Alex the Entreprenerd

@GalloDaSballo

3,650
Followers
1,784
Following
650
Media
5,849
Statuses

Build things, make mistakes, learn. - Send me your opinion:

Joined November 2012
Pinned Tweet
@GalloDaSballo
Alex the Entreprenerd
5 months
If you’re using Medusa and Recon for your POCs, send me the best report you wrote. Each month I’ll feature the best one on the ReconOffice Hours and I’ll give the author 150 USDC!
4
2
33
@GalloDaSballo
Alex the Entreprenerd
11 months
If you could ever only watch one video for Security Research, this is probably it
4
38
306
@GalloDaSballo
Alex the Entreprenerd
11 months
After 2 years, I won my first contest on @code4rena !
50
10
259
@GalloDaSballo
Alex the Entreprenerd
10 months
What if you could build your POC visually?
34
9
200
@GalloDaSballo
Alex the Entreprenerd
3 months
Bulgarian Auditor starter pack
17
5
181
@GalloDaSballo
Alex the Entreprenerd
11 months
You need to learn Echidna and Medusa, it will serve you well very soon
7
30
144
@GalloDaSballo
Alex the Entreprenerd
8 months
- balanceOf
- Try / catch
- _safeMint
The amount of vulnerabilities in using these functionalities is so high you can make a career out of finding bugs there. What are other one-liners that make you smell blood?
27
14
150
@GalloDaSballo
Alex the Entreprenerd
10 months
I judged 2200 findings
12
1
143
@GalloDaSballo
Alex the Entreprenerd
1 year
She's a 10 but she thinks lack of address(0) checks is a vulnerability
16
18
134
@GalloDaSballo
Alex the Entreprenerd
1 year
All the active and upcoming contests, sent to you each morning:
25
29
134
@GalloDaSballo
Alex the Entreprenerd
3 months
We're buying the bus ticket with this one! 👏
10
0
128
@GalloDaSballo
Alex the Entreprenerd
9 months
Just read the calldata bro 💀
12
0
126
@GalloDaSballo
Alex the Entreprenerd
9 months
Today, with the wrong signature, you can lose 100% of one of your tokens.
Tomorrow, with EIP 3074, you will be able to lose 100% of all of your tokens with one signature.
Soon, with EIP 4337, somebody else will be able to lose 100% of all of your tokens with one signature.
5
11
119
@GalloDaSballo
Alex the Entreprenerd
10 months
Me and @agfviggiano are building a tool to help you set up invariants on any new foundry project. Currently I believe it takes 1/2 days to set up invariants properly; once we're done with V0 it will take around 1 hour. If you're interested in checking this out, DM!
7
7
123
@GalloDaSballo
Alex the Entreprenerd
8 months
Let's do a masterclass in getting started and turning Code4rena into a career! These are a few of my notes in preparation for tonight's Office Hours, see you there!
2
4
117
@GalloDaSballo
Alex the Entreprenerd
1 year
This POC shows you how to perform view-only reentrancy. Just copy paste the code into your tests as an integration test.
For Auditors: Apply the check to test if an oracle is safe or not (test against all uses, see sturdy).
1
11
113
@GalloDaSballo
Alex the Entreprenerd
6 months
Got a pretty cool question about dealing with big codebases Here's my reply
5
9
107
@GalloDaSballo
Alex the Entreprenerd
4 months
7 PhDs spent 3 months to make $8k. One Bulgarian kid made $10k in 5 minutes by finding a stale oracle check.
@CertoraInc
Certora 🔜 @ Token2049
4 months
It's happening @VitalikButerin: PropertyGPT claims $8,256 in @code4rena contests
14
23
134
8
1
110
@GalloDaSballo
Alex the Entreprenerd
9 months
A surprisingly simple but useful invariant to test is whether an oracle will return the same price if you call it multiple times in a row. This would have prevented a rare edge case in the eBTC codebase. Wisdom is knowing you should have this invariant test.
8
4
104
@GalloDaSballo
Alex the Entreprenerd
1 year
They don't know we use uint32 for timestamps so we can sell them the fix in a hundred years. That's called job security.
3
5
101
@GalloDaSballo
Alex the Entreprenerd
4 months
Crypto is the only industry that lacks Front End Developers
22
6
102
@GalloDaSballo
Alex the Entreprenerd
1 year
Don't mind me, just testing all possible cross-contract reentrancies real quick 💀
4
3
99
@GalloDaSballo
Alex the Entreprenerd
8 months
Am looking for an intern SR, help us manage the discord and collect info, we'll teach you to find bugs
38
8
92
@GalloDaSballo
Alex the Entreprenerd
4 months
Peak Performance
9
4
93
@GalloDaSballo
Alex the Entreprenerd
8 months
1 hour and 40 minutes on how to make it in Code4rena:
- Rules for HMs
- How is deduplication done?
