Audit Team Leader @Cyfrin Protected $50,000,000,000+ on-chain TVL!

in your storage | 🇰🇷
1 Hour with @PatrickAlphaC where I cover: 1⃣ how I break down stateful fuzz testing by invariant types and contract lifecycle 2⃣ my favorite general heuristics which I use to find all sorts of bugs in many different codebases 3⃣ mindset and ultimate recipe for success Link👇
9
22
225
56,956
Q) How to start making money through auditing? Assuming you have built up a decent skillset, the following strategies may work: 1⃣ Pick a protocol niche (DAO, Perps, Dex/AMM, Lending/Borrowing, Bridges/Cross-Chain etc) then study all the past contest & private reports for protocols of that type, learning all the vuln types & gotchas inside-out. Then focus on contests with that protocol type. Eg @windhustler is known as The LayerZero Guru 2⃣ Apply the same technique to bug bounties, especially if you specialize in some really niche stuff like Fuel/Sway or interactions between Solidity/Rust components - some very high value bug bounties have been found in these newer niche areas where there is less demand but also far less competition 3⃣ Choose a service niche to specialize in, provide a great service and market yourself effectively (people have made $ specializing in all sorts of things like gas optimization @PopPunkOnChain , fuzz testing @getreconxyz , formal verification @alexzoid. Aim to post once per day with content for your niche, become known as the expert in that specialized area 4⃣ Publish high-impact research that gets featured in @blockthreat ; you could take all your learnings from 1,2,3 above and use it to write and publish vulnerability deep dives and all sorts of other valuable content 5⃣ Build a brand - a lot of the security business is branding, protocols are buying not just your services but also the brand name. Once you have a decent brand name you can likely start doing private audits for small protocols, especially in this market there is tons of demand 6⃣ Build a portfolio - create a portfolio of your work showcasing your accomplishments. This is great both for getting private audits and also taking a full-time role at a firm 7⃣ Commit - none of the above will happen overnight. Commit to working hard for the next 6-12 months and see your life change. The only people who didn't make it from when I started are the ones who gave up and disappeared - everyone who stuck around and put in the effort is now printing $$$,$$$ and some even more!
11
59
397
23,270
October 2022 - started learning solidity as a hobby March 2023 - focusing on security & began writing my "Deep Dive" series October 2023 - blessed to join @cyfrin as a full-time smart contract security researcher! 🚀A lot can change in a year if you put your mind to it🚀
47
18
319
37,262
Q) Fastest way to become pro auditor from 0 knowledge? * Free @CyfrinUpdraft courses on Solidity, Foundry & Security * Do 2 First Flights @CodeHawks * Shadow audits of Beedle (codehawks.cyfrin.io/c/2023-0…) & USSD (audits.sherlock.xyz/contests…) * Start competing in real contests
15
39
331
14,565
More niche Solidity knowledge which occasionally gets great findings: 1) storage is copied to memory, then memory copy is reset instead of storage💥 2) storage is copied to memory then correctly reset, but then storage is read instead of memory💥
11
17
283
15,111
3 yrs ago - started learning Solidity as a hobby 2 yrs ago - joined Cyfrin, consistently produced great private audit output 10 months ago - started managing audit team, produced great business results turned audit team into efficient 💰 printer Now - living the dream 💪
October 2022 - started learning solidity as a hobby March 2023 - focusing on security & began writing my "Deep Dive" series October 2023 - blessed to join @cyfrin as a full-time smart contract security researcher! 🚀A lot can change in a year if you put your mind to it🚀
20
9
265
33,065
Happy to announce I'll be leading @cyfrin Private Audit Team in 2025! 2024 was a huge year for Cyfrin private audits, we completed many successful private audits for huge native web3 protocols and increasingly also for major #TradFi institutions. 2025 is shaping up to be even greater; more huge web3 native protocols and massive TradFi names are already booked in for Cyfrin private audits. Our private audit team has worked with a wide variety of skilled contractors and will continue to do so. If there's any way I can help feel free to reach out, I'm happy to open doors to private audits for skilled auditors who are interested!
33
11
249
13,781
I've become convinced that #DeFi Liquidation code is the trickiest to safely implement with highest "bug density". New Epic Liquidation Deep Dive coming soon with 37 vuln types - but first check these 10 niche findings that could be your next unique contest winner! 👇
9
22
246
10,035
Sad to see such rage against @pashov for giving interns real-world private audit work experience & mentoring. Many newbie auditors offer to work with me for free just to learn but I'm way too busy to mentor anyone individually. The interns should really be paying Pashov!
24
6
235
15,269
In private audits sometimes I comment out a few important lines like token transfers, then re-run the test suite. If all test still pass, this indicates the test suite doesn't validate important state changes & there are likely many bugs to be found.
