Joined July 2014
- Tweets 1,973
- Following 749
- Followers 2,790
- Likes 2,988
209 Photos and videos
Coinspect Security retweeted
Jun 12
Key-generation are such a uniquely hard class of bugs to handle.
Even after "patch & update", bad keys can live for years. Vulnerable code gets reused elsewhere.
Disclosure is hard here because you can't realistically reach every affected key owner.
We need a different playbook
Jun 12
RSA private keys biased toward 0 bits can be factored by swapping a hard math problem for an easy one: integer factorization becomes polynomial factorization.
We found hundreds of real-world keys vulnerable to this. Many traced to a type mismatch in CompleteFTP (now patched): each 32-bit limb got only 8 bits of randomness. We recovered 603 RSA and 74 DSA private keys. blog.trailofbits.com/2026/06…
1
5
21
4,364
Jun 10
Wallet Security Ranking testing round completed.
To avoid delaying updates, we'll publish browser extension results first. The data is already available in our public repo and will be merged after final checks before going live on our website.
May 6
📢Wallet Security Ranking: We're getting ready for the next round of testing. If there's a wallet we're not currently testing and you think we should include it, now is the time to suggest it.
We already have 81 wallets lined up: 30 iOS, 29 Android, and 22 browser extensions.
5
970
Jun 10
🚨 Attackers are exploiting a flaw in wallet generation to drain addresses created as far back as 2018, even if completely dormant.
Unexplained missing funds? Treat your recovery phrase as compromised.
Move remaining assets to a new wallet and recovery phrase.
Check all chains!
12
16
79
15,959
Jun 10
We want to be more specific about which wallets were vulnerable, but we don't have enough evidence to make that claim yet.
1
8
1,758
Coinspect Security retweeted
BlockThreat - Week 23, 2026
📈$3.6M stolen across 14 incidents
💰 Zcash patches infinite minting bug
🪲 Full Disclosure and DeFi
🔖 Latest security research and tooling
1
4
9
1,149
Coinspect Security retweeted
zcash is actually up, it's a node issue for many explorers (since not updated apparently); people should first verify before claiming a network is down
here to verify the latest block:
```
grpcurl -d '{}' zec.rocks:443 cash.z.wallet.sdk.rpc.CompactTxStreamer/GetLatestTreeState
```
Jun 3
INTEL: ZCASH NETWORK IS DOWN, NOT PRODUCED ANY BLOCK IN THE PAST 4 HOURS
28
18
116
18,353
Jun 3
Needed.
About "No composite scoring" (we ♥️ rankings): sounds neutral, but in the vertical interfaces we scroll every day, something always goes first.
Ordering can be hidden in UI defaults, or explicit with raw data, methodology, expert-voted weights, and adjustable by users.
Jun 2
1/ The EF App Relations team is putting out an open RFP for a neutral DeFi risk intelligence aggregator.
Public good, open source, no composite scoring. If you're the team to build this, applications close June 15.
Apply here: esp.ethereum.foundation/appl…
Here's how we got here 👇
1
6
302
Coinspect Security retweeted
Jun 3
BOMB "... found myself back in 2012. That year, Juliano Rizzo and I discovered CRIME, a compression oracle that recovered cookies from compressed HTTP headers. I was at Google at the time, so I was asked to review the fix, ... I just re-read my notes from that review..."
Introducing HTTP/2 Bomb: a remote DoS in nginx, Apache httpd, Microsoft IIS, Envoy, and Cloudflare Pingora. A single client pins 32GB of server memory in 10s. Found by Codex.
Blog post: blog.calif.io/p/codex-discov…
PoCs: github.com/califio/publicati…
2
12
1,837
Coinspect Security retweeted
Jun 1
Unfortunately, there is a hack related to @gnosispay and the "delay module".
Please be patient while we try to contain the damage. Rest assured, Gnosis will cover all user losses.
63
140
767
174,545
May 28
Thanks to @Giveth, @thedaofund, and the Ethereum community for backing our Wallet Security Ranking in the QF Round.
We're proud to be part of this ecosystem-wide effort.
We'll keep shipping transparent and open resources that help improve web3 end-user security — with more public goods to come.
1
8
18
592
Coinspect Security retweeted
BlockThreat - Week 21, 2026
$7.7M was stolen across 11 incidents this week.
10 hacks a week is the new baseline.
This week’s BlockThreat focuses on three attack vectors DeFi projects and security auditors should prioritize immediately.
1
3
12
856
🛡️ The results for the @thedaofund’s Ethereum Security QF Round are LIVE!
This historic round is closing with a HUGE last minute contribution:
@wintermute_t has added $200K to the matching pool 🔥
Wintermute is a well known liquidity provider, and one of the leading supporters of Ethereum security, in fact exactly a year ago today they donated $1M to @_SEAL_Org.
This year they teamed up with TheDAO, @Quantstamp & several other community partners to allocate over $1.6M worth of funding to Ethereum Security Public Goods 👇
79
105
377
142,267
May 27
"secure" has ingredients
May 27
In an ideal world all software and hardware would have "nutrition labels" that provide a full list of trust dependencies - what math and which actors' honest behavior (and on what time scale) the system is relying on to provide its core functionality and implied guarantees.
1
2
8
634
May 27
👀 The new Wallet Security Ranking repo started to move
Wallet teams: if you've improved your app since our last review, open an issue!
1
5
258
May 26
In wallets, the challenge is building features that are secure, respect privacy, and are usable at the same time.
A weak privacy feature can be worse than no privacy feature: it gives users confidence without giving them protection.
1
131
May 26
Privacy was on the checklist when we started the Wallet Security Ranking.
We tested security first because security is what makes meaningful privacy possible.
2
144
May 26
📢 Wallet Vendors:
Our Wallet Security Ranking is fully open & collaborative.
Spot a testing mistake?
Fixed an issue we flagged?
➡️ Let us know.
Just click "Report an issue with this check" on any wallet report (one-click GitHub issue template in our repo)
4
294
Coinspect Security retweeted
May 23
1/ From all the recent writeups, I pick a few to read carefully and enjoy while drinking 🧉 and eating chipa, the way I did before with every (yes) Bugtraq post.
This week:
Qualys ptrace LPE, CVE-2026-46333 — no AI
Linux PDF RCE, CVE-2026-46529 — human AI
Both are worth reading:
1
8
62
5,983
Coinspect Security retweeted
May 20
🚨GitHub CONFIRMS breach of ~3,800 internal repositories.
Root cause: Poisoned VS Code extension on employee device.
Exfiltrated: GitHub Actions, Enterprise, Copilot, CodeQL, billing/auth platforms more.
✅ No customer data impacted
Log analysis and secret rotation in progress.
3
13
5,879
Coinspect Security retweeted
May 20
TeamPCP post 4 hours ago:
We are investigating unauthorized access to GitHub’s internal repositories. While we currently have no evidence of impact to customer information stored outside of GitHub’s internal repositories (such as our customers’ enterprises, organizations, and repositories), we are closely monitoring our infrastructure for follow-on activity.
5
64
395
75,202