cvh (@cvhessert) | Followers: 660 | Following: 1K | Media: 32 | Statuses: 591
build, automate, secure, validate, advise, invest & repeat | VP, Security & Smart Contracts @0xPolygonLabs | Re/Tweets are my own | 🇦🇷
Amsterdam, The Netherlands
Joined December 2008
Security shouldn't be hard nor expensive, you just need to know what's important... Hopefully this helps prevent future losses in this ecosystem in some way... https://t.co/eL2WlgkUkS
hackmd.io
This guide assumes you are:
AppSec in the AI era will be less about reviewing code and more about operating systems that: Attack. Triage. Improve. Repeat. AI swarms finding and exploiting weaknesses. AI triage validating impact, killing noise, scoring real risk. Even opening the PR. Continuous.
Everyone wants an AI red team swarm constantly breaking their own code. But that's not the hard part. The real bottleneck is triage. If your system generates 500 findings a day and you can't automatically validate exploitability, dedupe noise, score real business impact, and
About time! Thanks
Introducing: built-in git worktree support for Claude Code. Now, agents can run in parallel without interfering with one another. Each agent gets its own worktree and can work independently. The Claude Code Desktop app has had built-in support for worktrees for a while, and now
New: I'm sharing the @trailofbits Claude Code defaults. This is how we set up, configure, and use Claude Code: https://t.co/aEIXdpCztt
Who's building a https://t.co/nEJBr1jTCT & https://t.co/DmDqCJmn07 marketplace? Seems like a no brainer…
Community alert: Ledger had another data breach via payment processor Global-e leaking the personal data of customers (name & other contact information). Earlier today customers received the email below.
Top-5 complex attacks you must learn 🔴 Kyberswap bounty: https://t.co/RWvPhiBjs4 🔴 1inch exploit: https://t.co/mjmtvY3HNS 🔴 GMX $41M Hack: https://t.co/OWi2i5ZHMa 🔴 VTHO accrual bug: https://t.co/BSZejkhU9E 🔴 Euler Finance hack:
cyfrin.io
Euler Finance was hacked for ~$200M due to a missing check on the liquidity status. We explore a step by step of how this attack happened, including a proof of concept.
... after three long days with claude code, i have this to share: - https://t.co/XuhC7uarbl a human readable web ui for evm storage visualization (supports Solidity + Vyper) - Blog post documenting my learnings:
wavey.info
Techniques for mapping EVM storage slots back to variable names and decoding transaction traces
Basically every CIO out there…
Last quarter I rolled out Microsoft Copilot to 4,000 employees. $30 per seat per month. $1.4 million annually. I called it "digital transformation." The board loved that phrase. They approved it in eleven minutes. No one asked what it would actually do. Including me. I
@samczsun Nice article, to add a bit on the re-audit aspect. The way I plan and think of this is dividing your budget and yearly plans on GROW and MAINTAIN line items. GROW is what most projects normally do, bigger budget for new products, features, etc. They all get audited/pen-tested,
i wrote some thoughts on bug bounty payouts and how we should think about crypto security going forward https://t.co/kV1C6OCS8A
samczsun.com
Bug bounties are passive, but security is an active process
The good news? A lot of companies are hiring for their internal security: - Web3 Security Specialist at @binance (+ they have a lot of similar positions) - https://t.co/oPLZUztBUK - Security Analyst at @Figment_io - https://t.co/KsAM0gEuEX - Senior Security Engineer at
job-boards.greenhouse.io
Most protocols spend a lot on audits and bug bounties but have zero internal security Launching https://t.co/c3v75lXHdD to highlight the ones that do Having an internal security team should be in every protocol's New Year's resolutions for 2026
@0xKaden 💯 Imho we have used exploit and vulnerability interchangeably for blockchain, because the exploits were somewhat simple so far ( https://t.co/3XPtomWpJU) But if you look at modern software exploitation outside of blockchain, there is a huge gap between finding a vulnerability
My main takeaway from the recent rounding hacks is that every incorrect rounding needs to be considered a bug. Most of them are not exploitable, or not even vulnerabilities, but they are still bugs. Think of it as: bug → vulnerability → exploit. Every exploit starts from a