100proof.org

@1_00_proof

Followers: 3,464
Following: 394
Media: 94
Statuses: 1,373

Interested in software correctness. Cryptocurrency security researcher

0.0.0.0
Joined July 2022
Pinned Tweet
@1_00_proof
100proof.org
1 year
Some more choice snippets from "The HACMS program"
1
3
13
@1_00_proof
100proof.org
1 year
Tomorrow, @KyberNetwork will be re-releasing their KyberSwap Elastic Pools. I'm finally able to reveal that I was the whitehat who found and disclosed a critical bug that put over $100M of LP funds at risk...
51
61
410
@1_00_proof
100proof.org
10 months
@0xdoug @banditx0x The bug I found was simpler and easier to engineer. That particular bug was fixed. I missed this one and it weighs heavily on me.
10
3
214
@1_00_proof
100proof.org
10 months
Thanks Doug. I've been grinding all day on this. I found the root cause after 8 hours and just minutes before you posted. But I have to hand it to the @KyberNetwork devs for getting there first. I knew they'd already found the root cause but decided to hold off on receiving
@0xdoug
Doug Colkitt
10 months
1/ Finished a preliminary deep dive into the Kyber exploit, and think I now have a pretty good understanding of what happened. This is easily the most complex and carefully engineered smart contract exploit I've ever seen...
120
747
3K
1
11
124
@1_00_proof
100proof.org
10 months
Uniswap V2 has been out for ages. It doesn't have any obvious flaws. Recently I dreamed up a fairly basic potential attack which I knew wasn't going to work. But I didn't know *why* it didn't work. So I did some algebra. I've just published that algebra here:
9
8
106
@1_00_proof
100proof.org
1 year
Prospective bounty hunters, you're gonna have to get used to getting no return on work that deserves it. I say this as if it doesn't hurt. It does. This year I successfully landed one bounty out of many attempts. That said, the ROI is worth it. Stay the path.
10
9
101
@1_00_proof
100proof.org
11 months
I always suspected that my motivation and productivity would improve once I had autonomy and something I truly wanted to work on. I struggled so long to find this, 15 years or more, that I was really starting to believe it was never going to happen. For nearly 18 months now
9
1
94
@1_00_proof
100proof.org
1 year
The PoC of the KyberSwap Elastic Pools vulnerability is now available: It contains the original exploit and a new test showing that the updated pools are no longer vulnerable. Thanks for waiting so long.
7
19
88
@1_00_proof
100proof.org
5 months
First audit competition in forever. Found a solid unique high which was nice. Number one goal is increasing coverage though.
5
0
83
@1_00_proof
100proof.org
17 days
@tradingMaxiSL What's the family salary? Can we please never write "this cost this much in 19xx" without also saying "the average take-home salary was $X per week"? It's just pointless. Money was worth more back then.
6
0
84
@1_00_proof
100proof.org
10 months
My Discord has exploded with people informing me of the KyberSwap exploit. I'm currently investigating.
3
0
79
@1_00_proof
100proof.org
1 year
I just want to give a shout-out to my colleague, mentor and friend @trust__90. Obviously, you've taught me a lot about auditing. But I really want to thank you for all the rock solid advice on how to navigate this wild frontier. 🤠🥃
5
3
78
@1_00_proof
100proof.org
1 year
@KyberNetwork ... but no longer! thanks to a fruitful collaboration between the KyberSwap team & me. Read the post-mortem for all the details:
5
9
76
@1_00_proof
100proof.org
1 year
One of the things I hate about writing blog posts is that they take so long to polish. Thus, I rarely write them. I'm going to start doing something that works with my temperament. I'm going to publish them as I continue to work on them. Would people be interested in this?
16
2
71
@1_00_proof
100proof.org
1 year
I just want to give a shout-out to my mentor and friend @trust__90. Naturally, I learned a lot about auditing from you, but your most invaluable advice has been on how to navigate the wild frontier of web3. Thank you. 🤠🥃
1
0
66
@1_00_proof
100proof.org
1 year
Here is an open letter to formal methods researchers, particularly cryptocurrency outliers, on the incredible opportunity that awaits those who finally want to prove the worth of formal methods.
