Whitehat Bandit (@banditx0x)

Followers: 4,408 | Following: 879 | Media: 103 | Statuses: 3,757

Security Researcher @OpenZeppelin. Whitehat Initiate @ImmuneFi. Sometimes submitting issues to code4rena and sherlockDefi.

Joined October 2018
@banditx0x
Whitehat Bandit
5 years
HOW TO GAIN STATUS (without doing work): The thread we really wanted from @naval
24
147
936
@banditx0x
Whitehat Bandit
5 years
To get rich, compound knowledge and use it to compound capital.
4
114
762
@banditx0x
Whitehat Bandit
5 years
A notebook is a hard drive for the brain.
5
67
521
@banditx0x
Whitehat Bandit
5 years
Procrastination happens when emotional incentives don’t match rational incentives
3
89
494
@banditx0x
Whitehat Bandit
5 years
This is the greatest time in history for turning dreams into reality
4
36
275
@banditx0x
Whitehat Bandit
5 years
If you avoid a job, obligations and addictions, and devote yourself to your curiosity and passions: first you will have a lot of time but too little opportunity. Then you will find yourself with too little time and too much opportunity. That's when you've escaped the rat race.
2
37
247
@banditx0x
Whitehat Bandit
9 months
Last year I found a Critical vulnerability which could steal $40M from @perpprotocol . The team was dishonest about the bug severity and rewarded $30k. The experience was devastating and made me give up on web3 security for several months. Writeup:
@ChainLight_io
ChainLight
9 months
Draining $32M in 5 Minutes. On October 3rd, 2022, we discovered and reported a critical bug in @perpprotocol that could have drained $32M, the entire deposited USDC in the pool. The critical bug was discovered in the "AccountBalance" contract, which serves as the protocol's
18
14
131
20
21
212
@banditx0x
Whitehat Bandit
6 months
~1 year ago I had no idea how to code, and no college education, but had a dream of eventually becoming a top security researcher. @sjkelleyjr put out a tweet saying he was looking to fund junior auditors. I sent this DM to him. We never reached a deal, but he showed a lot of
18
18
217
@banditx0x
Whitehat Bandit
8 months
@0xdoug @0xdoug 😅 this is a variant of a known issue:
4
9
180
@banditx0x
Whitehat Bandit
5 years
Early retirement is a noble goal that needs a re-branding. People want to quit their career to escape tedium and pursue passion, adventure and curiosity. It's not about living life like you're 70.
3
30
177
@banditx0x
Whitehat Bandit
8 months
How I learned Solidity from scratch: 1. CryptoZombies 2. Rewrite/type the simple contracts in 3. Watch @ProgrammerSmart videos on YouTube. From there I was ready to jump into contests. Made an average of ~$100 per contest for the first few attempts.
10
15
175
@banditx0x
Whitehat Bandit
5 years
Most of the Twitter accounts I follow are part of a vague intellectual cult around Taleb/ @naval /Munger/ @paulg. I don't know if it's an echo chamber or the most brilliant and interesting network of people on the internet I've encountered.
9
9
165
@banditx0x
Whitehat Bandit
2 years
Thread🧵on what makes @Lifinity_io not just an AMM, but a money making machine 1/ Lifinity prioritises PROFITABILITY over gameable metrics such as volume and TVL 2/Lifinity pools gain market making profits rather than suffering impermanent loss.
1
26
129
@banditx0x
Whitehat Bandit
9 months
Just got paid for my Critical @immunefi submission 🚀 Special thanks to @0xMackenzieM and @0xDjangoOnChain who gave me some advice during an extended mediation process.
16
8
122
@banditx0x
Whitehat Bandit
4 months
Looking for someone to mentor or collaborate with. If you: - Already have decent contest results (requirement) - Are interested in joining OpenZeppelin (optional) - Plan to be in security research long term Shoot me a DM 😎
20
7
117
@banditx0x
Whitehat Bandit
10 months
First place in @code4rena 's @Livepeer audit contest! 🥳
16
0
113
@banditx0x
Whitehat Bandit
5 years
The greatest investors keep an empty calendar. Time and freedom are necessary to make good judgement
2
14
102
@banditx0x
Whitehat Bandit
1 month
Bug bounty paid 🥳 The project had reasons why the bug could have lower impact than the report claimed due to on-chain settings. However, they paid a reduced bounty that I am happy with. Thanks @immunefi and anon project 🫡
@banditx0x
Whitehat Bandit
2 months
Just submitted a Medium to ImmuneFi. The coded POC was mainly written with ChatGPT :) I asked GPT for a simple foundry POC template, then to search up the token addresses for an LP pool and to deal them to the attacker. Then I wrote the remaining few attack steps.
