cyber
@cyberthirst
Followers
482
Following
1K
Media
42
Statuses
598
I stare into compilers, and they stare back
Joined January 2016
artificial intelligence, the descendant of the violent, cruel, and petty human mind pump more $$; race, race, all the way down. lead us to oblivion I feel scared
0
0
1
1. audited concentrated liquidity 1+ month 2. high threshold multisig in place 3. can decode calldata nibble-by-nibble 4. dedicated signing pc 5. custom safe scripts for UI downtime 6. co-signer convinced after work 7. ✅ you now may swap $PEPE for $FART
0
0
2
don't trust your calldata don't trust your ui don't trust your os don't trust don't
0
0
3
I built Ivy, an AST interpreter of Vyper serving as an executable spec. Main use case: differential fuzzing oracle for the Vyper compiler. This post starts a blog series about the project. It explains the core PL concepts and Ivy’s key design choices. https://t.co/MLXSNdFQOg
hackmd.io
This article starts a series on the AST interpretation of Vyper. I built Ivy, an AST interpreter for Vyper, with the goal of an easy-to-read executable specification of the language in Python. Ivy...
0
0
11
Throughout the history of the 'net, a number of security vulnerabilities were all caused by parsers being overly flexible. The mantra often is "be strict when encoding, be lax when decoding". I'm sorry, but this is *very* bad advice. If you get bad data, throw that thing out!
1
1
5
formal methods scale certainty, fuzzing scales coverage, code review scales insight
0
0
1
Fuzz in a different language than the target. If the target’s Solidity, fuzz in Python. Independent stacks cut shared bugs and reduce model bias.
Security is about building a model and verifying if it matches the target under test. Unit tests check specific inputs against the model; fuzzing scales that to thousands. Formal methods prove correspondence across the entire input space. Manual auditing thrives on fluid,
0
0
4
noir, darkfi, dusk, nightfall, manta, panther… funny how privacy tools always get names about darkness, hiding, or the underworld. for most people, it’s not about hiding, but exercising a basic right to be left alone.
1
0
3
Once a language captures the right moment, it rides the wave, no matter how controversial. javascript, php, solidity…
1
0
2
Don’t just check that your test failed. Check why it failed. I’ve seen many tests fail for the wrong reason, and bugs slip through.
0
0
3
Source-based static analyzers (Slither, Wake, etc.) would likely have missed the Vyper reentrancy bug - their analysis is based on the AST. They would have reported no reentrancy, even though the compiled bytecode was exploitable. Compiler bugs often appear below the AST:
0
0
4
sometimes i look up at a plane in the sky and imagine the plane itself vanishes. just people floating through the sky at the speed of sound, sipping coffee. it always fills me with joy - humanity is absurdly advanced.
0
1
3
Compilers can hide bugs that audits miss. Come and listen about compiler security and compiler fuzzing.
Compilers can hide bugs that audits miss. @cyberhtirst, Security Engineer at @vyperlang, will speak at DSS on “Differential Fuzzing of the Vyper Compiler”, showcasing a differential fuzzer of Vyper that utilizes an AST interpreter as the correctness oracle.
1
2
10
Security is about building a model and verifying if it matches the target under test. Unit tests check specific inputs against the model; fuzzing scales that to thousands. Formal methods prove correspondence across the entire input space. Manual auditing thrives on fluid,
0
0
3
Verifying sort() is the classic intro to formal specs. It's also a good analogy for prompting LLMs. The spec defines output properties. Input: [1, -1, 5, 6, 6] v1: Output should be increasing. [-1, 1, 5, 6] – missing 6 v2: Output should be non-descending. [] – trivially
0
0
4