Stay 🔊, guys!
@dethSCA is an amazing player and we have a lot of value to provide. We have been working together for only 2 weeks, but it is so energizing and we promise quality and results to the web3 space❗️💯
Announcing @EgisSec.
@nmirchev8 and I are combining our strengths to provide better security services than we could ever do alone.
We have just finished our first private engagement with @TrotelCoin and will post the report very soon. 👀
🥉 Achieving 3rd place in my 3rd contest, all within two months of diving into Solidity, while working two jobs – a testament to the power of dedication and learning.
👋 Today marks my last day at my Web 2.0 job, and it feels like a promising new beginning.
This alpha is so good that I was wondering whether to share it or not 🤫
Why you should always pay attention when you see that a protocol is using "Solady-SafeTransferLib" instead of the OZ implementation:
Do you know why Bulgarians are so good at auditing?! 🥁🥁🥁
We always enjoy watching others do things and tell them they are not doing it correctly! 🥸
Apart from that... the community is a rocket ship! 🚀
We have promised results and we serve! 🥇
This would never be possible if @dethSCA and I hadn't combined our experience under @EgisSec
- 1st place
- 1 unique high
- Highest coverage
- 10/12 High severity issues uncovered by
Do I have to say "More result soon"...
💪 Why being in web3 security is beneficial for a whole range of skills
📒 It teaches you:
- about finances
- how to structure your understanding of abstract concepts and argue your position
- to spot opportunities
- to think outside the box
- to constantly learn while making cash
What makes a Security Researcher successful?
- Being persistent
- Being creative
- Being doubtful
- Asking the right questions
What prevents a Security Researcher from being successful?
- Pattern-matching issues
- Giving up too soon
- Searching for the easy/short way
🏆 @EgisSec is collecting 1st places from all contest platforms.
🧾 This is our ultimate proof for the quality of our services.
💯% coverage of H/M findings
Another result is out! 🏅
The most important team event was this competition because it was @EgisSec's first team contest of many!
We will post April's stats in a couple of days. 📈
I guarantee @EgisSec is a great choice for your security review.
🏆Check out our performance competing with other researchers in the space on different platforms.
🥇- 5
🥈- 2
🥉- 1
Many people have asked me if we (@EgisSec) are planning to organize an internship. Even though we don't plan to do it right now, I believe this moment will come shortly.
Until then I will provide you with a plan for one. 👇
How auditing helps me in my work as a developer:
• Teaches me to understand different codebases/architectures much faster
• I am careful when writing code. Is it safe? How can it be exploited?
• Makes me write better test cases
You decide whether to audit or go for a coffee
We, at @EgisSec, triple-check each line of code to ensure our best quality and coverage.
We check for many types of vulnerabilities such as:
- Logical errors
- External integrations
- Edge case inputs
- Rounding Errors
- Reentrancy Paths
- Frontrunning Scenarios
And many more.
There it is!
@EgisSec's first-ever private engagement is now publicly available! It is a small audit we conducted for @Lambdalf_dev, who has developed ERC721/ERC1155 libraries with better gas performance than the OZ ones.
Check details in the report:
Security Alert! 🚨
Did you know that in Solidity if you assign one memory struct to another, you assign the pointer and do not make a deep copy! If developers are not aware of this behaviour, this can result in major impact 💣
Interesting article:
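The reference-assignment behaviour described in the alert above, as an added illustration (this is not code from the original thread; the contract and struct names `StructAliasing` and `Position` are made up). It shows the alias, the realistic shape of the bug in a "preview" helper, the field-by-field copy that fixes it, and the contrast with storage-to-memory assignment, which does copy:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not code from the original thread. The contract and
// struct names (StructAliasing, Position) are made up for the example.
contract StructAliasing {
    struct Position {
        uint256 collateral;
        uint256 debt;
    }

    // Memory-to-memory assignment copies the reference: `copy` and
    // `original` point at the same bytes, so writing through one is visible
    // through the other. Returns (500, 500).
    function aliased() external pure returns (uint256, uint256) {
        Position memory original = Position({collateral: 1000, debt: 100});
        Position memory copy = original;
        copy.debt = 500;
        return (original.debt, copy.debt);
    }

    // Realistic shape of the bug: a "preview" helper that is meant to work on
    // a scratch copy silently mutates the caller's struct.
    function previewAfterRepay(Position memory p, uint256 repay) internal pure returns (uint256) {
        Position memory scratch = p; // BUG: same memory as `p`
        scratch.debt -= repay;
        return scratch.debt;
    }

    // The caller never intended to change `pos`, yet it now reads 50.
    function quoteRepay() external pure returns (uint256 debtAfterPreview) {
        Position memory pos = Position({collateral: 1000, debt: 100});
        previewAfterRepay(pos, 50);
        return pos.debt; // 50, not 100
    }

    // Fix: build a fresh struct. This is a deep copy for a struct that holds
    // only value types; a nested array or bytes field would still be a
    // reference and has to be copied element by element.
    function previewAfterRepaySafe(Position memory p, uint256 repay) internal pure returns (uint256) {
        Position memory scratch = Position({collateral: p.collateral, debt: p.debt});
        scratch.debt -= repay;
        return scratch.debt;
    }

    function quoteRepaySafe() external pure returns (uint256 debtAfterPreview) {
        Position memory pos = Position({collateral: 1000, debt: 100});
        previewAfterRepaySafe(pos, 50);
        return pos.debt; // 100
    }

    // Contrast: storage <-> memory assignment always copies the data, so the
    // snapshot can be edited without touching the stored value.
    Position public stored = Position({collateral: 1, debt: 2});

    function storageUntouched() external view returns (uint256) {
        Position memory snapshot = stored;
        snapshot.debt = 99;
        return stored.debt; // still 2
    }
}
```

When reviewing, the pattern to flag is `Type memory a = b;` followed by a write to `a` where `b` is later used as if it were unchanged, especially when `b` is afterwards written back to storage.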
🚨 Security Alert Regarding EIP712 🚨
Always be careful when you see an array which is being hashed!
🗝️ Array Hashing: When hashing arrays in EIP712, each element must be hashed individually, and then these hashes should be combined in a deterministic order (like sorted or based
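An added example of the per-element hashing the alert refers to (not code from the original thread; the `Order`/`Batch` types and the `Eip712Arrays` library name are made up). It follows the EIP-712 rule that an array value is encoded as the keccak256 of the concatenated `encodeData` of its elements, which for struct elements means `hashStruct` of each element, packed in array order. The `hashBatchWrong` variant is the shape a reviewer should look for:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not code from the original thread. Type and function
// names are made up for the example.
library Eip712Arrays {
    struct Order {
        address maker;
        uint256 amount;
    }

    struct Batch {
        Order[] orders;
        uint256 nonce;
    }

    bytes32 internal constant ORDER_TYPEHASH =
        keccak256("Order(address maker,uint256 amount)");

    // Referenced struct types are appended to the primary type string,
    // sorted by name, exactly as EIP-712's encodeType requires.
    bytes32 internal constant BATCH_TYPEHASH =
        keccak256("Batch(Order[] orders,uint256 nonce)Order(address maker,uint256 amount)");

    // hashStruct(Order)
    function hashOrder(Order memory o) internal pure returns (bytes32) {
        return keccak256(abi.encode(ORDER_TYPEHASH, o.maker, o.amount));
    }

    // Correct: hashStruct every element, concatenate the 32-byte hashes in
    // array order, hash once more. The result is what wallets compute.
    function hashOrderArray(Order[] memory orders) internal pure returns (bytes32) {
        bytes32[] memory hashes = new bytes32[](orders.length);
        for (uint256 i = 0; i < orders.length; i++) {
            hashes[i] = hashOrder(orders[i]);
        }
        return keccak256(abi.encodePacked(hashes));
    }

    // For arrays of elementary 32-byte types (uint256[], address[], bytes32[])
    // encodeData of each element is just its padded value, so packing the
    // array directly is already the EIP-712 encoding.
    function hashIdArray(uint256[] memory ids) internal pure returns (bytes32) {
        return keccak256(abi.encodePacked(ids));
    }

    // hashStruct(Batch): the array field contributes its array hash.
    function hashBatch(Batch memory b) internal pure returns (bytes32) {
        return keccak256(abi.encode(BATCH_TYPEHASH, hashOrderArray(b.orders), b.nonce));
    }

    // Wrong (what to look for in review): hashing the ABI encoding of the
    // array. This mixes in offsets and lengths and skips the per-element
    // hashStruct, so it never matches a signature produced by eth_signTypedData.
    function hashBatchWrong(Batch memory b) internal pure returns (bytes32) {
        return keccak256(abi.encode(BATCH_TYPEHASH, keccak256(abi.encode(b.orders)), b.nonce));
    }
}
```

A quick check during an audit is to reproduce the contract's digest for a small fixture with an off-chain EIP-712 library and confirm the two agree; a mismatch on any input with a non-empty array points at the array encoding.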
Best extension ever!
@MartinMarchev showed it to me months ago, and I'm grateful 🙏. 'MetaDock' is a must-add to your toolbox, especially if you want to easily explore the code dependencies of the protocol you're auditing!
Link in thread 👇
I participated in the @VeridiseInc workshop regarding ZK-SNARKs and their zk tools for researchers. 🔐
There were challenges and $ for the first 5 at the end.
Guess where I am... 😮💨
Nevertheless, the knowledge is worth more and it was amazing.
Thank you guys! 🙏
Here is my flow before diving into writing a PoC for a complex protocol with a bad test suite.
If it is a calculation lead:
Open up and try example values.
If it is logic:
Open up
and start playing around with the suspicious part.
Do you wonder what kind of protocol bugs bring most ROI?
If you look at the highest-paid bounties, those are bugs in bridges between mainnet and some L2 chain.
Nowadays it is common to see a launch of a new chain, which is a fork of some famous client. So study those bridge bugs. ↓
I'm thrilled to announce that I recently had the chance to contribute to strengthening the solid code base of @amet_finance. 🙏
I wish them a lot of success with the project. 💯
You can check my report here: 👇
Do you participate in the @MorphoLabs contest on @cantinaxyz⁉️
I think that the documentation and onboarding experience is a blast and you guys set the de facto standard for how a protocol should look before an audit.
Thanks a lot! 🙏
I will give you the №1 tool for your cross-chain PoC.
Writing a fork or unit test for a cross-chain project may be overwhelming and time-consuming.
With this library you can rapidly start writing your actual PoC. ↓
Don't rush an audit!
If you are not familiar with bridges, take your time to study the basics and do not try to pattern match from Solodit.
This will save you time, trust me! 💯
Another great article by @DevDacian about precision loss issues and how to spot them when it's not obvious. 🔍
Also a perfect example of how to use fuzz testing like a boss. 😎
Just received my first payout from @code4rena! 🥳
It may not be much, but I'm extremely satisfied with just one day spent diving into @centrifuge's rock-solid codebase.
Plus, I'm thrilled to be one step closer to a backstage role! 🚀
#Code4Rena
#Centrifuge
🔥 Ready for some blockchain truth bombs?
💣 Maybe more than 75% of blockchain protocols revolve around borrowing/lending. 🚀 That's why I never miss a beat on this topic! Dive deep with @DevDacian's article for all the crucial insights! 💡
Choosing the right contests is crucial for success. I spend a lot of time researching before participating. I'm excited to share detailed "daily warden" threads about ongoing competitions.
Let's kickstart this journey! 🧵👇
Share if you're interested in frequent updates!
This is a kickstart for all beginners who want to quickly immerse themselves and begin participating in contests.
If you manage to navigate between the following topics and really understand the problems, I promise you, your name will soon be high on the leaderboard. ↓
Based on the overall issues I am quite happy with my result in the last #SteadyFi on @CodeHawks.
I am also happy that I am on a streak with good results!
Thank you for the opportunity. 💪✌️
Solo or team audit 👀?
@EgisSec team, led by @dethSCA & @nmirchev8, shared what their experience was like participating in and winning the Convergence Audit Competition as a team in one of our guest spotlight articles🎩
Check out everything here 🔗
🚨 A tip on what to do if you feel stuck on a codebase:
Have a good checklist of common vulnerabilities to check for 📝
I believe the following is almost mandatory for private audits, where you want the best coverage for your client
🔍 Understanding the Diamond Proxy Pattern in Smart Contracts 🔄💎
Have you heard of the Diamond Proxy Pattern in #Solidity? 🤔 Let's dive into this powerful design pattern that enhances modularity and upgradability in smart contracts. 🚀
Hey, if you want to check out my solo submission (M-8) in the @open_dollar contest on C4, you can find the report here:
Feel free to review all the submissions, it might be beneficial for you. 🤘
‼️ Easy bugs you may overlook if you are in a "complex logic combinations" mindset:
• Event emissions with correct data (after data has been updated)
• Setters for state vars, which are not set in the constructor
• Divisor obtained from a getter func, which may return 0
Security Alert!
Every time you see try/catch you should carefully examine the situation, because there are multiple situations where the transaction will revert without entering the 'catch' block. ↓
If you audit @autonolas be sure to go through their repository docs. They are really good and helpful. 😊
Even if you don't participate, but you are interested in cross-chain governance, I suggest you to take a look at it. 👀👇
Tech and web3 are all about decentralization and remote working.
You can be part of a rich community delivering alpha every day from anywhere in the world. ↓
If you are more of a practical learner or just want to observe protocol concepts from different angles, I suggest you use for DAOs.
It is an awesome tool with a plenty of features that help you visualise voting processes. 🗳️
These days in security are super exciting! 🥳
@bytes032 with his initiative to match protocols with clients
@code4rena with a bounty feature
@CyfrinAudits with their learning platform
Guys... I go to bed nervous that I may miss something...
Thank you! 🙏
It is important to adopt different mindsets when doing audit sessions❗️
One time, be a financial expert who wants to break the DeFi concepts in the protocol. 💰
Another time, go as an EVM nerd searching for code pitfalls. 🐛
Just spent 3 hours crafting a Proof of Concept for the @MaiaDAOEco - Ulysses protocol in @code4rena. 🚀 It's amazing how much you can learn about architecture and omnichain concepts by diving in.
Moral of the story: start with a PoC as soon as you suspect something 💡🔎
🎉 Let's congratulate @0xDenzi_ for being the winner of our initiative.
📈 He just 7.5x'd his reward from the competition thanks to @EgisSec
💸 The reward has been sent
Win $1000!
At @EgisSec, we were inspired and supported by other researchers, and we want to do the same for those who are starting right now.
That's why we plan to give $1000 to the winner of the following challenge. ↓
Quiz time:
On which chains are sandwich attacks not possible and why?
Is there another issue on those chains that is not present on those with sandwich malleability?
Rules:
- Participate in the contest at by "signing up" for the challenge. To do so, repost and comment on the main thread, and follow @EgisSec.
- Only for SRs with < $2K in previous contest winnings.
Reward:
The highest scorer wins $1000.
Happy hunting!
Do you wonder what kind of vulnerabilities are accepted for a guaranteed bounty payout?
Check out the best resource from the biggest in the industry:
Repository with issues reported through @immunefi
🚨 Top performers advice! 🚨
If you have the opportunity to audit the well-written code of a famous protocol vs bad code which contains many easy-to-spot bugs, definitely go for the first one if you want to chase big goals! The process will teach you persistence and deep focus. 💯
Another🏆added to @EgisSec's trophy room.🥇
This was a fun contest with some cool vulnerabilities.
Thanks @sophon and @sherlockdefi for the opportunity.
What are my goals in Web3?
Reach the level where I meet @deadrosesxyz in person and tell him the story of how I had been reading his nickname in Bulgarian until a couple of days ago: 🤫
"deadro-(some name)-e(is)-sexy"
Being a top auditor means always exploring the latest exploits and vectors. Your 'blackhat' mindset could be your key to success, but understanding what other 'blackhats' do will give you a significant advantage. 🕵️♂️🔒 Follow thread for must-reads:👇
If you judge security competitions, you learn the most important auditor skill "doubt everything".
Because some of those reports contain very convincing assumptions, which most of the time are wrong.
If you manage to find that out, you will do it with developer assumptions too.
🚨 Audit Tip 🚨
To uncover more protocol vulnerabilities and bugs, dissect each module individually. Start by reviewing the protocol's test separation – developer's tests can be incredibly helpful in identifying each module as a distinct chunk. Gradually explore each part, and
🚨 Reward Staking Explained 🚨
Great video by SmartContractProgrammer on reward staking mechanism. Definitely must watch if you participate in C4 Unistaker contest! 👇
Sofia, Bulgaria is a great place to be if you want to develop in web3 sec.
Amazing and helpful community.
If you have the opportunity to come to some events such as the following, you'd better not miss it
Do you draw diagrams of the projects you audit?✏️
The first picture is based only on docs.
I want to visualise everything I don't understand and compare my future knowledge to it.
This is my initial writing on Maia Dao Ulysses.
(Suggest you not to use it 😁)
Tips to optimize your contests:
- Seize opportunities when you have a lead; don't procrastinate.
- Begin with a Proof of Concept (PoC) to validate and ensure nothing is overlooked.
- If it is a valid one, spare some time to write down the report. This will save you a lot.
Alpha Alert! 🚨
It isn't safe to trust that the operations inside the `catch` block of a `try/catch` statement will be executed if, inside the try block, there is an untrusted external call whose return value is being saved to memory.
An out-of-gas revert isn't caught❗️
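An added example for the two try/catch alerts in this feed (the earlier "Security Alert!" and the "Alpha Alert!" above); it is not code from the original thread, and the names `MalformedOracle`, `IOracle`, `Consumer` and the 100,000 gas cap are made up for the illustration. It shows the case the alert describes, a call whose declared return value cannot be decoded, which reverts in the caller before `catch` is ever reached, and a defensive rewrite that validates the return data itself and bounds the gas forwarded:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not code from the original thread. All names are
// made up for the example.

// A callee whose `price()` is declared to return a uint256 but returns zero
// bytes. The call itself succeeds (it is not a revert). An address with no
// code at all produces the same empty returndata.
contract MalformedOracle {
    function price() external returns (uint256) {
        assembly {
            return(0, 0)
        }
    }
}

interface IOracle {
    function price() external view returns (uint256);
}

contract Consumer {
    uint256 public lastPrice;
    uint256 public failures;

    // Naive: the author expects every problem to land in `catch`.
    // A revert inside the callee IS caught. But for MalformedOracle the call
    // succeeds and the ABI decoding of the uint256 return value fails here,
    // in the calling contract, outside the try/catch: the whole transaction
    // reverts and `failures` is never incremented.
    function refreshNaive(IOracle oracle) external {
        try oracle.price() returns (uint256 p) {
            lastPrice = p;
        } catch {
            failures++;
        }
    }

    // Defensive variant: raw call, check the returndata length before
    // decoding, and cap the gas forwarded (100_000 is an assumed figure for
    // this example). The cap matters because a callee that burns all the gas
    // it is given leaves the caller only the 1/64 retained by EIP-150, which
    // may not be enough to finish the code after the call, so the caller
    // itself runs out of gas and the transaction reverts.
    function refreshSafe(IOracle oracle) external {
        (bool ok, bytes memory data) = address(oracle).call{gas: 100_000}(
            abi.encodeWithSelector(IOracle.price.selector)
        );
        if (!ok || data.length != 32) {
            failures++;
            return;
        }
        lastPrice = abi.decode(data, (uint256));
    }
}
```

In review, treat a `try` whose call has declared return values as two separate steps, the external call and the decoding, and ask what happens when the second one fails; the size check on `data.length` is what turns that failure into a handled branch.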
What is the name of an attack vector, where the attacker benefits from tx between user interactions?
Like a "sandwich", but the bread is between two hams?
🚨 Daily short reminder 🚨
If you see that a protocol integrates stETH, always check how the accounting is managed, because stETH is a rebasing token and rewards are distributed daily at 12pm UTC
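An added example of the accounting check the reminder above asks for (not code from the original thread; `AmountVault` and `ShareVault` are made-up names). The first vault records raw token amounts at deposit time, which stops matching the vault's real balance after every rebase; the second accounts in shares of the current balance so each depositor's claim moves with the rebases:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not code from the original thread. Contract names are
// made up for the example.
interface IERC20 {
    function balanceOf(address) external view returns (uint256);
    function transfer(address, uint256) external returns (bool);
    function transferFrom(address, address, uint256) external returns (bool);
}

// Fragile: stores the raw token amount at deposit time. After a positive
// rebase the vault holds more than the sum of `deposited` and the surplus is
// unattributed; after a negative rebase it holds less, and the last
// withdrawer's transfer reverts.
contract AmountVault {
    IERC20 public immutable steth;
    mapping(address => uint256) public deposited;

    constructor(IERC20 _steth) {
        steth = _steth;
    }

    function deposit(uint256 amount) external {
        require(steth.transferFrom(msg.sender, address(this), amount));
        deposited[msg.sender] += amount;
    }

    function withdraw() external {
        uint256 amount = deposited[msg.sender];
        deposited[msg.sender] = 0;
        require(steth.transfer(msg.sender, amount)); // may revert after a negative rebase
    }
}

// Rebase-aware: accounts in shares of the vault's current balance, so rewards
// and losses that accrue while a user is deposited are reflected pro rata.
contract ShareVault {
    IERC20 public immutable steth;
    uint256 public totalShares;
    mapping(address => uint256) public shares;

    constructor(IERC20 _steth) {
        steth = _steth;
    }

    function deposit(uint256 amount) external returns (uint256 minted) {
        uint256 before = steth.balanceOf(address(this));
        require(steth.transferFrom(msg.sender, address(this), amount));
        // Measure what actually arrived: stETH transfers can land 1-2 wei
        // short of the requested amount because balances are derived from shares.
        uint256 received = steth.balanceOf(address(this)) - before;
        // Price new shares against the balance before this deposit. (Production
        // code also needs first-deposit protection, e.g. virtual shares.)
        minted = (totalShares == 0 || before == 0) ? received : received * totalShares / before;
        shares[msg.sender] += minted;
        totalShares += minted;
    }

    function withdraw(uint256 shareAmount) external returns (uint256 amount) {
        amount = shareAmount * steth.balanceOf(address(this)) / totalShares;
        shares[msg.sender] -= shareAmount; // reverts on underflow
        totalShares -= shareAmount;
        require(steth.transfer(msg.sender, amount));
    }
}
```

The review question is simply: does anything the contract stores claim to equal a stETH balance? Every such field is stale after the next daily rebase, and the two vaults above show what that does to deposits and withdrawals.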
Had a nice experience participating in the Ethereum Credit Guild @code4rena contest with my teammate @nmirchev8, who I learnt a lot from🫡
Got a nice little reward along with very good learnings✅
Backstage at @code4rena has been a game-changer. It's a guaranteed skill booster! Dive into a world of new ideas and practical learning, an exciting way to level up your skills. Event-driven studying – if that's even a term – is a blast!
#Code4Rena
🚀💡
🏁 So many contests, so little time! With parallel competitions on the horizon, how do you pick your battles?
🧐 Share your strategies and tips for choosing the perfect contest in a crowded field.
April stats and recap for @EgisSec are here. 🏆
Read the whole thread for a recap of all contests and alpha. 🧵
Stats:
📅1st month of contests as a team
⚒5 completed contests
💰$24,632 in winnings
🏆Placements: 🥇🥈🥈
🔍21 Highs (1 solo), 18 Mediums (2 solo) found
Recap ⬇