19
9
227
15,694
Just published this EPIC Borrowing, Lending & Liquidation Deep Dive! I read through every public c4 & sherlock contest, categorized & systematized the major vulnerability classes found in these #defi systems, and made it all freely available to help YOU! dacian.me/lending-borrowing-…
18
61
215
18,282
Replying to @0xT1MOH
You are one of the younger people building wealth. Congrats! But the sad truth is that many young people who acquire large amounts of wealth end up blowing it and have nothing to show for it later on. To avoid being one of them: 1) Travel - before marriage & kids is the best time to travel, and travel + new experiences is much more rewarding than "bling". I once spent 6 months living on a mountain in Canada going skiing every day, would be very difficult to do that now with wife & young child - traveling will open up new possibilities and you may wish to move countries which leads to.. 2) Second Passport / Residence Permits - the reality is that most countries treat *specific* foreigners better than their own citizens - every country has a group of foreigners it considers "desirable" to whom it will give a better deal than their own citizens - living in a country where you are not a citizen but a desirable foreigner you will receive better treatment everywhere, and you won't be subject to military conscription etc - a lot of countries treat desirable foreigners as "hands off" - there are likely many young people in Ukraine/Russia who wished they had second passports and were living in other countries before being conscripted. This sad scenario has and will continue to play out, you don't want to be one of them - you may be able to acquire other passports through "descent", eg if you have parents or grandparents who were born overseas and you can provide this, many countries in Europe allow 3-4 generations to get citizenships by descent 3) Set up an Asset Holding Vehicle (AHV) - if you think there might ever a possibility of you getting married, or of you being sued, the last thing you want to do is own a bunch of assets or $ in your own name - in many jurisdictions you can set AHVs like Trusts or Foundations so that the AHV owns your assets but you effectively control them (eg by being a majority shareholder in a company that is the Trust administrator, even though the company has no assets and the shares are only worth $1 since the Trust owns all the assets) - AHVs can be setup in foreign jurisdictions (more expensive) or in your local jurisdiction as well 4) Fully paid off nice house - once you've found somewhere to settle down, you want to have a nice fully-paid off house/apartment/etc - most normal people at least in the "West" are looking at a life of 30+ years of debt slavery in mortgage payments, in my own former country of Australia many people are debt slaves and had to take multiple medical treatments they didn't want to avoid losing their jobs and hence losing their home for failing to make debt payments - having your ideal fully-paid off luxury house/apartment etc is a really nice thing to "check off" and removes a lot of stress from your life, especially if you have wife & kids - you may wish to have for example a house in the countryside and an apartment in the city, or apartments in different countries if you plan to split your time between multiple countries - but owning these places with no debt and having them setup as you like them is a great thing for both you and future family - owning these assets through your AHV is a very smart thing if you acquire them prior to marriage since in the event of divorce you will remain control of them instead of being "taken to the cleaners" 5) Diversify your assets - the fastest way to get rich is to take concentrated bets (going all-in on web3 security, on a meme coin etc - a concentrated bet that works out really well) - but once rich, the fastest way to go broke is to continue taking concentrated bets - create a plan for wealth diversification, whether that is something simple like having % of net work in US stocks, some foreign stocks, some physical gold & silver + $10,000 stacks in multiple foreign currencies that you can easily access in a "shit hit the fan situation" along with a "go bag" (GTFO quickly, especially if you live in your home country where you may be conscripted), real estate you rent out that returns yield and may provide capital gains in the future - it is great to have multiple diversified income streams - again it is best that all these things are actually owned by your AHV, not yourself directly 6) Some bling - bling should really be the last priority but it is perfectly fine to treat yourself with a small % of your income / net worth - my preference is to avoid flashy logos and trendy things, instead opting for timeless classics and quality that reflect my personal style and will never go out of style really - eg instead of buying a blinged out Rolex, buy a Vacheron Constantin, Cartier Tank Louis or similar - something very nice which conveys classic, timeless elegance - eg instead of buying clothing at Louis Vuitton, Gucchi, Burberry etc which have very distinctive and visible logos, buy clothing made from good quality organic fabrics without any logos from brands like Hugo Boss, Time (in Korea), or more well-known Ralph Lauren Purple Label or even Brunello Cucinneli if you really have $ to burn (there are many more brands in this category for menswear which you can find, all depends what you want to spend really) - be careful about displaying wealth especially when living or traveling to countries which are not safe as this can make you a target for robbery and also for gold diggers This list is long enough now, should give you some ideas what to do with the $ - good luck and wishing you every success!
14
16
216
14,400
Received my first bug bounty: $28,000 admin brick & forced revert in a live smart contract. Combines two vulnerabilities: missing access control & unchecked state transfer, leverages them into perm forced revert & admin brick. Successfully mitigated. dacian.me/28k-bounty-admin-b…
20
29
202
31,561
Cyfrin jobs launched with a 🔥 list of job openings: @Uniswap @monad @vyperlang @EtherFi @heliuslabs @solana @redstone_defi Almost all Mid->Senior level roles 🚀
7
8
196
13,327
Just published my most epic deep dive to date: 💡 DeFi Liquidation Vulnerabilities Bible 💡 ✅ 37 detailed vuln types ✅ heuristics to find each one ✅ highest bug density ✅ maximum bang for buck Link 👇
12
20
194
7,274
Niche but very useful Solidity vulnerability pattern! Function takes user-supplied address(es) as input but doesn't validate they are legit protocol contracts! Attacker can deploy their own hack contracts to get control, execute arbitrary code & return arbitrary values!
14
15
189
9,264
Want to learn how to evolve your own Specialist AI Auditor Agent? Check out my new deep dive: "Using Claude To Evolve Specialist AI Smart Contract Auditors" Learn the exact methodology I used to evolve Amy & follow the links to her open-sourced primer! dacian.me/using-claude-to-ev…
18
19
192
9,956
We've started getting audit quote requests for "vibe coded" AI-generated smart contracts. I can confidently say that this trend is a positive for our industry which will keep us gainfully employed for many years to come! Please send us all your vibe coded contracts for audit!
12
12
185
24,995
Permit2 `SignatureTransfer::permitWitnessTransferFrom` takes as input `permit` and `transferDetails` which both have a token amount field, but: * only permit's amount is used for signature verification * only transferDetail's amount is used for actual tokens transferred If the contract you are auditing: * integrates with Permit2 * allows users to specify input `permit` and `transferDetails` * saves into its internal storage the amount deposited as being from `permit` even though it allows the `transferDetails` amount to be different Then you've likely found a critical drain vulnerability!
7
19
188
10,131
Some auditors have a fanatical religious belief that audit contests are the greatest thing ever. But the reality is that almost all top auditors eventually stop doing contests and transition to private audits or even more "business" type roles. Why is that? Because unless you absolutely love PvP & arguing with strangers on the Internet, you'll have a much better quality of life while still making great $ doing private audits for top clients. "Winning" for most auditors is getting to near-constant supply of private audits with great clients as quickly as possible.
