samuraii77 Profile
samuraii77

@samuraiii77

Followers
641
Following
84
Media
9
Statuses
84

Blockchain Security Researcher | Multiple Top 1 / Top 3 / Top 5 Finishes 🏅 Top Ranked Watson @sherlockdefi 🕵️ Top 30 last 90-days @code4rena

Web3
Joined March 2024
Pinned Tweet
@samuraiii77
samuraii77
3 months
As promised in my last tweet 😤
8
0
85
@samuraiii77
samuraii77
29 days
Just saw I have broken the $20,000 mark from contests 😮 It's nothing crazy but knowing that just 4 months ago I was just starting out with my first contests and had 0 earnings to 2-3 months ago when I had just around 3,000$ in earnings is pretty nice. Next mark - $50,000 🫡
26
8
317
@samuraiii77
samuraii77
2 months
Find the bug in the code snippet below 🕵️
30
2
120
@samuraiii77
samuraii77
1 month
#11 in the @SizeCredit contest. I found 9 H/M bugs, more than everyone but 1-2 people but I guess the more unique ones ate up a lot of the reward pot and I finished a lot further behind than what I expected. Lesson for next time - find even more issues and don't let that happen 🫡
11
6
109
@samuraiii77
samuraii77
2 months
#2 on the Thorchain in C4. Not extremely happy with the result as I forgot to submit the only M/H left not found by me but that's a lesson learned 😅
7
2
85
@samuraiii77
samuraii77
5 months
My first 4-digit payout in my second (arguably first) contest ever! Definitely pretty happy with those results but of course, there is still a lot of room to improve, had a great time auditing the @dittoproj in @code4rena!
9
0
62
@samuraiii77
samuraii77
4 months
Shadow auditing is one of the best ways to improve, especially as a beginner. The contest in this thread is a great option to do a shadow audit on! (Spoiler Alert: It is not Beedle) 🧵
7
5
66
@samuraiii77
samuraii77
2 months
Around a day has passed so it is time to reveal what the issue was 🧐 Firstly, there were some lower impact issues such as:
- Not validating msg.value
- Redeploying the Referrer contract every time
- Users can set themselves as the referrer
Now, about the high impact issue 🧵
2
3
63
@samuraiii77
samuraii77
1 month
Doing team audits on C4 after the introduction of the Hunter and Gatherer bonuses might be the new meta 🧐 For example, in a recent contest I did, if I had teamed up with someone that had just any 2 findings which I didn't find, we would have gotten $16,000 as a gatherer bonus.
1
1
37
@samuraiii77
samuraii77
4 months
Two results from recent contests. Definitely not happy nor satisfied with these results but trust me, it won't be long before I get the #1 spot in a contest, I promise! 😉
5
0
33
@samuraiii77
samuraii77
5 months
Looks good, @code4rena, definitely first of many!
2
1
30
@samuraiii77
samuraii77
3 months
Best strategy game ever, agree or not? 🤔
2
0
16
@samuraiii77
samuraii77
2 months
I found a very similar issue in a recent audit I conducted so such an issue can definitely appear in a protocol you are auditing, definitely keep that in mind in your next audit and do not miss it😉 Congrats to everyone who managed to find it!
2
0
13
@samuraiii77
samuraii77
29 days
@AffanImran15 Learn Solidity and start contests, that's it
0
0
12
@samuraiii77
samuraii77
2 months
Well, actually not. The issue here is that even if referrer is address(0), the address of the deployed Referrer contract will not be, thus the check will always pass making it so every deposit with no referrer dilutes the rewards for actual referrers.
3
0
8
@samuraiii77
samuraii77
2 months
TIL that the Remove Comments VS Code extension doesn't just temporarily toggle off the comments but removes them completely 😵‍💫 RIP audit tags 🪦
3
0
8
@samuraiii77
samuraii77
3 months
@sherlockdefi Assumes the symbol will be a string but in reality, it could also be bytes32
1
0
6
@samuraiii77
samuraii77
2 months
Whenever a user deposits, he can set a referrer. That deploys a Referrer contract through which the referrer can interact and get some rewards. If the user has not set a referrer, we do not update the referrer units due to the address(0) check... or is that actually the case?🤔
1
0
6
@samuraiii77
samuraii77
2 months
@0xriptide please stop leaking my wallets 🫤
0
0
6
@samuraiii77
samuraii77
4 months
@zdravkohristov0 @ZivoeFinance @sherlockdefi @BiasedMerc Even worse when you saw it but didn't bother to think about it as it's just wrong event emission 😵‍💫
0
0
5
@samuraiii77
samuraii77
27 days
@woshilalala @sherlockdefi If a protocol wants to get the same quality (or even higher) as most T1 firms for a fraction of the price, this is your guy 👀
1
0
5
@samuraiii77
samuraii77
1 month
@14si20 @zzebra83 For me it's the opposite. If I find one, I know there is more but if I don't find anything for a while, I get bored
1
0
4
