giraffe Profile
giraffe

@giraffe0x

Followers
1,876
Following
1,925
Media
135
Statuses
1,042

Security Researcher @GuardianAudits | Sharing about the EVM, Solidity and Security | Ex-Air Force Pilot 🚁

Singapore
Joined February 2012
Pinned Tweet
@giraffe0x
giraffe
8 months
2023 year in review - Left the Air Force - Joined Defi protocol as a Solidity dev - Wrote contracts that held > $2mil TVL - Dipped toes in C4 contests - Recovered $0.6M of users' funds against N Korean hackers (crazy story) - Joined more contests - Top 5 in Sherlock contest -
15
9
170
@giraffe0x
giraffe
9 months
This was how my first private audit went: - Pay-per-Vulnerability - Just shy of 5-digit payout - Found 4 Highs, 4 Meds, several Lows - Life lessons in the art of negotiation - Highly satisfied client who then offered me a job 🤯
18
8
220
@giraffe0x
giraffe
6 months
Absolutely thrilled to share that I will be joining @GuardianAudits as a full-time Security Researcher From watching @0xOwenThurm 's tutorials during my lunch breaks, to now working alongside his core team, this journey feels like a dream turned reality 🥲 Looking forward to
39
10
203
@giraffe0x
giraffe
6 months
Pattern recognition is one of the easiest ways to pick out low-hanging fruit in an audit When you see a proxy pattern, several red flags should stick out immediately. What do you see here?
9
31
192
@giraffe0x
giraffe
2 years
just picked up my first pengu recently and discovered a gem of a community! The people I met at #SGPengsHuddle were kind, authentic and v knowledgeable (builders, entrepreneurs, traders etc). Glad to be part of the fam!! 🐧 @pudgypenguins #PudgyPenguins
36
21
146
@giraffe0x
giraffe
9 months
First taste of @immunefi bounty Applied a known bug from one protocol to a different protocol... I may not be the most technical auditor, but I hope to become the most creative and resourceful one 😉
12
5
138
@giraffe0x
giraffe
7 months
What a crazy start to 2024! Joining @SpearbitDAO as JSR Excited to learn from all the top minds there LFG 🚀
25
2
119
@giraffe0x
giraffe
6 months
First time cracking top 3.. with just one solo medium 🏆 Quite unexpected results: - I'm usually on Sherlock/Cantina, joined this in between contests - Was on vacation so only spent a couple of days on this
18
1
107
@giraffe0x
giraffe
5 months
🥈Best placing and result so far 1 solo high / 3 solo mediums Helped to secure @OpalDeFi and gained deeper knowledge into @Balancer integrations
13
2
104
@giraffe0x
giraffe
6 months
Did a deep dive into OZ's Initializable.sol and finally grokked the different concepts around: initialize initializer initialized initializing reinitializer /🧵
3
6
90
@giraffe0x
giraffe
7 months
Which costs more gas? Why? Hint: difference is at least 40% more
17
3
87
@giraffe0x
giraffe
6 months
🚨 Ownable2StepUpgradeable edge case (devs and auditooors should take note) TLDR: - Breaking change between v4 and v5 may result in owner being silently uninitialized - Initialize function must implement _transferOwnership(newOwner)
5
8
80
@giraffe0x
giraffe
5 months
Some have asked about my mentorship with @GeorgeHNTR so I'd like to share some thoughts: 1) Yes, mentors are incredibly valuable. During my time in the Air Force, I learnt that scholars were assigned a mentor (usually senior officer) from the start of their careers. This gave
5
10
67
@giraffe0x
giraffe
7 months
Front-running attacks with ERC20 Permit: How can this be exploited? 👇
7
5
58
@giraffe0x
giraffe
6 months
Fun fact: In my FIRST ever contest (GMX v2) I found a solo medium 😅 Didn't even realize the significance till much later How? @0xOwenThurm tweeted some alpha on the topic of try-catch and the 63/64 rule.. By luck, I saw it then went to search the codebase for any try/catch
3
2
61
@giraffe0x
giraffe
7 months
🚨Solidity quirk that has led to a real-life exploit: EVM reads calldata in 32 byte chunks. What happens if you pass in a 33 byte calldata? The extra bytes are truncated! In the POC below, 5 is passed as argument along with extra bytes aaaaaa... but only first 32 bytes (i.e.
