Chinmay Farkya Profile
Chinmay Farkya

@dev_chinmayf

Followers: 3,282
Following: 707
Media: 155
Statuses: 3,131

Smart Contract Auditor | Associate Security Researcher @SpearbitDAO

India
Joined June 2020
Pinned Tweet
@dev_chinmayf
Chinmay Farkya
2 months
Happy to announce that I have joined @SpearbitDAO as an ASR
Thankful to the Spearbit team, and everyone who helped some way or the other in my journey
Especially @0xOwenThurm, @Jeyffre and @PatrickAlphaC for leading the charge in educating me and countless others.
Fellow
40
1
181
@dev_chinmayf
Chinmay Farkya
1 year
Releasing my Solidity notes accumulated over the past few months
If you are starting out as a developer/auditor, this is all you need to start learning Solidity, then practice
Will appreciate a RT 🫡
Hope this is helpful
20
95
275
@dev_chinmayf
Chinmay Farkya
2 years
@ninja_writer21 The government wants to promote indigenous manufacturing, so less of our money goes to China. Reliance hops on to any tech-profitable business opportunity, I'm sure other brands/startups will too. There will always be mega-brands. This isn't lobbying.
12
2
214
@dev_chinmayf
Chinmay Farkya
9 months
When I first started learning web3 security I was dumbfounded by the lack of guidance and structured education
it was overwhelming to find resources and even more overwhelming to validate if what advice is being shared is good
Now after almost 8 months, I'm still getting a lot
9
53
232
@dev_chinmayf
Chinmay Farkya
3 months
I am publishing my EVM notes - accumulated by reading tons of articles and resources
These are from the time when I explored how the Ethereum network and EVM execution works in depth
I hope that you find value in it anon 🫡
Soon I will also post the list of EVM resources I
10
28
208
@dev_chinmayf
Chinmay Farkya
9 months
I plan to become a legendary auditor in the next 6 months
I have been feeling this drive to kick things up and direct effort properly, mainly because of goals shifting every month
To achieve peak performance, more than speed you need the right direction
This is what I'm going
33
15
200
@dev_chinmayf
Chinmay Farkya
1 year
3 Days ago, my metamask wallet got hacked. It was a private key leakage
Based upon inputs from various security researchers, I have compiled preliminary info you need to protect your precious funds
Please RT and share among web3 fellows
55
61
177
@dev_chinmayf
Chinmay Farkya
11 months
So many achievements with this one :
- First four digit payout
- First time two findings accepted in a contest
- Largest earning in my auditing journey
- Largest codebase I have ever tackled and cracked on @sherlockdefi
Just a reminder - results are gonna come! Keep at it
35
11
194
@dev_chinmayf
Chinmay Farkya
4 months
printed Uniswap v3 book today. Why did I print it ? Because I love studying a subject in its entirety. Next few weeks/months will be amazing 😈😈
24
3
147
@dev_chinmayf
Chinmay Farkya
1 year
As a security researcher, it is very important to understand Compound finance, one of the major Defi primitives
This resource will help you gain understanding in depth:
2
24
131
@dev_chinmayf
Chinmay Farkya
1 year
Defi Math can be overwhelming at times
To dive deep into defi security, you first need to understand the basic concepts
This offers a great starting point :
3
25
122
@dev_chinmayf
Chinmay Farkya
9 months
Do you know we already have a few Auditing job boards
1.
2. by @FuzzingLabs
3. by @Raiders
Share with your auditor frens
4
26
123
@dev_chinmayf
Chinmay Farkya
1 year
This is the best introductory foundry tutorial you'll ever read
Explains cast, forge, project initialization and gets you setup with all sub commands that you need regularly
Thank you @jtriley_eth
5
24
115
@dev_chinmayf
Chinmay Farkya
1 year
Found this awesome audit contests walkthrough
The idea is pretty simple : Read about protocol and its findings in brief and understand the root cause
what auditors have been talking about : identifying questions
We need more of this
0
22
105
@dev_chinmayf
Chinmay Farkya
5 months
For those living under the rock, I have a solidity notes repository that I created when I was learning solidity
Here it is :
3
23
106
@dev_chinmayf
Chinmay Farkya
15 days
WTF did I just read
21
6
108
@dev_chinmayf
Chinmay Farkya
1 year
Best Discord servers for smart contract auditors
- @SpearbitDAO
- @Web3SecurityDAO
- @GuardianAudits
- @TheSecureum
- DefiHackLabs
- @QuillAudits
11
22
107
@dev_chinmayf
Chinmay Farkya
11 months
Another set of achievements with this one :
- First Time in Top 3
- 2 Unique Medium findings for the first time
Got 2 solo M and 1 shared High finding for @ajnafi on @sherlockdefi
The developers from Ajna were one of the most helpful I have seen.
