Martin Marchev
@MartinMarchev
Followers
1,733
Following
784
Media
147
Statuses
1,663
Explore trending content on Musk Viewer
Kroos
• 498350 Tweets
España
• 476278 Tweets
Project 2025
• 427271 Tweets
Portugal
• 368184 Tweets
Spain
• 349984 Tweets
Ronaldo
• 299943 Tweets
Mbappe
• 266279 Tweets
Alemania
• 198619 Tweets
Yamal
• 187099 Tweets
Pedri
• 165340 Tweets
Lamine
• 164634 Tweets
Wisconsin
• 134158 Tweets
#ESPGER
• 110639 Tweets
Carvajal
• 95357 Tweets
Almanya
• 89604 Tweets
المانيا
• 87530 Tweets
Havertz
• 80922 Tweets
Morata
• 75349 Tweets
Wirtz
• 69069 Tweets
Cucurella
• 68885 Tweets
#PORFRA
• 66117 Tweets
Dani Olmo
• 50910 Tweets
スペイン
• 45511 Tweets
Anthony Taylor
• 43389 Tweets
França
• 42919 Tweets
#FRAPOR
• 36146 Tweets
De la Fuente
• 35602 Tweets
Mikel Merino
• 29987 Tweets
Thuram
• 29739 Tweets
Leao
• 29627 Tweets
Kolo Muani
• 29332 Tweets
#البرتغال_فرنسا
• 28085 Tweets
#Eurocopa2024
• 27033 Tweets
كروس
• 25104 Tweets
Camavinga
• 19818 Tweets
クロース
• 18682 Tweets
Kante
• 16745 Tweets
Fullkrug
• 16740 Tweets
Deschamps
• 16349 Tweets
Dembele
• 15647 Tweets
Oyarzabal
• 14834 Tweets
Barcola
• 14449 Tweets
ポルトガル
• 14300 Tweets
Vitinha
• 13876 Tweets
Imade
• 10253 Tweets
Pinned Tweet
Happy to share my biggest achievement so far – my first contest win!
The contest was tough. Rock-solid codebase and 3 previous audits (1 internal, 2 external). Yet I managed to find a couple of issues.
Big thanks to
@immunefi
for the opportunity!
This is just the beginning.
The $30k
@immunefi
Arbitration Boost is finished and results have been posted!
Congrats to
@MartinMarchev
for seizing first place!
🥇
@MartinMarchev
: $13,730
🥈
@0xSCSamurai
: $7,500
🥉 seinsidler: $1,269
More results below!
👇
3
2
34
7
3
71
Found a high severity vulnerability on Immunefi.
Protocol fixed fast but tried to shortchange by paying only 20% of the award.
Escalated to Immunefi.
Meanwhile found a crit in the same protocol.
Radio silence.
Protocol gets removed from Immunefi.
Happened to no one ever 🥲
27
5
165
Luckily the whole situation ended in a remarkable turnaround.
Today I got my award paid in full.
Mad props to the
@immunefi
team for their top notch mediation 🫡
Kudos to the protocol as well for doing what's right.
I'm very happy as this is my first payout on Immunefi!
Found a high severity vulnerability on Immunefi.
Protocol fixed fast but tried to shortchange by paying only 20% of the award.
Escalated to Immunefi.
Meanwhile found a crit in the same protocol.
Radio silence.
Protocol gets removed from Immunefi.
Happened to no one ever 🥲
27
5
165
22
11
144
Do you know what a "returnbomb" attack is?
In this thread I will explain the mechanics and implications of this lesser-known attack vector and how to mitigate it.
Let's dive into it 🤿👇
9
28
132
My first award from an audit contest 😊
It ain't much but it's such a motivation!
Wasn't even expecting anything given how rock-solid the ENS codebase was 🫡
35
3
125
The type of status updates I love seeing on Immunefi 🥰
9
3
108
I've recently discovered Foundry's forge inspect.
It's a handy tool that allows you to get useful info about a given smart contract.
E.g. forge inspect Contract storage renders the storage layout of the contract.
You can also inspect its bytecode, assembly, methods etc.
6
11
100
My tips for those new to web3 security:
- Learn the fundamentals but don't overstudy;
- Start contests as early as possible;
- Get used to writing PoCs;
- Be selective of the reports you read;
- Study real-life exploits and hacks;
- Learn in public;
2
9
93
I have just submitted my first report to
@immunefi
.
