Today is the first day of the full web3 security stage of my life. And I still remember signing off from my last vessel two years back, thinking about never returning again.
This part of my life is called happiness.
Count me in.
I quit my 8 to 5 non-tech job only to focus on web3 security.
I don't have to try to focus only in my free time anymore, which is what I did until now. It was painful.
I feel lighter by taking this step.
Just wish me luck and some more neurons :)
It's already been one year since I posted this.
Never looked back, never been happier, never been so satisfied. 🤘
Barely worked in the first 6 months and made over $150k, including private audits.
I regret not doing this earlier.
I've been presorting the @code4rena contest submissions for a couple of weeks. It's like living heaven and hell at the same time. While there are amazingly high-quality submissions, there are also very low-quality ones. I will prepare a nice thread shortly regarding
We managed to secure a top-3 spot, even though we made painful mistakes in this contest, with my man @deliriusz_eth.
Some advisory posts will follow, sharing what to do and what not to do.
I knew this was coming.
A client applicant sent their files with many trojans and ghosted me afterwards. They specifically asked for a Windows machine. Lol
Thank God I'm using a different PC for these audits.
I've spotted a niche critical vulnerability in several platforms that causes a DoS. Informed all the platforms regarding the issue (one of them is Certik certified).
So far nobody responded.
Funds are safe? Yeah, if the owners respond.
I'm tired boss.
When I was a sophomore in high school, my grades were among the worst in the country - no joke. Because I wasn't interested. A year later, I was solving olympiad-class geometry problems. Because all I was dreaming about was geometry.
TL;DR,
Don't get into auditing unless you have fun.
🏆 The results of the Krystal invitational audit are in!
Congrats to everyone who helped secure Krystal, especially Team @0xDup1337 (@0xSorryNotSorry, deliriusz) for taking over half the prize pool!
Shout out to @KrystalDeFi for their commitment to security 🫡
Trying to spot the bug you think exists in the codebase ends up with you missing the other bugs.
Stefan Zweig once showed this phenomenon in his book "The Royal Game".
Every mistake is an experience, but it's up to you whether you're educatable, anon.
A nice day to start auditing a giant codebase without any time constraints. I feel like the ring bearer.
As @1_00_proof once said: there is only the code and me.
Are you tired of tracking your C4 submissions and their status, including the duplicates?
I don't care if you are, but @CarrotSmuggler does :)
A must-have tool to track your @code4rena submissions: "C4-Table"
Kill one man, and you are a murderer.
Kill millions of men, and you are a conqueror.
Kill a contract that refunds all the deployment and initialization gas, and you are a god.
I'm happy to have met many of you at the DSS and sad about the ones I missed meeting. I'd like to include an exhaustive list of pals for my appreciation, but it would look like a phishing Optimism airdrop. :) I'll always remember this event as the photo credited to @TheSmileyDAO
The problem with DeFi is that it's fed by the DeFi users. It's against the first law of thermodynamics.
Eventually all the values will be diluted.
I have the most bizarre idea to change things.
Something is cooking.
Researchers, we've got huge news: @uniswap is moving their massive $2.25M bounty over to Cantina!
For anyone savvy enough to crack their codebase, this is the biggest bug bounty opportunity yet on our platform 🪐
Bounty link below.
That tweet aged well.
My first contest on @code4rena: Chainlink CCIP ➡️ Another magnificent failure - 0 valid issues.
My second contest on @code4rena: Chainlink Administration ➡️ 2nd place 🎉😱🎉😱
Our DSS technical talks ended up like:
Who is 0x52 really, an alter ego of a warden?
Did @samczsun come to the C4 event?
It's a pity that @gogotheauditor and @HollaWaldfee100 didn't show up.
Lol
Yesterday's @RektHQ post ends with a perfect summary of the web3 space, especially why the DAOs are doomed:
"But first and foremost, should we accept that humans are political creatures in the first place and that no system will ever be perfect until we perfect ourselves?"
The
I wasn't aware of how well @bytes032's @FindAudit channel was organized until today.
It's definitely a promising spot if your budget isn't sufficient for the big security firms and you want the option of the maximum number of applicants to audit your codebase.
A marketplace for auditors that hate marketing
Problem
- I'm getting ~2-3 leads for audits/day
- I can't take all that work
- I'm not interested in building an agency
- You might be a better auditor than me
Solution
- I'm giving away my leads for free, no commissions, no fees 👇
One of the mysteries of humankind is that people believe in themselves when they have no success and lose faith even if they have succeeded before.
Or is it related to entropy at all?
Losing your common sense is the worst thing that might happen during auditing.
The nastiest bugs occur in simple forms that are visible to the ones not losing it.
Tomorrow I am going to interview the @code4rena OG Warden and Lookout @0xSorryNotSorry.
It's going to be an inspiring interview full of insights, especially because he doesn't come from a tech-heavy background!
What would you like me to ask him?
I strongly disagree with the idea that a platform offering a smaller bounty is more likely to be hacked than to have the bounty taken.
You just can't change the mind of blackhat guys. Raise the bounty, and they'll ask for more anyway, as they see 10% of the TVL as the bounty. Who's providing
New phishing DM pattern,
Don't fall into this 👇
Woman profile photo ✅
Handle name ends with numbers ✅
Spammer claims that she's a member of {x} ✅
Spammer wants to interview you (!) ✅
Spammer profile is full of retweets from {x} ✅
None of your followers follow her ✅
Blockchain is unbreakable and secure.
Meanwhile:
A reentrancy causes ETH to be hard forked,
A precision loss causes a 9-figure loss,
A MEV bot steals your profit,
An owner siphons the funds.
This should not be the tradeoff of the "blockchain is unbreakable" argument.
⛵️
#TrustX2023
"Cruising Bosphorus, Securing Ethereum" over great conversations!
🙏 Thank you @cantinaxyz for co-sponsoring this wonderful Bosphorus cruise
To the bot owner who poisons block scanners with fake token transfers:
Please DM me, I want to upgrade to pro and pay you just to exclude my addresses from your service.
"Is this what you do with the eternity?"
This Groundhog Day quote changed my approach to life.
In the end, we're all trying to hit the hat to pass the day. What a waste of time. But not for me anymore.
A Recap of Certik vs Kraken👇
1. Certik discovered a critical bug in Kraken and they waited 5 days to disclose the vulnerability.
2. They ran "tests" and withdrew $3M in the process.
3. In their defense, Certik claimed they were testing
Kraken's defense system, which failed to
Hey @Immunefi, consider requesting deposits from projects. It could help ensure commitment, especially when a project promises a $400k bounty but backs out after receiving a valid report. Maybe 10% of the max bounty as a security?
I recently had a disclosure to a project and they stated that they discourage users from using the referenced function in the reported flow. Ok :) I have a zero-day then.
It's natural to be amazed by the amount of money web3sec researchers who started their careers two years ago have made.
But guess what, someone starting two years from now will say the exact same thing about you.
The best time to start your web3sec journey is RIGHT NOW🎯
The Shieldify team completed another DEX Protocol Audit, which was 2500 nSLOC 🫡
The Findings Summary is:
Critical/High: 5
Medium: 13
Low: 11
The audit report is coming soon!
He only deserves respect in the wake of the recent events. Would you rather be waking up to a morning with your funds swept? He's one of the brightest assets of this ecosystem, but crypto Twitter adores the drama, as always.
People are saying all kinds of terrible things while being uninformed so allow me to share more details.
I've initiated coordination privately with Immunefi officials 3 hours before the white-hack. 90 minutes later, I realized the asset is currently used by the frontend and