0x73696d616f

@0xSimao

Followers
1,017
Following
560
Media
25
Statuses
405

Head of Security @threesigmaxyz . LSW Sherlock #26 Cantina

Joined September 2022
Pinned Tweet
@0xSimao
0x73696d616f
23 days
The results of roughly 30 full days of work (averaging 12+ hours / day) on auditing contests since January: @Code4rena 34,500 USD @cantinaxyz 29,000 USD @sherlockdefi 21,000 USD 5 top3 placements out of 7 audits. Hard work really pays off.
37
16
377
@0xSimao
0x73696d616f
25 days
3rd place in the Arbitrum Bold contest. Thank you @code4rena for being awesome 🫡
14
4
131
@0xSimao
0x73696d616f
17 days
Summary of auditing contests. @code4rena and @sherlockdefi allocate a % of the pool to top performers. Sherlock requires grinding to get this %. @HatsFinance and @immunefi pay the first submission only (not boosts). @Cantina / @CodeHawks don't reserve a % of the pool.
3
10
110
@0xSimao
0x73696d616f
1 month
1st place Exactly Protocol. Really happy for this, thank you @sherlockdefi for the opportunity!
@sherlockdefi
SHERLOCK
1 month
🏆 @exactlyprotocol Audit Contest Results 🏆 Congrats to: 1. @0xSimao - $16,494.76🥇 2. @santipu_ - $9,380.78🥈 3. @Trungore - $5,684.99🥉 @Trungore made $17,000.00 fixed pay + $5,684.99 from the contest pot! $69,000.00 rewards ➡️ $8.5M+ paid out in rewards.
1
2
14
14
0
74
@0xSimao
0x73696d616f
20 days
This is probably the best piece of advice I have gathered from over a year of auditing contests: When short on time, focus on specific parts of the codebase. Knowing 1 or 2 files well is much better than having a high-level understanding of the entire codebase.
3
1
71
@0xSimao
0x73696d616f
21 days
Must read for anyone auditing merkle proofs. Intermediate nodes may be interpreted as leaves if devs are not careful. This is dangerous because info is stored in the leaves, so it would be like faking that a deposit was made or an airdrop allocation.
1
6
63
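The attack described in the tweet above, as an added example that is not part of the original thread and not taken from any real protocol: a Merkle airdrop whose leaf preimage (32-byte account id || 32-byte amount) has the same width as the preimage of an internal node (two 32-byte child hashes), so an attacker can replay an internal node's preimage as a "claim". The same tree built with a leaf/node domain-separation prefix rejects the forged claim. Hash function, leaf encoding and the four claimants are constructed for the example.

```python
"""
Added example, not from the tweet: a Merkle airdrop where an intermediate node
can be replayed as a leaf, next to a domain-separated variant that refuses it.
Everything here (claimants, encoding, hash) is constructed for illustration.
"""
import hashlib
from typing import List, Tuple


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def encode_claim(account: bytes, amount: int) -> bytes:
    # 32-byte account id || 32-byte amount = 64 bytes, exactly the width of
    # two concatenated child hashes. That width overlap is the whole problem.
    return account.rjust(32, b"\x00") + amount.to_bytes(32, "big")


def decode_claim(data: bytes) -> Tuple[bytes, int]:
    return data[:32], int.from_bytes(data[32:], "big")


def leaf_hash(data: bytes, safe: bool) -> bytes:
    # safe=True tags leaves with 0x00 so a leaf preimage can never equal a
    # node preimage (hashing the leaf twice achieves the same separation).
    return sha256((b"\x00" if safe else b"") + data)


def node_hash(a: bytes, b: bytes, safe: bool) -> bytes:
    lo, hi = (a, b) if a <= b else (b, a)  # sorted pair, as in OpenZeppelin's MerkleProof
    return sha256((b"\x01" if safe else b"") + lo + hi)


def build_tree(leaf_hashes: List[bytes], safe: bool) -> List[List[bytes]]:
    """Return all levels, level 0 being the leaves and the last level the root."""
    levels = [list(leaf_hashes)]
    while len(levels[-1]) > 1:
        cur, nxt = levels[-1], []
        for i in range(0, len(cur), 2):
            nxt.append(node_hash(cur[i], cur[i + 1], safe) if i + 1 < len(cur) else cur[i])
        levels.append(nxt)
    return levels


def proof_from(levels: List[List[bytes]], level: int, index: int) -> List[bytes]:
    """Sibling path from the node at (level, index) up to the root."""
    proof = []
    for lvl in levels[level:-1]:
        sib = index ^ 1
        if sib < len(lvl):
            proof.append(lvl[sib])
        index //= 2
    return proof


def verify(root: bytes, leaf: bytes, proof: List[bytes], safe: bool) -> bool:
    node = leaf
    for sib in proof:
        node = node_hash(node, sib, safe)
    return node == root


def demo(safe: bool) -> Tuple[bool, bool, int]:
    """Return (legit claim verifies, forged claim verifies, forged amount)."""
    claims = [(bytes([i]) * 20, 100 * (i + 1)) for i in range(1, 5)]  # constructed claimants
    leaves = [leaf_hash(encode_claim(acct, amt), safe) for acct, amt in claims]
    levels = build_tree(leaves, safe)
    root = levels[-1][0]

    legit_ok = verify(root, leaves[0], proof_from(levels, 0, 0), safe)

    # Attacker: the preimage of levels[1][0] is lo||hi of two real leaf hashes.
    # decode_claim reads those 64 bytes as an (account, amount) pair, and the
    # proof for the internal node is simply its own sibling path.
    lo, hi = sorted(leaves[:2])
    fake_account, fake_amount = decode_claim(lo + hi)
    forged_leaf = leaf_hash(encode_claim(fake_account, fake_amount), safe)
    forged_ok = verify(root, forged_leaf, proof_from(levels, 1, 0), safe)
    return legit_ok, forged_ok, fake_amount


if __name__ == "__main__":
    print("unsafe tree:", demo(safe=False)[:2])
    print("safe tree:  ", demo(safe=True)[:2])
```

Without the prefix, the forged "claim" verifies against the real root and pays out a 256-bit amount nobody was allocated; with the prefix (or with double-hashed leaves, or a check that the leaf preimage is not 64 bytes long) the same proof fails.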
@0xSimao
0x73696d616f
9 days
We should stop for a moment and appreciate web3. If it wasn't for it, I would probably be making €40k / year and struggling. It's a game changer, especially for less developed countries where very talented people receive low wages.
5
1
120
@0xSimao
0x73696d616f
18 days
An important aspect of auditing that is often overlooked is finding out how to enter deep focus. This state is different for everyone and each person must find out what works for them and what doesn't
3
1
55
@0xSimao
0x73696d616f
8 months
Happy to share my latest @chainlink Staking V2 results on @code4rena . 8th place, feel like the judging could have gone more in my way, but that's how things work. Anyway, 3 valid mediums, glad to help the Chainlink ecosystem!
2
0
47
@0xSimao
0x73696d616f
12 days
It's very important to always read the same pieces of code several times, even when you're confident of its purpose. For some reason the human mind does not always see the obvious so we need to force ourselves to not let this happen.
3
2
49
@0xSimao
0x73696d616f
6 months
Results are out for my first @code4rena invitational with @InitCapital_ , 2nd place. Here are the findings. One of them is a solo high which was found by accident. More on it tomorrow
4
0
46
@0xSimao
0x73696d616f
29 days
2nd place Optimism Safe on @cantinaxyz . Fierce competition, was lucky to find the finding with the least dups.
4
0
45
@0xSimao
0x73696d616f
13 days
Biggest red flags in smart contracts
- Not using SafeERC20
- Using `.transfer()`
- Wrong proxy setup
- No tests
- Nested ifs, loops, try/catch blocks
- Overcomplicated logic
If you find these, be prepared for a ride
4
6
50
@0xSimao
0x73696d616f
9 months
Reporting bugs on @immunefi is always worth it. Yes, many times there won't be payouts, but you get a deep knowledge of the codebase. In the @LayerZero_Labs bounty I submitted 9 reports, 7 were rejected and 2 front-run by another whitehat. However, I still gained from it 👇
7
2
36
@0xSimao
0x73696d616f
18 days
My 2 cents: Whoever is auditing Size on @code4rena gl on your 2 cents. Actually, this is somewhat mitigated by the introduction of the hunter and gatherer roles, which still pay well. Now more than ever it's better to spend as much time as possible on a single contest.
6
0
37
@0xSimao
0x73696d616f
1 year
Uncovered another vulnerability in the Wenwin contest at @code4rena , and it took just 3 hours this time! Looking forward to showcasing these findings. At @threesigma_xyz , we're dedicated to providing expert audits and code development services. Feel free to reach out!
3
5
34
@0xSimao
0x73696d616f
1 year
Found 1 high and 3 medium severity vulnerabilities in my first 3 @code4rena contests. Really happy for it given that I entered the blockchain space 5 months ago. I must thank @threesigma_xyz for their training program, which has definitely given me a huge head start.
3
7
33
@0xSimao
0x73696d616f
15 days
Ok the zktoken is down 36% since I claimed it, give me one good reason not to sell. I had fun feeling like a degen for 5 days but it's not fun anymore
11
0
31
@0xSimao
0x73696d616f
6 months
1/4 Small description of the solo high I found in the @InitCapital_ , @code4rena contest (warning: alpha at the end). When repaying debt, the protocol rounded up in its favor, so +1 debt was repaid. This rounding would decrease the debt/shares ratio of the protocol.
3
0
30
@0xSimao
0x73696d616f
6 months
2023 recap. Finished @threesigmaxyz training program in January. 1st place Playnance and 2nd place Web3Berlin hackathons. Achieved #49 place in 2023 on @Code4rena (#9 on the 90 days leaderboard at some point). $5k from 2 contests on @sherlockdefi . 2024 will be a great year.
5
0
29
@0xSimao
0x73696d616f
16 days
I have gone through the same experience recently and these are my exact thoughts. Arguing so much is so annoying, getting paid 0 or 10k on an issue depending on judges, the list goes on. I don't think there's a solution to this. It's on us to become stronger mentally.
@deadrosesxyz
deadrosesxyz
3 months
a small update after doing contests full-time for a month. although this month was probably one of my best ones financially, it was actually the most soul-draining experience I've had in a while. The contest game sucks and a change is needed.
15
3
155
0
0
29
@0xSimao
0x73696d616f
1 month
Had a Blast @cantinaxyz
3
0
27
@0xSimao
0x73696d616f
2 months
2 3rd places in a row in contests with huge competition. Knowing the rules of Sherlock makes such a big difference. Escalations matter just as much as skill. @sherlockdefi still has some room for improvement here.
@sherlockdefi
SHERLOCK
2 months
🏆 @ZivoeFinance Audit Contest Results 🏆 Congrats to: 1. @cergyk1337 - $8,704.34🥇 2. BoRonGod - $6,513.93🥈 3. @0xSimao - $2,653.85🥉 @cergyk1337 made $24,500.00 fixed pay + $8,704.34 from the contest pot! $80,000.00 rewards ➡️ $8.4M+ paid out in rewards.
2
3
30
3
0
27
@0xSimao
0x73696d616f
1 month
Saying it's a design choice after the contest ends for stuff that is 100% wrong but was not fixed nor documented is so annoying. If the risk exists, it should be valid. This disincentivizes finding bugs that are more nuanced, as they depend on the good will of the sponsor.
2
0
25
@0xSimao
0x73696d616f
10 days
Can we spread out contests more evenly throughout the year? We've been spoiled with many contests recently, and now going back to just 3-4 at a time seems rough. I'm getting FOMO just writing this instead of looking at VS Code
2
0
25
@0xSimao
0x73696d616f
9 months
Free medium/high vulnerability when using staticcall. When staticcall is used, but the destination contract modifies state, the transaction will revert and all the gas forwarded will be spent (63/64 of the remaining gas). Keep this in mind when you see staticcall usage.
2
1
23
@0xSimao
0x73696d616f
1 year
1/ Sharing my first (and only so far, waiting for next results) high vulnerability finding on @code4rena . It felt great because I had gotten into solidity/auditing just 2 months before. Was definitely a huge motivation boost. Let's dive in
2
0
23
@0xSimao
0x73696d616f
14 days
I know it makes sense in the literal meaning of the sentence to say the biggest contest ever but platforms truly are squeezing as much as possible out of this fact, starting to become a bit of a meme
@sherlockdefi
SHERLOCK
14 days
The biggest audit contest ever $1.35M to find bugs in @MakerDAO Endgame 🗓️ July 8th - August 5th 📍
75
161
420
3
0
21
@0xSimao
0x73696d616f
10 months
Not bad for the first audit on Sherlock!
@sherlockdefi
SHERLOCK
10 months
@perenniallabs @panprog 🏆 @perenniallabs Audit Contest Results 🏆 4. Emmanuel - $4,946.64 5. @bin2chen - $3,854.21 6. minhtrng - $3,087.81 7. @3xJanx2009 - $2,609.87 8. @VagnerAndrei98 - $1,365.53 9. n33k - $1,365.53 10. @moneyversed - $1,244.34
0
0
5
1
0
20
@0xSimao
0x73696d616f
22 days
Hodling my zk token airdrop. It's easier to fight the urge to sell when the money is offered like that.
4
1
19
@0xSimao
0x73696d616f
8 months
Happy to share this @sherlockdefi milestone, 5 High severity issues. This gamified experience certainly helps grinding contests. It's a very nice touch.
1
1
18
@0xSimao
0x73696d616f
16 days
How to deal with work inertia after having paused for some time? Hard work for few months straight. Then, decreased work volume a lot for roughly 2 weeks. But now, I feel like I have a much harder time jumping to the next audit, but am much more rested. What is this paradox?
4
0
18
@0xSimao
0x73696d616f
27 days
Thank you @zksync How do I sell this or will it pump pls no bots
4
0
18
@0xSimao
0x73696d616f
6 months
The conflict of interest in @zksync 's contest on @code4rena seems surprising at first, but in reality probably happens more often than we think. Had the auditor used another wallet/username, no one would have suspected a thing. IMO KYC in these platforms is necessary.
5
0
17
@0xSimao
0x73696d616f
19 days
@banditx0x @immunefi I think Certik read this post and misinterpreted your first point
1
0
16
@0xSimao
0x73696d616f
8 months
A great strategy for maximizing profit when few audits are going on is: 1. Try to break a popular protocol on Immunefi. 2. Leverage this knowledge to crush audit contests that depend on the protocol from point 1.
1
0
14
@0xSimao
0x73696d616f
5 months
Fuzz tests can be a security trap if not built with high detail. We've seen recently an exploit that could have been detected by a fuzz test but the input variable was incorrectly limited. Writing quality fuzz tests is key, please don't do them just to fill checkboxes.
2
1
13
@0xSimao
0x73696d616f
6 months
Friendly reminder that solidity reverts when trying to cast uint8 to enum above the enum's limit. Don't be like me and lose time trying to build POCs around it only to find out it won't work.
2
0
10
@0xSimao
0x73696d616f
9 months
Free medium/high on protocols leveraging LayerZero. The endpoint's behaviour is blocking, if a relayed message reverts, the app will be DoSed. Thus, if an app does not set a minimum gas limit, it can be DoSed by sending messages with 0 gas limit.
0
2
13
@0xSimao
0x73696d616f
1 year
Got 1st place on the GameFi track in the AIBC Hackathon at @CrowdHackio by @Playnancetech ! Check out the winning game AZWorlds at Also, thank you @threesigma_xyz for this opportunity and guidance!
1
2
13
@0xSimao
0x73696d616f
1 year
One of my favourite solidity patterns is storing the hash of some content instead of the content itself. Then, in a function call, the content can be sent as an argument, hashed and compared against the stored hash. This reduces gas costs significantly and scales very well.
0
1
11
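The store-the-hash pattern from the tweet above, as an added example that is not part of the original post: a registry keeps one 32-byte digest per record and the caller later supplies the full record, which is re-hashed and compared. The practitioner caveat it also shows is that the hash must be taken over an unambiguous encoding: a packed encoding (fields run together, as abi.encodePacked does) lets two different records share one digest, while a length-prefixed encoding does not. Record layout, field contents and the registry API are constructed for the example.

```python
"""
Added example, not from the tweet: commit to a record by storing only its hash,
verify the full record when it is supplied later, and see why the encoding
behind the hash matters. Records and field names are constructed.
"""
import hashlib
from typing import Callable, Dict, Sequence

Encoder = Callable[[Sequence[bytes]], bytes]


def packed(fields: Sequence[bytes]) -> bytes:
    # abi.encodePacked-style: fields run together with no boundaries, so
    # ["alice", "pay:100"] and ["alicep", "ay:100"] encode identically.
    return b"".join(fields)


def length_prefixed(fields: Sequence[bytes]) -> bytes:
    # Each field carries its 4-byte length, so boundaries are unambiguous
    # (the same property abi.encode gives to dynamic fields).
    return b"".join(len(f).to_bytes(4, "big") + f for f in fields)


def commit(fields: Sequence[bytes], encoder: Encoder) -> bytes:
    return hashlib.sha256(encoder(fields)).digest()


class Registry:
    """Keeps a 32-byte digest per id instead of the record itself."""

    def __init__(self, encoder: Encoder) -> None:
        self.encoder = encoder
        self.digests: Dict[int, bytes] = {}

    def store(self, rid: int, fields: Sequence[bytes]) -> bytes:
        digest = commit(fields, self.encoder)
        self.digests[rid] = digest
        return digest

    def execute(self, rid: int, fields: Sequence[bytes]) -> bool:
        # The caller supplies the full record in calldata; we only recompute
        # and compare, never read the record from storage.
        return self.digests.get(rid) == commit(fields, self.encoder)


def collision_demo(encoder: Encoder) -> bool:
    """True if a record other than the stored one is accepted under `encoder`."""
    reg = Registry(encoder)
    reg.store(1, [b"alice", b"pay:100"])
    return reg.execute(1, [b"alicep", b"ay:100"])  # different record, same packed bytes


if __name__ == "__main__":
    print("packed accepts a forged record:", collision_demo(packed))
    print("length-prefixed accepts it:    ", collision_demo(length_prefixed))
```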
@0xSimao
0x73696d616f
1 year
Sometimes I see protocols returning items individually from a struct when they could return the whole struct. This costs more gas and makes the code unnecessarily bigger. Check my POC here.
1
3
11
@0xSimao
0x73696d616f
5 months
Now is the best time to do contests. People will be taking a break from @Blast_L2 . Please don't take comments like this seriously. It's no better than online investment advice. Truth is the auditor market can not be predicted. You may be lucky sometimes, but that's it.
3
0
12
@0xSimao
0x73696d616f
1 year
I have been looking for memory stack implementations in solidity and came across . I modified the code to a stack implementation and benchmarked it against static arrays at . There is some overhead, but it might fit some use cases.
0
4
11
@0xSimao
0x73696d616f
10 months
1) I'm delighted to share that I secured 2nd place in the Web3Berlin hackathon, hosted by @CrowdHackio and sponsored by the @XDCFoundation ! Try out DexBook here. And here is an article revealing the winners.
1
2
11
@0xSimao
0x73696d616f
6 months
4/4 Funny part is, this was caught randomly while doing a POC for a separate finding, as the test was reverting for some weird reason. Conclusion: always do POCs in contests, it enhances the report quality and may get you some nasty bugs.
2
0
10
@0xSimao
0x73696d616f
5 months
Imagine people who left the auditing space in 2023 or smth, missing the crazy amount of contests/business opportunities. This is why I am grateful for having started in a bear market, no expectations. (we don't talk about bull traps or a future bear market)
1
0
10
@0xSimao
0x73696d616f
1 year
Was an awesome hackathon! Really happy with our work, we managed to implement the frontend, backend and smart contracts in just 2 days to 5 chains and it was fully functional. Thank you @threesigmaxyz and @EthPrague !
@threesigmaxyz
Three Sigma
1 year
Our team won 3rd place in the Taiko Infrastructure Prize at last week's ETH Prague Hackathon! Congratulations to both @0xCarolina and @3xJanx2009 on their achievements!
1
0
21
0
1
10
@0xSimao
0x73696d616f
9 months
Later on, I saw @tapioca_dao on @code4rena , which uses LayerZero. This was a great opportunity, as I knew the LZ codebase really well. I ended up having my first 5 digit payout and 3 solo findings. In short, even if the reports are not paid, it will be valuable in the long run.
2
1
10
@0xSimao
0x73696d616f
1 year
ERC20 tokens require approval for an operator to use transferFrom. If you want to deposit an ERC20 somewhere, you need to approve first, paying 2x the gas fees. ERC1363 solves this problem with approveAndCall and other functions. Why isn't this more widely adopted?
1
0
10
@0xSimao
0x73696d616f
13 days
@cmichelio ok so just need to know what you're auditing to plan my future
1
0
9
@0xSimao
0x73696d616f
9 months
More @LayerZero_Labs alpha that can land you medium/high issues. The UltraLightNodeV2 refunds excess msg.value sent when sending cross chain transactions. Thus, it's very important to set the refund address correctly and ensure it can receive funds.
0
0
9
@0xSimao
0x73696d616f
9 months
The mindset for auditing depends greatly on the complexity of the codebase. Attempting to find bugs right away on a complex codebase might get you demotivated. The trick is spending some days figuring out everything and only then look for exploits. What's your approach?
0
1
9
@0xSimao
0x73696d616f
8 months
One key piece to achieving great results in auditing contests is improving the quality of submissions. Oftentimes the quality of a report dictates how the issue will be judged. Issues may be rightfully overlooked or have the severity decreased due to poor report quality.
0
0
9
@0xSimao
0x73696d616f
8 months
Another solid result, #15 . I must say the competition on this contest was probably the fiercest I have seen. Not so obvious high vulnerabilities with 20 duplicates, just crazy. Found a total of 7 medium + high issues, no unique ones sadly. Better luck next time!
@sherlockdefi
SHERLOCK
8 months
@TokenReactor @xiaoming9090 @BizzyVinci @KalyanSingh2401 @berndartmueller @0xVolodya @saidamdev @nobody20185 @VagnerAndrei98 🏆 @tokenreactor Audit Contest Results 🏆 11. @0xch301 - $2,368.16 12. duc - $2,303.16 13. Aymen0909 - $2,156.95 14. carrotsmuggler - $2,099.09 15. @3xJanx2009 - $1,974.22 16. Flora - $1,793.79 17. ck - $1,396.58
1
0
3
1
0
8
@0xSimao
0x73696d616f
5 months
Stop using Foundry's expectEmit() and use getRecordedLogs(). It will give you all the emitted logs in order and its behaviour is much more intuitive.
0
0
8
@0xSimao
0x73696d616f
4 months
Small update you may have missed. Assert does not spend all gas for solidity versions above 0.8.0. Here is a detailed explanation.
0
0
7
@0xSimao
0x73696d616f
6 months
Sharing this awesome resource for anyone out there dealing with Uniswap V3. Been around for some time now but it's very helpful.
2
1
8
@0xSimao
0x73696d616f
11 days
@0xjuaan Personally I have a second monitor showing a slideshow of photos of auditing legends
0
0
7
@0xSimao
0x73696d616f
9 months
If you have little solidity knowledge this contest is good for you I highly doubt there's going to be a lot of competition, no one's talking about this. Most auditors will probably ignore it as our knowledge is mostly in solidity.
0
0
7
@0xSimao
0x73696d616f
5 months
Check out Lido's withdrawal queue . Each withdrawal request stores the cumulative withdrawal amount, not its value. This trick processes batches efficiently by subtracting the first and last requests cumulative amounts. (Yes I saw this on Blast)
0
0
7
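The cumulative-amount trick from the tweet above, as an added example that is not the tweet's or Lido's code: each request stores the running total of all amounts requested so far, so the size of one request and the total of any contiguous batch are each a single subtraction of two stored values, with no loop over the batch. The queue API, the finalization rule and the request sizes are constructed for the example; a naive loop is included only to check the subtraction against it.

```python
"""
Added example, not from the tweet or from Lido: a withdrawal queue storing
running (cumulative) totals per request so that batch totals are O(1).
Request sizes and the finalize/claim rules are constructed.
"""
from typing import List


class WithdrawalQueue:
    def __init__(self) -> None:
        # Slot 0 is a sentinel with cumulative 0, so ids start at 1 and
        # amount_of(1) needs no special case.
        self.cumulative: List[int] = [0]
        self.last_finalized = 0

    def request(self, amount: int) -> int:
        """Enqueue a withdrawal; store the running total, not the amount."""
        if amount <= 0:
            raise ValueError("amount must be positive")
        self.cumulative.append(self.cumulative[-1] + amount)
        return len(self.cumulative) - 1  # the new request id

    def amount_of(self, rid: int) -> int:
        self._check_id(rid)
        return self.cumulative[rid] - self.cumulative[rid - 1]

    def batch_total(self, first: int, last: int) -> int:
        """Sum of requests first..last (inclusive) from two storage reads."""
        self._check_id(first)
        self._check_id(last)
        if first > last:
            raise ValueError("empty batch")
        return self.cumulative[last] - self.cumulative[first - 1]

    def finalize(self, last_id: int, eth_provided: int) -> int:
        """Finalize every pending request up to last_id; funding must match exactly."""
        first = self.last_finalized + 1
        needed = self.batch_total(first, last_id)
        if eth_provided != needed:
            raise ValueError(f"batch needs {needed}, got {eth_provided}")
        self.last_finalized = last_id
        return needed

    def claimable(self, rid: int) -> bool:
        return 1 <= rid <= self.last_finalized

    def _check_id(self, rid: int) -> None:
        if not 1 <= rid < len(self.cumulative):
            raise IndexError(f"unknown request {rid}")


def naive_total(amounts: List[int], first: int, last: int) -> int:
    """O(n) reference: loop over the batch (what the cumulative trick avoids)."""
    return sum(amounts[first - 1:last])


if __name__ == "__main__":
    q = WithdrawalQueue()
    for amt in (10, 20, 30, 40):  # constructed request sizes
        q.request(amt)
    print("requests 2..3 total:", q.batch_total(2, 3))
    print("finalized up to 3 with:", q.finalize(3, 60))
```

Because finalization only ever compares two stored values, the cost of finalizing a batch does not grow with the number of requests in it, which is what makes the approach viable on-chain.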
@0xSimao
0x73696d616f
23 days
@Asniunjgh @code4rena @cantinaxyz @sherlockdefi I started learning web3 on October 2022. I have an Aerospace masters, don't think cs is necessary but 100% helps
0
0
6
@0xSimao
0x73696d616f
9 months
Thrilled to announce I got 6th place in the @tapioca_dao contest at @code4rena ! Found 3 solo Highs, in a competition with over 1500 submissions. I'm now ranked 60 in the 2023 leaderboard, having started auditing in December 2022! Check out my profile.
0
0
7
@0xSimao
0x73696d616f
19 days
Ok but live testing? Why would someone do that? So weird
@CertiK
CertiK
20 days
CertiK recently identified a series of critical vulnerabilities in @krakenfx exchange which could potentially lead to hundreds of millions of dollars in losses. Starting from a finding in @krakenfx 's deposit system where it may fail to differentiate between different internal
979
1K
3K
1
0
7
@0xSimao
0x73696d616f
1 year
Did you know that Uniswap's FullMath.sol relies on overflow to function properly? If working with a solidity version above 0.8.0, use FullMath.sol from the 0.8.0 branch.
0
0
6
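To make the overflow reliance in the tweet above concrete, here is an added example (not Uniswap's code and not part of the tweet): a Python port of the 512-bit product and the mulDiv steps in the style of FullMath, with every wrap-around that the EVM performs silently written out as `& MASK`, plus a `checked_mul` that does what `a * b` does under Solidity >= 0.8 checked arithmetic on the same inputs. The test inputs are constructed; Python's big integers serve as the ground truth the port is checked against.

```python
"""
Added example, not Uniswap's code: mulDiv with a 512-bit intermediate, ported
to Python with explicit uint256 wrapping, next to what checked arithmetic
would do to the first multiply. Test inputs are constructed.
"""
MASK = (1 << 256) - 1  # uint256 arithmetic wraps modulo 2**256


def mul512(a: int, b: int):
    """Return (prod1, prod0): a*b as high and low uint256 words.

    prod0 is the wrapped (overflowed) low word; mulmod by 2**256-1 recovers the
    high word. Under checked arithmetic the first line would revert instead."""
    prod0 = (a * b) & MASK                      # wrapping mul: high bits dropped
    mm = (a * b) % MASK                          # mulmod(a, b, not(0))
    prod1 = (mm - prod0 - (1 if mm < prod0 else 0)) & MASK  # wrapping sub
    return prod1, prod0


def checked_mul(a: int, b: int) -> int:
    """What `a * b` does in Solidity >= 0.8 outside an unchecked block."""
    p = a * b
    if p > MASK:
        raise OverflowError("checked arithmetic reverts: product exceeds 2**256-1")
    return p


def mul_div(a: int, b: int, denominator: int) -> int:
    """floor(a * b / denominator) without the intermediate overflowing."""
    if denominator == 0:
        raise ZeroDivisionError
    prod1, prod0 = mul512(a, b)
    if prod1 == 0:                               # fits in 256 bits: plain division
        return prod0 // denominator
    if denominator <= prod1:
        raise OverflowError("result does not fit in uint256")
    # Subtract the remainder so the 512-bit value is exactly divisible.
    remainder = (a * b) % denominator            # mulmod(a, b, denominator)
    prod1 = (prod1 - (1 if remainder > prod0 else 0)) & MASK
    prod0 = (prod0 - remainder) & MASK
    # Factor powers of two out of the denominator (twos = -denominator & denominator).
    twos = (-denominator) & denominator & MASK
    denominator //= twos
    prod0 //= twos
    # Shift the low bits of prod1 into prod0: twos = (0 - twos) / twos + 1, wrapping.
    twos = (((1 << 256) - twos) // twos + 1) & MASK
    prod0 |= (prod1 * twos) & MASK
    # Modular inverse of the now-odd denominator by Newton iteration,
    # doubling the correct bits each round: 4 -> 8 -> 16 -> 32 -> 64 -> 128 -> 256.
    inv = ((3 * denominator) & MASK) ^ 2
    for _ in range(6):
        inv = (inv * (2 - denominator * inv)) & MASK
    return (prod0 * inv) & MASK                  # exact since the value is divisible


if __name__ == "__main__":
    a, b, d = 2**200, 2**100, 2**50 + 1
    print("mul_div matches big-int division:", mul_div(a, b, d) == (a * b) // d)
    try:
        checked_mul(a, b)
    except OverflowError as e:
        print("checked_mul:", e)
```

Every `& MASK` here marks a spot where the original relies on the EVM discarding high bits; compiled with a >= 0.8 compiler outside `unchecked`, the very first multiply would revert, which is why the 0.8 branch of FullMath exists.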
@0xSimao
0x73696d616f
8 months
Auditing contests incentivize finding weird bugs rather than obvious mistakes. Some auditors even prefer not to waste time submitting issues they know will have many duplicates. Incorrect admin assumptions hidden in the codebase/docs are a good source of unique findings.
0
0
6
@0xSimao
0x73696d616f
18 days
@cholakovv Sitting on the sofa with just my lenovo laptop in front of me
4
0
6
@0xSimao
0x73696d616f
15 days
@dethSCA @EgisSec Congrats! 4 1st places in a month is incredible
1
0
6
@0xSimao
0x73696d616f
1 year
3/ The entryPoint address was not part of the create2 salt. Knowing this, malicious users could, for example, spot wallet creations and frontrun them and set themselves as the entryPoint . If someone sent funds to the wallet, the malicious user could steal them.
1
0
6
@0xSimao
0x73696d616f
5 months
If you need to change the default python3 version in your linux environment, you can use update-alternatives. See here. This might be helpful for people doing the Blast contest, as python3.8 won't work. You need 3.9.
0
0
5
@0xSimao
0x73696d616f
1 year
Been seeing this issue a lot lately. safeApprove() from Openzeppelin SafeERC20 should not be used in most cases, use safeIncrease/DecreaseAllowance instead. Reason is safeApprove() reverts if the allowance is not 0, which can happen if the spender does not spend all tokens.
1
0
4
@0xSimao
0x73696d616f
4 months
@shealtielanz It's very unlikely someone can come up with all the attack vectors alone. Reading past reports / exploits puts these in our minds so that when the time comes we find it.
1
0
5
@0xSimao
0x73696d616f
27 days
@windhustler sir I work better late night
1
0
5
@0xSimao
0x73696d616f
9 days
@rabuawad_ Finished my masters in Aerospace Engineering and then worked 4 months in web2 making ERP software
0
0
6
@0xSimao
0x73696d616f
9 months
1
0
5
@0xSimao
0x73696d616f
1 year
Using @SoloditOfficial filter feature to confirm other auditing firms agree with a certain vulnerability. For example, should the latest solidity version be used? Solodit -> filter -> solidity version Spearbit finding:
0
0
5
@0xSimao
0x73696d616f
1 year
4/ That's it. Feeling confident about future results on 4 submitted reports, hopefully a few high vulnerabilities coming in. Looking forward to sharing here, stay tuned!
1
0
5
@0xSimao
0x73696d616f
5 months
Diffs in accounts in @Blast_L2 in the geth node. ETH balance is replaced by flags, fixed, shares and remainder. Flags select one of the 3 types of accounts. Fixed, shares and remainder represent an account's ETH shares, as it is yield bearing now.
0
0
5
@0xSimao
0x73696d616f
8 months
Let's say that a contract is pausable as a whole and has some form of borrowing where users can get liquidated. A severe price drop after a pause would get users instantly liquidated upon unpausing. It's something to consider when auditing borrowing protocols.
0
0
5
@0xSimao
0x73696d616f
8 months
Have people had success from taking breaks from auditing contests? I feel like whenever I stop I just lose momentum and then it's harder to get back on track.
5
0
5
@0xSimao
0x73696d616f
1 year
@bytes032 flag it as a vulnerability
0
0
4
@0xSimao
0x73696d616f
1 year
2/ @biconomy enabled users to deploy wallets using create2, so users would know their wallet address before deployment. The entryPoint was a privileged address of a wallet that could execute any transaction and was set on wallet deployment.
1
0
4
@0xSimao
0x73696d616f
10 months
@doychinovKrasii that nasty require invalidating your POC
1
0
3
@0xSimao
0x73696d616f
1 year
Happens everytime
@GeorgeHNTR
George Hunter
1 year
My favorite kind of solo findings in audit contests
6
0
60
1
0
3
@0xSimao
0x73696d616f
6 months
2/4 The protocol had a variable tracking the total interest, which assumed that the debt is monotonically increasing. The problem is that due to rounding up, the debt from the shares would actually decrease right after a repay call by 1, due to the decreased debt/shares ratio.
1
0
4
@0xSimao
0x73696d616f
7 months
0
0
0
@0xSimao
0x73696d616f
8 months
One thing I like to do is mark 'audit' in suspicious lines of code. It's really helpful when that piece of code has dependencies in other places of the codebase and I need to understand them first. Comes in handy after you've gained an understanding of the rest and come back.
0
0
4
@0xSimao
0x73696d616f
8 months
@0xnirlin Companies must keep their reputation, I don't know what you mean with 'no consequences of missing findings'
1
0
4
@0xSimao
0x73696d616f
9 months
@maplefinance congrats!
0
0
4
@0xSimao
0x73696d616f
1 year
@bytes032 Solodit is king now
0
0
4
@0xSimao
0x73696d616f
10 months
2) DexBook is an on chain order book with off chain order matching. It boasts a list of price brackets, each pointing to a list of orders. Insertion hints help reducing costs. A neural network provides price predictions, based on the previous 10 days.
0
0
4
@0xSimao
0x73696d616f
2 years
A Hello World solidity tweet. Solidity supports visibility and mutability modifiers, whose differences are shown in the attached tables. We can also declare custom modifiers, such as onlyOwner from OpenZeppelin. Source:
0
1
4
@0xSimao
0x73696d616f
1 year
My favorite detail that could lead to vulnerabilities is the requirement to set the USDT approval to 0 before changing it, as shown in line 199 at . What's yours?
0
0
3
@0xSimao
0x73696d616f
6 months
@0x3b338 a bit strange ngl
0
0
3
@0xSimao
0x73696d616f
21 days
@BenBurgerLG @code4rena @cantinaxyz @sherlockdefi Here is the trick, when short on time, focus on very specific parts of the codebase. Focused hours are also key, not just staring at the monitor mindlessly
0
0
2
@0xSimao
0x73696d616f
5 months
0
0
3
@0xSimao
0x73696d616f
6 months
3/4 Thus, the next time repay was called, the same shares were worth less debt, leading to the total interest update reverting (remember, debt monotonically increasing). Attackers could then frontrun liquidators with a repay 1 call, making the real liquidation tx revert.
1
0
3
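The four-part thread above (1/4 through 4/4) describes one bug; the following is an added example that is not part of the thread and not InitCapital's code: a share-based debt pool that rounds the repaid amount up, an interest tracker that assumes a position's debt never decreases, and the front-run that makes liquidation revert. The pool numbers, the position sizes and the `tolerate_decrease` mitigation are constructed for the example; with 1,000,001 debt over 1,000,000 shares, a 1-share repay burns 2 units of debt and drops the victim's debt from 500,001 to 500,000.

```python
"""
Added example, not from the thread or InitCapital: rounding the repaid amount
up lowers the debt/share ratio, so a later reading of the same position's debt
is 1 lower, and a tracker that subtracts old from new debt underflows.
All numbers are constructed.
"""
from typing import Tuple


class Revert(Exception):
    """Stands in for a Solidity revert (checked subtraction underflow)."""


def ceil_div(a: int, b: int) -> int:
    return -(-a // b)


class DebtPool:
    """Share-based debt accounting: a position owns `shares` of `total_debt`."""

    def __init__(self, total_debt: int, total_shares: int) -> None:
        self.total_debt = total_debt
        self.total_shares = total_shares

    def debt_for(self, shares: int) -> int:
        # Rounds up, against the borrower, when converting shares to debt.
        return ceil_div(shares * self.total_debt, self.total_shares)

    def repay(self, shares: int) -> int:
        # The rounded-up amount leaves total_debt but only `shares` leave
        # total_shares, so every repay nudges the debt/share ratio down.
        paid = self.debt_for(shares)
        self.total_debt -= paid
        self.total_shares -= shares
        return paid


class InterestTracker:
    """Accrues interest as debt(shares) - last checkpoint, assuming debt only grows."""

    def __init__(self, pool: DebtPool, shares: int) -> None:
        self.pool = pool
        self.shares = shares
        self.last_debt = pool.debt_for(shares)
        self.total_interest = 0

    def update(self, tolerate_decrease: bool = False) -> int:
        current = self.pool.debt_for(self.shares)
        if current < self.last_debt and not tolerate_decrease:
            raise Revert("interest underflow")   # Solidity 0.8 checked `current - last`
        self.total_interest += max(current - self.last_debt, 0)
        self.last_debt = current
        return current


def liquidate(tracker: InterestTracker, tolerate_decrease: bool = False) -> bool:
    tracker.update(tolerate_decrease)  # interest is settled before collateral is seized
    return True


def scenario(attack: bool, tolerate_decrease: bool = False) -> Tuple[int, int, str]:
    """Return (victim debt before, victim debt after, liquidation outcome)."""
    pool = DebtPool(total_debt=1_000_001, total_shares=1_000_000)  # constructed state
    victim = InterestTracker(pool, shares=500_000)
    before = victim.last_debt
    if attack:
        pool.repay(1)  # attacker front-runs the liquidation with a 1-share repay
    after = pool.debt_for(victim.shares)
    try:
        liquidate(victim, tolerate_decrease)
        outcome = "liquidated"
    except Revert as e:
        outcome = f"reverted: {e}"
    return before, after, outcome


if __name__ == "__main__":
    print("no attack:", scenario(attack=False))
    print("front-run:", scenario(attack=True))
    print("tolerant: ", scenario(attack=True, tolerate_decrease=True))
```

The `tolerate_decrease` flag only shows that clamping the delta at zero stops the revert; the underlying fix is to make the share-to-debt conversion and the repay rounding consistent so a position's debt cannot shrink from someone else's repay.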