nisedo

@nisedo_

3,189
Followers
2,565
Following
499
Media
4,257
Statuses

I stare at smart contracts until one of us breaks | @soliditors 🇫🇷

Joined August 2021
Pinned Tweet
@nisedo_
nisedo
1 year
To all French speakers 🇫🇷 in Web3 security ⛓️🔒, we've just started a community dedicated to French-speaking enthusiasts and professionals in Web3 security @soliditors ➡️ Send me a DM to join the Discord
10
17
93
@nisedo_
nisedo
1 year
One of the easiest ways to find bugs in an audit is to look where the test coverage is lacking ❌ And this is the best way to have a clear vision of what the tests are covering or not: 1. Download Coverage Gutters: 2. Cmd+Shift+P -> Open Settings (UI)
Tweet media one
23
88
409
@nisedo_
nisedo
10 months
Since I struggled at first to understand the different testing techniques, and since a picture is worth a thousand words, here's my TL;DR
Tweet media one
21
52
300
@nisedo_
nisedo
1 year
Writing your PoC? Need to interact with a local or deployed contract? Tired of writing the whole interface by copying the func sigs and deleting the bodies over and over? 🫠 You can generate an interface from an ABI with one command: `cast interface` 🪄 → For a local contract:
Tweet media one
20
31
244
@nisedo_
nisedo
1 year
The new 5 steps roadmap from 0 to Security Researcher: 1. @PatrickAlphaC YouTube Foundry Course 2. @0xOwenThurm Web3 Security University: @intogateway 3. CTFs: @onlypwner , @nodeguardians DamnVulnerableDeFi, Ethernaut 4. Audit Contests: @code4rena , @sherlockdefi , @CodeHawks ,
9
40
223
@nisedo_
nisedo
8 months
Security Researcher walks into a bar. Orders a beer. Orders 0 beers. Orders 999999999 beers. Orders a lizard. Orders -1 beers. Orders a sfdeljknesv.
40
31
220
@nisedo_
nisedo
10 months
having fun not finding bugs on @stakedotlink
Tweet media one
31
24
200
@nisedo_
nisedo
1 year
So you found the sus function (deposit / approve / mint / transferFrom etc.) in your audit and you wish you could quickly and easily test all the ERC20/ERC721 weird behaviors for that juicy high finding? 1. forge install zeroknots/brokentoken 2. write your 4 lines test as shown
Tweet media one
12
28
203
@nisedo_
nisedo
4 months
TIL that @Google has its own Sepolia faucet
Tweet media one
13
15
202
@nisedo_
nisedo
1 year
So today, I participated in a CTF competition, on the team of @cmichelio , @HickupH and @pashovkrum . Yes, you read that right. How I, a noob anon with just 4 months of experience in web3 security ended up on a team with 3 of the best auditors that web3 will ever see ⬇️
Tweet media one
17
5
194
@nisedo_
nisedo
10 months
Satisfying my clients is my only reason for living. Money is of little importance to me, I only want them to be happy and fulfilled 🫶
Tweet media one
37
5
179
@nisedo_
nisedo
1 year
IMO, these are the 3 most underrated technical web3 YT channels: 🧑‍💻 For Solidity / EVM deep dives: @cryptojesperk ⛓️ For Blockchain / EVM technical overviews: @jordanmmck 🏦 For DeFi concepts made simple: @kermankohli
13
29
175
@nisedo_
nisedo
12 days
These are the 3 best web3sec blogs IMO: - @RareSkills_io () - @MixBytes () - @CyfrinAudits ()
4
24
184
@nisedo_
nisedo
1 year
Listing out all the entry points to the protocol is crucial in any audit to determine the user flows and the possible attack paths ⚔️ And it all starts with mapping out all the `external` and `public` functions which aren't `view`/`pure`. Here's the quickest and easiest way to
Tweet media one
10
19
156
@nisedo_
nisedo
1 year
This might be the most underrated content in all of Web3 💎 @tinchoabbate , one of the very top researchers out there breaks down step by step from a technical perspective one of the most brilliant hacks we've ever seen: @TornadoCash 🌪️ And it's only got 52 views 😲
Tweet media one
6
26
152
@nisedo_
nisedo
1 year
We’ve all been there, you start a new contest, 30 contracts in scope, and you already feel lost searching through all the folders to find which files are in scope and which are not 🫠 How to have all in scope files marked in VSCode and opened in a click? ⬇️ 1. Go to the README
Tweet media one
23
21
149
@nisedo_
nisedo
11 months
So @CertiK ’s talk at @TheTrustX was about using ChatGPT for audits. Bold.
