The most basic bug finding skill is splitting up the code into every possible execution path, and then checking each one. Bonus: Each code universes created by splitting if's is simpler and easier to check than the original

"You can always make things worse in an emergency" - Hoot's law. It's always important to move at the right speed during a DeFi incident response. Everybody is willing to pull big levers, and you need to make sure you don't error.

The number of bugs found in your code is a good indicator of the number of bugs left in your code. More auditors should say this when its true:

A flash loan is just a funding mechanism, and we don't have a vulnerability category for "Binance attack". Nor do we call a bank robbery that bought a mask with a credit card a "Visa attack vulnerability".

When you fix your worst problem, your second worst problem moves up to take it's place. (But you are still better off).

This is clear progress!. The vulnerabilities that have dropped out or dropped down hard are the stupid ones and the tooling related bugs. Thanks to every one who has worked on the tools! You have made a difference!.

There's a surprising number of ludicrously bad blackhats. You don't hear about them because they rarely hack stuff, but if you watch everything sus on a blockchain for a month, they make up the majority of the action.

No context chart

31. More liquidity can be BAD. At first more liquidity on a pair makes the income go up, but that tops out once all trades are supported. But more exposed liquidity only increases the losses. There's a sweet spot between the two effects, and then it's pure downhill from there.

One of the positive effects of crypto currency: Whenever a world leader gets their twitter hacked, instead of trying starting a war, hackers just try to get people to send them money. Much lower overall cost for civilization.

30. People claim you can defeat impermanent loss by just creating a "Delta Neutral" LP position via borrowing the funds for one side of your initial LP position. No. You have _exactly_ the same impermanent loss doing this.

29. Most recent AMM designs headline reducing the cost of capital (via concentration or earning idle liquidity). It's easily understood. I think reducing the even bigger cost of assets exposed to price changes is under appreciated right now.

28. A more accurate profit equation for AMMs is:. (fee x volume).- (assets exposed * asset price changes).- (cost of capital).

27. If your AMM competitors for a pair are boneheadedly losing money, there may be no possible way to be profitable, since to compete for trades you would have to lose more money than they do.

26. For everyone concentrating liquidity around the 1:1 between an asset and it's more risky derivative asset that also has a time delay to redeem:

25. Orderbook based market making is the pinnacle of hundreds of years of evolution in traditional finance. The most efficient way humans have ever found to do this. But every time it's been tried onchain, it's failed. Pls don't build another one until you know why.

24. To a first approximation, LP profitabitly is . (fee x volume) - (assets exposed * asset price changes).

23. In the formula `profit = revenue - losses`, a small percent reduction in losses or a small percent increase in revenue can have a huge impact on profit.

22. I hate oracles. Not really relevant, but just throwing this in there. Because I hate oracles.

21. I never want to write bin based concentrated liquidity code. God bless everyone who has.