Hi there,
Here is a little thread about how a "hacker" tried to pwn me.
As I am into crypto, he probably thought that he has something to win...
Disclaimer: I am a cybersecurity professional. If you are not, do not try this at home!
I'm thrilled to announce that I'm starting my @RareSkills_io instructor journey!
As an alumnus of the Solidity bootcamp, I'm excited to give back to the community that helped shape my skills. I will give my best to teach Rust with a focus on security!
Thrilled to announce that I've joined @SpearbitDAO as a Security Researcher!
Excited and ready to contribute and learn with the best in the industry! @cantinaxyz is the way
2nd rank in the @babylon_chain competition on @cantinaxyz
I learned a ton on this one about Bitcoin and the Go language. I missed one High, but found some cool solo mediums.
What better way to start the week than with @babylon_chain's competition results
Here are your top 3 ranked researchers:
1. @n4nika_: $62,387.16
2. @zigtur: $56,390.91
3. @0xDontonka: $10,754.09
Thank you to everyone who participated! Full leaderboard below.
Blast results are out! I managed to rank in the top 10
Happy about the payout, but I missed a lot of issues. Need to level up.
Thank you @cantinaxyz & @Blast_L2
July was a pretty cool month; I worked on several cool audits with @LoreFinance & @Cod3xOrg! I updated my portfolio with some of the private audit reports.
Wanna see cool findings? Take a look
Let's wrap up the week with one more batch of competition results! Here's @getgrass_io's
Your top 3 ranked researchers are:
1. @J4X_98: $6,355.65
2. @zigtur: $2,475.93
3. @jonataspvt: $1,881.74
Happy Friday, and thanks to everyone who took part! Full leaderboard below.
Damn, this Cantina shout-out is amazing!
Thank you for this @cantinaxyz, see you soon
Oh... Btw... Dark Zigtur... More grinding... Soon.
Cantina Researcher Spotlight: @zigtur
A perfect example of someone who ventured into the dark forest of web3 security, grinded his way through and never looked back.
Starting only at the beginning of last year, Zigtur has amassed $100,000+ in rewards at @cantinaxyz.
It's announcement season, the results for @aave's v3.1 competition are in!
Here are your top 3 ranked researchers:
1. @StErMi: 14,285.71 GHO
2. @krikoeth: 8,285.71 GHO
3. @zigtur: 6,285.71 GHO
Congratulations to all those who participated. Full leaderboard below:
Well look who we have here! The one and only @zigtur
We'll be chatting to him this Wednesday 1pm Eastern Time about becoming a security researcher, how he leveled up his game, and more.
Don't miss it!
The results of the @eigenlayer competition are officially in and we have some massive payouts to report.
Out of 182 participants, only two Security Researchers placed. Big kudos to:
1. @10xhash - $82,750 USDC
2. @zigtur - $20,250 USDC
Excellent work!
Full details below:
Join me in this @cantinaxyz seminar!
We will talk about my journey and how I went from Zero to Hero in web3 security in a couple of months. No secret kept, pure alpha
Congratulations to all those who placed in our private @3dns_inc competition!
The top 3 placements were:
1. @zigtur - $10,847.5
2. @m4rio_eth - $9,350.3
3. @gpersoon - $6,542.42
Excellent work all!
ATTENTION: Calling all Security Researchers
Cantina, @Uniswap, and @UniswapFND will be hosting a HackerHouse for the massive $2.35M Uniswap v4 competition on @cantinaxyz.
Full access to Uniswap's team. All meals provided. No costs. Just show up.
Seats Limited. RSVP Below:
Actually learning Solidity security auditing, and @code4rena has amazing content for it!
The TraderJoe v2 report has some easy-to-understand vulnerabilities, like this one that allows a user to transfer tokens to themselves and increase their own balance!
Good job @BowTiedDravee
For those working on the @OndoFinance audit on @code4rena, here is a little diagram of the rUSDY contract.
I'm open to feedback
Other contracts and external calls are coming soon!
(This Drawio drawing is heavily based on @14si20's recent work)
Last week, I discovered @curta_ctf. They released Puzzle #17 created by @_hrkrshnn.
After a few tries, I managed to complete it and I had a lot of fun doing it
Here is my write-up for this challenge:
Early Bird Round 1 has SOLD OUT!
That was fast
Next round will be coming up soon + application for discounted student tickets
Click the bell in our profile to get notified when we tweet
Introducing the Cantina Fellowship Program
Get bonus payouts, private access to opportunities, the chance to share in the upside of Cantina's growth, and more.
More information below.
As promised to @windhustler a month ago, when @zigtur did muscle-ups, I was on vacation and found a bar where I couldn't do them because it wasn't straight.
But I'm ready for ROUND 2 OF THE PULL-UPS CHALLENGE.
Last time I maxed out on pull-ups was during last year's challenge,
So, results are clear! 44% think I should continue eating bugs at @cantinaxyz.
@sherlockdefi is not that far behind with 32%.
What surprises me the most is the 13% of "Else?".
Do you expect Zigtur's private audit services?
@jack__sanford Clearly, sharing submissions with clients has positive impacts, for both clients and researchers.
Take my first experience on Sherlock with Mento. I reported a solo High finding, with a valid PoC and valid impact, but my root cause description was incorrect. More explanations are
Security part of @RareSkills_io Solidity Bootcamp: DONE!
Halfway through the bootcamp, and I learned a ton!
Next: diving into assembly with @Jeyffre's Udemy courses about Yul and Gas optimization
#solidity #smartcontract
This Friday at 12pm ET, we'll be going live on this account with @zachobront
The agenda? Diving into the work he did with @SuccinctLabs to turn the OP Stack into a ZK chain using SP1.