I hope my finding will bring some real value to the affected protocol.
Keep your fingers crossed for a positive outcome, guys!
8
0
83
Participated in
@RareSkills_io
's last web3 security CTF contest!
Despite falling short of a top spot, I've learnt some invaluable lessons 🦾
The CTF goal: drain all funds of the following smart contract n the most gas efficient way.
(1/7)
3
8
84
We managed to secure 2nd place at the PartyDAO contest! Really happy with our result!
I'm so proud of my teammates
@MarinaPironeva
and
@dethSCA
. Such a great teamwork, fellas!
This has been such an invaluable experience.
Thanks for the opportunity,
@code4rena
&
@prtyDAO
🫡
23
2
82
I love Immunefi for its role in securing the web3 space, but some recent experiences have highlighted some critical areas that need improvement.
I recently lost a $100K bounty due to a grey area in Immunefi's Common Vulnerability Exclusion List policy. To put it mildly, it was a
13
2
82
Hunt bugs in the wild at 3:00 am
Find a high on-chain in a 300M+ TVL protocol
Get mad adrenaline rush
Start prepping the report
Check the protocol repo on GitHub
Find out the team committed a fix 2 days ago
Be dead inside 💀
#TrueStory
5
0
77
Another day, another CTF writeup! 📚
Excited to share my journey through Damn Vulnerable DeFi challenge
#2
: Naive Receiver.
Let's dive deep and explore intricate mechanics of draining ether from an unsuspecting ERC-3156 flash loan receiver.
Ready to embark? Let's go! 🚀
(1/8)
1
9
55
Recently discovered Vulcan's println() - so much better than Foundry's console.log()!
Supports Rust-style string templates with unlimited args, which is a huge win for complex debugging.
It also features formatting numbers as decimals. So no more squinting at zeros! 🧐
🔗👇
5
7
64
Solidity tip: use abi.encodeCall instead of abi.encodeWithSelector
As of version 0.8.11, abi.encodeCall should be your go-to choice for ABI-encoding data.
Why? Because it adds type safety, reducing errors and thus boosting your smart contract security.
3
8
60
DeFiHackLabs Academy is such a great resource on web3 security.
It simply provides so much alpha 🔥
3
8
54
Writing smart contract tests with Hardhat is abomination.
19
3
53
With Foundry, you can also access the full storage layout of a deployed contract!
Just use:
cast storage <contractAddress>
It displays a table similar to 'forge inspect' along with the storage values.
You just need to set the ETHERSCAN_API_KEY environment variable first.
I've recently discovered Foundry's forge inspect.
It's a handy tool that allows you to get useful info about a given smart contract.
E.g. forge inspect Contract storage renders the storage layout of the contract.
You can also inspect its bytecode, assembly, methods etc.
6
11
100
3
3
55
I've just won my first award from
@code4rena
's bot races 🏁
While the performance is far from stellar, I am really happy and motivated since this is only the beginning 💪
4
2
55
Need a quick refresher on read-only reentrancy? 🧐
Explore with me a real-world example of this attack vector found in Curve's steth pool.
🧵👇
5
10
53
We landed 6th place in the Ethereum Credit Guild contest. Super pleased with our result!
Big shoutout to my teammate
@0x3b338
who found the majority of the issues for the team 💪
Thanks to
@code4rena
and
@CreditGuild
for the opportunity! 🫡
9
0
52
Woke up at 4:30am today to wrap up my last Allo contest submissions at
@sherlockdefi
.
I have a family, a newborn, a dog, and a full-time job as a senior engineering manager at a fintech company.
When it's important, you MAKE time!
Embrace your challenges and keep pushing 💪
4
1
51
TIL that OZ's ERC20 implementation allows you to make a 0 value transferFrom() on behalf of any address without explicit approval 🤯
That's the epitome of address poisoning!
Alas, this issue cannot be fixed as it risks breaking many protocols.
Some thoughts on the topic 👇🧵
5
3
52
Love it! Thank you,
@immunefi
🔥
Check out
@MartinMarchev
's CUSTOM PFP for taking 1st place in the
@immunefi
Arbitration Boost.
Well done, ser!
7
3
71
5
1
50
Sometimes you need to interact with an external contract deployed on-chain when writing a PoC in a forked environment.