24
6
181
10,471
Who Dares Wins? 1 year ago I: * sold a business I had been running for many years * permanently relocated with my wife & young daughter from Australia to South Korea * joined @cyfrin to go all-in on smart contract security All of the above choices were major life-changing decisions with BIG risk, yet all have turned out much better than I could have ever hoped. In the last year I've led numerous private audits producing STACKED reports with valuable findings for our clients. Beyond that I've continued to publish multiple high-impact research deep dives as Cyfrin has graciously given me paid research time between audits to study, learn and write about things I'm interested in. Have also been greatly privileged to connect and work with many talented researchers and developers, resulting in huge improvements to my skillset and ability. I'm very happy to be fully devoted to smart contract security and excited for what the next year will bring!
9
4
183
8,870
For auditors doing the Zaros audit looking to quickly understand Perpetuals, these are some notes I made on how Perpetuals protocols generally work with concise definitions of the most important concepts.
10
19
178
8,923
New EPIC Slippage Deep Dive has been released! Using @SoloditOfficial I went through every H/M Slippage audit finding & systematized all major slippage vulnerability classes to help YOU! Slippage has been a great source of *unique* H/M findings! dacian.me/defi-slippage-atta…
15
40
176
14,454
I've just completed the Cyfrin Updraft Assembly and Formal Verification course! 🔥 The best course to learn: * Assembly, Yul and Huff * Opcodes * Formal verification using Halmos & Certora And way more, completely for free! Check it out here 👇 updraft.cyfrin.io/courses/fo…
7
11
175
8,211
future of finance 🚀
7
12
175
7,928
Admin functions are often overlooked by both devs & auditors: * devs don't test them anywhere near as much as regular functions since they are designed to be infrequently used and because "admin is trusted" * auditors especially those trained by competitive audits tend to ignore them because "admin is trusted" But admin functions especially innocent looking ones have been a great source of cool findings in my private audits, for exactly these reasons! Here is my favorite one where an admin could change a parameter or unpause the contract using these admin functions, but an attacker could sandwich attack the calls to completely drain the protocol! dacian.me/concentrated-liqui…
17
13
175
15,883
Thoughts on bounty hunter life in light of this finding. To find this mainnet critical, 2 auditors spent 5 weeks doing nothing but auditing Bunni until in the 5th week they found a beautiful exploit which could drain user funds. This was psychologically "easy" because the auditors were being paid while doing a private audit. But what if they were not being paid and just bounty hunting? Could you do nothing else but bounty hunt one protocol for 5 weeks? During that time, would you say "no thanks" to multiple lucrative private audit offers, reject multiple contest opportunities, set aside all other potential work and income in order to remain 100% focused on Bunni's codebase - with no guarantee of successful finding or a payout? When would you give up? Week 2, week 3, week 4? How many auditors could dedicate 5 weeks sacrificing other lucrative opportunities all without any $ coming in, in order to remain 100% dedicated and focused to reach the mainnet crit in the 5th week - with no knowledge that the mainnet crit even existed? Makes me think that there are plenty of other mainnet crits available out there, but the required unpaid time to find them is too psychologically & economically daunting for many current market participants.
The Bunni team has made a write-up of the exploit discovered by @cyfrin that could've led to the theft of user funds. In the write-up we describe in detail what the issue was and how we addressed it. blog.bunni.xyz/posts/bug-dis…
12
12
161
18,948
*EPIC* New "Chainlink Oracle DeFi Attacks" Deep Dive is out NOW! Features 13 Oracle-related vulnerability classes that all smart contract developers & auditors should be aware of! Covers a few niche vulnerabilities that aren't very well known! medium.com/cyfrin/chainlink-…
9
41
153
12,464
One technique I use when auditing is to comment line-by-line explaining what each line does. This forces me to think about every line, what it does and why it is doing it. Such explanatory comments can also be contributed in a PR to the protocol as an additional deliverable!
9
10
162
5,494
Epic start to 2025 for @cyfrin announcing partnerships with: Circle Chainlink Uniswap Curve RocketPool ZKSync Soneium GMX Guardian OpenZeppelin Trezor We're working harder than ever building the #Web3 we promised! 🚀
9
9
159
9,087
This code was audited by a well-known firm & both of these issues were missed. The project is due to launch in a few hours. 23-page audit report says "Contract is safe to deploy" with big green tick. What do you think?
18
12
160
50,616
Cute niche Solidity knowledge shown using Chisel that occasionally converts into nice Critical DoS findings. Multiplying two smaller types & putting the result into a larger type will overflow revert, unless casting one of the smaller types prior to multiplication.
5
5
158
8,358
🥉won $18,274.25 with 1 unique medium: incompatibility with fee-on-transfer & rebasing tokens. Very basic finding normally with tons of duplicates but with audit demand so high there are less eyes on every contest. Great time for auditors - if you want it, go get it!
Awards have been announced for the Beanstalk Part 1 contest🤝 Top 5: 🥇 @HolyDevoti0n - $24,148.11 🥈 @golanger85 - $21,798.57 🥉 @0xInAllHonesty - $18,274.25 🏅 @0xbeastboy - $11,825.65 🏅 @ZealynxSecurity - $8,223.41 (1/2)
17
3
156
47,091
💡 Auditor Portfolio Tips 💡 Over the weekend I went through 50+ DMs from auditors looking to do private audits with Cyfrin, examining portfolios and findings. Here are 8 tips for building a better auditor portfolio! 1⃣ Have a portfolio page! Many auditors who DM'd me had no portfolio page, even some with quite good accomplishments. Simply by having a portfolio page you are ahead of many auditors. Github is fine or your own website is more fancy, but both work! 2⃣ Links to everything! Many portfolios claim wonderful things about contest rankings, findings found etc, but there is no direct link. Please have direct links and check that they are correct so that a hiring manager can easily click through and get to the source to verify the claim! 3⃣ Top 5 or Top 10 sickest findings - I really like to know, what are your top 5 or top 10 sickest findings, the exploits you are most proud of? Include a section in your portfolio, it can be quite simple just a list of bullet points with the title of each finding that is a clickable link to the finding on Solodit - make it easy for me to see your best! 4⃣ Links to private audits you have participated in, and if you personally found important findings within that audit then include that info as well! 5⃣ Avoid putting audits you have done of protocols that got REKT! If you audited something that later got REKT, you don't want that on your resume! The reality is no one is perfect, no one can catch every bug, but just don't put that on your resume, it isn't a good look! 6⃣ Links to high-impact research, bug bounty write-ups etc - put this in a section as well, again doesn't have to be big, a simple dot point list of title with clickable link is fine 7⃣ Contest rankings - if your resume is full of contests, consider removing the contests where you didn't get a significant ranking and just list the ones where you ranked well, together with a direct link to the leaderboard. If you found unique/significant findings list that as well. Make it easy for me to see your best work! 8⃣ Strengths / areas of interest - if you have done any non-Solidity non-EVM, highlight that for example in the private audit or contest listing, say that it was in Rust on Solana, or Move, Cosmos, Cairo whatever. Make it easy for me to see you have other skillsets. If you are a specialist in certain protocol types - include that! These tips will help you not just with me but with any hiring manager, you want to make it as easy as possible for us to see your achievements! Put your best foot forward and let's get it! 🚀
5
24
167
9,402
A Cyfrin team member created an AI "Luna" for @CodeHawks which auditors are using to ask all sorts of questions about the codebase being audited. If you ask it the right questions it can provide some pretty amazing responses and has context about vulns from previous audits!
