curiousapple

@0xcuriousapple

2,183
Followers
887
Following
286
Media
2,059
Statuses

Cofounder and CTO @KrangHQ

🌍
Joined May 2020
@0xcuriousapple
curiousapple
1 year
Story of mannnny protocols🫠
19
77
680
@0xcuriousapple
curiousapple
7 months
🟢🔴 Public Disclosure for ERC1271 Replay Issue🔴 🟢 On September 25, 2023, I found an issue in a widely used implementation of the ERC1271 pattern that affected more than 15 teams. The following blog describes the sequence of events regarding how it all came together.
14
39
237
@0xcuriousapple
curiousapple
1 year
General Observation🫠
8
22
204
@0xcuriousapple
curiousapple
1 year
I am done with trying to learn ZK Theory, I am too dumb to do so😭 Applied ZK Engineer from now on 🫡 Circom, is my fren🙂
13
15
187
@0xcuriousapple
curiousapple
1 year
8
26
145
@0xcuriousapple
curiousapple
2 years
Found 3 high severity bugs today😎 1. Oracles were overestimating collateral for tokens < 18 decimals 2. A DOS attack was possible by paying the debt on behalf of vault to lending providers(div by zero) 3. In some cases, partial liquidations were impossible due to redundant check
7
9
134
@0xcuriousapple
curiousapple
11 months
Another one 🥂
8
1
137
@0xcuriousapple
curiousapple
11 months
I view auditing as nothing more than parsing the graph of possibilities. You pick a root and traverse all branches to their maximum depth. How good of an auditor you are is decided based on the number of branches you can imagine and the depth to which you can explore them.
10
13
126
@0xcuriousapple
curiousapple
1 year
lol 🤣 cc: @CurveFinance
15
5
112
@0xcuriousapple
curiousapple
1 year
Found Critical 🥃
18
0
113
@0xcuriousapple
curiousapple
1 year
I just started with @sherlockdefi , did some 2 contests, and I think their judging sucks I understand judging is hard problem, but I have never expected it to be so bad In my experience @code4rena and @HatsFinance is lot better there Escalations should be used to point one or
19
8
99
@0xcuriousapple
curiousapple
1 year
Auditoooors🫠
8
4
92
@0xcuriousapple
curiousapple
1 year
Please don't take this in wrong way I see many upcoming or relatively junior auditors accepting private audits and assuring the security to unaware clients Please don't I am not against anyone taking private audits, just be transparent regarding your skillset. So the client can
12
7
95
@0xcuriousapple
curiousapple
1 year
That's when it gets interesting ☕️
5
10
93
@0xcuriousapple
curiousapple
2 years
While doing an audit, somehow, after some time, protocol feels like home. Everything seems connected, you start wondering in the imaginary land of all possibilities. That's the most exciting part of doing audits !! That's why I do it 😄
4
8
91
@0xcuriousapple
curiousapple
11 months
I am really excited about this one Was really a cool one The possible payout is not that big, but I am more satisfied with the class of the issue Was in production for a very long time, and has passed many audits😄
10
2
86
@0xcuriousapple
curiousapple
1 year
If you want to master Arbitrum’s L1<>L2 communication, read this Address aliasing, Retryable Tickets, Beneficiary, Credit KickBack Address… there is lot happening underneath there.
1
12
74
@0xcuriousapple
curiousapple
1 year
It's done !! Chainlink Price Feeds and Circuit Breakers. Should help develooopers and auditooors become aware of price feed circuit breakers if not already aware Been a pain point of multiple audits, so decided to do something about it😤 Give it a read🫡
@0xcuriousapple
curiousapple
2 years
Okay, I can't take this anymore; different projects, same issue 😤 It's been the same thing again and again😑 Most projects are unaware of circuit breakers they can add for chainlink price oracles. Seems this issue lacks documentation. We are going to change it 🫡 Soon....
