stanchev
@stanchev_33
Followers
1,291
Following
234
Media
30
Statuses
407
Smart Contract Security Researcher 🫡 Web3 enthusiast
Joined January 2024
Don't wanna be here?
Send us removal request.
Explore trending content on Musk Viewer
SEVENTEEN
• 1289672 Tweets
Carat
• 78291 Tweets
FELIP TAKES ON BBPHSTAGE
• 51264 Tweets
#TimnasDay
• 49639 Tweets
SLOTH STYLE BY NUNEW
• 47344 Tweets
The Next Prince Q9
• 45623 Tweets
オーストラリア
• 45304 Tweets
GLICO ALMOND X MEW
• 34311 Tweets
#バナナサンド
• 33567 Tweets
TAYNEW x NIVEA SPOTLIGHT
• 31575 Tweets
#サッカー日本代表
• 25840 Tweets
ミンギュ
• 22772 Tweets
BBPH ANN1V WITH BINI
• 22765 Tweets
金木犀の香り
• 21447 Tweets
うさぎだらけくじ
• 17423 Tweets
最終予選
• 17359 Tweets
ジョシュア
• 16687 Tweets
スングァン
• 15898 Tweets
Zaplana
• 15547 Tweets
ドギョム
• 15503 Tweets
エスクプス
• 14790 Tweets
モグコレ
• 10693 Tweets
Pinned Tweet
Consistency is key in Web3. 🔐
Some days you put in 12 hours of work, others just 1.
Don't beat yourself too much about it.
1 is better than 0.
Never ditch everything completely. Even writing a single twitter post a day will keep your mind where it should be. Once you start
9
23
182
After reading a bug bounty writeup from
@deadrosesxyz
I got hooked up on them immediately.
It's like you peek into the mind of the hunter. 🧠
I found this resource that is stacked with such write-ups
I read most of them last week.
Does anybody know of
5
26
156
Web3 security is a billion dollar industry and it will continue to expand.💸💸💸
Doesn't matter if you are coming "late".
Many people are leaving their high-paying full-time jobs to ⚠️RISK⚠️ becoming a security researcher.
That should tell you a whole lot.
Do not hesitate.
19
15
139
I am getting DM's all the time with the questions:
Where to start with web3 security?
Is it worth it?
Answers are:
-
@CyfrinUpdraft
- Yes
7
11
120
How to get rich in 6 months
(not a Ponzi scheme)
👇
1. do a contest
2. read the report after it's finished
repeat at least 10 times or more.
profit
7
9
112
About 2 months ago I started to actively audit contests.
The most interesting part about my journey is that I immediately started with a pretty large codebase.
(around 2.5k nsloc, for those of you who are curios it was
@SizeCredit
on
@code4rena
, soon when the report is
5
10
110
If you have been actively auditing the past 3 months, there is 90 percent chance, you have audited a staking contract. ⭐️
Currently I am auditing one, the most helpful resource I found was this video from the smart contract programmer. It could be a little math heavy but by the
4
9
100
Auditing is not a simple task, not at all. 📌📌📌
But why making it harder with additional tools, different approaches, reading lots of stuff that is unnecessary at the moment and so on.
Use the Bulgarian CEI pattern 🇧🇬
- Check the code
- Effectively spot the bugs
- Immediately
4
7
102
The most rewarding feeling an auditor could experience is not a 6-digit payout. It is when you understand a codebase that you thought was impossible to grasp.
Several days of intense researching, reading the docs, reading every function line by line multiple times, no
4
5
100
Today I turn 24
Even though I am considered young, the amount of amazing security researchers way younger than me is incredible and is only a sign of how great web3 security is as a space
I am very happy to be here, getting to know a lot of smart people and securing the web3
17
2
98
I said till the end of September I will be top 10 in a contest.
Here are my results for
@tadle_com
contest on
@CodeHawks
💰 Reward: 508$
⭐️ Rank: 10
🐛 5/14 highs uncovered, 0/4 mediums
The competition was fierce with about 1.8k findings
Grats to all in securing the protocol
14
2
97
If you wonder when is the best time to become smart contract security researcher, it is 2024.
