Juan

@0xjuaan

Followers: 1,463
Following: 220
Media: 36
Statuses: 355

smart contract security researcher • cs+maths undergrad ZK student @Rareskills_io security audit portfolio:

Joined June 2023
Pinned Tweet
@0xjuaan
Juan
27 days
🥇 My first time coming 1st place in an audit contest 😎 Firstly I thank God that I chose this contest out of the many that were going on simultaneously, because something about this codebase had me unusually hooked to my screen until 2 AM some nights. Especially proud of my
@sherlockdefi
SHERLOCK
27 days
🏆 @arrakisfinance Audit Contest Results 🏆 Congrats to: 1. juaan - $33,195.26🥇 2. cu5t0mPe0 - $10,316.00🥈 3. @cergyk1337 - $6,429.07🥉 @cergyk1337 made $28,500.00 fixed pay + $6,429.07 from the contest pot! $90,500.00 rewards ➡️ $8.8M+ paid out in rewards.
@0xjuaan
Juan
4 months
Some quick foundry alpha for you all: When console logging any token amounts, you can use the %e placeholder to display it in exponential form. No more counting each individual digit like a noob 👍
@0xjuaan
Juan
4 months
The drop-off rate in @PatrickAlphaC 's Foundry course shows how if you just stick to the end, you already beat the majority of people. The content is free but that doesn't make it easy to learn. Learning something new is uncomfortable, but that's what makes the outcome valuable.
@0xjuaan
Juan
4 months
The only beginner roadmap I will ever post (important learning advice at the end): I've been getting too many requests for it in DMs, so here it is. (All resource links provided at the bottom) Step 1. Learn Solidity + how Ethereum works. I did the Cyfrin Updraft Foundry course.
@0xjuaan
Juan
24 days
An IN-DEPTH guide on the audit process that I used to achieve multiple top2 finishes (and 1st place) in audit contests. If your current audit process is not yielding much results, or if you are new and are completely lost when auditing, it would be dumb to not give this a read.
@0xjuaan
Juan
3 months
Came 2nd place again 😄 Some stats: - my first @code4rena appearance - 5 total findings (2H, 3M) - first solo findings (2 solo mediums) 5 months ago, I didn't even know what a storage variable was. I'm extremely grateful for the progress that I've been able to make and hope to
@0xjuaan
Juan
3 months
Had some free time so decided to cook up a quick finding breakdown video (cross-contract reentrancy). I share the exact, step-by-step thought process that led me to finding a bug that paid nearly $1000 USDC. Vid link: Was inspired by @0xOwenThurm to
@0xjuaan
Juan
2 months
How did you learn solidity? (poll)
Patrick Collins / Updraft: 460
Crypto Zombies: 221
Solidity Docs: 130
Other (tell in replies): 130
@0xjuaan
Juan
3 months
How to make $150 in an hour: 1. git clone the codebase 2. run code coverage 3. realise that contracts/mock/FeeOnTransferToken.sol is completely untested 4. check the code, and realise that the protocol won't work with FoT tokens 5. quick PoC and submit (mine was the 3rd finding)
@sherlockdefi
SHERLOCK
3 months
@GoatTradingDex @zzykxx @brandon_shi @0xRizwann 🏆 @GoatTradingDex Audit Contest Results 🏆 7. joshuajee - $150.17 7. @0xjuaan - $150.17
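The accounting mismatch behind the post above (a protocol that credits the nominal transfer amount while a fee-on-transfer token delivers less), shown as an added Foundry test that is not the author's code nor the contest's FeeOnTransferToken.sol. The mock token, both vault contracts and all names are constructed for the example; the hardened vault credits the measured balance delta instead of `amount`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
    function approve(address spender, uint256 amount) external returns (bool);
}

/// Constructed mock (hypothetical): burns 1% of every transfer, so the
/// receiver always gets less than `amount`.
contract FeeOnTransferMock is IERC20 {
    uint256 public constant FEE_BPS = 100;
    mapping(address => uint256) public override balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;

    function mint(address to, uint256 amount) external { balanceOf[to] += amount; }

    function approve(address spender, uint256 amount) external override returns (bool) {
        allowance[msg.sender][spender] = amount;
        return true;
    }

    function transfer(address to, uint256 amount) external override returns (bool) {
        _move(msg.sender, to, amount);
        return true;
    }

    function transferFrom(address from, address to, uint256 amount) external override returns (bool) {
        allowance[from][msg.sender] -= amount;
        _move(from, to, amount);
        return true;
    }

    function _move(address from, address to, uint256 amount) internal {
        uint256 fee = amount * FEE_BPS / 10_000;
        balanceOf[from] -= amount;
        balanceOf[to] += amount - fee; // the fee simply disappears
    }
}

/// Vulnerable pattern: trusts `amount` instead of what actually arrived.
contract NaiveVault {
    IERC20 public immutable token;
    mapping(address => uint256) public deposits;

    constructor(IERC20 t) { token = t; }

    function deposit(uint256 amount) external {
        token.transferFrom(msg.sender, address(this), amount);
        deposits[msg.sender] += amount;
    }
}

/// Hardened pattern: credit the balance delta, which is all the vault can ever pay back.
contract BalanceDeltaVault {
    IERC20 public immutable token;
    mapping(address => uint256) public deposits;

    constructor(IERC20 t) { token = t; }

    function deposit(uint256 amount) external {
        uint256 before = token.balanceOf(address(this));
        token.transferFrom(msg.sender, address(this), amount);
        deposits[msg.sender] += token.balanceOf(address(this)) - before;
    }
}

contract FeeOnTransferTest is Test {
    FeeOnTransferMock token;
    NaiveVault naive;
    BalanceDeltaVault safe;
    address alice = makeAddr("alice");

    function setUp() public {
        token = new FeeOnTransferMock();
        naive = new NaiveVault(token);
        safe = new BalanceDeltaVault(token);
        token.mint(alice, 2_000e18);
    }

    function test_naiveVaultOwesMoreThanItHolds() public {
        vm.startPrank(alice);
        token.approve(address(naive), 1_000e18);
        naive.deposit(1_000e18);
        vm.stopPrank();
        assertEq(token.balanceOf(address(naive)), 990e18); // what arrived
        assertEq(naive.deposits(alice), 1_000e18);         // what the books promise
    }

    function test_balanceDeltaVaultStaysSolvent() public {
        vm.startPrank(alice);
        token.approve(address(safe), 1_000e18);
        safe.deposit(1_000e18);
        vm.stopPrank();
        assertEq(safe.deposits(alice), 990e18);
        assertEq(token.balanceOf(address(safe)), safe.deposits(alice));
    }
}
```

Run with `forge test`. The first test is the shape of a contest PoC: the vault's books promise 1,000e18 while it holds 990e18, so the last withdrawer is short. The balance-delta pattern is the usual fix, and it also covers rebasing or blacklisting tokens that deliver something other than `amount`.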
@0xjuaan
Juan
5 months
Wow. 🏅 #7/257 in my second Sherlock contest. God is good. In the last post, I said that next up would be a 4-fig payout, now here it is. Found some very interesting bugs (4 High severity vulns), you can find them on my portfolio here:
@0xjuaan
Juan
6 months
First contest payout, in my second contest ever 🚀 Next up: 4-figure payout 💵
@0xjuaan
Juan
3 months
How this scammer’s fake smart contract stole $10k in the last 2 days 🛑 🔊 It all starts with this sketchy sponsored youtube video on my homepage: The premise is that you can deploy a contract to earn passive income, but it's insane how legit the entire process could seem to a
@0xjuaan
Juan
7 months
Today, the sponsor confirmed my first ever high severity vulnerability found in a contest. Now, I'll just have to wait until the official results. Been learning this stuff for less than 2 months, thanks @PatrickAlphaC for the incredible courses 🫡
@0xjuaan
Juan
6 months
First contest payout, in my second contest ever 🚀 Next up: 4-figure payout 💵
@0xjuaan
Juan
2 months
Excited to announce that I'll be learning the magic of ZK with the best educators in the space @RareSkills_io Follow for potential ZK content in the future 👀
@0xjuaan
Juan
4 months
2 months ago I onboarded a good friend of mine to the space. Over the 2 months, I shared with him all my tips and tricks/mindsets that helped me to find vulnerabilities in contests. Today, he received a payout in his first ever contest 🔥 If you're a new auditor: over the
@0xSpearmint
Spearmint
4 months
🏅 joint #5/235 in my first audit contest. Big thanks to @PatrickAlphaC and @CyfrinUpdraft for the amazing courses that got me started in this space. I also want to thank @0xjuaan for getting me into blockchain security and guiding me on how to get better
@0xjuaan
Juan
30 days
If you're a smart contract developer, reading this article will have extremely high ROI.
@0xjuaan
Juan
5 months
I came 6th, out of 257 participants in prelim results for my 2nd @sherlockdefi contest. Praying that my findings won't be invalidated 🙏
@0xjuaan
Juan
6 days
When starting out, I always had a tiny bit of FOMO that I never did this CTF (because it used to be only on hardhat, and I was too lazy to learn it) But now it's migrated to foundry, so I would recommend @CyfrinUpdraft students to supplement their learning with these challenges.
@tinchoabbate
tincho 🪷
6 days
Dear players of Damn Vulnerable DeFi, rumours are true. The most vulnerable smart contracts in all web3 have been upgraded. V4 is out! 🔥 This is a major update to the game, packed with new challenges and improvements all around.
@0xjuaan
Juan
4 months
Made it to 2nd place!! 🥈 I'm starting to solidify my audit process as I get more and more experience, gaining more confidence in my ability, which I'm super grateful for. My performance was absolutely dwarfed by the LSW @panprog , though it's very cool to be able to share the
@sherlockdefi
SHERLOCK
4 months
🏆 @SmileeFinance Audit Contest Results 🏆 Congrats to: 1. @panprog - $38,714.00🥇 2. @0xjuaan - $2,188.04🥈 3. @santipu_ , jennifer37 - $1,402.13🥉 @panprog made $37,500.00 fixed pay + $38,714.00 from the contest pot! $95,000.00 rewards ➡️ $7.0M+ paid out in rewards.
@0xjuaan
Juan
2 months
The report for the @revertfinance contest is finally out. Was pleased to find out that 4/5 of my valid submissions were selected for report. Still wishing I was backstage so I could participate in the mitigation review 🥲 Blessed to have this opportunity, thanks @code4rena
@0xjuaan
Juan
3 months
Came 2nd place again 😄 Some stats: - my first @code4rena appearance - 5 total findings (2H, 3M) - first solo findings (2 solo mediums) 5 months ago, I didn't even know what a storage variable was. I'm extremely grateful for the progress that I've been able to make and hope to
@0xjuaan
Juan
6 months
I’m now starting to realise: understanding the codebase doesn't just mean knowing what each function does. Truly understanding it means that you can explain why every line of a function exists. If you can't yet explain everything, then dig deeper until you can. It's easier said
@0xjuaan
Juan
7 months
Wow auditing is way more fun when you’ve got to the stage where you understand the codebase
@0xjuaan
Juan
1 month
What is a foundry feature that you wish they implemented? I'll start: Being able to run `forge coverage` with `--match-test` to select which test to run, instead of the default which is running every single test in the folder at once. It would save a lot of run time but also
@0xjuaan
Juan
1 month
SQLite Devs: 600 test lines of code per line of source code. Fuzz tests, testing I/O errors, OS crashes. Web3 Devs: 4 unit tests with mock contracts, 40% code coverage- time to deploy and hold 7-fig TVL 🚀
@iavins
v
1 month
SQLite is cracked
@0xjuaan
Juan
2 months
The world if Foundry tests/PoCs could run instantly:
@0xjuaan
Juan
3 months
Since I made this post (less than 2 days ago), the scam has collected another 7 ether (~$20k) The YT vid is still up, my comments are getting insta-deleted. This is nuts.
@0xjuaan
Juan
3 months
How this scammer’s fake smart contract stole $10k in the last 2 days 🛑 🔊 It all starts with this sketchy sponsored youtube video on my homepage: The premise is that you can deploy a contract to earn passive income, but it's insane how legit the entire process could seem to a
@0xjuaan
Juan
5 months
When calculating shares to burn when withdrawing funds, should you round up or down? Sometimes the answer isn't as simple as you think. The hack on Wise Lending is a prime example. @osec_io did a brilliant analysis on the key features of this exploit, Here's a quick summary:
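The rounding question in the post above, worked through as an added example (not the author's code, and not the Wise Lending contracts): a small ERC-4626-style share-math library with an explicit rounding direction per operation, plus a Foundry fuzz test for the invariant that rounding never favours the user over the vault. Library, contract and constant names are constructed for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

/// Share accounting helpers in the style of an ERC-4626 vault. The rule is that
/// rounding must never favour the user over the vault:
///   * deposit:  assets in, shares out   -> round shares DOWN
///   * withdraw: assets out, shares burnt -> round shares UP
/// Rounding the withdraw side down leaves a sliver of value the user did not
/// pay for on every call, and repeated calls turn slivers into real money.
library VaultMath {
    function mulDivDown(uint256 x, uint256 y, uint256 d) internal pure returns (uint256) {
        return x * y / d;
    }

    function mulDivUp(uint256 x, uint256 y, uint256 d) internal pure returns (uint256) {
        uint256 prod = x * y;
        return prod / d + (prod % d == 0 ? 0 : 1);
    }

    /// shares minted for `assets`, rounded down
    function sharesForDeposit(uint256 assets, uint256 totalAssets, uint256 totalShares)
        internal pure returns (uint256)
    { return mulDivDown(assets, totalShares, totalAssets); }

    /// shares burnt to take out `assets`, rounded up
    function sharesForWithdraw(uint256 assets, uint256 totalAssets, uint256 totalShares)
        internal pure returns (uint256)
    { return mulDivUp(assets, totalShares, totalAssets); }

    /// assets paid out for `shares`, rounded down (what a redeem pays)
    function assetsForShares(uint256 shares, uint256 totalAssets, uint256 totalShares)
        internal pure returns (uint256)
    { return mulDivDown(shares, totalAssets, totalShares); }
}

contract VaultMathTest is Test {
    // Constructed state: 1000 assets back 300 shares, so 1 share = 3.33.. assets.
    uint256 constant TOTAL_ASSETS = 1000;
    uint256 constant TOTAL_SHARES = 300;

    function test_directionsDifferWhenNotExact() public {
        // 7 assets are worth 2.1 shares at this ratio.
        assertEq(VaultMath.sharesForDeposit(7, TOTAL_ASSETS, TOTAL_SHARES), 2);  // user receives 2
        assertEq(VaultMath.sharesForWithdraw(7, TOTAL_ASSETS, TOTAL_SHARES), 3); // user burns 3
    }

    /// Invariant for any state: shares burnt on withdraw are worth at least the
    /// assets paid out, and shares minted on deposit are worth at most the
    /// assets paid in. If either assertion fails, rounding leaks value.
    function testFuzz_roundingNeverFavoursUser(uint64 assets, uint64 totalAssets, uint64 totalShares) public {
        totalAssets = uint64(bound(totalAssets, 1, type(uint64).max));
        totalShares = uint64(bound(totalShares, 1, type(uint64).max));

        uint256 burnt = VaultMath.sharesForWithdraw(assets, totalAssets, totalShares);
        assertGe(VaultMath.assetsForShares(burnt, totalAssets, totalShares), assets);

        uint256 minted = VaultMath.sharesForDeposit(assets, totalAssets, totalShares);
        assertLe(VaultMath.assetsForShares(minted, totalAssets, totalShares), assets);
    }
}
```

When auditing, the useful check is not "does it round up or down" in the abstract but "which side of this particular transfer is the vault on": whatever the vault gives out rounds down, whatever it takes in rounds up. The same helpers underpin the virtual-share offset used against share-price inflation, which this test does not cover.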
@0xjuaan
Juan
6 months
Here's a scrappy diagram I made to clearly understand the cross-chain NFT transferring functionality of @stakedotlink 's contracts. It led to me finding my first ever high severity vulnerability involving this exact function of the protocol. Valuable lesson learned: always
@0xjuaan
Juan
1 month
@jack__sanford Maybe I'm a bit paranoid, but my reasoning for saying no is: 1. Malicious sponsor might submit the bug from a new anon sherlock account 2. They might unknowingly give hints pointing to the vulnerability when competitors ask related questions in private threads
@0xjuaan
Juan
6 months
Completed 2 contests on @CodeHawks . Pretty sure I've achieved my goal: to find at least 1 H/M vulnerability. Now I just need to learn a lot from other people's findings/what I missed. I'm excited to jump back into lesson 7/8 of the @CyfrinUpdraft security course!
@0xjuaan
Juan
3 months
First solver of @milotruck 's CTF puzzle 'Escrow' ✅ Very cool challenge, I would highly recommend trying it out! Now onto the other ones...
@milotruck
MiloTruck
3 months
Please come solve my CTF challenges, they're pretty simple Most of them are based off bugs I've seen in real audits
@0xjuaan
Juan
7 months
Nothing better than seeing this in your terminal after spending hours working on a PoC 🥹
@0xjuaan
Juan
5 months
Finally started auditing with 2 monitors. Now I expect 2x the valid findings per contest
@0xjuaan
Juan
6 months
Somehow came 12th in the latest @TheSecureum race without even looking at Vyper beforehand.. will study the solutions now though
@0xjuaan
Juan
5 months
Just completed my favourite (and most challenging) CTF challenge so far. Learnt a TON while struggling to get the solution right. (Prerequisites: bit of yul+bytecode understanding) Would recommend:
@0xjuaan
Juan
7 months
Just completed my first audit contest (Footium) at @sherlockdefi Submitted a grand total of 1 finding (Medium). Turns out it was a solo finding, looking forward to see the results after judging. If you're interested in seeing the finding, DM me and I'll send a link to it.
@0xjuaan
Juan
2 months
I'm impressed with how clean this looks from @sherlockdefi More wins coming to the portfolio soon 🫡
@sherlockdefi
SHERLOCK
2 months
Unveiling Audit Portfolios: All Your Security Wins in One Spot 🎯 It’s difficult to track all of your auditing achievements across different platforms. To solve this problem, Sherlock is excited to bring you Audit Portfolios ⬇️
@0xjuaan
Juan
3 months
@banditx0x the barrier to entry for auditing is way lower; I could participate in a public contest and get a feedback loop + rewards straight away
@0xjuaan
Juan
2 months
inquiry-based >>> linear
@0xjuaan
Juan
5 months
Me witnessing my first escalation war on @sherlockdefi :
@0xjuaan
Juan
7 months
Wow auditing is way more fun when you’ve got to the stage where you understand the codebase
@0xjuaan
Juan
5 months
@nisedo_ whenever I think like that I realise that @zachobront is the shining example that your background doesn't matter, you just may have to work harder than the rest at the start
@0xjuaan
Juan
18 days
@jack__sanford 6, so i can peek at @IAm0x52 's MakerDAO submissions 🧠
@0xjuaan
Juan
6 months
"Running delegatecall() in a loop" If that didn't set off any alarm bells in your head regarding `msg.value`, you probably should read this amazing bug writeup by @samczsun :
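Why "delegatecall in a loop" plus `msg.value` should ring alarm bells, as an added Foundry example that is not the author's code and not the contracts in the linked writeup. `delegatecall` preserves `msg.value`, so a payable batch entry point lets one ETH payment be observed by every iteration; the hardened variant makes the batch entry point non-payable so there is no value to replay. Contract and function names are constructed for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

/// Vulnerable pattern: a payable batch entry point that delegatecalls into
/// itself in a loop. Every delegated call sees the same msg.value, so a
/// payable function inside the batch credits the one payment N times.
contract BatchVulnerable {
    mapping(address => uint256) public credit;

    function depositETH() external payable {
        credit[msg.sender] += msg.value; // msg.value survives delegatecall
    }

    function batch(bytes[] calldata calls) external payable {
        for (uint256 i = 0; i < calls.length; i++) {
            (bool ok, bytes memory ret) = address(this).delegatecall(calls[i]);
            if (!ok) { assembly { revert(add(ret, 32), mload(ret)) } }
        }
    }
}

/// Hardened pattern: the batch entry point is not payable, so msg.value is
/// zero inside every delegated call. ETH-taking functions are called on
/// their own, once per payment.
contract BatchHardened {
    mapping(address => uint256) public credit;

    function depositETH() external payable {
        credit[msg.sender] += msg.value;
    }

    function batch(bytes[] calldata calls) external {
        for (uint256 i = 0; i < calls.length; i++) {
            (bool ok, bytes memory ret) = address(this).delegatecall(calls[i]);
            if (!ok) { assembly { revert(add(ret, 32), mload(ret)) } }
        }
    }
}

contract BatchMsgValueTest is Test {
    address user = makeAddr("user");

    function _twoDeposits() internal pure returns (bytes[] memory calls) {
        calls = new bytes[](2);
        calls[0] = abi.encodeWithSignature("depositETH()");
        calls[1] = abi.encodeWithSignature("depositETH()");
    }

    function test_vulnerableCreditsOnePaymentTwice() public {
        BatchVulnerable v = new BatchVulnerable();
        vm.deal(user, 1 ether);
        vm.prank(user);
        v.batch{value: 1 ether}(_twoDeposits());
        // The contract received 1 ether but its books say it owes 2.
        assertEq(address(v).balance, 1 ether);
        assertEq(v.credit(user), 2 ether);
    }

    function test_hardenedRejectsValueOnBatch() public {
        BatchHardened h = new BatchHardened();
        vm.deal(user, 1 ether);
        vm.prank(user);
        // Non-payable entry point: a call carrying ETH reverts before the loop runs.
        (bool ok,) = address(h).call{value: 1 ether}(
            abi.encodeWithSelector(BatchHardened.batch.selector, _twoDeposits())
        );
        assertFalse(ok);
        assertEq(h.credit(user), 0);
    }
}
```

When reviewing a multicall, the question to ask is whether any function reachable through it reads `msg.value`; if one does and the entry point is payable, the accounting above is the result. Tracking the remaining value across iterations is the alternative fix when a batch genuinely needs to carry ETH.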
@0xjuaan
Juan
4 months
When you find a bug in a non-upgradeable contract:
@jaysonstreet
Jayson E. Street 💙 🤗💛 Hacker - Helper - Human
4 months
Vulnerability found in Apple's Silicon M-series chips – and it can't be patched
@0xjuaan
Juan
5 months
I need to stop getting complacent after finding a bunch of bugs in a contest. In my last contest, I wasted the last few days meandering around the code without strong belief that I would find any more issues. There's always more bugs to find!!! Just reset and search again
@0xjuaan
Juan
6 months
Other than Contests and CTFs, here's the resources I plan to use to level up my web3 security skills: For EVM Learning: - The EVM Handbook (by noxx3xxon): - Ethereum Yellow Paper Course: Proxies: - yAcademy Proxies Research:
@0xjuaan
Juan
3 months
Does anyone else get paranoid that they accidentally submitted their sherlock submission to the public repo? I can't help but triple-check the URL every time...
@0xjuaan
Juan
7 months
Just wrapped up my first month in web3 security. ✅Progress made: - Completed @PatrickAlphaC 's Full Foundry Course - 11/29 Ethernaut levels - 40% through @CyfrinUpdraft security course Looking forward to participating in my first competitive audits this coming month.
@0xjuaan
Juan
6 months
Tip for @sherlockdefi judging contests: When you come across one of those obviously wrong, low-effort submissions, search the repo for that submitter's name and check all their submissions. More often than not, you'll be able to quickly invalidate 3-5 more submissions.
@0xjuaan
Juan
3 months
@xb0g0 gg mate, i've been following ever since you were posting about your shadow audits
@0xjuaan
Juan
4 months
@farazsth98 OMG. This is the real deal.
@0xjuaan
Juan
3 months
@0xOwenThurm time to implement a DeFi protocol on an HTTP server 👍
@0xjuaan
Juan
2 months
@0xJuancito very relatable- ever since my first audit (Footium) I've never touched a contest involving off-chain parts that we know nothing about (happens especially in gaming protocols)
@0xjuaan
Juan
4 months
@tudoratu @PatrickAlphaC yes, the course is a massively positive public good; I'm talking about how most people are unwilling to stick to it
@0xjuaan
Juan
6 months
Currently banging my head trying to deeply understand elliptic curve digital signatures (not the group theory stuff, just what's relevant for ethereum). I'll make a concise educational thread with my learnings once I'm confident with it.
@0xjuaan
Juan
7 months
Auditing tip for VSCode users: I set my keybind for 'Go back' to CMD+5 and 'Go forward' to CMD+6 to easily switch between different parts of the codebase. No more scrolling endlessly to find where you left off.
@0xjuaan
Juan
6 months
When you find a (likely critical) vulnerability in the testnet version of a protocol (before audit contest) but it turns out they patched it in the contest repo 🫠
@0xjuaan
Juan
6 months
Who makes the best medium articles related to web3 security / EVM? To level up my knowledge I want to do @pashovkrum 's method of opening a ton of chrome tabs with quality articles and reading whenever I can
@0xjuaan
Juan
3 months
@giraffe0x @code4rena thanks giraffe!! your recent results are on another level
@0xjuaan
Juan
2 months
For those who want to understand vault inflation, here's a really concise explanation:
@0xSpearmint
Spearmint
2 months
A post simplifying vault share inflation attacks so that you can easily identify them in all your future audits. Q: What is a vault? It is a smart contract in which users can deposit underlying tokens and in return get minted shares. Users can later burn their shares to
@0xjuaan
Juan
2 months
probably the best analogy anyone could've come up with
@TrainTestToad
Toad
2 months
@optimizoor Considering posting on farcaster "onchain activity" is wild. It prepares you to build crypto apps about as much as taking a shit prepares you to become a plumber.
@0xjuaan
Juan
2 months
@StErMi @Blast_L2 @cantinaxyz you weren't the only one.... i got $0
@0xjuaan
Juan
4 months
@PatrickAlphaC oh true, I noticed that when I was doing them, but honestly I don't think I've done them all either 😅 After Thunder Loan, I took a long break from the course to participate in CodeHawks and found my first real bug
@0xjuaan
Juan
7 months
Security researchers, this is why we need to stay consistent.
@0xjuaan
Juan
2 months
@radev_eth Developed attack contracts?
@0xjuaan
Juan
6 months
🤓🥸
@0xjuaan
Juan
3 months
@zzebra83 yup, until I find the first interesting bug of each audit I have the same feeling
@0xjuaan
Juan
2 months
@xuwinniexu @jack__sanford Initially I felt it was unfair because the LSWs were getting paid a guaranteed huge sum, but ultimately if any watson performs better than the LSW, they collect points from them and can eventually do the same. So if the LSW is able to maintain their status through high
@0xjuaan
Juan
2 months
@tonyke_bot they need to learn to use %e for printing numbers:
@0xjuaan
Juan
4 months
Some quick foundry alpha for you all: When console logging any token amounts, you can use the %e placeholder to display it in exponential form. No more counting each individual digit like a noob 👍
@0xjuaan
Juan
3 months
@nisedo_
nisedo
10 months
One of the easiest ways to find bugs in an audit is to look where the test coverage is lacking ❌ And this is the best way to have a clear vision of what the tests are covering or not: 1. Download Coverage Gutters: 2. Cmd+Shift+P -> Open Settings (UI)
@0xjuaan
Juan
6 months
@nisedo_ I'd argue the second one is even more structured. To me, it's way more effective to follow the logical flow of the contracts rather than linearly going through files with an arbitrary structure.
@0xjuaan
Juan
3 months
@zdravkohristov0 sometimes I change it up like in this bug
@0xjuaan
Juan
6 months
Just spent 0.5 sepolia ether in gas fees, on the brute force for Ethernaut #13
@0xjuaan
Juan
4 months
@abarbatei @deadrosesxyz I think it's the PVP nature of escalations that drains a lot of mental energy
@0xjuaan
Juan
6 months
Find vulnerabilities + get better at finding vulnerabilities
@immunefi
Immunefi
6 months
If you don't have concrete goals as a security researcher, you are NOT GOING TO MAKE IT. What are your goals?
@0xjuaan
Juan
3 months
@ilchovski98 @pashovkrum wow @pashovkrum is a G for setting up that initiative and great job @ilchovski98 by the way!
@0xjuaan
Juan
3 months
@garypalmerjr not sure what the issue is???? I just bought an ENS domain...
@0xjuaan
Juan
26 days
@Hash01011122 Method 2, but I would say even 3k+ can be considered large Reading reports is not effective for me since I don't understand the code associated with it. Focused practice and reflection (in contests) is the best way to improve the skill of auditing in my opinion.
@0xjuaan
Juan
7 months
@rekxor @PatrickAlphaC @CyfrinUpdraft watch videos from 'Rian Doris' on youtube and try to apply some stuff
@0xjuaan
Juan
3 months
@0xnirlin @Blast_L2 insufficient approval to self should use WETH.transfer(to, amount)
@0xjuaan
Juan
1 month
@0xnirlin should've been farming C4 🤷‍♂️ could have gained some actual skills while they're at it
@0xjuaan
Juan
6 months
Hi @pashovkrum , did you end up doing a demo foundry project? If so, out of curiosity what did you build?
@pashovkrum
pashov
2 years
6/ Foundry. If you want to be advanced today you have to master it, especially for making clean Proof of Concepts. Will learn it by reading the Foundry book and watching @PatrickAlphaC YouTube tutorials on it. Then I will do a demo project with high code coverage to practice.
@0xjuaan
Juan
3 months
@TrainTestToad goal: be a sicko and have a brand
@0xjuaan
Juan
4 months
@0xOwenThurm congrats you've made it!🎉
@0xjuaan
Juan
3 months
@RealJohnnyTime @0xOwenThurm Means a lot to hear that from you @RealJohnnyTime ! I was first introduced to this space by coming across your interview with Pashov🫡
@0xjuaan
Juan
7 months
Prelim results are out- so far there was only one valid submission, and it was from the LSW. This was a weird one because of the amount of off-chain functionality needed for the project to work. Anyway, back to grinding and on to the next one 🫡
@0xjuaan
Juan
7 months
Just completed my first audit contest (Footium) at @sherlockdefi Submitted a grand total of 1 finding (Medium). Turns out it was a solo finding, looking forward to see the results after judging. If you're interested in seeing the finding, DM me and I'll send a link to it.
@0xjuaan
Juan
1 month
@thekmj_ I'm pretty sure I got it via Sherlock, they gave it to the top 100
@0xjuaan
Juan
6 months
@nisedo_ @WangSecurity_ I hadn't thought of this either, but man that seems like it should be the standard if you want to make sure you actually learn from other people's findings. Thanks for sharing this nisedo, will be implementing it.
@0xjuaan
Juan
7 days
@0xnirlin probably a black hat
@0xjuaan
Juan
1 year
@ayushtweetshere @_jacksmith ’s one is pretty cool
@0xjuaan
Juan
25 days
@ParthMandale @YQ996CO28254695 @cawfree The only hard one I've done is shapeshifter, and I've done everything from difficulty 1-3