1
1
10
6
10
76
@0xcuriousapple
curiousapple
1 year
My manager @0xgib asked if I could write a small front-end code for one POC. And it's been a nightmare Pls, send help 😭 Nothing makes sense in Javascript land. I miss our deterministic Solidity 🥹
16
5
75
@0xcuriousapple
curiousapple
1 year
Didn't know about this The references feature is best🤩 Pick any state variable and get all lines where it's being touched Thanks to @AckeeBlockchain (for the tool) and @bytes032 (for the recommendation)
@bytes032
@bytes032.xyz
1 year
My all-in-one Solidity extension
15
32
364
8
4
72
@0xcuriousapple
curiousapple
9 months
Happy to be placed 2nd on @HatsFinance Leaderboard (By Rewards) 😄
7
4
72
@0xcuriousapple
curiousapple
9 months
Happy to report that we, Istanbul Spankers 😎, won the first prize of @yearnfi v3 hack for building a single-sided exposure LP strategy using @SwaapFinance and @aave . It was nice to go back to experimenting on live DeFi. (Before audits, I was DeFi developer) If you are curious,
@yearnfi
yearn
9 months
🥇Big Win: Istanbul Spankers built single-exposure LP strategies using @SwaapFinance and @AaveAave V3 on Polygon. The funds are divided into i) direct deposit to Swaap and ii) supplied to AAVE as collateral to borrow the paired token, which is then LP'd into the Swaap pool.
5
11
58
5
14
61
@0xcuriousapple
curiousapple
1 year
Of all languages I have used, I like C++ > Solidity > Typescript > Python > Java I fucking hate Java 😤 Was forced to work with it on my first job What’s your order, anon ?
35
2
70
@0xcuriousapple
curiousapple
1 year
And it’s closed 🥂 It is true that some teams are not that welcoming to whitehats , but some teams definitely are This project team for example. Response was quick, updates were provided regularly, and resolution was fair Maybe writeup soon 😄
@0xcuriousapple
curiousapple
1 year
Btw this was confirmed within same day only😄 It was direct loss of assets, executable by anyone Will be paid once all exposure is cleared. Team is well reputed, so I hope for fair payout Their max is not huge, but I am happy Will release the write up if the project allows
5
0
64
10
0
68
@0xcuriousapple
curiousapple
1 year
AI is brilliant but I am not leaving crypto You keep your AI models, and I keep my smart contracts🫡
6
6
65
@0xcuriousapple
curiousapple
1 year
Found simple high severity issue on live contract Submitted Acknowledged Fixed Fix reviewed Bounty is on the way All of this happened in first few minutes of checking that code, lol I wonder how 2 audits missed it, it was really very simple Will give details after payout
4
1
66
@0xcuriousapple
curiousapple
1 year
Btw this was confirmed within same day only😄 It was direct loss of assets, executable by anyone Will be paid once all exposure is cleared. Team is well reputed, so I hope for fair payout Their max is not huge, but I am happy Will release the write up if the project allows
@0xcuriousapple
curiousapple
1 year
Found Critical 🥃
18
0
113
5
0
64
@0xcuriousapple
curiousapple
10 months
lmao this is how it should be @ChainLight_io found a critical bug for @zksync era circuits, and this is how @0xPolygon and @Scroll_ZKP reacted 😄 gg
2
4
63
@0xcuriousapple
curiousapple
9 months
My best purchase from Turkey Loving it 😻
10
0
63
@0xcuriousapple
curiousapple
8 months
Soon ✍️
6
0
60
@0xcuriousapple
curiousapple
1 year
If you are a protocol handling both ERC20s and Native ETH in your contract, Consider having logic only for ERC20s and use Wrapped ETH inside with an external router for wrap/unwrap. This would make your code homogenous, easier to parse, and save you from all exposure related to
7
1
60
@0xcuriousapple
curiousapple
1 year
Don't want to take names, but one widely known tier 1 auditing company is now a shadow of itself. noticed this in 2 independent audits IMO, tier 1 has changed with time, and many new hungry additions are on block, consider giving them a try if you prioritize security over brand
10
3
61
@0xcuriousapple
curiousapple
1 year
Just got done with my current audit. Found 5 criticals (all allowing theft of user assets), 7 high, 8 Medium, 9 low... 🫠 Loved doing this audit It was interesting and novel concept Permissionless execution of debt permits cross-chain 🫡 If client allows will make report public
2
3
57
@0xcuriousapple
curiousapple
1 year
Regarding Euler Hack: Why do people call these attacks flashloan attacks? That’s never a root cause, flashloans just aggravate the attack. 😑 Gives misleading impression to users IMO
9
4
53
@0xcuriousapple
curiousapple
1 year
TIL, you can easily slice the calldata using solidity only 👀
7
3
53
@0xcuriousapple
curiousapple
1 year
When did @EthereumRemix start showing estimates for execution gas cost !!! This is dope
9
8
50
@0xcuriousapple
curiousapple
2 years
Being an auditor allows or forces you to learn a lot of cool stuff with each project. Learned how optimistic bridges work while auditing connext, and now I feel comfortable while reading any bridge code or its integration.🥳
1
2
50
@0xcuriousapple
curiousapple
1 year
I don’t know if anyone needs to hear this, and why I am saying this loud But, I pride myself on my work and I try to do the right thing even if I don’t have to Money or Incentives, will come and go, what matters to me is my self image That’s all I have You do same, and you
4
1
48
@0xcuriousapple
curiousapple
9 months
I wonder if working in security has made me pessimistic about everything in general. I tend to think of the worst possible scenarios in daily life too and get anxious sometimes. When I see people happily doing the opposite, I just wonder if ignorance is really bliss.
