swe | cs | blockchain security researcher | occasionally building cool stuff

Joined November 2020
17 Oct 2025
Midwife tried to hold him, he said onlyOwner() Enrol your kids to @CyfrinUpdraft today 🍼
Weekend rodeo. Wrapped up Challenge 5 of Damn Vulnerable DeFi. Spent way too long chasing a dead end around the bitmap boundary (0 → 1). The actual bug was much simpler. Transfers execute per claim, but “already claimed” is enforced per token group. By repeating the same valid proof within a single call, the contract pays out multiple times before the claimed bit is finally recorded. The assumption: each (token, batchNumber) appears at most once in inputClaims per tx. The issue: state updates happen once per token per batch, not per claim. The contract relied on the structure of inputClaims instead of enforcing it.
Toby retweeted
Feb 23
🚨DeFi project Blend (Stellar blockchain) was exploited for $10.5M yesterday. Root cause - price manipulation of a virtually zero liquidity asset. Attacker inflated USTRY price 100x, price oracle reported collateral as 100x more valuable, so attacker borrowed >$10M and ran away.
Got caught up with some irl stuff and forgot to share my Damn Vulnerable DeFi progress. Just wrapped up Challenge 4 - Side Entrance (easiest so far, solved it and got the test set up in under an hour). The pool relied on actual balance to enforce flash loan repayment, but the internal balances mapping was treated separately. By repaying the flash loan through deposit() the contract credited the borrower internally while still satisfying the balance check. Flow was simple:
flashLoan -> execute -> deposit -> withdraw
This allows an adversary to completely drain the pool. Internal accounting ≠ actual ownership. Always align both.
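The accounting flaw in the post above, as an added example that is neither the challenge's code nor the author's: a pool that judges flash-loan repayment by its raw ETH balance, beside a version that keeps the callback away from the ledger. The contract names and the IFlashLoanEtherReceiver interface are assumptions made for the sketch.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed illustration of the Side Entrance pattern (not the challenge's
// own code). ETH lent in execute() must be back in the pool when flashLoan()
// returns; the vulnerable pool measures that with address(this).balance only.
interface IFlashLoanEtherReceiver {
    function execute() external payable;
}

contract VulnerablePool {
    mapping(address => uint256) public balances; // per-user ledger
    function deposit() external payable virtual {
        balances[msg.sender] += msg.value;
    }
    function withdraw() external {
        uint256 amount = balances[msg.sender];
        balances[msg.sender] = 0;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
    function flashLoan(uint256 amount) external virtual {
        uint256 before = address(this).balance;
        IFlashLoanEtherReceiver(msg.sender).execute{value: amount}();
        // BUG: repaying through deposit() restores the balance AND credits the
        // borrower's ledger entry, so withdraw() later pays the loan out again.
        require(address(this).balance >= before, "flash loan not repaid");
    }
}

// Hardened: a lock held for the whole flashLoan() keeps the callback out of
// deposit(), so the balance check can only be satisfied with uncredited ETH
// sent to receive(). The ledger and the real balance stay aligned.
contract HardenedPool is VulnerablePool {
    bool private locked;

    modifier nonReentrant() { require(!locked, "reentrant call"); locked = true; _; locked = false; }

    receive() external payable {} // plain repayment: no ledger credit
    function deposit() external payable override nonReentrant {
        balances[msg.sender] += msg.value;
    }
    function flashLoan(uint256 amount) external override nonReentrant {
        uint256 before = address(this).balance;
        IFlashLoanEtherReceiver(msg.sender).execute{value: amount}();
        require(address(this).balance >= before, "flash loan not repaid");
    }
}
```

In a Foundry or Hardhat test, a receiver that calls deposit() from execute() leaves VulnerablePool with a ledger credit it never funded, while the same call reverts against HardenedPool with "reentrant call".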
Download all smart contract code executed in a transaction tx-graph-eight.vercel.app/ 1. Paste transaction hash 2. Click blue button on top right corner
Finally had time to solve Challenge 3 of Damn Vulnerable DeFi. It reinforced something critical about ERC20s: Ownership ≠ Control. You don’t need to hold tokens to move them, you just need approval.
Just finished challenge 2 (Naive Receiver) on Damn Vulnerable DeFi. This one really tested my understanding, took me 4 days to break it. I can already see the missing pieces connecting in my head 😅 Don't trust blindly, always verify!
just wrapped up a contest and jumped straight into Damn Vulnerable DeFi. solved challenge 1 (unstoppable vault) in ~30 minutes. on to the next!
not proud of my contest results lately -- taking a step back to recalibrate. after some honest introspection, I realized the gap isn’t theoretical exposure, but mechanical intuition -> the ability to reason about and violate systems beyond "missing access control". starting by working through all 18 Damn Vulnerable DeFi challenges. excited for what comes next!
Toby retweeted
really wish I could write like this. lowkey jealous of people who can articulate their thoughts this cleanly and deeply. biggest takeaway for me wasn’t “having multiple interests” it was that learning without a vessel is just dressed-up procrastination. curiosity on its own doesn’t move your life forward if it never turns into output. having many interests isn’t the issue. not building anything with them is. the idea of a vessel really hit: a way to channel curiosity → understanding → creation → leverage. research in public. think in public. write in public. not to perform, but to compound. we really are in a second renaissance where tools are cheap, distribution is free, knowledge is everywhere. the real edge now is synthesis which means basically connecting dots others don’t and turning that into something useful. also loved the reminder that brand isn’t aesthetics, it’s accumulated thought. people don’t follow profiles, they follow worldviews, need to do more of that fr. still learning how to express my thoughts better, but pieces like this remind me that clarity comes from reps, not waiting to feel “ready.” great read man ❤️👐
Toby retweeted
30 Dec 2025
The core of Sherlock is the researchers. Every result we deliver comes from people who analyze real code, find what others miss, and push teams to fix it before deployment. 2025 was a major year for Web3 security research. Protocols grew more sophisticated, expectations rose, and the work translated directly into safer launches across the ecosystem. To recognize the Watsons who set the standard, we’ve developed 11 prestigious awards that recognize diligence, expertise, and impact. Here are the 2025 Sherlock Watson Award Winners 👇🧵
Toby retweeted
This weekend I analyzed EIP-712 implementations across major protocols so you don't have to! The main trade-off: should you compute the domain separator on demand or apply caching optimization to reduce hash operations? Let's check industry best practices 🧵👇
29 Dec 2025
"This generation isn't gambling to survive, they're gambling to actually have a life." Extracted an insane amount of value from reading this!
23 Dec 2025
just published my first medium article breaking down options from first principles, all the way to how Uniswap AMMs can be used to implement them. if you’re planning to participate in the ongoing @Panoptic_xyz contest, this should help build the intuition you need before diving into the technical details. medium.com/@32bitsToby/optio…
21 Dec 2025
Beautiful watching the interaction between @0xFireFist and @0xSimao mentorship series #8. Simao: "what if the chainlink price is absurd?" Firefist: "I think there are some checks here that ensure..." Simao: "okay! we need to see those checks" Takeaway: No guesswork. Verify!
Toby retweeted
The SIMPLE success formula👀
20 Dec 2025
just found this, should be illegal to have this out there for free. thanks @philbugcatcher
8 Apr 2025
Dear friends and enemies: This is the Eigenlayer model I said I would share (link in the comments). I added a few notes in the comments as well, answering the following questions: 1. Is Excel fit for this job? 2. What value is there in this for the reader? 3. How did I use this particular model?
Toby retweeted
19 Dec 2025
1/ Wondering how to make sure the math accounting adds up? I've got you covered, here's how you can become a human fuzzer 101. In the mentorship episode #14, we show exactly how to do it 0xsimao.com/blog/mentorship-…. Thread 🧵
14 Dec 2025
just wrapped up my second contest for the month. pretty excited for this one, found some interesting bugs! on the side:
- took a course on assembly
- currently reading the proxy book on rareskill
- started reading mastering ethereum as a hobby
- catching up on the deep dives from @0xSimao contest academy
2026 is going to be amazing!