Honored to be selected🫡

happens to the best of us

nice work zero cool. if this security thing doesn't work out maybe you should try hollywood 🤣 lmeow

yAudit has a secret weapon. 🤫 Earlier this year, we developed yAgent, our in-house AI auditor. We've run it on every review since March, and it's really changed the way we work and raised the bar on our security reviews. Our researchers can go deeper on the code, move faster, and explore more ideas as they go. yAgent handles the groundwork so the team can spend its time on the hard problems. The tool was built on top of the award winning vulnerabilitiy detection engine developed by @zerocool_ai. We added our own workflows, knowledge bases, and custom skills to replicate the expertise and approaches we've developed over the years through auditing DeFi's biggest protocols like Yearn, Euler, and many more. We'll be sharing more details soon, including case studies, experiences, and tips for those trying to implement AI into their security process.

I used property testing during a Solana AMM audit. This blog post walks through the seven properties and their reasoning, the sequence-based test structure, and a case where my own test had a bug that looked like a real finding: s3v3ru5.github.io/posts/sola…

The Tangent protocol has undergone extensive testing and auditing, including 100% unit test coverage, fuzzing, and a total of five audits. Many thanks to @EgisSec, @sherlockdefi, @PashovAuditGrp, and @ZeroCool_AI for their work, which helped us secure $USG. Links below 👇

Working with @ZeroCool_AI was a great experience. Their tool demonstrated a strong understanding of our codebase and its context, delivering relevant and valid findings. We’d encourage every protocol to give it a try!

amazing news!

A partial liquidation can leave bad debt and drain a borrower's entire collateral, even at HF = 0.99, if LT * (1 bonus) >= 1. @D4r3_D3v1L_ checked 22 protocols using partial liquidation. 4 are vulnerable, 6 have on-chain constraint. I wrote two posts breaking this down:

I was farming airdrops and reading the Ethereum yellow paper in the front seat of my Uniswap police cruiser when a ping came in. It was the chief. “Bad news, detective. We got a situation.” What? Did Solana go down again?” “Worse. Somebody just launched another layer-2.” The hardware wallet practically fell out of my hand. “My God. How many do we have now?” “Hard to say. Every time we count them, three more appear funded by a16z & Paradigm.” I lit a cigarette and refreshed the mempool. “What’s the damage?” “Billions in venture funding. Thousands of tweets about ‘Ethereum scaling.’ A whitepaper written entirely in diagrams of arrows pointing at other arrows.” “Do we have any leads?” “Only that the founders used to work at Coinbase.” I shook my head. “Typical.” “Listen,” the chief said. “We’re going to track this thing down and shut it off before it launches a token.” “Easy, chief,” I said. “Tokens are the foundation of the modern startup business model.” He sighed. “Just get down there and see what you can find.” Ten minutes later I was at the scene: a co-working space filled with beanbags, venture capitalists, and a giant TV displaying a dashboard that just said “TPS.” “Coinbase™ Presents The Police!®” I yelled, flashing my badge, my hardware wallet, and a laminated screenshot of Vitalik. “Nobody pivot unless you want to!” They didn’t. “All right,” I said. “Which one of you punks launched the new rollup?” A man wearing a hoodie that said “Zero Knowledge, Zero Revenue” slowly raised his hand. “It’s not a rollup,” he said nervously. “It’s a modular settlement-availability execution layer.” I squinted at him. “That’s a rollup.” The room murmured. “Listen,” I said. “Without a strong economic incentive, I’m not investigating anything. Are you people going to pay me?” A venture capitalist stood up. “We can offer you an allocation in the seed round.” “I don’t work for equity,” I said. “I work for tokens that unlock in eighteen months and immediately go to zero.” Just then an intern ran in. “Detective! The protocol just hit a billion dollar valuation!” “Already?” I asked. “We haven’t launched anything yet.” “Of course not,” I said. “That would be irresponsible.” Suddenly the founder made a break for the door. “Paradigm™ Freeze, Scumbag!®” I yelled. Too late. He was already halfway down the hallway tweeting “gm.” I chased him. “Stop right there!” I shouted. “You can’t keep launching infrastructure companies that only exist to make other infrastructure companies slightly more complicated!” He turned around. In his hand was a pitch deck. He fired. I ducked as a slide titled “The Future of Decentralized Modular Interoperability” whizzed past my head. “All right!” he yelled. “I confess! I built the protocol!” “Why’d you do it?” I asked, slapping a pair of Ledger™ Hardware Handcuffs® on him. “Because I was afraid.” “Afraid?” “Afraid there might be only twelve crypto infrastructure startups instead of thirteen.” I nodded slowly. Years ago, a man like this rugged my partner with an NFT project called Pixel Apes but With Hats. I looked him dead in the eye. “Listen carefully,” I said. “No matter how many rollups you launch, no matter how many seed rounds you raise, you will never destroy the dream of a decentralized financial system.” He lowered his head. “You’re right,” he said quietly. Then a venture capitalist walked up and handed me a term sheet. “Good work, detective,” he said. “We’d like to lead your next round.” I signed it immediately.

Here's how Zero Cool has performed in competitions: 1st place @Rain__Protocol (672 submissions) 1st place @DexlynLabs (72 submissions) 2nd place @MentoLabs (726 submissions) 6th place @0xsequence (664 submissions) 6th place @OpenEden_X (43 participants) 25th place @monad (952 submissions) $20K bounty (Immunefi) 100 confirmed findings across 40 contests. 25th all-time @HackenProof, 7 critical, 29 high severity. We're just getting started.

I think there is an interesting result here: Some skills actually perform worse than the baseline model. It'll become increasingly important to curate, maintain and prune the skills that you've got set up to find bugs.

fun and interesting to read

with skills quality is definitely > quantity

powerful. I watched this to the end

Amazing work

Announcing the Solidity Testing Handbook ✨ Fully free, one-stop resource for Solidity developers and security researchers. Resources are currently scattered across blogs, docs, and forums. I found it difficult to keep track of everything in one place. This handbook aggregates all testing patterns from basic unit tests to advanced mutation tests into a single, well-organized guide for quick reference. It’s built from my own learnings and best practices observed in popular codebases. soliditytestingbook.com/

I’m here for all the open sourcing of skills, techniques and, ai projects. it’s been quite a renaissance of people sharing tools and experimenting reminds me of the Huff days 👀👀

Happy Lunar New Year to those who celebrate! x.com/i/status/2023416426984…