Extremely happy to have my article published by @immunefi! Hard work pays off!
Take your #web3 OpSec game to a new level and remember; "Stay safe in the #crypto space!"
This is the EXHAUSTIVE guide to securing your crypto wallet on a virtual machine and preventing bots front-running your transactions.
By @P_Misirov. Well done, sir!
If you follow the guide, you'll be in the top percentile of crypto power users.
Submitted a project about AI using whisper AI to transcribe interviews, stable diffusion to generate all visuals and chatGPT to write 80% of the essay. Explained to the lecturer how I did it and the conclusion is that faculties in Europe are not ready for this tech.
As a developer &/or security researcher, you are a sexy target for phishing campaigns!
We love sharing, cloning repos, testing code and installing dependencies until we get rekt
This is a POC for a phishing campaign targeting devs who don't know the consequences of enabled FFI
at @ETHGlobal london hackathon, someone approaches us:
- "what are you guys building?"
- me: oh just hooks on uniswapV4
- "cool! what do they do?"
- me: incentivizing concentrated liquidity at specific tick ranges by rewarding liquidity providers with dynamic fees during high
👉UX tip: Using GitHub web IDEs👈
If you are looking at a GitHub repository, change the top level domain from:
-
to
-
for a web IDE view. It's much faster and easier to navigate!
If you don't have a multi-session terminal open to
- run foundry unit tests
- python for quick math (Leo don't kill me)
- chisel for memory dumps
- anvil node for block inspection and general testing
- chatGPT cli API to ask questions
Are you a 2023 blockchain dev?
Past Friday 1st of September at around 19:15 I helped arrest a shooter right next to my house.
It was the most insane experience I ever had in my life 🧵/n
not paying attention to @cantinaxyz is like fumbling bitcoin in 2012
- lower competition than on other platforms
- massive ROI: financially, socially and professionally
- you can start a whole career by doing well on cantina
CANTINA is making security researchers rich
Next security trend will be the rise of smart contract Reverse Engineers who got into it because of an increase in low level understanding powered by tools and langs like Huff
More effective Incident Response
Obfuscation services will emerge
Improved behavioral analysis tools
1/5 One of my fav moments at @summit_defi was when @SagivMooly came running to the entrance looking for @tarunchitra who was late for his panel. We look outside and see Tarun trying to park the lime scooter in a forbidden area so Mooly dashes toward him, grabs the scooter...
Redoing all @the_ethernaut challenges using @huff_language and arrived at Magic Number, the one where we had to write bytecode to pass the level!
This is why HUFF is so cool!
👈Left: Write runtime + initialization then compile
👉Right: Write runtime then compile
Taylor Swift has recently revealed her concern about the state of smart contract development practices on Late Night.
" ...we do know that assembly comes with trade-offs, and I think it is in everyone's interest to maintain immutable code efficient and accessible to everyone.
You need to approach writing MEV bytecode as if you were writing malware (disclaimer, this is red teaming 101*)
- Build your own obfuscation tools, never use open source ones.
- Create psychological traps for researchers, the most valuable asset they have is their time
@SpearbitDAO portfolio ABC's:
A) Each and every one of our clients is working on world changing apps
B) Each and every L/S/A/J Researcher at @SpearbitDAO is making a world changing impact
C) Saluting the best 🫡
Name a sexier security portfolio than this
hands down the most "useful + educational" merch i saw at @EthereumDenver for now is @zksync's "explain zk like im 5" book. great way to onboard new ppl into zero knowledge!
hats off to their growth-marketing department
In a few days we will be interviewing the one and only @_hrkrshnn, co-founder of @SpearbitDAO and Cantina.
It’s been a big year for them and it has barely started 👀
What should we ask him?
The “move fast break things” philosophy is good for product iteration but does not make sense when working with smart contracts holding user funds.
Want to do it still? Fine, sign a damages compensation agreement in advance, let’s see how strong your philosophy really is ;)
How to kill all gas findings once and for all ⛽️
- via_ir = true
- optimizer = true
- optimizer_runs = 100_000_000
- save_money = yes
- compile_fast = yes
Thank you for coming to my Ted Talk, have a great day
Finally solved the first ever @curta_ctf puzzle made by the MVP @fiveoutofnine 🫡
Thank you for the headache, please make more!!
Also shout out to the bitwise chads at the Hackers Delight Book club server for sharing cool resources!
🧵/6
I am used to the feel of adrenaline because of skydiving, extreme sports and martial arts. But this adrenaline rush is something I have never ever experienced, took me hours to calm down.
Provide extra value during a security engagement by creating architectural diagrams.
It will improve your understanding, help fellow researchers, the protocol team will appreciate it and it will expand their documentation.
All security reviews should have one!
You are fine, you are still early on web3 sec.
When the web2 InfoSec megabrains start joining the space that's when you will need to find new edge, because those chad-nerds can take on 5 complex projects at once without taking a toilet break (they are just not interested yet)
Patrick from @FuzzingLabs showing how EVM disassembly works and how to reconstruct the control flow graph (CFG) of an Ethereum smart contract when you only have access to the bytecode (closed-source).
