#web3 dev auditor | @SpearbitDAO LSR, @immunefi bug hunter, sage of AAVE codebase :D

Joined April 2008
Pinned Tweet
23 Jun 2024
During the next few days, I will share some of my private security research work that I have done in the last year. All those projects are @aave related, and I feel very proud to have been chosen as one of the security partners to review them. I'm pretty sure that the dedication and knowledge that I have demonstrated on their codebase has been a pretty good investment 😁 Those projects were very challenging, but at the same time it was fun and a pleasure because you always feel motivated and engaged when the quality of documentation, specifications and code is high quality. When @avara or @bgdlabs contacts you, you know that you are going to enjoy it. They are both a top-notch team to work with. The first one that I want to share is a.DI (Aave Delivery Infrastructure). It's a cross-chain communication abstraction layer for decentralised systems like the Aave DAO to communicate across networks, minimising the risk of underlying individual bridge provider failures, via consensus rules.
Jun 15
Do I have any Italian/European Apple dev that can enlighten me on availability of Siri AI at least for the beta development version of iOS?
Jun 14
The new Siri AI, as far as I can tell, pulls data/context from a Spotlight index, which is built with data "donated" by apps. Apps like WhatsApp, Telegram, and so on will probably never donate those entry points. Why would they? Users will have access to that information via Siri AI instead of opening their app (fewer ad views, fewer premium features paid, and less data/behavior harvested from the user to be later on sold). I guess that maybe we could try to build apps that will ingest exports of the chat backups from those apps and donate those chats (on behalf of the original app) to the Spotlight index? I'm not sure if the result would be the same. Also I assume that Apple needs to have some security logic/mechanism to prevent the Spotlight index from being spammed by fake donated data? Any iOS/Apple dev that can enlighten me on these topics? I think that 99% of the non-US users have zero usage of the iMessage system.
Jun 14
Correct me if I'm wrong, but from what I get, every context index in the new Apple OS 27 will be built with the data that is available on that device and won't be merged/shared across devices. This means that if I don't have an app installed (or it's not available) on a device but it's available on another one, those two devices will have different contexts/memories, and so they will provide a different experience, one less relevant to me. I understand the privacy reason but it does feel quite wrong and will be super confusing to the end user that won't understand why a chat "works" on a device but not on another that is connected to the same Apple Account. Users are expected to be in a synched ecosystem when using their Apple devices. This behavior is breaking Apple's ecosystem magic.
Jun 13
Since yesterday I was trying to build a small macOS Electron app that would allow me to take quick screen captures and chat with them... With Codex gpt-5.5 xhigh I have burned through the 5h window token limit 2 times without being able to get the app to request and approve the needed system permission on macOS. I don't get if the problem is the Electron docs, the macOS docs, or Codex itself but it really doesn't manage to make it work. It's really really frustrating as an experience. At this point the only option is to just take control and manually check what the hell is not working and see if the Electron docs have a solution. I mean, I assume that it's a common problem for any Electron app that needs to request any kind of system permission, right? It should be well covered by docs or even by Stack Overflow questions.
Jun 13
And I'm 100% sure that because it was stuck in that situation without really knowing how to solve it, it has tried any kind of shitty workaround to make it work, making the code a mess. After 25 years of coding experience as a fullstack developer you can feel it just by looking at the reasoning and what he's trying to do. It's like looking at a junior dev that does not know what to do and trying to stitch ugly code together to make it work in some way 😄
Jun 12
I feel like harnesses are basically just poorly stitched-together workarounds to make a model seem to work? I would really love to see what's behind the scenes and how they have been implemented.
Jun 12
From what I can see the model is the core block that can't be changed and the harness needs to work around the model's behavior. If something does not work, you can't change the model (even if the problem is there), you need to find a workaround.
Jun 12
That maybe won't be needed or won't work with the next model.
Jun 10
It's fascinating to realize that in the world of AI, nothing is known and written in stone. New terms are created and replace "old" terms and concepts, no one knows anything, and everyone is experimenting, no one knows how these "things" work and so how to properly use them.
Jun 10
It's very difficult when you want to learn a new topic/technology and your "old" approach in learning can't be applied.
Jun 10
I have not yet figured out if it's because it's an "always-evolving-tech", if it's because multiple players are building it and there's not a standard or because even those players don't know what's going on.
Jun 9
How much of all the new AI features presented by Apple will come to Europe? Probably close to zero. Nice.
Jun 7
I need to transcribe an audio file and recognize speakers. What's the best AI service/mac app for doing that? I'm using MacWhisper and trying both WhisperKit Large v3 Turbo and Parakeet v3 but they don't seem very reliable at least when they have to deal with Italian audio.
Jun 1
Am I the only one that thinks that sharing links between the iPhone and Mac through AirDrop is a mess and never works even if both my iPhone and Mac are 1 inch from each other connected to the same Wi-Fi? It never works. So frustrating 🥲
Jun 6
Can confirm, it basically never works. So, so annoying. I truly hope that @Apple fixes it with iOS 27.
StErMi retweeted
May 21
I'm looking for open and engaging discussions with protocols, clients, and fellow security researchers on how you're actually using (or planning to use) AI, LLMs, and Agents in smart contract security audits and day-to-day workflows. If you're experimenting with them (or thinking about it), DM me and let's chat. Topics I'd love to cover:
- Which model providers and models are you using?
- What tools or services have you integrated into your workflow?
- Where do they fit in your workflow and day-to-day work?
- Are you planning to adopt new tools or build internal solutions?
- Real results: have they helped find vulnerabilities, improve architecture, or improve code quality? Any concrete examples?
- What problems, frictions, or pitfalls have you encountered when using or integrating them?
- How much do you trust the outputs? Any concerns around over-reliance, bias, or becoming less thorough?
- How do you feel about the current state of the art and what's coming in the next 6–12 months?
Looking forward to hearing your real experiences and swapping thoughts on where AI is taking our industry. DMs open, let's chat!
May 29
@nikitabier there's something wrong in my "Following" timeline. I'm starting to see posts from people that I do not follow and there's no context attached to the post. Usually it would happen (in this timeline) if those posts were retweeted/fav/commented by someone that I already follow. But that information is not bound to the post I'm seeing. We have two options: the timeline alg is picking from the "For you" feed or you are not showing "why" I'm seeing those posts (who from my follow list has interacted with that post and how) anymore. In both cases there's a bug to fix.
Jun 1
@grok seems to confirm it as a "known bug". It still has not been fixed 🥲
May 31
Does Codex share knowledge with ChatGPT or is it completely isolated? Because I like the Codex UI/UX more than ChatGPT but I have a history in the chat and I would like to leverage that memory.
StErMi retweeted
My first blog post for @monad's security team is out. We spent a month building an AI system to hunt vulnerabilities in the Monad blockchain. Here's what we learned
May 26
I have so much that I want to learn, experiment with and build but so little time and energy after working hard all day long 🥲 Any labs that want to sponsor me? 😄