11
1
51
@0xcuriousapple
curiousapple
1 year
I am not any expert, but I think the real bear market is about to begin 😶‍🌫️ Each day, some product is closing down Perhaps things seemed better until now due to the inertia from the previous bull, but things are about to get real It’s time for survival, bois and girls 😤
6
1
51
@0xcuriousapple
curiousapple
1 year
seems I am not accepted for @yAcademyDAO 's zk security fellowship been lost in solidity for ~3 years, shipped code, audited likes of connext, partydao, maker, sommelier, kwenta.. but seems not enough🥹 anyways, congratulations to all accepted, circuits audits would def be fun👏
9
0
51
@0xcuriousapple
curiousapple
1 year
Please shill me your setups, anon 🫡 Actively looking for inspiration
@DrakeEvansV1
Drake Evans is hiring
1 year
@0xcuriousapple Double ultra wide is the life ser, one has vscode, the other has two windows up. I also have a third for notes on the bottom and the iPad for sketching
5
0
23
11
0
48
@0xcuriousapple
curiousapple
11 months
You know, we usually share our ups but hardly share our downs. Let me share a down Just got to know that I missed a not-so-tricky high severity issue in one of my audits 😐 I got blindsided by the optimal path and didn't consider one possible scenario No funds were or are at
4
0
48
@0xcuriousapple
curiousapple
1 year
I have worked in 3 startups by now, tried to build one, but failed...however that's another story The best..best phase, was when it was early (team < 10) I love when things are unorganized but focused, there are no defined roles, there are small victories, there is enthusiasm
3
2
47
@0xcuriousapple
curiousapple
1 year
Okay, I thought everyone was aware of this but seems not. Arbitrum has TWO block numbers! 1. The block.number of Solidity will return a value close to L1 block number at which sequencer received the transaction. 2. ArbSys(100).arbBlockNumber() will return the L2 block numbers
3
2
47
@0xcuriousapple
curiousapple
1 year
Okay just read one report and saw some centralisation issues reported as high😪 Unless protocol specifies that they want it completely permissionless, marking centralisation or onlyOwner issues as high, mediums is not correct IMO. It’s their explicit trust assumption, you
11
2
45
@0xcuriousapple
curiousapple
1 year
Let's see how it goes Was nice one Maybe duplicate, maybe new, not sure I am just happy that I found something severe in live contracts audited by some big names... Weekend ends on high 🥂
2
0
45
@0xcuriousapple
curiousapple
2 years
Asked someone which language they use for their smart contracts, and they replied "English"🫡
5
0
43
@0xcuriousapple
curiousapple
1 year
@trufflesuite Truffle was first framework for most of us, Thanks 🫡
0
2
45
@0xcuriousapple
curiousapple
1 year
IDK if this is a good approach but I prefer reading good code with inline comments over other forms
6
2
45
@0xcuriousapple
curiousapple
2 years
You know while auditing the most boring part is getting ramped up, getting a complete understanding of the code, but once it's doneeee, and you have a complete map in head, there is no other fun job than auditing,
4
2
42
@0xcuriousapple
curiousapple
1 year
With all due respect, if you have time and if your code is not the best version you could build, consider doing that first, before sending it for review. First, become proud of it yourself, and then present it as a challenge to auditors, and be like "Try finding issues here" :)
4
2
40
@0xcuriousapple
curiousapple
2 years
Finding leads is easy; verifying them, compiling them, and at last writing good writeups is tiring !!!!!!!!