@samuraiii77
samuraii77
1 month
@woshilalala @SizeCredit @code4rena Congrats my man, thought I beat you this time but turns out not 😂🫡
1
0
4
@samuraiii77
samuraii77
29 days
@scripter_silver C4 / Sherlock
1
0
3
@samuraiii77
samuraii77
29 days
@AmrSec_ I don't have any tech background
1
0
3
@samuraiii77
samuraii77
2 months
@vancelotx Yes, that's an unintended issue, you can assume that the referrer contract only gets deployed once. This is a bug but doesn't really have huge impact except people paying more gas
0
0
3
@samuraiii77
samuraii77
2 months
Also assume that there is a check disallowing the depositor from setting himself as the referrer, that is not the bug I intended to put :D
0
0
2
@samuraiii77
samuraii77
4 months
Give it 2 days or more in case you are just starting out and try to find as many issues as possible. Then, read the issues found and try to understand them to the best of your abilities. Good luck!
0
0
3
@samuraiii77
samuraii77
2 months
For those saying that the referrer contract gets deployed every time, that is an unintended issue but it also doesn't really have much impact besides users paying more gas. You can assume that there is a function called getOrDeployReferrer() there instead. The bug is elsewhere
0
0
2
@samuraiii77
samuraii77
21 days
@0xJuancito @milotruck And it all depends whether they are trying to validate or invalidate the issue 😂 trying to invalidate it makes the price of the attack a trillion dollars more expensive
0
0
2
@samuraiii77
samuraii77
4 months
@arabadzhiev_ That's interesting, they refused to change the rankings and rewards when the judge found out he accidentally invalidated one of my valid issues in one of the contests.
1
0
2
@samuraiii77
samuraii77
4 months
Why is it a great option?
- It's short (≈500 SLOC)
- It's not hard to understand
- It has a decent amount of issues, some of them very simple
- It involves a lot of common DeFi concepts
1
0
2
@samuraiii77
samuraii77
2 months
@yatharthpnwr We are deploying the referrer, we are not sending any ETH to it so the fallback function wouldn't be called. Also assume that the Referrer contract is 100% trusted
1
0
2
@samuraiii77
samuraii77
4 months
@sharonplima Beedle is good, it's just that it's the only one being recommended 😆
0
0
2
@samuraiii77
samuraii77
2 months
@qwerty6875987 Will post tomorrow, stay tuned
2
0
2
@samuraiii77
samuraii77
2 months
@MartinMarchev A guy from the Immunefi team has been regularly trying to get a reply from the team, not sure if that counts as mediation or if it's something else. The team replies once every 1-2 weeks and then dips again 😅
1
0
1
@samuraiii77
samuraii77
3 months
@zdravkohristov0 Best way to relax after a long day 😄
0
0
1
@samuraiii77
samuraii77
2 months
@DAgantem1624 That's not the bug, you can imagine that the withdraw function for the referrer gets his money like this: uint256 moneyForReferrer = totalMoneyForReferrers * referrerUnits / totalReferrerUnits
0
0
1
@samuraiii77
samuraii77
5 months
@zarkk01 Not sure what the bug I found is yet haha but I think I have an idea what it was, it was not hard to spot
1
0
1
@samuraiii77
samuraii77
2 months
@MartinMarchev Me 1 month and a half after submitting an issue and still waiting for a decision 💀
1
0
1
@samuraiii77
samuraii77
29 days
@00iamma00 Learn Solidity and start contests
1
1
1
@samuraiii77
samuraii77
28 days
@InfectedCrypto Thanks man, appreciate that 🤜🤛
0
0
1
@samuraiii77
samuraii77
29 days
@4gontuk Thanks 🙏
0
0
1
@samuraiii77
samuraii77
29 days
@cholakovv 🤜🤛
0
0
1
@samuraiii77
samuraii77
5 months
@ilchovski98 @dittoproj @code4rena Your results are great as well ;)
0
0
1
@samuraiii77
samuraii77
16 days
@KoolexC I don't think this example is quite correct, there is no benefit to not investing here while the dilemma is different
0
0
1
@samuraiii77
samuraii77
2 months
@CharlesWangP Are you using internet explorer? 🤔
1
0
1
@samuraiii77
samuraii77
2 months
@Amxx It's not that deep man, check my other reply regarding that
0
0
1
@samuraiii77
samuraii77
29 days
@0xrochimaru Thank you!
0
0
1
@samuraiii77
samuraii77
2 months
@jesjupyter That's true, I made the code super simple so I missed some details but assume that there is a function used there instead that only deploys a contract if there isn't one already deployed for the referrer
0
0
1
@samuraiii77
samuraii77
1 month
@auditsbydanny Third time's the charm
0
0
1
@samuraiii77
samuraii77
11 days
@nmirchev8 @EgisSec Where is the other half? 🤔
1
0
2
@samuraiii77
samuraii77
2 months
@stanchev_33 The referrer contract will take care of that, for example by having an onlyOwner modifier and the owner being set as the referrer during the constructor. You are in the right direction though
1
0
1