10
12
163
6,379
Got my daughter on a scooter since she was 1.5yrs old, took her out to practice most weekends when not too cold. Finally this weekend (2.5yrs old) everything came together & she had a great time riding the scooter without assistance!
19
1
148
5,221
Many auditors secretly love when projects get hacked, they dance on the grave using it as a marketing opportunity and/or to mudsling competitors
10
2
147
20,572
Q) What is your approach for any codebase audit? It isn't exactly this linear but: 1⃣ Pre-Audit Study: a few days before the audit reading available docs, researching similar protocols, making notes about expected protocol entities, black-box invariants and vuln types for that protocol type (if not something totally new) 2⃣ First Read: read the codebase for the first time, making lots of notes with audit tags and compiling a list of questions which I'll later ask then answer of the protocol. The order that I read the source code files in is now guided by intuition plus my pre-audit study and existing knowledge of that protocol or similar ones. On codebases with lower code quality I can get a bunch of findings during this first pass 3⃣ First Question Answer: after first read through with a mental model of the protocol I'll go through all systematically ask and answer all the questions. Sometimes this may involve creation of PoCs to put the system into different states and see what happens 4⃣ Second Read Plus More Question/Answer: reading the codebase for the second time, order is again guided by intuition + learnings from first pass. During this phase am also switching into different thinking modes like gathering white-box invariants then trying to break them, following flow-of-funds, examining external interactions etc, asking question of the codebase then seeking to answer those questions. On high code quality codebases this is where I can get some good findings 5⃣ Test Suite Analysis: looking for gaps in the test suite coverage and for assumptions and/or additional code the test suite uses that is not present in the actual protocol, then create PoCs to see what happens in these gaps 6⃣ Teammate Brainstorm: around half-way through the audit have a brainstorming session with teammates, we discuss our findings and *how* we found them, ideas we had that didn't work out, leads we are following etc 7⃣ Third Read: taking everything I've learned go back once more again guided by intuition + previous learnings. Using tactics like black-box testing (asking "what if this scenario occurs" then PoC'ing it to see what happens), thinking up unexpected/unusual sequences of transactions that break developer/code expectations, lots of different alternative mental models that give new ways of seeing the codebase, new angles of attack. Typically will get some good findings here again even on high quality codebases 8⃣ Write Findings As I Find Them: me personally as soon as I have a finding, I write it up ideally with a PoC in our internal system so my teammates can see it and it can be shared with the client. As I primarily work on longer private audits (up to 6 weeks) both I and the clients prefer to get new findings every week for faster mitigation turn around. Also sharing findings quick enables teammates to learn from eachother, plus it gets me excited like a shark smelling blood putting findings up and seeing my teammates putting up findings, that there is more blood in the water, more bugs to be found 🦈 🚀 9⃣ Report Prep: I write the "Protocol Summary" section of the report once I have a decent grasp of the protocol then update it as I discover new learnings. Similarly once we have a bunch of findings I'm writing at least a first version of the "Executive Summary" section where our findings are described. Writing listing out invariants we found and broke, protocol actors, threat models etc forces me to logically order my thoughts which itself can give new ideas 🔟 Mitigation Review: my preference is for the client to fix issues as I find them and to review the mitigations while they are still fresh. If too much time has passed between the end of the audit and the mitigation review this is not ideal for anyone as the context will need to be "re-loaded". This is another reason why we share findings with clients as they are found during the audit which works best for everyone
8
22
144
8,184
Medusa fuzzing a DeFi platform that is LIVE on Ethereum mainnet! Within 5 mins (often much faster), Medusa is able to break 2 invariants. Echidna occasionally is able to break 1 invariant within 5 minutes. Foundry can't break any invariants within 5 minutes. 🚀 MEDUSA 🚀
7
13
137
15,356
audit contestooor life
10
7
139
7,258
Foundry vs Echidna stateful fuzzing the same contract under private audit. Both break the invariant finding a permissionless Critical exploit but Echidna produces an optimized txn set making it easy to understand + produce PoC for the Client. Echidna > Foundry, gg @trailofbits
13
10
131
17,931
It looks like every week there is one or more new audit firm started by solo researchers. This is classic bull market behavior in any industry; as the wave of fortune comes by, many attempt to hop on and ride it. Some end up doing really well but when the wave inevitably crashes against the shore many will end up broken on the rocks. Most of the new brands created this year won't be around 2-3 years from now in the next cycle, and many auditors making big money will blow it all and have nothing to show for it a few years down the track. If you are young and have never experienced a business cycle, when the $ is coming fast and easy, it feels like it will always be like that and the temptation is to start spending that way - to buy luxury cars, watches, motorbikes, boats, and other toys, as if the easy money will never end. This is an easy trap to fall into especially when you are young. It may feel good flashing your bling on twitter and getting likes but it will feel much better during the next business cycle downturn if you have many years worth of savings put away for a rainy day, a house/apartment paid off, multiple passports, no debt and the freedom to do as you please while everyone else is suffering. Food for thought.