6
2
61
@giraffe0x
giraffe
11 months
Recently learnt something fascinating about Merkle trees🌲 @RareSkills_io When submitting Proof E, ever wondered how the contract knows whether to.. hash right (Hash E-F) or hash left (Hash F-E)?
2
5
57
@giraffe0x
giraffe
1 year
Found my first Medium severity finding in the GMX contest with @sherlockdefi 🔥🥳 The codebase was quite extensive and v well-written Managed to pick out something due to an obscure rule on forwarding of gas during external calls -- which I learnt during my #30daysweb3security
11
0
56
@giraffe0x
giraffe
5 months
Took 5th place in @RioRestaking contest 🦒 I enjoyed learning about Eigenlayer integrations (esp. since I have personal funds there) and hope to do more restaking audits in future! Set a goal for five top 5 contest results this year. Looks like I'll be achieving it soon 👀
@sherlockdefi
SHERLOCK
5 months
@RioRestaking @tapired @zzykxx @10xhash 🏆 @RioRestaking Audit Contest Results 🏆 4. g - $7,058.64 5. @giraffe0x - $3,862.81 6. @0xmonrel - $3,535.89 7. @Composable_Sec - $2,720.41 8. @0xKaden - $2,571.28 9. @0xbemic - $2,479.90 10. fnanni - $1,871.69
1
0
0
8
1
51
@giraffe0x
giraffe
8 months
🚨What are the common pitfalls of using .pop()? 1. Incorrect implementation (which can be quite subtle) Take a look at this function below. What is wrong and how could it be exploited?
@ddimitrovv22
ddimitrov22
8 months
Deleting Items from an array There are 2 ways to delete an item from an array in Solidity - using `delete` and `pop` methods. Let's take a look at the differences and which one you should use in your project: 1. Using `delete` In this example, we can see that the `removeItem`
3
12
79
1
7
51
@giraffe0x
giraffe
7 months
Solidity/Security job interview alpha 👀 Have an interesting, creative live hack/exploit example in mind that you can speak intelligently about Preferably one that is recent too
3
2
49
@giraffe0x
giraffe
10 months
Found a bug in a live protocol’s codebase with >$100M TVL. No bounty on immuneFi, so am reaching out to them directly with a report and POC Hope they will 1) respond and 2) consider it valid! 🤞🏻
7
1
47
@giraffe0x
giraffe
7 months
Missed an obvious one in a recent contest 🤦‍♂️, can you spot the bug?
15
1
48
@giraffe0x
giraffe
1 year
Happy with my small win of $29 from my first ever audit with @code4rena Using it to treat myself to a nice meal tomorrow! 🍔🍟 Seems like the space is getting pretty crowded -- I am focusing my efforts on higher value H/M findings for future audits!
@giraffe0x
giraffe
1 year
Joined my first @code4rena audit and submitted 2 gas optimization, 4 low-severity and 1 medium-severity findings for the @NeoTokyoCode contest! Looking forward to seeing how I fare and more importantly which were the bugs I didn't catch
0
0
5
8
0
43
@giraffe0x
giraffe
8 months
🚨 Find your next critical bug in "liquidate" @0xOwenThurm does an amazing video covering the different types of vulnerabilities: I've summarized them into a checklist with quick notes for future reference:
@giraffe0x
giraffe
8 months
@GalloDaSballo liquidate()
0
0
2
1
3
46
@giraffe0x
giraffe
1 year
Completed @code4rena audit contest for Asymmetry Protocol Feeling good about this one. Submitted 3 high severity and 1 medium finding Did not bother with gas optimizations/QA as there were so many other juicy findings!