-
🌶️ take: Displaying the slightest positive reaction toward the Kyber (or any criminal) hacker is an example of lack of critical thinking and how people tend to romanticise outlaws. What's next, asking him to go on a podcast and hire him as a "solo auditor"?
We need an Offensive Security playbook for web3, so accounting for the whole cyber kill chain. Who is working on this?
(If you make it happen, your long term engagement farming will skyrocket x100 so def a good incentive! Also let me read it first pls)
I see you like stories, here is another one!
1/8 @cmichelio, @Deivitto and I walk into a bar (yes this is how it starts) because @functi0nZer0 posted a tweet with an address close to Notre Dame so we decided to drop by and say hi...
Thank you to @SCBuergel from @hoprnet for giving us the guest lecture at @KoiosDAO today! Great insights on HOPR both technical and DAO wise, passionate talk about data privacy and someone very approachable to ask questions to!
Hope to see you again and GL! Go HOPR!
#HOPR
We have some exciting news... Cantina Beta is Live!
Before you dive in - let's talk about what all of this means for protocols and researchers today 🪐
( Read to the end for researcher access codes 👀 )
🧵👇
this is the second time cantina breaks a historic record in the security contests space in less than 3 months.
impressive, considering it is only a 5 months old product
Welcome... to the new largest competition in history with @eulerfinance!
💰 $1,250,000 USDC
🗓️ May 20th - June 17th
📍 @cantinaxyz
Invite only. Don't have one? Details below:
This is the Github profile of the North Korean dev that hacked Munchables on Blast.
Here are all the red flags🚩 for those of you looking to hire in the future:
1) Clear logo farming, very unlikely any dev is super proficient in all of these languages/tools. There are more
If there is any life advice I can ever give you, it is to do martial arts.
I did both boxing and muay thai. My cousin was a regional boxing champion and all his latino friends would beat the f* out of me each time we sparred. Truly priceless life lessons beyond simple exercise
I've been following @danielvf for a long while and learned so much from him. His posts are so motivating, they always nerd snipe me and make me want to go investigate.
Now seeing him live, is a whole new level of awesome
@0xtuba After a certain amount, the money / happiness curve becomes logarithmic.
In a (debatably) abundant (western) society, in contrast to previous centuries, money is actually less valuable than free time or personal development.
Life experiences > $.
Ask your elders.
I can't take this anymore. Every day I am checking the @SpearbitDAO discord and there is alpha.
And now @brockjelmore is coming on Thursday 26th to drop more alpha on practical security-focused guides and checklists for smart contract development!
Can sec pros do something!?
People and Nations will soon realize that crypto technology (incl zk) solves a much deeper problem than creating an accessible worldwide financial operating system.
In a world where we are sharing the digital space with AI, proof of personhood will become critical
You will see
Once again in the weird math side of the internet.
This is regarding the 2+2=5 argument, point is fair but most people miss it, especially if they don't care about math or have never suffered by the hands of cryptographers redefining terms.
proposition is that words and symbols
There's a lot of foundry functionality available people don't yet know about. HariGPT is good but not available 24/7.
We should have a custom chatGPT specialized on foundry docs! Is anyone working on this already??
@gakonst
-
-
If you believe money is the primary driver of action, you're in for a wild ride. Wait until you come across:
- Idealists
- Dark triad personalities
- Unconscious destructive behavior
- People prone to negative affectivity
Knowing how to identify these will give you an edge in life
if you are a high TVL protocol leader you should invest in opsec, counter-intel and threat-intel. security is so much more than just code review, i literally walked into most high profile events by cutting the line and not showing any QR code (speaking spanish helped). imagine
@foldfinance Plot twist: the searcher changed his strategy and faked retirement. The repo has vulnerable dependencies which pop a reverse shell as soon as you install them.
LLMs x Security
An AI bot, code-named 📎 helps @cantinaxyz triage bug submissions.
It is very good at classifying duplicate bug reports, and we're constantly making it do more. This is a good one 🤯
PSA: Vyper versions 0.2.15, 0.2.16 and 0.3.0 are vulnerable to malfunctioning reentrancy locks. The investigation is ongoing but any project relying on these versions should immediately reach out to us.
3/5 ... and ask him:
"If the screen locks, what is the password to unlock it?!"
"Don't worry about it" - replies Mooly - "I work in security, there is no password"
I exchange an LMFAO look with @0xRajeev who was standing next to us and ...
5/5 ...sitting in the front row, and return the phone.
"Mission... accomplished?"
Needless to say I spent the whole day laughing.
@SagivMooly and @tarun are absolute MVPs
PS: @tarunchitra told you I would tweet this story ;)
Real World Assets will be a powerful narrative in 2024, it is therefore that I introduce the first RWEI or Real World Ethereum Inscription (a.k.a ethscription) to trade AMSterdam city shares in a permissionless and decentralised way.
@BrianRoemmele I've got to say that this is very cool and def a step forward! Couple of caveats:
1) This is the equivalent of chat gpt 2.5
2) Make it easier to tune and train on local!