4
3
42
@0xcuriousapple
curiousapple
2 years
If you want to understand MEV. Try exploring @EigenPhi I had to prove, how UniV3 liquidity rebalance could be sandwiched, and got a real TX from up here. Gamma Strategy Sandwich :
2
5
42
@0xcuriousapple
curiousapple
10 months
Nearly every auditing company I am friends with is looking to build products in line with security. Some have even made it their core focus now. It definitely makes sense for the company, imo. No matter how good you or your team become at manual audits, you can’t scale after
4
1
41
@0xcuriousapple
curiousapple
10 months
I just went through OP's RetroPGF's list of applications out of curiosity. Personally, I have nothing to gain or lose here. And I may not have complete context. But it feels weird when I see well-funded projects competing with pure, genuine public goods. Yeah, a well-funded
5
14
29
@0xcuriousapple
curiousapple
11 months
There may be exceptions, but generally, the people who have been around here pre bull are more ethical and friendlier to talk to. Like, a larger proportion of them believes in the public good. Whereas larger proportion of new batch believes in business or cut-throat competition
3
0
40
@0xcuriousapple
curiousapple
11 months
No shade to whoever DMed this, but consider figuring out easily searchable things on your own
16
2
41
@0xcuriousapple
curiousapple
1 year
Someone sent us a repo using truffle for the audit 😐 I can live with hardhat, but truffle? Didn't notice this in the estimate, and now it's a pain to test POC's down bad
6
0
38
@0xcuriousapple
curiousapple
9 months
Well, I arrived late to the party, but the past few days at @zk_bankai hackerhouse have been a blast. Met some truly intellectual people and had some meaningful talks, and now, I'm having good time reading some solidity code from the rooftop 🥂 When I said I wanted an ETH India
3
7
37
@0xcuriousapple
curiousapple
1 year
Hmm okay So you find a high severity issue allowing someone to steal assets in already audited and released code, and they offer 2000 USDC in the end 🫠 Just pointing out, bounty payments directly from projects don’t go good always. Some projects are worth your time, some are
@0xcuriousapple
curiousapple
1 year
good day 😄
1
0
32
6
0
39
@0xcuriousapple
curiousapple
9 months
I don’t know man, if @RareSkills_io is not able to make it to the RPGF for learning resources, I am not sure who does Probably best free content out there. With no ads, no plugs, no login Basically no monetary expectation from the reader.
@RareSkills_io
RareSkills
9 months
It looks like our RPGF application is ngmi, so putting it out here just in case. The Optimism Foundation invited us to apply for RPGF, and we submitted our ZK Book. It's been the most visited page on our website (more than the homepage) and numerous engineers have used it as a
10
10
97
2
2
38
@0xcuriousapple
curiousapple
10 months
@milotruck I don’t know man This may offend many But I am not fan of people commenting how the team could have avoided it just after the hack The time just after the hack is terrifying for the involved teams. And when you see people going rampant on blaming team, it doesn't help If
2
4
36
@0xcuriousapple
curiousapple
1 year
@kelvinfichter
smartcontracts.eth (✨🔴_🔴✨)
1 year
L2 Peace Summit. Force the L2 teams into a room for a week. Probably actually works in practice.
