Andy Li @andyfeili Twitter profile

Last Seen Profiles

@Khan1990Sa54545

@MarianneBa68525

@triciaisabirdy

@fastcase

@stw46

@sporteventsbe

@hsnhana1

@iamakt__

@Phimchanokplw

@sajjad_yazdani_

@CMS_Law_Tax

@winterstellars

@sorano_blue_

@k1ttybf

@GiraffeSights

@noe1_xx

@_Nadimadisha

@bluemingfIeur

@RSCactu

@averyheeringa

@CoachT352

@VWolf83864177

@salbbsna1

@bokeplokalmalam

@ACEscaldes

@being_sunny1

@VyT4DLNtwirBgF0

@dsupervilleap

@SASTYP1H

@3EIED

@HIN4chan_

@RhylHigh

@Vxrqh

@CallieCaplan

@duoleilomo

@BrandonEwart5

Andy Li

@andyfeili

2 years

1/ How to get started in web3 hacking - the learning resources I used to go from zero to 13k bounties on @code4rena in 4 months

34

201

707

Andy Li

@andyfeili

2 years

A thread of my journey in web3 security in 2022. From noob to security engineer in 1 year. 1. Discovered the world of web3 security in January with damn vulnerable defi

Damn Vulnerable DeFi

Learn smart contract security with the most vulnerable set of Solidity smart contracts ever witnessed.

www.damnvulnerabledefi.xyz

28

143

510

Andy Li

@andyfeili

2 years

great resource to learn about past defi hacks

GitHub - SunWeb3Sec/DeFiHackLabs: Reproduce DeFi hacked incidents using Foundry.

Reproduce DeFi hacked incidents using Foundry. Contribute to SunWeb3Sec/DeFiHackLabs development by creating an account on GitHub.

github.com

14

109

445

Andy Li

@andyfeili

1 year

This is why there hasn't been much content from me recently

78

1

337

Andy Li

@andyfeili

2 years

Want to find your first high severity issue on @code4rena to get +backstage role? This is one of the most common and easy to spot bug on c4. What is the problem here?

18

37

273

Andy Li

@andyfeili

1 year

The web3 security community is growing. 💪 Thanks for 10k subs! 🥳

22

6

197

Andy Li

@andyfeili

1 year

4 years ago I was working a helpdesk job at a MSP making 30k per year. While working there, I got exposed to and started gravitating towards security and studied various cyber security certs after work. 1 year into the job there was an opportunity to do a security assessment

22

10

184

Andy Li

@andyfeili

2 years

Great resource for learning about web3 vulnerabilities. @1nf0s3cpt is constantly updating it, adding new material - truly doing god's work here.

4

33

170

Andy Li

@andyfeili

2 years

9

13

169

Andy Li

@andyfeili

1 year

Now that I am a father I have been thinking a lot about education and how that plays a part in a child's future. For me, I did not do well in the public education system where I was disinterested and did not fit in, which resulted in me wasting my teens and twenties and not

15

2

169

Andy Li

@andyfeili

2 years

Interview with @trust__90 is here. 🙂 We talk about his experience as an exploit dev at NSO Group and his transition into web3 security, and of course tons of details around his methodology and mindset around smart contract auditing.

13

19

157

Andy Li

@andyfeili

2 years

Interview with top auditor @0xDjangoOnChain on how he transitioned from data engineer to full time bounty hunter, earning over 400k this year on @code4rena and @immunefi combined.

8

16

154

Andy Li

@andyfeili

2 years

Just recorded an incredible episode, 2 hours of @trust__90 dropping alpha auditing tips and talking about his insane background developing IOS zero days at NSO Group. Will try to get this episode out in the next 1-2 days

Andy Li

@andyfeili

2 years

Ranked 1 auditor @trust__90 will be coming onto my channel to do an interview this week. What do you want me to ask him?

