. You're grappling with stuff you don't understand, while trying to better understand said stuff.
Keep going >>> 💪👊🫡
If you're a team of web3 security auditoors🥷🥷🥷 (or solo🥷) and you're looking for some extra hands on board to hunt for bugz (for private audit clients), you're welcome to give me a shout, and only pay me for valid C/H/M severity bugz I find...
👊
Web2 Security/Cybersecurity seems mostly under control, thanks to all the whitehats etc there.
But Web3Sec is not under control. It needs more bug hunters, a lot more, and formidable bug hunters.
You'll be hunting for bugz in smart contracts...🥷
Unsure? Just ASK.
👊
As a web3 / DeFi project you should take smart contract security seriously in 2024. Take no shortcuts.
Don't blindly follow what everyone else does... Everyone else gets audited by expensive ^$#$% and *&^*%^^@! "security" firms that charge them ridiculous fees, then complain
👇
@21WIRE
So, exactly the same socialist/communist tactics/oppression & reasoning is at work here as during Nazi Germany, and everyone's asleep about it...
It's time everyone starts realising that socialism/communism come from a specific MINDSET, which comes from genetics.
@Spokoiny
@benshapiro
You don't have a very high IQ, probably within the average range at best, otherwise you wouldn't say such unintelligent nonsense which lacks ALL signs of logical reasoning abilities...
The Web3 Security community, aka bug hunters, aka smart contract auditors, aka web3 white hat hackers, play a critical role in the evolution of the entire Web3 space, alongside devs & web3/DeFi innovators.
🥷 + 🧑💻 + 🧠 +💡 = mass adoption of Web3/DeFi.
My two cents in terms of learning Web3 Security:
- Learning: spend a couple of months max on learning only, both basics and deep dives.
then,
- Auditing: start doing smart contract audits daily: contests, bug bounties, private audits, while you continue studying/learning daily.
👊
Smartest approach in life, at least most of the time:
If you see a deep end, go jump yourself in it immediately.
Bravery to challenge yourself when failure is a high possibility, is not the absence of fear. Fear is there.
It's about believing that you CAN do it, even if it...
@BrightInsight6
When the Earth's axis shifts lots of degrees, maybe around 90 degrees, during a pole reversal event, and suddenly enough too, the oceans do not and can not keep up... The rest of the story is physics 101...
@michaelmalice
@elonmusk
@ClayTravis
@Twitter
@nytimes
Hmm, seems every day my theory gets validated more and more...
The left is the problem. It's biological/genetic, IQ based.
ALL tyrants, all socialists, all communists, all marxists, all Hitlers and Nazis, have I left out anything?, were ALL far LEFTISTS.
New to web3 security/smart contract auditing?:
There's mainly two approaches:
- understand the protocol as well as possible by reading any/all available docs, asking devs questions, etc, before touching the codebase;
OR
- skip the docs & dive immediately into the codebase...
EVM State Machines for Dummies:
In the realm of Solidity smart contracts, a state machine represents the various states and transitions of a contract's lifecycle. Comparable to a complex system such as a robot or a spaceship, a smart contract navigates through different..
👇
Is anyone else being swarmed with bugs🪲🪲🪲in one of the current
@CodeHawks
audit contests ?
Anyone?
Or just me imagining things at 3:24am in the morning?
🪲👀🪲
Lesson learned:
I joined the Caviar audit contest late & spent too much time reading the docs & making notes.
Managed to submit 3 medium & several low severity findings.
It's a cool protocol.
Will apply my lessons learned next audit contests.
Time management/balance is key.
@ShannenJPEG
No no, not only the Sun. The climate has cycles, due to solar cycles, galactic cycles, and earth's own little tiny cycles. The biggest drivers: our galaxy and solar system.
And we're in for a mother of all changes...
Learn more here Shannen:
Just finished the Axelar Network contest on C4.
I think they've got a good protocol going there. It's nice to see competitors to LayerZero popping up, the more the better. LZ is a formidable protocol, and Axelar seems to be not far behind, taking a completely different approach.
Ok, to all the (solidity, etc) devs out there, please make a mental note of this, above all, please understand this:
when for looping through entire length of an array, we all know how to handle that...cool.
But FFS, when you're returning only a RANGE from the array,
👇
Are you a beginner in Web3 Security / Smart Contract Auditing?
A severely overlooked aspect of the/your LEARNING journey is simply this:
"context seating" or "seating of context".
It's similar to why when taking a break from auditing so that your subconscious mind can process
@DonMauroMetall
@Earstohearyou
They DID exist, and your comment is valid regarding gravity & blood pressure. So, put 2 and 2 together now...
The earth was different enough for them to be able to exist. Question is, what was different. How was the earth different.
My external SSD failed 3 days ago, lost all my web3 security related notes I've been accumulating this year, including all audited repos of past & current contests & bounties I've been auditing & all my audit tags for zkSync contest.🙈
But I'm back ⚡️ after much 🤯🤬😭🤬
🥷
👊
@0xOwenThurm
Yo, just want to say thanks for these vids, they are gems for boosting our learning curves.
Test setup is still a weakness of mine, so tomorrow I'm going to work through your CTF vid and boost my test setup skills.
👊
@KrisApost1
Dive into actual auditing as soon as possible. Audit contests are probably best. The fastest way to learn is by doing.
While doing/auditing daily: continue to learn the basics of solidity, EVM, web3 security, etc, daily too.