6
1
42
@giraffe0x
giraffe
8 months
Denial-of-Service (DOS) attacks via gas griefing are a popular bug/finding A typical attack goes: - Attacker finds a cheap way to push spam into storage array - Reading from that array becomes increasingly expensive - Critical functions that rely on that array are unable to be
2
4
41
@giraffe0x
giraffe
8 months
Trying out flowcharts for Salty IO contest
5
4
42
@giraffe0x
giraffe
1 year
1 month of staking ETH with @Rocket_Pool 🥳 Minimal hassle, just check-in everyday to see effectiveness healthy Rewards: ETH emissions: 0.07901 (half goes to me) Fees + MEV rewards: 0.02544 RPL: 1.95 Works out to be roughly 8.3% yield annually 🔥🔥$RPL
10
3
39
@giraffe0x
giraffe
8 months
Initial findings from @cantinaxyz 's first ever competition @MorphoLabs are out! While I personally could not find any bugs 😔, so far there are 1 high and 9 meds confirmed 🤯 I'm committing to review what I missed. Let's dive into the high finding 👇
3
5
39
@giraffe0x
giraffe
2 years
Inspired by @gh0stlygh0sts I wrote and deployed my first omni chain NFT using the amazing tech from @LayerZero_Labs and with the wonderful guide from @labfordup LFG!! 😍 my NFT travelled from $FTM to $AVAX 🚀 Next... to brainstorm for ideas to push this further..
11
1
35
@giraffe0x
giraffe
7 months
Wrote ERC1155 entirely in Yul/Assembly 😅 Fun, challenging exercise from @RareSkills_io to learn the inner workings of EVM
5
2
36
@giraffe0x
giraffe
7 months
Another 4th placing in Sherlock💪 Getting the hang of my own style and process of auditing, feels like top spot is within reach 👀
@sherlockdefi
SHERLOCK
7 months
@jojo_exchange @IAm0x52 🏆 @jojo_exchange Audit Contest Results 🏆 4. giraffe - $841.79 5. @0xT1MOH - $802.18 6. @0xhashiman - $668.48 7. vvv - $668.48 8. @cawfree - $668.48 9. FastTiger - $307.01 10. rvierdiiev - $307.01
1
0
2
8
0
34
@giraffe0x
giraffe
2 years
First 1000 attestations of my rocketpool node! Feels good to be contributing towards decentralization $RPL $ETH
4
0
33
@giraffe0x
giraffe
10 months
1/ Questions to ask during an audit Can this ___ ? - revert - be front run - be griefed - re-enter - receive donation - value change - run out of gas - round incorrectly
3
2
33
@giraffe0x
giraffe
9 months
It's crazy how many 'audit' firms out there just run automated analysis, generate an automated report and declare the contracts secure and safe 😱 For that same money, I bet the client could have paid for a decent solo auditor and get 100x more value
12
4
32
@giraffe0x
giraffe
9 months
IMO the most important skill for any new solidity dev or auditor is learning to be RESOURCEFUL If you have to ask for a roadmap, or where to start you're sadly ngmi So many good resources out there you're literally spoilt for choice I compare this to my previous career as a..
4
1
32
@giraffe0x
giraffe
9 months
TIL that even though data is omitted in: (bool success, ) = _to.call{value: msg.value}("") it doesn't mean that contract doesn't handle it ❌ data returned is STILL copied to memory which presents a form of gas griefing attack 👇...
2
1
32
@giraffe0x
giraffe
6 months
Seneca is a fork of @Abracadabra_MIM 's Cauldron V4 contract Bigger lesson here is the danger in blindly forking code _call is a dangerous function only protecting callee if the address is blacklisted In Seneca's case the BentoBox (vault) was blacklisted and safe, but users who
@danielvf
Daniel Von Fange
6 months
Here's the bug in Seneca's code that is getting users drained. Revoke approvals to them immediately. I've been kicked out of their Discord for trying to warn users, and they are actively deleting messages about this there.