17
9
137
13,057
Free @CyfrinUpdraft courses, exam & cert $199. 10K exams = $2M 100K exams = $20M 1M exams = $200M Highly scalable biz naturally grows with our industry & prints $. Cyfrin going to billions in market cap without raising any VC $ => Cyfrin stock options 🚀🌙
8
135
6,610
Writing smart contract test suites in Javascript using Hardhat is like using a shovel to cook eggs. It's 2024 - use Foundry to build first-class test suites with stateless & stateful fuzzing!
11
13
137
11,490
Cyfrin is growing at a very fast pace, there is insane demand for our entire range of services. Private Audits, Updraft, Exams & Certifications...yet these are just building blocks, even bigger things coming later this year. Very exciting time to be part of @cyfrin
6
7
132
5,784
New EPIC Deep Dive which complements my workshop at @summit_defi dacian.me/find-highs-before-… DSS amazing experience connecting with devs & researchers, special thanks to: * 🇧🇬 army for Fri night dinner * Spearbit LSR for invite to Sat night Cantina after-party 🫰DSS was great!🫰
9
12
139
7,344
$CULT 12th attempt to crack crucial resistance around $0.000009 level. Spent last 4 months putting in a rounded bottom stage 1 base. #CULT was deflationary, has been made hyper-deflationary by @theruggame, and will become insane-deflationary with #Modulus L2 #zk chain
8
37
119
6,500
Very smart people take risks they shouldn't. But web3 has a way of humbling even the smartest as there's always someone smarter than you & sometimes that person is a blackhat. The last audit before mainnet should feel like it wasn't worth it.
9
7
137
4,171
New EPIC Deep Dive: Exploiting Precision Loss Via Fuzz Testing! Learn to: * Uncover hidden precision loss vulns * Uncover optimal inputs for exploitation using fuzz testing * Verify correctness of simplified equations via fuzz testing (great for devs!) dacian.me/exploiting-precisi…
9
34
128
16,331
The downsides of the contest model no-one tells you about is: * countless hours of back-and-forth arguing with strangers over the Internet trying defend the uniqueness and validity of your findings, while also attacking the uniqueness and validity of others' findings since unique findings are what pays the big $ * your payout and rankings are completely in the hands of whichever judge gets assigned and many decisions can go either way which can drastically improve or decrease your results * judging decisions can be highly partial to certain "big names" who dominate particular platforms. For example @trust__90 is a huge name on C4 while @IAm0x52 is a huge name on Sherlock; if this contest had been on C4 I'd wager Trust would have been successful in his appeals simply due to his name power there * anonymous judging doesn't solve this issue as auditors are typically de-anonymized during the crucial appeal phase so the name power is still extremely important when arguing with strangers over the Internet * at times there have been very clear agendas to discredit certain auditor's findings with the judges virtually cycling through reasons to invalidate particular auditors' findings * there have been cases where a high profile name has found a finding in one contest on a platform, then on another contest on that same platform another lower-profile auditor found the exact same finding with even more impact and the high-profile name missed it, and immediately a campaign began to invalidate the finding of the lower-profile auditor * when frustrated auditors have appealed the above behaviors and asked "what is the ultimate epistemological standard for truth? How can it be valid when high-profile auditor finds it in one contest but invalid when lower-profile auditor finds it in a different contest with even more impact?" the answer was SILENCE - if contest platforms and judges want to ignore you they can and there's nothing you can do about it unless you want to air the dirty laundry in public like Trust has chosen to do in this instance When you see contest rankings understand that it is not just pure skills of the researchers finding vulns that got them there - it is literally hundreds of hours of arguing and debating with strangers on the Internet. If you are the type of person who loves PvP, loves zero sum games, and loves arguing with strangers on the Internet, then you will absolutely LOVE audit contests! But if you find this whole process emotionally draining and not fun at all, then you will have a much more enjoyable life doing private audits. It is no wonder that the vast majority of auditors grind out enough audit contests to build a reputation then transition to doing private audits and rarely go back to doing contests.
Over the past week, @sherlockdefi and the @Optimism team made what I believe is an erroneous re-scoping of the security contest rules. The direct consequence is invalidation of ~90% of the unique bugs submitted and re-shaping the payout. Long-term, this threatens to be a precedent for resolving rules against the supermajority of honest competitors. Here's the in-depth take gist.github.com/trust1995/fd… Contest link audits.sherlock.xyz/contests… Bugs link github.com/sherlock-audit/20…
23
18
129
26,901
Mismatched precision bugs occur in large smart contract protocols when different contracts modify the same common storage slots using different precision. These bugs are usually Critical/High leading to loss of funds or denial of service. Find them using this easy guide 👇
5
21
129
5,845
First day of new private audit, beast mode engaged 💪
11
3
132
7,580
Being Audit Team Manager @cyfrin is really a dream job for me. Why? Because I get to organize & run private audits the way they should be run. For every Cyfrin private audit I assemble an elite team from our proven & skilled internal and external Eagle auditors, matching specialist skillsets & experience of auditors to each audit. The private audits I run are highly-efficient machines producing great security output at a very competitive price point. And they are beautifully gift-wrapped using the very valuable Cyfrin brand name with a thoroughly professional service, report & co-marketing/branding benefits. This is what I am aiming for every time: great customer service, excellent security output + high brand value at a very competitive price point. The clients are very happy, the auditors are very happy and Cyfrin is also very happy - everyone wins. I really love putting together win-win audit deals, living the dream really🚀
8
4
133
6,511
Large upgradeable protocols use EIP-7201 Namespaced Storage Layout - easy to gloss over these 1-liners trusting everything is all good. But don't trust, verify: - recursive grep for each slot constant - chisel to verify each constant is correct Found 2 clashing slots today 💥
7
10
127
4,654
Over the last 9 months I've tried out a lot of independent auditors to compliment our full-time team, with varied results. Here are some independent auditors that I keep giving work to because they consistently display a very strong work ethic, provide good security output for the $ and are generally great to work with. If you need a solo auditor these would all be great choices: @TamayoNft @1337web3 & @PeterSRWeb3 @Al_Qa_qa @dev_chinmayf @alexzoid for Formal Verification
8
4
132
18,346
Q) What 10 personality traits most excel at auditing? 1⃣ independent critical thinker 2⃣ no need to belong to group or follow crowd 3⃣ not easily persuaded, especially by authority claims 4⃣ very logical mindset 5⃣ "don't trust, verify" personality 6⃣ attention to small details 7⃣ somewhat paranoid 8⃣ loves learning new things 9⃣ ambitious, competitive, desire to succeed 🔟 high risk appetite
12
12
124
5,954
This year at least 5 auditors who: * were @Cyfrin Eagles working with us as contractors * I gave multiple shout-outs to for their good work on our private audits * were subsequently hired by Tier 1 firms Is anyone selflessly promoting great private auditors more than me?
