guhu Profile
guhu

@Guhu95

Followers
1K
Following
2K
Media
48
Statuses
295

Bug collector

Joined April 2023
@Guhu95
guhu
7 hours
Hot takes about the attack: 1. "Upgradeability is a vulnerability" for one more reason. 2. UUPS was always a mistake. "Premature (gas) optimization is the root of all evil". 3. Reliance on web2 infra was root cause again. Without etherscan bug attack is useless.
@dedaub
Dedaub
2 days
Just mitigated: The CPIMP Attack – a stealthy front-running exploit infecting 100s of DeFi proxies across many protocols. Attacker inserts hidden proxies that self-restore, spoof Etherscan, and lie dormant for high-value strikes. Tens of millions at risk.
@Guhu95
guhu
7 hours
There are just two types of bugs: 1. Input validation. 2. Logic bugs. Can also be called "output generation". ̶3̶.̶ ̶O̶f̶f̶-̶b̶y̶-̶o̶n̶e̶.̶.̶ that's a logic bug. Access control, price oracle, reentrancy, external calls, are all because of unchecked inputs of some type.
@p_misirov
P.M
14 hours
top 10 smart contract vulnerabilities in 2025 by OWASP 10
@Guhu95
guhu
19 days
Simplest form: num solos ≈ num unfound
@Guhu95
guhu
21 days
You can measure how vulnerable the code is after a contest. This can help: - Projects and users to estimate hack risk. - Bug hunters to scope targets. - Ecosystem to track what works best. - Platforms to manage reputation risk. TL;DR: More solo findings -> more hidden bugs. This
@Guhu95
guhu
21 days
The industry after @wellbyt3's thread with data on number of solos per format / platform / pot size / nSLOC ratio?
@Guhu95
guhu
21 days
### Links - - - ### Stats nitpicks. Directionally most nitpicks don't matter here, since "more uniques -> more hidden bugs" remains true. But: 1. We assume mostly independent auditors, because of.
@Guhu95
guhu
24 days
Stared at the code so hard that a 5 year old bug crawled out. Nothing like finding an attack that hundreds of people missed for years to want to keep hunting. The 60k helps too😎. Plenty of bugs out there, even in simple ol' Solidity. Thanks to the project and @immunefi!
@Guhu95
guhu
29 days
Audits - pay for guaranteed level of skill and effort. Contests - pay for many eyes on the code. Private contest - pay for... what exactly?
@0xKaden
kaden.eth
30 days
inb4 all competitive audits become invite-only.
@Guhu95
guhu
1 month
Linea is living in the future: in the one where a 100k bounty is enough to secure 370M of user funds on a ZK L2 😰. No need for "highs" either: users there don't mind liveness failures or frozen funds for any duration.
@ethereumJoseph
Joseph Lubin
1 month
Linea is now 100% proven/verified, no emulation, no translation. Linea is just Ethereum, 100%. Internal milestones are getting knocked down. The major arc of the Linea story is starting to unfold.
@Guhu95
guhu
1 month
Tip for POCs in big codebases: use git blame to find the tests to use. It's the closest thing to just asking the devs. Can be annoying to find the best test for a POC setup (even with AI) manually. Instead, blame on the buggy line -> check the commit / PR, and it will often have
@Guhu95
guhu
1 month
Reading new contracts
@Guhu95
guhu
1 month
The whole thread is great, but this insight is my favorite. It's also why perps dexes keep rising and dying. Each incumbent is killed by new ones, eager to lose more money (LP or incentives) in order to grow. Reflexivity of liquidity does the rest, and a new incumbent is born.
@danielvf
Daniel Von Fange
1 month
27. If your AMM competitors for a pair are boneheadedly losing money, there may be no possible way to be profitable, since to compete for trades you would have to lose more money than they do.
@Guhu95
guhu
1 month
Wild payouts for the winners for an absolute masterclass - finding highs in a huge, shifting scope; very strong code; so many languages; with the time pressure of "no dups". Epic performance. Surprisingly, while it felt like everyone was participating, only 13 people on the.
@cantinaxyz
Cantina 🪐
1 month
A landmark moment for @Ethereum security. 🪐 The $2,000,000 Pectra competition, run in collaboration with @ethereumfndn, has officially concluded. Your top-ranked researchers: 🥇 @alexfilippov314 - $342,159.94. 🥈 @zigtur - $287,159.95. 🥉 NDKoo - $203,733.19. Details follow.
@Guhu95
guhu
2 months
The "dark side" only wins if there are bugs to exploit. If there are no bugs, the sides don't matter. This is what crypto is about. Systems for enemies. Also, the "dark side" label is delusional, it's a "fundamental attribution error". If you were in their circumstances.
@lonelysloth_sec
LonelySloth
2 months
C’mon folks. Don’t let the dark side win.
@Guhu95
guhu
2 months
[1] -
@Guhu95
guhu
2 months
"Stack too deep" makes you write better code. "Code is read more than it's written", especially Solidity. Yes it's annoying, but you know what's more annoying? Error-prone ugly spaghetti code with too many variables used in the same scope. Humans barely handle 4 items in
@Guhu95
guhu
3 months
To clarify: this is not me complaining, venting, or being negative. I'm suggesting a mental model I find more helpful, and pointing out similarities. Contests are great, here to stay, people are doing their best, and as a whole provide a lot of value for literally everyone. I.
@Guhu95
guhu
3 months
Audit contests are just a spectator sport. That's the only sane way to treat them. Proof: - Endless drama all the time. - Top 0.1% are worshiped as demigods. - Top 1% make more money from selling other stuff (audit days). - Bottom 99% are there because of top 0.1%'s winnings. -
@Guhu95
guhu
3 months
My bet on highest usage of EIP-7702 accounts: 1. CEXes for deposit accounts. 2. Large scale airdrop farmers for sweeping / consolidating. 3. "Trusted" UIs (telegram bots, one-click trading interfaces). Basically, accounts operated by custom software (not wallets).
@Guhu95
guhu
4 months
Some Pectra contest thoughts: The Good: - Client diversity is an ETH superpower. Always liked it, but now 10x more. - Testing sophistication is unbelievable. Beyond each client's tests, and the testnets, there are independent external tests (in python), a tool to run devnets