Just sent the audit report to the client. Right after, jumping on a brand new Move audit, all pumped up. Your attitude towards work is determining your performance in the long run. You don't have to audit, you GET to audit. Say it out loud and go find those bugs

When auditing, it can be hard to step back from the code and think of tricky attack vectors. This is why having an external POV from an auditor without prior knowledge of the code throwing ideas can be useful. Legend has it this is how @BowTiedDravee arrives to give you bug ideas

When starting your web3 auditing journey, your priority is to miss a lot bugs as fast as possible in contests. However don't miss them, cry and miss them in the next competition. Take this frustration to study them so they get anchored into your brain. Fail fast learn fast

Web3 security researcher after missing a bug in an audit contest

AI has been a game changer in my web3 security career. I mainly use it as a study buddy to help me learn more about the project I audit. When it comes to writing PoC, it is even better but I very often find myself looking at the wall while it finishes it 🤡

I can't be the only security researcher right?. Imagine you identified an exploit, you know it will make a great vulnerability to report but. You only see the end of the exploit path. All you need is that one PRECONDITION, that tiny oversight to rack up the money

This is why web3 auditing feels like magic:. You jump into a brand new section of the code, feel lost, have no clue what is going or what the maths are meant for. You struggle and the code is a mess so you take a break. You come back and now everything is clear. Dark magic✨

This was a thread about what happens under the scenes when transferring WSOL on Solana but there is an additional feature I'll discuss about later so stay tuned. In the mean time, keep interacting with WSOL like any other SPL Tokens since this whole mess is handled implicitly ;).

This seems like a lot to do for a simple transfer. Fortunately the SPL Token Program is aware of that and will do it under the hood if it detects you are interacting with the WSOL Mint (So11111111111111111111111111111111111111112).

To make the ATA's token balance reflect its new lamport balance, you must call the "syncNative" instruction from the SPL Token Program. This updates the "amount" field in your ATA to match the quantity of lamports it holds.

The amount of WSOL in an ATA represents the amount of native SOL (lamports) the ATA account holds. To wrap SOL, you don't mint WSOL out of thin air. Instead, you simply transfer native SOL (lamports) to your WSOL ATA. However 1 extra operation is needed for the lamports to sync!.

Transferring standard SPL Tokens from your ATA to another ATA will simply decrease the "amount" field from your ATA and increase the "amount" field from the receiver's ATA. The total supply of tokens is originally created out of thin air by the owner of the token. How about WSOL?.

Before using a standard SPL Token, you first need to create an ATA (Associated Token Account) for this specific token . Then you'll be able receive tokens from your friend's ATA to your own ATA or yourself transfer tokens from your own ATA to your friend's.

On Solana, fungible tokens are called SPL Tokens and just like on Ethereum, you can wrap the native coin to integrate it easily in DeFi protocols. However, the wrapped SOL coin (WSOL) needs to be handled in a special manner compared to other SPL Tokens. Let me explain 🔽

Been listening to @bountyhunt3rz podcast everytime I take a walk. For all security researchers wanting to reach god level but feel like they are stuck, I recommend checking out the episode with @0xFlint_. The discussion gave me fuel to work better/harder.

You have been auditing for the entire day, your brain is melted, one last function and you can finally rest!. Unless the function uses another function which calls another functions which in turn triggers another function. We hate to see it but that is what we signed for

Strongly believe we, security researcher, have a fundamental role to play in the web3 ecosystem. We are basically super heroes that are able to protect people from getting robbed.

Giga chad security researchers don't have time to date. Giga chad security researchers have to deliver a bug-free codebase

Spotted @cantardixyz at the @cantinaxyz event at Cannes

This audit was challenging. Not in terms of complexity but in terms of providing value to the protocol. I believe we made the dream team for this particular engagement, taking the project's ecosystem into our thought process and challenging each other ideas. A real bless 🙌🏼.