No, it is not some time in the past, it is right now.
Most of the people who are entering this space need to hear this.
Don't bookmark this post to read later for motivation. I don't
3
10
96
If you are struggling to start with auditing, here is a great article from
@0x3b33
that I personally follow from the beginning.
Must read 🫡
4
17
94
Managed to secure my first 3-digit payout from contests(26th place). 💸💸💸
I've read the report, saw what I missed(there were 2H and 2M , I found 1M).
Gratz to all participants for securing the protocol. The contest was TempleGold on
@CodeHawks
My goal is 4-digit payout and
13
2
93
I really want to keep the motivation in all the great researchers that are currently trying their best in the web3 space. ⭐️⭐️⭐️
As I currently hit 1k followers, I decided to do something small, but from the heart for the community. 🫡
Today I am announcing a week of bug
7
3
88
If you are still wondering if there is a place for you in web3 security lets observe some stats📊 on
@code4rena
leaderboards.
Code4rena leaderboard 2022:
About 800 active auditors.
Code4rena leaderboard last 365 days:
About 1500 active auditors.
Takeaway:
These are not
5
4
85
Your brain should always click whenever you have abi.encodePacked() in authentication, signatures and data integrity.
📌📌📌
Why is that you may ask, let me explain:👇🧵
abi.encodePacked(string,string) may result in a collision in some scenarios, let me give you an example ⭐️
3
11
78
Find the bug challenge part 1⃣
Reward: 30$ 💵
❓❓❓
What could be the problem if Logic is the implementation of the Proxy contract?
Whoever guesses it first is the winner! ⭐️
I'll post the results tomorrow same time.
Happy hunting! 🐛
39
3
76
Another smol win. This time from the
@TraitForge
contest on
@code4rena
. Thankful that I could contribute to the security of the protocol.
Wish them the best! ✌️
7
0
67
Most people find it really hard to jump into audits, even though they learned for month and months.
Here is a video of
@0xOwenThurm
that guides you perfectly in how to jump into your first contest and do your best.
Enjoy ✌️
1
5
65
The first 3 public contests you do are going to be hardest. 📌
In these 3 audits, you will experience the most intense roller coaster of emotions ever.
These are the audits that will test your mentality, and the amount of discipline you have.
They will give you the first scent
3
1
62
Is Rust gaining momentum. I see two very large Rust contests:
1. Axelar on
@code4rena
- already started
2. Centrifuge on
@cantinaxyz
- starts on the 19th of August
Maybe it's time to niche down a little.
Here is a playlist that can get you started with Rust
0
1
59
If you want to be an exceptional auditor, don't do what other auditors do.
What works for them at the moment, may not work for you, as there are levels to this.
I've learned that the hard way.
Keeping it simple is the key.
8 hours a day.
Read code and research the EVM.
1
1
59
You want to know how to navigate larger codebases?
📌📌📌
Here's how 👇
1. Grab an external function that creates a flow(supply, borrow, liquidate, repay, withdraw, depositCollateral, claimPrize, etc.)
2. Try to understand it as deeply as possible looking through every call it
3
7
59
Yesterday I managed to hit 1000 followers.
Love the space, love the energy.
Lots more content coming along.
Tomorrow I will announce something cool that you can participate in, so stay tuned. 💰
2000 till the end of the year. Mark my words.
Thank you all! ✌️
6
0
58
Improving as an auditor is doing what you are scared of.
Scared of that 5000 nsloc codebase - do it
Scared of that escalation war - do it
Scared of asking the devs a question - do it
Scared of the competition - crush them
Ready to give up - repeat ☝️
Whenever you think you
0
7
57
Gaining momentum with Munchables
Another small win
Manage to find 3 out of 6 H/M🐛
Have to ramp up this number to at least 75% found for every contest
1
0
53
Another great tool that is a must have for an auditor is the Solidity Metrics extension.