9
4
74
6
2
97
@banditx0x
Whitehat Bandit
7 months
Started learning Rust. What makes people say that Solidity is "easy" and Rust "hard"?
19
3
73
@banditx0x
Whitehat Bandit
1 month
2 lessons from recent @immunefi experiences: 1. Before writing a POC, submit a basic transaction using the protocol's web interface (not a hack or test related transaction). Then check on Etherscan which contract you just interacted with. Sometimes the contracts in the scope page
3
4
75
@banditx0x
Whitehat Bandit
2 months
Just submitted a Medium to ImmuneFi. The coded POC was mainly written with ChatGPT :) I asked GPT for a simple foundry POC template, then to search up the token addresses for an LP pool and to deal them to the attacker. Then I wrote the remaining few attack steps.
9
4
74
@banditx0x
Whitehat Bandit
5 months
$3 million vulnerability just chilling in sherlock repo
@cawfree
63617766726565
5 months
5
3
50
5
4
70
@banditx0x
Whitehat Bandit
8 months
🥉 3rd place for @aloecapital audit contests at @sherlockdefi behind 2 senior Watsons!
7
0
66
@banditx0x
Whitehat Bandit
8 months
5 protocol types I feel comfortable with: 👍 AMMs 👍 Perpetuals 👍 Uniswap v3 Integrations 👍 Borrow/Lend 👍 Staking 5 protocol types I need to learn more about: 📖 Cross-Chain / LayerZero Integration 📖 Balancer Integrations 📖 've' systems (veCrv, veFXS etc) 📖 Liquid
3
4
64
@banditx0x
Whitehat Bandit
2 months
My game theory model of why @code4rena has 300% to 500% more community audit coverage than @sherlockdefi 🌶️ Let's assume there are 2 contests running with the exact same Contest Pool, nSLOC, duration: - Code4rena - Sherlock Now let's say all the auditors are given an ELO rating
@jack__sanford
Jack Sanford 🛡️
2 months
I'm spilling some alpha here but I guess I'll tell the real story: Sherlock realized that smart contract coverage doesn't work if audits don't work. So Sherlock got really focused on auditing. Started doing traditional audits, then tried C4 for our own smart contracts and it
5
0
41
12
3
65
@banditx0x
Whitehat Bandit
5 years
Seek status, not money or wealth. Status is your place in the social hierarchy. Wealth is an unfair distribution of assets. Money is how we transfer status.
1
6
61
@banditx0x
Whitehat Bandit
3 months
1
3
62
@banditx0x
Whitehat Bandit
5 years
Don't confuse cost of living with standard of living
0
4
58
@banditx0x
Whitehat Bandit
5 years
A tweet that will be relevant 50 years from now is a good tweet. But they don't make for popular tweets
0
7
57
@banditx0x
Whitehat Bandit
5 months
The upcoming Ethernaut CTF has great prizes ($7K over 2 days) 👀 There's a rumor that OpenZeppelin recruiters might look at the CTF leaderboards for Security Researcher candidates
@OpenZeppelin
OpenZeppelin
5 months
Get ready for the Ethernaut CTF! Do you have what it takes to secure first place? Starting 16/03, compete for: 💰 $7k cash prizes + Defender subscriptions 🔒 48h of unique blockchain challenges 🏆 A chance to earn special POAPs Register now at !
4
54
194
4
6
55
@banditx0x
Whitehat Bandit
3 years
@Fiskantes a few months ago: it's a crab market 🦀 @Fiskantes now: still a crab market 🦀
1
4
47
@banditx0x
Whitehat Bandit
5 years
Writing is a lonely pursuit, except on twitter
1
3
49
@banditx0x
Whitehat Bandit
5 months
@trust__90 1st Invariant: Each operation changes the difference between two colours by either 3 or 0. E.g. if you rub blue and green, the result is 4 B, 12 R, 14 G. Diff of blue and red is 5+3, diff of G and B is the same, diff of R and G is (5-3). 2nd Invariant: There's no combination of adding or
6
1
50
@banditx0x
Whitehat Bandit
10 months
OpenZeppelin v5.0.0 contains a fix for the ERC4626 Vault Inflation Attack. RIP beginner auditors 🫡
5
1
48
@banditx0x
Whitehat Bandit
3 months
Why did you choose to be an auditor rather than a dev? (or vice versa)
32
3
48
@banditx0x
Whitehat Bandit
5 years
@PaulieCiceroG "If you would persuade, appeal to interest and not to reason" -Ben Franklin
2
14
43
@banditx0x
Whitehat Bandit
3 months
1
2
47
@banditx0x
Whitehat Bandit
5 years
Pick an area where you can be an intolerant minority among a tolerant majority.