3
16
66
@1_00_proof
100proof.org
1 month
Check out my profile on @immunefi #OnchainDefender Now to put up a decent profile pic and earn some more.
4
3
62
@1_00_proof
100proof.org
22 days
@cantinaxyz @Uniswap @UniswapFND That's going to be one hard codebase to find bugs in. To be completely transparent you should advertise the conditional nature of the pot. Either say: - "up to 2.35M" consistently, or - advertise the levels e.g. 2.35M/300K/50K (actual figures may vary).
5
2
64
@1_00_proof
100proof.org
9 months
A bonding curve makes the behaviour of an AMM completely predictable but this predictability has a key weakness. If an attacker finds an edge case in the bonding curve's behaviour they can trick the AMM into coughing up all of the LP's tokens. An order book style market is
3
4
61
@1_00_proof
100proof.org
1 year
Took me a while to get this, so I'll post it here. This calculates the CREATE2 address for a contract in Solidity. It's verbose and subtle. Hope it helps.
Tweet media one
4
6
59
@1_00_proof
100proof.org
1 year
@HackenProof Try after 40. I did it.
3
0
60
@1_00_proof
100proof.org
9 months
As much as I want to comment on current events, I'm shifting my focus to the future. Finding bugs is one thing but how do we _prevent_ bugs? I have thoughts, but no solid answers.
10
5
57
@1_00_proof
100proof.org
1 year
After helping @KyberNetwork secure their elastic pools, I felt confident that I could invest in their farms once they relaunched. Yesterday I made a small investment on Polygon in the MATIC-USDC pool for 903/825 tokens. It's only been one day but I made $3.84 in fees!
7
6
55
@1_00_proof
100proof.org
22 days
Thanks to my talented wife for this new avatar 🙇‍♂️
9
0
54
@1_00_proof
100proof.org
4 months
This whitehat's choice of handle is probably one of the greatest flexes of all time 💪 @immunefi gives you a free hoodie if you earn more than $100K. ("Free lollipop with every lambo purchased!") pls_send_hoodie has, at the time of writing, earned $1,084,000.
6
2
54
@1_00_proof
100proof.org
1 month
Web3sec. One of the least ageist fields I know.
@JDizzah
JDizzah
1 month
39 year olds calling 14 year olds “Ser” on crypto twitter
143
161
2K
4
1
52
@1_00_proof
100proof.org
1 year
Really appreciated this post by horsefacts (@eth_call). This is going to come in handy.
6
10
48
@1_00_proof
100proof.org
4 months
This isn't just theoretical. Kyber Elastic Pools had a fuzz test that, in principle, could have found their bug. It's just that the state space was too darned large.
@0xkarmacoma
karma
4 months
people with fuzzers have no respect for the scale of a uint256
7
5
96
1
0
48
@1_00_proof
100proof.org
9 months
@0xOwenThurm @CyfrinAudits Don't believe me? Try fuzzing this function which is obviously "wrong" for quite a few values (2**176 == 2**(256 - 80) to be precise). The fuzzer will have almost zero chance of finding it.
Tweet media one
5
5
45
@1_00_proof
100proof.org
8 months
If you've ever found a beautiful bug you'll instantly understand this mathematician's elation. He gets moved to tears at one point describing the moment he pulled together a proof he'd worked years on.
4
4
43
@1_00_proof
100proof.org
7 months
Just want to give a shout out to @BeanstalkFarms for publishing all the bounty submissions publicly. I wish every project did this. It also gives me a greater appreciation for how many sub-par reports projects must routinely deal with.
1
8
39
@1_00_proof
100proof.org
1 year
@ShieldifyAnon @jeffsecurity Is this satire? If you listen to people who have already made it, it doesn't take long to find people stating (in no uncertain terms) that burnout IS real and that taking time off is important. It's a marathon not a sprint.
4
0
39
@1_00_proof
100proof.org
1 year
Sometimes I wonder just how f$@ked crypto would be if someone found the private key for address(0). Here's the start to an, as yet unwritten, SciFi story: On 25 July 2024 the "impossible" happened: multiple transfers for multiple ERC20 tokens from address(0)...