It will calculate nSLOC, complexity score and a lots of other interesting stuff. There is also visualisations such as:
- Inheritance hierarchy of contracts
- Risk reports
- Call graph
It
0
4
53
Whenever you audit, if you find something extremely hard that seems impossible to understand, remember one thing before giving up:
📌📌📌
Lots of other auditors found the same thing hard and gave up on it. Be the one who doesn't. This is how you find unique 🐛
3
3
52
Every time I see someone post a win on a contest or a success story in web3, I am getting extremely happy, because someone is changing his/her life for the better doing what he/she loves.
Keep grinding 🫡
0
1
50
This post will be an update as to where I am at the moment with web3 security. 📌📌📌
It has been an amazing month! Why is that?
I've managed to put on an average of 6-8 hours of focused work per day (some days 10 hours, other days 3, any hour counts), it was hard at first but
3
1
46
While everybody tells you how their Web3 journey started with "Mastering Ethereum", mine started back in 2021 losing 5k USD on Binance Futures. 🔪 😄
Here I am 3 years later, trying to get my losses back with Web3 security. 🤓
3
1
46
Staring at code for hours on end helps you to grasp every little detail of it. 👀
Even when I am resting the flow of the protocol stays in my head. 🧠
That's why I tend to find more of the complex bugs around the end of the audit. 🐛
3
3
47
I did this for a week now, and I want to say that it just glues me to the monitor for 3 - 4 hours straight of pure focused work.
I don't know what it is, but I really did 10x
Thank you
@nisedo_
🫡
If anyone wants to give it a try -> type 40 Hz Gamma Binaural Beat in youtube
4
3
47
If you want to have a better understanding of a codebase do this 👇👇👇
At the end of the day just scan it one last time without any comments, notes etc. Just pure code.
It still amaze me how with every scan I interpret it differently.
It is the same code over and over again,
2
8
70
Today the results for
@SizeCredit
were published, unfortunately my submissions got invalidated.
Congrats to everyone who succeeded in protecting the protocol. 👏👏👏
Despite my results, this presents great opportunity to me. There were a total of 17 H/M🐛 uncovered. Once the
6
1
45
As competition arises, we see around 2k+ submissions in contests with low sloc.
Next 2-3 months, I will mostly do 3k+ sloc competitions.
I want to challenge myself in order to level up.📈📈📈
Will post everything about my journey.
Godspeed.🫡
1
2
40
Most of the people in web3 are very intelligent and open to communication.
Use this to your advantage as it could leverage your knowledge a lot. Some things are learned only by experience
2
0
39
Most of you have seen the word Slippage in DEFI.
What is it exactly?
How it could lead to serious vulnerabilities? 🐛
📌📌📌
I have found this article from
@DevDacian
and it's a pure gem.
Make sure to check it out. It will up your game a lot.✌️
1
8
37
All in all I got 2 out of 6 Highs and 3 out of 19 Mediums in the
@traitforge
contest
Today i would like to do a recap on the Highs. Which ones I caught and which ones I missed. What was the thinking process behind it, and what I could improve.
2
1
38
Tip for Smart contract security researchers:
Think as a blackhat 🎩🎩🎩 (but please if you find something don't steal all the funds)😁
Jokes aside ask these questions when you are doing an audit:
1. What if I call this sequence of methods?
2. What if I provide X input as value
2
6
36
My favourite thing to do while waiting for a contest to start is to read a past report and writing POC's for some of the vulnerabilities in it for better understanding.
This way I activate my brain to go into "auditing mode".
What's even better is recognising a similar
3
4
37
If you have these questions:❓❓❓
How to approach a codebase?
How much time to audit per day to be the most productive?
What is the average time spent auditing per month?
How to handle burnouts?
How to be disciplined?
All the questions that an auditor could have are answered
4
2
35
I can relate a lot to
@windhustler
and what he said in this podcast with
@HackenProof
Being a corpo Java software engineer for over 3 years hadn't developed my mindset and approach at codebases such as Web3 security did in 3 months. Sometimes you need to
1
3
34
Recently I am trying to learn as much H/M vulnerabilities on as possible. Having all that knowledge will help me in future contests and private audits a lot.