- How are Analyses judged?
- How to find bugs?
- How to cash out
- How do you turn Bug Hunting into a career?
And more!
7
9
91
@GalloDaSballo
Alex the Entreprenerd
2 years
pov: you're a judge @code4rena
4
3
90
@GalloDaSballo
Alex the Entreprenerd
1 year
Security Research Tool Workshop Syllabus 👉👈 wdyt anon?
10
7
93
@GalloDaSballo
Alex the Entreprenerd
5 months
After 4 months of research and development Grants by the eferium foundation and dogecoin I'm proud to unveil the newest design for the Daily Warden!
9
1
91
@GalloDaSballo
Alex the Entreprenerd
8 months
Join me and @agfviggiano Thursday the 1st for the first public Demo of Recon! We will show you how you can get started running medusa on any foundry repo, within a few minutes. We will then explain the tech and best practices behind it. Sending Discord Links only via DM.
28
9
91
@GalloDaSballo
Alex the Entreprenerd
9 months
Biggest challenge for next year will be not to fomo into a million different things. Play your own game.
7
9
88
@GalloDaSballo
Alex the Entreprenerd
9 months
How tf do you:
- Find and Prevent 0 day exploits
- Send 47 different attacks
- Win a C4 contest
While having another job? Come find out tonight!
10
3
89
@GalloDaSballo
Alex the Entreprenerd
10 months
If you ever feel down, remember that if you won $0.01 in @code4rena you are an award winning developer!
12
6
87
@GalloDaSballo
Alex the Entreprenerd
1 year
What do you think? 👉👈
22
4
88
@GalloDaSballo
Alex the Entreprenerd
4 months
Security Contest Lore vs Gameplay
9
5
87
@GalloDaSballo
Alex the Entreprenerd
2 months
Before and After the Euler Contest
7
2
84
@GalloDaSballo
Alex the Entreprenerd
11 months
It was an honor to ++i with you
5
5
83
@GalloDaSballo
Alex the Entreprenerd
2 years
Trigger your auditor with this one trick
8
1
82
@GalloDaSballo
Alex the Entreprenerd
3 months
Year 2030
9
7
81
@GalloDaSballo
Alex the Entreprenerd
8 months
Probably the greatest productivity tool when it comes to writing POCs
4
6
80
@GalloDaSballo
Alex the Entreprenerd
7 months
Write some tests. Let Medusa cook. Come back to a report of exploits. We are weeks away from this.
9
1
81
@GalloDaSballo
Alex the Entreprenerd
1 year
RIP, thank you for your service!
2
10
79
@GalloDaSballo
Alex the Entreprenerd
6 months
We've been blessed by an incredible amount of trust. It is up to us to prove to these projects that it was worth it.
3
3
81
@GalloDaSballo
Alex the Entreprenerd
7 months
Why can't solidity be like javascript?
18
0
79
@GalloDaSballo
Alex the Entreprenerd
9 months
Unironically Prettier + a Frontend are the easiest way to boost this metric. Good solidity code rarely leads to a lot of writing, most of the work is thinking.
3
2
75
@GalloDaSballo
Alex the Entreprenerd
2 months
We thought we could write the perfect smart contract. With no bugs. Turns out we couldn't.
9
5
74
@GalloDaSballo
Alex the Entreprenerd
8 months
I read code
10
1
73
@GalloDaSballo
Alex the Entreprenerd
1 year
OG resource to learn EVM exploits: These all already happened, best to learn from them
1
11
73
@GalloDaSballo
Alex the Entreprenerd
11 months
Daily Warden now tracks Cantina Competitions!
10
6
69
@GalloDaSballo
Alex the Entreprenerd
4 months
Zero alpha on twitter. Meanwhile I drop a 2 hour workshop on how to unfuck your code from day 0. As always the recording is in the Recon Discord. This Thursday we'll drop another banger.