15
3
38
@1_00_proof
100proof.org
10 months
A professional poker player recounts why he stopped playing. At least with bounty hunting it's a one way valve. You don't have to stake your previous winnings to play more.
6
5
34
@1_00_proof
100proof.org
1 year
Conal Elliott, a researcher from another field, has convinced me of something. If DeFi doesn't focus on simplicity of design then security becomes much, much harder. Past a certain level of complexity verifying its security becomes practically impossible. @conal
4
4
35
@1_00_proof
100proof.org
5 months
The forensic side of bounty hunting is one of my favourite parts of it, and it's something you don't get in competitions as much where everything is hypothetical. Investigating the blockchain to see how things are really used in practice tickles my inner detective.
1
0
34
@1_00_proof
100proof.org
4 months
Insights from this article probably apply to web3 security too
2
4
34
@1_00_proof
100proof.org
1 month
@MitchellAmador @immunefi Back in 2022, when Immunefi was still working out its methodologies, it had a bit of a mixed reputation. Two years later, I can safely say that it has really locked down its negotiating skills in favour of whitehats. My thanks. 🙏
1
2
32
@1_00_proof
100proof.org
11 months
You could be on the verge of vindication but it's gonna be painful until then. This was written by Nassim Taleb
3
3
32
@1_00_proof
100proof.org
8 months
Sound familiar?
2
0
30
@1_00_proof
100proof.org
9 months
Our collective praise of "chads", "gigabrains", and "math geniuses" is a sign of following the wrong incentives. Our programs should be as simple as possible and understandable by the most number of people that we can manage.
1
2
29
@1_00_proof
100proof.org
5 months
Does anyone out there run their own EVM RPC node so they don't have to pay for Alchemy/Infura/others? If so, any hints and tips on how to do it?
15
0
30
@1_00_proof
100proof.org
1 month
@intocryptoverse I've never understood why this kind of Financial Astrology is so popular.
3
0
29
@1_00_proof
100proof.org
1 year
Too funny not to repost
@RedTigerAuditor
RedTiger
1 year
When you believe you found a unique finding on @code4rena and then you see the results of the audit contest
1
5
60
3
0
28
@1_00_proof
100proof.org
1 year
There's a lot of work that @immunefi does behind the scenes for their whitehats. I'd just like to say a big thank you to you all and @adrianhetman and @0xMackenzieM in particular.
3
3
29
@1_00_proof
100proof.org
3 months
The top auditors will find a substantial portion of the findings by themselves. But they will also miss a not insignificant number. The competition model digs deep.
@zachobront
obront.eth
3 months
I've been given an incredible gift. I tried my absolute hardest on Blast. Exhausted every idea I could think of. And yet… there were 2 Highs and 15 Mediums I missed. You can't buy education this good.
11
5
236
0
1
28
@1_00_proof
100proof.org
1 year
It's always weird when you find a contract with significant TVL and yet the source code isn't published. Why would anyone put money into a smart contract that doesn't have its source code published? Isn't that a core tenet of DeFi?
5
2
27
@1_00_proof
100proof.org
1 year
Here's a free idea. Problem: interacting with software on phones is fundamentally annoying. There are so many key presses. Example: Taking a note with a note taking app involves more mental effort than pulling out a notebook and writing with a pen. 🧵
1
1
26
@1_00_proof
100proof.org
9 months
This is a genuinely useful reframing of the problem! Hardware people have known how hard it is to verify for years.
@alexroan
Alex Roan
9 months
Q: How can I write more secure Smart Contracts? A: By understanding this key principle: Smart Contracts are NOT SOFTWARE. Smart Contracts are HARDWARE. “Alex, WTF are you talking about?”… hear me out… For the past 20 years, writing software has meant iterating quickly:
65
219
849
2
1
27
@1_00_proof
100proof.org
11 months
We've got to do something about this. As @trust__90 says in the replies, the absurdity is that these firms will pay 6-figures for audits but then tighten their purse strings when the (harder to find) bugs are found later by independent researchers.