19
1
105
@dev_chinmayf
Chinmay Farkya
10 months
I'm actively looking for an auditing team that wants a new member
My preference is : not a job, flexible work like Spearbit
DM me or connect me please with someone who is willing to work with me
RT for reach
5
22
100
@dev_chinmayf
Chinmay Farkya
9 months
Do you need a summary of the foundry book ?
@milotruck built a cheatsheet that has all foundry wizardry to help you set up any kinds of tests
- using foundry in an existing repo
- all cheatcodes
- fork testing
You name it, it's there
Link below
7
12
99
@dev_chinmayf
Chinmay Farkya
9 months
Looking for a place to practice solidity questions ?
Fortunately we have some quizzes to tickle your brain 👀
Don't forget these before your interviews !
1.
2.
4
12
95
@dev_chinmayf
Chinmay Farkya
3 months
Another top 3 in @100xfinance contest on @sherlockdefi
Had lot of fun in this audit
The trajectory is upwards 🫡
11
5
94
@dev_chinmayf
Chinmay Farkya
8 months
Seeing a kind of euphoria in the web3 security space.
@cantinaxyz has come up with contests and audit IDE
@0xOwenThurm has come up with free courses
A range of new contests popping up on @code4rena and @sherlockdefi and @HatsFinance
@CodeHawks has come up with first flights
10
5
90
@dev_chinmayf
Chinmay Farkya
1 year
My 2023 goal : Read every audit report on @code4rena ( + every repo under the sun) and understand those findings
Smart contracts - I'm coming for you
What's your goal ?
11
3
90
@dev_chinmayf
Chinmay Farkya
1 year
Looking for bugs in smart contracts ?
The most common issues are ::
- Proxies
- Input and return validation
- Differences in ERC implementations
- Improper integration
- Re-entrancy
- Decimals and Precision
Read @code4rena / @sherlockdefi reports for alpha
1
9
89
@dev_chinmayf
Chinmay Farkya
11 days
The truth of auditing
4
11
90
@dev_chinmayf
Chinmay Farkya
1 year
To get a general understanding of the mechanics of Defi lending protocols, read this comprehensive article series slowly : I bet you'd grasp the math easily next time you read such code
1
18
86
@dev_chinmayf
Chinmay Farkya
1 year
Been seeing independent security researchers hopping onto private audits rn
As @pashov said, the solo audit market is growing rapidly so I thought of creating a collection of those audit reports
Add any independent researcher's reports you know of
3
10
78
@dev_chinmayf
Chinmay Farkya
1 year
Found an awesome resource to understand how to deal with math expressions in Solidity : The Math in Solidity series
2
18
80
@dev_chinmayf
Chinmay Farkya
1 year
Knowing about past bugs helps a lot in learning patterns and finding similar issues
You should know of all bug classes when auditing a smart contract
Here are Top 7 famous bugs on @code4rena, source @tom_eth_dev
2
15
77
@dev_chinmayf
Chinmay Farkya
2 years
@heyeaslo The TLDR is : When you're curious about something, delve deep into it. If it's tech, build projects revolving around it. Success is directly proportional to efforts :)
0
5
77
@dev_chinmayf
Chinmay Farkya
1 year
Scored 62.5 % in the @RareSkills_io Solidity test
As a reference point, likes of @pashovkrum and @zachobront get 65 % 👀
Onwards and upwards with security research 🫡
6
3
69
@dev_chinmayf
Chinmay Farkya
3 months
Happy to announce that I have been accepted to Block 6 of the @yAcademyDAO fellowship 🫡
Very excited to join the chads in there and get to experience collaborative audits.
Only upwards from here lads
Let's chat if you have been accepted too !
