I've made $500k+ from SSRF vulnerabilities. Here are my tricks:

Early detection, early peace of mind - automated tools in smart contract security. #EarlyDetection #CryptoSafety

📊 Gas optimization is important but not at the cost of security. Efficient code should also be secure code. #SmartContractDevelopment #GasOptimization

👥 Peer reviews in smart contract audits can provide invaluable insights. Different perspectives uncover different issues. #PeerReview #CollaborativeSecurity

"Scenarios", "Flows", "State Transitions", "Stories", "Threats", "Paths", "Levers". The used word doesn't matter: our ultimate ambition should be to identify all weird/edge/unexpected cases in the time we have on a security review. These words are just helpful representations.

rare footage of auditor trying to find a bug

Gotta recommend this extension again: marketplace.visualstudio.com/items?itemName… . With it, you can visually tell which line is fully covered, which line is partially covered, and which line isn't covered at all. Try `forge coverage --report lcov` and then use this extension to see what I mean

USDC has 18 decimals instead of 6 on the following chains: - Oasys - BNB - OKX Chain - Sora - Kucoin Chain - Telos - Conflux - Bitgert

Alpha alert: Speed boost I've been using this for years, and I know some others have their own ways with macros, but lots just copy-paste the tags. This is how I write the audit tags and other things (cmd + a number). Do Cmd+Shift+P, open keyboard shortcuts (JSON), and add those.

"There's plenty for everyone." That’s my mantra for sharing everything that worked out for me so far. I didn’t just scale from $0 to +300K by gatekeeping knowledge. I honestly believe none of my success would be here if I hadn't shared my ups and downs. By putting myself in

3 mandatory checklists to go through before doing a smart contract security audit on your codebase: 1. The Solcurity Standard - github.com/transmissions1… 2. Weird ERC20 tokens list - github.com/d-xo/weird-erc… 3. Solodit aggregated checklists - solodit.xyz/checklist

Recommended Read 🧐 The following comprehensive article on "Exchange Rate Manipulation in ERC4626 Vaults" from Euler Labs co-authored with the legendary alcueca euler.finance/blog/exchange-…

If you're auditing a protocol that uses Compound V3, you should read these papers! RareSkills 🫡 1. The Architecture of the Compound V3 Smart Contract Link: rareskills.io/post/compound-… 2. DeFi Interest Rate Indexes Link: rareskills.io/post/defi-inte… 3. Understanding Collateral,

ddimitrov22 Even rounding in the right direction could be exploited (stealth donation). I very, very much encourage everyone to read this: euler.finance/blog/exchange-…

The chart on theblock website left me stunned. The surge in stolen funds between 2020 and 2023 is alarming, indicating a pressing need for heightened security measures. Employing both manual and automated scans could help mitigate the risks effectively. theblock.co/data/decentral…

Ever tried to deal USDC with Foundry and seeing it revert? Well, 3 weeks ago, the support for USDC was added. Update Foundry frequently everyone! github.com/foundry-rs/for…

Security is 1% finding bugs and 99% understanding how the code works.

For those serious about account abstraction in Ethereum this 4-part series authored by @agfviggiano is a must: 💡A deep dive into the main components of #ERC4337 Account Abstraction Using Alt Mempool; addressing common questions, misconceptions, and security considerations.

One way to speed up PoC is to load data from external sources instead of from the chain Here’s an example btw don't forget to allow Foundry to read it in foundry.toml book.getfoundry.sh/cheatcodes/par…

Lesson of the day ... do not ever miss the escalation phase.