The problem was I didn't have methodology for studying these vulnerabilities,
@andyfeili
has
Solodit
Solodit is a platform that aggregates all findings from popular audit platforms.
solodit.xyz
2
3
34
Find the bug challenge part 3⃣
Reward: 50$ 💵
This is my implementation of an ERC4626 vault.
The thing is that I did not pay for an audit and now I am holding lots of TVL $$$ 💸
Find a way to drain my vault and win the prize.⭐️
Everything else that is not shown in the
13
2
34
Stumbled upon this podcast by
@HackenProof
where fellow Bulgarian SR
@gkrastenov
shares amazing alpha.
Highly recommend if you want to know about private engagements. How to start finding your first clients and retaining them for the long run by giving solid service.
Always
3
2
34
If the contracts are as "smart" as they say, why are they getting exploited all the time? 😬
11
1
33
Tip for newly onboarded auditors that will bring y'all some serious cashflow. 💡
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
1. ❌ Stop asking others "Am I late for web3 security?"
2.✅ Start asking yourself "How does this function changes the state of the protocol?"
1
0
33
I rarely post something that is not web3 related, but this video has had me glued to the monitor for an hour.
📌📌📌
The importance of 10-12 hour workdays is massive.
Yes they are hard and painful.
Yes you feel miserable rotting for so many hours in front of the screen.
0
1
31
Success should not be that thing, where you bow to everyday and pray that sometime you might reach it.
It should be made a standard. Same as, do not eat food from the floor.
Let's say this month you need to find at least 30 vulnerabilities in contests.
Now this is the
2
4
32
I will show you how to master one of the basics in solidity STORAGE. 📌📌📌
(solid fundamentals == solid results) ✌️
1
3
30
As I have around 3 years of backend development(Java)
It was very hard to read the "formatted" code in Solidity.
Just the way it was laid, didn't match with my workflow.
I've found this extension for VS Code which is allowing you to configure a formatter the way you like.
In
1
1
30
Web3 is in its early stages but things move very quickly. You have to be agile.
👇👇👇
You either watch things happen, join things as they happen or make things happen.The ball is always in your court. The choice is always yours. ✌️
1
0
30
After the weekend is over, Monday is such a nuisance. You are resting then suddenly you need to get out of your comfort zone and start to work.
Getting into web3 security, will eliminate this dread forever.
No days off 🙃
4
0
30
Past week I had a lot of work done with ERC20 tokens.
I will do multiple threads on weird ERC20's.
My first "guest" is USDT.
Lets begin this 🧵
2
2
29
If you are participating in a contest, where there are no sponsors that can answer your questions and the documentation is not that good.
This is your time to shine. 🫡
Examine the code as much as possible as most of the wardens will have different interpretations of the
0
1
29
Nothing better than starting the day with 4 hours of focused work. Right when the brain is as sharp as it can be🫡
0
0
29
Communication is key in web3. 🔑🔑🔑
In either contests or private audits you need to communicate with developers. Don’t think you can do it on your own, you may but there will be lots of invalidated issues ❌ obstructing your path to success✅. You are the security researcher,
1
1
29
Find the bug challenge part 2⃣
Reward: 40$ 💸
❓❓❓
This is an auction house protocol.
In an auction, participants can place bids. When a new, higher bid is made, the previous highest bid is returned to the bidder who placed it.
Comments:
Fee on transfer/deflationary/rebase
16
2
28
Second round of the bug hunting week is done! 🐛
As there are 2 scenarios in which the protocol could be exploited we have 2 winners.
(nobody managed to get both of the scenarios right)
Winners are:
@shibi_kishore
- caught the scenario where using an ERC777 token DOS'ed the
3
2
28
Nowadays, reentrancy vulnerabilities are at an all time low.
Why is that? 🤔
📌📌📌
Using ReentrancyGuard and the nonReentrant modifier.
Also applying the CEI(Checks -> Effects -> Interactions) pattern.
