André (@iamandreiski)'s Twitter Profile
André

@iamandreiski

Independent Smart Contract Security Researcher | You can reach out @ t.me/iamandreiski

ID: 1719700556111872000

Joined: 01-11-2023 12:59:15

276 Tweets

713 Followers

464 Following

André (@iamandreiski):

Pectra upgrade is live and malicious calldata exploits are now more dangerous than ever before. Cyfrin Audits developed this cool interactive resource to help you learn to recognize malicious calldata, so make sure to check it out: wise-signer.cyfrin.io

André (@iamandreiski):

There are no right or wrong ways when it comes to auditing: 🧩 You can create threat models, complex graphs, or draw every nested function call for better visualization. 🧠 Or you can audit directly in GitHub and take pen & paper notes only. Results are the only thing that matter.

André (@iamandreiski):

Secured 1st place in Sherlock's Aegis contest 🥇

A year into full-time Web3 security, and I've landed my first proper contest win. This comes after:

- 10+ Top 5 finishes;
- 100+ C/H/Ms;
- Thousands of hours spent auditing;

And I'm just getting started.

André (@iamandreiski):

I've received a lot of questions about my audit framework, and the techniques I use. Although unique to every auditor, here are my 4 fundamentals that I've incorporated into my auditing routine, which have helped me to constantly rank in the Top5 during public audit contests:

André (@iamandreiski):

Audit tip of the day:

- If a protocol has implemented a mechanism which calculates gas cost and charges users some kind of a fee based on it; OR
- It forwards an exact amount of gas based on a calculated execution cost or similar;

9/10 times, there's a vulnerability there.

André (@iamandreiski):

I've participated in 15+ audits/contests involving cross-chain mechanics, and I’ve ranked Top 5 in 5 of them. Audited integrations with CCIP, LayerZero, Stargate, Wormhole, and more. Here are 3 things you should focus on when auditing or implementing cross-chain integrations:

André (@iamandreiski):

As an auditor, your confidence is a key asset in discovering vulnerabilities.

- Approach every codebase assuming numerous bugs exist, regardless of the protocol in question or the team behind it.
- A single shred of doubt can be detrimental to your ability to find anything.

André (@iamandreiski):

Audit tip of the day: If a protocol employs cross-chain mechanics:

- Beware of any core components that can be DoS'd/manipulated due to the cross-chain transfer delay.
- Account for situations in which said delay could be significantly prolonged due to problems with the transfer.

André (@iamandreiski):

Time to drop the really big bomb: Sharing my successes throughout the last year has resulted in 50+ people reaching out to ask for guidance, etc. Some as far as 8-9 months ago. I've only seen like 2 of them winning some $ in contests. Consistency is key. Have a nice day.

André (@iamandreiski):

An inherent skepticism toward every norm throughout life will get you labeled a conspiracy theorist. In web3 security, it will get you a very lucrative career. You're one assumption away from letting the bad guys win. Question everything.

André (@iamandreiski):

Audit tip of the day: When basing anything on a hash, make sure that it contains sufficient unique values, a nonce which is incremented with each new hash, and a chain id divisor. Avoid abi.encodePacked for value encoding prior to hashing them, especially for dynamic types.
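An added illustration of the tip above (example code, not the author's): the packed-encoding collision for dynamic types, beside a hash that is bound to the chain, the contract and an incrementing nonce. The contract name and functions are assumed for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added example (not from the original post): why abi.encodePacked with
/// dynamic types makes hash-based identifiers collide, and a hardened form.
contract HashExamples {
    uint256 public nonce;

    // Weak: packed encoding writes the raw bytes of each string with no
    // length prefix, so ("ab", "c") and ("a", "bc") both become 0x616263
    // and therefore hash to the same identifier.
    function weakId(string memory a, string memory b) public pure returns (bytes32) {
        return keccak256(abi.encodePacked(a, b));
    }

    // Hardened: abi.encode keeps the ABI offset/length framing, so the
    // argument boundaries are part of the preimage; chainid and address(this)
    // tie the hash to one deployment, and the nonce makes every id unique.
    function strongId(string memory a, string memory b) public returns (bytes32) {
        uint256 n = nonce++;
        return keccak256(abi.encode(block.chainid, address(this), n, a, b));
    }

    // Returns true: two distinct inputs map to one id under the weak scheme.
    function weakCollides() external pure returns (bool) {
        return weakId("ab", "c") == weakId("a", "bc");
    }

    // Returns false: the same two inputs yield different ids under abi.encode,
    // even before the chain id, contract address and nonce are mixed in.
    function strongCollides() external pure returns (bool) {
        return keccak256(abi.encode("ab", "c")) == keccak256(abi.encode("a", "bc"));
    }
}
```

Deploying the contract and calling weakCollides() and strongCollides() shows the difference directly; the same collision appears for bytes and for mixed dynamic arguments, not only strings.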

André (@iamandreiski):

Another 🥇 1st place, this time it's Starknet Staking. My second time auditing Cairo, and I managed to win the contest. Another proof that no matter the technology, language, or chain, your hacker mindset and framework are what matter most.

André (@iamandreiski):

Devs need to thoroughly test out all of their integrations and happy paths prior to commissioning an audit. Otherwise, audit reports become a giant list of broken functionalities, with less time for auditors to properly stress test the protocol and find the hidden gems.

Patrick Collins (@patrickalphac):

Hot takes that I think shouldn’t be hot, and should be “the default” 1. The contest platform is ultimately responsible for the payout. It is the contest platform that promises payout, so if a platform doesn’t pay out, no matter the drama, it is the platform’s fault. 2. The

André (@iamandreiski):

After almost two months of radio silence, proud to announce that I have recently joined Certora as a Security Researcher. Looking forward to the next chapter of securing web3, and working alongside some of the brightest people in the industry. 🫡

Greed (@0xgreed_):

Finished a Move on Sui audit with Certora. It's fulfilling to review a project & weeks later an additional component of the same project. It's like seeing a kid grow, following & supporting his journey. Was also my 1st collab with André and this was literally us:

Mooly Sagiv @ NYU (@sagivmooly):

If you want to make DeFi safe and assist the most interesting protocols with sophisticated technology and security services, this is your dream job.