25

1

131

15

12

151

Andy Li

@andyfeili

2 years

India seems to be really into smart contract auditing, flipped USA recently in my YouTube analytics.

15

6

148

Andy Li

@andyfeili

1 year

Guys... I think this is the problem...

14

12

145

Andy Li

@andyfeili

1 year

Frankly, I joined web3 security because it paid higher than web2 sec. Last year I was telling everyone to switch due to the opportunities and growth in this industry. However with the job market tight and competition fierce in audit contests, it is no longer the case for the

24

9

142

Andy Li

@andyfeili

2 years

Interesting statistic on DeFi hacks

9

19

137

Andy Li

@andyfeili

2 years

How to go from intermediate level auditor to advanced? @0xleastwood - Spearbit LSR, shares his story and auditing alpha in this latest interview! Linked below👇🎥

4

20

138

Andy Li

@andyfeili

1 month

Before having kid I was neutral to whether I wanted kids or not. Now on the other side I want more and wish I started sooner. For all the new dads out there, the first year was incredibly difficult, the baby's needs came first and nothing else mattered. With the sleep

11

2

134

Andy Li

@andyfeili

2 years

Ranked 1 auditor @trust__90 will be coming onto my channel to do an interview this week. What do you want me to ask him?

25

1

131

Andy Li

@andyfeili

1 year

I talk to @zachobront about his audit process, how he collaborates with other top auditors to find unique bugs and his recent success on @immunefi and @sherlockdefi .

Zach Obront: Winning Audit Contests & Crushing Bug Bounties

I talk to Zach Obront about his audit process, how he collaborates with other top auditors and his recent wins on Sherlock and Immunefi. Links:https://twitte...

www.youtube.com

13

26

127

Andy Li

@andyfeili

2 years

Easily search through previous audit reports from code4rena and Sherlock

4

22

122

Andy Li

@andyfeili

2 years

@PatrickAlphaC is coming over to security! 👀 In this interview we talk about Patrick's decision to leave Chainlink to focus on security and his advice for new auditors and engineers in web3. btw Patrick is also hiring auditors! Link below 📺👇

7

15

119

Andy Li

@andyfeili

2 years

Spearbit lead security researcher and code4rena judge @0xleastwood will be joining me for an interview to share his alpha this weekend. What do you want me to ask him?

26

2

115

Andy Li

@andyfeili

2 years

Joining Sigma Prime next week as a security engineer! 🎉

23

2

117

Andy Li

@andyfeili

2 years

Feels good when your PoC works

12

2

113

Andy Li

@andyfeili

11 months

6

0

111

Andy Li

@andyfeili

2 years

When learning something new, bouncing between different learning resources is a good way to progress when you hit a difficult topic that is hard to understand. You might come across a blog or article that explains things at just the right difficulty level to make things click.

14

12

113

Andy Li

@andyfeili

1 year

Coming back with more interviews with top auditors soon.

11

0

114

Andy Li

@andyfeili

1 year

DeFi gets rekt so often that as an auditor I still don’t use it. Even after 1000s of bugs crushed through audit contests, solo audits, bug bounties etc, it doesn’t feel like it has gotten much better. Degens will accept this risk for the chance of profit, but how can we

12

4

100

Andy Li

@andyfeili

2 years

god damn Linkedin

13

4

100

Andy Li

@andyfeili

1 year

Certik and PeckShield having majority market share while wardens who can find real vulns on c4 get paid wojak wages. Something is not right.