11
7
84
6
1
34
@0xcuriousapple
curiousapple
1 year
Either I find myself, overworking or doing nothing There is nothing in middle 😪 Need to work on finding balance and being consistent each day 😤 It’s 7 of the Monday morning, been working all weekend, and I am exhausted. Since now I am satisfied with myself, I may not do any
8
0
37
@0xcuriousapple
curiousapple
1 year
chad teams keep their contracts immutable 🫡
3
3
38
@0xcuriousapple
curiousapple
8 months
Hmm, while going through the project for bug bounties, many times you smell some edge case issues of medium or low severity However, you are not satisfied with them yourself; they no longer excite you So, you leave them with an "audit" tag and continue hunting for critical ones
4
0
37
@0xcuriousapple
curiousapple
10 months
IMO @0xSorryNotSorry is one of kindest people you could meet in our arena Thank you ser 🫡
4
0
37
@0xcuriousapple
curiousapple
2 years
4
8
35
@0xcuriousapple
curiousapple
10 months
I activated my linkedIn two days ago, as one fellowship requested the profile link. I am happy to report today that I have deactivated it again 😌 LinkedIn is still same old bs 🫠 If you are asking linkedin links, sorry fren, you are ngmi 🫡
5
0
35
@0xcuriousapple
curiousapple
11 months
If you want to land a good private audit client, go in the wild and find issues in their code. They may consider you if you find something good Happened thrice to me by now😄
10
2
34
@0xcuriousapple
curiousapple
2 years
What does free memory pointer have to do with immutables? If I have immutables inside the contract, my free memory pointer is staring at some diff location than 0x80 while constructing 🤔 Tagging some solidity chads @_hrkrshnn @ethchris 🙏
4
2
36
@0xcuriousapple
curiousapple
10 months
Nice spot to work 😌
6
0
33
@0xcuriousapple
curiousapple
1 year
No one is perfect But accepting it in public, being open for feedback, responding in public to each concern, and then actively working on it, takes guts !!! Respect ++ @sherlockdefi and @jack__sanford
@0xcuriousapple
curiousapple
1 year
I just started with @sherlockdefi , did some 2 contests, and I think their judging sucks I understand judging is hard problem, but I have never expected it to be so bad In my experience @code4rena and @HatsFinance is lot better there Escalations should be used to point one or
19
8
99
2
0
34
@0xcuriousapple
curiousapple
1 year
Since I am more active on bounty hunting than audits these days, each day I am realising how different they are Only thing that matters in bounty hunting is what’s at stake present moment and what could come at stake in future No theoretical issues No issues that could have
5
0
34
@0xcuriousapple
curiousapple
11 months
Recently I found a high issue affecting some well known protocols NOT on Immunefi. One has their own bounty program, and one doesn’t have any official one. I reported to both, and it’s been 3 days, I am yet to get any reply. Project Teams, consider at least sending a
8
2
34
@0xcuriousapple
curiousapple
1 year
hmmm workings of the @CurveFinance have been a complete black box for me tried looking into contracts, but the naming like D, _A, xp, and my lack of knowledge of Vyper are not allowing me to connect things Are there any good explanations in the wild? or Official docs
11
2
30
@0xcuriousapple
curiousapple
1 year
Tenderly is just awesome 🤌
3
1
32
@0xcuriousapple
curiousapple
9 months
Landing in Bangalore soon 😄 Will be vibing with some zk folks at @zk_bankai . Not sure, but maybe will build something around @zkp2p or @zkemail . Have been fascinated by combination of zk and dkims, since the time I audited a dkim recovery wallet. Then, I will probably attend
2
1
32
@0xcuriousapple
curiousapple
1 year
good day 😄
1
0
32
@0xcuriousapple
curiousapple
1 year
This is a very underrated benefit of being an auditor. Probably VC's should consult auditors, lol Seeing code maturity very close and having talked with the protocol team, you get very good data points of teams capability and culture Have seen nothing of a code, getting $$$,
2
2
30
@0xcuriousapple
curiousapple
10 months
2:40 am People still building Sponsors still helping It’s all happening in Istanbul After many up and downs, we were able to build one simple working product as well, more on that soon…. Was good learning experience By @karooolis , @tekin_io and me
2
1
28
@0xcuriousapple
curiousapple
7 months
Writing POCs for products involving off-chain infra is frustrating at times 😪 You basically can't show something happening end to end since it's not all atomic on single state machine Bridges, Oracles, Orderbooks for example
1
2
29
@0xcuriousapple
curiousapple
1 year
Well, it does happen sometimes. Particularly when the project lead or founders don't understand much code and were in belief that their code is world-class🫠
1
2
29
@0xcuriousapple
curiousapple
10 months
Hmm okay I really didn’t want to get involved, since it’s unfortunate turn of events. But I keep seeing people misinterpreting it Please know that the private audits I and other solo auditor conducted were on different scope. You can easily check this by verifying scope in
@thebensams
Benjamin Samuels
10 months
Let’s talk about this hack because it has serious implications for anyone who builds smart contracts and cares about security. Raft had four audits conducted by a variety of firms including a contest platform, solo auditors, and a consulting firm. Not a single audit caught this
11
46
276
2
0
31
@0xcuriousapple
curiousapple
1 year
Lately I have been loving bounty hunting more than regular audits I like its free-form nature There is no defined timeline 😌 Had some small success here and there, but nothing big, let’s see
6
0
30
@0xcuriousapple
curiousapple
2 years
If you are new to auditing, don't worry about the results Auditing is a profession with exponential growth Slowly with each audit, you get equipped with patterns, you discover your own techniques, and one day you get to deploy all My 1st month:Only Gas Op Today:Somewhere ahead
1
3
28
@0xcuriousapple
curiousapple
10 months
Won bounty for best use of cow’s programmatic framework too 🐈
@0xcuriousapple
curiousapple
10 months
Presenting you, our 1.5 day hack 🥂 UniRoll : A flexible and automated payroll streaming service based on @CoWSwap ’s programmatic orders 🐮 How’s it ? More about it here :
0
1
13
2
1
29
@0xcuriousapple
curiousapple
10 months
Been completely out of loop of sec tools like formal verification and fuzzing. Mostly coz I am lazy 🫠 Recent events have made me realise that I shouldn’t be They may not make sense effort wise in contests, but in private audits or big bounties they could be Learning them now
@bahoz_eth
B A H O Z
10 months
I published the second post on Formal Verification with @CertoraInc It delves into the world of Propositional Logic, a foundation for formal methods with some practical examples.