3
3
72
@GalloDaSballo
Alex the Entreprenerd
9 months
Goals for next year:
- Get promoted to LSR
6
2
69
@GalloDaSballo
Alex the Entreprenerd
9 months
Active and upcoming contests, sent to you each morning: (Next year is gonna be crazy, keep yourself up to date)
7
3
67
@GalloDaSballo
Alex the Entreprenerd
1 year
1 weird trick to make your contracts bug free DEVS BENEDICAT ET PROTEGAT CONTRACTVS MEAM
9
8
70
@GalloDaSballo
Alex the Entreprenerd
7 months
Good DeFi Dev Interview questions:
- Write a way to claim multiple rewards in bulk (avoid duplicates, show logic) (top 30%)
- Initialize a UniV3 Pool without the Factory (top 10% devs)
- Code a Balancer Swap (top 1% devs)
5
5
69
@GalloDaSballo
Alex the Entreprenerd
3 months
In this video I go over 2 bugs I found in the Tapioca C4 Contest with Invariant Tests:
- Library Encoding error
- Causing a DOS
The biggest takeaway is how you can use the fuzzer to give you preconditions you cannot find with manual review.
4
5
67
@GalloDaSballo
Alex the Entreprenerd
1 year
Pro Tip: Use assembly if you’re paid hourly!
5
1
66
@GalloDaSballo
Alex the Entreprenerd
7 months
This video is really great, you should check it out!
6
2
66
@GalloDaSballo
Alex the Entreprenerd
13 days
Would you like to have a site where all top SRs discuss judging decisions, as a means to get a consensus on Severity and Impact?
13
0
67
@GalloDaSballo
Alex the Entreprenerd
8 months
Shoutout to a few SRs:
- @jeiwan7 best univ3 SR I have ever worked with
- @0xhyh & @StErMi they can probably find a needle in a haystack
- @agfviggiano rising star of 2024!
5
0
65
@GalloDaSballo
Alex the Entreprenerd
7 months
Join me and @agfviggiano tomorrow for the reveal of Recon!
- Get started with invariant testing within minutes!
- Start with best practices from day 1
- Let the tool do the work for you
We'll do a demo and show something we cannot share publicly 👀 Link is shared via DM!
14
3
64
@GalloDaSballo
Alex the Entreprenerd
1 year
Recording of the Workshop on Security Research Tools:
- Check the chain
- Decompile Contracts
- Build a Critical POC (Live)
Video: Slides:
1
13
65
@GalloDaSballo
Alex the Entreprenerd
1 year
If Silicon Valley Bank was a DeFi Project: SVB can be viewed as a CDP manager that implements a 2 strategy system. Each depositor account is a CDP, that can only deposit and borrow. The CDP Manager can move the funds into its two strategies.
1
7
63
@GalloDaSballo
Alex the Entreprenerd
1 year
Writes code for 10 minutes, writes tests for 6 hours
5
2
64
@GalloDaSballo
Alex the Entreprenerd
7 months
This article has gotten so many Yield Farmers into thinking around delta neutral. You should understand these concepts if you want to find more economic exploits.
2
11
65
@GalloDaSballo
Alex the Entreprenerd
12 days
Uhoh, you sent a solo finding on Sherlock?
6
0
67
@GalloDaSballo
Alex the Entreprenerd
7 months
Legend
2
3
61
@GalloDaSballo
Alex the Entreprenerd
5 months
Daily Warden now has a Dark Mode!
4
3
61
@GalloDaSballo
Alex the Entreprenerd
2 years
Trying something new: If you want one of your Security Research Reports Roasted, send me a DM, I'll publish the feedback publicly so be ready for that
7
5
59
@GalloDaSballo
Alex the Entreprenerd
1 year
Chose violence
3
1
62
@GalloDaSballo
Alex the Entreprenerd
8 months
Imagine getting all of your invariants scaffolding set up with a couple of clicks. Or reach out and see it for yourself!
2
4
58
@GalloDaSballo
Alex the Entreprenerd
4 months
I can't believe the judge preferred zachs report to mine
2
0
61
@GalloDaSballo
Alex the Entreprenerd
3 months
Just one crit
3
0
60
@GalloDaSballo
Alex the Entreprenerd
3 months
Pretty unhappy with a lot of judging I'm seeing around, what's a fair way to criticize that will lead to positive change?
11
3
58
@GalloDaSballo
Alex the Entreprenerd
8 months
New year, new you! Let's chat about the foundations of Bug Hunting:
- How do you find bugs?
- What makes a great report?
- Where to learn from?
- What are C4 rules?
This Thursday!
3
4
55
@GalloDaSballo
Alex the Entreprenerd
10 months
Just had a nightmare, my protocol didn't support feeOnTransfer Tokens!
