Marco Paladin Profile
Marco Paladin

@paladin_marco

Followers
5,171
Following
786
Media
251
Statuses
3,028

Auditing Team Lead and co-founder @0xPaladinSec. Brand new to Twitter, happy to share my expertise.

Joined July 2022
Pinned Tweet
@paladin_marco
Marco Paladin
2 years
⏰Solidity challenge time ⏰ So you think you are good at Solidity... When do these functions revert? 👇
32
130
374
@paladin_marco
Marco Paladin
2 years
A story on how I as a solidity auditor just almost lost $10k in a single click, and on how you most certainly would have lost it... Learn how to not get rekt like I almost was and why you should ALWAYS inspect transactions below 👇
104
548
2K
@paladin_marco
Marco Paladin
1 year
🚨Rug Alert🚨 Be careful with interacting with ohm fork "Orion Finance" on @arbitrum presale in 30 minutes The on-chain contract 0xe1cd602a4ad658f2e0bba76b2c1f3b325840e279 appears to be deployed by serial ruggers.
21
71
370
@paladin_marco
Marco Paladin
2 years
Is this how you're supposed to use the new GPT-3 chat function? The highly awaited rap battle between SBF and CZ... 🤦‍♂️
30
60
362
@paladin_marco
Marco Paladin
8 months
Today I messaged the SEAL911 hotline with a bug I found in production. 15 minutes later, the CEO of the project was informed. 50 minutes later, the code was patched and no longer exploitable 👀 I cannot recommend SEAL911 enough Save it:
9
38
303
@paladin_marco
Marco Paladin
2 years
/19 For anyone in , be extremely careful with removing your LP as you WILL GET RUGGED by the front-end if you remove more than $4k. There's $200k staked there now, which will likely largely get rugged as people don't check this. Please spread the word ❤️
2
74
283
@paladin_marco
Marco Paladin
1 year
🚨BREAKING NEWS: @coinbase $BASE chain makes mentions of a potential token deep within their open source codebase! I figured out how insiders are securing their airdrop allocation and will explain so below...
38
22
275
@paladin_marco
Marco Paladin
2 years
🤓Solidity challenge 🤓 Loosely adapted from a resolution round I peer-reviewed today. Can you find the blunder?
37
48
282
@paladin_marco
Marco Paladin
2 years
/17 It turned out that this frontend literally hardcoded that as soon as $4000 is exceeded in a transaction on the DEX, they would rug that transaction. An evil genius!! If everyone gets rugged by their swaps, people quickly ditch the project. If only 1% gets rugged however...
3
17
250
@paladin_marco
Marco Paladin
2 years
Anyone else prints their solidity code for auditing?
27
14
247
@paladin_marco
Marco Paladin
2 years
/22 I've been able to learn this lesson without losing money, I hope you can finally learn a lesson the "easy way" as well. Good luck chiefs, stay safe 🫡
17
10
239
@paladin_marco
Marco Paladin
2 years
/18 So this ended up being it: I didn't get powned, I didn't experience a magical glitch... I just finally witnessed the single reason I've been checking these shitty bytecodes my whole life for, and boy I'm glad I check them.
1
5
211
@paladin_marco
Marco Paladin
2 years
/21 So how to avoid this? 1. Save all addresses you have large stakes in (metamask+spreadsheet) 2. Always check what you approve and only approve what you need 3. ALWAYS check the bytecode of the transaction you're interacting with if it's to a contract with a large allowance
20
17
206
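The calldata check the thread recommends (what the /21 post calls checking the transaction's bytecode), as an added example that is not the author's code: it decodes a Uniswap V2 removeLiquidityWithPermit call and refuses to sign when the `to` argument is not your own wallet. The selector 0x2195995c and the argument layout are assumed from the Uniswap V2 Router02 ABI; every address and value below is constructed.

```python
# Decode a removeLiquidityWithPermit call and verify the recipient before signing.
# Assumption (not from the thread): selector and argument order follow the
# Uniswap V2 Router02 ABI. All sample addresses/values are constructed.

# removeLiquidityWithPermit(address tokenA, address tokenB, uint liquidity,
#   uint amountAMin, uint amountBMin, address to, uint deadline,
#   bool approveMax, uint8 v, bytes32 r, bytes32 s)  -- all static types
SELECTOR = bytes.fromhex("2195995c")
ARG_NAMES = ["tokenA", "tokenB", "liquidity", "amountAMin", "amountBMin",
             "to", "deadline", "approveMax", "v", "r", "s"]
ADDRESS_ARGS = {"tokenA", "tokenB", "to"}
WORD = 32


def _word_to_address(word: bytes) -> str:
    # ABI left-pads a 20-byte address with 12 zero bytes; non-zero padding
    # is malformed and must not be silently truncated into a "valid" address.
    if any(word[:12]):
        raise ValueError("address word has non-zero padding")
    return "0x" + word[12:].hex()


def decode_remove_liquidity_with_permit(calldata: bytes) -> dict:
    """Split calldata into named arguments; raise on anything unexpected."""
    if calldata[:4] != SELECTOR:
        raise ValueError(f"unexpected selector 0x{calldata[:4].hex()}")
    body = calldata[4:]
    if len(body) != len(ARG_NAMES) * WORD:
        raise ValueError("calldata length does not match 11 static arguments")
    args = {}
    for i, name in enumerate(ARG_NAMES):
        word = body[i * WORD:(i + 1) * WORD]
        if name in ADDRESS_ARGS:
            args[name] = _word_to_address(word)
        elif name in ("r", "s"):
            args[name] = "0x" + word.hex()
        else:
            args[name] = int.from_bytes(word, "big")
    return args


def check_recipient(calldata: bytes, my_wallet: str) -> tuple:
    """Return (ok, reason); ok is False whenever LP proceeds would not reach my_wallet."""
    try:
        args = decode_remove_liquidity_with_permit(calldata)
    except ValueError as e:
        return False, f"refuse to sign: {e}"
    if args["to"].lower() != my_wallet.lower():
        return False, f"refuse to sign: proceeds go to {args['to']}, not {my_wallet}"
    return True, f"ok: {args['liquidity']} LP units go to {my_wallet}"


def encode_remove_liquidity_with_permit(args: dict) -> bytes:
    """Inverse of the decoder, used only to build constructed sample calldata."""
    out = bytearray(SELECTOR)
    for name in ARG_NAMES:
        v = args[name]
        if isinstance(v, str):  # address or bytes32 given as 0x-hex
            out += bytes.fromhex(v[2:]).rjust(WORD, b"\x00")
        else:                   # uint / bool / uint8
            out += int(v).to_bytes(WORD, "big")
    return bytes(out)


MY_WALLET = "0x" + "aa" * 20   # constructed
ATTACKER = "0x" + "bb" * 20    # constructed stand-in for a swapped recipient
BASE_ARGS = {
    "tokenA": "0x" + "11" * 20, "tokenB": "0x" + "22" * 20,
    "liquidity": 10**18, "amountAMin": 1, "amountBMin": 1,
    "to": MY_WALLET, "deadline": 1_700_000_000, "approveMax": True,
    "v": 27, "r": "0x" + "33" * 32, "s": "0x" + "44" * 32,
}
HONEST_CALL = encode_remove_liquidity_with_permit(BASE_ARGS)
SWAPPED_CALL = encode_remove_liquidity_with_permit({**BASE_ARGS, "to": ATTACKER})

if __name__ == "__main__":
    for call in (HONEST_CALL, SWAPPED_CALL):
        print(check_recipient(call, MY_WALLET))
```

Paste the hex your wallet shows in the transaction details into `bytes.fromhex(...)` and run `check_recipient` against it before confirming.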
@paladin_marco
Marco Paladin
2 years
🚨 Stabledoin update 🚨 After reading my thread, the stabledoin owner has officially pulled the rug. While the frontend was previously selectively rugging at $4k+ value, now it always rugs. I'll arrange a tool for everyone to exit through, 1 moment.
10
35
167
@paladin_marco
Marco Paladin
1 year
🚨 Rug Alert: @AlchemyFi_ is executing a clever rug on their Arbitrum Tomb genesis 🚨 DO NOT DEPOSIT and stay out. Please share.
9
54
159
@paladin_marco
Marco Paladin
1 year
Today I learned...
17
5
135
@paladin_marco
Marco Paladin
2 years
Earlier today I posted a simple challenge which would yield $15 to the person who can crack it. Who cracked it? @deeberiroz Who got the reward? not @deeberiroz 👇
10
20
122
@paladin_marco
Marco Paladin
2 years
/16 This would be crazy... would it? So I try adjusting my un-lp amount to $10 again, my wallet shows up, no rug! $6k: Rug $1k: No rug? $5k: Rug $3999 No rug? $4001: Rug???
1
4
120
@paladin_marco
Marco Paladin
1 year
Wow cool, a single line command to turn a string into a bytes32 (first 32 bytes). Assembly is so useful!!! Can you spot the vulnerability?
10
12
120
@paladin_marco
Marco Paladin
1 year
A month ago I started learning the Move smart contract language for Aptos... Today I scored my first confirmed bug bounty 🥳 Here's how I did it...
8
3
114
@paladin_marco
Marco Paladin
2 years
/20 To conclude, it's important to remember that these days there's no room for error when farming, no way to grind yourself back from a -100% position. We're past that. You need to be HYPER CAREFUL:
1
0
111
@paladin_marco
Marco Paladin
5 months
Are you even a contest auditooor if you're not raising crits inside the mock directory... 💀
19
7
108
@paladin_marco
Marco Paladin
2 years
ERC-1155 devs will literally find any way to mess up their contract... WHAT? Code loosely inspired (didn't copy the exact code).
19
10
108
@paladin_marco
Marco Paladin
2 years
/11 To be clear: What had happened is that somehow the destination of my uniswap transaction was changed from my own wallet, to another person's wallet. This is NEVER SUPPOSED TO HAPPEN and when it happens it either means you got hacked, or the frontend was compromised.
2
1
90
@paladin_marco
Marco Paladin
1 year
🚨 Rug Alert 🚨 Even though I warned you degens an hour before this presale, it filled fully in 10 mins. The $320k in presale funds was just pulled, discord gone... Twitter still up: @Orion_Fi Funds are distributed over many wallets
5
12
94
@paladin_marco
Marco Paladin
2 years
/10 I end up removing my liquidity using remix and am frightened. Did my browser get hacked? It can't be... I got giga-chad op-sec. Do I? Maybe I shouldn't have installed that one vscode plugin? Maybe I shouldn't have run npm install outside of a vm... Fuuuck.
2
3
91
@paladin_marco
Marco Paladin
2 months
Devs like this are really why I’ll stop auditing rather sooner than later. So exhausting. You find the most beautiful exploits in someone’s code and they insult you and demean your skills so that their employer maybe doesn’t believe that they messed up…
21
5
94
@paladin_marco
Marco Paladin
1 year
You fell for this?
6
0
90
@paladin_marco
Marco Paladin
1 year
🚨BE WARNED: Arbitrum's @arb_tomb genesis looks like a rug 🚨 Code business logic looks weird and seems to have been setup to obfuscate the fact that they are capable of taking out all stakes.
5
15
87
@paladin_marco
Marco Paladin
2 years
/1 So I enjoy farming "degen yield farms"; auditing, staking, spotting and avoiding rugs in wilderness contracts is what keeps my mind sharp and my auditing game on-point. Yields are crushed, but I still enjoy it a lot.
2
1
80
@paladin_marco
Marco Paladin
2 years
Why can address(0) claim ownership in @OpenZeppelin 'Ownable2Step 😭
14
10
80
@paladin_marco
Marco Paladin
2 years
UPDATE: Euhm... what?
2
0
78
@paladin_marco
Marco Paladin
2 years
/15 Things start clicking: Did this farm's team really somehow add a threshold? If someone does a transaction larger than $ x,xxx -> take their money! Otherwise, do nothing.
1
2
78
@paladin_marco
Marco Paladin
2 years
I feel like I've audited more ERC-1155 projects with reentrancy exploits in them than without any. I mean- not bad for business to have standards with footguns but you know 🤔
6
0
81
@paladin_marco
Marco Paladin
8 months
For anyone wondering what a "simple loop" is in the 0.8.22 automatic unchecked loop optimization... Here are some examples of loops that WILL be optimized:
2
8
74
@paladin_marco
Marco Paladin
2 years
@samczsun Legend says cz is refreshing this thread with us…
2
1
69
@paladin_marco
Marco Paladin
2 years
Say NO ⛔️ to rust solidity.
17
1
67
@paladin_marco
Marco Paladin
2 years
/8 Onto my final routine check, let's validate the contract data like I always do. I'm a perfectionist, I'm an auditor. I don't trust frontends. WTF!! WHERE IS MY ADDRESS??? removeLiquidityWithPermit always contains the destination wallet, but mine is not to be found here?!
4
6
66
@paladin_marco
Marco Paladin
2 years
/13 What?? Now my address does show up????? Why did it show a wrong address before? Did I read it wrong? Am I losing my mind? Why can't I replicate this?? I end up concluding that by some magical reason the frontend logic must have spit out random bytes in pure magical unluck.
1
0
62
@paladin_marco
Marco Paladin
2 years
/9 What is this address? '0x557767186fA8d022C9556C31e31Dbeb83a562DD1'? That's not my wallet, this wallet hasn't had a single transaction on the blockchain?!
1
0
64
@paladin_marco
Marco Paladin
2 years
/6 The auditor giga-chad that I am, I of course check the approval destination, luckily it's the router which I had stored in my notes. You wouldn't want the frontend to approve some malicious address would you now... All good so far!
2
0
66
@paladin_marco
Marco Paladin
2 years
/2 One of these "funny" degen farms I came across was on "dogechain" (this project is in fact a rug so be careful): Intuitively, the codebase looked secure, nearly unchanged from Uniswap V2 and the MC didn't seem to allow for rugs to occur. All good!
2
0
61
@paladin_marco
Marco Paladin
2 years
Done 🫡 Worked together with my old friends at @RugDocIO to provide the affected fish with a way out. Anyone who has LP stuck in here and is going to get rugged can use this tool to break up the LP safely. It avoids the frontend. Good luck!
3
7
64
@paladin_marco
Marco Paladin
2 months
The person in question made a 13 post long accusation of my company () on why we don't like the following code This snippet has two distinct vulnerabilities 1. It returns a potentially non-zero padded address 2. It interrupts all execution flow with return
15
4
66
@paladin_marco
Marco Paladin
1 year
🚨Rug Alert: on Arbitrum 🚨 The 18 hour old DEX on Arbitrum called "OscarSwap" contains rug code in the MasterChef. Currently there appears to only be about $75k at risk, let's hope that doesn't increase. Please share so people stay out 🙏
6
26
61
@paladin_marco
Marco Paladin
2 years
/12 So I accept that I've been potentially powned and take a break. Once I'm calmed down, I attempt to replicate the issue. I had already removed my LP through contract interaction (using remix) manually so I test with $10 LP.
1
0
59
@paladin_marco
Marco Paladin
1 year
🚨 Rug Alert 🚨 on Ethereum has rug code!! 🙏 Please share so people don't stake in the pools
4
28
55
@paladin_marco
Marco Paladin
2 years
/14 But yesterday, I was so ready to withdraw the remainder of my stake (~$8k, I deposited some more). So I use the frontend again assuming that I just had a glitch. There it was, wallet DD1!!! I didn't lose my mind after all. But why couldn't I replicate it before?
1
0
57
@paladin_marco
Marco Paladin
1 year
Oh so you think you are an auditor? Name every tree you wasted printing code!
10
2
54
@paladin_marco
Marco Paladin
1 year
Update: They pulled the rug :( $320k gone. I'm sorry for all the folks who didn't get to read my tweet in time ☹️
8
2
54
@paladin_marco
Marco Paladin
2 years
/3 So I staked a few days ago and made some money. Liquidity was literally like $10k in my pool so I didn't have to bridge anything to dominate a good portion of the pool. Good times.
1
0
52
@paladin_marco
Marco Paladin
9 months
I love the fact that I've audited so many protocols that whenever someone wants to know whether I'd be any good at auditing their protocol, say an options protocol, I can send them a past report like this:
7
5
50
@paladin_marco
Marco Paladin
2 years
@jwpark02 YES! The CRAZIEST part is that it's already in metamask??? It's just not enabled on sidechains, like who tf is out there getting rugged on Ethereum... @MetaMask please.
25
2
45
@paladin_marco
Marco Paladin
2 years
/4 A day or two ago, the project migrated to their "farms V2", essentially the same code but a new factory. To my surprise, the code was still pretty clean. Time to move because now all the APR is for grabs in pool 3, and not pool 2 which my tiny stake was chilling in.
1
0
51
@paladin_marco
Marco Paladin
1 year
3
7
51
@paladin_marco
Marco Paladin
1 year
Who's going to defisec summit in Paris? Would love to meet some folks
20
1
49
@paladin_marco
Marco Paladin
2 years
/7 Onto the actual transaction, it's nicely pointing to the router which I saved before, nice!
1
0
47
@paladin_marco
Marco Paladin
2 years
/5 So here I go, I unstake from the masterchef, and am about to unwrap my LP. As this is a modern Uni V2 frontend, unwrapping goes with a signature flow where you don't need to send an approval transaction.
2
1
46
@paladin_marco
Marco Paladin
5 months
Was an absolute pleasure auditing this one. OApps can now be simpler due to unordered execution, you’ve now got complete control over your app’s security specification… And that all with complete interop with V1
@LayerZero_Labs
LayerZero Labs
5 months
V2 is live.
360
834
4K
3
4
42
@paladin_marco
Marco Paladin
1 year
@0xngmi Multichain is a highly secure bridge using cutting edge MPC (My Personal Cloud) technology.
4
9
42
@paladin_marco
Marco Paladin
1 year
Extremely proud to be writing and maintaining an EIP with these champions! As an auditor, I've gotten the chance to audit tens if not hundreds of vesting contracts, all very different from one-another. EIP-5725, the Transferable Vesting NFT, is set to change that 🔥
@ApeGurus
ApeGuru
1 year
2/2 I am teaming up with @Ape_tasti , @paladin_marco , and @MarioAtPaladin to create and co-author an Ethereum Improvement proposal to address this and create a common implementation for token locks and vesting. Looking to discuss and get feedback from anyone with expertise in this
1
1
13
3
5
41
@paladin_marco
Marco Paladin
1 year
Founder of @SpearbitDAO on evm flaws: transient storage. Transient storage maxis in the room raging. He does have a point.
3
0
40
@paladin_marco
Marco Paladin
7 months
Finally… LayerZero… V2. What a milestone. Behind the scenes everyone has been cooking so hard on this for so long. So glad that we at Paladin have helped out with the security design of this, was tons of fun and challenge🔥
@LayerZero_Labs
LayerZero Labs
7 months
9K
4K
9K
4
2
35
@paladin_marco
Marco Paladin
1 year
🔥🔥It was an absolute pleasure to work with the amazing folks from @unsheth_xyz during their audit! Audits like this one are what I live for, read below why...
@unsheth_xyz
unshETH
1 year
We chose prominent smart contract auditors @0xPaladinSec because they specialize in DeFi protocols, and were recommended to us by our partners at LayerZero (Paladin is one of their auditors). The co-founder and CTO @paladin_marco led our audit.
4
0
10
1
8
35
@paladin_marco
Marco Paladin
1 year
5
2
37
@paladin_marco
Marco Paladin
10 months
❓SOLIDITY TRIVIA - Can you find the bug❓ This Game is vulnerable. Figure out and explain why 😉
7
2
37
@paladin_marco
Marco Paladin
2 years
Is it just me or is <500 lines of code/file = fun times >500 lines of code/file = big sad
4
1
35
@paladin_marco
Marco Paladin
1 year
Rewrote a smart contract which has been perfectly functioning in prod for over a year for gas optimization. Does gas optimization really feel good to y'all? I feel like this is hugely -EV... Scares me a lot to hyper-optimize, have been re-reading optimized sections all day...
5
1
35
@paladin_marco
Marco Paladin
7 months
EVM maxis really out there implementing BRC-20 on their chains rn 💀💀💀💀 Boyyy, Ethereum was invented so you didn't have to do this lmfaooo
8
3
33
@paladin_marco
Marco Paladin
9 days
Moving back to solidity security review after having a few consecutive Move jobs
6
0
35
@paladin_marco
Marco Paladin
10 months
If anyone is doing on-chain vesting for their tokens, consider adopting this standard I helped write! Shoutout to the big brains @MarioAtPaladin @Ape_tastic @ApeGurus for spending many weeks of brainstorming on perfecting this one 🤙
@Ape_tastic
CypherSophic 🦇🔊
10 months
I'm really excited to announce that after a year of writing and review, "ERC-5725: Transferable Vesting NFT" became official today.🥳 The next goal is to integrate this standard into NFT marketplaces. My DMs are open if you would like to chat about it.😉
12
10
36
2
10
33
@paladin_marco
Marco Paladin
1 year
So you think you’re an auditor… How many kgs of paper have you printed? If the answer isn’t a forest… Send that resumé to TechRate instead 🙃
@CharlesWangP
CharlesWang
1 year
Back then @paladin_marco taught me auditing on paper - this is the last step I personally do before I finalize the audit and it is mainly focused on the very details. Developers sometimes forget a _ or assign wrong variables - this is a great way to find simple issues!
10
9
93
11
4
29
@paladin_marco
Marco Paladin
11 months
@bytes032 HAAANK DON'T START REPLACING EACH PORTION OF SOLIDITY WITH ASSEMBLY HANK NOOOOO THIS IS NEVER WHAT I INTENDED NOOO IT WAS SUPPOSED TO BE THE OPTIMIZERS RESPONSIBILITY NOT YOURS HANKKKK
4
0
33
@paladin_marco
Marco Paladin
1 year
Anyone else now learning Move/Aptos? Haha We started a study group.
16
0
33
@paladin_marco
Marco Paladin
1 year
Why is @AmbireWallet using account 6969 as a magic value for their EIP-4337 wallet?? lmao
5
5
26
@paladin_marco
Marco Paladin
2 years
I deployed a simple on-chain Solidity CTF with a HUGE bounty Who can find the blunder? Who can break my bank? YOU ?? Good luck 🫡
7
3
31
@paladin_marco
Marco Paladin
7 months
Smart contract hacks are down 95% after developers started adding a terms of service to the top of their smart contract stating "you are not permitted to exploit this contract"
@paladin_marco
Marco Paladin
7 months
@veH0rny All the codebases from here on out!!
1
1
5
1
3
27
@paladin_marco
Marco Paladin
1 year
🚨 Learn Move Challenge #1 🚨 Wouldn't it be cool if there was a language which learned from the flaws of Solidity, the EVM and Solana? People claim that language is... Move. Are they right? Only one way to find out... /1
6
1
30
@paladin_marco
Marco Paladin
2 years
@DanielWeb3Lover @PatrickAlphaC … I’ll call you back
1
0
31
@paladin_marco
Marco Paladin
2 years
@samczsun BNB Chain is literally going to be back up by the time he’s done…
1
0
31
@paladin_marco
Marco Paladin
2 years
@AmadiMichaels Dang mate if you supported dogechain, I could have demo'd your tool here. Still absolute champ that you support so many chains. It would be SO COOL to see this integrated in upstream metamask too...
19
0
24
@paladin_marco
Marco Paladin
1 year
@0xngmi I think the larger concern is that a single, potentially hostile, potentially not doxxed, person controls a domain name which can rek millions of our dollars ser, regardless of whether it will happen or not 😅
3
1
29
@paladin_marco
Marco Paladin
1 year
Just noticed tintinweb (The famous vscode solidity extensionoooor) replied to me!!! 🥹🥹🥹 Emotional day, sorry for noticing it 3 weeks late, champ 🫡
0
4
25
@paladin_marco
Marco Paladin
1 year
I respect this so much, idk why. Nice work, @traderjoe_xyz @Louis_Mslf 🫡
6
2
23
@paladin_marco
Marco Paladin
11 months
This is so perfect 🥰🥰
2
0
28
@paladin_marco
Marco Paladin
7 months
And YOU can be exploited! And YOU are exploitable! (Me to all the functions in your carefully crafted codebase ❤️)
3
1
21
@paladin_marco
Marco Paladin
2 years
@devtooligan Though impressive, I modified your example a bit and it got quite a bit wrong.
4
2
24
@paladin_marco
Marco Paladin
8 months
Sifu is a lot of things, but he's not exactly a gambler, to close his $20m short on chain, I assume he knows something.
4
2
25
@paladin_marco
Marco Paladin
2 years
/1 If you can solve this exercise without writing or running tests, you have the necessary understanding of Solidity's type conversion and literals framework and I salute you🔥 If not... This is your opportunity to catch up and learn 🤓
3
0
24
@paladin_marco
Marco Paladin
1 year
Security alert: Seems like the defillama team is splitting into two with some hostility 🚨 Uninstall the chrome extension and stay away from until the dust settles Both these products could rek you pretty hard if they are in malicious hands
1
5
20
@paladin_marco
Marco Paladin
10 months
@JJordan Client of ours increased line width by 50% and got a 30% discount with a competitor of us after they requoted the codebase, that being the only change. They still chose Paladin as they couldn't fathom an auditor blindly quoting lines of code being any good haha
3
1
26
@paladin_marco
Marco Paladin
11 months
All the shade thrown on team Vyper... As if people really don't know the amount of compiler vulnerabilities which have been discovered and subsequently patched in solidity... Just a fun little example below
1
3
25
@paladin_marco
Marco Paladin
2 years
Very proud to see our firm partnering with more and more chains. Being able to contribute to making the space safer in times like these means a lot. Looking forward to the collaboration, @ElastosInfo ! 🔥
@0xPaladinSec
Paladin Blockchain Security
2 years
Paladin is excited to become the security partner for the @elastosinfo ecosystem! Following several intriguing audits within Elastos, Paladin will leverage its careful knowledge of auditing methodologies and security experts to provide peace of mind to the Elastos' users.
6
14
59
0
3
25
@paladin_marco
Marco Paladin
1 year
Tell me I’m reading this wrong… Did an audit firm founder exploit @y00tsNFT in prod? Lmfao I don’t think that’s the procedure ser.
9
3
24
@paladin_marco
Marco Paladin
1 year
How do y'all feel when you audit a V1, then years later they release the unaudited V2 and a new feature gets exploited. For some reason I always feel bad about it ☹️
6
3
22
@paladin_marco
Marco Paladin
2 years
It appears that DD1 was able to steal about $60k in tokens stolen from the $200k which were at risk! 95% of DD1s profits came from a single wallet, C9Fa. Moment of silence for C9Fa ☹️ I do wonder if the remaining $140k was already big brain or got out because of this.
1
0
21
@paladin_marco
Marco Paladin
1 year
Took me 20 minutes to figure out... Gosh I hate web stuff Cool new Move learning community is up though:
3
2
17