Joe | Audit Wizard

@joe_vanloon

Followers 844
Following 1K
Media 20
Statuses 441

Professional security wizard, building @audit_wizard, making audits great again - previously worked @apple

Joined September 2021
@0xzak
zak.eth
27 days
SECURITY THREAD: Your .env file WILL get you drained (here's how to not be next) 🧵 👇 Private keys in .env files will get you rekt. It's not if, but when. You're one extension away from $0. The time between my PK leak to drain: 27 minutes.
34
102
511
@joe_vanloon
Joe | Audit Wizard
28 days
Same thing has happened to me once with a malicious npm package. This is exactly why I have a separate device for touching wallets. In my case, Little Snitch blocked the secondary payload and I safely wiped the laptop. This WILL happen to everyone eventually. Be prepared.
@0xzak
zak.eth
29 days
I've been in crypto for over 10 years and I’ve Never been hacked. Perfect OpSec record. Yesterday, my wallet was drained by a malicious @cursor_ai extension for the first time. If it can happen to me, it can happen to you. Here’s a full breakdown. 🧵👇
1
3
7
@joe_vanloon
Joe | Audit Wizard
1 month
I can't believe this outcome. Everyone in crypto knows how wrong this is. A sad day for the American people. 💔
@preston_vanloon
prestonvanloon.eth
1 month
This is a dark day for crypto and @rstormsf. The jury has found him guilty of conspiracy to operate an unlicensed money transmission business. The jury was deadlocked on the other counts. I don't even know what to say right now.
1
1
9
@__Raiders
Raiders
1 month
Thrilled to be awarded an Ecosystem Support Program @EF_ESP grant for https://t.co/r0P7IrfHTe We're developing a public good security platform that offers a centralized hub for real-time security tools, actionable checklists for personal privacy and protection, threat
digibastion.com
Enhance your Web3 security with our comprehensive checklist, tools, and resources. Learn best practices for crypto, DeFi, and blockchain security.
5
12
67
@forefy
tomer
1 month
@jacobvcreech Really wish to see static analysis growing with Anchor as well. We made radar not just understand Rust but specifically Anchor ⚓ https://t.co/RgubOtNJcB Hardest part is community template contribution, we tried to make it as simple as possible but still hard to hype
github.com
A static analysis tool for anchor rust programs. Contribute to Auditware/radar development by creating an account on GitHub.
0
1
3
@preston_vanloon
prestonvanloon.eth
1 month
Tomorrow, 12 jurors will decide whether writing open source code is a crime. This case is about Roman's future and it is also about whether developers can be held criminally liable for immutable smart contracts they can't control. The precedent here is terrifying. If Roman is
40
179
807
@rstormsf
Roman Storm 🇺🇸 🌪️
2 months
⏳ Final push next week. Our lawyers and experts are working around the clock — we’ve forgotten what normal sleep feels like. Every hour counts, and so do the costs. If you believe in fairness, open-source, and freedom, please help us finish strong. 🙏 👉
24
140
776
@TrustlessState
David Hoffman
2 months
Ethereum core developer @preston_vanloon took the stand to testify in the defense of @rstormsf This is why I love Ethereum - ETH is being built with a vicious commitment to values and freedom. Rainbows and unicorns in the front, but claws and teeth in the back.
34
34
379
@joe_vanloon
Joe | Audit Wizard
2 months
Actually, big tech companies usually have internal repo mirrors and their own review techniques and criteria. Verifying all dependencies is a tough thing to do. My advice is to skim the code to look for obfuscation, and use well known packages that have existed for a while.
0
0
1
@joe_vanloon
Joe | Audit Wizard
2 months
I once used a new NPM package in a script I was writing. It had all the indicators of legitimacy on the NPM website and tons of usage. I quickly learned it was malware when I checked the source code and saw it was dynamically obfuscated. Had to wipe my laptop after that.
@hansfriese
Hans🟪
2 months
🚨 Always verify your dependencies! During a recent audit, I discovered that a team accidentally used an unofficial npm package instead of the official Wormhole SDK. This highlights a critical dependency verification issue we all need to watch for. What happened: - Team used
3
0
5
@audit_wizard
Auditware
2 months
Hacks aren't just from vulnerable code. They happen because people use personal laptops for work, because a new dev hire was infected by malware, or because multi-sig ops were not perfect. We decided it was time to fix this, so we built Sentry, a platform that secures your OpSec
2
1
20
@__Raiders
Raiders
2 months
Cooking up the design for our new Blogs page on Web3SecNews with @navdeep1840. It is contributor-friendly too, so anyone can write, publish under their name, and help others stay sharp on the latest in web3 security and OpSec. DM if you’d like to collab and write articles!!! PS:
1
2
10
@joe_vanloon
Joe | Audit Wizard
2 months
Another wild twist. Cross-contract reentrancy! Does anyone remember that Vyper bug that allowed cross-function reentrancy when using the built-in guard? Auditors should always verify the mutex scope when you see the 'nonReentrant' modifier, it can be deceptive 🧙‍♂️
0
0
0
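The mutex-scope point in the post above, as an added illustration that is not code from the original thread or from Audit Wizard: two contracts each carry a correctly written `nonReentrant` guard, but each guard only covers its own contract, so a callback fired mid-`withdraw` can still reach a second contract that reads the first contract's not-yet-updated balance. The `Vault`, `LenderUnsafe` and `LenderSafe` contracts and all names below are constructed for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed example: per-contract reentrancy guards whose scope does not
// extend to a second contract that reads the guarded contract's state.

interface IVault {
    function balanceOf(address) external view returns (uint256);
    function locked() external view returns (bool);
}

contract Vault is IVault {
    mapping(address => uint256) public balanceOf;
    bool private _entered;

    // A textbook mutex: correct for calls that re-enter Vault itself.
    modifier nonReentrant() {
        require(!_entered, "reentrant");
        _entered = true;
        _;
        _entered = false;
    }

    // Exposes the lock so other contracts can extend its scope.
    function locked() external view returns (bool) { return _entered; }

    function deposit() external payable { balanceOf[msg.sender] += msg.value; }

    // Guarded, yet the ETH transfer happens before the balance is zeroed, so
    // while the callback runs, balanceOf still reports the pre-withdrawal
    // amount to any OTHER contract that reads it.
    function withdraw() external nonReentrant {
        uint256 amount = balanceOf[msg.sender];
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
        balanceOf[msg.sender] = 0;
    }
}

// Weak pattern: Lender has its own mutex, so Vault's lock does not cover it.
// A withdraw() callback can call borrow() and be credited against a Vault
// balance that is about to become zero. Both modifiers are "correct"; the
// gap is that their scopes are separate.
contract LenderUnsafe {
    IVault public immutable vault;
    mapping(address => uint256) public debt;
    bool private _entered;

    constructor(IVault v) { vault = v; }

    modifier nonReentrant() {
        require(!_entered, "reentrant");
        _entered = true;
        _;
        _entered = false;
    }

    function borrow(uint256 amount) external nonReentrant {
        require(vault.balanceOf(msg.sender) >= amount, "undercollateralised");
        debt[msg.sender] += amount;
    }
}

// Hardened pattern: widen the mutex scope across contracts by refusing to act
// while Vault is mid-call. Vault.withdraw should additionally follow
// checks-effects-interactions (zero the balance before sending ETH); this
// check is the defence-in-depth layer for state read by other contracts.
contract LenderSafe {
    IVault public immutable vault;
    mapping(address => uint256) public debt;

    constructor(IVault v) { vault = v; }

    function borrow(uint256 amount) external {
        require(!vault.locked(), "vault busy");
        require(vault.balanceOf(msg.sender) >= amount, "undercollateralised");
        debt[msg.sender] += amount;
    }
}
```

When reviewing a `nonReentrant` modifier, the two questions are which contract's storage the lock lives in and which other contracts read this contract's state between its external call and its state update; a lock that answers the first question well can still leave the second path open.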
@joe_vanloon
Joe | Audit Wizard
2 months
Good message. The unfortunate truth is that attackers very rarely return the money once they have stolen it. You have to hope it was just a dumb kid who is now scared and not DPRK agents who will never give a shit. Great to see GMX's huge bug bounty budget, though. What chads 💪
@GMX_IO
GMX 🫐
2 months
Posting this message in hopes of connecting with the individual responsible for the GMX V1 exploit. You've successfully executed the exploit; your abilities in doing so are evident to anyone looking into the exploit transactions. The white-hat bug bounty of $5 million continues
0
0
1
@joe_vanloon
Joe | Audit Wizard
2 months
Wow, this is so wild and really demonstrates the importance of redundant data sources and invariant monitoring. Pretty spooky stuff to learn that a core piece of infra is vulnerable like this.
@pcaversaccio
sudo rm -rf --no-preserve-root /
2 months
It gets even more fancy: the way Etherscan was tricked showing the wrong implementation contract is based on setting 2 different proxy slots in the same frontrunning tx. So Etherscan uses a certain heuristic that incorporates different storage slots to retrieve the implementation
0
0
1
@joe_vanloon
Joe | Audit Wizard
2 months
Roman Storm's trial starts in 5 days. Just like my lawsuit against the OFAC sanctions, Roman is fighting for our fundamental right to financial privacy. Unlike me, however, he is also fighting for his life. I wish him all the best and hope he emerges as a free man 💜
1
1
5
@joe_vanloon
Joe | Audit Wizard
2 months
Sad to see an organization that I know takes security very seriously getting hacked like this. I guess the takeaway from this is that hacks are not necessarily an if but a when, and preventative measures like on-chain firewalls should be a requirement for preparing for that day.
@GMX_IO
GMX 🫐
2 months
The GLP pool of GMX V1 on Arbitrum has experienced an exploit. Approximately $40M in tokens has been transferred from the GLP pool to an unknown wallet. Security has always been a core priority for GMX, with the GMX smart contracts undergoing numerous audits from top security
0
0
3
@joe_vanloon
Joe | Audit Wizard
2 months
Sorry, how is this a "standard" if it isn't accessible to anyone else? Publish the framework or call this what it is, a closed-source marketing gimmick.
@cantinaxyz
Cantina 🪐
3 months
Institutions need a way to evaluate DeFi risk. Organizations need a path to institutional adoption. Introducing the Web3SOC, the framework that evaluates security, governance, financial resilience, and compliance.
1
1
23
@joe_vanloon
Joe | Audit Wizard
2 months
Web3 security has grown beyond just on-chain hacks. Now, orgs are faced with ever-evolving threats targeting web2 and OpSec attack vectors, and we must evolve to combat them. We've frustratingly seen many organizations fall victim to easily preventable compromises (large
2
6
24
@joe_vanloon
Joe | Audit Wizard
2 months
Wake up babe, new web3 phishing training just dropped. We need more initiatives like this or OpSec compromises will continue to plague our industry. I think there is some work to be done to make this more accessible to organizations (35 challenges is a lot), but this is a start.
@1nf0s3cpt
SunSec
2 months
🔥 Unphishable project we've been working on for the past few months is officially launching. Unphishable is officially live! 🚀 Big shoutout to @SlowMist_Team @realScamSniffer and @DeFiHackLabs @EF_ESP @Geodework @GoPlusSecurity for the strong support!
0
0
6