10
2
55
@GalloDaSballo
Alex the Entreprenerd
8 months
Let's say, hypothetically, I were to make a C4 Blue Team that offered continuous fuzzing as part of the engagement. Would you want to join? (DM)
18
2
57
@GalloDaSballo
Alex the Entreprenerd
1 year
50 Daily Wardens! 🎉 Timeline view just dropped! /timeline What do you think?
13
3
55
@GalloDaSballo
Alex the Entreprenerd
1 year
I built the POC of an oracle manipulation attack live as well as showing a myriad of interesting tools for security research, you should check this out
@zksync
ZKsync (∎, ∆)
1 year
Didn't make it to EthCC? Join today's livestream of zkSync's developer day. Session details and link👇
28
109
373
1
8
57
@GalloDaSballo
Alex the Entreprenerd
5 months
When the escalations against you fail, and you're getting paid
4
1
55
@GalloDaSballo
Alex the Entreprenerd
10 months
I don’t think people understand how valuable echidna is to the space
8
0
52
@GalloDaSballo
Alex the Entreprenerd
4 months
My favourite findings:
- Minting the right address allows stealing all funds via execute (77)
- How to find an encoding error with fuzzing (69)
- How I used Recon to find me a way to drive the twTap cumulative to 0 causing a DOS (55)
@code4rena
Code4rena
4 months
We’ve just published the @tapioca_dao invitational audit report! Impressive roster of security researchers including @deadrosesxyz , @GalloDaSballo , @CarrotSmuggler , and 8 others competed to find the highest and rarest vulnerabilities. Full report below 👇
4
5
46
3
6
55
@GalloDaSballo
Alex the Entreprenerd
9 months
You can uniquely represent 2^256 with a combination of 64 different emojis. What could possibly go wrong?
3
2
52
@GalloDaSballo
Alex the Entreprenerd
1 month
POV you sent safeTransfer findings in 2021
1
0
53
@GalloDaSballo
Alex the Entreprenerd
7 months
Join me and @agfviggiano this Thursday 9:00 AM PT - 12 PM ET - 5 PM UTC for the public reveal of Recon: the easiest way to set up invariant testing!
- We'll demo the tool
- Explain the theory behind it
- May or may not bootstrap blast invariant tests
2
4
52
@GalloDaSballo
Alex the Entreprenerd
2 months
3 years and nobody corrected me every time I said kekkak f
24
1
53
@GalloDaSballo
Alex the Entreprenerd
11 months
My goal with this talk is to highlight the opportunities that have risen from publicly competing in Security Contests. From one-man-shops to companies, tools, careers, epic fails and glorious wins
@TheTrustX
TrustX
11 months
🎉 #TrustX2023 Speaker: Alex The Entreprenerd 🎙️ Alex The Entreprenerd @GalloDaSballo , Independent Security Researcher, will speak about "The Wardens Journey"
0
1
13
3
7
51
@GalloDaSballo
Alex the Entreprenerd
7 months
Having a blast
10
2
51
@GalloDaSballo
Alex the Entreprenerd
7 months
How to make your judging better:
- Pay me a shitton of money
3
1
50
@GalloDaSballo
Alex the Entreprenerd
8 months
Who's doing Cairo auditing?
19
3
49
@GalloDaSballo
Alex the Entreprenerd
4 months
As of today I have found 3 critical issues with Recon in public contests, I look forward to sharing these with you as the reports are made public. If you want to avoid me finding these bugs in your code, come check out the office hours later today!
6
1
50
@GalloDaSballo
Alex the Entreprenerd
3 months
If you're planning a contest and want to stand out in the cacophony of it all, consider promoting your contest on the Daily Warden!
5
3
51
@GalloDaSballo
Alex the Entreprenerd
10 months
If you could ever only visit one website for Security Research, this is probably it
5
1
49
@GalloDaSballo
Alex the Entreprenerd
10 months
Add to the checklist:
- Does the protocol use `balanceOf()`?
Seems to be a major way to hijack logic
5
0
49
@GalloDaSballo
Alex the Entreprenerd
11 months
The Daily Warden reached 250 subscribers!
7
3
49
@GalloDaSballo
Alex the Entreprenerd
1 year
Silver Plaque at 10k
7
1
49
@GalloDaSballo
Alex the Entreprenerd
4 months
Let me see:
- payable.transfer = bad
- ERC20.safeTransfer = good
- ERC721.safeTransfer = bad
- ERC1155.safeTransferFrom = The only Option!
Job = Secure
1
1
49
@GalloDaSballo
Alex the Entreprenerd
2 months
Next Thursday I’m walking you through all my notes of OP Fault Proofs. All the tricks I tried to help myself find as many bugs as possible. May or may not have a cameo from a legend.
0
2
45
@GalloDaSballo
Alex the Entreprenerd
10 months
Luke becoming a warden
3
3
47
@GalloDaSballo
Alex the Entreprenerd
10 months
Grinding out the EV
3
4
47