9

3

95

Andy Li

@andyfeili

11 months

Alex the Entreprenerd @GalloDaSballo on Freelancing, Business and Internal Security Practices working on @eBTCprotocol

4

15

93

Andy Li

@andyfeili

1 year

You know Solidity? Ok name 10 EIPs

20

2

89

Andy Li

@andyfeili

1 year

I am convinced that writing a lot of PoCs and test coverage is THE best way to up-skill as a security auditor. I remember asking @0xleastwood (who previously worked at @sigp_io ) in an interview about how he went from intermediate to advanced. He wasn’t sure the reason and said

Sigma Prime

@sigp_io

1 year

We're firm believers in crafting our own tests during security reviews 🧪 Why? It not only helps us discover more vulnerabilities but also grants us a deeper comprehension of the target. You may notice the test suites that accompanies our reports aren't just PoCs, but offer

4

6

45

10

18

90

Andy Li

@andyfeili

2 years

This CTF looks cool

2

12

90

Andy Li

@andyfeili

2 years

It is hiring season, internship opportunities at both ToB and OZ 👀 Links 👇

5

13

89

Andy Li

@andyfeili

1 year

Everyone wants to be a solo auditor, while working at an audit firm is highly underrated. With a newborn I have not been able to grind as hard as I did last year, but just passively upskilling daily by doing your job is a pretty sweet deal. Consistant progress compounds over

8

2

85

Andy Li

@andyfeili

2 years

Video coming soon! Just had an amazing conversation with 100proof over the weekend about how he took home a 150k bounty on @immunefi . We talked for over 2.5 hours about topics ranging from bounty hunting, @code4rena , computer science, web3 salaries and his massive payday.

Notional

@NotionalFinance

2 years

1/ Late last night we received a notification through Immunefi of a vulnerability in the Notional smart contracts. The vulnerable code was disabled immediately and no user funds are at risk. User functionality is fully operational and you can continue to use Notional as normal.

5

6

55

6

3

80

Andy Li

@andyfeili

2 years

Made a video sharing the CV I used to land a job in web3 security. Hope this helps you guys who are working hard trying to break into this industry.

6

7

77

Andy Li

@andyfeili

1 year

My estimate and breakdown for the number of people who can consistently make more than 10k per month in web3 security as an independent security researcher. spearbit has all the good independent researchers roughly ~100 onboarded. Lets say SRs and LSRs make more than 10k per

Andy Li

@andyfeili

1 year

How many independent security researchers do you think are making more than 10k per month today in 2023

10

1

27

12

6

76

Andy Li

@andyfeili

2 years

Ever wondered what it was like working as a smart contract auditor at a firm? Here is my experience after the first month. 📺

6

5

71

Andy Li

@andyfeili

2 years

Made a video on my study methodology for code4rena

My Study Methodology

My note taking methodology for studying previous audit findings on code4rena. Code4rena reports:https://code4rena.com/reportsTomo's Blog:https://tom-sol.noti...

www.youtube.com

3

11

68

Andy Li

@andyfeili

1 year

With all the talk of companies forcing their employees to come back to the office, it is awesome to be working in an industry that is truly 100% remote

7

1

71

Andy Li

@andyfeili

11 months

Joe ( @joe_vanloon ) @audit_wizard Founder, ex-FAANG Security Engineer on Threat Modeling, AI and Security Tooling

7

5

73

Andy Li

@andyfeili

2 years

Good article from samczsun on price oracle attacks. Explains things with stories and anecdotes that make it very approachable - even for beginners.

So you want to use a price oracle

Everything you need to know about price oracles and how to use them safely

samczsun.com

3

5

67

Andy Li

@andyfeili

1 year

I chat to @moise__ about his web3 security journey transitioning from big4 and his current work at @SpearbitDAO

Moise: Transitioning from Big4 to Web3 Security

Moise shares his transition from a traditional Big4 consultancy role to the Web3 security realm. We talk about transferable skills, learning resources and hi...

www.youtube.com

7

3

63

Andy Li

@andyfeili

2 years

Reading about zk - all the useless high school math is coming back to me now 😂

8

4

62

Andy Li

@andyfeili

1 year

Stop scrolling for "audit alpha". It is not here. Your time is better spent actually doing the work

4

2

61

Andy Li

@andyfeili

2 years

0xDjango - Code4rena and Immunefi Bounty Hunting

0xDjango went full time on web3 security as an independent researcher this year, and has found success on both Code4rena and Immunefi earning over 400k combi...

www.youtube.com

4

9

61

Andy Li

@andyfeili

1 year

After you run out of ideas during an audit, read some reports to get the brain juices flowing again.