8
0
70
@dev_chinmayf
Chinmay Farkya
1 year
This function doesn't return anything
Any Yul wizards know why ?
11
5
66
@dev_chinmayf
Chinmay Farkya
17 days
Some insights that I got after reading numerous audit findings
There are 5 types of bugs in auditing : go through the code 5 times with these mental modes and you'll get the highest coverage of bugs :
1. Common sense and logical errors : what should happen and what shouldn’t
4
9
69
@dev_chinmayf
Chinmay Farkya
1 year
Scared of those mathematical equations and calculations in Defi protocols ?
This article will give you insights on how to approach numerical analysis in security audits
Banger by @SpearbitDAO
3
11
68
@dev_chinmayf
Chinmay Farkya
2 years
@thesadiqueali This isn't maturity, this is just your individual vague response to a fun celebration.
1
0
59
@dev_chinmayf
Chinmay Farkya
1 year
Foundry is recommended by all in-the-game auditors like @pashovkrum @sjkelleyjr @1nf0s3cpt
- fast
- highly customizable and
- complete portable toolkit
@crisgarner has an awesome repo with plugins, utilities, templates the tutorials to build them all up
3
13
64
@dev_chinmayf
Chinmay Farkya
9 months
Auditor's Digest is here.
It is a series of articles dedicated to a comprehensive security outlook at various code components in Defi
The first article is around the vulnerabilities associated with using EIP712.
EIP712 is a standard for typed structured data hashing and
2
10
64
@dev_chinmayf
Chinmay Farkya
1 year
My first contest on @sherlockdefi and got a 3 digit payout
audit was for @ajnafi
Feels great to contribute to web3 security!
Thank you Sherlock 🤠
10
3
62
@dev_chinmayf
Chinmay Farkya
6 months
Any solidity wizards here :
a *= (b * c )/d
Will this evaluate as (a * b * c )/d or as a* [(b*c)/d] ?
22
2
63
@dev_chinmayf
Chinmay Farkya
3 months
Hello Indian web3 developers / auditors,
I want to ask a very important question to you guys
I'm basically asking about independent auditors / developers like me who receive payments in stables and then sell it to fiat via platforms like wazirx (of course zero profits coz
18
1
63
@dev_chinmayf
Chinmay Farkya
2 months
Got a nice reward in the @zerolendxyz contest on @cantinaxyz
Much more to come this year, bullish on myself ✌️
8
1
61
@dev_chinmayf
Chinmay Farkya
1 year
To be on leaderboard of @code4rena @sherlockdefi you need to build up creatively for unique findings
To cover entire breadth of attacks, study this exhaustive list of categories of smart contract vulnerabilities
From @0xKaden
RT to spread the knowledge
0
17
56
@dev_chinmayf
Chinmay Farkya
1 year
1st Rank in my first judging contest on @sherlockdefi The surge protocol
7
1
56
@dev_chinmayf
Chinmay Farkya
9 months
2 podcasts that will help you learn a ton of web3 security and dev knowledge
@ProofOf_Podcast by @hake_stake
@ScrapingBits by @DeGatchi
All the inspiring researchers are giving out the alpha you do not want to miss to upskill as a security guy
2
8
56
@dev_chinmayf
Chinmay Farkya
1 year
Wrote an ERC20 token implementation in Yul
Will be adding more as I attempt to write other contract structures
A good exercise indeed 🫡
You can see the contract here :
1
8
54
@dev_chinmayf
Chinmay Farkya
11 months
One thing that I did wrong at beginning of my auditing journey was to jump into reading findings without understanding the system logic
You need to start exploring different popular defi protocols once you're confident with Solidity.
That knowledge translates well
4
5
55
@dev_chinmayf
Chinmay Farkya
1 year
saw this in submissions for Gitcoin allo contest on @sherlockdefi 😂💀
6
3
53
@dev_chinmayf
Chinmay Farkya
1 year
The EVM instruction set :
1
12
51
@dev_chinmayf
Chinmay Farkya
1 year
Solidity surprise Sunday #1
An immutable variable cannot be read in the constructor even if it has been assigned in the very same constructor
3
2
52
@dev_chinmayf
Chinmay Farkya
1 year
Want to master web3 security in 2023 ?