Don't miss it!
Amazing podcast, I really enjoyed the procrastination discussion.
If you are playing long-term, you need to find what best fits you in terms of environment, process and methodology.
I would add: Don't copy what others do. Make your own mistakes, create your own way and
Your strongest weapon is leveraging your knowledge.
Join myself and @Jeyffre on @ScrapingBits to talk about:
- How to break into a new field
- Effectively researching
- Teaching and education w/ @RareSkills_io
- And so much more...
Out now!
Several months ago, our @quarkslab team reviewed part of KUKSA.val. We showed that even if Rust is a secure language, it still has limitations.
If you want to learn more about Rust, JWT and gRPC, give the full report and blog post a read!
Imagine if Software Defined Vehicles ran on open source components!
Recently our engineers had the opportunity to have a glimpse of the future and audit the KUKSA.val databroker thanks to the support of @OSTIFofficial and @EclipseFdn
Here is the summary:
Once again, a reminder to never trust anyone. Be paranoid.
Some months ago, I had a similar scenario. It was less elaborate compared to this one. See
Spear phishing can be even easier in Web3 with all the transparency that it brings. Attackers are
Found myself one click away from falling for a spear phishing attack today! If you're giving services in the web3 space, be VERY careful with who you interact and how the initial exchanges of information are done.
2 weeks ago, @nftbigsummer approached for security services for
First time in the @TheSecureum TOP 10 with a score of 7.7/8!
That's a nice start to 2024 for me
RACE-25 designed by @zachobront was a really nice one!
@10xhash @sherlockdefi @SkyEcosystem Sad to hear that. This type of scenario happens sometimes.
I don't know who is right or wrong, or even if there is a correct outcome to this situation.
However, you are a beast and your work is always so valuable for projects
My @heymintxyz ERC1155 smart contract audit is wrapped up!
Auditing this project was really fun! No critical findings, but some high ones!
All results can be found here:
#solidity #SmartContracts #ERC1155
@zksync Era contest on @code4rena was insanely hard. It was definitely not for entry-level security researchers!
If you had trouble understanding zkSync Era's inner workings, we tried to make it accessible for you!
Confused about zk-Rollups? Whether you took part in the zkSync @Code4rena challenge or are just curious about @zkSync Era's magic, we've got you covered! Unravel the intricacies of a Layer2 transaction alongside experts @zigtur, turt and @0xdeadc0de___
Guys, who will build an app where we can bet on SRs' market value and which platform they are signed to? With the platforms' moves in the last months, we are entering a scenario similar to that of top soccer players.
It could be just a few poly-markets, but this stuff will
22/23
5. Conclusion
Being targeted by an attacker is a strange feeling. The scam that the "hacker" created was really clean, and I think that a lot of people could have been tricked.
Hopefully, Windows Defender detects the malware. Users will most likely not be infected.
@fede_intern @sherlockdefi @immunefi @code4rena The @sherlockdefi LSW role is one of the best features from my POV. It guarantees projects really good quality no matter what.
On the other side, with the judging rules on this platform being strict (if not changing after the contest), I feel like it can lead to situations where
Almost wrapped up auditing the @heymintxyz Solidity project and had a blast! Managed to optimize gas usage, identified a potential security issue in the presale mechanism, and explained a bug in delegatecall. Thank you @Intenex for the opportunity!
Currently working on the evm-puzzles created by @fvictorio_nan! 6/9 done
These challenges are absolutely amazing, thank you for the brain workout!
#EVM #Solidity
Wanna see some cool findings in smart contracts written for Stellar Soroban? See this blogpost from @quarkslab
The Soroban platform allows writing Rust smart contracts. Its authorization framework is pretty strange, a sort of mix between EVM and Solana.
In June 2024, Quarkslab engineers Turt and @zigtur audited the DeFi product developed by Airswift that "optimizes funds flow" between buyers and suppliers. We would like to thank the Stellar Development Foundation for supporting this project. Report here:
21/23
hse.exe starts reading all browser data such as cookies, local storage... It then sends all data to the hacker's server using a TCP connection.
For crypto guys, this is where your metam@sk data are all stored (such as private keys).
Little update about this: here is the final user workflow for the @OndoFinance audit.
Had fun working on this @code4rena contest!
Note: here the bridge contracts are calling the same USDY contract, which is not the case in practice (they are different chains).
Here is a big difference between Web2 and Web3. You can't rely on "external party security".
Protect your project from untrusted parties, but also from trusted parties when possible. Defense in depth is mandatory.
My message to Web3 devs: Please listen when a SR warns you about
I see a lot of competent solidity devs carrying the web2 mindset where:
> External integrations are not your business.
> If something breaks elsewhere, you will just point fingers in that direction.
This does not apply to web3.
It's your business if something breaks externally
@trust__90 I don't understand how such a project can survive.
How could we get rid of this type of behavior and get a healthy ecosystem?
For me, the only way would be to set security as a marketing argument. Maybe a reputation platform/standard for projects?
@_hrkrshnn Finally found some time to read this report. Really nice findings! Good job @ralexstokes & @mattsse_
The recent Babylon competition shows similar issues (especially memory consumption issues).
Nice to see Rust being used more and more for this type of application
@solidityauditor Hi, I was targeted several weeks ago. And yes, they were trying to get me to download malware, which I did. 'cause I like risk :D
I explained it here:
@windhustler Update: I had breakfast this morning, and damn, my concentration is gone. I didn't eat a lot (around 200kcal) but that is killing my productivity.