2
4
45
@banditx0x
Whitehat Bandit
6 months
@xuwinniexu won $500k auditing rust code without even knowing the language. "Hacking skill is independent from language"
3
2
44
@banditx0x
Whitehat Bandit
8 months
Hey all, I'm personally not interested in this role as the salary is pretty meh, but if any beginner auditors are interested in an entry-level salary hit up @SpearbitDAO
@SpearbitDAO
Spearbit
8 months
Spearbit is looking to hire 2 Lead Security Researchers paying up to $1,000,000 yearly each. We are looking to onboard for two positions: • Cosmos SDK + COSM/WASM Security Expert • Geth / Go + Node Security Expert The application is in the tweet below:
28
76
259
5
0
42
@banditx0x
Whitehat Bandit
5 years
Don't read for advice Read to improve your thinking Then think for yourself
1
7
44
@banditx0x
Whitehat Bandit
2 months
2 months ago @0xSpearmint said in DMs that he was studying security 7 hours a day non-stop while still being in university. Here's what hard work and concentrating on a single contest can get you 👏
@0xSpearmint
Spearmint
2 months
🥈 #2 in my third security contest Some interesting points about this one: - I spent the whole 3 weeks on the codebase - I did this contest while studying for my medical school exams - I submitted my last issue around 3:45 AM on the last day (the contest ended at 4 AM), it ended
24
5
148
1
1
44
@banditx0x
Whitehat Bandit
8 months
Smart Contract Auditing is a field where: - Skill is measurable - The variance in productivity is superlinear. @IAm0x52 can provide x100 the value in an audit contest compared to a mediocre auditor who puts in the same amount of time. So two things can simultaneously be true:
8
1
41
@banditx0x
Whitehat Bandit
8 months
Things you DON'T need to be a great auditor: - being good at maths - knowing how to code - above room temperature IQ - being able to find bugs There are auditors with only $50 in @code4rena earnings providing MASSIVE VALUE to clients through solo security reviews, making web3
6
2
42
@banditx0x
Whitehat Bandit
4 years
@naval Did you extrapolate this from seeing people look forward to social events for the excuse to get drunk?
3
0
41
@banditx0x
Whitehat Bandit
3 months
Most common reasons to pick auditing over dev are: - It's more meritocratic. You can prove your skills without landing a job first. - Prefer breaking over building
3
5
39
@banditx0x
Whitehat Bandit
6 months
@sjkelleyjr To find the bugs without knowing how to code, I visualised how AMMs work to come up with exploits. This picture is from my most critical finding at the time:
@asen_sec
0xasen.eth
6 months
@banditx0x @sjkelleyjr How did you find 3 separate bounties last year (2022) when you didn't know how to code 1 year ago?
1
0
3
2
2
40
@banditx0x
Whitehat Bandit
5 years
Top 5 regrets of the dying. I wish I: 1. stayed true to myself 2. hadn't worked so hard 3. had the courage to express my feelings 4. stayed in touch with friends 5. let myself be happier. Now invert, and go live your life!
0
6
39
@banditx0x
Whitehat Bandit
5 years
Understand that ethical wealth creation is not possible. If you publicly despise wealth, status will come to you.
2
2
37
@banditx0x
Whitehat Bandit
5 years
The only employer that will pay you what you're worth is yourself.
1
8
40
@banditx0x
Whitehat Bandit
5 years
Most "deep and existential" quotes are obvious truths stated in a way that arouses emotion
0
6
38
@banditx0x
Whitehat Bandit
5 years
Learn to sell. Learn to sell. If you can do both, you will be unstoppable.
1
5
39
@banditx0x
Whitehat Bandit
5 years
If you think for yourself you will eventually find nobody that thinks like you.