@trust__90
Trust
11 months
Just got paid $333 each for 3 separate mediums reported to the same project. They list "up to $5k" for med-severity. I check the from address of the bounty payment and see this 🤡
37
13
246
6
0
27
@1_00_proof
100proof.org
1 year
@DeGatchi I've felt that anxiety so many times but it isn't that real in the modern world. As long as you don't have a drug addiction or crippling mental health problems you're gonna be fine. You won't be broke for long. And sitting with the anxiety will make you tougher. Stay independent
6
0
27
@1_00_proof
100proof.org
10 months
This comment from Hacker News perfectly sums up what I can't stand about academia. When you have to fight that hard just to get a little "seed capital" then a) you've wasted a lot of time you could have been using to try out your ideas b) your research probably gets influenced
1
1
27
@1_00_proof
100proof.org
9 days
@rohanpaul_ai It's like someone from antiquity whistling up a genie to grant you an audience with 50 lords so you can be a serf for them. Think bigger.
0
1
27
@1_00_proof
100proof.org
22 days
Conditional pots should have an "up to" prefix.
@1_00_proof
100proof.org
22 days
@cantinaxyz @Uniswap @UniswapFND That's going to be one hard codebase to find bugs in. To be completely transparent you should advertise the conditional nature of the pot. Either say: - "up to 2.35M" consistently, or - advertise the levels e.g. 2.35M/300K/50K (actual figures may vary).
5
2
64
2
0
27
@1_00_proof
100proof.org
1 year
It sounds obvious, but when there's a bug in the compiler auditing the source code is useless. This highlights how important it is to verify things all the way down the stack. This is not an easy fix.
@CurveFinance
Curve Finance
1 year
A number of stablepools (alETH/msETH/pETH) using Vyper 0.2.15 have been exploited as a result of a malfunctioning reentrancy lock. We are assessing the situation and will update the community as things develop. Other pools are safe.
89
416
1K
0
1
26
@1_00_proof
100proof.org
1 year
Always nice to see someone take the time to *deeply* understand something you wrote. Nice work @ding99ya
@ding99ya
Yiao Ding
1 year
1. On May 23rd, @1_00_proof released a critical vulnerability in @KyberNetwork which impacts more than $100M funds. This raised my interests and I decided to do some research in CLMM and see if a similar one exists in Uniswap V3 and if so, how did uniswap handle it.
3
23
90
0
1
26
@1_00_proof
100proof.org
1 year
Found a podcast discussing some reasons why AI is not AGI and why we don't have too much to fear. I think it's worth a listen. Some of it might not make sense if you don't know @DavidDeutschOxf's other work but the episode is a good starting point.
3
6
26
@1_00_proof
100proof.org
2 years
Here's the (long overdue) post on why I'm becoming a white hat hacker
0
5
25
@1_00_proof
100proof.org
9 months
Security is hard. Not hard as in "geez, today's Wordle was hard". Hard as in "curing cancer is hard".
1
3
25
@1_00_proof
100proof.org
1 year
I just learned today that @CryptoTaxHQ is Australian made! This year my tax was very complicated. So complicated that I honestly thought it was going to take me a month or two, full-time, just to do it. But then someone recommended this product. I was absolutely amazed that
4
3
25
@1_00_proof
100proof.org
1 year
I wish people in crypto knew that good progress has already been made towards formally verifying code all the way down to assembly code. In light of the Vyper bug we should take note.
1
4
25
@1_00_proof
100proof.org
1 year
@bytes032 The real GOATs are the mathematicians and scientists who solve even harder problems for minimal monetary gain. I wish I had their temperament for I am too attracted to fungible tokens, fiat or otherwise.
3
0
25
@1_00_proof
100proof.org
1 month
Looking forward to the figure on this almost doubling in a couple of days.
4
0
24
@1_00_proof
100proof.org
10 months
@Austen I've noticed innumerate people do this a lot. They'll cancel out two things because _qualitatively_ they're at odds. But _quantitatively_ they don't at all. E.g. 70% higher living costs don't cancel out 200% higher wages.
