nmirchev8
@nmirchev8
Followers
905
Following
227
Media
55
Statuses
775
Security to the world! Smart Contract Security Researcher Part of @EgisSec
Joined June 2023
Don't wanna be here?
Send us removal request.
Explore trending content on Musk Viewer
Pinned Tweet
Stay 🔊 , guys!
@dethSCA
is an amazing player and we have a lot of value to provide. We have been working for only 2 weeks together, but it is so charging and we promise quality and results to the web3 space❗️💯
Announcing
@EgisSec
.
@nmirchev8
and I are combining our strengths to provide better security services than we could ever do alone.
We have just finished our first private engagement with
@TrotelCoin
and will post the report very soon. 👀
6
10
70
0
0
27
Had great fun auditing in Cairo. 💯
Glad to see some results after all! 💪
16
3
102
Win $1000!
At
@EgisSec
, we were inspired and supported by other researchers, and we want to do the same for those who are starting right now.
That's why we plan to give $1000 to the winner of the following challenge. ↓
60
44
94
🥉 Achieving 3rd place in my 3rd contest, all within two months of diving into Solidity, while working on two jobs– a testament to the power of dedication and learning.
👋 Today marks my last day at my Web 2.0 job, and it feels like a promising new beginning.
Awards have been announced for the
@sparkn_io
contest 🤝
Top 5:
🥇
@CMierez_
- $1097.68 USDC
🥈 Silver Hawks(
@magnetto90
adriro) - $914.05 USDC
🥉
@nikola_mirchev8
- $845.65 USDC
🏅 maanas - $841.73 USDC
🏅
@97Sabit
- $662.24 USDC
(1/2)
3
7
58
17
3
72
- 5th place on
@open_dollar
contest on
@code4rena
- First unique finding!
- 3M, one of them is partial. What if I had explained it better...
🔝🤘
9
5
69
This alpha is so good that I was wondering whether to share it or not 🤫
Why you should always pay attention when you see that a protocol is using "Solady-SafeTransferLib", instead of OZ implementation:
Solodit
Solodit is a platform that aggregates all findings from popular audit platforms.
solodit.xyz
4
7
69
Do you know why Bulgarians are so good at auditing?! 🥁🥁🥁
We always enjoy watching others do things and tell them they are not doing it correctly! 🥸
Apart from that... the community is rocket ship! 🚀
6
6
64
What are your wins in the sphere so far? 🔐
For 4 months I have:
- 4 H
- 11 M
- ~$4000 in wins
Looking forward for results from recent contests... 🙏
4
2
62
💪 Why being in web3 security is beneficial for whole range of skills
📒 It teaches you:
- about financess
- how to structure your understanding of abstract concepts and argument yourself
- to spot oppertunities
- to think outside the box
- to constantly learn while making cash
3
2
58
What makes a Security Researcher successful?
- Being persistent
- Being creative
- Being doubtful
- Asking the right questions
What prevents a Security Researcher from being successful?
- Pattern matching Issue
- Giving up too soon
- Searching for easy/short way
2
3
57
If you participate in
#ethereumcreditguild
on
@code4rena
and struggle to understand governor mechanism, here is a diagram that can help you out! 👇
2
2
54
So many opportunities to make money with Web3 Security. Follow and save the thread, so you have a complete list, which you can check anytime 👇
5
7
54
🏆
@EgisSec
is collecting 1st places from all contest platforms.
🧾 This is our ultimate proof for the quality of our services.
💯% coverage of H/M findings
Awards have been announced for the Sablier contest🤝
Top 5:
🥇
@EgisSec
- $11001.90
🥈
@ge6a_bg
- $6081.99
🥉
@drynooo
- $5132.41
🏅
@bladesec
- $3526.70
🏅
@DzordanTa1567
- $3492.09
(1/2)
4
3
61
7
1
54
Another result is out! 🏅
The most important team events was this competition because it was
@EgisSec
first team contest of many!
We will post Aprils stats in a couple of days. 📈
12
3
52
I guarantee
@EgisSec
is a great choice for your security review.
🏆Check out our performance competing with other researchers in the space on different platforms.
