Web3 Security Researcher and Master in AI 🧑‍🔬 Working with @sherlockdefi and @cyfrin 🦅 @DefendersAudits chaindefenders.xyz

Joined May 2024
Pinned Tweet
29 Nov 2024
Another day, another win! 🏆 I’ve managed to find a High vulnerability in one of the biggest projects in the web3 space @usualmoney! Thanks for the opportunity 🫡 @sherlockdefi If you want me to secure your protocol, don’t hesitate to contact me! 🔥
One project that you should definitely check 🫡
4 out of 5 AMM liquidity providers lose money. Not bad luck. Structural loss. Helm changes that. LPs stay hedged in real time. Spot liquidity powered by Hyperliquid. Private beta soon. Follow and DM for access. Take the Helm.
🚨 Kelp DAO hacked for ~$292M – 2026’s biggest DeFi exploit so far. Attacker forged a cross-chain message via Kelp’s LayerZero-powered rsETH bridge, draining 116,500 rsETH (~18% of supply) in one lzReceive call. No core code bug—root cause tied to 1-of-1 DVN config + compromised validator node. Funds used as collateral on Aave/Compound/Euler, creating massive bad debt. Kelp paused contracts in ~46 min; Aave & others froze rsETH markets. Lesson: Cross-chain bridges remain high-risk. Config errors + trust assumptions = expensive mistakes. Kelp + LayerZero investigating with auditors. Stay safe out there. #DeFi #CryptoSecurity
Two years since I watched my first Web3 security video from PatrickAlphaC (@PatrickAlphaC). That single video completely shifted how I viewed smart contracts — it opened my eyes to the critical importance of security and sparked my deep dive into auditing. 🤿 Two years later, the difference is night and day! 🔥
Best part of Web3 security? Diving headfirst into brand-new protocols. Fresh code. New invariants. Zero hand-holding. You instantly become builder + hacker at the same time. Nothing else hits harder 🔥 #Web3Security
I'm currently auditing a protocol that integrates Curvance - and it's one of the most architecturally interesting DeFi lending layers I've seen lately. If you're a web3 security researcher, this is worth your attention 🔥 Curvance = modular, risk-isolated, productive-collateral money market (live on Monad ~$57M TVL). Deposit LSTs/LRTs/LPs that keep earning yield while borrowing at high LTVs + one-click leverage looping 💰
Key security features + limitations auditors should check 👀:
• 20-min MIN_HOLD_PERIOD cooldown on deposit/borrow/repay/withdraw → anti-flashloan & oracle manipulation shield ⏳
• Fully isolated markets (no contagion risk) 🛡️
• Supply & Borrow Caps per market
• Dual oracles (Redstone/Pyth/Chainlink) + circuit breakers + conservative pricing
• MEV-capture liquidations + modular plugin system with calldata checkers
Zero exploits since launch. Code fully open-sourced. Audits (TrustSec, Trail of Bits, Sherlock, Cantina) public here: → github.com/curvance/curvance… Contracts: github.com/curvance/curvance… Docs: docs.curvance.com App: app.curvance.com Bug bounty live 🐛 Fellow researchers — what attack vectors or edge cases do you see around the cooldown, caps, plugins, or isolated pools? Drop them below or DM me 👇

PeterSR retweeted
There have been so many supply chain attacks recently… Maybe @DefendersAudits we have a solution? 🤫
🚨 Why Most “Clean” Web3 Audits Are Still Getting Protocols Drained in 2026 Over 70% of major exploits in the last 18 months came from contracts that had been audited.
4/ What actually separates survivors from victims:
• Multiple independent audits (different firms + different approaches)
• Full-scope review (contracts + deployment scripts + access control + OpSec)
• Fix verification BEFORE mainnet
• Continuous monitoring + bug bounty + red teaming post-launch
• Treating security as an ongoing process, not a one-time event
5/ Harsh truth for founders: Your users don’t care how many audit badges you have on your site. They care whether their funds are actually safe when shit hits the fan. A proper security program costs real money. But losing 30-80% of TVL because you cut corners costs a lot more. If you’re raising or launching soon, stop treating audits like a marketing expense. Treat them like the insurance policy they’re supposed to be. What’s one security practice you wish more projects took seriously? Drop it below 👇
PeterSR retweeted
🧠 Claude Best Practices for Web3 Auditors (Skills + Prompting Edition – April 2026) Claude (Sonnet/Opus 4.6 + Claude Code) is now the #1 co-auditor for smart contracts. Here’s exactly how top auditors use it to catch novel logic bugs, economic attacks & invariants that Slither misses.
🚨 Why AI Security is CRITICAL in 2026 AI isn’t just a tool anymore — it’s the new perimeter. Web3 teams use LLMs for email filtering, scam detection, wallet monitoring, threat intel, and even on-chain analysis. But here’s the problem: AI has its own attack surface. Prompt injection, jailbreaks, and model poisoning are no longer theoretical.
5/ This was one of the first public cases of attackers “speaking LLM” to bypass defensive AI systems. Exactly why OWASP lists Prompt Injection as #1 LLM risk.
6/ In Web3, where millions can disappear in one click, we can’t afford to treat AI security as an afterthought. Attackers are adapting faster than defenders. If your stack uses LLMs for security — audit those prompts. Harden your inputs. Assume they’ll be injected.