We're honoured to be partnering with @Agos_Labs, marking the beginning of an exciting journey for Shieldify in expanding our presence within the Asian Web3 Community 🌎
Another Shieldify Private Pool ⚔️ @ionprotocol 🥷
🗓️May 6th 15:00 UTC - May 19th 15:00 UTC
💰You will be rewarded based on these tiers:
⚠️Not Audited by anyone else
Critical: $2700
High: $2100
Medium: $800
If you are interested in joining, like or drop us a comment below 👇
Another Shieldify Private Pool ⚔️ @Possum_Labs
🗓️April 17th 14:00 UTC - April 28th 19:00 UTC
💰You will be rewarded based on these tiers:
High: $2500 (2.5M PSM)
Medium: $1000 (1M PSM)
Low: $150 (150k PSM)
If you are interested in joining, like or drop us a comment below 👇
Planning to grind between the holidays? You are our guy! 🫡
We seek auditors to participate in one of our private bug bounty pools with PPV. Lasting from 28.12-02.01.24.
A single contract with 268 nSloc 👀
If interested drop us a comment below and a DM with a short bio. 🎄
Sometimes Web3 auditors claim that our space is saturated, it's hard to win in contests when there are such big names and so on. In the end, they quit.
Right now, there is a great opportunity in front of our eyes — Move. It's a language that is used by dApps on Aptos and Sui.👇
Alright, guys, it is official - we are thrilled to announce our biggest partnership to date! 🤯
The amazing team behind @Geode_Finance has trusted us with adding another layer of security to their protocol!
Report coming out later today👀
Unfortunately, after yesterday's exploits digest, @GoGalaGames has been hacked for $212M, which is several times more than the entire April.
The problem was in inappropriate access control. The Mint function in the Gala Token contract has a Minter Role check and was
Welcome to another Shieldify Private Pool ⚔️ @ionprotocol 🦾
🗓️Feb 28 19:00 UTC - Mar 12 19:00 UTC
💰You will be rewarded based on these tiers:
Critical: $2700
High: $2100
Medium: $800
If you are interested in joining, drop us a comment below 🫡👇
Details below:
We are thrilled to announce our first audit for @DarkMythosIOTA
We would also like to extend our gratitude to the latest addition to our auditors' team, who played a key role in the audit - @marcobesier
Read the report here:👇
#IOTA #Shimmer #SMR @iota
Seven months ago a fellowship joined a common cause: To help secure Web3
We are proud to announce Shieldify's 2023 recap!
- Pioneering Bulgarian Web3 Security firm.
- More than 16 successful security audits.
- 45,000+ Lines of code secured.
Building momentum 🧵👇
The announcement is now official!
Shieldify has joined the @CairoLang ecosystem.
Teaming up with the Web3 Security OG @RealJohnnyTime and his @ginger_security, our mission is to enhance the safety of Starknet. 🔐
We are thrilled to announce our latest published report for @steakhut_fi 🙌
The security assessment spanned 16 days; @steakhut_fi's effective communication and dedication significantly contributed to the working process.
Link:
Inflation attack: from idea to code
- What is a Vault and how does it work?
- Inflation Attack: Theory (Deposit, Withdraw)
- Inflation Attack: Scenario
- Inflation Attack: Code
- Inflation Attack: Mitigations
Signature Malleability is a well-known but hard-to-understand vulnerability in Solidity. But to talk about it, we first need to understand what an elliptic curve is and how it works.
We’d appreciate a repost, spread the knowledge 🫡
Now follow the thread 👇
1/ Signature Malleability is quite a complex Vulnerability, so we created a thread for you to understand it!
Simply put, an attacker can get another user’s signature, copy it and, for example, double-spend the amount, essentially stealing from the protocol.
Follow the thread👇
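The double-spend described above usually comes from a contract that tracks "used" signatures by hashing the signature bytes themselves. The example below is added here and is not Shieldify's code or anything from the thread: the first contract is the vulnerable shape, the second rejects the non-canonical half of the `s` range (the same check OpenZeppelin's ECDSA library performs) and keys replay protection on the signed message plus a nonce instead of on the signature. The contract names, the `claim` function and the `HALF_N` constant are assumptions for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Vulnerable shape (constructed for illustration): the replay check hashes
/// (v, r, s). Every ECDSA signature (r, s, v) has a second valid form
/// (r, n - s, v ^ 1) that recovers to the same signer, so an attacker who sees
/// one signature can submit the flipped form and pass the `used` check again.
contract VulnerableClaim {
    mapping(bytes32 => bool) public used;
    address public immutable signer;

    constructor(address signer_) { signer = signer_; }

    function claim(address to, uint256 amount, uint8 v, bytes32 r, bytes32 s) external {
        bytes32 sigId = keccak256(abi.encodePacked(v, r, s));
        require(!used[sigId], "signature already used"); // bypassed by malleating s
        used[sigId] = true;
        bytes32 digest = keccak256(abi.encodePacked(to, amount));
        require(ecrecover(digest, v, r, s) == signer, "bad signature");
        // ... pay `amount` to `to` ...
    }
}

/// Hardened shape: enforce canonical s (<= n/2) and v in {27, 28}, and make the
/// signed message itself single-use via a nonce bound to this contract and chain.
contract HardenedClaim {
    // secp256k1 group order n / 2 (standard value, as used by OpenZeppelin ECDSA)
    uint256 private constant HALF_N =
        0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0;

    mapping(address => uint256) public nonces;
    address public immutable signer;

    constructor(address signer_) { signer = signer_; }

    function claim(address to, uint256 amount, uint8 v, bytes32 r, bytes32 s) external {
        require(uint256(s) <= HALF_N, "non-canonical s"); // rejects the malleated twin
        require(v == 27 || v == 28, "bad v");
        uint256 nonce = nonces[to]++; // each signed (to, amount, nonce) is valid once
        bytes32 digest = keccak256(
            abi.encodePacked(address(this), block.chainid, to, amount, nonce)
        );
        address recovered = ecrecover(digest, v, r, s);
        require(recovered != address(0) && recovered == signer, "bad signature");
        // ... pay `amount` to `to` ...
    }
}
```

The `s` range check alone stops the malleated twin of a signature from being accepted; the nonce is what stops an honest signature from being replayed, so a defender wants both, and the replay key must never be derived from the signature bytes.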
@Uniswap is one of the greatest DEXes. It's used not only by lots of users but by lots of protocols as well. Therefore, as a security researcher, it's essential to understand how it works.
We all know how V2 and V3 work, but today we've created a thread to learn @Uniswap V4 👇
Thank you for the trust! It was a pleasure working with the Yeet @eatsleepyeet team and helping the @berachain ecosystem 🐻 ⛓️
The audit report will be out soon here: 👇
The 3 most infamous hacks to date are:
• Ronin Network ($624M)
• Poly Network ($611M)
• BNB Bridge ($586M)
Guess what they all had in common: all three have been *unaudited*. 🙄
Recently, @eigenlayer was launched, and at first sight many find it hard to understand what EigenLayer does.
Jump into our thread and learn what it does and how it works 👇
Welcome to another Shieldify Private Pool ⚔️ @Possum_Labs 🫡
🗓️Mar 11 14:00 UTC - Mar 24 19:00 UTC
💰You will be rewarded based on these tiers:
High: $2500 (2.5M PSM)
Medium: $1000 (1M PSM)
Low: $150 (150k PSM)
If you are interested in joining, drop us a comment below 🫡
The vulnerability of using the Uniswap slot0 function is widely known, but we still see protocols implement it.
For example, we found such an issue in the recent SteakHut security review.
The slot0 function returns lots of values but we're interested in sqrtPriceX96 👇
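To make the slot0 issue concrete, here is an added example (not code from the SteakHut review or from Uniswap) contrasting a spot-price read from `slot0` with a time-weighted read from the pool's own `observe` oracle. The interface fragment reproduces the real Uniswap V3 pool function signatures; the contract names `SpotPriceOracle` and `TwapOracle` and the `window` parameter are assumptions for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Subset of the Uniswap V3 pool interface (signatures as in v3-core),
/// limited to the two members this example needs.
interface IUniswapV3Pool {
    function slot0() external view returns (
        uint160 sqrtPriceX96, int24 tick, uint16 observationIndex,
        uint16 observationCardinality, uint16 observationCardinalityNext,
        uint8 feeProtocol, bool unlocked
    );
    function observe(uint32[] calldata secondsAgos) external view returns (
        int56[] memory tickCumulatives,
        uint160[] memory secondsPerLiquidityCumulativeX128s
    );
}

/// Vulnerable pattern: sqrtPriceX96 is the pool price *right now*, i.e. after
/// whatever swap ran earlier in the same transaction or block. A single large
/// swap (flash-loan funded) moves it, so anything that values collateral or
/// computes mint amounts from it can be manipulated atomically.
contract SpotPriceOracle {
    function spotSqrtPrice(IUniswapV3Pool pool) external view returns (uint160 sqrtPriceX96) {
        (sqrtPriceX96,,,,,,) = pool.slot0(); // manipulable with one swap
        // Converting to a token1/token0 price means squaring this Q64.96 value;
        // use Uniswap's FullMath.mulDiv for that, as a plain multiply can overflow.
    }
}

/// Manipulation-resistant alternative: average the tick over `window` seconds
/// using the pool's cumulative tick observations. Holding a distorted price for
/// the whole window costs the attacker arbitrage losses in every block.
contract TwapOracle {
    function twapTick(IUniswapV3Pool pool, uint32 window) external view returns (int24) {
        require(window > 0, "window must be > 0");
        uint32[] memory secondsAgos = new uint32[](2);
        secondsAgos[0] = window; // start of the window
        secondsAgos[1] = 0;      // now
        (int56[] memory tickCumulatives,) = pool.observe(secondsAgos);
        int56 delta = tickCumulatives[1] - tickCumulatives[0];
        int56 w = int56(uint56(window));
        int56 avg = delta / w;
        // Round toward negative infinity, matching Uniswap's OracleLibrary.
        if (delta < 0 && delta % w != 0) avg--;
        return int24(avg); // convert with TickMath.getSqrtRatioAtTick when a price is needed
    }
}
```

Two caveats a reviewer should still check: the pool's observation cardinality must be large enough to cover `window` (otherwise `observe` reverts), and a TWAP lags real price moves, so a liquidation or minting path that needs freshness may need a secondary feed rather than a longer window.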
Today we've prepared a thread for you about ERC2771, Multicall and Arbitrary Address Spoofing attack.
Appreciate a repost, spread the knowledge 🫡
Let's dive in and learn what it is, how it works and how to mitigate it. 👇
It's important to understand what L2s are and how they work.
Today we created a thread for you explaining the workflow of Optimistic Rollups.
We’d appreciate a repost, spread the knowledge 🫡
Let's dive into it👇
Another Code Quiz! 🚨
Today let's look at a simple function to get the signer of the signature from hash, v, r and s values.
What is the vulnerability here and how to fix it?
Look for a hint in the comments 👇🫡
Here's a short list of exploits that happened in Web3 this month:
1. OSN lost $109k by incorrect reward distribution.
2. SATURN lost $65k (15 BNB) due to price manipulation.
3. GPU lost $34k with safe transfer.
4. Saturn suffered a loss of $140k due to insufficient validation.
5.
Recently we released the results of our Ion Protocol review, with only *one* issue found, by @MarioPoneder
The problem was in unsafe casting from int256 to int24 leading to the variable silently truncating and proceeding with incorrect data.
If you want to see the details, check
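Solidity 0.8 checks arithmetic for overflow but does not check explicit narrowing conversions, which is why a cast like `int24(x)` on an out-of-range `int256` silently keeps the low 24 bits. The library below is an added example, not the Ion Protocol code, showing the truncating cast beside two range-checked versions; the library name `TickCast` and the demo contract are assumptions for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added example: narrowing int256 -> int24 with and without a range check.
library TickCast {
    int256 internal constant MIN_INT24 = -8388608; // -2^23
    int256 internal constant MAX_INT24 = 8388607;  //  2^23 - 1

    /// Unchecked narrowing. 8388608 (2^23) becomes -8388608 and
    /// 16777216 (2^24) becomes 0; the caller continues with a wrong tick.
    function unsafeToInt24(int256 x) internal pure returns (int24) {
        return int24(x);
    }

    /// Range-checked narrowing (same shape as OpenZeppelin's SafeCast.toInt24).
    function toInt24(int256 x) internal pure returns (int24) {
        require(x >= MIN_INT24 && x <= MAX_INT24, "TickCast: int24 overflow");
        return int24(x);
    }

    /// Round-trip check: anything that does not survive the cast is rejected,
    /// without having to spell out the bounds.
    function toInt24RoundTrip(int256 x) internal pure returns (int24 y) {
        y = int24(x);
        require(int256(y) == x, "TickCast: int24 overflow");
    }
}

/// Thin wrapper so the two behaviours can be compared from a test or console.
contract TickCastDemo {
    function unsafeCast(int256 x) external pure returns (int24) {
        return TickCast.unsafeToInt24(x);
    }

    function safeCast(int256 x) external pure returns (int24) {
        return TickCast.toInt24(x);
    }
}
```

Calling `unsafeCast(8388608)` returns `-8388608` while `safeCast(8388608)` reverts; the same silent wrap applies to every narrowing conversion (`uint128(x)`, `int128(x)`, and so on), so auditors typically grep for explicit casts and confirm each one is either provably in range or guarded.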
Smart Contract Audit Approaches: Pros and Cons 📓
- What is a Smart Contract?
- Are smart contracts secure?
- How Are Smart Contracts secured?
- Centralised Smart Contract Audit
- Bug Bounty Smart Contract Audits
- Introducing the Hybrid SC Model
Have you ever taken your interest from deposited funds in advance?
Yeah, that's a super cool niche in Web3. And we hope that our partners @Possum_Labs will dominate it!
@HatsFinance Audit Competition Soon
Read our security review of their protocol here:
Being creative as a security researcher can often differentiate a mediocre auditor from a good one.
For example, protocols are often protected against slippage. Still, this critical edge case in SteakHut’s code allowed an attacker to front-run deposits by manipulating the fees.
Reentrancy and Denial of Service (DoS) attacks, what are they and example mitigation strategies: 🫡
- Reentrancy attack
- How to mitigate Reentrancy attacks
- Denial of Service Attack
- How to mitigate DoS attacks
- Other common security threats
The Shieldify team completed another DEX Protocol Audit, which was 2500 nSLOC 🫡
The Findings Summary is:
Critical/High: 5
Medium: 13
Low: 11
The audit report is coming soon!
To abstract (away), in computer science, refers to intentionally obscuring the details of how something works to simplify things conceptually.
This is what we strive for at Shieldify - abstracting away the worry of web3 security.
Thanks a ton for the trust, @AmbireWallet 🙏🚀
Extremely thrilled to audit ERC-6492 by @ivshti and the @AmbireWallet team!
Being one of the key ERCs in the AA space, it proposes an ingenious way to validate a signature of a SCA that’s not deployed yet 🤯
We all know that even if a contract doesn't have a receive or fallback function, it can still receive ether if someone uses the selfdestruct opcode.
But what happens if a contract MaliciousSender has 10 ether and tries to send it via selfdestruct to Victim.sol
Automated Market Makers Specifics:
1) Is there a slippage protection?
2) Does it work for different token types and decimals?
3) Rebasing tokens can break the functionality (consider creating a blacklist).
A new player in the Web3-sec space is up in town. Look out for its audit reports, due to go public soon! ✌️
Psss, the legend says that if you "star" the repo, you will be eligible for some cool Alpha 🕵️‍♂️
Zero Knowledge becomes more and more popular leading to more auditors getting into it.
If you're one of them, dive into our thread to learn what zk-SNARKs are and upgrade your ZK knowledge level.
Now follow the thread 👇
Web3 Security has evolved significantly in recent years, and there are plenty of different types of audits.
If you're building a protocol dive into our thread explaining the pros and cons of them to see what suits your protocol's needs best 👇
As of today we are officially launching our latest service!
The Protocol Design consultation is targeted at newly-conceived protocols that are yet to assemble their blockchain team.
The consultation consists of two meetings and a research period in-between them.
1/3 🧵👇
Shieldify team completed another audit of ERC-4337, Account Abstraction. Two additional researchers from Shieldify's newly formed fuzzing team conducted Fuzz tests, leveraging Halmos and Echidna ✅
Findings Summary:
Critical/High issues: 2
Medium issues: 3
Low issues: 5
Over the last 7 months, we completed 20+ security reviews and provided an in-depth report for each individual audit.
These are 20 teams with happy faces, and more than 45,000 lines of code secured. We aim for 100% hard-coded commitment and quality of service.
As a security firm in Web3, our focus is on safeguarding protocols from malicious actors. The industry has quite matured over the last couple of years. The last bull market pushed the space mainstream with millions of new users joining the revolution.
The volume of projects has
📎 When conducting an audit of an Account Abstraction implementation, it is essential to meticulously review the checklist from our friend and external partner @agfviggiano and refer to example audits for a comprehensive examination. 👇
Something big is cooking ...
The report for our biggest client to date is due to go public in a week. Make sure you hit that star in the top right corner on Github, you would not want to miss this 🚀
Last month we saw the creation of the new token standard — ERC404!
Now there are already a couple dozen ERC404s with a 300M+ market cap, which can easily be applied in RWAs, gaming, NFT liquidity provision, etc.👇
As a Final Security Layer after 2 OpenZeppelin audits and Hats Finance competition 🛡️
Shieldify Private Pool (SPP) report is live for @ionprotocol 🫡
Link: 👇
1/ Questions you should ask yourself while reviewing liquidation functionality:
- If add collateral is paused, can the user get liquidated even if he wants to deposit more?
- Is the eligibility for liquidation calculated consistently everywhere?
Want to support *all* ERC20 tokens in your protocol?
Sorry, but you're asking for trouble.
Here are 10 issues with ERC20s that can ruin your smart contract.👇
Super grateful to @ipor_io's team for helping us battle-test and enhance the in-house tools that we use as the first step of our 6-layered security methodology that we enforce across all our customers! 🙏
📚In our latest blog post we cover the interesting topic of Solidity Storage Management and security considerations revolving around it.
🤓Give it a read!
We are happy to announce our partnership with @phi_xyz!
We would like to thank their team for the given chance to add another layer of security to their amazing project! Congrats on the successful launch, Phi Team! 🚀
Read the audit report here: 👇
What is ERC-404?
Another potential narrative shift that is next on the line.
ERC-404 is an experimental Ethereum token standard that merges the features of ERC-20 and ERC-721. This hybrid standard aims to bring versatility by allowing tokens to represent both fungible and