If web2 security continues foreshadowing what web3 security will do, @Xbow is scary for any manual auditors or bug hunters. They've got a strong team of web2 security talent, so perhaps that's the new job for web3 security people - training the tools.

I'm excited to see where this goes 👀.

@twyne In summary:.- Write happy path tests to achieve >90% test coverage ✅.- Write unhappy path tests to catch stop devs from being idiots 😄.- If you find a bug → write a new unhappy path test 🪲.- Add fuzzing tests to validate support for different assets 🧪.

@twyne Of course, getting fuzzing experts to test your code is even better, but I’m focusing on what mere mortals can easily do themselves.

@twyne When you combine Foundry fixtures with vm.assume, you can lock in your fuzzing tests to a specific set of values. Boom, now your tests cover all on-chain asset combinations. 💪. If you know a better approach, please tell 🙂.

@twyne Foundry to the rescue!. Foundry has a “fixtures” feature to test specific values while fuzzing. You can make a fixture with the assets you want to test. Foundry does the hard work testing the permutations of assets.

@twyne After writing the tests, consider any asset edge cases. Fuzzing to the rescue!. But how to fuzz the different token addresses that you want to support in the protocol? 🤔.

Imagine having tests that check for EVERY possible hack. Those should ALL fail. Unhappy paths are like little audits. Luckily at @twyne we caught this low hanging fruit before the real audit 🙈. The real audit:

But another key element is to write tests that are expected to FAIL. The unhappy paths. Happy paths verify functionality. Unhappy paths can catch embarrassing security bugs. Speaking from experience, you really need both 😄.

The happy paths are easy - this is how you make sure your code actually works as you want!. When I was writing tests, I found MANY problems in the code that I didn’t notice when writing it. Tests make these mistakes VERY obvious and help confirm a fix.

First, tests are crucial to making code work as expected. Having 90% test coverage on your code is the bare minimum. Start with the happy paths, the normal processes where users interact with the protocol as expected.

Devs leave testing for last. But tests are the first priority to avoid hacks. 🚨. So how does an ex-auditor write tests to catch bugs?. Time to break down my process 🧵. 1/.

Touching grass and going offline is one pathway to diamond hands 💎

RT @twynexyz: Higher liqLTVs = Leverage Multiplier Effect 📈. At 80% liqLTV, $1 = $5 .At 95%, $1 = $20.At 99%, $1 = $100. Twyne unlocks high….

Curious about lessons learned shifting from web3 red team to blue team? My #ETHBelgrade talk is now live:

I was lucky to have @savantchat look at the code I wrote at @twynexyz, and as an ex-auditor, I was impressed. It even found a bug that had been in the codebase for weeks that we only *just* fixed in the code <48 hours before.

Woke up and chose cynicism

This one simple trick will keep you flying during French air traffic strikes!

ngl feels like I should be vacationing not conferencing

Croissant a day keeps the bad vibes away