Tweet media one
21
5
138
@nisedo_
nisedo
1 month
I have listed all the non-Solidity contests that I could find on @code4rena , @sherlockdefi , @CodeHawks ➡️ If I missed any, drop a comment and I will add it
Tweet media one
18
14
135
@nisedo_
nisedo
2 months
Forge console.log() now supports decimal 👀 console.log("%18e", 25 * 1e16);
Tweet media one
10
14
128
@nisedo_
nisedo
5 months
I used to think that the best auditors had ~80% of their submitted issues validated 🎯 Interesting to see the "winrate" of some of @sherlockdefi 's top auditors 👀
Tweet media one
12
7
123
@nisedo_
nisedo
6 months
love it or hate it, but @shafu0x has style
Tweet media one
19
6
120
@nisedo_
nisedo
11 months
What it feels like auditing @MorphoLabs
15
7
113
@nisedo_
nisedo
6 months
for those (like me 🥲) who missed this great @TheSecureum workshop by @palinatolmach , @RaoulSaffron and @YliesFalcone from @rv_inc , here are the links to all the resources: Project repo: Day 1: - recording: - slides:
5
21
118
@nisedo_
nisedo
26 days
It took me years of intense research and countless client interviews, but the results are in... 🥁 The ultimate audit firm tier list
Tweet media one
19
7
113
@nisedo_
nisedo
8 months
Me: - Anyone can succeed in web3 security with hard work and determination All the best SRs: - BSc + MSc in Computer Science - 5+ years in web2 backend development - 200 IQ
7
3
111
@nisedo_
nisedo
1 year
Recently I've been studying @IAm0x52 's findings on @SoloditOfficial and I really learned a lot from the 9 Solidity YouTube Tutorials he took the time to make and include in his reports:
Tweet media one
7
10
107
@nisedo_
nisedo
1 year
✅ My Kind of Perfect Day: ☕️ 3 Coffees 🍽️ 2 Meals 🔍 6 hrs of Auditing 📚 10 Findings Studied on @SoloditOfficial 🏋️‍♂️ 30 min of Exercise 🚿 1 Shower 💤 8 hrs of Sleep What's yours? 🫵
24
4
97
@nisedo_
nisedo
10 months
as @zachobront n°1 fanboi in the entire universe, there's no better way to start the year than by reaching the leaderboard and ranking 13/146 in his @TheSecureum RACE-25 🎉
Tweet media one
9
0
100
@nisedo_
nisedo
9 months
The path to becoming a successful competitive auditor is long and hard but straightforward: - Choose a contest - Commit 100% from start to finish - Code a PoC for every H/M issue you find - After the contest ends, code a PoC for every H/M finding you missed
5
8
99
@nisedo_
nisedo
9 months
i recently switched from studying random findings on @SoloditOfficial to studying all findings of a specific auditor, focusing on their mindset and thought process here are my top 3 with the link to access all their findings on @sherlockdefi (including the excluded/non-rewarded
8
11
102
@nisedo_
nisedo
22 days
currently ranked 6th on @immunefi
Tweet media one
6
7
103
@nisedo_
nisedo
11 months
1st best advice I've ever received: @GalloDaSballo : write as many PoCs as possible 💯 2nd best advice I've ever received: @3DOCsec : write your own tests from scratch without even looking at the tests already written by the devs 🫣 I'm trying it for the first time on the
6
7
99
@nisedo_
nisedo
11 months
What happened to "we don't negotiate with terrorists"?
