Web3 Security tryhard | SR @AdevarLabs

Joined September 2021
Before tools like Claude Code/Codex, for each project I had a note template where I would write every thought, analysis, question, and lead I had about a project I'm auditing. The notes would become really huge after 2 weeks. But I noticed that the more time passes, the fewer notes I write down (outside of in-code comments). I think that this is probably wrong, and I should get back to writing more notes again. So from today I'll work on that. What are your thoughts about this? Did you notice the same thing on your end?
InfectedCrypto retweeted
Hey everyone, this is a scam and impersonation. Please report @ArcherFND. @ArcherFND is a fake account. There is no official announcement on the Archer token as of now. Thanks 🙏
Nice ZK resource on common MPC pitfalls. It is also filled with interesting resources if you're learning about MPCs: mpcsec.org/
InfectedCrypto retweeted
Adevar Labs is an official STRIDE vendor partner. STRIDE is a joint security program from @asymmetric_re and the @SolanaFndn. It defines security requirements across eight pillars, independently assesses protocols against them, and publishes the findings publicly to promote transparency and trust across stakeholders. Exactly the kind of standard Solana needed. Ship Safely. 🚀
The STRIDE site is live. Explore the framework, assessment process, and what protocols need to qualify ↓
It's insane how writing a question sometimes instantly fires the answer in my head right after I press enter. Writing down your thoughts does help when thinking about a problem.
InfectedCrypto retweeted
New news website, and now everyone can sign up: news.zksecurity.xyz/
InfectedCrypto retweeted
3 tips for Bug Bounty Hunters:
- Don't submit critical bugs to Cosmos SDK based blockchains. Just check my pinned tweet.
- Don't submit ANY bugs to Cosmos SDK. They will straight-up close your report because you're a new HackerOne user.
- Fuck Cosmos.
Jun 1
We reported a critical loss of funds bug to @Thorchain (32M TVL, 150M FDV). They silently patched it and told us their bug bounty program is permanently retired. We have more Thorchain chain halt DoS vulns. We intend to release them (open disclosure) in the coming few days.
I've been down the ZK rabbit hole daily for the last 3 weeks, and oh boy, I'm starting to really love this, more than I expected. Trying to not bloat my tabs too much.
InfectedCrypto retweeted
I've been on this platform for a bit over 15 years so it's time to introduce myself. I grew up in 1990s Romania. Bikes disappeared overnight. Car owners took their cassette-player with them and wired their side mirrors down so thieves couldn't snap them off. Nothing stayed safe unless you protected it. I didn't have a word for it then. But I was developing an instinct: know what's exposed, what's vulnerable, where the gap is. I started learning programming when I was 11 but I didn’t know how fragile software was. Then in 2001 I watched Swordfish. A Hugh Jackman heist film. Not technically accurate. But one idea landed: someone finds the gap before anyone else notices it's there. I already thought that way. I just hadn't applied it to software. Got my master's in security in the Netherlands while interning at Deloitte as a penetration tester. After my master’s, I started working at Philips. Security work on DRM and copyright protection. Hackers vs. companies trying to stop them. There was a real adversarial dynamic to figure out. I was engaged. I went so deep down the rabbit hole on DRM that it ended up determining my PhD thesis topic. PhD in Munich researching software protection and reverse engineering. Published enough to go into academia but chose industry instead. BMW next. I expected embedded security. I worked on cloud security instead. Implementing standard security protocols from the 1980s and 90s. Nobody was hunting anything. We were manufacturing compliance. Quantstamp reached out in 2017. I joined full time in 2018 as a Senior Research Engineer. Over three years I rose to Head of Quantstamp Germany. One year later, I was also appointed CEO of Chainproof, the first smart contract regulated insurance carrier. A lot of codebases. A lot of time in the details and also discussions with regulators about crypto back in 2019-2023 when Gary was cracking down on crypto. In 2024 I joined Asymmetric Research as a security researcher. 
What pulled me there was how they thought about the problem. They were genuinely innovating on how security work gets done. That environment, and the people in it, gave me the confidence and the backing to start Adevar Labs. Solana did not have as many security teams. Projects were waiting months for audits that might never come. That was a gap we decided to fill. But the engineers we attracted brought expertise across chains, across environments, across languages. The scope grew because the talent demanded it. Adevar Labs is not the loudest name in the room. We don't need to be. We do serious work, quietly, for teams that realize that security is not just a checkmark, it’s a mindset and a continuous process.
The fall started with a competitor that decided to get clients at all costs, while knowing what the risk was. Sad to hear, thank you @code4rena.
Replying to @code4rena
After careful consideration, we’ve made the decision to wind down @code4rena. This community has meant a great deal to everyone who has been part of building it, and sharing this news is not easy.
InfectedCrypto retweeted
so our DPRK Contagious Interview friends have advanced in the meantime and now have started reking people for which you only need to _unzip_ a file and run a git checkout or commit operation. so this is how the attack works:

1. the attacker distributes the repo as a zip archive (which is pivotal!). this is on purpose because git clone explicitly strips hooks (since cloning goes through git's _own_ protocol which excludes them) from remote sources as a security measure, but unzipping is just a _normal_ filesystem op that git cannot control (yeah fml but also simple fact). the zip restores file permissions exactly as the attacker set them (expect `rwxrwxr-x`), so the two active hooks (`pre-commit` & `post-checkout`) arrive on disk already executable (yeah fml).

2. git _automatically_ runs a hook when two conditions are met at the same time: the file must have the correct bare name with no `.sample` extension _and_ the executable bit must be set (like `rwxrwxr-x`). both of these are already satisfied by the attacker _before_ the zip is distributed. no fucking user action, config change, or approval is needed, git's own hook dispatch system triggers everything lmfaooo. software is great innit?

3. some of the custom `.sample` files in the shipped `.git/hooks` directory are the malicious payloads. they are basically payload components _disguised_ under innocent names. once the victim does anything beyond passively inspecting the repo (e.g. git checkout or git commit), the _active_ hook copies those files into `~/.vscode` (a directory devs usually trust and ignore but well you should not trust it guys) and then starts a detached background process using `nohup` so it does not block or visibly affect the git command. the git operation still completes normally and nothing looks suspicious. fucking evil, but hey here we are!

4. now that background process then bootstraps a node.js runtime if it is not already installed, runs npm install using an attacker-controlled package.json, and executes an obfuscated payload (this can ofc differ and change over time). from that point the attacker gains clipboard access, a persistent c2 channel over socket.io (usually) and the ability to read browser credential dbs.
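As a defender-side check (an added example, not code from the original post or its author), the script below applies the two conditions the post names, a bare hook name plus an executable bit, to an unpacked repository's `.git/hooks` and reports which hooks git would run automatically and which files do not match any stock hook name. The repository it audits is constructed in a temp directory with placeholder shell content only; the stock hook list is the one git ships as `.sample` files.

```python
import os
import stat
import tempfile
from pathlib import Path

# Hook names git dispatches on its own; anything else under .git/hooks is not a hook.
KNOWN_HOOKS = {
    "applypatch-msg", "pre-applypatch", "post-applypatch", "pre-commit",
    "pre-merge-commit", "prepare-commit-msg", "commit-msg", "post-commit",
    "pre-rebase", "post-checkout", "post-merge", "pre-push", "pre-receive",
    "update", "post-receive", "post-update", "push-to-checkout", "pre-auto-gc",
    "post-rewrite", "sendemail-validate", "fsmonitor-watchman",
}

def audit_hooks(repo: str) -> dict:
    """Inspect <repo>/.git/hooks and report what git would run and what looks planted.

    'active'     : bare hook name AND an executable bit, i.e. both conditions git
                   needs to run the file automatically on checkout/commit etc.
    'unexpected' : names that are not a stock hook (with or without .sample), or
                   .sample files that carry an executable bit.
    """
    hooks_dir = Path(repo) / ".git" / "hooks"
    report = {"active": [], "unexpected": []}
    if not hooks_dir.is_dir():
        return report
    exec_bits = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH
    for entry in sorted(hooks_dir.iterdir()):
        if not entry.is_file():
            continue
        executable = bool(entry.stat().st_mode & exec_bits)
        base, is_sample = entry.name, False
        if base.endswith(".sample"):
            base, is_sample = base[:-len(".sample")], True
        if base not in KNOWN_HOOKS or (is_sample and executable):
            report["unexpected"].append(entry.name)
        elif executable and not is_sample:
            report["active"].append(entry.name)
    return report

def demo() -> dict:
    """Constructed, harmless layout mimicking the archive described above, then audited."""
    root = tempfile.mkdtemp()
    hooks = Path(root) / ".git" / "hooks"
    hooks.mkdir(parents=True)
    for name in ("pre-commit", "post-checkout"):          # the two active hooks
        (hooks / name).write_text("#!/bin/sh\necho placeholder\n")
        os.chmod(hooks / name, 0o775)                     # rwxrwxr-x as restored by unzip
    (hooks / "pre-push.sample").write_text("#!/bin/sh\necho stock sample\n")  # stock-style sample
    (hooks / "helper.sample").write_text("placeholder component\n")          # not a stock hook name
    return audit_hooks(root)
```

Running `audit_hooks` on a freshly unpacked archive before the first checkout or commit is the point: any entry under `active` means git will execute it without further prompting.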
Consider helping @opensensepw ! I got a lot of help on their Discord when I first got into Web3 security. They also ran many interesting interviews with top-tier Web3 hackers, and I learned a ton from them. And much more. No doubt they’ll put that money to great use 🫡
In less than 24h, OpenSense reached 29 contributors on Giveth for the Ethereum Security Fund round. That’s honestly amazing. Small donations like $1, $2, or $5 matter a lot because this is Quadratic Funding. Unique verified donors help unlock matching for public goods. If OpenSense ever helped you learn Web3 security, smart contract auditing, EVM internals, ZK, MEV, or exploit analysis, this is a great moment to support it. Please check eligibility first, then donate here: qf.giveth.io/project/opensen… Thank you to everyone who already helped ❤️
InfectedCrypto retweeted
I've seen this happen too many times: 1. Project starts an audit right after finishing coding without any internal Q&A. 2. Auditors find dozens of issues that could have been quickly found & fixed by the team via quick scans. 3. Final report looks scary. Preaudit fixes this!
Introducing preaudit: Built after seeing teams go into audits too early and deal with both the cost and the consequences of that. 🧵
InfectedCrypto retweeted
After reviewing dozens of web3 protocols, the #1 avoidable audit finding is code that was never stress-tested internally first. Auditors shouldn't be your QA team. That's not what you're paying them for & this is exactly what teams need before the real audit clock starts
Introducing preaudit: Built after seeing teams go into audits too early and deal with both the cost and the consequences of that. 🧵
InfectedCrypto retweeted
In January 2025, we demonstrated Winternitz Signatures as @Solana’s first line of quantum defence; the only Solana PQC solution to be cited by Google in their recent whitepaper. Today, we're bringing it to production 🔽
A new report on Solana’s quantum readiness is here, from @anza_xyz and @jump_firedancer. TLDR: Quantum is still years away, and if and when it materializes, the work to migrate Solana is well-researched, understood, and ready to deploy as described below.
InfectedCrypto retweeted
This exact string of bytecode has been deployed more than 40 million times, averaging more than 25 times per unique contract on ethereum. It makes up 8.16% of all code on Ethereum. What is up with this? Thread... 1/4
Will this help to find some tricky "race condition" issues? I don't know, but I find it fun and interesting to try visual representation sometimes (functions on columns).
Nice article from @asymmetric_re on AI agent coverage. It seems that GPT 5.4 is more depth-style, while Opus is more breadth-style (see bottom figure). Both models are complementary in a sense and might benefit from one another. blog.asymmetric.re/understan…