3

2

60

Andy Li

@andyfeili

2 years

Video is here! @pashovkrum joins me in this interview to share his latest auditing and business alpha around private audits and building industry connections Link below 👇

pashov

@pashovkrum

2 years

Just finished my interview with @andyfeili and I can give you a pro-tip on those - never do them when you are underslept😂 All jokes aside, I did give some alpha on my solo auditing experience and all-things-web3-security as well. When is it coming out? Soon™️

5

3

82

3

12

59

Andy Li

@andyfeili

2 years

new interface looks slick @tohohh_ I find myself using it almost daily

2

3

58

Andy Li

@andyfeili

1 year

This was a special one to be a part of. My first review as lead, in addition to having a few “ah ha” moments which helped improve my overall auditing process. Really interesting codebase, fantastic project.

Sigma Prime

@sigp_io

1 year

We have just released the review for Lyra Finance V2 Smart Contracts. 4 criticals, 2 highs and 4 mediums all resolved by the @lyrafinance team. 🎉 Check out the report here:

0

7

37

4

0

56

Andy Li

@andyfeili

11 months

Another post about certik farming for engagement

3

1

56

Andy Li

@andyfeili

11 months

Who is going to come out of c4 retirement for this

8

3

56

Andy Li

@andyfeili

1 year

Should MEV bot operators be criminally liable if their bot front-runs a hack transaction?

23

4

50

Andy Li

@andyfeili

1 year

If AI goes rogue it will start to introduce backdoors in the software that it writes for us. This means we will always need security researchers performing code reviews 🫠

4

3

50

Andy Li

@andyfeili

1 year

@1_00_proof will be joining me in another podcast episode soon talking about his massive 7-figure bug bounty from discovering a very unique concentrated liquidity protocol bug, which put over 100m funds at risk. What questions do you want me to ask him?

8

5

51

Andy Li

@andyfeili

2 years

Woohoo onboarded to @SpearbitDAO , let's go!

8

0

51

Andy Li

@andyfeili

2 years

2/ @cmichelio is ranked 1st on @code4rena with more than 1 million in awards - start by reading his blog to get the big picture

How to become a smart contract auditor | cmichel

From time to time, I receive messages asking me for advice on how to get started as a smart contract security auditor. While there are…

cmichel.io

1

10

49

Andy Li

@andyfeili

1 year

Try this next time you are learning something new Give your brain time to absorb the information. Pull up various articles/videos on the topic, and instead of reading them all at once, read them over several weeks, a month or longer. Spaced repetition is god tier

3

50

Andy Li

@andyfeili

2 years

It is amazing to see how many people successfully made the switch to web3 security this year (many with no prior tech experience) thanks to @code4rena . Securing the ecosystem while also providing the opportunity to upskill the next generation of security practitioners. 👏

Code4rena

@code4rena

2 years

What a year it’s been! In 2022, the C4 community: - Received over $9.5M in rewards - Made 10k+ unique findings - Worked with Sponsors to run 135 comps - Grew the Warden pack to 2.3k+ None of this would’ve been possible without your support, so thank you frens. Here’s to 2023 🎉

2

6

89

1

4

50

Andy Li

@andyfeili

2 years

Found the tweet last year that got me into web3 security 😇 The timing was really good, found myself thinking - "hey what else am I going to do over the Christmas break, lets check out this CTF!"

