sammy

@_sammytm

Followers
854
Following
217
Media
8
Statuses
196

Web3 Security Researcher | 1 x🥇| 1 x 🥈

Portfolio →
Joined January 2024
Pinned Tweet
@_sammytm
sammy
28 days
I'm thrilled to announce that I'm embarking on a new adventure as a full-time independent researcher in Web3 security, starting today! I just wrapped up my final semester of university, which was a 5-month Web2 internship. However, I discovered the fascinating world of Web3 sec
45
6
215
@_sammytm
sammy
2 months
March was my first month in web3 security. Made ~$3700 🧵Here’s a summary of contest results : 1) @PoolTogether_ (C4) ~ 1H ~ $1.47 This was my first audit ever, and I had no idea what qualified as a bug. This led to me submitting only one high-severity issue. Despite a small
18
13
168
@_sammytm
sammy
1 month
Here’s how I went from almost 0 blockchain knowledge to achieving ranks 2 and 5 in auditing contests within just one month ⬇️ Day 0 - 3 : Learnt as much as possible about blockchain technology and security auditing. This included watching youtube videos, listening to podcasts
15
16
152
@_sammytm
sammy
2 months
Solidity may appear simpler than other languages such as C++ or Java on the surface. However, to identify the high-value bugs, one must delve into the challenging 5% of the language, which includes: 1. Opcodes and bytecode 2. Calldata encoding 3. Upgradability patterns 4. Gas
3
20
141
@_sammytm
sammy
1 month
A quick way to kick off your Web3 SR career : 1) Learn Solidity to your best efforts 2) Learn Foundry or Hardhat 3) Practice your skills on chain by doing Ethernaut Optional : Damn Vulnerable Defi CTF
4
14
117
@_sammytm
sammy
24 days
Right now is the best time to be in Web3 Security - Multiple contests running in parallel - Security demand on an upward trend - Shortage of talented researchers in niches like ZK, Solana, etc This is the best time to level up your skills and cash in on the bull 📈
6
11
110
@_sammytm
sammy
23 days
CryptoZombies is still arguably one of the best resources out there to get started with Solidity, even though it may be slightly outdated now. Being stuck in tutorial hell without writing a single line of code won’t get you anywhere.
7
11
109
@_sammytm
sammy
2 months
Another sweet reward from @Panoptic_xyz on @code4rena ! This was my first big codebase (around 5k sloc), and it was quite challenging to comprehend.
14
2
84
@_sammytm
sammy
17 days
I made some incredibly stupid mistakes that led to a potential 5-digit payout turning into a 3-digit one. Guys, make sure you properly detail the impact of the bug you found. This could make the difference between a High and a Low finding. Nevertheless, learnt a lot from this
10
1
76
@_sammytm
sammy
16 days
Immunefi has paid out $100M+ whitehats Meanwhile hacks in the same period of time have resulted in billions of dollars in lost funds Good security really is a bargain.
2
9
75
@_sammytm
sammy
25 days
Developers, be careful while using the `create` opcode in your smart contract if you plan on deploying your protocol on the zkSync chain. Here's why 🧵:
1
6
74
@_sammytm
sammy
1 month
The contest results for my second month in Web3 (April) are out, and as before, I will be breaking them down in this thread. Made ~ $1200 If you've read my previous thread for March, you'll notice that my rewards were much lower this month. This can largely be attributed to two
9
5
63
@_sammytm
sammy
1 month
Make sure you add slippage checks when using Uniswap V3’s `slot0` `sqrtPriceX96` in your smart contract. The `sqrtPriceX96` represents the most recent price. This can easily be exploited by MEV bots and attackers through sandwich attacks. For auditors : Bookmark this tweet, you
2
4
50
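The slippage check the tweet above asks for, as an added Solidity example that is not the author's code: a hypothetical `PriceConsumer` contract with the unguarded `slot0` read beside a hardened version that requires a caller-supplied minimum and bounds the spot tick against a TWAP from `observe`. It assumes the two-function interface subset matches Uniswap v3-core and that OpenZeppelin's `Math.mulDiv` is available.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed dependency: OpenZeppelin's Math.mulDiv for 512-bit intermediate precision.
import {Math} from "@openzeppelin/contracts/utils/math/Math.sol";

// Minimal subset of the Uniswap V3 pool interface (two functions from v3-core).
interface IUniswapV3Pool {
    function slot0() external view returns (
        uint160 sqrtPriceX96, int24 tick, uint16 observationIndex,
        uint16 observationCardinality, uint16 observationCardinalityNext,
        uint8 feeProtocol, bool unlocked);
    function observe(uint32[] calldata secondsAgos) external view returns (
        int56[] memory tickCumulatives, uint160[] memory secondsPerLiquidityCumulativeX128s);
}

// Hypothetical contract that values a token0 amount in token1 using the pool's price.
contract PriceConsumer {
    IUniswapV3Pool public immutable pool;

    constructor(IUniswapV3Pool _pool) { pool = _pool; }

    // Converts amount0 to token1 at sqrtPriceX96, mirroring Uniswap's getQuoteAtTick branching.
    function _quote(uint160 sqrtPriceX96, uint256 amount0) internal pure returns (uint256) {
        if (sqrtPriceX96 <= type(uint128).max) {
            uint256 ratioX192 = uint256(sqrtPriceX96) * sqrtPriceX96;
            return Math.mulDiv(amount0, ratioX192, 1 << 192);
        }
        uint256 ratioX128 = Math.mulDiv(sqrtPriceX96, sqrtPriceX96, 1 << 64);
        return Math.mulDiv(amount0, ratioX128, 1 << 128);
    }

    // VULNERABLE: slot0 is the price after the most recent swap, so a sandwich
    // can push it before this call and pull it back afterwards, in the same block.
    function valueSpot(uint256 amount0) external view returns (uint256) {
        (uint160 sqrtPriceX96,,,,,,) = pool.slot0();
        return _quote(sqrtPriceX96, amount0);
    }

    // HARDENED: caller-supplied minimum (slippage check) plus a bound on how far
    // the spot tick may sit from the TWAP tick over `twapWindow` seconds.
    function valueGuarded(uint256 amount0, uint256 minValue1, uint32 twapWindow, uint24 maxTickDeviation)
        external view returns (uint256 value1)
    {
        require(twapWindow > 0, "window");
        (uint160 sqrtPriceX96, int24 spotTick,,,,,) = pool.slot0();
        uint32[] memory secondsAgos = new uint32[](2);
        secondsAgos[0] = twapWindow; // start of window
        secondsAgos[1] = 0;          // now
        (int56[] memory tickCumulatives,) = pool.observe(secondsAgos);
        int56 delta = tickCumulatives[1] - tickCumulatives[0];
        int24 twapTick = int24(delta / int56(uint56(twapWindow)));
        // Round toward negative infinity, as Uniswap's OracleLibrary does.
        if (delta < 0 && (delta % int56(uint56(twapWindow)) != 0)) twapTick--;
        int24 deviation = spotTick >= twapTick ? spotTick - twapTick : twapTick - spotTick;
        require(uint24(deviation) <= maxTickDeviation, "spot price deviates from TWAP");
        value1 = _quote(sqrtPriceX96, amount0);
        require(value1 >= minValue1, "slippage");
    }
}
```

The TWAP bound alone does not replace `minValue1`: the caller's minimum is what protects against a price that moved legitimately between transaction submission and inclusion.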
@_sammytm
sammy
1 month
A lesser-known fact about auditing contests is that you can begin examining the code even before the contest officially starts. Since most Web3 protocols are open source, a quick visit to the protocol’s website and some exploration on GitHub can provide access to the code
1
2
45
@_sammytm
sammy
2 months
Took a little break from auditing and analyzed all the contests I participated in during March. Despite a great start, I noted four key mistakes that, if avoided, could have led to much better results and a bigger 💰: 1. **Completely Neglected Out-of-Scope Contracts** Since I
5
6
44
@_sammytm
sammy
21 days
I've started creating "save states" to quickly resume my security reviews after taking breaks. Previously, when I returned to a codebase after a few hours or days, it would take me a while to regain my train of thought. This would sometimes take several minutes or even hours,
3
1
40
@_sammytm
sammy
2 months
A tip for your first auditing contest: Always go through the documentation of the platform you’re competing on. I recently saw a case where someone submitted a valid report but was not rewarded because they were unaware of the escalation process. (P.S. They lost upwards of
3
0
39
@_sammytm
sammy
2 months
Just a regular day during escalations 😅
7
0
35
@_sammytm
sammy
19 days
🐐🐐🐐
@sherlockdefi
SHERLOCK
19 days
Winner Announcement 🏆 @_sammytm has written a detailed thread explaining the differences between creating code on zkSync and the Ethereum mainnet. Solady uses the create opcode, which causes the function in question to fail. Read it here:
0
3
8
1
0
29
@_sammytm
sammy
2 months
New wave of contests proves yet again that the demand for Web3 security is on a steep climb. There’s going to be a lot of FOMO, as I'm sure a lot of big money is going to be made here.
3
1
28
@_sammytm
sammy
27 days
DMs are now open on public demand😅
@_sammytm
sammy
28 days
I'm thrilled to announce that I'm embarking on a new adventure as a full-time independent researcher in Web3 security, starting today! I just wrapped up my final semester of university, which was a 5-month Web2 internship. However, I discovered the fascinating world of Web3 sec
45
6
215
3
0
23
@_sammytm
sammy
2 months
This time it’s rank #2 in @RadxChange contest on @sherlockdefi A few stats : > First 4 digit payout > Second contest ever on sherlock (3rd overall) > First month in web3 > Second week of active auditing Don’t plan on stopping anytime soon💪🔥
@sherlockdefi
SHERLOCK
2 months
🏆 @radxchange Audit Contest Results 🏆 Congrats to: 1. @zzykxx - $6,280.31🥇 2. @Al_Qa_qa , @_sammytm - $2,826.79🥈 @zzykxx made $3,000.00 fixed pay + $6,280.31 from the contest pot! $16,000.00 rewards ➡️ $7.8M+ paid out in rewards.
1
1
11
9
0
22
@_sammytm
sammy
3 months
Happy to share that I've placed at rank #5 in my first ever contest on @sherlockdefi Missed out on reporting a couple bugs that I thought weren’t bugs but later turned out to be bugs xD but a great learning experience nonetheless.
@sherlockdefi
SHERLOCK
3 months
@Amphor_io @zzykxx 🏆 @Amphor_io Audit Contest Results 🏆 4. @Mihir0181 - $1,632.33 5. @_sammytm - $874.57 6. Varun_05 - $718.90 6. @MarsWhiteHacker - $718.90 7. Afriaudit - $679.98 7. DMoore - $679.98 8. 0xLogos - $273.97
1
2
7
3
4
21
@_sammytm
sammy
2 months
I just realized- had I chosen "USDC + Points" on the @RadxChange contest, I would've been top 30/ LSW level on the leaderboard. Never too late to learn from your mistakes 😅 Goal for the year: Become LSW on Sherlock
2
0
21
@_sammytm
sammy
2 months
2) @Amphor_io (Sherlock) ~ 2H ~ $874 This time around, I had a better understanding of how to identify bugs. The knowledge of ERC-4626 from the PoolTogether contest was particularly useful, as it helped me quickly understand the codebase. I submitted four issues in total, three
3
1
21
@_sammytm
sammy
2 months
@Amphor_io 3) @RadxChange (Sherlock) ~ 1H|1M ~ $2826 I didn't spend too much time on this contest, probably close to a day and a half. However, my experience from the two previous contests helped me understand the codebase very quickly and identify a fairly unique medium-severity issue.
3
0
20
@_sammytm
sammy
2 months
I recently signed up for a contest on @cantinaxyz Here are my thoughts on the platform so far : 1. I like the Code Review interface, however, It’s a bit slow and unresponsive. 2. I really wish there was an interaction medium between auditors/sponsors like the discord
3
0
20
@_sammytm
sammy
2 months
In recent contests, I've specifically noticed issues related to: - Opcode compatibility across different chains - CWIA - Calldata - The 63/64 rule making a lot of 💰💰💰
1
0
16
@_sammytm
sammy
1 month
✌️
@sherlockdefi
SHERLOCK
1 month
@titlesxyz @xiaoming9090 @mt030d 🏆 @titlesxyz Audit Contest Results 🏆 4. 14si2o_Flint - $1,371.53 5. @Composable_Sec - $882.77 6. @Oizo____ - $759.71 7. @_sammytm - $589.49 8. @0xSimao - $463.83 9. ArsenLupin - $414.04 10. Kalogerone - $410.95
3
0
2
2
0
14
@_sammytm
sammy
1 month
A lot of value to gain from this post⬇️ @MartinMarchev ’s story proves that if you’re passionate enough about something, you will succeed eventually.
@immunefi
Immunefi
1 month
1/14 Time for a new #WhitehatSuccess Story! @MartinMarchev is a hands-on hacker who started web3 security only a year ago, getting serious only in Dec '23. But that didn't stop him from bagging first place in the recent Immunefi Arbitration Boost with over $13,000 in earnings.
9
12
138
1
0
13
@_sammytm
sammy
2 months
Coming back to this after getting my first few audit wins is very refreshing. This amazing blog by @milotruck really helped me navigate through the world of Web3 security when I was first starting out.
@milotruck
MiloTruck
7 months
Took a break from staring intensely at Solidity to write a blog. I bring you: "A year of Competitive Audits" - my learnings from competing in contests for a year, and an honest review of the opportunities it gave me. Do check it out, it's full of alpha:
59
58
406
1
0
13
@_sammytm
sammy
2 months
@banditx0x You can read code while lying down in your bed, much tougher to type that way xD
1
0
11
@_sammytm
sammy
25 days
Quoting from "": "On ZKsync Era, contract deployment is performed using the hash of the bytecode, and the factoryDeps field of EIP712 transactions contains the bytecode. The actual deployment occurs by providing the contract's hash to the
1
0
11
@_sammytm
sammy
3 months
@sherlockdefi Wouldn't have been possible without @RealJohnnyTime and @ProgrammerSmart 's CTF solutions, and @PatrickAlphaC 's videos. You guys rock!
1
1
9
@_sammytm
sammy
1 month
Overall, I wouldn't say that this month was particularly disappointing. I'm currently part-time, and my main focus isn't money but learning as much as possible by constantly challenging myself and testing my limits. I learned A LOT from the Panoptic contest and overcame my fear
1
0
9
@_sammytm
sammy
2 months
@0xpangreed @PoolTogether_ Patrick Collins foundry and security course, Smart contract programmer’s videos, JohnnyTime’s videos, CTFs - Ethernaut, Damn Vulnerable Defi
0
0
9
@_sammytm
sammy
2 months
Edit : Also Weird ERC-20 tokens
0
0
9
@_sammytm
sammy
9 days
@sherlockdefi The more you gain experience with different kind of codebases and DeFi concepts the easier it becomes to do 2 imo. This is why a lot of pros skip 1 because they can understand what the code is trying to do just based on the code.
1
0
8
@_sammytm
sammy
7 days
We’re in the same business.
0
0
9
@_sammytm
sammy
1 month
1) I decided to take on a massive challenge At the beginning of April, I decided to focus most of my time on a single audit ( @Panoptic_xyz on @code4rena ), which lasted for 21 days. This contest was particularly hard for me as it involved ~5000 SLOC, and the protocol was built
3
0
9
@_sammytm
sammy
17 days
@0xfox_ I focused on demonstrating the root cause (proving that the bug occurs) through my PoC, and completely left out the part which matters the most ultimately- the impact. The judge hence downgraded my "High" finding to QA, which led to this result.
1
0
8
@_sammytm
sammy
1 month
@0xjuaan @jack__sanford Have experienced #2 before, when someone already disclosed a vuln in private threads. Sponsors do unknowingly drop hints.
2
0
8
@_sammytm
sammy
11 days
@sherlockdefi @NotionalFinance Let’s not fool ourselves, we’re not winning a contest which has @xiaoming9090 as lsw
3
0
7
@_sammytm
sammy
25 days
@0xWeb3boy Super helpful for random Solidity doubts ngl
1
0
7
@_sammytm
sammy
21 days
@sherlockdefi @titlesxyz Wrote a whole thread on it‼️
@_sammytm
sammy
25 days
Developers, be careful while using the `create` opcode in your smart contract if you plan on deploying your protocol on the zkSync chain. Here's why 🧵:
1
6
74
0
0
6
@_sammytm
sammy
2 months
@SachetDhanuka @PoolTogether_ Thank you so much for the encouragement! Absolutely, those moments of uncertainty are just part of the journey. Sticking through the challenges is definitely worth it—every setback is a setup for a breakthrough!
0
0
6
@_sammytm
sammy
2 months
@zilberb6109 @Amphor_io @RadxChange I started off by doing Ethernaut CTF ( @ProgrammerSmart for solution videos), then I did Damn Vulnerable DeFi CTF ( @RealJohnnyTime for solution videos), all while also referring to @PatrickAlphaC ’s foundry and security course.
0
0
5
@_sammytm
sammy
2 months
@dey__tamoghna @PoolTogether_ After a month of learning solidity.
1
1
4
@_sammytm
sammy
2 months
4. **Did Not Spend a Lot of Time Learning, Reading Previous Contest Reports, and Brushing Up on Solidity** Focusing solely on auditing work meant there was not enough time for learning. This can stagnate your results over time. Some bugs/attack paths are so complex that you
1
0
5
@_sammytm
sammy
1 month
@MartinMarchev 🫡 Appreciate your vote of confidence ser, won’t disappoint.
1
0
4
@_sammytm
sammy
1 month
@MartinMarchev @immunefi Just created an immunefi account 😹😹 Thanks for the inspiration
0
0
5
@_sammytm
sammy
2 months
@0xdice91 @code4rena @GalloDaSballo Persistence is key! Congrats!
1
0
4
@_sammytm
sammy
20 days
@MartinMarchev @bytes032 Manual Review >>>>>
0
0
4
@_sammytm
sammy
2 months
3. **Did Not Report Many Bugs Simply Because I Didn’t Think They Were Severe Enough** This is probably the biggest mistake on this list. It single-handedly led me to miss out on a lot of potential payouts. I held myself to a high standard and only reported bugs that I thought
2
0
4
@_sammytm
sammy
2 months
@alexzjeh @PoolTogether_ Spent a month doing CTFs and learning solidity before jumping into audits.
0
0
4
@_sammytm
sammy
1 month
@windhustler Going full-time next week, what's your #1 advice?
1
0
4
@_sammytm
sammy
29 days
@MartinMarchev yo, another one?
1
0
4
@_sammytm
sammy
1 month
@Prism_Blocks Don't look at solutions too quickly. Try really, really hard first.
0
0
4
@_sammytm
sammy
3 months
🧵 How Relays Enable Automation and Gasless Transactions in Web3 🧵 1/ Introduction to Relays: In the Web3 ecosystem, relays are intermediary systems that facilitate user interactions and blockchain networks, often invisibly handling complex processes behind the scenes.
1
0
3
@_sammytm
sammy
1 month
@RealJohnnyTime Can absolutely vouch for this 🫡 Your CTF solutions were immensely helpful when I got stuck in a challenge. Also your podcasts are a great source of knowledge for anyone that is getting started.
1
0
3
@_sammytm
sammy
24 days
@Al_Qa_qa Eid Mubarak buddy
0
0
2
@_sammytm
sammy
3 months
10/ Looking Ahead: The evolution of relays will continue to play a pivotal role in the adoption and scalability of blockchain technologies. As these systems become more sophisticated, we can expect a more seamless integration of Web3 technologies into everyday applications.
0
0
2
@_sammytm
sammy
12 days
@MartinMarchev I feel you bro 🫂
1
0
3
@_sammytm
sammy
1 month
@immunefi @MartinMarchev Congrats again bro @MartinMarchev , the hard work is finally paying off! Also, I wonder if you actually look like this irl😹
0
0
3
@_sammytm
sammy
2 months
@pashovkrum Can we expect a new contest wave later this year? 👀
1
0
3
@_sammytm
sammy
3 months
@nisedo_ @LeetCode Sure, I had about ~800-900 problems solved before jumping into auditing, It surely helped me understand and read code better. I don’t know if it helps to take time off auditing to do leetcode though 🤷
1
0
3
@_sammytm
sammy
28 days
@AllenGeorge08 If you don’t have web2 exp, I recommend writing some code by making some projects first.
0
0
2
@_sammytm
sammy
1 month
@zdravkohristov0 🫡🫡 A year of escalation power earned in a matter of days
0
0
3
@_sammytm
sammy
2 months
@mylifechangefa1 The finding was marked invalid in the initial judging, later on during escalations, a dup of it got validated while the newbie Watson's finding remained invalid, as they didn't appeal (they didn't know about the escalation phase)
3
0
3
@_sammytm
sammy
1 month
@0xjuaan 😹😹 also world if i didn’t get 100 error squiggles with every new codebase in vscode
0
0
2
@_sammytm
sammy
2 months
@xb0g0 Amazing, Congrats 👏👏
1
0
2
@_sammytm
sammy
16 days
@zdravkohristov0 Also if `_feeTier * amount` is less than `FEE_DENOMINATOR`, fee will always be 0, so user can use this to their benefit and avoid paying fee.
1
0
2
@_sammytm
sammy
1 month
@Zubeirdayib24 Determination and the 3-4 years of coding experience before this really helped.
0
0
2
@_sammytm
sammy
20 days
@Afriauditor Yoooooo big congrats buddy 🫡 Happy to see how far you've come
1
0
2
@_sammytm
sammy
3 months
9/ Benefits for Users and Developers: -Users enjoy a smoother, more accessible blockchain experience without worrying about gas fees. -Developers can attract a broader audience by lowering the entry barriers and simplifying the user interface of their applications.
1
0
2
@_sammytm
sammy
2 months
@Amphor_io Thanks for the opportunity 🫡
1
0
2
@_sammytm
sammy
27 days
@CyberStrategy1 Mostly Solidity but looking into some ZK too. Thanks!
2
0
2
@_sammytm
sammy
28 days
@vancelotx Thanks sir
0
0
2
@_sammytm
sammy
1 month
@hamzalagrari Thank you! Glad that I could inspire someone.
0
0
2
@_sammytm
sammy
2 months
Got the code. Thanks @Mihir0181 !
1
0
2
@_sammytm
sammy
2 months
@jecikpo Congrats 👏👏
1
0
2
@_sammytm
sammy
4 months
🤨
@cantinaxyz
Cantina 🪐
4 months
The new largest competition in history. Details Tomorrow. Only on @cantinaxyz . 🤫🪐
20
22
139
0
0
2
@_sammytm
sammy
2 months
2. **Only Focused on Small Contests** On average, small contests have much higher participation than longer contests, which leads to a higher number of duplicates for the same bug. Coupled with a smaller prize pot, this results in a much lower payout per bug, even cents in some
2
0
2
@_sammytm
sammy
2 months
Q : Does anyone know how I can get a Cantina invite? I tried messaging both @cantinaxyz and @CantinaBouncer , didn’t work.
2
0
2
@_sammytm
sammy
1 month
@jack__sanford I think both have their pros and cons as far as SRs are concerned C4: More incentive as no LSW $ cut Sherlock: LSW but incentivized to participate to become LSW
0
0
2
@_sammytm
sammy
4 months
Had a blast auditing @PoolTogether_ on @code4rena . Great codebase with a very sophisticated test suite! I spent the entirety of the contest duration auditing it, and I've learned a lot along the way.
0
0
2
@_sammytm
sammy
1 month
@jecikpo @zdravkohristov0 Didn’t participate in Sophon😅😅 Do call me if you need any backup though 🤘
1
0
2
@_sammytm
sammy
2 months
@Al_Qa_qa @PoolTogether_ Thanks buddy, you’re killing it too 🔥
0
0
2
@_sammytm
sammy
4 months
@0xGreed_ @PoolTogether_ @code4rena I did find one interesting issue, would love to discuss over DMs
0
0
2
@_sammytm
sammy
2 months
@_sammytm
sammy
2 months
@0xpangreed @PoolTogether_ Patrick Collins foundry and security course, Smart contract programmer’s videos, JohnnyTime’s videos, CTFs - Ethernaut, Damn Vulnerable Defi
0
0
9
0
1
2
@_sammytm
sammy
2 months
@Al_Qa_qa @RadxChange @sherlockdefi Congrats! Escalations were hella fun xD
2
0
2
@_sammytm
sammy
3 months
8/ Security and Trust: Ensuring the security of relays is paramount as they can become central points of failure. Solutions include decentralized networks of relays, rigorous security protocols, and using trustless designs wherever possible.
1
0
1