Truly honored to be recognized by a legend in the space!

Asking AI to secure your code is a coin flip. Adding "secure" cuts vulnerabilities up to 42%. I tested the other 58%. SMS login. AI chatbot. Stripe billing. What slipped through could bankrupt a startup. Security is a process — not a vibe.

i installed OpenClaw on my MacBook. 2 hours later an attacker had full access to my machine and injected a malware that spread itself to every developer who pulled our repo it went undetected for DAYS. I only found it by accident i was debugging a build error, opened babel.config.js. Cursor flagged obfuscated code hiding at the end of the file, past column 300, hidden behind hundreds of invisible spaces. a wall of encrypted JavaScript invisible in every editor we pasted the wall of code into Cursor and said "what is this." it decoded the three layers of obfuscation, 1. string shuffling cipher 2. hidden eval() 3. then the real payload it was a remote access trojan that could run any shell command on the targets computer, the javascript would pull the remote code from deployed code on the blockchain so the attacker could control it anonymously but even more insidious was this: every time a developer pulled main and ran dev, the malware executed on their machine, injected itself into their other repos, and pushed using their credentials. a self-spreading worm. It then modified git history to cover its tracks full forensic breakdown and detection commands: tylerhenkel.com/blog/opencla…

Your AI assistant: The most helpful insider threat you will ever hire. x.com/_jasondoyle/status/200…

Another audit done and dusted 👊 Excited to help bring more apps to the @AbstractChain Portal for official listing.

I bypassed MetaMask’s security filter by swapping a decimal value for binary. 🔍 Pentesters, add this evasion technique to your arsenals... JavaScript parsers don’t always normalize all four types of number literals. Decimal and hexadecimal are the most common, but overlooking binary and octal can lead to an exploit. For example, in JS these are all the same number: 1000000 === 1000000; // true (Decimal) 1000000 === 0b11110100001001000000; // true (Binary) 1000000 === 0xF4240; // true (Hexadecimal) 1000000 === 0o3641100; // true (Octal) Substituting these values is exactly how I found a bypass of Blockaid’s security filter inside MetaMask—turning a red phishing alert into a yellow error message. And in a real crypto phishing attack, that’s often the difference between hesitation and clicking "Confirm" on the wallet draining transaction. Here’s a quick video demo from my private report to Blockaid last year—showing how a simple format change prevented Blockaid from recognizing a malicious wallet address. 👇

I bypassed every anti-scam browser extension in Web3 before the scammers could. Pentesters will enjoy this one… Old news, but wallet drainers as a service have been including built-in bypasses for anti-scam extensions like Pocket Universe and Wallet Guard—letting attackers phish users undetected. Instead of waiting for scammers to exploit them, last year I went ahead and found more detection bypass vulnerabilities in over six security extensions, including Blockaid’s integration inside MetaMask—and reported them before they could be weaponized. One particularly interesting bypass in Wallet Guard involved spoofing an invalid chain ID to manipulate detection logic—potentially allowing phishing pages to slip through. Here's a quick clip demoing the proof-of-concept bypass.

One of the most common security vulnerabilities I see in web dApp assessments is relying on signed messages (i.e., personal_sign) for authentication. Web3 dApps often use personal_sign for authentication, assuming it’s secure because only the owner of the wallet can sign messages. But what if attackers trick users into signing something they shouldn’t from a fake site? The Risk: An attacker can phish a signature from a user and reuse it to impersonate them, transfer offchain assets to a new onchain wallet, or execute layer-2 transactions—without needing their private key. Actual Findings: - The ability to phish admin account signatures to access their cloud hosted airdrop portal for unauthorized minting of assets. - The ability to takeover player accounts and their in-game NFT assets. How to Fix It: - Require two-factor auth for sensitive state changing actions - Implement strict CORS policies to prevent phishing attempts - Require domain-bound signatures (EIP-4361: Sign-In with Ethereum) - Use a nonce in signed message requests to prevent replay attacks **The risks vary depending on if you're operating on a layer 2 protocol, use a Web2 backend, or are using pure web3 infra without a backend. If your dApp uses personal_sign, how do you prevent signature reuse?