🥇- 5
🥈- 2
🥉- 1
3
3
51
"Mom, I am on
@code4rena
tweet"
Awards have been announced for the $36,500 USDC
@open_dollar
audit 🤝
Top 5:
🥇
@0xhals
- $2,698.44 USDC
🥈
@McgrathCoutinho
- $2,583.24 USDC
🥉 yashar - $2,468.82 USDC
🏅 klau5 - $2,455.71 USDC
🏅 nmirchev8 - $2,356.66 USDC (1/2)
5
3
39
8
0
48
Many people have asked me if we (
@EgisSec
) are planning to organize an internships. Even though we don't plan to do it right now, I believe this moment will come shortly.
Until then I will provide you with a plan for one. 👇
2
6
48
6(5)th place on
@MorpheusAIs
Thank you
@CodeHawks
for taking the right judging decision!
Web3sec is wild!
Found the issue under 30 min...
7
0
41
How auditing helps me in my work as a developer:
• Teaches me to understand different codebases/architectures much faster
• I am carefull when writing code. Is it safe? How can be exploited?
• Makes me write better test cases
You decide wether to audit, or go to the coffee
6
3
42
We, in
@EgisSec
triple-check each line of code to ensure our best quality and coverage.
We check for many types of vulnerabilities such as:
- Logical errors
- External integrations
- Edge case inputs
- Rounding Errors
- Reentrancy Paths
- Frontrunning Scenarios
And many more.
0
4
37
There it is!
@EgisSec
first-ever private engagement is now publicly available! It is a small audit we conducted for
@Lambdalf_dev
, who has developed ERC721/ERC1155 libraries with better gas performance than OZ ones.
Check details in the report:
2
2
35
Security Alert! 🚨
Did you know that in Solidity if you assign one memory struct to another, you assign the pointer and do not make a deep copy! If developers are not aware of this behaviour, this can result in major impact 💣
Interesting article:
1
6
35
🚨 Security Alert Regarding EIP712 🚨
Always be careful when you see array, which is being hashed!
🗝️ Array Hashing: When hashing arrays in EIP712, each element must be hashed individually, and then these hashes should be combined in a deterministic order (like sorted or based
2
3
36
Best extension ever!
@MartinMarchev
showed it to me months ago, and I'm grateful 🙏. 'MetaDock' is a must-add to your toolbox, especially if you want to easily explore the code dependencies of the protocol you're auditing!
Link in thread 👇
4
4
32
I have participated in
@VeridiseInc
workshop regarding ZK-Snarks and their zk tools for researches. 🔐
There were challenges and $ for first 5 at the end.
Guess where is me... 😮💨
Nevertheless the knowledge worths more and it was amazing.
Thank you guys! 🙏
2
3
33
🚀 For
@EgisSec
was a great experience to participate in Hats contest.
💸 Really high reward rate for those who can spot the bugs!
🏆Winners🏆
🥇 $4,500 - 1 Medium, 1 Low -
@EgisSec
(
@nmirchev8
&
@dethSCA
)
🥈 $4,000 - 1 Medium - 0x5a73...102e
🎖️ $1,500 - Lead Auditor
@p_tsanev
1
2
11
5
1
32
Here is my flow before diving into writing a PoC of a complex protocol with bad test suites.
If it is a calculation lead:
Open up and try example values.
If it is logic:
Open up
and start playing around with the suspicious part.
2
3
31
Do you wonder what kind of protocol bugs bring most ROI?
If you see highest paid bounties, those are bugs in bridges between mainnet and some L2 chain.
Nowadays it is common to see a launch of a new chain, which is a fork of some famous client. So study those bridge bugs. ↓
1
1
30
I'm thrilled to announce that I recently had the chance to contribute to strengthening the solid code base of
@amet_finance
. 🙏
I wish them a lot of success with the project. 💯
You can check my report here: 👇
4
3
30
Do you participate in
@MorphoLabs
contest on
@cantinaxyz
⁉️
I think that documentation and onboarding experience is a blast and you guys made the ultimate de facto how a protocol should look like before an audit.
Thanks a lot! 🙏
2
2
31
For all your friends, which you pitch to web3 sec 💯🔐
Here is my repo with great educational resources 📒
0
6
30
And when I see this, I know it is time to sit on my ass and study harder past audits... 📝
1
0
29
I will give you №1 tool for your cross-chain PoC.
