Ever feel like you're drowning in data? 🌊
Here's a practical tip:
• Take 30 minutes daily to reflect on the information you've consumed. ✨
• Summarize it in your own words. 📝
• Review it at the end of the week. 🗓️
Watch your understanding skyrocket.
Delighted to announce we've successfully completed a comprehensive audit for @4catamoto's smart contracts! Thrilled to be supporting the safety & reliability of new projects on the @BNBCHAIN as official security service providers.
100+ followers in just 2 days! 🚀
Your trust fuels our passion to deliver mind-blowing content. Here's to a fantastic web3 auditor and security researcher community.
Stay tuned, it's gonna be EPIC! 💥🔍
Did you know auditors can get you hacked?
But how? By recommending faulty code changes.
Here is a story of how the AstridFinance protocol lost nearly $190,000 by applying code changes recommended by auditors without a second thought, and how you can avoid this happening to you.
Diving deep into the code of smart contracts feels like an adventure. 🚀
But here's the twist:
The real treasure isn't in finding bugs (though important), it's in building a mindset within your team where security is as natural as breathing. 💨🔐
Imagine thinking your project is too small for hackers to notice. 🤔
Here's a hard truth:
Hackers love the 'small fish' mentality. It makes their job easier.
We're proud to extend our support to the next 10 projects coming out from the CATAPULT.
Memecoins deserve top-notch security, no less than DeFi projects 🔒
In the world of crypto, every detail matters.
- An overlooked bug today can become a major vulnerability tomorrow. 🐛➡️🔓
- A single line of code can protect or expose millions. 💰🛡️
Make precision your best friend.
Taking the leap into auditing? Just remember: 📝
1️⃣ You don't have to learn everything at once. 😌
2️⃣ It's okay to Google things. 💻
3️⃣ Auditing projects is one of the best ways to learn. 🚀
People fail to invest in audits because they are skeptical about their importance.
There are zero 'quick fixes' that work.
Someone is proposing cheap solutions? Don't be a fool.
Ensuring your contract's integrity requires diligence, so please approach it with that mindset.
Don't gamble with your crypto project's security:
- Trust is not a strategy. 🚫🤝
- Hope is not a security protocol. 🚫🍀
Build a fortress, not just a fence. 🏰🛡️
We’ve used Bulloak (an open-source smart contract testing tool developed by @OpenZeppelin’s engineer, @alexfertel) extensively for the last few weeks.
Results?
4 bug reports and 1 improvement suggestion 🫡
Legendary @adrianhetman gets on stage at the DeFi Security Summit in a few minutes to reveal the behind-the-scenes of Bug Bounty triaging.
We'll be tweeting key takeaways live 👇
There's a common myth that writing secure smart contracts is all about being a master coder.
In reality, it's about understanding the bigger picture, foreseeing potential threats and instilling a culture of security throughout your team.
There's a dangerous myth out there that says:
Small crypto projects don't need to worry about cybersecurity.
The truth?
Everyone is at risk. Cybersecurity should ALWAYS be a priority, regardless of your project's size or budget.
The most overlooked part of building a crypto project? The security education of your team.
Responsible development requires everyone on board.
Don't just hire smart people. Hire smart AND security-minded people. 🧠🔒
If you are an auditor, accounting for every detail isn't just a part of your job.
It's the very essence of it.
Stay patient, stay focused. It all adds up in the end.
Everyone knows tests are crucial to making your protocol secure.
But few have clarity on the types of tests needed.
Here are 7 types of tests your protocol needs:
It's not uncommon to see teams rushing a smart contract audit just before launch.
Bad move!
Security should be a part of your development lifecycle from day one.
Wallet security is a critical concern in our reality. But what if your wallet has permissions in your smart contract? A compromised wallet means a compromised contract!
Can we secure an admin role? Yes, we can! A multisignature wallet spreads access across several signers, so a single compromised key is no longer enough to take over the contract.
While it's tempting to rush through development to meet deadlines, neglecting thorough testing can spell disaster.
A well-tested smart contract is a safe contract. Make time for meticulous testing. 🛠️✔️
Excited to unveil our year-long collaboration with @NativMetaverse! We are working hard to develop all technical aspects of their project, providing innovative solutions every step of the way. Stay tuned for more updates!
In the rush of deployment, many overlook the importance of a detailed documentation practice. Remember, thorough documentation is not just a formality; it's your first line of defense in ensuring continuity and security. 📖🛡️
Question: If we offered a ‘security guarantee’ would you trust us more?
The truth is, even if we did, you shouldn’t.
There's no such thing as ‘100% secure’. Security is a continuous process, not a one-time fix-it-all solution.
Deploying smart contract upgrades through @safe with a Foundry script WHILE being able to write tests for that upgrade script on a mainnet fork is harder than it should be.
Yet, it's essential for all projects with upgradeable smart contracts.
We're dropping a guide soon.
The difference between a good project and a great one?
The dedication to maintaining security post-launch. A project doesn't finish once it's live. It needs ongoing monitoring, evaluation and improvement.
The most neglected aspect in creating a cryptocurrency project?
Teaching your team about security.
Sustainable development needs the entire team's commitment.
Many companies write about hacks and post real-time exploit alerts.
But you know what's not talked about enough?
The good stuff.
So we've decided to start the 'Last Week in Auditing' series where we talk about reports published last week with our notes from reading them 👇
Security is not always complicated multi-sig schemes, weeks-long audits, or elite hacker level opsec.
Often simple things can help members of your community.
Back to basics. Take care of fundamentals first.
If there is one thing differentiating great web3 dev teams from mediocre ones, it’s this:
outstanding test practices.
Unfortunately, writing tests tends to be cumbersome.
This changes today:
There are two kinds of hackers who can compromise your project:
1) the ones who find vulnerabilities in your code and
2) those who exploit loopholes in your team's opsec practices.
Make sure both doors are firmly shut.
A smart contract auditor walks into a bar and orders a beer.
Orders 0 beers.
Orders -1 beers.
Orders a lizard.
Tries leaving without paying.
Satisfied, declares the bar ready.
The first customer finishes their beer, and asks where the bathroom is.
The bar explodes.
🚨 Alert 🚨
We experienced a security incident on our X/Twitter account overnight, despite robust protections including a strong password and 2FA. We continue to investigate.
Please remain vigilant and remember, Trezor will NEVER request funds or assets be sent to any address.
Foundry tip for getting familiar with a new codebase:
Instead of jumping straight to the code, run 'forge doc --serve' and start there.
Tells you a lot about a project and dev team quality fast.
Before implementing any security advice or recommendations, conduct thorough research!
Not all suggestions are safe.
Some of them are 'Trojan horses' that may compromise your project.
There is no set-it-and-forget-it solution in cybersecurity.
It's not a one-time task but a continuous process of education, adjustments, and refinements.
💩 devs:
・little to no tests
・no documentation
・'invariants, what’s that?'
🥷 devs:
・example-based tests, branching tree technique, fork tests, fuzzing, invariant tests
・code and documentation go hand in hand
・invariants-first approach
Sometimes it's the small things that make a big difference in security:
• Check inputs
• Use try-catch blocks
• Limit and validate user data
• Keep dependencies up-to-date
• Test invariants
What other small things do you always check? 🧐
Function parameters matter as much as logic 🔍🧠
✅ Check these off your list:
🔹Safe bounds validation 🔐
🔹Zero-value parameter impact ⚠️
🔹Reduced-size types? No gas savings here! 💸
Scrutinize every detail for secure smart contracts 🕵️‍♂️
The importance of code review:
🔍 Catching bugs early
✅ Maintaining the quality of code
👥 Creating a collaborative environment
🧠 Continuous learning and improvement
Never underestimate a thorough review!
Did you know? 💡
@AlgoFoundation will double your bug bounty on chosen Algorand projects on @immunefi:
$200k -> $400k 💰
Sounds like an opportunity to go outside your comfort zone and engage in some juicy hunting 🕵️‍♂️🔍
I often hear that if you want to excel in the field of cybersecurity, you need to be an expert programmer.
Here's some news:
You don't.
You need to understand how code works, true. But being a cybersecurity guru does not entail you becoming a programming wizard.
When it comes to smart contract security, learning is key 🔑:
1. Dive deep into the code
2. Learn from past vulnerabilities
3. Collaborate with other security experts
4. Share your knowledge
Together, we make the ecosystem safer for everyone 🌐🔐
Last week (October 2-8), 18 reports were published and we've made notes on all of them. For a link to all our notes from all past weeks, like this post and follow us.
Anatomy of a meticulous audit:
1. Laser focus 🎯
2. Bulletproof analysis 🛡️
3. Patience of a saint 🙏
Master these, and let the audit magic happen ✨
What's your secret to deep work?
Did you know? 🤔
Solidity's `bytes32` is a more gas-efficient alternative to strings in certain cases. Consider using it when string length is fixed and operations are limited to equality checks. Save those Gwei! 💰
If a smart contract is compromised, the effect can be catastrophic. Remember: Code is Law. But what happens when there are bugs in the law? The blockchain community must continue to invest in code quality, security and transparency.
In cybersecurity, it's not just about the knowledge. It's about the mindset.
Think defensively. Understand the attacker's perspective. Constantly ask, How can this be breached?
Don't just build walls, anticipate attacks.
The Cybersecurity industry is rapidly evolving with new technologies, attacks and countermeasures.
But what remains CONSTANT?
- Attackers' motivation
- Basic Principles of Security
- Importance of Security Controls
Sticking to basics is the key.
The art of smart contract auditing is more than just finding reentrancy vulnerabilities, integer underflows/overflows, or front-running attacks. It's about understanding the entire business model, reviewing docs/specs and communicating effectively with the team.
The key to mastering Solidity? 🔑
Understand the EVM 💻, learn by building projects 🛠️ and reviewing others' code 🔍. Then, experiment with best practices 📚 and stay updated on new releases 🚀
You've created a crypto project and life's good. Until one day, you discover someone has assumed a role with certain permissions in your protocol. Is all hope lost? Not necessarily.
Things could have been manageable if there were a way to pause the contract or revoke the hacker's
Did you know? 🤔
The most valuable skill you'll develop in the cybersecurity field is persistence 🔒. Never give up, and keep pushing your boundaries to learn more, grow stronger, and ultimately become an expert 💪.
👀 Here are some questions to ask yourself when auditing state variables in Solidity 🧵
・Can it be constant? 🤔
・Can it be immutable? 🧊
・Is the visibility explicitly set? 👓
・Can it be internal? 🤫
・Are there any unused variables? 🤔
When you think you've learned everything about web3... just remember, there's a whole world of protocols, tools, and concepts out there waiting to be discovered! Keep learning. Keep exploring. Stay curious. 🌐🚀
A new edition of 'Last Week in Auditing', covering September 25 - October 1, is now available. Last week, 16 reports were published, and we've made notes on all of them. 👇👇
Cybersecurity is more than just a skill or career. It's a mindset, a culture. It's about knowing how to keep yourself and others safe in this ever-growing digital world.
Some lifehacks for writing secure Solidity code:
- Keep your contracts as simple as possible
- Use the latest version of Solidity
- Write tests, lots of them
- Avoid reusing the same variable multiple times.
- And most importantly, get your smart contracts audited.
The security game is unjust.
You have to protect against all scenarios.
An attacker has to find only one exploit.
This asymmetry will always haunt the world built on technology.
Smart contract auditing should be a methodical process.
1️⃣ Understand the project.
2️⃣ Manually review the code.
3️⃣ Run automated analysis tools.
4️⃣ Test for common vulnerabilities.
5️⃣ Review the test suite and coverage.
6️
Vital to invest in web3 security, but do we know what it really means?
• Secure architecture
• Vulnerability management
• Threat intelligence
• Audits
• Incident response
Imagine having the power to shape the internet 🌐 as we know it, to transform it into a more open and decentralized network. This is what blockchain enthusiasts and developers are doing every single day. A standing ovation for them 👏
Biggest misconception about smart contract audits:
It's not someone poring over your code on a Friday night finding all the bugs.
It's an intricate process where we become intimately familiar with your project, how it works, and where things could go wrong.
⚠️ Watch out for DoS traps! 🕵️♂️
Unexpected reverts can lurk when checking balanceOf().
Put your safety first:
1️⃣ Examine the code closely
2️⃣ Watch for hidden reverts
Don't let sneaky bugs ruin your audit! 🚫🐛
Stay vigilant, stay secure. 🔒
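As an added example (not code from the original thread) of the DoS trap above and of the 'use try-catch blocks' item from the earlier checklist: an aggregator that sums a user's balances across a list of tokens, first in the form that a single misbehaving token can brick, then isolated per call. The token list, contract names and the `BalanceUnavailable` event are constructed for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not from the original thread. Token list and event are
// constructed for illustration.
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
}

/// Vulnerable: if any token's balanceOf reverts (paused token, blocklisted
/// holder, contract that selfdestructed), the whole loop reverts and the
/// function is unusable for every caller, not just for that token.
contract PortfolioVulnerable {
    IERC20[] public tokens;
    constructor(IERC20[] memory _tokens) { tokens = _tokens; }

    function totalHoldings(address user) external view returns (uint256 sum) {
        for (uint256 i = 0; i < tokens.length; i++) {
            sum += tokens[i].balanceOf(user); // hidden revert surfaces here
        }
    }
}

/// Hardened: each external call is isolated, so one bad token is skipped
/// and reported instead of stalling the function for everyone.
contract PortfolioHardened {
    IERC20[] public tokens;
    event BalanceUnavailable(address token, address user);
    constructor(IERC20[] memory _tokens) { tokens = _tokens; }

    function totalHoldings(address user) external returns (uint256 sum) {
        for (uint256 i = 0; i < tokens.length; i++) {
            IERC20 token = tokens[i];
            // try/catch only catches a revert inside the callee. A call to an
            // address with no code returns empty data, and the ABI decoding
            // of that empty data reverts in *this* contract, uncaught.
            if (address(token).code.length == 0) {
                emit BalanceUnavailable(address(token), user);
                continue;
            }
            try token.balanceOf(user) returns (uint256 bal) {
                sum += bal;
            } catch {
                emit BalanceUnavailable(address(token), user);
            }
        }
    }
}
```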
After a long day of crypto auditing, you might find it therapeutic to disconnect from technology and observe the world around you.
The digital world is fascinating, but nature reigns supreme 🌱
The most important skill in Cybersecurity?
Learning how to learn.
Once you have this skill, you can pick up anything new in no time. And in a field that's ever-changing like Cybersecurity, this skill is absolutely vital. Learn it and use it.
Writing your internal audit report? Remember this key point:
Make it SPECIFIC! Giving vague observations won't help anyone. The more specific you are, the easier it will be for your reader to understand what action they need to take.
Not all vulnerabilities are bugs, and not all bugs are vulnerabilities. Bugs can lead to vulnerabilities, but sometimes the code itself is not flawed; it's the design, implementation or configuration that leaves it exposed.
Get the basics right!
If you want to catch those sneaky bugs:
1. Read the code carefully
2. Use the right tools
3. Understand the complex parts deeply
4. Take breaks and return with a fresh mind
Remember, there's no shortcut to mastering a skill.