Plamen Tsanev

@p_tsanev

Followers
870
Following
206
Media
48
Statuses
764

Smart Contract Security Researcher 🛡️ 30+ H/M vulnerabilities found 🔝 DM for audits 💼

Check out my work:
Joined May 2023
Pinned Tweet
@p_tsanev
Plamen Tsanev
4 months
It seems really repetitive and beginners with no achievements yet seem to hate it, but I personally learned it is very true: "simple" findings are not always simple to find, but can have immersive impact. E.g - the findings that helped me win over 30k$ in February summarized: 1.
6
2
60
@p_tsanev
Plamen Tsanev
6 months
Be a dev Leave bugs Report them in a contest Get fired LMFAO HAHHAHA
8
9
98
@p_tsanev
Plamen Tsanev
3 months
Yessiir
@HatsFinance
Hats.Finance 🦇🔊
3 months
The winners are: 🥇$17,000 - 1 Medium, 2 Low - @p_tsanev 🥈$3,300 - Gas Cat 1st - @0xRizwann 🥉$2,000- Gas Cat & Gas Incentive 2nd - @PavanKumarKv2 2/
1
2
18
9
1
71
@p_tsanev
Plamen Tsanev
4 months
Rewards started flowing in. First out of two claims got me Top 10 in the @HatsFinance leaderboard. Top 5 when I claim the second one maybe? 😳😳😳
Tweet media one
8
1
66
@p_tsanev
Plamen Tsanev
4 months
Insane bag this contest ~= 15K dollars, probably more depending on the point dispersity. That's 1 H and 2 M's. Thanks for the opportunity.
@HatsFinance
Hats.Finance 🦇🔊
4 months
Winners breakdown: High Severity Winner: 1. @p_tsanev Past loots can be indefinitely recreated #27
1
0
6
8
3
64
@p_tsanev
Plamen Tsanev
4 months
Aaand another one 😂 A 17K bag, not too bad. Thanks to the folks at Hats for these opportunities.
@HatsFinance
Hats.Finance 🦇🔊
4 months
Winners breakdown: Medium Severity winner: 1. @p_tsanev No access control on IncentivzedMessageEscrow's submitMessage can lead to a short-term dos of users #46
1
0
1
1
4
54
@p_tsanev
Plamen Tsanev
3 months
And just like that, your boy is top 6 in the @HatsFinance rewards leaderboard, after my first competition win and another second place. Truly amazing opportunities in this space, big thanks to the entire platform team and the protocols that ran competitions there. Amazing!
Tweet media one
1
4
45
@p_tsanev
Plamen Tsanev
9 months
Just got asked again about my story and roadmap I used to learn web3 even though I am not that big or anything. Even so I decided to compile it here for anybody that is interested or is looking to do the same so beware: Thread 🧵👇🧵👇
3
6
39
@p_tsanev
Plamen Tsanev
1 year
July will probably end before more contest results come out, so here are some stats from my 1st month of contests! Resolved contests: 3 (1 with no findings) Highest placement: 5th Total payouts: 1077$ I want to publicly thank the great web3 🇧🇬community and @pashovkrum for it all 💪
Tweet media one
Tweet media two
6
0
42
@p_tsanev
Plamen Tsanev
2 months
I am glad to announce that I will be a base-fee receiver for the upcoming @Convergence_fi contest on @HatsFinance My labeling of issues will not be final so don't hate me please 🥹 Thanks to the Hats team for this amazing opportunity, I will give it my all!
4
3
43
@p_tsanev
Plamen Tsanev
3 months
Me looking at my dry dm's when posting audit wins does not get me private clients (Am I delusional 😂😂😂)
Tweet media one
3
1
43
@p_tsanev
Plamen Tsanev
7 months
Petition to rename Bulgaria🇧🇬:
Tweet media one
5
3
40
@p_tsanev
Plamen Tsanev
11 months
Ok, July stats changed, I am kinda screaming right now. The Dinari contest at @sherlockdefi just increased my payout with another 1K. I hope I manage to do well in August as well 💪🇧🇬🥹
Tweet media one
5
2
40
@p_tsanev
Plamen Tsanev
6 months
So suddenly 70% of the big web3 names either: step away from auditing and start managing teams/firms or go all in on bounties. Just read your articles, progress at your own pace and the contest exposure should do its job, no need for FOMO.
4
1
40
@p_tsanev
Plamen Tsanev
7 months
Another nice little milestone at @sherlockdefi It just goes to show how few auditors there actually are out there, my stats are pretty neglectable. But the only way from here is upwards!
Tweet media one
3
3
41
@p_tsanev
Plamen Tsanev
11 months
I was literally: 1. Thinking what to tweet about 2. Wondering how are results going And bam, another 3-4 hours of work, maybe 5, result in @code4rena feeding me 💰❤️‍🔥
Tweet media one
6
0
38
@p_tsanev
Plamen Tsanev
7 months
I won't tell my friends about my web3 success, but there will be signs
Tweet media one
4
3
38
@p_tsanev
Plamen Tsanev
8 months
RealWagmi #2 results came out🥳 #1 was my first contest, so I am proud of coming this far these past few months.
Tweet media one
5
0
37
@p_tsanev
Plamen Tsanev
8 months
I noticed I am something of a Batman these days, but instead of a millionaire during day and a hero over night, during the day I work as a PVC window installer, but during the night I study and grind web3 on my PC and nobody knows 😂😂😂
6
3
34
@p_tsanev
Plamen Tsanev
3 months
This is the only aspect of web3sec I haven't delved into, so it's time for something new. Wish me luck ✌️ (Would take a couple of attempts 😅)
Tweet media one
4
0
36
@p_tsanev
Plamen Tsanev
4 months
Showed a guy my results and got him to start web3 courses. I am officially an influencer 😎
1
0
35
@p_tsanev
Plamen Tsanev
2 months
As the @Convergence_fi contest on @HatsFinance ended, I can confidently say I really enjoyed being a lead auditor/judge. It gives a different insight on the codebase and I got some really good leads/learned a lot while discussing other people's issues. Would gladly do it again.
3
5
33
@p_tsanev
Plamen Tsanev
9 months
Just learned a new issue to look out for: Loops trying to optimize their gas by incrementing the index in an unchecked field can suffer from an OOG error in case of a 'continue' statement since it would loop over the same 'i' Write it down in your checklist 🤓💪
6
3
30
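The pitfall in the tweet above, as an added illustration that is not code from any audited project: `continue` skips the rest of the loop body, including an increment placed at its end, so `i` stalls and the loop burns gas until the transaction reverts. The contract and function names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example (hypothetical contract), not from any real codebase.
contract UncheckedContinue {
    // BUGGY: `continue` jumps straight to the loop condition and never reaches
    // the increment at the bottom of the body, so once a zero element is hit
    // `i` stops advancing and the loop spins until it runs out of gas.
    function sumNonZeroBuggy(uint256[] calldata vals) external pure returns (uint256 total) {
        for (uint256 i = 0; i < vals.length; ) {
            if (vals[i] == 0) continue; // i is NOT incremented on this path
            total += vals[i];
            unchecked { ++i; }
        }
    }

    // FIXED: keep the gas-saving unchecked increment, but put it in the loop's
    // own increment expression, which `continue` always executes.
    function sumNonZeroFixed(uint256[] calldata vals) external pure returns (uint256 total) {
        for (uint256 i = 0; i < vals.length; i = _uncheckedInc(i)) {
            if (vals[i] == 0) continue;
            total += vals[i];
        }
    }

    // Bounded by vals.length, so i + 1 cannot overflow here.
    function _uncheckedInc(uint256 i) private pure returns (uint256) {
        unchecked { return i + 1; }
    }
}
```

Calling `sumNonZeroBuggy` with any array containing a zero reverts with out-of-gas; `sumNonZeroFixed` returns the sum of the non-zero elements.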
@p_tsanev
Plamen Tsanev
8 months
May not seem like a great achievement, but I managed to go on a streak of 3-digit pay outs in the last 3-4 contests I did. Anything I have earned so far has been very inconsistently distributed, but I am gaining consistency now. 🥹🥳
2
1
31
@p_tsanev
Plamen Tsanev
7 months
The year's about to end and I *could* go ghost depending on the holidays, so I want to get this out of the way. A year summary🫨(my web3 time, since only it is relevant 😶‍🌫️) May, June, half of July: Your boy studied. For such a short period of time I managed to learn so much and
1
1
30
@p_tsanev
Plamen Tsanev
8 months
Just concluded my audit of the @LooksRare protocol on @sherlockdefi . By far the best experience with sponsors I've ever had, on point, answering everything and even helping me during the PoC's so we can both reach the desired outcome. Would gladly do another round in the future🫡
4
2
28
@p_tsanev
Plamen Tsanev
7 months
Mood
Tweet media one
3
1
30
@p_tsanev
Plamen Tsanev
11 months
Another small win for only around 2 hours of auditing and an hour of reading docs. Thank you @code4rena .
Tweet media one
3
0
28
@p_tsanev
Plamen Tsanev
9 months
Just dropped my application for a web3 security internship position at @CertiK 😳 This could be a great opportunity for my career, so hopefully all goes well!
8
1
29
@p_tsanev
Plamen Tsanev
9 months
Security alpha alert 🧠 Using 'msg.value' inside a conditional can lead to locked funds. If the first condition fails and the other branch (else statement) does not revert or utilize the sent value, it can get locked up in the contract. Always make sure to revert or refund!
5
5
27
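The locked-funds pattern from the tweet above, as an added example that is not code from any audited protocol: a `payable` function whose non-ETH branch silently accepts `msg.value`, beside a version where every branch either uses the attached ETH or rejects it. The contract, the `credit` mapping and the token interface are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Added example (hypothetical contract), not from any real codebase.
contract PayWithEthOrToken {
    IERC20 public immutable token;
    mapping(address => uint256) public credit;

    constructor(IERC20 _token) {
        token = _token;
    }

    // BUGGY: when payInEth is false the function is still payable, so any ETH
    // attached to the call is accepted but never credited, and the contract has
    // no withdrawal path for it: the ETH is stuck forever.
    function payBuggy(bool payInEth, uint256 amount) external payable {
        if (payInEth) {
            credit[msg.sender] += msg.value;
        } else {
            require(token.transferFrom(msg.sender, address(this), amount), "transfer failed");
            credit[msg.sender] += amount;
        }
    }

    // FIXED: each branch either consumes msg.value or reverts when ETH was sent.
    function payFixed(bool payInEth, uint256 amount) external payable {
        if (payInEth) {
            require(msg.value == amount, "wrong ETH amount");
            credit[msg.sender] += msg.value;
        } else {
            require(msg.value == 0, "ETH sent on token path");
            require(token.transferFrom(msg.sender, address(this), amount), "transfer failed");
            credit[msg.sender] += amount;
        }
    }
}
```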
@p_tsanev
Plamen Tsanev
7 months
What does this code snippet do? 🫣 Wrong answers only! 🤪
Tweet media one
39
2
29
@p_tsanev
Plamen Tsanev
4 months
Just started the Rust/Solidity comp at @HatsFinance Rust is actually a cool language once you get its syntax a bit, so hopefully looking at the submissions I will manage to level up my Rust for the future. So summarized, don't expect any results from me here, only learning 😳😳
0
0
29
@p_tsanev
Plamen Tsanev
5 months
If anybody told me that @sherlockdefi would be a battle in the comments between a valid real issue and a broski that's not even on the leaderboard, linking the rules over and over again like I am in court, I would have just stuck with C4, Hats and Codehawks 😂😂😂
7
2
27
@p_tsanev
Plamen Tsanev
4 months
I reckoned it would be cool to tweet about insane web3 stuff I find while studying old reports, so today's take: The @hydra_dx competition at @code4rena had an issue about matching in and out assets. Seems simple to find. Then you notice it has only 2 reports for 8k$ each 🫨🫨🫨
2
0
26
@p_tsanev
Plamen Tsanev
9 months
Even with no monetary compensation for your time during an audit, the sense of enlightenment you feel after learning what you've missed or that your non-reported issue was actually valid brings in valuable knowledge in itself. Knowledge >>> money
1
3
27
@p_tsanev
Plamen Tsanev
10 months
As September and the summer are coming to a close, I decided to do a summary of my ~3 months of active contest participation. 🧵👇
7
1
25
@p_tsanev
Plamen Tsanev
4 months
Update: my reward token from @HatsFinance Paladin comp is pumping up and I am not even able to claim it yet 😭😭😭 Imagine expecting 15k and cashing out at 20k.
3
0
27
@p_tsanev
Plamen Tsanev
7 months
Mood
Tweet media one
10
1
26
@p_tsanev
Plamen Tsanev
5 months
Enter a hats contest. Get front-run on the most basic issues. My first valid is a medium, all before it are OOS/invalid 🤑🤑🤑
4
1
24
@p_tsanev
Plamen Tsanev
8 months
I get it, but I am tired of seeing "top 10 learning resources". The answers are: @PatrickAlphaC @RealJohnnyTime @0xOwenThurm I would much rather see code repos with auditing notes by the top researchers, to be able to study what their mind notices and thinks when reviewing code.
2
1
25
@p_tsanev
Plamen Tsanev
9 months
Security alpha alert: Whenever I see a contest using a factory contract (quite often), I always have a lead in the back of my mind to make sure the opcode used in it and the salting are correct. Check out the article below to get a good understanding 💪
0
3
25
@p_tsanev
Plamen Tsanev
7 months
Guys why do I have no followers?
Tweet media one
5
1
24
@p_tsanev
Plamen Tsanev
11 months
I spent the past 2 days on @SoloditOfficial preparing for my chosen upcoming audits and I am surprised how obviously biased some issues are. Just goes to show how the @CodeHawks anonymous approach is the way to advance contests further 💪
3
1
24
@p_tsanev
Plamen Tsanev
10 months
@sherlockdefi Fix the current payout distribution to incentivise regular wardens.
3
0
24
@p_tsanev
Plamen Tsanev
7 months
"Yeah bro I did a contest for 1-2 days and gave up because I didn't find anything, this web3 thing is such a scam, I am going back to the office"
Tweet media one
3
1
24
@p_tsanev
Plamen Tsanev
10 months
Ok, not gonna lie, this is a cool feature for show off.
Tweet media one
2
2
22
@p_tsanev
Plamen Tsanev
3 months
A wise researcher once got asked how he chooses which bounties to tackle and he answered: "I look if their logo is colorful enough" Just drop the stupid filters imo, this is some next level ultra instinct 😂😂 But seriously, @KrisApost1 is a beast.
0
1
24
@p_tsanev
Plamen Tsanev
3 months
When I first read about solidity's **delete** not working on mappings and structs containing them, I thought I would never see this as an issue. Hats' latest Aleph contests proved me wrong 😈
2
2
24
@p_tsanev
Plamen Tsanev
5 months
This is the most brilliant issue I have read in a while: @zachobront is a total genius TL;DR pls check contract existence when using Solady
4
2
23
@p_tsanev
Plamen Tsanev
10 months
Some of my takes this week: 1. @CodeHawks has potential to outgrow its competition 2. There is a general trend in recent contests to have more nSLOC for the same short timeframes and lower rewards 3. The current model of @sherlockdefi is pretty controversial What do you think?
3
4
21
@p_tsanev
Plamen Tsanev
2 months
Judging is fun until the ChatGPT submissions kick in. You can imagine the rest.
2
0
23
@p_tsanev
Plamen Tsanev
7 months
The amount of times I have seen this while studying findings is insane 🥹 Never skip the low-hangings in fear of dupes.
Tweet media one
0
2
22
@p_tsanev
Plamen Tsanev
8 months
The guy reading 100 pages of docs vs the guy who goes haha I fuzzed and scribbled some functions = unique finding. I love this space 😂
2
0
23
@p_tsanev
Plamen Tsanev
4 months
I actually have mental issues. I was thinking of reporting 2 issues confirmed by the sponsor in a contest and forgot? Am I actually schizophrenic?
5
0
22
@p_tsanev
Plamen Tsanev
4 months
Beast
@arabadzhiev_
Arabadzhiev
4 months
The past few months were tough. Loads of blood, sweat and tears without much in return. I felt like I wasn’t going anywhere. But today, I am finally happy to share my greatest accomplishment so far - My first ever contest win. The story continues, we are just getting started...
Tweet media one
25
4
198
1
0
22
@p_tsanev
Plamen Tsanev
6 months
Just found one of the bigger flaws of @CodeHawks . Reading through the submissions of TheStandard contest I am shook: 1. ChatGPT reports 2. 0 reading of known issues 3. Overinflation of severity and 1 sentence reports briefly mentioning the actual root cause Pray for the judges 🙏
7
0
22
@p_tsanev
Plamen Tsanev
6 months
Ok, but imagine being so immersed into finding logic bugs that YOU MISSED THE EASIEST ACCESS CONTROL ISSUE, WHAT IS WRONG WITH ME
2
0
22
@p_tsanev
Plamen Tsanev
3 months
People love seeing others' wins online and get motivated, but the latter holds as well since it gives you a reality check. So here is my Immunefi loser experience so far and my takeaway 😅:
2
0
21
@p_tsanev
Plamen Tsanev
8 months
It is literally like @0xOwenThurm says here: My first 200 hours were relatively bad, but I got some things here and there, even though I haven't had any recently big findings, I find myself considering more probabilities and lists of potential issues 🫡
1
1
20
@p_tsanev
Plamen Tsanev
3 months
Day 3 of trying to understand what in the world is happening in Sherlock's comment sections and how are they even considered when there are real issues there.
4
0
21
@p_tsanev
Plamen Tsanev
10 months
It is that time of the month, and since I think no new results will come out soon, I am posting my August stats, this time with a bigger contest quantity, but less time spent on each one due to personal reasons: Contests: 7 Total payouts: ~1700$ We are aiming even higher next!🇧🇬
3
2
20
@p_tsanev
Plamen Tsanev
9 months
I reached 5k in 4, but here lie the great importance of marketing and networking combined with skills. Hopefully I can reach such results, but my 6 months mark won't look like that. Truly inspiring indeed 💯
@bytes032
@bytes032.xyz
9 months
Just crushed $200K for the year. 0 → 3k: 4 months 3k → 200k: 6 months Think twice before you consider quitting early on.
50
39
860
0
1
19
@p_tsanev
Plamen Tsanev
11 months
Current progress on one of the codehawk's contests. Will drop some feedback on the platform once these get resolved.
Tweet media one
1
0
19
@p_tsanev
Plamen Tsanev
6 months
Imo @sherlockdefi should subside from "omg it's in the rules, invalid". Brother either the protocol fixes it or I drain/block the contracts, tf you mean "Low severity due to rules"
10
0
18
@p_tsanev
Plamen Tsanev
4 months
There is an impostor here, guess who he is 😂
Tweet media one
3
0
20
@p_tsanev
Plamen Tsanev
8 months
Didn't expect a tweet begging for one follower would get @bytes032 to follow me, but it was nice indeed ❤️😂
2
0
18
@p_tsanev
Plamen Tsanev
5 months
Auditing on @HatsFinance actually makes my brain race. It's like telling me "how many vulnerabilities can you report before everyone else" 😈 It's actually an insanely different experience.
3
1
21
@p_tsanev
Plamen Tsanev
3 months
Am I the only one doing @0xDYAD 's contest on @code4rena whose brain is so rotted to the point I read it as gyatt instead of dyad?
5
1
19
@p_tsanev
Plamen Tsanev
11 months
A little update for July: After escalations my rewards jumped from ~1000k to ~2500k Trust the process 💪
4
0
17
@p_tsanev
Plamen Tsanev
8 months
Here are some of my pinned sites with good resources/checklists during audits: And my favorite one 🥹🥳
0
5
18
@p_tsanev
Plamen Tsanev
5 months
I love people posting like "hahaha I found 15 highs in this contest 😈" and we never hear from them again. Like, where are you broski? THAT is why you never ego-post before official results.
3
1
19
@p_tsanev
Plamen Tsanev
9 months
People like @pashovkrum and @bytes032 making 6 figures monthly, people like me and many others who started just on youtube and twitter articles in 3-4 months, making 4 digits, which for most is a living. And people are still being skeptical of the field 😲😤
2
1
17
@p_tsanev
Plamen Tsanev
4 months
Guys I have a dilemma, advice would be appreciated. The Paladin contest at @HatsFinance will be paying out in their native $PAL, which is looking to be steadily rising in price. Do I hold it in the bull, or would I be too greedy and potentially shoot myself in the foot?
13
0
17
@p_tsanev
Plamen Tsanev
10 months
🚀🚀🚀
Tweet media one
2
0
17
@p_tsanev
Plamen Tsanev
9 months
Ah yes, C++ "while" loop lecture, while auditing the RealWagmi #2 at @sherlockdefi 😁 Priorities are locked in.
Tweet media one
4
1
17
@p_tsanev
Plamen Tsanev
9 months
For the upcoming C4 Brahma contest: And of course the amazing past-reports at to familiarize yourselves with common exploits
3
2
18
@p_tsanev
Plamen Tsanev
8 months
I see all these people that just started, but are like, I wanna make 10k a month by the end of the year. I find such goals motivating, but you can easily get disappointed. My goal is to audit until I have seen almost everything, since a ton of issues are mostly similar.
3
1
15
@p_tsanev
Plamen Tsanev
8 months
OMG, this actually worked and none other than the goat himself followed me 😂😂 @GalloDaSballo Love you bro
Tweet media one
1
0
15
@p_tsanev
Plamen Tsanev
9 months
If I got a USDC token every time a web3 contest has active sponsors, well-structured comments and comprehensive documentation, I would have about 2 USDC 🥹🥹🥹
5
1
15
@p_tsanev
Plamen Tsanev
6 months
I wake up and the new year welcomes me with 5 new contests on sherlock with almost perfectly aligning dates🥹 Good luck to everybody this year, hopefully you reach your goals. Mine are to just get good 😭
0
0
16
@p_tsanev
Plamen Tsanev
6 months
Any web3sec firms looking for JSR's? 😇😇😇
1
0
17
@p_tsanev
Plamen Tsanev
4 months
2024 and price manipulation still happens. It's not really that hard to: - use internal accounting - use a TWAP - use more than 1 oracle service
1
1
16
@p_tsanev
Plamen Tsanev
8 months
Happily waiting for some contest cash, knowing contests I have confirmed findings in are finishing up. 4 digits pls 😳👉👈
1
0
16
@p_tsanev
Plamen Tsanev
8 months
Ah yes, the end of October, filled with contests that you will wonder how to fit into a schedule. Damn missed this great feeling of HAVING OPTIONS 🥹🥹🥹
4
1
16
@p_tsanev
Plamen Tsanev
9 months
Instant follower count increase strat: 1. Post about the new 1.1 mil contest on @code4rena 2. Bam, tweet gains traction. Waiting for them tweets with ZK learning resources 😂
2
1
15
@p_tsanev
Plamen Tsanev
11 months
Another 3 digits win from @code4rena , sharing a payout with the great fellas from the Crimsot Rat Reach team 💪
Tweet media one
3
0
16
@p_tsanev
Plamen Tsanev
11 months
I am not really active due to the lack of new contests, so until the big C4 contest comes, I thought it will be good to contribute to the space with a little article on DoS vulnerabilities 💪👀 Link:
0
0
15
@p_tsanev
Plamen Tsanev
8 months
Security alpha alert: Apparently on zkSync, the address deviation is different from the one on the other EVM-compatible chains, thus the same bytecode can create 2 different addresses on other chains and ZK. A recent finding from @code4rena , +1 to the checklist with multichains.
0
0
16
@p_tsanev
Plamen Tsanev
1 year
3 hours into my 3rd contest, decided to dm the team. This brings me great joy 💪💪
Tweet media one
0
0
15
@p_tsanev
Plamen Tsanev
4 months
Where was this video, when I was starting DeFi 😭 A great and simple term stock-market rundown:
1
2
16
@p_tsanev
Plamen Tsanev
4 months
"Haha, ETH price is going up in the bull run, I will hold my rewards in ETH to get the extra leverage" ETH price the past week: 📉📉📉
3
0
15
@p_tsanev
Plamen Tsanev
5 months
Imo, access control issues are a lot more fun to uncover when they involve the careful crafting of arbitrary parameters to bypass protections. You just feel so smart describing it, unlike the classic "anyone can set new owner". Hopefully I can share such a finding soon. 😈🫨
1
1
15
@p_tsanev
Plamen Tsanev
9 months
Security alpha alert: The importance of well structured reports is COSMIC. In the report for the Basin contest at @code4rena I had found an issue with their AMM with only 1 other duplicate, but due to the badly written report on my side, I got only partially credited. Moral of
0
2
14
@p_tsanev
Plamen Tsanev
6 months
‼️INSANE SHERLOCK LIFEHACK‼️ ‼️USE BEFORE IT'S PATCHED‼️ If you have a decent ranking on the leaderboard, smaller contests are the goats. Even if your submissions get invalidated, there's a big chance the contest would have no issues and distribute the pot based on leaderboard.
4
0
15
@p_tsanev
Plamen Tsanev
11 months
I love how everybody is posting Beedle findings before the final report. Literally the first high I randomly decided to open was invalid. Please share your results and findings after you have validity proof, for your own sake and image.
3
0
15
@p_tsanev
Plamen Tsanev
9 months
Read reports and watch videos all you want, the simple keys for success are just: 1. Filter issues on @SoloditOfficial by top auditors and study them 2. Check out your past contests' issues and study what you missed 3. Follow top researchers and keep track of the alpha they post
0
3
14
@p_tsanev
Plamen Tsanev
8 months
Update 1# - 255$ for a solo low finding at @CodeHawks . RWA protocols looking to integrate assets like digitalized real estate and stocks all lack sufficient mitigation in events of stock-splits. It's a really sneaky finding, but completely real and highly likely.
@p_tsanev
Plamen Tsanev
8 months
Happily waiting for some contest cash, knowing contests I have confirmed findings in are finishing up. 4 digits pls 😳👉👈
1
0
16
3
0
13