Kristian Apostolov

@KrisApost1

3,151
Followers
245
Following
60
Media
1,006
Statuses

Blockchain Security Researcher | Bounty Hunter @immunefi

🗓️ Book a review » DM
Joined October 2022
Pinned Tweet
@KrisApost1
Kristian Apostolov
5 months
Now #13 on the @immunefi 2024 leaderboard 😎
19
6
135
@KrisApost1
Kristian Apostolov
5 months
Elite status, I'm coming! 🤠 @immunefi
27
6
174
@KrisApost1
Kristian Apostolov
1 year
An article about my unique medium-severity finding in the @caviarAMM Private Pools @code4rena contest. 👇 Users can take NFT flash loans with lower fees by first buying the NFTs, doing whatever with them, and then selling them back to the protocol to give the initial NFT price
6
24
143
@KrisApost1
Kristian Apostolov
1 year
The best solo audits I've seen by far are @zachobront 's. Totally different issues from other stuff I've read.
4
25
116
@KrisApost1
Kristian Apostolov
1 year
Got another prize from @code4rena .🫠 Big thanks to the C4 team, particularly @sockdrawermoney , and @_ninek for handling the chaos of my complicated certification process!
9
3
110
@KrisApost1
Kristian Apostolov
1 year
Got 4th place and some pocket change off of the @code4rena Caviar Private Pools contest.🫠
16
2
99
@KrisApost1
Kristian Apostolov
2 years
Got my first @code4rena reward from the RabbitHole Quest contest. It is small but still means a lot!
10
1
93
@KrisApost1
Kristian Apostolov
1 year
Here is how you can get an easy H/M on @code4rena or @sherlockdefi . A 🧵 about the CREATE2 opcode👇
6
17
91
@KrisApost1
Kristian Apostolov
1 year
Did you know that DAI has 18 decimals while cDAI has only 8?🤔 If you're auditing a protocol that interacts with Compound, make sure to check for this. If it's not accounted for you have found a potential HIGH!🕵️‍♂️
5
4
83
@KrisApost1
Kristian Apostolov
1 year
Here are 3 reasons to do mock audits on protocols that have been previously audited on @code4rena or @sherlockdefi : 👇 1️⃣. You are not limited to the fixed timeframe of the contest ⏰ Without being tied to the contest's ticking clock, you're free to move at your own pace. Dive
3
11
82
@KrisApost1
Kristian Apostolov
1 year
I completed my first private audit! I believe I provided good value to the protocol despite the limited time. I hope I can share more about it soon! 🔜 Thank you @RealJohnnyTime for the opportunity! DM for a private audit of your protocol! 🗓️
11
3
75
@KrisApost1
Kristian Apostolov
1 year
Personal stats for May: 👇 (1/2) - Placed 4th in the @code4rena @caviarAMM contest - Did my first @code4rena mitigation review contest - Placed 2nd in the @RealJohnnyTime audit - Earned 5359.53 USD in total
5
5
70
@KrisApost1
Kristian Apostolov
1 year
I was intrigued by the approval sandwich attack for ERC20s after reading the Tessera Code4rena report. Here is a small 🧵on how it works:
5
5
69
@KrisApost1
Kristian Apostolov
1 year
When auditing a project that is using @OpenZeppelin 's ECDSA.recover for signature validation, there are important nuances to look for. A small 🧵👇
3
11
66
@KrisApost1
Kristian Apostolov
1 year
An @avax attack vector to check for in your next audit 🧵👇
6
10
62
@KrisApost1
Kristian Apostolov
1 year
An article about a high-severity finding from @zachobront ’s @soundxyz_ solo audit: 👇 A malicious actor can front-run the original ticket owner’s call and waste their ticket. 🎟️ Here's a simple explanation of why the exploit is possible: The exploit is possible because of a
3
6
62
@KrisApost1
Kristian Apostolov
1 year
The hooks of @Uniswap V4 are something that will revolutionize the way we handle capital, yet they also have their downsides. A short 🧵about Uniswap V4's new potential attack vector 👇
5
13
59
@KrisApost1
Kristian Apostolov
1 year
Coming out very soon! 🫡 @RealJohnnyTime
5
2
57
@KrisApost1
Kristian Apostolov
11 months
I don't get the whole fuss about what market stage we are in. This tech is clearly here to stay, so relax and improve, that's it.
9
4
53
@KrisApost1
Kristian Apostolov
1 year
Got a top 5 spot in the preliminary results on the @CodeHawks @beedlefi contest. 👇 Hats off to the @CyfrinAudits team for bringing greater diversity to the realm of audit competitions.
3
3
51
@KrisApost1
Kristian Apostolov
1 year
I'm thrilled to announce that now I am a course ambassador of @RealJohnnyTime 's SCH course! 🎉 Get $50 off with my affiliate link 👇🫡
4
1
43
@KrisApost1
Kristian Apostolov
1 year
So far I have 0/3 paid criticals submitted to @immunefi . I should consider another method of choosing programs.
6
0
43
@KrisApost1
Kristian Apostolov
1 year
Understanding a codebase > pattern matching with @SoloditOfficial
4
4
44
@KrisApost1
Kristian Apostolov
1 year
Questions that I ask myself when I see an external call in a protocol 🤔👇 1⃣. Is the destination address of this call arbitrary or fixed? 2⃣. Does the target address invoke any functions within the current contract? 3⃣. Is the recipient capable of modifying any state that the
4
5
44
@KrisApost1
Kristian Apostolov
1 year
Wrapping up my @code4rena Caviar contest participation with 1 high, 3 medium and 2 low severity. Hope they all get confirmed, now let's continue the grind..
7
0
44
@KrisApost1
Kristian Apostolov
1 year
Watch out for arbitrary NFT approvals inside of loops! 👇 If you attempt to call the "setApprovalForAll" function on an @AxieInfinity NFT for an address that already has approval, it will revert. If such NFTs are unaccounted for it can be an easy H/M finding for you!🫡
2
6
33
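The approval-in-a-loop problem described in the tweet above, as an added Solidity example that is not part of the thread: a batch approver first written so that one collection which rejects a redundant `setApprovalForAll` reverts the whole batch, then the same loop guarded with `isApprovedForAll`. The `StrictApprovalNFT` mock, the `BatchApprover` contract and the function names are constructed for illustration and only mimic the revert behaviour the tweet attributes to the Axie NFT; they are not that contract's code.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal slice of the ERC721 operator-approval interface (standard function signatures).
interface IERC721Approvable {
    function setApprovalForAll(address operator, bool approved) external;
    function isApprovedForAll(address owner, address operator) external view returns (bool);
}

// Constructed mock: setting an approval that is already in place reverts, which is the
// behaviour the tweet describes. Assumption for illustration only.
contract StrictApprovalNFT is IERC721Approvable {
    mapping(address => mapping(address => bool)) private _approved;

    function setApprovalForAll(address operator, bool approved) external override {
        require(_approved[msg.sender][operator] != approved, "approval already set");
        _approved[msg.sender][operator] = approved;
    }

    function isApprovedForAll(address owner, address operator) external view override returns (bool) {
        return _approved[owner][operator];
    }
}

// Hypothetical protocol contract that grants a marketplace operator approval over every
// collection it holds.
contract BatchApprover {
    // Vulnerable form: if any collection in `nfts` already has `operator` approved and
    // refuses a repeat call, the whole loop reverts and no later collection is approved
    // (a denial of service on this function).
    function approveAllUnsafe(IERC721Approvable[] calldata nfts, address operator) external {
        for (uint256 i = 0; i < nfts.length; i++) {
            nfts[i].setApprovalForAll(operator, true);
        }
    }

    // Hardened form: only call setApprovalForAll when the approval is not already set.
    // msg.sender inside the NFT is this contract, so the owner to query is address(this).
    function approveAllSafe(IERC721Approvable[] calldata nfts, address operator) external {
        for (uint256 i = 0; i < nfts.length; i++) {
            if (!nfts[i].isApprovedForAll(address(this), operator)) {
                nfts[i].setApprovalForAll(operator, true);
            }
        }
    }
}
```

Deploy `StrictApprovalNFT`, call `approveAllSafe` twice with the same operator and it succeeds both times; `approveAllUnsafe` succeeds once and reverts on the second call. The same guard applies to ERC20 `approve` patterns on tokens that reject non-zero-to-non-zero allowance changes: check current state before issuing an approval that the token may treat as redundant.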
@KrisApost1
Kristian Apostolov
1 year
This article will help you understand what SNARKs are before the upcoming @code4rena @zksync contest 👇
0
8
41
@KrisApost1
Kristian Apostolov
1 year
I came up🥈in the @CodeHawks @beedlefi contest after the escalations. Congrats to everyone else who participated!
@CodeHawks
Cyfrin CodeHawks
1 year
Errata corrige! 🚨 2nd place went to: 🥈 @KrisApost1 - $1,756.19 USDC
0
0
6
9
1
41
@KrisApost1
Kristian Apostolov
1 year
Here's who to follow so you constantly get alpha on this platform. A short 🧵👇
3
15
41
@KrisApost1
Kristian Apostolov
9 months
That's my boy! 🫡
4
0
39
@KrisApost1
Kristian Apostolov
1 year
📝Just getting started with @RealJohnnyTime 's SCH course? Here are 3 tips I would have given myself at the start: 👇 1️⃣. Don't use it as your only learning tool. 🔨 Although the course might not cover every aspect in extreme detail, it provides a crucial element - a
4
3
40
@KrisApost1
Kristian Apostolov
1 year
I and my people at Red Lotus 🪷 got a small reward from the @ajnafi @code4rena contest 👇 Huge thanks to all of my teammates for the dynamic environment, where we learn a ton! 🫡🚀 @mis4nthr0pic @0x3b338 @escrow_ @White_Oak_Kong @mariodev__ @0x_3agle @DedOhwale 0xWagmi
9
4
38
@KrisApost1
Kristian Apostolov
2 months
@GalloDaSballo The kid in the picture feels like a personal attack
4
0
38
@KrisApost1
Kristian Apostolov
1 year
Soon @summit_defi 🇫🇷
1
3
35
@KrisApost1
Kristian Apostolov
1 year
I believe people should strive to be deeply immersed in auditing. 👇 Why follow a certain "roadmap", which bores you to your core when you can follow whatever intrigues you, whilst progressing even more because your brain processes information better this way.
4
0
33
@KrisApost1
Kristian Apostolov
1 year
Try and limit your auditing sessions to a specific amount of time instead of going until you can't anymore. Taking a small cue and exploring it within a short amount of time is much better than forcing yourself to always be productive!
2
0
33
@KrisApost1
Kristian Apostolov
1 year
Gummy bears have made their way to Paris @code4rena
1
1
34
@KrisApost1
Kristian Apostolov
1 year
Got small reward from the @sherlockdefi @UnitasProtocol with my buddy @0x3b338 ✌️
2
1
33
@KrisApost1
Kristian Apostolov
1 year
Managed to secure a position in the TOP 5 from @RealJohnnyTime 's SCH audit challenge. 👀🎉
3
0
34
@KrisApost1
Kristian Apostolov
10 months
Why do meal prep and pomodoro when you can abuse stimulants and sleep 3 times a week?
8
1
31
@KrisApost1
Kristian Apostolov
11 months
Knowing how oracles work will help you find even more than "Lack of sequencer uptime check". This paper will teach you all you need:
2
4
31
@KrisApost1
Kristian Apostolov
11 months
I've been paranoid about putting my money into DeFi protocols ever since I got serious about security. Are you feeling the same, anon?
9
0
31
@KrisApost1
Kristian Apostolov
1 year
When auditing a @zksync contract using CREATE and CREATE2 always check whether the compiler knows of the bytecode of the new contract in advance. If it doesn't a lot of unexpected stuff will happen. 👇
2
2
30
@KrisApost1
Kristian Apostolov
1 year
The more context you have on a codebase, the more potential vectors and scenarios pop up in your head.
2
1
29
@KrisApost1
Kristian Apostolov
1 year
Even though some of the code examples in it are a bit old "Mastering Ethereum" is still an amazing resource to learn the basics from 👇
2
4
28
@KrisApost1
Kristian Apostolov
1 year
Discipline is 10x more important than everything else in this sphere! Being consistent and efficient with your time will take you much farther than simply being "smart". So next time when you see someone earn a big bounty/reward ask yourself whether you do as much as them. 🤔
1
1
29
@KrisApost1
Kristian Apostolov
1 year
Had a blast auditing the @eigenlayer @code4rena contest with my friends over at team R.E.A.C.H. Thank you @mis4nthr0pic @opensensepw for the amazing community! LFG🚀🔥
1
1
29
@KrisApost1
Kristian Apostolov
11 months
This book completely changed my perspective.
0
5
27
@KrisApost1
Kristian Apostolov
1 year
As always had a blast doing a @code4rena contest. @ajnafi was definitely something different and interesting to look into. Thanks to everyone at team R.E.A.C.H. and @opensensepw for the amazing environment!🫡 On to the next one!⏩
2
1
29
@KrisApost1
Kristian Apostolov
1 year
Memory growth on the @zksync era chain is very different from the EVM. On the EVM the growth is always in words (32-byte segments), while on ZKsync it's in single bytes. This allows for much more flexibility and efficiency, but may also cause unintended behavior. 🤔
1
1
28
@KrisApost1
Kristian Apostolov
1 year
Not using the “Pull over Push” pattern is almost always going to lead to a vulnerability 👇 🧵
1
1
27
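The "Pull over Push" pattern the tweet refers to, as an added Solidity example that is not part of the thread: a push-style payout loop that one failing recipient can block, beside the pull-style withdrawal that replaces it. Contract names, the `PRIZE` constant and the absence of access control are illustrative assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Push: the contract sends ETH to every winner in one loop. A single recipient that
// cannot or will not accept ETH (a contract without a payable receive/fallback, or one
// that reverts on purpose) makes the whole loop revert, so nobody gets paid.
contract PushPayout {
    address[] public winners;
    uint256 public constant PRIZE = 0.1 ether;

    function addWinner(address w) external {
        winners.push(w);
    }

    function payAll() external {
        for (uint256 i = 0; i < winners.length; i++) {
            (bool ok, ) = winners[i].call{value: PRIZE}("");
            require(ok, "transfer failed"); // one failure reverts the entire batch
        }
        delete winners;
    }

    receive() external payable {}
}

// Pull: the contract only records what each account is owed. Every recipient withdraws
// for itself, so a recipient that reverts harms only its own withdrawal.
contract PullPayout {
    mapping(address => uint256) public owed;
    uint256 public constant PRIZE = 0.1 ether;

    function award(address w) external {
        owed[w] += PRIZE;
    }

    function withdraw() external {
        uint256 amount = owed[msg.sender];
        require(amount > 0, "nothing owed");
        owed[msg.sender] = 0; // effects before interaction, so re-entering sees a zero balance
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "withdraw failed");
    }

    receive() external payable {}
}
```

Fund both contracts, register a recipient that is a contract with no payable fallback, then call `payAll` on `PushPayout` (reverts for everyone) and `withdraw` from an honest account on `PullPayout` (succeeds regardless of the other recipient). The ordering in `withdraw`, zeroing `owed` before the external call, is what keeps the pull version safe against re-entrancy.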
@KrisApost1
Kristian Apostolov
1 year
Past audits != no bugs.
5
3
24
@KrisApost1
Kristian Apostolov
1 year
Submitted a medium, some lows, QA and gas to the @asymmetryfin code4rena contest. It felt great! Now let's continue the grind..
3
1
25
@KrisApost1
Kristian Apostolov
1 year
Got some bucks from the @code4rena @asymmetryfin contest👇
3
0
26
@KrisApost1
Kristian Apostolov
1 year
@0xOwenThurm "Any application that can be written in JavaScript, will eventually be written in JavaScript." - Jeff Atwood
2
0
25
@KrisApost1
Kristian Apostolov
11 months
How do you tackle math-heavy codebases, anon?
8
0
25
@KrisApost1
Kristian Apostolov
1 year
The @KyberNetwork @sherlockdefi contest showed the importance of looking into potential vulnerabilities hidden within the OZ contracts version your protocol is integrating with. This resource has all of them listed:
1
2
26
@KrisApost1
Kristian Apostolov
1 year
Found a good amount of bugs on a codebase that was previously audited. Turns out that there is always something else that is around the corner.🤔
1
2
26
@KrisApost1
Kristian Apostolov
3 months
I’m at @ethbelgrade , who wants to chat?
4
1
26
@KrisApost1
Kristian Apostolov
1 year
I'm looking forward to the @summit_defi ! Who else is going? 🇫🇷
4
1
24
@KrisApost1
Kristian Apostolov
11 months
Overly centralized protocols are an insult to the very idea of DeFi, change my mind.
4
1
23
@KrisApost1
Kristian Apostolov
1 year
Doing an audit with someone else is much more valuable as your skill set and your partner's skill set can greatly complement each other's.
1
0
24
@KrisApost1
Kristian Apostolov
1 year
@Uniswap V4 has ditched ERC721 in favor of ERC1155 for minting positions to LPs. This change was needed because @Uniswap V4 at its core is a contract, that contains all of the pools instead of a factory contract that deploys new pool contracts. 🦄📈 This is a very clever
2
6
25
@KrisApost1
Kristian Apostolov
1 year
Thanks @opensensepw @mis4nthr0pic for the cool little talk we were able to do!
2
2
23
@KrisApost1
Kristian Apostolov
10 months
The @aloecapital contest was very fun. Thank you @hayden_shively for the amazing cooperation!
@sherlockdefi
SHERLOCK
10 months
@aloecapital @panprog 🏆 @aloecapital Audit Contest Results 🏆 4. rvierdiiev - $3,154.30 5. mstpr-brainbot - $2,020.62 6. 0xReiAyanami - $1,611.73 7. @KrisApost1 - $1,168.26 8. SilentDefendersOfDeFi - $443.47 9. Nyx - $443.47 10. @BizzyVinci - $443.47
0
2
6
3
0
24
@KrisApost1
Kristian Apostolov
1 year
Another amazing tool from this cool guy 👇
@agfviggiano
Antonio Viggiano
1 year
📣 Introducing: Solidity Audit Report Generator, a VSCode extension that helps you write your reports using templates, ChatGPT, and // @ audit comments.
13
42
272
0
1
24
@KrisApost1
Kristian Apostolov
10 months
I've gained a huge appreciation for SRs who don't always get the unique edge-case findings, but always manage to find all bad logical errors.
2
0
23
@KrisApost1
Kristian Apostolov
1 year
@sherlockdefi Bulgaria: The place with the most EVM Security Researchers per square kilometer.
1
0
23
@KrisApost1
Kristian Apostolov
11 months
Proper time allocation is the best skill a security researcher can possess.
2
1
23
@KrisApost1
Kristian Apostolov
1 year
My blog/newsletter is now LIVE! 🎉 A series of fascinating articles are heading your way soon! Which kind of content would you find more valuable? 🤔 1. Findings/Unique vector breakdowns. 2. Doing breakdowns on complex concepts. Drop for your answers in the comments. 👇
5
1
23
@KrisApost1
Kristian Apostolov
11 months
It's fascinating to know how hackers manage to launder the stolen funds and not get caught. This @TornadoCash breakdown will help you out:
4
2
21
@KrisApost1
Kristian Apostolov
1 year
There are ALWAYS more bugs in a codebase. But the only way of uncovering them is letting people with different perspectives look at the code.🕵️‍♂️
2
0
21
@KrisApost1
Kristian Apostolov
1 year
In just over two months, I've dived deep into the world of web3 security and I'm excited to continue my learning journey. In this 🧵, I want to share some key takeaways from my experience so far.
2
2
20
@KrisApost1
Kristian Apostolov
1 year
Me and @0x3b338 got a small payout from the @sherlockdefi @Footium contest 👇
0
1
20
@KrisApost1
Kristian Apostolov
1 year
Preparing some big alpha for the coming days.. 👀
1
1
20
@KrisApost1
Kristian Apostolov
8 months
Loved auditing @UmamiFinance ! 🫡
@UmamiFinance
Umami
8 months
Umami DAO is happy to announce that our GM Vaults based on @GMX_IO 's v2 model have passed @GuardianAudits tests & the auditing process is complete! 🍔 Check out this Medium article below for more information on our Launch & a link to the audit! 👇
2
16
60
1
0
20
@KrisApost1
Kristian Apostolov
1 year
Managed to go through the @PopsicleFinance @sherlockdefi contest. Found some fun stuff. On to the next codebase. ✌️
1
0
20
@KrisApost1
Kristian Apostolov
8 months
It do be like that
@dannygfromnyc
Daniel | Guardian Audits ◻⛓
8 months
0
5
40
0
0
20
@KrisApost1
Kristian Apostolov
11 months
Always try and debunk the vulnerability mitigations applied in past audits of the codebase you are auditing. Sometimes the assumption behind the mitigation can easily be broken.
0
1
19
@KrisApost1
Kristian Apostolov
1 year
Try and escalate every low-severity bug you find! Most criticals are simply expanded minor issues. 👀
1
0
19
@KrisApost1
Kristian Apostolov
1 year
Auditing the @eigenlayer contest on @code4rena has really shown me what cooperation and banging your head against the wall can do😅.
3
1
17
@KrisApost1
Kristian Apostolov
10 months
Would it be nice if assembling a report for your client took only a few seconds, anon?
1
0
18
@KrisApost1
Kristian Apostolov
11 months
Protocols don't need security until they do.
0
1
18
@KrisApost1
Kristian Apostolov
1 year
Contest platforms cherish the unique edge case findings, rewarding them generously. Yet, in bug bounty or private audits, they are often dismissed. Incredible how the perspectives are so different!
1
0
18
@KrisApost1
Kristian Apostolov
1 year
Thank you for the great opportunity! 🫡
@0xOwenThurm
Owen | Guardian
1 year
@opensensepw is doing something really cool with REACH! It was a blast working with @KrisApost1 & @deliriusz_eth from the community of auditors there!
2
5
26
1
0
18
@KrisApost1
Kristian Apostolov
1 year
(2/2) - Worked/studied a total of 103.5 focused hours and 72 relaxed ones - Drank 70 coffees and 12 energy drinks - Wrote 11 articles/threads. - Read 22 @code4rena reports, 5 @sherlockdefi reports, 6 @SpearbitDAO reports and ~50 more miscellaneous findings on @SoloditOfficial
4
0
18
@KrisApost1
Kristian Apostolov
1 year
Submitted 1 high and 3 medium severity findings to the @Footium @sherlockdefi contest with my partner in crime @0x3b338 . As always the grind continues and LFG!🚀🔥
2
2
17
@KrisApost1
Kristian Apostolov
1 year
Always check the accounting of a vault that is delegating funds to other protocols as it may be subject to inflation attacks. A 🧵👇
2
4
17
@KrisApost1
Kristian Apostolov
1 year
MAKER tokens aren't fully ERC20 compliant! 👇 Their "name" and "symbol" functions return bytes instead of a string. This may lead to some unexpected reverts or unintended behavior. Watch out in your next audit! 🕵️
1
0
17
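The MKR quirk above (`name()` and `symbol()` returning `bytes32` rather than `string`), as an added Solidity example that is not part of the thread: a reader that calls the getter with a low-level `staticcall` and decodes whichever encoding comes back, so a protocol that displays or logs token metadata does not revert on such tokens. The `TokenMetadataReader` library, the `Bytes32NameToken` mock and `MetadataConsumer` are constructed for illustration; the mock only imitates the return type the tweet describes and is not the MAKER contract.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

library TokenMetadataReader {
    // Calls `selector` (name() or symbol()) on `token` and returns the result as a string.
    // A standard ERC20 returns an ABI-encoded string: 32 bytes offset + 32 bytes length
    // + padded data, so the payload is always at least 64 bytes. A bytes32 return is exactly
    // 32 bytes, which is how the two encodings are told apart here.
    function readString(address token, bytes4 selector) internal view returns (string memory) {
        (bool ok, bytes memory data) = token.staticcall(abi.encodeWithSelector(selector));
        if (!ok || data.length == 0) {
            return ""; // token has no such getter; do not revert the caller
        }
        if (data.length == 32) {
            return bytes32ToString(abi.decode(data, (bytes32)));
        }
        return abi.decode(data, (string));
    }

    // Copies a bytes32 up to its first zero byte into a dynamic string.
    function bytes32ToString(bytes32 raw) internal pure returns (string memory) {
        uint256 len = 0;
        while (len < 32 && raw[len] != 0) {
            len++;
        }
        bytes memory out = new bytes(len);
        for (uint256 i = 0; i < len; i++) {
            out[i] = raw[i];
        }
        return string(out);
    }
}

// Constructed mock with the non-compliant return type; assumption for illustration.
contract Bytes32NameToken {
    function name() external pure returns (bytes32) {
        return "Mock Bytes32 Token";
    }

    function symbol() external pure returns (bytes32) {
        return "MOCK";
    }
}

// Hypothetical consumer: naively declaring the standard interface and calling
// IERC20Metadata(token).name() would revert on the mock because abi decoding of a
// 32-byte return as a string fails; the tolerant reader does not.
contract MetadataConsumer {
    function nameOf(address token) external view returns (string memory) {
        return TokenMetadataReader.readString(token, bytes4(keccak256("name()")));
    }

    function symbolOf(address token) external view returns (string memory) {
        return TokenMetadataReader.readString(token, bytes4(keccak256("symbol()")));
    }
}
```

`nameOf` on a deployed `Bytes32NameToken` returns `"Mock Bytes32 Token"`, and on a standard ERC20 it returns the string the token encodes. The length check is the whole trick: both encodings share the selector, so only the shape of the returned bytes tells you which one you got.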
@KrisApost1
Kristian Apostolov
11 months
"Using DeFi will NOT make you rich overnight" should be made a mandatory disclaimer on frontends similar to responsible gambling messages.
1
0
16
@KrisApost1
Kristian Apostolov
1 year
Going through @jeiwan7 's Uniswap V3 book was a real "now I get it" moment for me. 💡 It may also be one for you! 👇
1
0
16
@KrisApost1
Kristian Apostolov
11 months
What's your ratio of finding vulnerabilities/assembling a report, anon?
4
1
16
@KrisApost1
Kristian Apostolov
1 year
What is your process after finding a H/M? 🤔 Do you try and escalate it right away or do you do something else? Here is what I do: 🧵👇
1
1
16