But that doesn't mean they could be 100% prevented.
Whenever you observe
1
2
27
A tip for smart contract security researchers:
Buy an actual whiteboard.💡💡💡
I can't really tell the difference functionally between Miro and an actual whiteboard, but actually getting up from my chair and drawing on a physical board has boosted my productivity and creativity
3
2
25
Most people deem web3 very risky, so they choose the "safer" option which is a corporate job.
Didn't know "safe" meant you could get laid off any time of the year even if you do your job perfectly fine. 🤐🤐🤐
3
0
27
Challenge for SR's: ⭐️
Whenever you have the urge to bookmark a post, just read it. 🤓
Bookmarking is the ultimate guide to procrastination.😴
Whenever you read it, if there is some crucial knowledge that you may reference in future audits, then bookmark it.✌️
0
1
27
If you're currently participating in the
@Karak_Network
Restaking contest on
@code4rena
, make sure that you read the ERC-4626: Tokenized Vault standard.
It is crucial to understand it, as it allows ERC-20 tokens to be represented as shares of a tokenized vault, while keeping
1
1
27
If you need to attain some Cairo knowledge, I recommend this video.
It is concise and gives the most value for it's length.
Even though there aren't many Cairo contests at the moment, if anyone decided to participate in some of them, this is a gem 💎💎💎
0
2
26
Today I've hit 500 followers.
I am truly humbled.
Will up my game x10 for the next 6 months.
Lots of content upcoming.
Thank y'all.
Godspeed to 1000.🫡
3
0
26
Hands down the best newsletter, if you want to keep up with everything regarding Web3 security.
They even have an archive that you could browse.
Lots of info, much alpha ✌️
2
3
25
If you want be an elite security researcher, you should learn from the best
@deadrosesxyz
.
Give it a listen, truly remarkable.
had a really nice talk recently with
@deliriusz_eth
and
@escrow_
highly suggest all beginners to listen to this as I shared a lot of my insights on how to be a better auditor 👀
5
9
121
0
2
26
If you are new to the Web3 space, you probably have seen the words faucet and facet. It seems that they are the same term, but actually they represent different aspects of Web3.
📌📌📌
What are they and how they are used in actual scenarios I will explain in this 🧵👇
2
0
26
Damn it feels good when sponsors are responsive and they really try to understand your explanation of a vulnerability.
In the meantime, they show their point of view which can give you a different insight of the protocol.
That helps a lot. ✅
Big thanks to such devs, it is
1
0
25
While researching different attack vectors for the
@SizeCredit
contest, I have come across one of the best articles on Lending/Borrowing DeFi Attacks written by
@DevDacian
If anyone has something similar to this article please add it in the comments or DM me.
Thank you!
1
2
25
I decided to participate in the
@SizeCredit
code4rena contest. This is the first contest i take part in. At first glance 2.5k nsloc seemed a bit too much for a beginner like me.
After spending the whole day, learning and researching, watching the code walkthrough several times,
2
4
24
Doing audits/contests is probably the best you can do to level up.
If you are feeling miserable doing contest, I have happy news for you, you are on the right path. Misery makes you research.(misery=gain)
At first I didn't believe it. Now I'm full send on that info.
Jump into
0
0
24
This is amazing, I've managed to surpass 200 followers.
I want to thank you all! 🫡🫡🫡
📌📌📌
My only goal is contributing as much value to the web3 space as I can, doing audits and creating content.
Godspeed to 500.
3
0
23
Whenever you feel like giving up, put this work consistently for 6 months, then try to give up, if I could guess then you won't 😉
2
0
22
When it comes to web3 sec, my strategy is to not learn things I don't need at the moment.
One of this thing was Hardhat👷. I stumbled upon some unit tests written in Javascript that were run on Hardhat. I've been a Foundry user since the beginning of my journey and I got a
1
2
23
After about 2 weeks of actively auditing a contest I want to share some key takeaways about the whole experience as I think that could help a lot of security researchers going forward.
Thread below:
2
1
23
Tip for auditors.💎
Share everything about your research.