You can use cast to generate an interface for you instead of coding it by hand:
cast interface address
1
7
47
Signing structured data in a PoC is easy!
Use Foundry's makeAddrAndKey() to generate an address and its corresponding private key.
OpenZeppelin's ECDSA.toTypedDataHash() will hash the typed data for you.
Then use vm.sign() to create the EIP712 signature.
That's it!
3
4
47
The
@MaiaDAOEco
contest at C4 is over.
This was my second contest ever. It was a tough one and definitely a brain-bender for me!
Unfortunately, I was not able to find any vulnerabilities. Not discouraged at all. Lack of success is part of the journey.
What did I gain?
Got to
5
0
46
Yet another CTF write-up.
In this thread I'd walk you through the process of solving challenge
#4
from Damn Vulnerable DeFi - Side Entrance.
Let's dive into it 🤿👇
(1/8)
4
5
47
Bug bounty tip: if a project has listed both their GitHub repo and their on-chain contracts as part of their bug bounty program, always check that these two match.
Thank me later.
2
3
43
Ever heard of ERC-7512?
It's a draft proposal to introduce standardized on-chain audit reports.
Curious to learn more about it?
🧵👇
4
11
44
Damn, ENS is solid.
Lots of researchers would be starving this month.
11
0
42
Got a modest reward from the Uniswap contest at C4.
After an interesting turn of events, the contest ended without any HMs.
This resulted in the pot being distributed across Low/QA issues and some wardens making pretty solid payouts off L/QAs 🔥🔥🔥
It was a pleasure 🫡
6
0
41
Wrapped up the ENS contest at C4.
Unfortunately, didn’t manage to find any vulnerabilities.
Nevertheless, decided it’s a good opportunity to submit my first analysis report at C4.
When life gives you 🍋, make lemonade.
4
1
39
When writing a PoC in Foundry, you can use vm.storе() and vm.rеad() whenever you need to read or write a private state variable of an already deployed contract.
1
2
38
Every time a solidity dev writes a for loop like that, a kitten dies.
If you don't know, now you know.
4
1
36
Curious how duplicates affect the score of your issue at
@code4rena
contests?
I've created a Desmos graph to help you visualize the impact of dups:
🔗👇
4
0
38
Hands down the best explanation of how Curve's VotingEscrow works
🧵Understanding Voting Escrows
Voting Escrows are probably one of my favourite contracts and oddly enough there's almost always multiple issues within them.
What exactly are they? To put it simply - users lock some of their funds for a period of time. They in return receive a
12
31
238
0
2
36
I've recently discovered a potential critical vulnerability via a sandwich attack at Immunefi.
It turned out the attack wouldn't be profitable for the attacker in any case.
is a great tool that lets you calculate the profitability of sandwich attacks.
Sandwich attacks aren't as simple as they seem.
It's not always a win for the attacker. The success depends on different factors like traded amount, fees and slippage protection.
Check out
@cmichelio
's article that clarifies the complex yet often oversimplified mechanics 👇🔗
1
0
21
2
4
35
Just stumbled upon
@milotruck
's audit methodology, and it's an absolute gem! 💎
Check it out here:
1
4
35
Delving into the EVM feels like a bottomless rabbit hole, with endless layers to explore. Always something new around every corner.
Here's a great list of EVM learning resources that got you covered:
0
7
33
PoC writing tip: signatures as byte arrays use r, s, v order, not v, r, s like vm.sign() & ecrecover().
This may be confusing, but it aligns with ECDSA's r, s math.
v comes last as it's extra data, ensuring correct r, s interpretation when the signature is sent as bytes.
2
2
30
@bytes032
"Discipline is doing what you hate to do, but nonetheless doing it like you love it."
— Mike Tyson
1
0
33
Here is a proven method to learn from experience:
Feel the pain of not reporting a valid issue because you thought it was of low severity 🥲
8
0
31
Avoid measuring yourself against other security researchers, as it's a sure path to disappointment.
Remember everyone's journey is unique, with their own backgrounds, strengths, and weaknesses.
Bet on your strengths and aim to be just a little better than you were yesterday.
5
0
31
When reviewing DeFi protocols claiming to support all ERC20 tokens, it's important to dig deeper.
Using SafeERC20 simply does not cut it!
Here's a non-exhaustive list of questions that you, as a security researcher should be asking, when reviewing such protocols 👇
1
8
29
Achievement Unlocked 🎉
I was really looking forward to this one!
