Maxwell ꓘ Dulin (Strikeout)

@Dooflin5

Followers: 1K
Following: 2K
Media: 97
Statuses: 3K

God First ✞ | Web3 & Web2 Security Researcher (Hacker) | Gonzaga U & Centralia HS Grad | Wiffleball with @ctownwiffle | Dodgeballer |

Seattle/Centralia, WA
Joined February 2013
@Dooflin5
Maxwell ꓘ Dulin (Strikeout)
1 year
I taught a killer training of glibc malloc heap exploitation for several years. After some effort, the content is now open source and mostly ready to consume! Half of the videos are posted for the course. 🔥 https://t.co/4ewnAmO3Z1
github.com
The resources for glibc Malloc heap exploitation course by Maxwell Dulin and Security Innovation. - SecurityInnovation/glibc_heap_exploitation_training
6
102
334
@DevDacian
Dacian
14 days
Recent private audit client was thinking about launching fast after an audit by another firm produced only 1 Crit. But they postponed the launch after our on-going audit produced 6 Highs and counting! The last audit before mainnet should feel like it wasn't worth it.
3
2
74
@LiveOverflow
LiveOverflow 🔴
2 months
Fuzzing and vibe hacking is addicting like gambling:
1. Spend cash to buy token credits or compute
2. Hope to get bugs
3. Repeat
7
19
292
@Dooflin5
Maxwell ꓘ Dulin (Strikeout)
2 months
Most of the bugs I find while fuzzing are simply issues with the fuzzer I wrote. Improper bug detection and incorrect modifications to the target are good examples. Just keep iterating and iterating some more until it works as planned.
0
0
1
@Dooflin5
Maxwell ꓘ Dulin (Strikeout)
2 months
Clearing my office today and found a @lauriewired puzzle cube! Only took me 3 years to solve ;)
0
2
33
@AISecHub
AISecHub
3 months
LLMs are pretty good at some things and bad at others for security engineers. I use them a lot but very strategically. https://t.co/tE3fKsURXe By @Dooflin5 at @asymmetric_re As Google, Stack Overflow, and now LLMs become embedded in our workflows, we must ask: are they
maxwelldulin.com
LLMs can speed up security tasks like code comprehension and proof of concept creation. But, over-reliance risks missing subtle vulnerabilities and weakening core skills. How do we use LLMs optimally?
0
3
7
@Dooflin5
Maxwell ꓘ Dulin (Strikeout)
3 months
LLMs are pretty good at some things and bad at others for security engineers. I use them a lot but very strategically. Here are my thoughts: https://t.co/UIBI8GIbNa
maxwelldulin.com
LLMs can speed up security tasks like code comprehension and proof of concept creation. But, over-reliance risks missing subtle vulnerabilities and weakening core skills. How do we use LLMs optimally?
0
0
3
@asymmetric_re
asymmetric research
3 months
Threat Contained: marginfi Flash Loan Vulnerability by @_fel1x A new instruction broke the flash loan logic, creating a way to borrow without repaying and putting $160M at risk. We explain the vulnerability, potential impact, and how it was fixed. Full post below ↓
6
27
154
@ThePrimeagen
ThePrimeagen
4 months
i never saw this coming
328
1K
21K
@Dooflin5
Maxwell ꓘ Dulin (Strikeout)
5 months
This is how I first learned binary exploitation. Absolutely amazing content! The students who made this deserve an award from the school.
@alexjplaskett
Alex Plaskett
5 months
Modern Binary Exploitation by @RPISEC. This was a university course developed and run solely by students to teach skills in vulnerability research, reverse engineering, and binary exploitation. https://t.co/AFSHDwdCJ5
1
0
14
@Dooflin5
Maxwell ꓘ Dulin (Strikeout)
6 months
The last few @ctbbpodcast episodes have been amazing with great topic curation and discussions. 🔥 The new alpha of the self-XSS exploit method using the new “fetch later” casually being dropped was mind boggling. 🤯
0
0
1
@jeffsecurity
Jeff Security
6 months
You find a bug at 03:00. Two options:
- Sleep and submit it tomorrow
- Stay up, work hard and submit it
One makes the odds of owning a Lambo in ur favor, the other ensures tomorrow will be the same mundane day. Make your choice! 😎
1
1
7
@johnsaigle
John Saigle
7 months
PSA: Pretty much every "Solana/Anchor top vulnerabilities" checklist I've seen has numerous entries that are wrong. Either the remediations are wrong or entire bug classes are made up (perhaps hallucinated?)
5
1
23
@ErrataRob
Robert Graham
7 months
I want to break into the field of "cybersecurity". Can anybody explain to me what "Bitcoin style encryption" is, and how it applies to encrypted chat? There's so much I don't know.
@elonmusk
Elon Musk
7 months
All new XChat is rolling out with encryption, vanishing messages and the ability to send any kind of file. Also, audio/video calling. This is built on Rust with (Bitcoin style) encryption, whole new architecture.
29
10
191
@asymmetric_re
asymmetric research
7 months
New blog post: An Intro to Differential Fuzzing in Rust, by @nl_gripto & @anarcheuz. It walks through building a pure-Rust JSON fuzzer from scratch, then extending it into a differential fuzzing harness capable of surfacing consensus bugs. https://t.co/yrwtnxAozi
blog.asymmetric.re
In the year 2050, a malformed JSON input led to the complete shutdown of the Replicant P2P network. Today, we'll reproduce this bug class in ~100 lines of code.
1
24
91
@Dooflin5
Maxwell ꓘ Dulin (Strikeout)
8 months
Sometimes you find a stinky code pattern that's not exploitable now but may be in the future with some foreseeable changes. Write these down and revisit them in the future - you'll be happy you did.
0
0
5
@Dooflin5
Maxwell ꓘ Dulin (Strikeout)
8 months
Did the laser really burn a hole in the device!? That’s wild.
0
0
3
@richinseattle
Richard Johnson
8 months
Fun talk at #CSW2025 on voice cloning and deep faking! This type of attack is part of my upcoming AI for Cybersecurity training at Recon and Hexacon! (It’s on the hexacon syllabus but I need to update Recon)
@crpr4real
Creeper
8 months
Heading to #CSW2025 today, hit me up if you will be there and want to meet up! (I'll also be at @Defcon604) See y'all soon.
0
2
6
@Dooflin5
Maxwell ꓘ Dulin (Strikeout)
8 months
The best feedback one can receive ❤️ let’s talk turkey and not waste time with fluff.
@totdking
Konquest .
8 months
@asymmetric_re @Dooflin5 Looks good, informative and straight to the point
0
1
2
@asymmetric_re
asymmetric research
8 months
New blog post: Navigating Vulnerabilities in Solana CPIs, by @dooflin5. It breaks down how unchecked programs, signer privileges, and account handling pitfalls can lead to exploits—and how developers can design defensively. https://t.co/1RV6OglX58
blog.asymmetric.re
Cross-program invocation (CPI) is the mechanism on Solana through which one program calls another. It's used for system instruction calls, SPL token transfers, custom program execution, and even...
2
23
73
@Dooflin5
Maxwell ꓘ Dulin (Strikeout)
8 months
I'll be speaking at CanSecWest in Vancouver, BC on Friday about blockchain bridge security. I'm stoked to share innovations in security from the web3 space with the rest of the world! https://t.co/fwuyYF6nFV
secwest.net
$624 million lost in the Ronin hack. $611 million in the Poly Network exploit. These headlines share a common thread: security failures in the design and implementation of blockchain bridges—critical...
0
1
13