11
33
147
4
3
30
@giraffe0x
giraffe
6 months
Most interesting/unique bugs come towards the end of the review period Don’t underestimate the potential of doing one more pass through the codebase… never know what you or others have missed!
@0xOwenThurm
Owen | Guardian
6 months
Auditor alpha: "H-05: Native Yield Token Yields Cannot Be Configured After Deployment" Courtesy of @giraffe0x 🫡
0
3
21
3
1
27
@giraffe0x
giraffe
10 months
Another milestone this month ✨ Got my first private audit (small one)… and without putting up “DM for audits” ! Creativity is so underrated… Applies not just to the actual audit but also for related tasks (escalations, networking, getting clients etc)
4
0
28
@giraffe0x
giraffe
2 years
@AlgodTrading interesting twitter algo 🤔
1
2
27
@giraffe0x
giraffe
6 months
Dencun upgrade hits mainnet in a few days time 📣 Among the upgrades is EIP 6780: changes to SELFDESTRUCT Is it going to be deprecated? TLDR no What are the security implications? Read more to find out 👇
3
4
25
@giraffe0x
giraffe
10 months
4th place! A bittersweet victory 🦒 In my audit journey where I'm no longer new but also not quite pro yet - the hardest phase imo To all those in the same boat, an encouragement to keep pushing and not give up. Light at the end of a tunnel, we will have our glory one day
@sherlockdefi
SHERLOCK
10 months
@PopsicleFinance @IAm0x52 @HHK_eth @0xDetermination 🏆 @PopsicleFinance Audit Contest Results 🏆 4. @giraffe0x - $1,216.39 5. Bauer - $904.83 6. @0xArmedGoose - $781.52 7. detectiveking - $730.87 8. @0xOndrejJuda - $574.04 9. @talfao1 - $574.04 10. mstpr-brainbot - $485.52
2
0
3
4
1
26
@giraffe0x
giraffe
5 months
Best days are doing what you love and making money while at it. Today: Breakthrough and finding first bug in a complex codebase Also made big change buying Ansem’s cat while browsing CT over breakfast
4
1
24
@giraffe0x
giraffe
9 months
Having a mentor is priceless, but finding a good one is not easy. Thanks @GeorgeHNTR , I'll do my best and hope to similarly give back to the community one day 🙏
@GeorgeHNTR
George Hunter
9 months
@nisedo_ @milotruck @deadrosesxyz @0xT1MOH I think I've done something similar with a few other people who are either close to me or just seem very serious and motivated, but @deadrosesxyz showed the best results and managed to extract the most value out of me. Someone I'm currently helping in a similar way is @giraffe0x
1
0
16
3
2
26
@giraffe0x
giraffe
7 months
Did you know? That ERC20 and 721 both have the same transferFrom() function selector? transferFrom(address,address,uint256) What could go wrong? 🤷🏼‍♂️
7
1
24
@giraffe0x
giraffe
8 months
Reviewing what I missed from @MorphoLabs contest on @cantinaxyz Here's another creative one from @milotruck to learn from: "Deviation in oracle price could lead to arbitrage in high LLTV markets" /🧵
1
2
24
@giraffe0x
giraffe
5 months
With 3074 going live soon, such EOA checks may no longer work as expected Submitted a related finding in the Rio contest, but unfortunately was judged OOS ☹️
@0xCygaar
cygaar
5 months
EIP-3074 was just approved to go live in the next Ethereum hard fork. This EIP will forever change how users interact on EVM chains, making wallet UX simpler, cheaper, and more powerful. Here's a high level overview of EIP-3074 and how it'll change the game 🧵:
97
559
2K
2
1
23
@giraffe0x
giraffe
10 months
Can you spot the bad 'K' error here? Related to Uniswap V2 'swap' function that also doubles up as a flash loan function Dived deep into this with @RareSkills_io
@Phalcon_xyz
BlockSec Phalcon
10 months
Probably another example of bad 'K' value verification that resulted in a loss of ~$30K.