Writing a fork, or unit test for a cross-chain project may be overwhelming and time-consuming
With this library you can rapidly start writing your actual PoC. ↓
2
2
29
Don't rush an audit!
If you are not familiar with bridges, taka your time to study the basics and do not try to pattern match from Solodit.
This will save you time, trust me! 💯
3
0
29
Sport The Bug Challenge
#1
Here is a real code snippet with an issue in it.
Could you point it out?
Will post the answer as a comment in 2 days.
2
4
29
Another great article by
@DevDacian
about precision loss issues and how to spot them, when it's not obvious. 🔍
Also perfect example of how to use fuzz testing like a boss. 😎
0
6
27
I found this article from
@OpenZeppelin
about their solution to the ERC4626 Inflation Attacks, which explains in depth the details of the problem:
0
4
28
Just received my first payout from
@code4rena
! 🥳
It may not be much, but I'm extremely satisfied with just one day spent diving into
@centrifuge
's rock-solid codebase.
Plus, I'm thrilled to be one step closer to a backstage role! 🚀
#Code4Rena
#Centrifuge
3
1
26
🔥 Ready for some blockchain truth bombs?
💣 Maybe more than 75% of blockchain protocols revolve around borrowing/lending. 🚀 That's why I never miss a beat on this topic! Dive deep with
@DevDacian
's article for all the crucial insights! 💡
3
3
27
Choosing the right contests is crucial for success. I spend a lot of time researching before participating. I'm excited to share detailed "daily warden" threads about ongoing competitions.
Let's kickstart this journey! 🧵👇
Share if you're interested in frequent updates!
2
3
26
This days I am going through Cairo and it is really exciting to figure out how much I love Solidity. 🧐
2
1
26
Strike me with your beat Web3 security blog, article, threads, etc.
Let's make a gem thread with useful info.
6
4
24
This is a kickstart to all beginners, who want to quickly immerse themselves and begin participating in contests.
If you manage to go navigate between the following topics and understand the problems really, I promise you, your name will soon be high in the leaderboard. ↓
2
4
26
Based on overall issues I am quite happy with my result on last
#SteadyFi
on
@CodeHawks
.
I am also happy that I am on a streak with good results!
Thank you for the oppertunity. 💪✌️
3
2
25
🏅I would lie if I say that we (
@EgisSec
) are not surprised with our Aave contest results.
🚀 Especially considering we have spent only one day on it.
4
2
24
Pretty good article on one of the most powerful tools to expoiters
0
5
24
Surprise! 💥
Another 🥇with a cool article about our team process.
Check it out! 👇
Solo or team audit 👀?
@EgisSec
team, led by
@dethSCA
&
@nmirchev8
, shared what their experience was like participating and winning the Convergence Audit Competition as a team in one of our guest spotlight articles🎩
Check out everything here 🔗
2
59
83
0
1
24
💡Quick advice for folks who want to dive into Solana ecosystem after spending some time on EVM 👇
3
4
24
🚨 A tip on what to do if you feel stuck on a codebase:
Have a good checklist of common vulnerabilities to check for 📝
I believe the following is almost mandatory for private audits, where you want best coverage for your client
0
3
24
🔍 Understanding the Diamond Proxy Pattern in Smart Contracts 🔄💎
Have you heard of the Diamond Proxy Pattern in
#Solidity
? 🤔 Let's dive into this powerful design pattern that enhances modularity and upgradability in smart contracts. 🚀
1
2
23
Soon more!
First contest results for
@EgisSec
.
Thank you to
@cantinaxyz
and
@VenusProtocol
for the opportunity.
Expect more results in the upcoming weeks. 💪
15
2
87
2
0
23
When you watch
@PatrickAlphaC
's great course and see yourself inside! This way you know everything he says is truth 😃😉
1
1
22
Hey, if you want to check out my solo submission (M-8) in the
@open_dollar
contest on C4, you can find the report here:
Feel free to review all the submissions, it might be beneficial for you. 🤘
3
1
22
‼️ Easy bugs you may overlook, if you dig into "complex logic" combinations mindset:
• Event emissions with correct data (after data has been updated)
• Setters for state vars, which are not set in the constructor
• Divisor obtained from a getter func, which may return 0
0
3
22
Security Alert!