You'll need these nuggets of guidance by @trust__90, from his interview with @andyfeili
Trust is the #1 auditor on @code4rena leaderboard, do not miss this !
1
7
52
@dev_chinmayf
Chinmay Farkya
1 year
This blogpost by @trust__90 has all you need to set your mindset for auditing, anon. "The informal verification through all code branches" and the state machine concepts are my favorite in web3 sec education till date. I read this almost every day.
1
7
52
@dev_chinmayf
Chinmay Farkya
1 year
Want to dive deep into EVM opcodes ?
Well, the yellowpaper is not your best bet
This instruction set by EVM degen @jtriley_eth has a simple description for everything
Time to study it is now. Time to RT is now.
0
9
49
@dev_chinmayf
Chinmay Farkya
1 year
Auditing a protocol and want to look at past audit reports of it and similar protocols in a single place ? This tool got you covered : Just search for your favorite defi app
2
8
46
@dev_chinmayf
Chinmay Farkya
1 year
You have to believe that there are bugs in a codebase no matter how many audits it has gone through.
Currently auditing a protocol which has gone through 5 audits yet I got a lot of findings when I got deep enough
Strong belief is the key.
4
5
49
@dev_chinmayf
Chinmay Farkya
1 year
"one can indeed force a stack depth limit error when making an external function call — without buying all the gas in a block — by calling some number of internal functions before making that external function call"
Chad researchers at @Arbitrary_Exec
0
11
43
@dev_chinmayf
Chinmay Farkya
10 months
I'm blown away by @audit_wizard beta
- Direct code import from c4/sherlock/hats or from github/contract address
- Add findings and generate a report
- Generate contract interaction graphs
- Slither scan, Integrated AI chat, notes
Have a look :
5
3
48
@dev_chinmayf
Chinmay Farkya
3 months
A new milestone on @sherlockdefi
3
0
47
@dev_chinmayf
Chinmay Farkya
1 year
Web3 security auditing is incomplete without guidance from successful researchers
Everyone knows @pashovkrum from his massive strides in private audits
He's a part of oak security and @SpearbitDAO too, so you DO NOT WANT TO MISS THIS alpha from his interview with @andyfeili ::
1
7
45
@dev_chinmayf
Chinmay Farkya
8 months
Repeat after me, TWAP is manipulatable!
Before employing TWAPs as price oracles and calling it a day, there are certain risk factors you need to look at.
- Deep liquidity is needed in the selected pool for price source
- Underlying assets should have liquidity across broader
4
4
45
@dev_chinmayf
Chinmay Farkya
9 months
Foundry tip : You can install a specific commit of a library in your local repository using forge install and @ I hadn't realized how much alpha I was missing with just relying on secondary tutorials for foundry The foundry book is a gold standard writing, easy to understand
1
0
45
@dev_chinmayf
Chinmay Farkya
1 year
Want to excel at those low-hanging Gas pots on @code4rena
I have a list of 7 gas optimizations tricks that are VALID
RT to help every Solidity developer/auditor
2
13
45
@dev_chinmayf
Chinmay Farkya
10 months
Just discovered an awesome place to find differences in EVM implementations across L2s
1
14
43
@dev_chinmayf
Chinmay Farkya
9 months
Are you thinking about the missing pieces of education in web3 security ?
Or that very few are diving deep into researching technical stuff ?
EIPs, vulnerabilities, protocol logic, auditing methodologies
shh - A lot of cool security content coming your way soon.