0
1
24
12
2
20
@giraffe0x
giraffe
10 months
Definitely good alpha. Came up in the recent Aloe contest too: ❌ Error: uint160(uint160 a * uint56 b) Intermediate result of a * b can overflow uint160 ✅ Fix: uint160(uint256(uint160 a) * uint56 b) Cast to uint256 first then multiply
@GeorgeHNTR
George Hunter
11 months
Solidity Alpha: When casting the result of any arithmetic operation like: int256 diff = int256(currPrice - lastPrice); The result is first stored in the larger type of the 2 variables and only then casted. This can lead to a critical vulnerability that may easily be missed. 👇
7
24
199
3
2
21
@giraffe0x
giraffe
9 months
🔧 Foundry Tip: Common to see this in tests: vm.assume(a > 0 && a < 100) Which might cause "cheatcode rejected too many inputs" error. 🚨 "assume" should only be used for narrow checks i.e. vm.assume(a != 1); For broader checks, use "bound" instead: a = bound(a, 1, 99)
1
0
22
@giraffe0x
giraffe
10 months
I watched 2 whole hours of @milotruck so you don't have to. Here are my takeaways... Kidding 🤣 Was an absolute joy to listen to this on the plane Took down some notes for future reference: 1/
@RealJohnnyTime
JohnnyTime 🤓🔥
10 months
The wait is over, and it's finally here! 🎉 I just dropped an exclusive interview with the @code4rena rising star, @MiloTruck . You won't believe the insights and secrets revealed! 🕵️‍♂️ 🧵 (Either watch now or bookmark for later!)
9
3
95
2
1
19
@giraffe0x
giraffe
10 months
Completed my first judging contest! 🚀🚀 Would recommend it to any junior auditor looking to level up faster.
4
2
17
@giraffe0x
giraffe
1 year
Time to bring back #stakefromhome @superphiz ? Didn’t have a home node during the Merge last year.. not missing out this time! Upgraded to smart node v1.9.1 ready for #shapella #Ethereum $RPL 🚀
1
1
19
@giraffe0x
giraffe
2 years
Day 17 of #30daysweb3security @Web3SecurityDAO Today I set up my very first @Rocket_Pool home node validator 🔥 In the process, I learnt more about MEV which I will share below 👇
2
3
14
@giraffe0x
giraffe
8 months
Honestly, when I left the Air Force I had no idea how the year would play out. Expected to take things slow and was worried if I would even find a job as a software engineer.. Crazy what happens when you just follow where your passion and interests lead you...
1
0
17
@giraffe0x
giraffe
5 months
Shitcoin Researcher 🤝
@0xOwenThurm
Owen | Guardian
5 months
@giraffe0x The SR x Shitcoin trader build is extremely underrated.