Every time you see try/catch you should carefully examine the situation, because there are multiple situations, where the transaction will revert, without entering the 'catch' block. ↓
2
3
22
If you audit
@autonolas
be sure to go trough their repository docs. They are really good and helpful. 😊
Even if you don't participate, but you are interested in cross-chain governance, I suggest you to take a look at it. 👀👇
1
2
22
First team contest for
@EgisSec
It is time to show some results!
Congrats to
@SBSecurity_
for the cup! 🇧🇬
Congratulations to all those that participated in the
@VenusProtocol
competition! 🪐
Here are your top ranked researchers:
🥇 SBSecurity (
@Slavcheww
): $15,750.71
🥈
@zigtur
: $13,250
🥈EgisSec (
@dethSCA
/
@nmirchev8
): $13,250
🥈
@TamayoNft
: $13,250
🥉
@thepantherplus
: $1,250
1
0
34
2
2
21
Tech and web3 are all about decentralization and remote working.
You can be part of a rich community delivering alpha every day from anywhere in the world. ↓
1
2
20
Who is credited with the following secret?
"The time to improve in web3 sec is when there's blood in the streets."
1
1
19
If you are more of a practical learner or just want to observe protocol concepts from different aspects I suggest you to use for DAOs.
It is an awesome tool with a plenty of features that help you visualise voting processes. 🗳️
0
2
18
What do you know about reorgs on blockchain?
I thought I knew some things, but learned a ton from the following article by
@abarbatei
🙏
1
4
18
These days around security is super exciting! 🥳
@bytes032
with his initiative to match protocols with clients
@code4rena
with a bounty feature
@CyfrinAudits
with their learning platform
Guys... I go to bed nervous that I may miss something...
Thank you! 🙏
1
0
19
It is important to adopt different mindsets when doing audit sessions❗️
One time be a financial expert, who want to break the DeFi concepts in the protocol. 💰
Other time go with EVM nerd searching for code pitfall. 🐛
0
2
19
Just spent 3 hours crafting a Proof of Concept for the
@MaiaDAOEco
- Ulysses protocol in
@code4rena
. 🚀 It's amazing how much you can learn about architecture and omnichain concepts by diving in.
Moral of the story: start with a PoC as soon as you suspect something 💡🔎
0
0
16
🎉 Let's congratulate
@0xDenzi_
for being the winner in our initiative.
📈 He just 7.5x his reward from the competition thanks to
@EgisSec
💸 The reward has been sent
Win $1000!
At
@EgisSec
, we were inspired and supported by other researchers, and we want to do the same for those who are starting right now.
That's why we plan to give $1000 to the winner of the following challenge. ↓
60
44
94
2
1
18
Quiz time:
On which chains sandwich attacks are not possible and why?
Are there another issue on those chains, that is not present on those with sandwich malleability?
1
1
18
Rules:
- Participate in the contest at by "signing up" for the challenge. To do so, repost and comment on the main thread, and follow
@EgisSec
.
- Only for SRs with < $2K in previous contest winnings.
Reward:
The highest scorer wins $1000.
Happy hunting!
2
2
18
Do you wonder what kind of vulnerabilities are accepted for guaranteed bounty payout?
Checkout the best resource from the biggest in the industry:
Repository with reported issues trough
@immunefi
0
6
18
🚨 Top performers advice! 🚨
If you have an opportunity to audit a well written code of famous protocol vs bad code, which contains many easy to spot bugs, definitely go for the first one if you want to chase big goals! Process will teach you persistence and deep focus. 💯
0
2
18
If you are wondering if
@EgisSec
winning a contest is a one-time event...
Wait for another proof soon!
Another🏆added to
@EgisSec
's trophy room.🥇
This was a fun contest with some cool vulnerabilities.
Thanks
@sophon
and
@sherlockdefi
for the opportunity.
4
2
51
1
0
17
What are my goals in Web3?
Reach the level, where I meet
@deadrosesxyz
in person and tell him the story how I have been reading his nickname in bulgarian until couple of days: 🤫
"deadro-(some name)-e(is)-sexy"
4
0
17
Being a top auditor means always exploring the latest exploits and vectors. Your 'blackhat' mindset could be your key to success, but understanding what other 'blackhats' do will give you a significant advantage. 🕵️♂️🔒 Follow thread for must-reads:👇
2
2
16
1/4
Deep dive into derivatives and pitfalls you must watch before auditing such protocol! 👇
2
2
16
If you judge security competitions, you learn the most important auditor skill "doubt everything".