0
6
36
@banditx0x
Whitehat Bandit
3 months
The best audit firms have shorter reports. Someone with valuable findings won't put 20 pages of filler before them.
5
1
37
@banditx0x
Whitehat Bandit
27 days
Which audit firms are "tier 1"?
31
0
36
@banditx0x
Whitehat Bandit
5 years
Want novelty? Meet new people. Want connection? Spend time with those closest to you.
0
5
34
@banditx0x
Whitehat Bandit
5 years
An entire life can be wasted Solving insoluble problems Or pursuing the unattainable
4
2
34
@banditx0x
Whitehat Bandit
27 days
How often do audits make an entire dev team get replaced? 😮
@TickyCrypto
CryptoTicky
28 days
I have received payment for 9 reports from @AlchemixFi boost at @immunefi @AlchemixFi replaced the entire dev team that caused the issue and willingly paid for the mistakes they made. Thank you once again for the kind support @OddlySpecivik @0xMackenzieM @0xTimofey @Ov3rKoalafied
15
3
220
3
1
30
@banditx0x
Whitehat Bandit
4 years
It is the eyes of other people that ruin us. If all but myself were blind, I should want neither a fine house nor fine furniture. -Benjamin Franklin
1
8
27
@banditx0x
Whitehat Bandit
1 month
@milotruck
MiloTruck
1 month
ZKSync airdrop has audit contests as one of the eligibility criteria. Y'all might want to check
12
9
96
3
0
32
@banditx0x
Whitehat Bandit
6 months
So many auditors expressed interest in learning ZK, so maybe I shouldn't learn it 🤔 I want to research something other people don't know is important yet.
8
0
32
@banditx0x
Whitehat Bandit
3 years
CYCLOS ENCYCLOPEDIA The most used protocol on any layer 1 is the Automated Market Maker. These threads will explain why Cyclos will be the undisputed king of AMMs
2
5
29
@banditx0x
Whitehat Bandit
5 months
>90% of attacks that people call "flashloan exploits" can be done without a flashloan
6
0
30
@banditx0x
Whitehat Bandit
5 years
Don’t play iterated games. All the returns in life, whether in wealth, relationships, or status, come from one-off prisoner's dilemma scenarios.
1
5
30
@banditx0x
Whitehat Bandit
5 years
Unspecific knowledge is found by pursuing what is hot right now rather than your genuine curiosity and passion.
1
5
30
@banditx0x
Whitehat Bandit
7 months
Running out of ideas during an audit? Listen to @BowTiedDravee 's "Mindsets of Auditing" video with @opensensepw
2
1
31
@banditx0x
Whitehat Bandit
5 years
Arm yourself with outrage, misinterpretation and unspecific knowledge.
1
7
29
@banditx0x
Whitehat Bandit
8 months
Thanks @immunefi ! Aiming for the Elite ImmuneFi Hoodie next year 🚀
@immunefi
Immunefi
8 months
A new INITIATE joins our ranks... Congratulations to @banditx0x ! Your special item(s) will be arriving in your inbox shortly. See you at the next tier! More about perks for Bug Hunters:
3
1
32
1
4
31
@banditx0x
Whitehat Bandit
5 months
Contests are indeed much tougher since last year despite the bullrun. For example, "slot0 for uniswap is easily manipulated" paid $440 in Feb 2023. Now it is worth $1. Some other 1 liner issues paid $400 back then.
9
0
30
@banditx0x
Whitehat Bandit
5 years
Writing something great is 90% experiencing and thinking, 10% writing. You're almost done, why not finish?
1
4
31
@banditx0x
Whitehat Bandit
5 years
Logic helps you dig deeper into a hole. Lateral thinking tells you where to dig.
0
4
30
@banditx0x
Whitehat Bandit
3 months
About to review 28 missed findings for the Salty-io contest 🫡
2
0
30
@banditx0x
Whitehat Bandit
1 month
Once the debate over which contest model is best is settled, the next Sherlock vs Audit Firm comparison/analysis will drop 🍿
6
1
30
@banditx0x
Whitehat Bandit
5 years
Status is relative. Pick partners with low intelligence, energy and, above all, integrity.
1
4
26
@banditx0x
Whitehat Bandit
7 months
The attacker mindset is far more important than any technical skill for success in smart contract security
3
0
28
@banditx0x
Whitehat Bandit
5 years
"Academia is a magical place where bright young narcissists forgo 6-8 years of present income in order to forgo a lifetime of future income." @eiaine 🤣
0
4
26
@banditx0x
Whitehat Bandit
5 years
Become the best in the world at being virtuous. Keep redefining virtue until this is true.