The opportunity to start learning immediately after the contest is over is pure gold!
Thank you
@code4rena
🫡
5
0
28
Maybe I am missing the point here, but ERC1155 seems a bit unwieldy to me. Let me explain why.
Imagine owning an ERC1155 token. Its fungibility doesn't matter. My token has this funky ID:
29893339427188950692346721405892029443088172875108616825357223485919315451455
Now, I lose
7
2
27
The Immunefi team have done an amazing job with the mediation.
Not much they could do when a protocol goes rogue though.
3
0
27
You participate in the
@MorphoLabs
contest at
@cantinaxyz
and struggle to build the project locally?
Run the following command:
git init &&
git submodule add lib/forge-std &&
git submodule init &&
git submodule update &&
forge install &&
forge test -vvv
1
3
26
Got a modest reward from the
@ZivoeProtocol
contest at
@sherlockdefi
.
I managed to find 3H and 2M.
Not my best performance for sure but definitely a valuable experience.
Thanks for the opportunity
@ZivoeProtocol
and
@sherlockdefi
🫡
@cergyk1337
@0xSimao
@BiasedMerc
@IronsideSec
@armormadeofwoe
@drynooo
@WhyBhumii
@DzordanTa1567
@MarsWhiteHacker
@int0x1catedCode
@amarfares_
@0xDenzi_
@daniel_arms90
@0xTendency
@KupiaSecurity
@dimulskiatanas
@SUPERMAN_I4G
@0xWeb3boy
@saidamdev
@Audinarey
@flack00n
🏆
@ZivoeFinance
Audit Contest Results 🏆
38. Tricko - $309.72
39.
@0xsl01
- $191.77
40.
@MartinMarchev
- $189.89
41.
@bauchibred
- $141.62
41.
@ZanyBonzy
- $141.62
41. thank_you - $141.62
41.
@brandon_shi
- $141.62
1
0
2
1
0
27
Here’s a tip on how to improve your auditing skills:
Start bodyweight training.
2
0
27
I had a bit of a hard time to grasp the various aspects of lending protocols when I began my web3 sec journey.
As a matter of fact I still find some of the concepts confusing form time to time.
The following blog post series on lending protocols helped me a lot:
🔗🧵👇
3
5
27
Just wrapped up the submissions for the
@WildcatFi
contest at C4.
My fourth contest so far.
Teamed up with
@flack00n
on this one. Definitely a great experience bouncing ideas off a fellow auditor.
Excited for the results, and hopefully a step closer to the backstage role! 😁
5
0
25
Thrilled to share that my bot has aced the
@code4rena
qualifications! 🤖
Super stoked about this achievement.
Can't wait to participate in my first bot race!
3
0
26
Sushiswap's algorithm for staking rewards distribution is well-regarded for its gas efficiency and smart design.
Variations of it have been used by many different DeFi protocols.
To understand its mechanics, I'd recommend this great article:
3
11
26
5am is my best time for auditing.
No distractions, just pure focus.
3
0
23
Great compilation of
@immunefi
bug bounty writeups 🔥
Thanks for putting it together,
@sayan_011
🫡
2
0
22
Trust me, I've taken a byte out of the Truster! 🧐
Ready for the third Damn Vulnerable DeFi challenge?
Buckle up, fellow hackers. We'll dive into the next CTF write-up and tackle the thrilling Truster challenge.
LFG 🚀
(1/10)
3
3
23
This is a very good introductory read if you’re trying to wrap your head around Uniswap v3 math:
1
2
22
Learning in public is such a powerful concept.
At first it felt a bit awkward.
It even felt like it exposed a unique aspect of being vulnerable as all of my mistakes become visible and magnified.
But let me tell you why over time it became a game-changer for me 👇🧵
3
0
21
Funnily enough my best leads for findings come when I'm not at the computer while doing something totally unrelated to auditing.
1
0
22
If that's what a bear market looks like then bring some more bears! 🐻❄️
3
0
21
.
@0xSCSamurai
is the epitome of grinding hard and crushing it against all odds
A truly inspiring and moving story 🔥
#WhitehatSuccess
Meet
@0xSCSamurai
, a whitehat who rose from losing his home to becoming a top contender in several bug bounty boosts. This man literally bug hunts while living in a tent. His journey is a nail-biting tale of risk, adversity, and one hell of a comeback story.