Follow to stay
0
6
44
@dev_chinmayf
Chinmay Farkya
1 year
WANTED : A teammate/s for auditing contests so that we can improve better together Please DM
6
1
44
@dev_chinmayf
Chinmay Farkya
11 months
Make a habit of reading whitepapers, will help you a lot as an auditor
2
3
42
@dev_chinmayf
Chinmay Farkya
5 months
Jai Shri Ram 🛕 India is undergoing celebrations that were never ever seen before. 500+ years of wait which culminates into a beautiful Ram temple in Ayodhya today, and the display of unity and cultural strength all over the country. This is a part of the civilizational
5
2
41
@dev_chinmayf
Chinmay Farkya
1 year
How the EVM executes the init code (Creation Bytecode) of almost any smart contract
Marking a constructor as payable can save gas👀
2
7
40
@dev_chinmayf
Chinmay Farkya
5 months
@naruto11eth Even I'm not that religious, but this is not about religion. It's about the re-rise of our own civilization and that's where I connect with it. Jai shree Ram 🚩
0
0
40
@dev_chinmayf
Chinmay Farkya
8 months
Have you read this piece I wrote a few weeks ago, about the risks related to using EIP712 in your protocol ? Incorrect use of this code can lead to - signature replay, DOS, bad UX and other issues Read more here :
2
4
38
@dev_chinmayf
Chinmay Farkya
9 months
The feedback has been heard @sherlockdefi
Now the Lead senior watson will earn at max 12500 (22500 previously) USDC per contest week which is good overall for contest participation
It will now feel more like a contest rather than LSW's private audit
I think this will go well
4
0
36
@dev_chinmayf
Chinmay Farkya
1 year
Having a structure during smart contract security reviews is very important. Goes for both, reports and POCs
I put up a collection of all such templates for audit reports/ foundry/ POCs I have come across
Choose your own :)
0
12
38
@dev_chinmayf
Chinmay Farkya
8 months
I started an article series dedicated to smart contract security researchers
It's called "Auditor's Digest", has one post right now : The risks of EIP712
Another one dropping soon👀👀
Guess the topic if you can, suggest more topics that you want
RT & Follow here to stay updated :
1
5
37
@dev_chinmayf
Chinmay Farkya
2 months
@bytes032 @MartinMarchev what are indian auditors doing ? I need more of you out there !
27
0
38
@dev_chinmayf
Chinmay Farkya
8 months
I have started to include checklists in my audit process
How I see the importance of checklists : I am mostly concerned with the feature-level list of questions that are like undesirable states that you want to reach to find a bug.
For example, for liquidations, a few
3
1
36
@dev_chinmayf
Chinmay Farkya
5 months
If you are looking for that alpha inspiration for auditing, I have a collection of tweets for you :
@realgmhacker
gmhacker.eth
9 months
To perform a security review on a given protocol, one needs to fully comprehend it. Sure, you can speedrun it and get those surface-level bugs. As the industry matures, so will the bugs be covered under more and more layers of complexity and abstraction. This is especially
4
20
84
0
8
37
@dev_chinmayf
Chinmay Farkya
4 months
This is what the protocol had to say for a private audit I did some time ago
Providing value for clients is my top priority even if they've already had audits 🫡
Give me that code I want to break it.
Reach out if you want an audit😈
1
2
38
@dev_chinmayf
Chinmay Farkya
9 months
Not following EIP specifications gets accepted in a @CodeHawks contest and eats up 44 % of the total rewards pool
Everyone who submitted earned 640 $ 😭
Have a look :
2
2
35
@dev_chinmayf
Chinmay Farkya
11 months
Fellow devs/auditors from India
How do you convert your stablecoins to inr ?
Always used binance p2p till now, looking for ideas and alternate options
p2p has issues like bank account being frozen if a fraudster directs their money to you
11
3
36
@dev_chinmayf
Chinmay Farkya
9 months
The @CodeHawks sparkn contest results are in and I got a whopping 3 Low findings
Well I think you need a mindset change if you are participating on codehawks after you have participated on sherlock/c4
In the sparkn contest, I did not submit some very obvious bugs because I felt
12
1
34
@dev_chinmayf
Chinmay Farkya
1 year
I'm a smart contract auditor, yet I got scammed. That is because we keep shifting OpSec to the last of steps while it should be the very first step for everyone. I lost around 1400 USD in value. The hacker got my seed phrase and used it to sign malicious transactions.
24
1
17
@dev_chinmayf
Chinmay Farkya
11 months
Finally the @sherlockdefi leaderboard was adjusted with points from GMX update contest
Now ranking #47 on the leaderboard 🫡
Yay 🤓
4
0
34
@dev_chinmayf
Chinmay Farkya
1 year
From a high severity finding on @sherlockdefi 😂
2
0
31
@dev_chinmayf
Chinmay Farkya
11 months
This presentation by @BowTiedDravee is one of the finest educational resources for web3 security
Personally liked the mental modes part of it
Auditors, you need this!
3
5
32