StErMi

@StErMi

Followers
5K
Following
9K
Media
289
Statuses
10K

#web3 dev + auditor | @SpearbitDAO LSR, @immunefi bug hunter, sage of AAVE codebase :D

ethereum L1/L2
Joined April 2008
@StErMi
StErMi
1 year
During the next few days, I will share some of my private security research work that I have done in the last year. All those projects are @aave related, and I feel very proud to have been chosen as one of the security partners to review them. I'm pretty sure that the
8
6
106
@StErMi
StErMi
6 days
Nice to see that three of the authors of "Mastering Ethereum: 2nd Edition" are Italians 🇮🇹
0
0
9
@StErMi
StErMi
9 days
A couple of days ago a client said to me "I know that you ask a lot of questions [...]". I think that my approach could be seen by some clients as "overwhelming", but I also think that, as a client, you should be much more preoccupied by the level of interest and quality of the
2
0
21
@StErMi
StErMi
16 days
I'm doing a security review and I can't really see how an AI agent could do what I'm doing right now. It would probably crash badly or explode. I really would love to see what would be the result of running it and compare it with what I'm discovering.
1
0
24
@StErMi
StErMi
17 days
I need a contest or a security report with the following requirements - report must be public - foundry support - non trivial - has no external dependencies/integration or at most they must be as part of local dependencies (but better if none) I need to have a base testbench
3
0
14
@StErMi
StErMi
17 days
Building AI agents for Web3 security review is both frustrating and fun at the same time. At least you never get bored 😄
0
0
0
@StErMi
StErMi
18 days
Google should really burn down the Google Cloud Console and start from scratch. I just want something like OpenAI where I top up with X euro credits and call it a day. It's impossible to navigate that UI, and I'm quite sure they want my CC for "infinite allowance".
1
0
2
@StErMi
StErMi
22 days
I'm ashamed to share the @immunefi points I received. But you can't do everything, and I had to give priority to my private clients' reviews and my @spearbit work. I think that it's where I shine the most and it gives me pure enjoyment. Maybe next year, who knows!
4
1
25
@StErMi
StErMi
22 days
"You're absolutely right!" it hurts my nerve so much. I'm just waiting for the subscription to end and I'll switch to @windsurf + GPT5 codex. I want to see what @swyx has cooked. @claudeai tbh feels very pushy and oppressive for my test, I feel overwhelmed too many times.
0
0
0
@StErMi
StErMi
23 days
But it has been very helpful to spend time to just think, reflect and write it down. It's very challenging to give form to what has become "automatic" and almost an instinct for you and can't be explained.
1
0
7
@StErMi
StErMi
23 days
I have tried to distill in a single document everything I do, I think, I reason about while I perform a security review. It came out as a document of ~11005 words (~66066 characters). I could probably refine it and add more but I'm awful at writing and it takes a ton of time.
6
0
16
@StErMi
StErMi
23 days
gosh I would really love to smack CC in the face sometimes.
1
0
0
@StErMi
StErMi
24 days
Discussing difficult topics with Claude is like discussing them with someone who has a basic knowledge, just enough to be able to put some coherent words together, but that is super confident to be able to pretend to know what the hell it is referring to. You need to remember
3
1
17
@StErMi
StErMi
27 days
Ok I'm quite sure that CC is slowly degrading with the latest versions. And I really wish they could remember what they have done in the past. Plan mode is useless if I always need to repeat over and over why it's wrong.
0
0
1
@StErMi
StErMi
27 days
Am I crazy or are projects lately using more and more @HardhatHQ compared to Foundry?
5
0
3
@StErMi
StErMi
28 days
Does @claudeai (vscode/cursor plugin) remember past conversations for the same project? It seems almost that it does not. Am I wrong or do I miss some config?
4
1
6
@StErMi
StErMi
28 days
it seems that Bartender 6 with macos tahoe 26 is a mess. Buggy as hell and it mostly never works. Do you have any alternatives?
1
2
4
@StErMi
StErMi
1 month
I find the OZ ERC4626 `max*` behavior incoherent. The `maxRedeem` returns the user's balance, but `maxDeposit` returns INF and not `min(userUnderlyingBalance, userAllowanceToVault)`. Should they have implemented it that way? Is there a reason to avoid that?
1
0
3
@StErMi
StErMi
1 month
I'm thinking about removing the whole severity categorization from my reviews. It makes sense just for "marketing" or for contests/bounties. In private security reviews I think that it's pointless. A finding can just be in two categories: - must be fixed: the client must address
6
0
54
@StErMi
StErMi
2 months
Writing is really hard 😭
1
0
9
@StErMi
StErMi
2 months
The @AragonProject team has experienced the full "StErMi experience package". Can't wait to work with them on the next project! https://t.co/2YFmpi06hj
@A_Leutenegger
Leuts.eth
2 months
@spearbit @AragonProject Twas a pleasure! Thanks @StErMi and the team! Very pleased with the audit and work.
2
0
6