1
0
6
2
1
17
@giraffe0x
giraffe
7 months
Double-checking to be double-sure 💪💪 lol * From a codebase I'm reviewing
5
0
17
@giraffe0x
giraffe
8 months
In 2024 I will - Set aside time daily to increase knowledge in security - Grind contests weekly, aiming for 5 more top 5s - Post regularly about my wins, my losses and my learnings - Triple my followers on X - Find 3 clients for private audits Looking forward to review this in
3
0
18
@giraffe0x
giraffe
5 months
100% agree. Very exhausting for me as a person who’s generally conflict avoidant. Part about the community judges also true. Yes they’re so valuable to the process but sometimes can’t help but wonder if they: 1) have enough context and insight to the codebase, 2) are spread too
@0xFlint_
Flint
5 months
I couldn't do any auditing last week, but I had the "pleasure" of experiencing the judging process on one of the major platforms. Like @deadrosesxyz , I'd like to share my thoughts. 1. I dislike the adversarial setup The system is set up so that each actor is pitted against
13
0
65
1
1
18
@giraffe0x
giraffe
7 months
I was analyzing the @SocketDotTech exploit while it was ongoing, which then gave me ideas to look for a similar bug in a contest I was in... Led to a confirmed high 🔥
3
0
17
@giraffe0x
giraffe
7 months
Learning Yul/Assembly has given me a deeper understanding of the EVM Ever wondered how Events are emitted under the hood? How many max arguments? How indexed vs non-indexed args are handled? Anonymous events? Gas cost? /🧵
2
1
16
@giraffe0x
giraffe
6 months
"giraffe don't eat grass, they eat bugs" - @0xnirlin
1
2
15
@giraffe0x
giraffe
10 years
Real estating is more than just buy hold sell http://t.co/gN6wt906Ek
0
0
8
@giraffe0x
giraffe
11 months
Great challenge to strengthen my Solidity knowledge Despite reading the answers in the comments, it still took me a while to really understand it Sharing in more detail here for anyone keen! 🧵
@paladin_marco
Marco Paladin
2 years
⏰Solidity challenge time ⏰ So you think you are good at Solidity... When do these functions revert? 👇
32
124
372
3
1
15
@giraffe0x
giraffe
10 months
Wasted a good 5 days doing the Seneca contest on @sherlockdefi only to see it cancelled due to some licensing issue Had 3 highs / 4 med reports written up and ready to submit Frustrated but moving on.
@giraffe0x
giraffe
10 months
@SenecaUSD @sherlockdefi @SenecaUSD I found 3 highs and 4 mediums during the @sherlockdefi contest which I believe to be valid. Some of the findings are related to the LayerZero implementations which are unrelated to @MIM_Spell . Rather than let them go to waste, I can share them with you privately
2
0
6
2
0
15
@giraffe0x
giraffe
6 months
@SoloditOfficial website down.. auditooors:
1
1
14
@giraffe0x
giraffe
10 months
Choosing the right audit contest is crucial. 🎯 Initially, the Ethena Labs contest seemed to check all the boxes: 1) an interesting project, 2) not too complex code, 3) low sLOC. 😌
3
0
11
@giraffe0x
giraffe
7 months
Answer: transfer and burn should not be msg.sender as approved account could be calling this transfer would send tokens to approved account instead of owner of tokenId (dangerous) burn() would revert when called by approved account as they do not own the tokenId (DOS)
2
0
12
@giraffe0x
giraffe
7 months
No funds lost here, just annoying DOS and poor UX How do we solve this? Use a try/catch as recommended by Openzeppelin:
2
1
12
@giraffe0x
giraffe
5 months
@OpalDeFi @Balancer @xiaoming9090 (aka Balancer God) previous reports helped a ton for gaining context and attack ideas 😉
2
0
13
@giraffe0x
giraffe
6 months
B: If upgradeability involves inheritance (as in the example above), then the inherited contract should have a storage 'gap' Why? So that if PoolModel is upgraded with additional variables, it will not conflict with storage slots previously written on the proxy
1
0
12
@giraffe0x
giraffe
11 months
Proofs also represent a decimal value, which makes comparison possible During tree construction, proofs are pre-sorted by value. So, E < F Now, when the contract verifies the proof, it also sorts by value, guiding it to the correct left or right hash. Pretty neat, right? 😊
0
0
11
@giraffe0x
giraffe
6 months
A: If contract is meant to be upgradeable, the imports from OZ should not be from 'regular' contracts but from "contracts-upgradeable" These upgradeable contracts will have special init functions instead of a constructor to ensure proper interaction with the proxy
1
0
12
@giraffe0x
giraffe
4 months
I agree this is a problem These days I hesitate to submit an obvious bug/error if I know it will be invalidated by contest rules Yet, I recognize that clear rules are necessary to avoid overwhelming submissions that are OOS or lacking in impact A sponsor agreeing to fix
@milotruck
MiloTruck
4 months
@trust__90 @sherlockdefi @Optimism Should link to this instead: The number of bugs that will be fixed but aren't rewarded
6
1
37
0
0
11
@giraffe0x
giraffe
10 months
Gd step-by-step analysis of the hack Combination of donation + precision error 1. Flashloan cbETH and donate to inflate collateral index 2. Mint shares taking advantage of precision calc issue 3. Redeem back for cbETH to repay flashloan 4. Borrow $R off shares, sell & profit
@MetaTrustLabs
MetaTrust Labs
10 months
The stablecoin protocol @raft_fi was under a flash loan attack. It resulted in ~6.7m stablecoin $R being minted and the protocol lost $3.6M 🚨 The root cause is the precision calculation issue when minting share tokens, which is used by the hacker to get extra share tokens. 1/N
4
10
57
1
0
10
@giraffe0x
giraffe
8 months
Or this. Keeping the goal simple for 2024: Show up daily, avoid distractions
@PatrickAlphaC
Patrick Collins
8 months
Smart contract auditor roadmap: 1. Do a lot of security reviews 2. After each review, figure out how to do better on the next one You can get a lot of this on a competitive audit platform like @codehawks . Just keep doing. That’s the roadmap.
