nican0r
@nican0r
Web3 Security Researcher | Writing and Fuzzing @getreconxyz | Physics Enjoyer
Joined July 2020
This article has been something I've wanted to put out for a long time because it's what I wish I had when I was getting started with fuzzing. It was only with @alcueca's help through multiple rounds of editing that we were able to get it to a point where it can help the absolute beginner without overwhelming them with too much new information. This is only the beginning, we've got many more of these types of articles in the works to onboard more people into the world of fuzzing!
In this article you'll learn how to get from 0 to 1 with Invariant Testing:
- How to get started
- The main problems to solve for Invariant Testing
- How to write meaningful invariants
Written by @nican0r and @alcueca
Link in the next tweet!👇
RT @getreconxyz: A lot of new projects are deploying.
Their opsec is lackluster.
Their multisigs are a joke.
Time to fix this.
Stacked Office…
The limiting factor in most engagements usually ends up being the time you have to actually implement invariants. So you need to make sure the ones you're implementing actually offer a good bang for your buck. This all starts with actually understanding what the system you're looking at is supposed to be doing, so you define invariants that actually help you find non-obvious issues. This post can help you with the first step in that process. In the next one we'll look at how we actually implement them as code. Stay tuned 👀
RT @getreconxyz: New Year, New Security Goals?
Make your resolution count, book an audit with Recon today!
With our advanced fuzzing te…
This has been the most successful year I've ever had. At the start of the year I knew basically nothing about fuzzing but was incredibly fortunate to learn from one of the goats @agfviggiano 🐐 while writing for the all things fuzzy substack, and published my first fuzzing-related post in February. I kept writing and learning about fuzzing, and in May was given an opportunity by @agfviggiano and @GalloDaSballo to join the @getreconxyz team writing articles and enhancing my fuzzing skills. A couple of months later I was given the opportunity to work with the chads at @GuardianAudits and @perimeter_sec for some engagements. I also had an article get mentioned in @WeekInEthNews, gave a talk about fuzzing in my non-native language at @h2hconference, and got to attend Devcon in Bangkok. While in Thailand I also got open water scuba certified 🤿, which has been on my list for many years now and wouldn't have been possible without the lifestyle that this field allows.

It still doesn't feel real to me to get to work alongside such amazingly talented people as I do; without their patience and willingness to take a gamble on me I definitely wouldn't have made it this far. 🙏

Having to turn away from contests to focus on becoming a better fuzzing engineer, while seeing other people that started around the same time as me getting better in their competition results and having no quantifier of my own progress, honestly got to my head for a bit. But of course, over the course of the year I did get better at fuzzing and now only partially feel like an imposter. 🤡

The old saying about people overestimating what they can do in a day but underestimating what they can do in a year really feels like it sums up this year for me. I used to think in time horizons of a couple of months and would constantly get disappointed when I wouldn't make the progress I wanted, get frustrated, and give up on whatever it was I was trying to do.

Learning to shift my thinking to be in the span of years and being okay with sucking for a while has made it a lot easier to actually make any progress, because any perceived setback or lack of progress turns out to be insignificant in the long run. So to anyone who needs to hear this: just... keep... going
Inspired by @Montyly's talk at FuzzFest about contributing to Medusa, I spent my free time this week diving into Go and the Medusa codebase. I haven't felt this lost since the first time I opened a repo on code4rena, but it's also awesome to learn how one of the tools I've been using almost every day works under the hood. The fear of not knowing how something works, then slowly figuring it out through trial and error (and now with the help of an AI teacher), is probably one of the most rewarding feelings that there is. First contribution coming (hopefully) soon 👀⏰🤞
RT @evan_van_ness: #MostClicked
* @gpersoon wins Underhanded @Solidity_lang Contest
* @VitalikButerin on future Eth PoS changes
* @worldco…
This process has been one of the keys to helping me advance my fuzzing techniques. Struggling through something yourself is often the best way to learn, but the second best way is to learn from other people's experience. It's less painful, but I'd say it offers about 90% of the learning retention because of having to try and explain back the lessons learned in a way that makes sense.
My retrospective on the 2nd engagement we did for Centrifuge.
The way we write them:
- Engineer does the work (in this case me)
- Engineer whiteboards the learnings to the rest of the team
- @nican0r digests and turns it into an article for you
This way the whole team learns.
It can be easy to feel like you understand an exploit when you just read it in a report, but for me at least this doesn't really help with committing it to long-term memory. Going through the process of creating fuzz tests to catch 3 of the vulnerabilities from @RenzoProtocol's @code4rena competition, however, has helped ingrain in my mind to always be on the lookout for issues related to delayed withdrawals in protocols that integrate with @eigenlayer. A lot of people recommend that SRs who are getting started read audit reports, and in the time I spent creating these tests I could've probably read the report of every protocol that integrates with EigenLayer, but now I know I can reproduce these issues from memory, whereas I might only remember surface-level details if I had read the report (depth of understanding > breadth of understanding). If you also want to fuzz integrating protocols, check out the eigenlayer-fuzzing repo I built:
In this post we look at how we used the renzo-fuzzing repo we've developed to find 3 real high-severity vulnerabilities in Renzo uncovered during the @code4rena competition that could've been caught with well-defined properties.
This was part one of an adventure in learning about a whole new ecosystem that continues to make me bullish about Ethereum the more I learn about it. Looking forward to digging into @eigenlayer more and building tools that can help integrating protocols ensure their security. Will be sharing lessons learned along the way.
In this written article @nican0r talks about the Eigenlayer Fuzzing starter kit we just released! You can use it to run invariant tests when building on top of Eigenlayer.
Let me know what you think!
-Alex
I feel incredibly humbled to be a part of this team. A couple of months ago these were the people I was looking up to (and still do) in the fuzzing space; getting to work with them still feels surreal.
We've been around for a while, but today we are officially launching Perimeter! We are a guild of fuzzing specialists dedicated to providing the absolute highest quality fuzzing services in the world.
Introducing our world-class team:
- @0xScourgedev - Has been engaged in fuzzing engagements with some of the world's largest protocols such as @pendle_fi
- @rappie_eth - An OG of fuzzing, delivering top quality results in each of his engagements, and is actively building open-source libraries and resources for the fuzzing community
- @agfviggiano - Is a pioneer in the fuzzing space, consistently associated with excellence in his work, and actively contributes to numerous initiatives for fuzzing education
- @nican0r - He is meticulous in his work, creates exceptional technical articles about fuzzing, and is a rising star in the fuzzing space
Stay tuned for more exciting announcements coming soon 👀
Learn more about us at our website:
The best advice I've gotten from @GalloDaSballo on invariant testing (and software development generally) is summed up by: write less, think more. While counterintuitive, it's been extremely helpful to remind me to think about what I'm trying to accomplish before writing a single line of code. After you have the basics down, anyone can write a test suite, but what differentiates one that's effective and tests what it's supposed to from one that doesn't achieve coverage and doesn't actually test anything is the thought you put into understanding the system to know what actually needs to be tested, and then working within those constraints in a way that's maintainable and understandable for everyone else that may interact with it. I still have much to learn on this front, but boy does it make things a lot more interesting to break down a problem and try to engineer an optimal solution for it.
Recently used this in a test suite setup and it really is a great little tool. Even though it solves a simple problem, it saves time and gives you one less thing to think about; there's not much more you can ask for in a tool. It's the kind of thing that makes you wonder why it hadn't been done sooner. Nice work @CodeIsLight!
Given a network, get a token addy and a whale + snippet to prank and transfer.
Awesome work by @CodeIsLight! (You need this for Medusa and Echidna)