1
5
83
4
0
27
@0xcuriousapple
curiousapple
10 months
Top 3 common solidity vulnerabilities, anon Any guesses what they could be ???
6
0
28
@0xcuriousapple
curiousapple
1 year
It's been a while since I wrote a good amount of code (Fall 2021) It was audits only from loooong time. It's time I do so A lot has changed, but, no? Shill me if your favorite tools🫡 my curr set: co-pilot, foundry, hardhat, pyrometer libraries: oz, solmate, solady UI: wagmi
7
0
30
@0xcuriousapple
curiousapple
9 months
Well, now you all know who found the thirdweb issue (2771 + Multicall): @0xChew First, it was @iosiro_security , and then Mr. @0xChew took it to another level 🫡 I have worked with @0xChew in the past and can definitely attest that he is a chad 🧙‍♂️ Consider giving him a follow
@0xChew
0xChew
9 months
I was the auditor that identified and reported a vulnerability in @thirdweb 's contracts. Now that the issue is public, I can talk about how it was discovered and how it all went down.
24
54
363
1
0
30
@0xcuriousapple
curiousapple
11 months
I know some of you are interested in my process for bounty hunting, as I keep receiving similar DMs. Please understand that I am not a very successful bounty hunter yet. I only started bounty hunting in mid-August and have had some success here and there, but as of now, it's not
3
0
30
@0xcuriousapple
curiousapple
1 year
update: accepted let's see how it goes
@0xcuriousapple
curiousapple
1 year
seems I am not accepted for @yAcademyDAO 's zk security fellowship been lost in solidity for ~3 years, shipped code, audited likes of connext, partydao, maker, sommelier, kwenta.. but seems not enough🥹 anyways, congratulations to all accepted, circuits audits would def be fun👏
9
0
51
2
0
29
@0xcuriousapple
curiousapple
1 year
@Jeyffre IDK, if it’s right, but something I advise is, try to become good engineer, learn the art of engineering, and then you can basically be any XYZ engineer on demand. The best devs, I have worked with in our space are not necessarily blockchain devs only. They could basically do
4
0
28
@0xcuriousapple
curiousapple
11 months
This is common problem for all of us @immunefi @MitchellAmador Have you thought of allowing whitehats to skip POC if their accepted reports are above certain threshold and if ratio of accepted/total > some threshold Whitehats with X amount of accepted reports are less
@milotruck
MiloTruck
11 months
@0xcuriousapple Yeah spending time to write a detailed report and PoC just for it to be a dupe is 🥲 How do you create a "simple" PoC? Do you just prove the bug is possible at the bare minimum, without demonstrating any impact?
1
0
6
5
2
25
@0xcuriousapple
curiousapple
10 months
TrustX was success, onto next ones 🐈
3
0
27
@0xcuriousapple
curiousapple
7 months
What's going to be "?" anon
@boredGenius
zefram.eth
7 months
wtf you can now restake your restaked staked ETH this is not a drill
137
59
754
12
4
29
@0xcuriousapple
curiousapple
10 months
TrustX ZK Accelerate Security Breakfast by Hats Finance Coworking Solidity Summit ETHGlobal: Istanbul Is there anything else I should attend? My interests lie in smart contracts, security, zk applications, game theory, and building stuff. But mostly, I just want to meet
3
0
25