0
0
22
@1_00_proof
100proof.org
1 year
🤣 @zachobront makes a joke about finding the private key for address(0) by reinstalling Metamask countless times and then bots swarm to tell him that "I had the same issue"
8
1
22
@1_00_proof
100proof.org
1 year
Kurt Gödel came up with one of the most profound results of the 20th century. But did you know the way he did it would be recognisable as an Epic Hack by almost any security researcher, if they were taught a little syntax/terminology. Who would read a blog post about this?
6
0
23
@1_00_proof
100proof.org
2 months
@AliX__40 @cmichelio once suggested this as a general technique to me, and not just for maths. I think it's great advice.
2
0
22
@1_00_proof
100proof.org
1 year
"Comment 1" from Taleb's anti-cryptocurrency paper is pretty compelling. Any good counter arguments?
13
3
21
@1_00_proof
100proof.org
10 months
@banditx0x @0xdoug Once you've caused the "liquidity" variable not to be updated correctly all bets are off. Sure, it's the same class of bug, but getting to the "starting point" was much more complicated. I missed it. Follow-on audits missed it. The Sherlock competition missed it. It still
0
0
22
@1_00_proof
100proof.org
2 months
Just used @flexybridge for the first time. It works as advertised. Wow. That was *super* convenient.
3
1
22
@1_00_proof
100proof.org
22 days
@cantinaxyz @Uniswap @UniswapFND And to be completely fair that goes for all the platforms: @cantinaxyz, @code4rena, @CodeHawks, @immunefi, @sherlockdefi An "up to" prefix is the bare minimum.
0
0
22
@1_00_proof
100proof.org
9 months
@CyfrinAudits I've recently discovered that if the edge cases are rare enough e.g. more than 1 in 100,000,000, you just ain't gonna catch it with fuzz testing. That doesn't take away from how awesome fuzz testing is, but it's something to keep in mind.
1
1
22
@1_00_proof
100proof.org
6 months
@shunduquar congrats on getting your bug disclosure in the OpenZeppelin Top 10 Blockchain Hacking Techniques!
3
0
22
@1_00_proof
100proof.org
1 year
I wanna follow this project but I don't want to ruin the follower count 😜
2
0
21
@1_00_proof
100proof.org
1 year
@bytes032 The number one piece of alpha is "just start".
2
2
21
@1_00_proof
100proof.org
1 year
Maybe I'm just old but just doesn't *grip* me as something I want to try. It doesn't mirror anything that I'm familiar with. Commoditising relationships seems like something that has been tried since the dawn of time and never works. I guess we'll see.
3
1
19
@1_00_proof
100proof.org
9 months
@bytes032 But it was the principle of the thing. You'll find this funny. I was once playing around with an ethical framework where we assume that the many universe's interpretation of quantum mechanics is real. Under this framework, it becomes unethical to do too many risky things because
3
0
19
@1_00_proof
100proof.org
3 months
Probably applies to competitive auditing
@DylanJardon
Dylan Jardon 🌈
3 months
"Perfection is impossible. In the 1,526 singles matches I played in my career, I won almost 80% of those matches. But what percentage of points did I win? 54% In other words, even top ranked tennis players win barely more than half the points they play. When you lose ever
448
13K
91K
2
0
20
@1_00_proof
100proof.org
9 months
Here's a suggestion that might align incentives and provide some "skin in the game" for bounty hunters to continue their involvement with a project. While I agree that bounty hunting is providing a one-time service to a project (and does not imply an on-going commitment), what
3
1
20
@1_00_proof
100proof.org
22 days
Tweet media one
2
0
20
@1_00_proof
100proof.org
9 months
My researcher friend goes further. The maths you base your programs on must also be simple. If a vanishingly small portion of the populace can't even understand that, how could it ever be deemed secure?
@bytes032
@bytes032.xyz
9 months
they don't want you to know this but the key to safe smart contract development is actually to make your contracts as dumb as possible
34
30
220
0
0
19
@1_00_proof
100proof.org
9 months
Posting on X is a little like being a comedian testing their new jokes on the open mike circuit in their home town.