12
1
130
24,378
When I was only an auditor, the best part of my job was finding sweet high impact findings. As Audit Team Leader I'm still auditing, still producing sick findings, still writing stacked reports - but the best part of my job has become creating opportunities for other auditors to succeed. I'm especially happy and proud of having opened the door into private audits for a number of skilled & talented researchers who didn't have that opportunity until I created it for them. Watching them produce great findings and stacked reports for our private audit clients makes me very happy to see them succeed and our clients happy. Since the start of this year I've personally given out $100K+ of private audit work and looking to continue scaling this up as demand continues increasing for Cyfrin private audits.
7
4
123
3,932
Permit2 `SignatureVerification::verify` calls `claimedSigner::isValidSignature` if `claimedSigner` is a contract. This is pretty standard, however if the contract you are auditing: * integrates with Permit2 calling `permitWitnessTransferFrom` * allows anyone to play a user's signature (for example to implement gasless swaps) * generates a transaction id based on the user's signature or other fields an attacker doesn't need to change * reverts if that transaction id already exists Then you've likely found a permanent grief/DoS vulnerability where an attacker can grief all honest users at the cost of 1 wei per user request by: * deploying `AttackerContract` which always returns true in `isValidSignature` * change `permit.permitted.amount` = 1 wei * change `user` to `address(AttackerContract)` * front-run to call the vulnerable function using the above modified params This effectively bypasses the signature validation, costs the attacker 1 wei but creates the transaction record which causes the subsequent honest user's txn to revert!
2
9
130
7,141
Concise Basic #zk Math Cheatsheet: * Modular Arithmetic * Groups * Fields * Finite Fields * Finite Field Generator * Elliptic Curves * Group Pairing / Bilinear Map * Polynomial * Polynomial Commitment Schemes
4
13
121
7,550
🚨 Fuzzing Challenge UPDATE 🚨 After 6 fuzzing challenges the strongest competitor is... 🚀 MEDUSA 🚀 Medusa in "unguided" mode was able to break harder invariants which both Echidna & Foundry missed in challenges 5 & 6 and it breaks them SUPER FAST! github.com/devdacian/solidit…
6
14
116
12,049
Fuzzers (Echidna/Medusa/Foundry) vs @certora - solvers for a denial of service to an `executeFlashLoan()` function which shouldn't revert if the reasonable preconditions are satisfied. The Fuzzers are written in pure Solidity and require a manual setup, but the actual invariant definition is extremely simple. With Certora there is no manual setup; instead we define relationships between contracts in a `.conf` file then in a `.spec` file a much more complicated invariant (using a Certora `rule`) which: * expresses any preconditions to be satisfied, not using actual values but as relationships between objects * defines the order of operations (`executeFlashLoan()`, `f()` which can be anything, `executeFlashLoan()`). The attached Certora output (2nd pic) shows that Certora figured out if `f()` is one of the `transfer` functions which directly transfers a small token amount to one of the contracts, this causes the second `executeFlashLoan()` to fail. Certora can also "HAVOC" storage and function calls where it changes storage state or behavior/returns of function calls; part of writing the config & spec is restricting this behavior sufficiently so that it doesn't cause something to fail improperly due to a havoc but which could never occur in the real protocol. Certora feels a lot more powerful compared to the fuzzers as there is no manual setup instead everything is specified using relationships, however this requires to learn their domain-specific language and programming model which is completely different to using Solidity and the Fuzzers. Writing my first solver was quite a challenge, actually felt like a great achievement when I finally got it working!