The learning journey is constant/never-ending.
👊
I spent the past 12+ years investing in something immensely special to me, building it, protecting it, leading it, a very special & precious part of my life.
Today it was taken away from me, completely undeservedly.
Today is one of the hardest days in my life, but I will right
The best Web3 Security alpha🥷 ever, no contest:👀
Just saying, although the Web3 Security community is awesome as F and every single one of us Web3Sec ninjas are hellbent on helping secure Web3 & DeFi for the future of mankind, many/most of us also have lives outside of...
Spent a couple of hours writing up a potential H/M finding just to delete everything after I realised what I missed, which invalidates my finding. 🙈
The code is fine, and I learned from my oversight.
👊
I like the direction @Uniswap V4 is going. As long as they tactically strategize accordingly, with hopefully a proper uncensorable DAO or something similar, their V4 ecosystem & everything built on top of it will be untouchable by the establishment's (SEC's) corrupt tentacles.👊
I'm finally "done" with my learning/studying detour that lasted a couple weeks.
Now back to my primary focus which is daily/regular audits, read audit reports, providing value to the community(via discord & twitter), networking, etc.
Joined the C4 EigenLayer Contest today.💪🥷
It's Sunday evening, I'm hunting for bugs 🐛 in a codebase with a very low chance of finding any valid H/M bugs🪲 anytime soon.
All part of the learning journey, the grind. 24/7
👊
@0xOwenThurm's top free course too.
& @RealJohnnyTime's top PAID👀 course.
& @TheSecureum.
& all the alpha content on X, posted by the awesome web3sec 🥷🥷🥷community.
And above all, jump straight into audit contests as soon as possible, and leverage @SoloditOfficial.
👊
So, we all know the incentives for lenders in the DeFi space. They provide liquidity to borrowers, and in return earn fees for contributing to liquidity provision, etc.
But what about borrowers, why do they borrow?
Here's a quick summary of some of the more common reasons:
...
Here's my advice:
- make sure you take the lead, the initiative, be proactive about your intentions & goals
- don't wait/expect to be spoonfed
- ask as many questions as you want, we're happy to help, but first DYOR.
- web3sec is NOT easy, it's tough, but we're all still early👇
So you know what `block.timestamp` is and how/why it can be used in smart contracts.
Ok cool, so when is `block.timestamp` actually recorded for a new block?
Gotcha! 👀
The `block.timestamp` is recorded at the time of block creation. When a block is created, it includes a
👇
@benshapiro
Actually, the masks don't make much of a difference. However, when your IQ level is within the average range, you usually believe that masking is extremely necessary. It's not.
We should remind ourselves that this is a PLANdemic.
I found arguably a high/critical severity bug in two protocols. Same bug.
One of these protocols is WIDELY used and the dominant player in their niche, and has been extremely well audited so far, and loads of other protocols integrate with them..
Doesn't require an attacker.
The crypto community exists for extremely important reasons, some of them unimaginably important for the future of human species.
If you're going to be feeding off of & exploiting our crypto space like the scum you are, you better hope our paths never cross. My tolerance is low.
🥷Audit Avengers🥷 is assembling a team for
#Web3Sec
audit contests.
A win-win approach that makes sense on many levels.🌐💡
Benefits:
- Supercharge your learning journey 🚀📚
- Boost chances of earning rewards 💎💰
- Open to all experience levels, from newbie🐣 to ninja🥷
...
- a year ago there were almost no web3 security courses, paid or free, now we have at least 4 or so TOP web3sec courses, and they are all 100% free (except one👀).
- learn the basics as fast as you can, then jump straight into audit contests
- don't give up
- don't give up
👊
@MasonVersluis
Probably doing it for security reasons. This maybe doesn't help in the short-term, but this space is extremely young and immature, so we should expect this as part of the evolution journey of crypto/DeFi et al.
If they have a war-room in place, or something similar, this is why.
@ZubyMusic
If more than 50% of the global population had your IQ level, our civilization would NOT have most of our current problems.
In a world where most people are not smart, zero logic, you cannot make democracy successful, because the stupid people's votes will dominate.
Let's see how this goes...
If you're a web3/DeFi project planning to deploy on mainnet soon enough, you're welcome to DM me for a free smart contract security review, i.e. for a free security audit.
However, it's only free if I don't find any bad bugs, i.e. medium, high or critical.👇
Web3 Security community, let's give a warm welcome to Anmol @Anmolvi22924492, who has some Web2 Security skills and wisely decided to jump into Web3.
I've invited him to join my discord community where he can be assisted on his new learning journey, but please feel free to add
@CodeHawks
It seems one of the current contests is in desperate need of a bug spray assault. I'm sure the army of hawks are busy taking care of it...
👊
🥷🦅🥷🦅🥷🦅🥷🦅🥷🦅🥷🦅🥷🦅🥷🦅🥷🦅🥷🦅🥷🦅
@BrianRoemmele
@sergiomendozaco
Ok allow me to interject here. There is a lot more going on here than most of you probably realise/know...
Extensive independent research has been ongoing regarding this, and ALL your questions can be answered by the research & content of the network led by @SunWeatherMan.
👊
@ronin19217435
@BrightInsight6
Probably wanna take a look at this...Seems legit to me...
That serpent isn't a normal snake, I suspect it's a dragon... i.e. dinosaur-like serpent/snake but more in line with the myths & legends of real dragons...