1
0
18
@1_00_proof
100proof.org
1 year
I've always been skeptical that code can ever be bug free... ...but somehow nature's laws seem to be. They're also remarkably simple.
4
0
17
@1_00_proof
100proof.org
5 months
A transparent security culture is the aspiration. But it's not as simple as "security through obscurity = bad". It's normal for security reports/post-mortems to remain private for a period of time following a responsible disclosure. However, I now believe more should be done.
3
1
18
@1_00_proof
100proof.org
11 months
Great summary. I think Anton Ego from Ratatouille got it right. "Not everyone can become a great auditor. But a great auditor can come from anywhere." - Anton Ego (if he was talking about auditors and not cooks)
@Smacaud1
Smacaud
11 months
Celebrity Auditors: So i made $100K this month from Auditing alone. Junior Auditors: Wow, freaking cool (smashing likes and repost button, asking in comment section and DM with "how can i get started? "can you share resources" "Please help") Celebrity Auditors: (shares
8
9
116
1
0
17
@1_00_proof
100proof.org
1 month
@andyfeili I actually got a tear in my eye reading this. That first year of parenting is hard. It's hard for all the obvious reasons like lack of sleep, loss of free time, less time with your partner as just a pair. But it's also difficult because it strips away any pretensions you had of
1
0
17
@1_00_proof
100proof.org
2 months
@dschorno 100% agree with this. This is why I like mocktails that are either bitter or sour.
0
0
17
@1_00_proof
100proof.org
3 months
Bookmark this.
@adrianhetman
Adrian ⛩️ Hetman 🐺⚔️
3 months
@thisvishalsingh Love the questions! Thanks for asking these🤙 1. It depends on how much time you have as I don’t think it’s the matter of skill. Boosts are great as they motivate you to be quicker on your judgements, they demand from you to test and verify your assumptions in form of a PoC and
2
3
20
0
0
16
@1_00_proof
100proof.org
1 year
Subtle arithmetic errors are hard to find... but when you do they almost always lead to things breaking in BIG ways. Read @zachobront's page turning story about one he found in PRBMath's pow() function
@zachobront
obront.eth
1 year
After sharing this report, a few people reached out asking how we possibly found H-03 (“PRBMath pow() function can return inconsistent values”). There are some interesting lessons in how this was discovered, so thought it'd be fun to share the story.
6
18
136
0
2
16
@1_00_proof
100proof.org
1 year
This is cleaner than some codebases I've seen though...
@Rainmaker1973
Massimo
1 year
What if you were the sysadmin in charge of this rack?
3K
2K
21K
1
0
16
@1_00_proof
100proof.org
1 year
@sentient_x People might not realise why I format the numbers that way. Yes, it makes them easy to read but it also allows me to copy and paste them into Chisel and have them recognised as valid integer literals. That's why I don't put in commas and a period before the decimals.
1
0
16
@1_00_proof
100proof.org
8 months
Crazy thought. Don't take too seriously. Just food for thought. What if LPs signed up to the "risk" of paying out bounties to whitehats that protected their money? A problem that many liquidity-based protocols face is that they're only making fees off their protocols which
7
1
15
@1_00_proof
100proof.org
11 months
It's not like every day has been pure joy either. There's a lot of frustration in this job, but it's the good kind. But dread is gone. I'll take that.
0
0
16
@1_00_proof
100proof.org
1 year
@HollaWaldfee100 This sounds eerily similar. If I've got a reason to read a report it'll help but randomly reading them is kind of boring and I don't know if it sticks.
1
0
15
@1_00_proof
100proof.org
1 year
@BirnbaumPaulPro @KyberNetwork It wasn't actually. But @KyberNetwork are a fine bunch of fair minded people that reward good work.
1
0
15
@1_00_proof
100proof.org
10 months
LOL. This is what I feel like.
@nikitabier
Nikita Bier
10 months
For every founder that successfully exits, the most common feeling afterwards is that it was pure luck and that this will be the most amount of money they’ll ever make from a product they start from scratch. So they fall back on their newfound credibility in their industry to do
144
200
3K
5
0
15