Tweet media one
22
7
96
@nisedo_
nisedo
5 months
I rarely leave my house, but when I do, it's to go halfway across the world ✈️🇹🇭
Tweet media one
12
3
95
@nisedo_
nisedo
11 months
I might have overdone it on the swag thing at @EFDevconnect and @TheTrustX 😸
Tweet media one
20
1
88
@nisedo_
nisedo
6 months
studying @deadrosesxyz 's 129 findings helps you understand: 1. the guy's genius 🧠 2. how soul-draining escalations are 💀
Tweet media one
4
1
89
@nisedo_
nisedo
3 months
I gathered some public data and made a pretty table out of it: 🏆 The Hall of Fame of Competitive Auditors 🏆
Tweet media one
6
7
90
@nisedo_
nisedo
4 months
I had fun learning a bit of Rust by coding auditsetup to automate my process of starting a new audit in a single click: → git clone audit repo ⬇ → open code editor 🧑‍💻 → open and mark all files in scope 📌 → create a folder with: → notes .md 📝 → findings
10
10
87
@nisedo_
nisedo
9 months
one great thing i took from ultimate goat @0xWeisss is to comment every single line "On every line you go through add //ok as a comment at the end once you have reviewed even if boring, it makes you review every line to the dot" in complex parts of the code i often go one step
Tweet media one
12
8
87
@nisedo_
nisedo
1 year
The best habit I've implemented in my routine to improve myself as a Securitoor🕵🏻‍♂️ I study 10 @SoloditOfficial H/M findings every night before going to bed 👨🏻‍💻 If I’m on a specific audit I will look for related issues otherwise I pick random. For each finding: → I add the
Tweet media one
11
17
83
@nisedo_
nisedo
9 months
it was truly an honor 🫡
@PashovAuditGrp
Pashov Audit Group
9 months
Pashov Audit Group's first smart contract security team audit report has just been published, 10 more coming🫡 This month-long audit has ~25 Critical/High/Medium findings and we did have 2 guest auditors. Worth a read✌️
Tweet media one
5
3
75
5
3
83
@nisedo_
nisedo
6 months
dm for rust audits
Tweet media one
7
0
84
@nisedo_
nisedo
6 months
it's study time anons 📖 8 new @zachobront audit reports have just been added to @SoloditOfficial 👀
Tweet media one
7
6
84
@nisedo_
nisedo
3 months
TL;DR A year ago, I stumbled upon @cmichelio 's iconic article, and since then, I've been having a blast staring at smart contracts all day And a massive shoutout to the @CyfrinAudits team, from @CyfrinUpdraft , to @CodeHawks to Solodit-you guys are the real MVPs 🫡
@CodeHawks
Cyfrin CodeHawks
3 months
CodeHawks brings top security auditors and protocols together to strengthen security. But do you ever wonder how they become an auditor in the first place? CodeHawk auditor @nisedo_ shared his journey with us 👇
Tweet media one
1
6
51
9
5
82
@nisedo_
nisedo
4 months
What it’s like to be a smart contract auditor
6
2
83
@nisedo_
nisedo
1 year
The only thing missing for @SoloditOfficial to truly be "The Bible for Security Researchers" was the audit reports from one of the most prestigious firms in the space: @GuardianAudits 🛡️ If watching @0xOwenThurm 's 113 videos wasn't enough for you, you can now read, reread, and
Tweet media one
5
12
81
@nisedo_
nisedo
1 year
Inspired by @PatrickAlphaC , @0xOwenThurm and @KrisApost1 , I've been trying out the Pomodoro Technique for a few days and the results are great! I've experimented with 25/5 and 50/10 timers ⏰ and it's the only method I've found that helps me get past the ~6 hours of auditing a
Tweet media one
26
3
79
@nisedo_
nisedo
11 months
@realgmhacker dropping bug bounty alpha 👀 TOP 3: 1. Rounding errors 2. Re-entrancy 3. Return bomb
Tweet media one
6
9
79
@nisedo_
nisedo
10 months
This is the best IRM explanation I've ever read, once again by the @RareSkills_io chads 👑 TL;DR: "Interest rates are a function of the utilization of the assets in the protocol. The exact shape of the function is set by governance. The interest suppliers earn is less than what
4
9
73
@nisedo_
nisedo
1 year
Here is the total number of participants on the all-time leaderboards: @code4rena : 1641 @sherlockdefi : 285 @CodeHawks : 481 @SoloditOfficial : 3897 ( @HatsFinance and @immunefi aren't sharing their full leaderboard) How can there be such a difference?