Because some of those reports contain very convincing assumptions, which most of the time are wrong.
If you manage to find that out, you will do it with developer assumptions too.
0
0
14
🚨 Audit Tip 🚨
To uncover more protocol vulnerabilities and bugs, dissect each module individually. Start by reviewing the protocol's test separation – developer's tests can be incredibly helpful in identifying each module as a distinct chunk. Gradually explore each part, and
0
2
16
🚨 Reward Staking Explained 🚨
Great video by SmartContractProgrammer on reward staking mechanism. Definitely must watch if you participate in C4 Unistaker contest! 👇
0
1
15
I will tell you how to understand the user flow inside a complex project the fastest way possible! 🤫 ⬇️
1
2
16
Sofia, Bulgaria is a great place to be if you want to develop in web3 sec.
Amazing and helpful community.
If have the opportunity to come to some events such as the following, you better not miss it
1
1
15
Do your draw diagrams of the projects you audit?✏️
The first picture is based only on docs.
I want to visualise everything I don't understand and compare my future knowleadge to it.
This is my initial writing on Maia Dao Ulysses.
(Suggest you not to use it 😁)
3
1
14
Our goal in
@EgisSec
is to provide high quality service with great value and special attitude.
This really motivates us!
0
2
17
If you are interested in analyzing different protocols and their security score, here are your ultimate companions.👇
1
3
14
Second second place for
@EgisSec
.
Thank to
@ShieldifySec
for the oppertunity.
More to come soon!
Thanks for participating: 🫡
1.
@zanderbyte
🥇
2.
@EgisSec
🥈
3.
@CarrotSmuggler
🥉
4.
@shealtielanz
5.
@Pelz_Dev
6.
@0xCaera
-
@el_hajin
-
@atharv_181
-
@p_tsanev
-
@MaslarovK
-
@___praise
0
3
21
1
0
14
Tips to optimize your contests:
- Seize opportunities when you have a lead; don't procrastinate.
- Begin with a Proof of Concept (PoC) to validate and ensure nothing is overlooked.
- If it is a valid one, spare some time to write down the report. This will save you a lot.
0
0
14
Alpha Alert! 🚨
It isn't safe to trust that operation inside the `catch` block of a `try/catch` statement would be executed, if inside the try block there is an untrusted external call, whose return value is being saved to memory.
Out of gas revert isn't catched❗️
1
1
14
What is the name of an attack vector, where the attacker benefits from tx between user interactions?
Like a "sandwich", but the bread is between two hams?
2
0
13
🚨 Daily short reminder 🚨
If you see that a protocol integrates stETH, always check how is the accounting managed, because stETH is a rebasing token and rewards are being distributed daily at 12pm UTC
0
0
14
It was nice experience to team up with another researcher. I should do it more often 💯
Had a nice experience participating in the Ethereum Credit Guild
@code4rena
contest with my team mate
@nmirchev8
who I learnt a lot from🫡
Got a nice little reward along with very good learnings✅
5
0
27
1
0
14
Today I have written 2 PoC tests for one issue demonstrating different impacts. ✌️
Have you done it too? 🤔
1
1
14
Backstage at
@code4rena
has been a game-changer. It's a guaranteed skill booster! Dive into a world of new ideas and practical learning, an exciting way to level up your skills. Event-driven studying – if that's even a term – is a blast!
#Code4Rena
🚀💡
1
0
14
Interesting Story:
I have received +backstage in the day the post-judging and successfully defended one of my findings! 🌟 (It was accepted as partial)
- 5th place on
@open_dollar
contest on
@code4rena
- First unique finding!
- 3M, one of them is partial. What if I had explained it better...
🔝🤘
9
5
69
3
1
14
🏁 So many contests, so little time! With parallel competitions on the horizon, how do you pick your battles?
🧐 Share your strategies and tips for choosing the perfect contest in a crowded field.
0
0
12
If you plan to participate
@BrahmaFi
contest in
@code4rena
I suggest you go through
@safe
docs & code 👇
2
1
11
A month of hard work, important decisions and corresponding outcome.
This is a 100% honest alpha.
You better check that out! 👇
0
0
13