André
@iamandreiski
Security Researcher @CertoraInc | 2x🥇| 10+ Top 5 Contest Placements | You can reach out @ https://t.co/k23TmIlM1n
Joined November 2023
Secured 1st place in Sherlock's @aegis_im contest 🥇 A year into full-time Web3 security, and I've landed my first proper contest win. This comes after:
- 10+ Top 5 finishes;
- 100+ C/H/Ms;
- Thousands of hours spent auditing;
And I’m just getting started.
Since Monday’s @Balancer v2 exploit, we’ve worked hand in hand with their team to develop the first root-cause analysis of the issue, identify all affected and potentially vulnerable pools, and determine whether v3 was susceptible to the same attack. Our analysis breaks down
certora.com
Certora’s in-depth analysis of the Balancer v2 exploit — what caused it, and how v3’s redesign prevents similar hacks.
👀 @ETHSofiaBG had a special vibe! Thank you @vdramaliev! And ofc, the panel discussion with @0xriptide, @iamandreiski, and @faizannehal1 😎
Grateful to be part of such an awesome event 🫡
Honored to be part of the @ETHSofiaBG speaker roster, and this panel.
🎙️New speaker reveal: @iamandreiski is joining the “How Do We Secure One Trillion Dollars Onchain?” security panel at ETHSofia 2025. Andrey is a Security Researcher at @CertoraInc and one of the sharpest minds in smart contract security. Since 2020, he’s been actively shaping
If you want to make DeFi safe and assist the most interesting protocols with sophisticated technology and security services, this is your dream job.
🚨 Hiring alert! Want to work at the best security company in the industry? Certora is looking for a new sales rep to join the team. If you’re interested, check out the job description and apply today. Link below 👇
Finished a Move on Sui audit with @CertoraInc
It's fulfilling to review a project & weeks later an additional component of the same project
It's like seeing a kid grow, following & supporting his journey
Was also my 1st collab with @iamandreiski and this was literally us:
After almost two months of radio silence, proud to announce that I have recently joined @CertoraInc as a Security Researcher. Looking forward to the next chapter of securing web3, and working alongside some of the brightest people in the industry. 🫡
Hot takes that I think shouldn’t be hot, and should be “the default” 1. The contest platform is ultimately responsible for the payout. It is the contest platform that promises payout, so if a platform doesn’t pay out, no matter the drama, it is the platform’s fault. 2. The
Devs need to thoroughly test out all of their integrations and happy paths prior to commissioning an audit. Otherwise, audit reports become a giant list of broken functionalities, with less time for auditors to properly stress test the protocol and find the hidden gems.
Another🥇1st place, this time it's @Starknet Staking. My second time auditing Cairo, and I managed to win the contest. Another proof that no matter the technology, language, or chain, your hacker mindset and framework are what matter most.
Awards have been announced for the Starknet Staking: Part 2 contest🤝 Top 5:
🥇iamandreiski - $7,923.73
🥈trtrth - $5,671.76
🥉bladesec - $5,652.72
🏅hamadiftikhar - $4,180.42
🏅bareli - $4,140.63
(1/2)
Audit tip of the day: When basing anything on a hash, make sure that it contains sufficient unique values, a nonce which is incremented with each new hash, and a chain id divisor. Avoid abi.encodePacked for value encoding prior to hashing them, especially for dynamic types.
An inherent skepticism toward every norm throughout life will get you labeled a conspiracy theorist. In web3 security, it will get you a very lucrative career. You're one assumption away from letting the bad guys win. Question everything.
Time to drop the really big bomb: Sharing my successes throughout the last year has resulted in 50+ people reaching out to ask for guidance, etc. Some as far as 8-9 months ago. I've only seen like 2 of them winning some $ in contests. Consistency is key. Have a nice day.
Audit tip of the day: If a protocol employs cross-chain mechanics:
- Beware of any core components that can be DoSd/manipulated due to the cross-chain transfer delay
- Account for situations in which said delay could be significantly prolonged due to problems with the transfer
As an auditor, your confidence is a key asset in discovering vulnerabilities.
- Approach every codebase assuming numerous bugs exist, regardless of the protocol-in-question or the team behind it.
- A single shred of doubt can be detrimental to your ability to find anything.
I've participated in 15+ audits/contests involving cross-chain mechanics, and I’ve ranked Top 5 in 5 of them. Audited integrations with CCIP, LayerZero, Stargate, Wormhole, and more. Here are 3 things you should focus on when auditing or implementing cross-chain integrations:
Audit tip of the day:
- If a protocol has implemented a mechanism which calculates gas cost and charges users some kind of a fee based on it; OR
- It forwards an exact amount of gas based on a calculated execution cost or similar;
9/10 times, there's a vulnerability there.
I've received a lot of questions about my audit framework, and the techniques I use. Although unique to every auditor, here are my 4 fundamentals that I've incorporated into my auditing routine, which have helped me to constantly rank in the Top5 during public audit contests: