Joined June 2023
Pinned Tweet
23 Jun 2025
I'm happy to share that I’ve joined @certora as a Security Researcher. After a year and a half working mostly solo, joining such a talented team feels like the right next step in my journey. Grateful and proud to reach this point. 🫡
zanderbyte retweeted
Every AI auditor now does the same boring thing. So I went and fused the 4 security pillars into a singular pipeline:
- Static analysis
- RAG vulnerability search
- Recursive depth analysis
- Fuzzing and testing

Fully autonomous 🤖
Fully open-source 🔓
Going live tomorrow 🚨
zanderbyte retweeted
30 EPISODES LIFE ... ON THE BLOCKCHAIN
zanderbyte retweeted
I just saw a “We warned Balancer” post from a multifollower legitimate account. I hope someone finds the private key for the zero address and this circus ends.
zanderbyte retweeted
10 Oct 2025
I miss the good ol CT with sick write ups, protocol break downs and tips, at the very least it was core protocol devs with near organ failure. These days it’s a bunch of whiny little cunts crying about their ai auditor had issues rejected, or some guy got sick with the flu.
zanderbyte retweeted
man, Bulgarian aura not only helps auditing better, it helps grapple better. thanks for the cool rashguard, @zanderbyte.
zanderbyte retweeted
web3 security Twitter lately:
> Company A, B, C: Our AI tool outperforms all the bad security companies on the market
> Pashov shows up at ETH Bulgaria in a Lamborghini
> Certora onboarded the nation of Bulgaria to do audits for them
crazy time to be alive
zanderbyte retweeted
Hey chat, we’re hiring Formal Verification Engineers at Certora. I’ve noticed many security researchers in the space already use formal methods during audits, now it’s time to go deeper. We’re looking for solid professionals with backgrounds in math, computer science, or formal methods. If you want to work with a top-notch team and feel like this is for you, send me your CV, and please repost to help me find some legends.
zanderbyte retweeted
23 Jul 2025
Went sidequesting in Bulgaria and got to meet the boys. @nmirchev8 @n4nika_ @dethSCA @KrisApost1 @xb0g0 @zanderbyte @MartinMarchev
zanderbyte retweeted
6 Jul 2025
I watched a movie yesterday, and one quote I've heard stuck with me: "Don't doubt yourself, son. Doubt kills." It's a powerful mindset, don't second-guess yourself. Doubting yourself and your abilities is like ignoring your instincts, convincing yourself that the code is perfect. What you really need is a shift. Instead of doubting your skills, doubt the code. Very often, the issues are in front of your eyes, and what you need is a little shift in your mindset and how you look at a certain function. Don't verify it works, find when it doesn't. Assume there are bugs - believe it. Because doubting the code is one of the most effective ways to find a helpful idea. And once you find one, you're already a step closer to the solution. More on that soon.
zanderbyte retweeted
Not sure about you but the toxicity in the space lately feels a bit sad. One of the reasons I joined web3 was the culture. Open, collaborative and low on ego. No gatekeeping & no politics. Lately, it feels like there’s more drama than building. Companies and SRs taking public shots at each other. We’re still such a small space. Most of us know each other. We’re supposed to be building this industry, not tearing each other down. We don’t have to agree on everything. But we do need each other to make this thing work!
zanderbyte retweeted
12 May 2025
Thoughts on bounty hunter life in light of this finding. To find this mainnet critical, 2 auditors spent 5 weeks doing nothing but auditing Bunni until in the 5th week they found a beautiful exploit which could drain user funds. This was psychologically "easy" because the auditors were being paid while doing a private audit. But what if they were not being paid and just bounty hunting? Could you do nothing else but bounty hunt one protocol for 5 weeks? During that time, would you say "no thanks" to multiple lucrative private audit offers, reject multiple contest opportunities, set aside all other potential work and income in order to remain 100% focused on Bunni's codebase - with no guarantee of successful finding or a payout? When would you give up? Week 2, week 3, week 4? How many auditors could dedicate 5 weeks sacrificing other lucrative opportunities all without any $ coming in, in order to remain 100% dedicated and focused to reach the mainnet crit in the 5th week - with no knowledge that the mainnet crit even existed? Makes me think that there are plenty of other mainnet crits available out there, but the required unpaid time to find them is too psychologically & economically daunting for many current market participants.
3 May 2025
The Bunni team has made a write-up of the exploit discovered by @cyfrin that could've led to the theft of user funds. In the write-up we describe in detail what the issue was and how we addressed it. blog.bunni.xyz/posts/bug-dis…
12 May 2025
When the whole warden calendar looks like a desert… but @cantinaxyz goes brrrrrr
26 Apr 2025
Don't worry. Cantina will single-handedly bring back the bull market.
zanderbyte retweeted
9 May 2025
Secured 4th place in the @BitVaultFinance contest on @code4rena . It was a Liquity V2 fork with custom added logic. I focused on key parts the sponsor wanted to emphasize, with some of my findings directly addressing those areas. Despite providing extensive additional arguments, these were downgraded to QA. Ultimately, the judge has the final word. However, I’m happy to have contributed to the security of the protocol.
zanderbyte retweeted
30 Apr 2025
Another day in Wardens Twitter
zanderbyte retweeted
12 Apr 2025
PSA: If you're using `tx.origin == msg.sender` to prevent smart contracts from interacting with your contracts, please read this. The next Ethereum hardfork (Pectra on May 7th) includes a change that allows you to work around this check (EIP-7702). If you built your smart contracts to only be interactable from externally owned accounts (EOA), please double-check your assumptions. This was common in some early DeFi contracts. I heard from a founder of a DeFi protocol that blackhats are already testing for this. Do not wait!
11 Apr 2025
If you ever struggle with fixed-point numbers while building or auditing smart contracts, this tool from @ABDKconsulting helps convert 64.64 or 128.128 HEX values into human-readable decimals: toolkit.abdk.consulting/math… Bookmark it and use it next time you're facing some weird numbers.