4
18
120
7,880
In 2 weeks, my AI Auditor Primers repo got almost as many stars as my Solidity Fuzzing repo got in 2 years.. * AI Auditor Primers - 2 weeks, 160 stars * Solidity Fuzzing - 2 years, 164 stars AI is HOT🚀🚀🚀
4
7
124
5,553
New EPIC Deep Dive Released! * Solidity Inline Assembly Vulnerabilities * My favorite one so far, researching this has been a blast! Contains simplified stand-alone versions of real-world subtle inline assembly related vulnerabilities together with walkthroughs through the opcodes, stack and memory using Foundry's debugger to see exactly where subtle errors creep in! Check it out now! dacian.me/solidity-inline-as…
5
14
121
9,297
💡10 Steps To Easily Use 3 Fuzzers💡 Did you know that by following 10 simple steps you can easily use Foundry, Echidna & Medusa fuzzers on the same codebase? 1⃣ Use Foundry to write your regular unit tests, even if using Hardhat for package management/deployment. As all 3 Fuzzers require writing tests in Solidity, using Foundry to create your test suite ensures you'll already have the test setups written in Solidity. Even if you don't want to write the fuzz tests yourself but engage an external auditor to do this, having all your existing test suite in Solidity using Foundry will reduce the time & hence cost since the auditor will be able to leverage it when setting up the fuzz tests. 2⃣ Write your fuzz tests using Foundry's native fuzzer first, call the file something like `MyFuzzFoundry.t.sol`. You can use Foundry's in-built line-by-line coverage reporting (github.com/devdacian/solidit…) to ensure it is executing all the lines you want. 3⃣ Copy the Foundry fuzz test file and rename it for Echidna to for example `MyFuzzEchidna.t.sol`. Remove the inheritance from `Test` contract and associated import. Rename the contract to `MyFuzzEchidna`. 4⃣ Create a constructor with no arguments & move the code from inside `setUp()` into the constructor, then delete the `setUp()` function. If you need Echidna to give the test contract some initial eth, ensure the constructor is payable! 5⃣ Create the Echidna config file `MyFuzzEchidna.yaml` and specify any required options (github.com/crytic/echidna/wi…). You may wish to set `prefix:"invariant_"` so you don't need to rename Foundry invariants. Setting up initial eth, sender addresses, target contracts & other parameters which Foundry does programmatically are instead configured in Echidna's yaml config; put these there then delete them from the constructor. You can also configure Echidna's coverage here to get line-by-line coverage output. 6⃣ Replace Foundry-specific calls & cheat codes with Echidna ones (github.com/crytic/building-s…). This can be made easier by using platform-agnostic input restriction in your Foundry tests (github.com/devdacian/solidit…). 7⃣ Change the `invariant_` functions to return bool instead of using asserts. 8⃣ You should now be able to run Echidna from the base project directory using a command such as: `echidna --config test/MyFuzzEchidna.yaml ./ --contract MyFuzzEchidna` 9⃣ Using Medusa doesn't require any code changes to the `MyFuzzEchidna` contract , just a new json config (raw.githubusercontent.com/wi…); use `medusa init` to generate the json config `MyFuzzMedusa.json` then change any required settings. Settings of note are: * `propertyTesting.testPrefixes` to `invariant_` * `platformConfig.target` to point to the main project directory * `testing.stopOnFailedTest` to false * `testing.testAllContracts` to true * `deploymentOrder` to ["MyFuzzEchidna"] * `corpusDirectory` to `coverage-medusa` * `timeout` to 10 (or more if you like) 🔟 Run medusa from the base project directory with `medusa --config test/MyFuzzMedusa.json fuzz` Using these 10 steps you too can benefit from fuzzing your code with Foundry, Echidna & Medusa! Check out some working examples that use all 3 fuzzers @ github.com/devdacian/solidit…
5
33
114
11,992
Daddy's cooking today, we're eating good 😋
8
1
112
5,339
.@CyfrinUpdraft dominates its niche, nothing else even comes close. 🔥all courses are 100% free empowering anyone in the world to upskill and change their lives - no thousands of dollars in tuition fees required! 🔥even bigger things coming to Updraft later this year 👀
3
1
120
3,837
self-inflicted
6
7
116
5,766
After 2 days of guided evolution, Amy has replaced Junior Auditors. Amy can instantly find the same types of bugs as Junior Auditors but also go deeper by thinking in invariants then attempting to break the invariants, finding bugs which Junior Auditors typically miss. Amy can also evolve herself, leveling up much faster than a human. If you are a Junior Auditor you only have two options: level up or find another profession. Amy will not replace Senior Auditors but can greatly enhance and complement them, if they become friends with her.
28
2
116
15,817
Many severe Crit/High vulns can be traced back to 1 faulty line of code. Auditor's job is to find diamonds hidden within the giant nSLOC haystack. Every line which looks innocent could actually be the diamond you are searching for! 5 examples from my current private audit:
6
6
111
4,626
Easy money mostly gone in auditing. Many skilled auditors w/great portfolios looking for work + tons of new firms => more competitive market than ever, hence recent ambulance chasing / grave dancing. If you haven't made it already, consider pivoting to AI or learn plumbing.
24
2
120
48,777
Q: I'm a Solidity dev, what is fastest way to transition to #web3sec ? A: You just need to develop attacker mindset. Do shadow audits of CodeHawks Beedle & Sherlock USSD then compare your findings to reports and learn to find what you missed. Afterwards start real contests.
2
7
112
4,086
💡Easy Stateless Fuzz & Symbolic Test💡 Foundry + Halmos => use the same test contract for both stateless fuzz & symbolic tests. Here is an example from my current private audit where I'm using Halmos to verify a hashing algo produces unique results for the possible input set:
7
14
107
15,235
current market dynamics
12
4
114
6,479
Thank you @cyfrin Santa for the new LG UltraWide 34'' Curved Widescreen - major quality of life improvement!
11
110
6,295
Q1 @cyfrin private audit clients included huge names like: * Metamask x2 * Wormhole * Linea * StakeDotLink x2 * Dolomite * PancakeSwap * Benqi * TradFi1 AUM ~$1T * TradFi2 x2 AUM 🤯 Most of these were happy returning clients; we also did audits for many new protocols 🚀
5
5
115
4,307
My first audit @cyfrin thrown into the deep end on a project with 100% test coverage & 2 prev audits. So far I've found 2 absolutely SICK criticals + many H/M & my teammate also has a bunch of findings. Looking forward to sharing this STACKED report full of SICK exploits!
11
5
105
7,059
In my previous software engineering career for 2 multi-billion $ entities I worked on 2 distributed high performance transaction processing systems, one military & one civilian. In both projects we used to write *thousands upon thousands* of automated tests, building an elaborate test suite that would be run after every change to catch regressions and bugs which slipped in during development. For a piece of new functionality to be "delivered" it had to come with a thorough automated test suite; the test suite was considered a "deliverable" along with the functionality itself. No test suite or only a shallow one = no deliverable. After all this effort from the developers, our code releases would be taken and given to a separate internal blackbox testing team who would run blackbox testing at the interface & integration level creating all sorts of scenarios to try and cause misbehavior and exploitation from the interactions between multiple components using all sorts of crazy inputs. It was only after all this was complete that an external security contractor may be engaged to perform an external security review. Nothing close to this appears to be currently happening in mainstream DeFi development; developer-created test suites are often very shallow primarily testing expected behavior using expected inputs + can be very light on testing integration between components & there are virtually no internal blackbox testing teams. In DeFi today almost the entire responsibility for security is shifted to the external security contractor and when teams inevitably get hacked many shamefully deflect responsibility onto the external auditor instead of realizing that the responsibility for security starts and ends within the organization and its processes.
