Pavlo Midvel 🇺🇦 (@midvelcorp)'s Twitter Profile
Pavlo Midvel 🇺🇦

@midvelcorp

🇺🇦 Art & Code ||
CEO & Co-Founder in Ecliptic Security ||
Security Advisor @woof_software ||

Web3, blockchain, fintech, security, big data

ID: 1127142055459864576

Link: https://linktr.ee/pavlo.midvel | Joined: 11-05-2019 09:23:02

1.1K Tweets

342 Followers

554 Following

Pavlo Midvel 🇺🇦 (@midvelcorp)'s Twitter Profile Photo

Always remember Kerckhoffs' principle and make sure you build your protocol security on secure design, and not on hidden details (which can always be discovered, especially for on-chain info).

Pavlo Midvel 🇺🇦 (@midvelcorp)'s Twitter Profile Photo

Web3 security is about risk analysis. And that requires structured creativity: to hold the whole protocol in your mind and imagine all possible flaws and risks. The key part here is "creativity": you can analyze only what you can imagine. So, boost your creativity and have fun 😎

Pavlo Midvel 🇺🇦 (@midvelcorp)'s Twitter Profile Photo

Security starts before development starts: you need to understand precisely what your protocol should do, and think about exact parameter limits and exact behavior. Security starts with understanding your requirements.

Pavlo Midvel 🇺🇦 (@midvelcorp)'s Twitter Profile Photo

Weeks #33-36 in my web3 sec. Abandoned this thread for a while, got quite a lot into the bag:
- lending protocol advising on (!) accuracy loss and overflows: nasty bugs with a lot of headache to find them
- fullstack audit for an RWA protocol
Just 2 things, but quite enormous in size.

Pavlo Midvel 🇺🇦 (@midvelcorp)'s Twitter Profile Photo

โš ๏ธVibe coding is the high-interest loan of software development. โ—๏ธNever trust, always verify. โœ…๏ธ Build skills, not shortcuts. Good piece on dangers of incorrect overusing of AI in development. hackernoon.com/vibe-coding-isโ€ฆ

Pavlo Midvel 🇺🇦 (@midvelcorp)'s Twitter Profile Photo

One more tweet about the necessity of a proper testing strategy from day 1 of development. You can't just have a bunch of isolated unit tests to "get the coverage". Work with actual scenarios of how users and admins may behave.

Pavlo Midvel 🇺🇦 (@midvelcorp)'s Twitter Profile Photo

Been gone for a while: inspected closely how governance works on one of the lending protocols. Not to say that it is slow, but I'd say that close monitoring of proposal expiration and renewal dates is a must-have for any protocol. Just in case, to avoid hijacking.

Pavlo Midvel 🇺🇦 (@midvelcorp)'s Twitter Profile Photo

Great read on the newly discovered supply chain vulnerability. It brings up several important topics: ❗️why decentralization matters, even in zero-trust systems ❗️why cryptography, and zk in particular, matters ❗️why SRs should have a damn good qualification infosecwriteups.com/the-god-mode-v…

0xGondar (@0xgondarxyz)'s Twitter Profile Photo

These days I'm getting into auditing DeFi perpetuals. If you'd like to know more and discover them with me, you're invited to read the first piece of the series. More to come! PS: Any corrections are appreciated! mirror.xyz/0x9663a2287FA1…

Pavlo Midvel 🇺🇦 (@midvelcorp)'s Twitter Profile Photo

Great event on post-quantum cryptography, organized by Prof B Buchanan OBE FRSE. The framing thought: ❗️it is not sci-fi, but a real threat, just delayed in time ❗️ It is good that the world has already started work on compliance and migration planning, but we are still procrastinating on this.

Pavlo Midvel 🇺🇦 (@midvelcorp)'s Twitter Profile Photo

One of the points I liked in the PQC discussion: that blockchain is an actual technology being reviewed to become a component of PQC frameworks. Maybe it will finally achieve its initial technological goal.

Pavlo Midvel 🇺🇦 (@midvelcorp)'s Twitter Profile Photo

Another thought I liked from the discussion: that while PQC expects certain technical and hardware updates, it is still heavily based on crypto-hygiene, awareness and an understanding of the foundations of integrity and confidentiality.

Pavlo Midvel 🇺🇦 (@midvelcorp)'s Twitter Profile Photo

Another thought on why PQC awareness matters: even now the principle works ❗️Harvest Now, Decrypt Later❗️ Adversaries harvest data, waiting around for a quantum computer to crack it later. Even if you have strong confidentiality, an encrypted data breach is still a breach (just delayed).

Pavlo Midvel 🇺🇦 (@midvelcorp)'s Twitter Profile Photo

Another point from the event: a live demonstration of PQC readiness assessment by automated tools. The example shown on the panel was an analysis of the TrustWallet core repo. That was ... well ... impactful to see how the web3 industry is still in the procrastination phase for PQC (even from a single example).

Pavlo Midvel 🇺🇦 (@midvelcorp)'s Twitter Profile Photo

Currently attending another webinar, on the modern approach to cybersecurity. And the framing thought resonates a lot with me: ‼️ Cybersecurity is about risk management, and risk management is about money (loss). One should never underestimate the necessity of a security budget.

Prof B Buchanan OBE FRSE (@billatnapier)'s Twitter Profile Photo

I really enjoyed our International Conference in PQC and AI today, where we had an amazing opening talk by Jaime Gómez García: youtube.com/watch?v=W6uSo3…