Post about your web3 thoughts.
It is good for your brand, it is good for the space.
All opinion matters.
1
1
23
The biggest flex a security researcher could have is finding 100% of the vulnerabilities in a protocol.😎
Of course this comes with time, a lot of fxing time.
It is for sure time well spent.✌️
3
0
22
A type of vulnerability that I've witnessed recently is not having a proper way of withdrawing assets from a contract.
Easy to explain example will be:
If you see payable function in a contract, there should be 100 percent a withdraw for native ETH. If there is not that is a
4
2
21
FAILURE ❌❌❌
is one of the best things that can happen, if you properly extract everything that led up to it.
Take 2 steps back, observe the larger image. Pinpoint what you've missed. The hardest of bottoms shows the stronger sides of an individual.
Embrace it ✌️
0
0
21
Here are 3 tips that will get you to your first payout as quickly as possible 🧵👇
2
2
21
Web3 is very volatile. Sometimes the crypto market seems bearish and investors are backing off from the space. It is hard, it is problematic. It seems like everything will crumble down.📉📉📉
I have some major advice on how to handle such situations.
Read
Code
🤓
1
0
21
Something new that I tried today for the
@SizeCredit
contest is looking in the test suites so i can better understand the flow of the protocol.
I think as a security researcher, it is essential to always dig in in the tests.
I thought that I had an excellent understanding of
0
1
21
If you think you have nothing to do and may have a little rest, go to there is plenty to do there.
When I say plenty, I mean just a mere 12k findings to consume and upgrade your arsenal.
Solodit
Solodit is a platform that aggregates all findings from popular audit platforms.
solodit.xyz
1
1
19
Everybody knows about the SR role on
@code4rena
Before achieving it there will be hardships in validating some of your findings.
What are the ways to improve your experience in PJQA while not having the SR role.
1. Have a friend that has the SR role so you can do escalations
0
0
20
Equivalent of contest results is the time you put into deep diving the protocol and learning all its mechanisms.
Needless to say: deep diving == money
💸💸💸
0
0
19
I found this amazing interpretation of the Ethereum Yellow Paper that makes it way more understandable.
📌📌📌
It is called the beigepaper.
I highly recommend reading it. If you had a hard time with all the mathematical stuff, you will surely understand it this time.
2
1
18
If you are wondering what kind of questions to ask the developers during a security audit,
@tinchoabbate
got you covered with this post.
It is concise and very informative. Must read 🧐
0
2
18
Wrapped up my report for the
@SizeCredit
contest.
Managed to find some vulnerabilities, hopefully they get validated.
It feels amazing finishing an audit, wow!
Can't wait to see what vulnerabilities I didn't catch.
Good luck to all the participants.
It was a pleasure!
1
2
18
Yeah, yeah, I get it, breakups are hard and depressing.
But have you ever invalidated the finding you were most proud of right after the contest ended. 🙂
3
0
18
As I do not have definitive answer of the problem, I will give a hint:
It is related to a token functionality 📌📌📌
Find the bug challenge part 2⃣
Reward: 40$ 💸
❓❓❓
This is an auction house protocol.
In an auction, participants can place bids. When a new, higher bid is made, the previous highest bid is returned to the bidder who placed it.
Comments:
Fee on transfer/deflationary/rebase
16
2
28
11
0
17
Sharing all your progress publicly, what you have learned, what you have missed to learn, what you will learn, is probably the best way to get some feedback and spread the knowledge. ✌️
Do not miss out on the opportunity.
0
0
16
If the protocol has good unit tests, make sure you use them to your advantage.
They could show you a lot.
How the protocol behaves in certain scenarios.
It's like additional documentation to search through.
A small change in parameters or maybe adding new elements to the
0
2
15
First round of the bug hunting week is done.
Winner is 🥁🥁🥁
@baba_shamsuddin
Congratulations to the winner! ⭐️
We started with something easy, things will get harder and harder. Be prepared.
I am happy to see lots of correct answers. Kudos to all!
The vulnerability is
2
0
15