I actually love this question. I feel like it’s a compliment. At the height of building protocols, you actually will spend more time defending them than building them. Writing tests is a big part of that process.
10
10
102
22,994
🇧🇬 Bulgarian users from a relatively small country in Eastern Europe (6.5m population) are consistently the #3 readers of my smart contract deep dives, behind India (1.42 billion) & USA (333 million).
7
5
112
12,388
If you're worried about AI taking your job, specialize in cross-chain and integration audits; two areas where AI is weakest! Humans are much better at finding integration bugs relying on subtleties of external third-party libraries and/or using custom attacker contracts!
11
8
109
4,293
Foundry vs Echidna - "Unstoppable" Damn Vuln DeFi Invariant Challenge. * Unguided mode * 2 invariants - 1 generic (hard to break), 1 specific (should be easier) Echidna breaks both. Foundry sometimes breaks the easier one. Foundry can break both with a lot of extra guidance.
7
10
101
16,953
Endless learning without serious application is just procrastination disguised as progress
10
13
112
4,075
The final audit before going live should feel like it wasn't worth it.
11
7
112
4,975
If you're making a good living working as a smart contract auditor, take a moment to be grateful, then get back to work! There are thousands of hungry aspiring auditors wanting to take your place.
2
6
111
3,545
EPIC New "DAO Governance DeFi Attacks" Deep Dive is OUT! Using @SoloditOfficial I read every single DAO & voting finding in the history of audit contests to absolutely smash my first private audit @cyfrin, and now I've distilled all that knowledge to help YOU build more secure DeFi voting systems! Featuring 12 vulnerability categories plus the heuristics used to find them that all DAO developers & auditors should be aware of, packed with real-world examples & exploit code! dacian.me/dao-governance-def…
12
16
101
12,525
Learning smart contract auditing has never been easier thanks to @CyfrinUpdraft! But now there's more competition than ever; only the most dedicated rise from newbie to full-time pro, unlocking that life-changing $. Are you willing to do what it takes to be one of the few?
13
4
108
3,862
We pay auditors FAST!
6
108
2,907
living that auditooor life
10
2
102
5,308
💡Top 8 Ways I Use My AI "Amy" Effectively💡 1⃣ Always do first pass manually 2⃣ Ingest Amy's Primer, ask it to analyze the contracts 3⃣ Explain why the false positives it found are invalid 4⃣ Ask it to explain what different functions / bits of code do, then ask it lots of "what if this happens" type of questions 5⃣ Show it some of my own findings then ask it to find similar bugs elsewhere in the codebase (ideally do this 1 by 1, issue by issue not all at once). Explain why false positives are invalid 6⃣ Explain specific attack vectors, heuristics etc & ask it to analyze the codebase with them 7⃣ Explain specific invariants and ask it to break them 8⃣ Ask it to come up with important invariants then try to break them In my last 2 audits the highest severity, most impactful findings came from Human-AI Symbiosis; from working together with AI to jointly explore, understand & attack the codebase. Human-AI Symbiosis is the future of many jobs including ours, don't sleep on it. 🧑‍🔧🤖/acc
10
10
137
7,522
Wrote this stateless fuzz test today for my current private engagement & found a cool "first depositor" style exploit. An attacker could front-run the first depositor to ensure they received 0 shares and hence couldn't redeem, losing their deposit. A useful vault invariant to prevent this is: "a vault depositor should always receive > 0 shares". When depositing callers should also be able to provide a `minShares` slippage parameter but even if this is set to zero the invariant should protect them from actually receiving zero shares. Preventing "donations" in this way not only protects users but can also protect the protocol from unknown advanced exploits, since "donations" have featured in a number of elaborate exploit chains.
3
9
104
4,795
🚨Foundry vs Echidna Fuzzing Challenge UPDATE🚨 In less than 24hrs Foundry team has created PR6530 which optimizes the invariant-breaking transaction chain to the smallest set it can find. I have tested the patch and it is working great! 🚀AMAZING work by the Foundry team!🚀
10
7
106
10,158
Symmetry vs asymmetry is the #1 best general-purpose heuristic to learn for finding all sorts of bugs. Train your brain to find asymmetry where symmetry should exist (and vice versa) then ask "why?" and "what is the consequence?" High from my current private audit 👇
5
8
103
4,061
Solidity memory<->memory is passed/assigned by reference, meaning: * if one reference changes, the others will also * when passed as input to a function (including view/pure), any changes to memory input parameters inside that function persist in the caller's context
2
9
103
4,108
💡 Find Highs Using Invariant Fuzz Testing & Formal Verification 💡 The replay of my workshop at Fuzz Fest 2024 is now available. Similar to my workshop at DeFi Security Summit which wasn't recorded plus some additional extras. piped.video/watch?v=Cqmu-mhS…
4
16
100
5,290
Shout out @giovannidisiena @0xStalin @alexzoid fantastic work on Uniswap V4 Hooks audit finding: * 6 Crit * 13 High * 11 Med, 15 Low * 29 Info, 26 Gas Set new all-time high for longest @cyfrin report at 123 pages! Client fixed everything - amazing value provided💪
8
2
105
9,353
💡Audit Heuristic - Loop Bypass💡 When seeing a loop with reverts inside, what happens if list is empty so the loop never executes? Especially if attacker controls list inputs being looped over! Does code assume success even though no checks were executed due to empty list?
6
9
104
5,520
Low-level call() returns true when called on a non-existent address. Attacker could fool a protocol into thinking a certain operation had successfully completed when in fact it hadn't. Allows remaining code to execute when developer was assuming it would revert!
5
8
95
8,542