14
44
301
0
0
11
@giraffe0x
giraffe
9 months
Every time I post about an audit win or see the community doing it I think about this... 🤣
1
1
10
@giraffe0x
giraffe
9 months
My last contest for the year! Didn't do as well as expected... 1 High 1 Med valid out of 7 submissions, due to my misunderstanding of a key logic in the codebase Will reflect and learn from my mistakes and look forward to the next 💪
@sherlockdefi
SHERLOCK
9 months
@nounsbuilder @IAm0x52 @Niroh @UnforgivenCode @coffiasse @HHK_eth @xAriextz @BKWeb3 🏆 @nounsbuilder Audit Contest Results 🏆 18. giraffe - $850.38 19. kutugu - $828.44 20. Tricko - $828.44 21. Inspex - $828.44 22. @I_am_0xMosh - $828.44 23. @0xPopeye_ - $828.44 24. @ge6a_bg - $21.94
1
0
0
0
0
10
@giraffe0x
giraffe
8 months
Anyone else doing the Zerolend contest on @cantinaxyz ? Found a bug but can’t figure out how to show/prove it. Would love to have someone to discuss with. DM me discord giraffe0x
0
1
10
@giraffe0x
giraffe
2 years
@mrjasonchoi time lag between an event emitted and the graph updating. causes a bit of frontend headache
1
1
10
@giraffe0x
giraffe
2 years
Day 27 of #30daysweb3security @Web3SecurityDAO Amazing video by @0xOwenThurm explaining signature malleability exploits in such a clear and concise way.. I finally get it! I try to summarize below which helps me remember better 👇
1
1
10
@giraffe0x
giraffe
6 months
C: No initial storage values should be declared! It is akin to setting it in the implementation's constructor... Meaning when the proxy does a delegatecall, it expects `duration` to be 3 * 30 days but it is actually 0 (the default value for uint256) Only constants and
3
0
9
@giraffe0x
giraffe
7 months
User submits tx to depositWithPermit() Attacker frontruns, takes the signature and call token.permit() themselves Since the signature is valid, token will accept it and increase the nonce When user's tx is mined, it fails due to incorrect nonce
1
0
8
@giraffe0x
giraffe
11 months
The contract has only two pieces of information: 1. Relevant proofs (Proof F, Hash G-H, Hash A-D) 2. Merkle root The solution? It's surprisingly elegant!
1
0
9
@giraffe0x
giraffe
3 years
@sassal0x 4 Aug my birth date. a sign from the universe perhaps!