1
2
27
@banditx0x
Whitehat Bandit
2 months
Predicting that ImmuneFi will announce the largest contest ever (again), bigger than the Fuel attackathon
@MitchellAmador
Mitchell Amador
2 months
I've got some vibes inbound security fam. Brace yourself.
1
2
26
5
1
28
@banditx0x
Whitehat Bandit
7 months
Web3Sec Country Power Rankings: 1. Bulgaria 2. North Korea 3. Israel
2
0
26
@banditx0x
Whitehat Bandit
4 months
Great visual explanation of the EVM
1
3
26
@banditx0x
Whitehat Bandit
8 months
According to celebrity auditors, trying out DeFi platforms is a good way to improve your understanding of the codebase. But why am I getting poorer every day? Someone help 🙏
4
0
26
@banditx0x
Whitehat Bandit
26 days
In retrospect, participating in every $1mil+ contest since last October would have been the best contest selection strategy.
1
0
25
@banditx0x
Whitehat Bandit
3 months
@SpearbitDAO and @RareSkills_io are both hiring technical content writers. Could be a good fit for contest auditors as your issue writeups can be used as a portfolio of work 👀
3
2
25
@banditx0x
Whitehat Bandit
5 years
Don’t ignore people playing wealth games. You gain status by attacking people playing wealth creation games
2
2
24
@banditx0x
Whitehat Bandit
8 months
tfw you're thinking through a critical attack path but it's time for your pomodoro break
5
0
23
@banditx0x
Whitehat Bandit
5 years
Finding a new purpose in life often comes with the pain of admitting that you were directionless and unhappy before you found your passion.
0
3
24
@banditx0x
Whitehat Bandit
2 months
It was incredibly fun meeting everyone at @OpenZeppelin
@gtocagni
galo
2 months
Just wrapped an incredible week in Porto with the @OpenZeppelin team! We're pushing boundaries to take OpenZeppelin to every corner of crypto: • The OZ Ecosystem Stack is now available across four ecosystems, with more on the way—stay tuned for updates! • Our Research Team
4
14
66
1
0
23
@banditx0x
Whitehat Bandit
5 years
Notes from Michael Mayer and Erik Torenberg podcast: In schooling you can get 4.0 GPA without a unique thought. In real life you get rewarded for what is plausible and impactful/interesting.
@eriktorenberg
Erik Torenberg
5 years
Spoke w/ @micjm about how to be great at Twitter, pseudonymity, education, and more.
1
2
29
3
4
21
@banditx0x
Whitehat Bandit
9 months
And 11 of them are auditors
@naruto11eth
Naruto11.eth
9 months
Bro, there are like only 10 people left in web3. This is the new bottom💀💀
60
3
177
3
0
23
@banditx0x
Whitehat Bandit
26 days
Great article by @xb0g0. He picks 4 instructive findings and reverse engineers the auditor's thought process. When reviewing findings, you should ask yourself about the thought process that led to the bug 🧐, not just the technical details
@xb0g0
bogo
26 days
Analyzing the reports from past contests is probably the most important skill that will turn you into a GREAT auditor IF you do it PROPERLY I have invested a week and ALL of my experience to create the ultimate deep dive on the subject. I break down
15
32
164
1
0
19
@banditx0x
Whitehat Bandit
4 years
A filter for quality, by definition, has a high rate of rejection
0
1
22
@banditx0x
Whitehat Bandit
5 years
Clear thinkers talk clearly.
1
1
22
@banditx0x
Whitehat Bandit
5 months
@PatrickAlphaC USDC to $2 🚀
3
1
23
@banditx0x
Whitehat Bandit
5 years
The antidote to delusion is experience
0
1
22
@banditx0x
Whitehat Bandit
5 months
🚨 Sherlock twitter account hacked
4
2
23
@banditx0x
Whitehat Bandit
5 years
Don't climb an imaginary ladder. Find your niche in the ecosystem.
0
6
21
@banditx0x
Whitehat Bandit
9 months
> Leaves note - "this is really important to look at" > Never look at it again > Miss 2 highs
2
0
22
@banditx0x
Whitehat Bandit
5 years
The Internet has massively broadened the possible space of status games. Most people haven't figured this out yet.
1
2
22