11
18
144
0
5
21
Trying to fix your broken PoC only to realize you’ve uncovered yet another vulnerability is the ultimate adrenaline rush.
0
0
21
Sandwich attacks aren't as simple as they seem.
It's not always a win for the attacker. The success depends on different factors like traded amount, fees and slippage protection.
Check out
@cmichelio
's article that clarifies the complex yet often oversimplified mechanics 👇🔗
1
0
21
The slope-intercept form of a linear function is commonly used in DeFi protocols.
It is used to calculate decaying voting power, IRMs, etc.
If you need a good explanation of it, check out this great lesson at Khan Academy:
🔗👇
1
1
21
Is mutation testing part of your toolkit during audits, anon? 🧬
If not, it should be! 🧐
Dive with me into this thread to understand why it's such a powerful method that can yield valuable leads for vulnerabilities 🤿🧵👇
(Re-post because of accidental tweet removal 🤯)
Mutation testing is a method that helps identify "blind spots" in unit tests.
It works by creating multiple "mutants" of the source code by deliberately introducing bugs into them.
Then tests are run against the mutants to check if they will catch the bugs.
1
0
8
0
3
19
Happy with our results in the Wildcat contest!
@flack00n
and I discovered 2H, 1M, plus some L/QA issues. Loved the team work!
This was my fourth contest. Went all in, really enjoyed it and gained tons of knowledge 💪
Thank you
@code4rena
&
@WildcatFi
for this opportunity! 🫡
3
0
20
We've all seen private audit reports with heavily inflated severities.
@HalbornSecurity
's BVSS reduces subjectivity in severity assessment to large extent.
Web3 security definitely needs a standardized scoring system like traditional cybersecurity's CVSS.
What do you think?
2
0
19
I love grinding early in the morning.
There is something magical about it.
The quiet and peace make it so easy to slip into the zone. There's nothing quite like it.
2
1
18
Solidity readability tip
#1
:
Use _ to make long numeric literals easier on your 🧠
It costs nothing.
1
1
18
If you’re just starting out, read this👇
I wish someone had told me this back when I was starting:
❗️ Good auditors work 5x, if not 10x, harder than you
❗️ You can be either good at Twitter or good at auditing
❗️ It takes more time than you expect
❗️ Learn as much as you can from each audit
❗️ Posting proof of
3
15
166
0
0
17
TIL Hardhat uses automine mode by default which mines a new block on every state-changing function call.
I admit that it took me awhile to figure out why the timestamps in my PoC were off 🫨
2
1
17
Cracking up at a
@MaiaDAOEco
comment in the
@code4rena
competition 🤣
Cheers to andreas for his witty sense of humour!
3
0
15
Such a gem 💎
It’s a fantastic chance to look into the thought process of one of the top dogs in this space.
It would be awesome if other big names did the same.
Who else’s auditing notes are you curious to see? 👀
Been busy these last few months but finally got some time to share my audit notes!
Includes notes from the WAGMI
#2
@sherlockdefi
contest. I was LSW for this one.
Shoutout to M-8 (
#122
) which I found but didn't submit because I thought it was low🙃
7
24
180
0
0
14
Wanna search on-chain for all function calls of a particular contract, e.g. USDC
#mint
()?
Bloxy is a handy tool which allows you to do that easily.
🔗 Link below 👇
1
1
15
Keep an eye on this guy 👀
Stats from my first 4 months of active auditing.
- 9 High severity issues found
- 19 Medium severity issues found
- ~10, 000$ in rewards from contests
All of this with a full time dev job.
I still have a lot to learn and I'm extremely grateful to everyone that has helped me.
19
14
206
0
0
15
💡 Quick auditing tip
The Split Editor feature in VSCode comes in handy when you want to peek at a function's declaration or implementation while you maintain the current context.
By default it splits the editor vertically.
To split horizontally, hold the ⌥ key on a Mac.
3
1
15
.
@_sammytm
is a beast in the making 🔥
Mark my words!
Here’s how I went from almost 0 blockchain knowledge to achieving ranks 2 and 5 in auditing contests within just one month ⬇️
Day 0 - 3 : Learnt as much as possible about blockchain technology and security auditing. This included watching youtube videos, listening to podcasts
15
16
152
3
1
15