15
10
77
@nisedo_
nisedo
4 months
Diagrams with code snippets in VSCode → @CodeDiagram 🙌
13
9
74
@nisedo_
nisedo
3 months
when @DevDacian had enough of Bob and Alice
Tweet media one
6
4
75
@nisedo_
nisedo
1 year
Amazing technical breakdown of the @eulerfinance hack by @tinchoabbate of @theredguild 💻🕵️‍♂️💸 Thought I knew all there was about this hack but I ended up learning something new 👀 Which hack would you like to see covered next?
Tweet media one
2
8
70
@nisedo_
nisedo
9 months
I grew up on these streets
Tweet media one
@functi0nZer0
laurence
9 months
I grew up on these streets
Tweet media one
97
42
936
13
2
67
@nisedo_
nisedo
10 months
KISS principle at its finest by @lonelysloth_sec : « My general method is pretty simple. I look at pieces of code that look important, try to understand what assumptions it makes, then check if the assumptions are invalid in any scenarios. If there’s anything in the code I don’t
@lonelysloth_sec
LonelySloth
10 months
This was my best year yet in bug bounties. Feeling thankful and hoping that next year is even better. Thanks @immunefi @OddlySpecivik @0xMackenzieM #ImmunefiWrapped
Tweet media one
20
18
252
2
10
66
@nisedo_
nisedo
9 months
because, like everyone else, I have more @X bookmarks than days left in my life to read them all, I've finally found a @googlechrome extension that lets me search through my bookmarks:
10
3
64
@nisedo_
nisedo
9 months
people act shocked, but it's just that this time it got out. i’m sure it happens a lot. i’ve seen newly-created accounts that are making the top 5 in contests, or an account created on the last day of a contest that submits a solo finding..
@zkSyncDevs
ZKsync Developers (∎, ∆)
9 months
To the participants of the recent $1.1M @code4rena zkSync competitive audit and the zkSync community 👇 As the competition came to a close, as is customary for our team, we conducted an initial review of the results and findings. Integrity, transparency and fairness are core to
40
40
390
8
0
65
@nisedo_
nisedo
11 months
Daily: Audit Smart Contracts & Study @SoloditOfficial reports Monthly: Participate in @TheSecureum RACE & @curta_ctf In between: Practice with @onlypwner & @nodeguardians
4
5
65
@nisedo_
nisedo
1 year
OKAY, IT’S HAPPENING! EVERYONE, STAY CALM!
Tweet media one
6
1
66
@nisedo_
nisedo
1 year
@hansfriese @SoloditOfficial I looked up every checklist I could find and bookmarked the ones that seemed to be the best. There's a lot of redundancy between them, but taken together they cover all possible bugs I think:
2
10
65
@nisedo_
nisedo
1 month
@cmichelio can we please have an update on this masterpiece?
Tweet media one
3
1
66
@nisedo_
nisedo
8 months
When @CyfrinAudits takes your lousy post, turns it into a 1200+ word long educational masterpiece, and still gives you credit 🫶
Tweet media one
3
4
64
@nisedo_
nisedo
7 months
Huge kudos to the @soliditors team for ranking 19th out of 825 at this weekend's @OpenZeppelin Ethernaut CTF 🏆🚩 @0xMlome 👏 @3DOCsec 👏 @0xEzSwim 👏 @__mikb__ 👏 @0xjarix 👏
Tweet media one
2
9
59
@nisedo_
nisedo
1 year
aaaaaaaand I can die in peace
Tweet media one
2
0
63
@nisedo_
nisedo
5 months
just in case
Tweet media one
@uttam_singhk
Uttam Singh
5 months
how solidity devs comment their code
Tweet media one
14
18
243
5
4
63
@nisedo_
nisedo
6 months
I finally want to try my hand at bug bounty on @immunefi but the UX of going from contract to contract on @etherscan is 💀 How do the pro hunters do it? Is there some magic tool/process I don't know about? Or is the solution really to have 47 Etherscan tabs open on your
14
3
65
@nisedo_
nisedo
1 year
First time I've made a diagram for an audit ✍️ It's a lot of fun with @excalidraw as well as being very useful for getting an overview of the protocol 👀
Tweet media one
11
1
64
@nisedo_
nisedo
11 months
Did you know that the highest paid finding on @code4rena was found by the @SpearbitDAO team and @sw0nt during the @opensea Seaport May 2022 contest? The bug "_aggregateValidFulfillmentOfferItems() can be tricked to accept invalid inputs" earned them each $212 372 💰
6
2
63
@nisedo_
nisedo
7 months
The 4-step process to becoming @hansfriese good at auditing
Tweet media one
4
10
63
@nisedo_
nisedo
10 months
my kind of christmas tree 🎄
Tweet media one
6
1
58
@nisedo_
nisedo
3 months
In audit contests, you either win or you learn. But in private audits, there's no way of really knowing how we're performing and how to improve.
