How to be a good auditor: 1. Stare at boring code for 8 hours and not find anything (because there are no bugs) 2. Do it tomorrow too (because there might be 1)

The `private` keyword in Solidity doesn't mean what you think it means. Marking a variable as `private` only restricts other contracts from reading it. Anyone can still read it directly from the blockchain. This misunderstanding has led to real security vulnerabilities. 🧵

As a smart contract auditor, I've seen math bugs drain millions from protocols. Here are the four main math libraries I see in production that every smart contract developer should know (and what causes issues with each): 🧵👇

If you are using LLMs to find bugs, you should use all of them — their blind spots aren’t exactly the same. As you know I’ve done extensive testing on LLM limitations. One particularly damning example. I was doing mutation testing on UniswapV2. Introducing one-line obvious bugs that allow draining the contract. Opus 4.7-4.8 looks at it “thinks”: this is just UniswapV2, how do I tell the user its safe without sounding condescending? Opus 4.6 finds the issue but thinks its minor and buries it among 20 info issues. GPT 5.5 Pro actually has the trouble of looking at the code line by line and finds the introduced bug and leads with it at correct severity. This is partially the reason why I think Anthropic isn’t in a good place. Im not sure what nonsense they are doing with RL and system prompts but their models are getting measurably worse in many ways. In this particular example youd be way safer using Opus 4.6 than 4.8 — even if you’d have lots of false positives. Of course this is a toy example. But those things tend to get worse at larger scales. And as a final note: you should also have human review. Obviously. But this is the sort of trivial thing devs should have automated tools for catching right away at this point.

The Reality of Becoming a Top 1% Security Researcher Most people think it's about intelligence. It's not. It's about surviving years of confusion, rejection, self doubt, and failure long enough to become dangerous. Here's what nobody tells you Let's dive in ➪ The internet only shows the wins. You see: ➣ Accepted bug bounties ➣ Audit reports ➣ Conference talks ➣ Hall of Fame achievements ➣ Research publications You don't see: ➣ 100 rejected findings ➣ Failed exploit attempts ➣ Weeks spent understanding one vulnerability ➣ Thousands of lines of code read for nothing Success is visible. The struggle isn't. ➪ Security research will make you feel stupid. A lot. You'll open a protocol and understand absolutely nothing. You'll read a Solidity function 20 times. You'll stare at an exploit writeup for hours. And you'll wonder if everyone else is smarter than you. They're not. They've just been confused longer. ➪ One lesson I learned: Feeling lost is not a sign you're failing. It's usually a sign you're learning. The best researchers aren't the ones who avoid confusion. They're the ones who stay with it long enough for understanding to emerge. ➪ Nobody talks about the 3 AM reality. The monitor glow. The cold coffee. The failed PoC. The endless transaction traces. The attack path that doesn't work. Then doesn't work again. Then finally works. The world sees the report. You experience the thousand failures before it. ➪ Security research is mostly being wrong repeatedly until you're finally right. That's the job. Not glamour. Not recognition. Investigation. ➪ Most people don't fail because they lack talent. They fail because they quit too early. The learning curve is brutal. Progress feels invisible. Validation is rare. Rewards are delayed. So people leave. The few who stay become dangerous. ➪ Consistency beats talent more often than people want to admit. Read code every day. Study exploits every week. Write research publicly. Repeat. Small efforts compound. ➪ The most underrated security skill isn't intelligence. It's curiosity. Elite researchers ask questions longer than everyone else. Why is this here? Why is this unchecked? Why did this exploit work? Why did nobody notice? Curiosity uncovers vulnerabilities. ➪ Most vulnerabilities hide inside assumptions. Attackers know this. Researchers should too. ➪ Another uncomfortable truth: Security research is mostly pattern recognition. The best auditors don't magically spot bugs. They've simply studied enough failures to recognize familiar attack surfaces. Experience is pattern recognition in disguise. ➪ Want to improve faster? Study: ➣ Historical hacks ➣ Audit reports ➣ Post mortems ➣ Exploit writeups ➣ Attacker behavior Every exploit teaches a lesson. Every lesson becomes intuition. ➪ Let's talk about the emotional cost. Nobody warns you about this part. Security can be lonely. You miss events. You skip outings. You spend weekends reading code. Sometimes you become obsessed. And sometimes that obsession is exhausting. ➪ Then imposter syndrome arrives. You compare yourself to famous auditors. Respected researchers. Top bug bounty hunters. You feel behind. Here's the truth: Even experts feel this way. They just keep moving anyway. ➪ Top 1% doesn't mean: ➣ Knowing everything ➣ Finding every bug ➣ Never making mistakes ➣ Being a genius Top 1% means: ➣ Showing up consistently ➣ Learning relentlessly ➣ Staying curious ➣ Refusing to quit ➪ If I could give one piece of advice to aspiring blockchain security researchers: Stop chasing shortcuts. Read code. Study exploits. Think like attackers. Build things. Break things. Write about what you learn. Depth beats hype. Every time. ➪ One day people will see your audit reports, findings, and achievements. They'll assume you were naturally gifted. They won't see: ➣ The confusion ➣ The failures ➣ The rejected reports ➣ The late nights ➣ The moments you almost quit But that's the reality of becoming a top 1% security researcher. Not brilliance. Persistence. ➪ The researchers who change the industry are rarely the smartest people in the room. They're the ones who refused to leave the room. If you're building a career in Smart Contract Security, Blockchain Security, or Web3 Security: Keep going. Your future expertise is being built in today's confusion. Repost if you're on the journey.