Devansh (⚡, 🥷)

@0xAsm0d3us

3 years

Damn Vulnerable DeFi is the wargame to learn offensive security of DeFi smart contracts. Throughout numerous challenges you will build the skills to become a bug hunter or security auditor in the space, and yeah Merry Christmas🎄 #blockchain

5

184

588

2

3

48

Andy Li

@andyfeili

2 years

Interview with Pashov tomorrow! Last chance to get your questions in

pashov

@pashovkrum

2 years

Doing an interview answering stuff about my smart contract security journey next week. Any cool questions you'd like to hear answered from me? P.S. Posting my two previous interviews as a comment under this, we will try to not repeat the questions from there much

14

8

105

7

1

48

Andy Li

@andyfeili

2 years

trust_90: NSO Group Hacker turned Web3 Security Researcher

An interview with Trust, ex-NSO Group hacker turned web3 bounty hunter and independent security researcher. In just under a year, Trust has rocketed to the t...

www.youtube.com

1

6

47

Andy Li

@andyfeili

2 years

@yAcademyDAO has dropped some sweet alpha videos recently

3

9

46

Andy Li

@andyfeili

2 years

If you enjoyed my recent interview with @0xDjangoOnChain on his success on @immunefi . Make sure to also check out the video I did with @1_00_proof last month were he tells the full story of his 150k bounty. Here is the clip in case you missed it.

3

2

45

Andy Li

@andyfeili

2 years

2022 has been a good year (also found out I will be a father 😇) Onward and upwards for 2023! 🍻

11

0

47

Andy Li

@andyfeili

2 years

In this episode @BowTiedDravee joins me and talks about his journey - learning smart contract auditing from scratch. He shares auditing advice and his report automation process he used to rank 1st in gas optimisations in the $1M OpenSea contest.

dravee.eth

@BowTiedDravee

2 years

2022 was life-changing. I quit my web2 DevOps job + Ranked 22nd on @code4rena (n°2 in sheer nb of findings) & became a Scout + Met a lot of awesome people at TrustX + Did 2 audits as a SR at @SpearbitDAO + Was in @yAcademyDAO 's 4th cohort + Made lots of frens 😄 LFG rock 2023!!!

6

1

104

4

46

Andy Li

@andyfeili

11 months

Darren @_Parsely_ zBlock1 Alumni @yAcademyDAO on learning ZK, web3 security while working full time

4

45

Andy Li

@andyfeili

1 year

The unfortunate truth is that DeFi does not fulfil the promise conducting finance without trusted intermediaries. Majority protocols definitely *can* rug you if they wanted to, even if the code is audited/immutable etc etc

4

2

44

Andy Li

@andyfeili

1 year

web3 security

Cooper

@enlightenedcoop

1 year

What are the highest paying careers? And by highest paying I mean high potential to earn 500K+ and even seven figures after 5-10 years

282

28

708

4

3

44

Andy Li

@andyfeili

2 years

Featured on @blockthreat again. Thanks @trust__90 & @0xDjangoOnChain ! 🤝

1

2

43

Andy Li

@andyfeili

2 years

7/ I made a beginner roadmap video providing a bit more info on the above I am documenting my web3 journey on my YouTube channel - follow for more web3 hacking content

Beginner Roadmap to Smart Contract Auditing

A guide for beginners to get into web3 smart contract auditing. Sharing the learning resources I used to get to this point and talking about my future goals ...

www.youtube.com

8

4

40

Andy Li

@andyfeili

11 months

Lucas Calderon @lmc_security on building startups, AI security tooling and the impact on security research

1

8

36

Andy Li

@andyfeili

1 month

Doing some golang reviews

5

0

40

Andy Li

@andyfeili

1 year

Does being a good auditor make you a better dev, or does being a good dev make you a better auditor? Does it go both ways?