3
0
62
@nisedo_
nisedo
11 months
Hello Istanbul 🇹🇷
Tweet media one
2
0
61
@nisedo_
nisedo
9 months
and here is the direct access to all @IAm0x52 's 338 findings on @sherlockdefi 🫡
@HollaWaldfee100
HollaDieWaldfee
9 months
The best advice I can give to any auditor 🫡 > Focus on high-signal learning opportunities, there's no time to waste.
4
1
42
2
5
60
@nisedo_
nisedo
11 months
Thanks @PatrickAlphaC and congrats to the whole @CyfrinAudits team for the launch 👏🚀 @CyfrinUpdraft is going to be THE place to be for all newcomers 🧑‍🏫
Tweet media one
3
4
58
@nisedo_
nisedo
11 months
If you were wondering why Web3 UX sucks
Tweet media one
5
5
58
@nisedo_
nisedo
11 months
@cergyk1337 ’s tool is just sooo great that @PatrickAlphaC is recommending it in his latest Security & Auditing course 🔥 The best and easiest way to view all the code changes made in recent upgrades for a given proxy 👀
Tweet media one
4
6
59
@nisedo_
nisedo
2 months
one could expect that one day a fake sponsor might launch a public contest with a malicious repository to drain the wallets of all participating auditors
Tweet media one
10
5
59
@nisedo_
nisedo
7 months
And here's the template for all @excalidraw fans like me who want to be @gpersoon good at drawing Solidity call flow diagrams:
Tweet media one
@gpersoon
Gerard Persoon
7 months
For everyone who wants to draw Solidity call flow diagrams, here is the template that I use:
Tweet media one
10
23
158
1
5
58
@nisedo_
nisedo
1 year
New audit pragma 0.6 0% coverage 0 code comments It's gonna be a bumpy ride
Tweet media one
15
0
56
@nisedo_
nisedo
11 months
The second highest paid bug on @code4rena was during the second @opensea Seaport contest in January 2023 and was a Solo Medium found by 0xsomeone paid $71,500 💰 "Incorrect Encoding of Order Hashes"
Tweet media one
@nisedo_
nisedo
11 months
Did you know that the highest paid finding on @code4rena was found by the @SpearbitDAO team and @sw0nt during the @opensea Seaport May 2022 contest? The bug "_aggregateValidFulfillmentOfferItems() can be tricked to accept invalid inputs" earned them each $212 372 💰
6
2
63
2
2
53
@nisedo_
nisedo
10 months
there are smart contract auditors, security researchers, bug bounty hunters… and then there's @lonelysloth_sec
@lonelysloth_sec
LonelySloth
10 months
This was my best year yet in bug bounties. Feeling thankful and hoping that next year is even better. Thanks @immunefi @OddlySpecivik @0xMackenzieM #ImmunefiWrapped
Tweet media one
20
18
252
5
1
55
@nisedo_
nisedo
11 months
Round 1 Fight! 🥊
Tweet media one
2
3
53
@nisedo_
nisedo
6 months
It’s me, rustacean expert
Tweet media one
@nisedo_
nisedo
6 months
dm for rust audits
Tweet media one
7
0
84
6
0
54
@nisedo_
nisedo
10 months
ty @CyfrinUpdraft for providing the answer to half my dm
Tweet media one
Tweet media two
3
4
49
@nisedo_
nisedo
1 year
@IAm0x52 is not only the most brilliant Web3 SR (IMO), but also a skilled negotiator ⚔️ This finding below demonstrates both ⬇️ First, it took me a good 30 minutes to deeply understand the vulnerability 🤯 Then, it was like watching a masterclass in negotiation, with popcorn
Tweet media one
7
1
53
@nisedo_
nisedo
3 months
I have been using @ChatGPTapp 4/4o daily for everything related to auditing for a year. I switched to @AnthropicAI Claude 3.5 a month ago and it's an order of magnitude better
14
0
53
@nisedo_
nisedo
11 months
Well played @aramas95 , very well played
Tweet media one
1
1
52
@nisedo_
nisedo
4 months