1
0
8
@giraffe0x
giraffe
11 months
Great refresher on abi.encode / encodePacked for those attempting the @BrahmaFi audit with @code4rena Really gets to the nuances that I can't find anywhere else
@bytes032
@bytes032.xyz
2 years
I've prepared a 🧵 for you on - Whats the difference between abi.encode() & abi.encodePacked() - Whats their use case with keccak256 - How to use them safely and prevent hash collisions If you find this helpful, retweet to reach more devs & auditors and make this space safer 🫡
7
42
184
0
0
9
@giraffe0x
giraffe
4 months
15% * 0 = 0
@LayerZero_Labs
LayerZero Labs
4 months
We believe it is in the protocol's best interest to distribute tokens to durable users — not sybil farmers. If you are a sybil, you have two options: – Self-report sybil addresses for 15% of your intended allocation. No questions asked. The deadline to do so is May 17th. – Do
3K
1K
5K
0
0
9
@giraffe0x
giraffe
8 months
1,000 followers! 🙈
2
0
9
@giraffe0x
giraffe
10 months
Starting the day right. What a feeling! Confirmed 1 high, 1 medium for the @PopsicleFinance contest thanks for the help @gogotheauditor 😉
3
0
9
@giraffe0x
giraffe
8 months
@optimizoor In 2021 accidentally uploaded my private key to github and got drained… The account held 2 @pudgypenguins 😭Could never bring myself to buy back in.. now i watch from the sidelines as they pump 😭😭😭
4
0
8
@giraffe0x
giraffe
7 months
@optimizoor 💯! SSTORE between 0 and non-zero costs 20_000 gas while a non-zero to non-zero only costs 100 gas
2
0
8
@giraffe0x
giraffe
2 years
🔥 Day 2 of #30daysweb3security @Web3SecurityDAO Today I learnt THREE interesting gas saving tips 🧵: 1. Changing a uint from zero to non-zero costs 20k gas, but only 5k gas when changed from non-zero to non-zero. So, start your NFT totalSupply from 1 instead of 0!
1
0
7
@giraffe0x
giraffe
9 months
If the _to receiver is malicious, it can send back a very large data payload Memory allocation then becomes very costly such that the tx reverts, or the msg.sender of the tx has to pay a huge amount of gas Learnt this reading pashov's writeup here:
2
0
8
@giraffe0x
giraffe
1 year
Earlier this month, @BuildOnBase released a challenge with a small bounty It was a well-designed and super fun test of knowledge of EVM ECDSA signatures I will share how I solved it, a 🧵👇
@base
Base
2 years
BOUNTY ALERT: We're looking for web3 enthusiasts to solve our crypto bounty! First 50 finishers will get $250 in ETH, first 500 finishers will earn an exclusive NFT, and an opportunity to score a convo with a recruiter at Coinbase. 👀 Check it out 👇
105
204
686
3
3
8
@giraffe0x
giraffe
8 months
Great thread. I didn't get the answer right, the 8/10th tweet helped cement my understanding 💪
@TaylorWebb_eth
TaylorWebb.eth 🦇🔊🏴
8 months
🧵1 / 10 This thread will test your understanding of delegatecall, and introduce a mental model for understanding its execution context. Quiz The following chain of function calls is executed: In the context of the call from C to D, msg.sender is which of the following? a) EOA
3
17
93
1
0
8
@giraffe0x
giraffe
1 year
For others like me who have a previously compromised wallet that is eligible for the @arbitrum airdrop, I wrote a script that *might* help against the hackers and bots Not sure who it might help. And let me know if it can be improved!
2
0
4
@giraffe0x
giraffe
2 years
Wow. Used @OpenAI DALL-E 2 to merge some photos to represent my transition into the metaverse and was completely blown away! Humanoid avatar was generated by AI too. Penguin NFT and ENS added by me to complete a new twitter profile banner 😅 #dalle2 #Metaverse #PudgyPenguins
1
1
7
@giraffe0x
giraffe
6 months
D: _disableInitializer() should be called in implementation's constructor why? This sets `initialized = type(uint64.max)`. So no one can call `initialize()` directly on the implementation, which otherwise could have impact on the proxy `initialize` should be only callable
1
1
8