🕵️ Why are you NOT an Elite Smart Contract Security Researcher? Here I try to tackle what makes one actually succeed in this space.
Show some love pls, it's my first website article ☺️
Today I start working as a smart contract triager @immunefi 🔥
It has been a crazy ride since I ventured into the crypto world, and I'm excited to have the opportunity to work and learn with some of the best in the blockchain security space 🙌
Let's secure web3 🫡💪
"Blockchain hacking is one of the more elusive paths in cybersecurity, but taking it remains one of the best decisions I've ever made. It's groundbreaking, challenging, and extremely rewarding (...). Smart contract hacking is a form of art."
@0xsomnus
#Solidity is the most adopted smart contract language for web3 devs. Going web2 ➡️ web3 requires a paradigm mindshift 🤯
Here's how one can master Solidity to the point of mastery 🧙‍♂️ Especially from a security perspective 👀🧵
The whitehats who hunt web3 bugs are a special cadre of some of the best hackers in the world at the cutting edge of technology, finding world-changing vulnerabilities
"Why do we STILL have REENTRANCY bugs??"
"Have we learned nothing from so many exploits??"
"Smart contract devs are so dumb broooo"
"Mi famiglia! 😭"
A perplexing phenomenon. But let me give you the other side of the equation, and explain WHY we still have reentrancy attacks 🧵
My 3rd child was born today at dawn 🥹
We rushed to the hospital but not fast enough, I had to deliver the baby at the hospital entrance before any doctor/nurse could come 😬🫣 Everything worked out 💪
Did it pass 2 months already since the last reminder? Who cares!
This is your friendly reminder that reentrancy attacks are stiiiiill a thiiiiiing. 4 new hacks since my last reminder (month and a half ago) 👀➡️
I've done a Deep Dive on Solady's ERC1967Factory contract, written by master @jtriley_eth! 🔥
I go really deep into all the assembly, which, frankly, is all of it 👀
Such a cool contract, hope you enjoy the deep dive! Shout out to @optimizoor as well 🙏
One of the most interesting articles I've read recently, awesome work @DeGatchi! 🙌
"Placing specific pieces of bytecode in locations to hinder people like me from understanding the nuances of an unverified smart contract’s bytecode" 🔥
This is an unbelievable presentation by @BowTiedDravee on the Mindsets of Auditing, at @opensensepw 🔥🔥🔥
Was really impressed with the quality, this is FILLED with auditing / bug hunting alpha and I highly recommend it to anyone in web3 security 👏👏👏
On August 1st 2022, the Nomad bridge was hacked and $190M of locked funds were drained 🤯💰
The hack was replayed by different players trying to get a piece of it, but did you know the first hacker could have drained everything in a single tx? 👀⚔️ 🧵
"I decided to take no shortcuts and I immediately started reading the contracts line by line. It took me about 50 hours to get to the more interesting functions, like withdrawals.
Then I stumbled upon it."
Hard work pays off. Great writeup by @zzykxx 🔥
In 2022, I made a decision to switch careers and finally go full-time in blockchain development and security.
Rough bear market year, $billions in hacks, other $billions in cefi and scam implosions.
And best career decision of my life 🔥👇
An absolute MASTERPIECE of an article on Invariant Testing with Foundry, by @eth_call 🙌
I personally enjoyed the "bugs/$(bug).patch" technique, great stuff 🤓💪
If a smart contract vulnerability can be exploited to steal $1B, there should be a $100M bounty payout 💰✊
Wen +$1B TVL projects having +$100M bug bounties? 👀🕵️
Often audit reports will mark a 1-step ownership change as a high severity vulnerability.
If a project sets the new owner with a typo, it might lose ownership forever.
Use a 2-step process to prevent irrevocable mistakes.
E.g.: 2021 @fraxfinance audit by @trailofbits ➡️
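A minimal version of the two-step pattern the tweet recommends, added here as an example (not code from the Frax audit or from Trail of Bits; the contract, event and error names are assumed):

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added example. The one-step version audits flag is simply
/// `owner = newOwner;` behind an onlyOwner check: one mistyped address and
/// nobody can ever call the owner-only functions again. Here the current owner
/// keeps control until the intended address actively proves it has the key.
contract TwoStepOwnable {
    address public owner;
    address public pendingOwner;

    event OwnershipTransferStarted(address indexed current, address indexed pending);
    event OwnershipTransferred(address indexed previous, address indexed current);

    error Unauthorized();

    modifier onlyOwner() {
        if (msg.sender != owner) revert Unauthorized();
        _;
    }

    constructor() {
        owner = msg.sender;
        emit OwnershipTransferred(address(0), msg.sender);
    }

    /// Step 1: nominate a successor. Nothing changes yet, so a typo is harmless:
    /// the owner just nominates again, or passes address(0) to cancel.
    function transferOwnership(address newOwner) external onlyOwner {
        pendingOwner = newOwner;
        emit OwnershipTransferStarted(owner, newOwner);
    }

    /// Step 2: only the nominated address can complete the transfer, which is the
    /// proof that somebody actually controls the key behind it.
    function acceptOwnership() external {
        if (msg.sender != pendingOwner) revert Unauthorized();
        emit OwnershipTransferred(owner, msg.sender);
        owner = msg.sender;
        pendingOwner = address(0);
    }
}
```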
To perform a security review on a given protocol, one needs to fully comprehend it. Sure, you can speedrun it and get those surface-level bugs. As the industry matures, so will the bugs be covered under more and more layers of complexity and abstraction.
This is especially
SR influencer: "Bruh you think smart contract security gets you a quick buck ofc not! You need to grind! We are here for the tech!"
Also SR influencer: "Yooow just made $200K and I'm only 6 months in lol and I just do part time! If I knew it I would have started at 8 years old!"
Great teams I'm admiring a lot lately (besides @immunefi obvly)
- @threesigma_xyz - research blog arc
- @SpearbitDAO - insane level of presentations they've been hosting
- @UseArrow - building passion
- @ClassLambda - ...they do everything, actually. Cryptography chads
👏👏👏
Anyone can learn Solidity and deploy a freakin smart contract
That's just scratching the surface. Ngmi 🤷♂️
If you want mastery, dive deeper into the trenches. Learn the fundamentals, crack the EVM 🕵️♂️
In no time, you'll be as jacked as @PatrickAlphaC 💪
"You may have wondered how to decipher and read evm calldata, then attempted to read the transaction calldata of an Ethereum smart contract, only to become confused at a certain point. (...)
We will delve into the encoding sequence of calldata" @DeGatchi
💡 Though in this analysis I trick the 0xbad bot into giving me WETH allowance (as the original hacker did), you could actually make it transfer you the funds directly 🕵️
Encode target address + funcsig + args ➡️ WETH.transfer(attacker, $$)
"So you've decided to participate in bug bounties as a bug hunter...
How do the high ranking hunters find vulnerabilities in such short amounts of time?
Grab your spear, anon. We're about to explore the jungle!"
Speedrunning Web3 Bug Hunts @DeGatchi 🕵️🔥
Beyond excited to share that I was granted @immunefi's whitehat scholarship, to study, hunt down bugs and help secure the #defi space 🔥🔥
Started a week ago, and loving every minute of it 🙌
My hack analysis is out! This was SUCH an interesting investigation 🕵️♂️🔎
Hacking an unverified smart contract (no source code available) is definitely a challenge, had to use lots of tx viewers and decompiling tools, along with just trial and error on a local fork 🔥
New Hack Analysis by @realgmhacker is live!
We look at how the 0xbadcode MEV bot was exploited for $1.46m and walk you through how to make sense of compiled bytecode.
It's tricky.
If you're looking to build your skills, you'll want to read this one.
Do developers write more insecure code when using AI copilots and assistants? Yes. Yes they do. I'm shocked.
"Overall, we find that participants who had access to an AI assistant wrote significantly less secure code".
Paper →
Some securitooor freelancers just grew to big influencers with weird and cringe takes. Some of these might never get to be skillful SRs, even though they are very successful already. Industry seems broken.
An extremely cautious way of handling oracle price feeds, by the folks at @LiquityProtocol 👌
A lot of code is collapsed to fit the image, but I highly recommend checking the whole thing. Code →
You may think being successful in the web3 security space is easy, because there're so many new researchers exploding 🚀
You think wrong 🙅
Those are grinders. There's room in the space, absolutely. But you need to put in the effort ⚔️ and persevere 💪
It's not that smart contract security takes an insane amount of knowledge, and thus most people will fail to reach the senior level.
As in most things in life, it's about focus, work ethics, resilience, discipline.
Not everybody has the will power.
Do you, anon?
My @huff_language implementation of @Uniswap's Permit2 is going smoothly, though it will take me quite a while, I think. But I like the process 🔥🙌
Not tested yet so might have some errors 😅
A comprehensive list of DeFi slippage attacks, with a massive amount of audit examples, by @DevDacian 👏
This is a great article for anyone wanting to enhance their DeFi security knowledge and master slippage vulnerabilities 🔥
Hey Solidity anon, wanna become a Solidity wizard? How about you check these good lookin Solidity patterns by fravoll?
Sure, it's solidity 0.4, but hey, still good lookin resource
Web3 security is booming with young talent, which is great 👍
At the same time, I feel like the space will 10x once it booms with more experienced researchers 🤔
More experience, less repeated mistakes ⚔️
Not a lot of bugs get submitted for Blockchain/DLT assets on Immunefi. I don't think it is because of them being bug-free. Rather, the Web3 space still doesn't have that many security researchers with that skillset.
Kind of a problem. Most bugs on that layer are catastrophic.
Smart Contract Security is a topic covering all development stages, from inception to mainnet
- Not just to think during design 📜
- Not just in testnet 🧪
- Not just pre-audit 🪲
- Not just at mainnet 🕵️
Security will be the constant stress test on ur team and ur product 🔐🔥
Hardly any industry has ever been so knowledgeable about a specific bug category / attack vector. Crypto bros have had enough of Reentrancy reentering their lives.
The man @pcaversaccio shows us a painfully complete list of reentrancy hacks - to date...
To add to our tooling and security track, we were joined by @realgmhacker who showcased some of the most common smart contract vulnerabilities found in audits or hacks.
Did you know the EVM limits the gas forwarded to an external call to 63/64ths of the total gasleft()? 👀 (see EIP-150)
To see what effects this might have, check out this high severity vulnerability found by @zachobront in a @sherlockdefi audit to Optimism 🔥
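To make the 63/64 rule concrete, an added example (not the audit's code and not Optimism's) of a forwarder that refuses to make the external call unless the callee can really receive the promised gas; `GasForwarder`, `requiredGas` and the `POST_CALL_GAS` buffer are assumed names and values:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// EIP-150: a CALL may forward at most gasleft() - gasleft()/64, so `{gas: g}` is
/// a cap, not a guarantee. If whoever sent the transaction supplied too little
/// gas, the inner call runs out of gas while this contract still has its retained
/// 1/64 to finish and record a result. A contract that promises a callee `minGas`
/// therefore checks gasleft() before the call instead of trusting the sender.
contract GasForwarder {
    event Relayed(address indexed target, bool success);

    error InsufficientGas(uint256 available, uint256 required);

    /// Gas the forwarder itself still needs after the external call returns
    /// (event, bookkeeping). Assumed value for this example; size it to the real work.
    uint256 internal constant POST_CALL_GAS = 10_000;

    /// Minimum gasleft() at the CALL such that the callee actually receives `minGas`:
    /// gasleft * 63 / 64 >= minGas, i.e. gasleft >= ceil(minGas * 64 / 63).
    function requiredGas(uint256 minGas) public pure returns (uint256) {
        return (minGas * 64 + 62) / 63 + POST_CALL_GAS;
    }

    /// Forwards `data` to `target` with `minGas` guaranteed, or reverts the whole
    /// transaction so an under-supplied gas limit cannot turn into a recorded
    /// "callee failed" that was never the callee's fault.
    function relay(address target, uint256 minGas, bytes calldata data) external {
        uint256 required = requiredGas(minGas);
        if (gasleft() < required) revert InsufficientGas(gasleft(), required);
        (bool success, ) = target.call{gas: minGas}(data);
        emit Relayed(target, success);
    }
}
```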
Here's a great paper to learn about Concentrated Liquidity in Automated Market Makers 📈
The author also presents interesting performance comparisons between @Uniswap V2 and V3 👌 ➡️
The hacker mentality is truly a marvellous thing.
Some bugs are found by whitehats who don't understand much of the fundamentals.
And there are people solid in the fundamentals who actually struggle in finding vulnerabilities in the wild.
What is the hacker mentality? 🤔
Very interesting article by @Elliot0x on looking at code and thinking in terms of invariants.
"I guess it's either you write invariants, or the blackhats write them for you" 👀
During @EFDevconnect I gave a talk at @TheTrustX on the Hacker Mentality, and a talk at @solidity_lang Summit on Common Solidity Pitfalls.
I'd like to thank these organizations for the amazing opportunity, it was an honour!
📖 Towards Automated Security Analysis of smart contracts based on Execution Property Graph 🔥
The authors propose finding certain vulnerabilities by traversing a combination of CTG, DCFG and PDG, allegedly finding a 0day on Uniswap V1 👀 ➡️
Bytegraph is so amazing. Here's the look of the latest Huff labyrinth @curta_ctf from @0xKaden 🤯
Mind you, all those blocks can be zoomed in to see the opcodes inside it.
Great job @pldespaigne 👏 ➡️
TWAP Oracles by @solidityauditor. What I found most interesting was the simple explanation on how to assess the cost of a TWAP manipulation. This ties into feasibility limitations, as provided by @immunefi, and auditors should know how to assess these.
On the last lecture of @Artemis_HQ bootcamp, Nov22, I gave a thorough explanation of the HundredFinance hack, largely based on @immunefi's hack analysis by the man @hephyrius 🙌 Here's the PoC I built with Foundry 🛠️ and @QuickNode ⛓️
Want to know what's so ingenious about this Seaport snippet of returning a string? It's the usage of just 2 mstores. Here's a @devtooligan gist with the tldr @z0age
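An added example (not Seaport's code and not the gist) of the two-mstore trick, with a generalisation to any 1..31-byte string; `TwoMstoreString`, `name` and `shortString` are assumed names:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// ABI encoding of a returned `string` is three words starting at the return
/// offset: [0x20 = offset][length][bytes, left-aligned and zero-padded].
/// Writing (length byte || text) as ONE right-aligned word at 0x40 + len puts the
/// length in the last byte of the second word and the text at the start of the
/// third word, so two mstores and a return are enough.
contract TwoMstoreString {
    /// Returns "Seaport", the case the tweet refers to.
    /// The word written at 0x47 covers 0x47..0x66: 0x07 lands at 0x5f (last byte
    /// of the length word) and "Seaport" at 0x60..0x66 (start of the data word).
    /// 0x40..0x46 and 0x67..0x7f are zero in a pure function that allocated no
    /// memory (the free-memory pointer 0x80 sits in byte 0x5f, which we overwrite),
    /// so return(0x20, 0x60) hands back a valid encoding.
    function name() external pure returns (string memory) {
        assembly {
            mstore(0x20, 0x20)
            mstore(0x47, 0x07536561706f7274) // 0x07 then "Seaport"
            return(0x20, 0x60)
        }
    }

    /// Generalisation for any 1..31-byte string (assumed helper, not Seaport's).
    /// Reads from calldata and allocates nothing, so the zero-byte assumptions
    /// above still hold; 32 bytes or more would need the usual three-word path.
    function shortString(bytes calldata text) external pure returns (string memory) {
        uint256 len = text.length;
        require(len > 0 && len < 32, "1..31 bytes only");
        assembly {
            // first 32 bytes of the text, left-aligned; shift right so exactly
            // `len` bytes remain, right-aligned, dropping whatever followed them
            let body := shr(mul(8, sub(32, len)), calldataload(text.offset))
            // put the length byte directly above the text bytes
            let packed := or(shl(mul(8, len), len), body)
            mstore(0x20, 0x20)
            mstore(add(0x40, len), packed)
            return(0x20, 0x60)
        }
    }
}
```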
Sh*tposting and cat videos are a better strategy to gathering crypto twitter followers than building a pure Yul ERC20-Permit implementation to help devs understand EVM/solidity deep stuff. Also much easier.
But yeah I'll just keep on with my yul/assembly endeavors.
Let's say a whitehat finds a bug on a live smart contract 🕵️
Theoretical impact: total loss of funds with a single transaction.
Actual value at risk: ZERO, because there's still no TVL on that asset.
STILL.
The smart contract is live. Immunefi BBP marks the asset as in scope.
Just finished reading the latest masterpiece from @Jeyffre over at @RareSkills_io:
➡️ Smart Contract Security, an extensive list of the issues and vulnerabilities that tend to recur in Solidity smart contracts 🔥
Hoping to see this grow into a book 😉
@RektHQ news is both informative and highly opinionated. I find the articles pretty in-depth, as well as with a wicked style that often makes me laugh. I wish they would output more 📝
Few people have heard of @huff_language
Fewer know the huffooor community is where all the chads are hanging out
Fewer have actually tried coding in Huff
Fewer have fallen in love with that sweet sweet bytecode sugar
Fewer are the contributors helping Huff grow 🔥🚀
🎤 #ETHDam Speaker Announcement: Introducing @realgmhacker from @immunefi! Aerospace engineer with diverse experience in IoT, Finance (Analytics), and Digital TV. Currently, a Smart Contract Lead at Immunefi, a teacher at RareSkills and Security Researcher extraordinaire! 🔒
As a triager on @immunefi, you get to see the inside of the most brilliant security minds in web3 🕵️ Some findings take the hacker creativity on just another new level. Quite marvelous to witness such gems, some of which might never get to the public sphere 👀
I've been seeing a lot of "get all #DeFi alpha" threads out there, but none have my main source.
So I thought I'd write the ultimate super duper thread on how to get all #crypto alpha!🧵
But actually it's just a tweet.
Join @10b57e6da0 tg chat.
That's it.
You're welcome.
I would actually advise smart contract devs to have a portion of their week dedicated to auditing / bug hunting 🪲🕵️
Even if you don't get money off of it, you certainly workout that code reviewing muscle 💪 and you get exposed to different programming styles and patterns 🧠
After some months of mentoring, a friend of mine finally managed to break into the smart contract security space 👏
All credit goes to his hard work and courage. He is extremely talented, and I'm glad I get to see him succeed.
Getting into this industry without a guide/mentor is
🥁 NEW SPEAKER ANNOUNCEMENT
Please give a standing ovation to @realgmhacker, Head of Security at @immunefi.
He's going to talk about bug bounty solutions as the last line of security defense once a protocol goes to mainnet and actually has economic value at risk.
Props to the Foundry core contributors team. Almost every time I get some weird unexplained error, I just do 'foundryup' and it gets resolved. Amazing.
Trying to read all my open tabs with articles and papers.
- start reading paper
- halfway and already opened 3 new paper references tabs
Struggle is real.
Hey how about those days when people would "accidentally" kill contracts full of funds and then others would propose state transition EIPs to change code in an address and unfreeze funds? Ah, youth!
Become a blockchain shadowy supercoder by completely mastering the inner works of the Ethereum Virtual Machine (EVM), all the way to the bytecode level, with the insane EVM handbook from @noxx3xxon ➡️