0xasen
@asen_sec
Followers
3K
Following
3K
Media
56
Statuses
2K
Web3 security researcher. Minimizing trust, line by line.
Joined November 2022
Proud to have placed 2nd in the @code4rena Monad competition. 1,614 wardens, 164K SLOC of Rust and C++. Submitted the most valid findings in the contest. Shoutout to @monad for putting this one up. Huge respect to everyone who competed!
40
6
266
The most underrated thing about AI in security is speed, not accuracy. A 2 hour review instead of a 2 week review means more coverage, more iterations, faster feedback loops. That compounds.
0
0
8
Also observed the same. There are some bugs which fully autonomous AI are better at catching than humans. Similarly, there are some bugs which humans are better at catching than fully autonomous AI. I think the best security outcomes will result from combining both approaches.
Here's what surprised me though: AI doesn't find fewer bugs. It finds different ones. Stuff I'd catch in 10 minutes, it misses. Stuff I'd need 3 hours to trace through, it flags in seconds.
4
3
59
It's changed how I spend my time. Less arithmetic, more thinking. Still figuring out where the ceiling is. How are you using it?
0
0
5
What it misses: MEV. Anything that requires thinking "what would an attacker do if they saw this transaction in the mempool." Zero. Protocol-specific logic. Bugs that require understanding intent, not just code. Callback patterns. Unexpected state changes when control leaves
2
0
4
On one codebase it caught that a game's multiplier schedule guaranteed players positive expected value. The house always loses by design. Not a code bug. A game design flaw. AI found it by just doing the math.
1
0
6
What AI is good at: Accounting errors. Math bugs. State corruption. Anything where the answer is "does this arithmetic check out." I've found it to be relentless at this.
2
0
7
I've been running AI on real codebases for the past few months. Client work, contests, bounties. Not toy examples. Here's what I've seen it catch and what it completely misses.
5
3
54
If you're not using AI to build the things that automate your current workflow, someone else is building it for you. And they'll charge you for it.
0
0
15
It'll be obvious in hindsight that AI will be (already is) able to find complex bugs at top human level. It's better to embrace it.
1
0
9
Working hard every day to secure the web3 space 🫡
The greatest mission in crypto right now is to safeguard the space from hacks. Why? Because there's exactly one thing that's stopping billions and billions more from coming onchain, and it's hacks. Whoever solves that problem is going to make it big. Really big. It won't
0
0
4
Bounties are a game of luck with high rewards and $0 bets. You can either play more or increase your odds. Your coin is your time, energy, and health. Spend it well to level up the stats you need to increase chances. Reach perfect balance to meet the luckiest version of you.
6
9
117
Seeing posts on the TL from audit tools claiming: "We've found the Balancer bug." Which reminds me of something I realized some time ago that slightly changes your mindset while bug hunting: we're not actually hunting for "bugs". We're hunting exploits. A bug might not cause
2
2
21
Wishing a Happy Friday to brand new security researcher "yesofcourse" for scoring $10,000 via Immunefi on a High severity bug report. Enjoy your weekend. You've earned it. P.S. Don’t spend it all on energy drinks.
6
7
103
I just found a bug and got paid on @immunefi This was a long one but worth it at the end. Thank you Immunefi 🙏 #immunefitribe
immunefi.com
The trusted security layer of Web3. Protecting $180B+ in value and powering the next wave of onchain adoption with AI-driven, end-to-end protection for DeFi, stablecoins, RWAs, and institutional...
8
3
78
Less code, more proofs. Spend lines on tests and invariants - not on fancy abstractions.
0
0
7
Don’t wait to be “ready.” Read code, pick an invariant, try to break it. You learn faster from failing tests than from tutorials.
0
1
27