In today's "data no one has but no one asked for" segment, I'm pleased to inform you that the total rewards for all 617 contests since Feb 2021 amount to $40,425,829 💰 Tune in tomorrow for more data you didn't ask for
3
2
53
@nisedo_
nisedo
10 months
when auditing a function, i often wonder whether it's better to thoroughly examine the entire function before moving to other called functions or to follow the call path to its end each time @infosec_us_team 's answer: "Manually navigating back and forth through a medium to
Tweet media one
10
5
50
@nisedo_
nisedo
11 months
You can also autogenerate the interface file with: `forge inspect ContractName abi --pretty > filename.sol` A great tip from @ProgrammerSmart :
@nisedo_
nisedo
1 year
Writing your PoC? Need to interact with a local or deployed contract? Tired of writing the whole interface by copying the func sigs and deleting the bodies over and over? 🫠 You can generate an interface from an ABI with one command: `cast interface` 🪄 → For a local contract:
Tweet media one
20
31
244
4
3
48
@nisedo_
nisedo
8 months
i guess it’s time to learn how to multitask
Tweet media one
6
2
50
@nisedo_
nisedo
9 months
Yesterday's episode of "Sneak Peek into the Brain of an Audit God" by @opensensepw featuring @milotruck , was one of the best step-by-step explanations of an auditing process I've seen thus far 👌 He delves deeply into: ➡️ Preparing for a contest: • How to prepare through
@milotruck
MiloTruck
9 months
You can now watch me talk for 1.5 hours about how to stare intensely at code. Hopefully some of you can gain insight from listening to my audit methodology! Check it out here:
5
14
106
1
5
50
@nisedo_
nisedo
1 year
Yeah… I think I may have gone a bit overboard with the merch thing... Ty @summit_defi and @EthCC for sponsoring my wardrobe
Tweet media one
5
0
45
@nisedo_
nisedo
10 months
only after completing a month long audit with a genius like @0xWeisss do you realize how much more there is to learn truly one of the most talented SRs i know 🫡
3
0
49
@nisedo_
nisedo
9 months
this is an absolute must read for anyone in web3sec
@ChainLight_io
ChainLight
9 months
We are excited to announce that we are releasing our 150-page internal research to the public. This report includes: → 112 hacks' scale, root cause, and underlying chain analysis → Correlation between security audits and hacks. → Post-incident responses from the team →
Tweet media one
46
60
221
2
1
45
@nisedo_
nisedo
17 days
Audit, math and chess Happy Sunday
3
1
49
@nisedo_
nisedo
1 year
There's a new kid on the block and it's looking very promising @swissknifexyz 🇨🇭🔪 The all-in-one EVM toolbox 🧰: → Constants → Epoch Converter → Blockchain Explorer → ETH / Hex / Keccak256 / Padding Converters @apoorvlathey doing God's work once again 🫡
Tweet media one
5
6
47
@nisedo_
nisedo
10 months
interesting that the two youngest and most talented SRs atm have opposing methodologies with both astounding results @HollaWaldfee100 : break it first, understand it later @milotruck : understand it first, break it later
@windhustler
GiuseppeDeLaZara
10 months
I quit my full-time Solidity job in July and took a leap of faith into uncertainty. 5 months later, I managed to maintain my earning levels, cashing in ~$46k. Here are some stats: > Competitive audits: ~$24k > Private audits: ~$14k > Bug bounties: $8k These are the 4 things
19
11
210
7
2
47
@nisedo_
nisedo
9 months
@yiamat_1 @stakedotlink loving it so far, first time looking at CCIP, it's fascinating
1
7
47
@nisedo_
nisedo
3 months
Git ELI5, I wish to have found this when someone first tried to explain Git to me 😶‍🌫️
Tweet media one
2
2
47