🤯An AI security tool has 1st-place performance on security contests from just 1yr ago. Solidity-auditor v3 is out, FREE & Open Source. Thousands of Solidity developers are using the tool already. Upgrade your security baseline, use the tool🫡 pashov.com/solidity-auditor-…

Invariant testing is one of the most powerful features in Foundry. It's also one of the core pillars for security. This is one of the best tutorials you will ever find. paragraph.com/@horsefacts/in…

also covers the AI angle properly because "just use AI" is not a strategy tools, checklists, methodology, all free github.com/Raiders0786/web3-… like/rt if it helps someone. want to add something raise a PR

auditing broker-based prediction markets is a trap if you audit them like an amm. there may be no on-chain price discovery at all. the real invariant is: user intent → escrow → keeper fill → position → refund/claim so hunt the breaks between those arrows. can a delegate debit the wrong account? can a keeper-only path be reached by a user? can `cancel` and `fill` both touch the same order? can `close` and `claim` both settle the same position? does payout use stored ownership or caller input? in broker systems, price is often trust. custody, routing, and state transitions are where the critical bugs live.

in bridge audits, don’t just verify the cross-chain message is authentic. verify the payload still means the same thing on both chains. recipient on chain a might mean “wallet address” but on chain b it might mean “account object id” same bytes. different meaning. stuck funds.

I unlocked 19.329 Ξ (40,590$) on Ethereum and returned them to their original owners. The funds had been stuck in two old contracts for years, recoverable through public functions that nobody had ever called.

Oracle attacks are a reminder that clean code can still encode bad assumptions. You can pass reviews, tests, and style checks - and still fail adversarial reality. The move is learning the attack *class*, not just memorizing one incident. Patch Euler but miss the class behind it, and the same assumption takes down a different protocol. smartcontractshacking.com/at…

New: We just launched the BEST Web3 opportunities page! Bug bounties & Audit competitions aggregated all in one place in a beautiful customizable UI. Check it out here: smartcontractshacking.com/to…

One of the best articles for Web3 bug bounty hunters. Explains: • how to choose high-ROI targets • why complexity hides critical bugs • what not to waste time on • how to avoid getting lowballed Must-read for serious hunters. 🔥 whitehatmage.github.io/posts…

6 AMM exploit writeups that teach real security. ○ Kyberswap 🔗 100proof.org/kyberswap-post-… ○ Raydium 🔗 immunefi.com/blog/all/raydiu… ○ Balancer 🔗 t.me/defendor_eng/792 ○ Yearn Pools 🔗 t.me/defendor_eng/932 ○ dHedge Bounty 🔗 t.me/defendor_eng/1106

Ironically bugs don't matter in bug bounties. Only exploitable paths do.

This repo taught me more Solana security than any course.

For all the auditors getting scared by this contests market shift - let me walk you through bugonomics history 🐛🪨⏬ 1⃣9⃣9⃣5⃣ Netscape (old browser) paid researchers for bugs which was radical at the time 2⃣0⃣1⃣2⃣ @Hacker0x01 and @Bugcrowd dominated the bounty space and no notion of contests they had private invite-only events which is close, but a contest model didn't fit large web2 companies e.g. Uber Airbnb etc - don't want 500 hackers hammering their servers at a single week 2⃣0⃣2⃣1⃣ @code4rena realized that contests are of different nature: - Smart contracts store loads of money directly, and get hacked like crazy - Smart contracts are "immutable" - once deployed must find bugs before launch - Open source means auditor can fully understand logic, not just probe blindly - More auditor attention, better results For protocols - contests costs more than bounty Let's think like a protocol for a second 🤔 contest = coverage, more eyes, pre-launch safety net - Pay $200k pool upfront - Runs 1-4 weeks - Payout regardless of findings quality (money still gone) bounty = sparse coverage, reactive not proactive - Pay $0 until valid bug reported - Only pay on confirmed severity - Treasury preserved until hit in bull markets - protocols don't want to get hacked, they spend what they can (contests bounty after) in bear markets - same, but now protocols have no funds - bounty is cheaper 2⃣0⃣2⃣5⃣ bear market gets worse, AI spamming submissions left and right making triaging costs increase exponentially 2⃣0⃣2⃣6⃣ even worse - still bear market, MORE (way more) AI and there are less new protocols on top of it all That's why today we are back to web2-style bounties. The protocols that make real money, real impact. In 2015 people made a living of web2 bounties, this ain't different @immunefi @HackenProof @xyz_remedy all are live and kicking, and there's money on the table for you to take, harder than before, true - but since when hard stopped us?