16

0

41

Andy Li

@andyfeili

1 year

Web3 security hangout with @hake_stake and @pashovkrum 🫡

Web3 Security Hangout: Hake, Pashov & Andy

0:00 Audit Workflow18:56 ChatGPT23:40 Immunefi30:10 Work Life Balance33:45 Yearn Finance 10m Hack40:34 Audit Process46:57 Pattern Matching Bugs57:32 Operatio...

www.youtube.com

0

6

41

Andy Li

@andyfeili

1 year

Come work with me

Sigma Prime

@sigp_io

1 year

📢 We're in the midst of reviewing applications for our Blockchain Security Internship! 📢 Haven't applied yet? Good news - applications remain open for the next 2 weeks. Dive into the world of web3 security with Sigma Prime. Details below. ⬇️

4

9

58

4

40

Andy Li

@andyfeili

11 months

Pits Certik against own firm in the first round thinking it would be an easy win. *certik with the upset* Feels bad man

Nikita Kirillov

@urbittesweet

1 year

Round 1 (1/8). @CertiK vs @pessimistic_io Let the tournament begin!

17

2

27

4

0

40

Andy Li

@andyfeili

11 months

Yesterday: *everyone shitting on javascript* Today: *Truffle sunsets* Everyone: 🫡🫡🫡

5

1

36

Andy Li

@andyfeili

1 year

Damn the job market is tight right now

Sigma Prime

@sigp_io

1 year

Appreciate the overwhelming interest in joining our team! Over 140 applications have come in for the Blockchain Security Intern position, with some truly outstanding candidates. We will be evaluating and setting up interviews soon. 🙌

2

12

53

5

0

38

Andy Li

@andyfeili

1 year

Editing the video now, will be dropping soon 🫡

hake

@hake_stake

1 year

Excited for @andyfeili to drop his next video with @zachobront !

4

2

26

3

36

Andy Li

@andyfeili

1 year

My timeline is full of this guy today

6

2

37

Andy Li

@andyfeili

2 years

3/ learn solidity with @PatrickAlphaC 's 32 hour solidity course you don't need to go through everything, just pick up on the basics of solidity and web3

Learn Blockchain, Solidity, and Full Stack Web3 Development with...

This course will give you a full introduction into all of the core concepts related to blockchain, smart contracts, Solidity, ERC20s, full-stack Web3 dapps, ...

www.youtube.com

1

5

34

Andy Li

@andyfeili

2 years

This is so good -

toto

@totovoto

2 years

I'm creating a database with #Solidity audit findings. You can search by keyword/tag and severity. @ethereum Can be useful for smart contract auditors

10

18

70

2

35

Andy Li

@andyfeili

11 months

If your post has more bookmarks than likes - then it is alpha. If it has more likes than bookmarks - then it is not alpha.

5

1

34

Andy Li

@andyfeili

18 days

auditing an interesting call flow: call -> call -> delegatecall -> delegatecall -> call

1

0

34

Andy Li

@andyfeili

2 years

Watch this video from @SpearbitDAO for a full explanation of the issue.

Community Workshop: Maple by Riley Holterhus

Riley Holterhus is a former Paradigm researcher and current Spearbit security researcher hacking contracts while finishing his final year of CS + Math underg...

www.youtube.com

1

6

32

Andy Li

@andyfeili

2 years

Attacker can front run the first depositor to steal a portion of funds.

5

0

33

Andy Li

@andyfeili

11 months

Prepare for the contest with zk bug tracker

GitHub - 0xPARC/zk-bug-tracker: A community-maintained collection of bugs, vulnerabilities, and...

A community-maintained collection of bugs, vulnerabilities, and exploits in apps using ZK crypto. - 0xPARC/zk-bug-tracker

github.com

Code4rena

@code4rena

11 months

The biggest ever Code4rena audit is incoming, thanks to @zksync 🤝 Find a valid vulnerability and take home a slice of the $1.1M prize pool. Get yourselves ready Wardens 🫡

13

45

234

1

6

32

Andy Li

@andyfeili

1 year

@pashovkrum Congrats man, you deserve it. I know how hard you work. On another note, another wave of "dm for audit" accounts are coming 🙂