33Audits

@solidityauditor

Followers
2,510
Following
111
Media
98
Statuses
1,680

Your guide to the best knowledge on Smart Contract Security | Linktree for inquiries ⬇️

Joined January 2023
Pinned Tweet
@solidityauditor
33Audits
8 months
If you're a new auditor this is all you need to study before being ready to jump into contests. - Patrick's Foundry Course - @intogateway Course to level up and learn the advanced stuff - Read 3 previous audit reports (Jpeg'd, beedlefi, one of your choice) - Start doing contests
7
34
193
@solidityauditor
33Audits
7 months
KyberSwap had a $200,000 max bounty on @immunefi The hacker still chose to exploit the bug for $47 million instead. My guess is that this will end up leading to a 10-20% "reward" for the hacker. I wonder if at any point the hacker thought about submitting this as a bounty
26
38
250
@solidityauditor
33Audits
6 months
WARNING TO ALL AUDITORS. There's a group of bad actors currently targeting auditors. They've reached out to me from three different accounts telling me they want to hire me and asking me to install some software to get an idea of the "job". Clearly this is a scam. But don't
14
35
154
@solidityauditor
33Audits
7 months
If you started Smart Contract auditing today there’s no way by July of 2024 you won’t be making at least $1000 a month. Here’s the step you need to take to become great by end of next year. Give it six more months and I’m sure you could create a $10,000 a month business. The
6
14
149
@solidityauditor
33Audits
8 months
I remember seeing this in Discord over a year and a half ago. A DAO was looking to hire a Solidity developer for $900,000 a year. I remember this was at the TOP of the bull run. I want to put that screenshot on my wall as a reminder that those with the right skills will reap
9
14
148
@solidityauditor
33Audits
6 months
I’ve had a small squad of auditors who I’ve been learning Solana Programs/Rust development and auditing with these past few months. I saw the narrative before it happened due to my previous days as a degen. It was clear to me that the Sol ecosystem would be a HUGE opportunity for
25
11
140
@solidityauditor
33Audits
7 months
I just closed another client on retainer for $1000 a month for the next three months at just 5 hours a week. Super excited to start working with this team. They reached out because they want someone to sit down with them for a few hours a week who will answer their questions
12
5
135
@solidityauditor
33Audits
7 months
OTHER AUDITORS AREN’T PAYING YOUR BILLS YOUR CLIENTS ARE Let me repeat that again. Auditors on Twitter don’t pay your bills, they’re not hiring you, they’re not sending you money. You know who is? Developers, protocols, CTOs and CEOs. So why are you so worried about what
13
13
128
@solidityauditor
33Audits
10 months
Bored waiting for contests to start next week? Don't worry here are some fun Solidity Exercises to help keep your skills fresh while you wait.
1
20
124
@solidityauditor
33Audits
1 year
People have been DM'ing me lately asking how they should get started in Smart Contract Auditing. This is how I would accelerate my road to $10,000 in my first six months in Smart Contract Security if I got to do it over. 💰🛎️
4
24
110
@solidityauditor
33Audits
7 months
This is probably one of the best sites I've seen so far to get an aggregated view of security blogs. If you're a Smart Contract Security Auditor check it out. You can specifically search for any type of blog or bug type.
7
18
103
@solidityauditor
33Audits
7 months
With October closing last week it has been my most profitable month so far. Closing in just a little over $5000. 10 months ago when I quit my full-time Solidity role working at Consensys a lot of people told me I was a complete idiot for doing that in a bear market. Granted I'm
19
3
103
@solidityauditor
33Audits
10 months
Are you a Smart Contract Auditor that wants to learn how to find vulnerabilities in proxies? Don’t worry I got you covered. Check out this repo with awesome examples in Solidity!
0
13
102
@solidityauditor
33Audits
9 months
Just published a new blog about a few of the ERC20 bugs that I found in the 5 different contests that I participated in last month! ERC20 attacks are common finds nowadays but are still fun to learn about because they're all so unique!
4
16
94
@solidityauditor
33Audits
8 months
This is the ultimate repo for anyone looking to learn about Account Abstraction. Most of the alpha I've been posting related to ERC4337 is from here.
0
10
89
@solidityauditor
33Audits
7 months
Are you an auditor looking for your next easy find? ERC20 bugs are pretty easy to spot so you should learn about them!🏖️🕶️ Check out this article I wrote to get you started!
2
15
87
@solidityauditor
33Audits
8 months
This notion template is a requirement for Smart Contract Auditors. @Sm4rty_ is awesome for creating this and sharing it for free. It’ll help you organize yourself during your next audit and during report creation.
2
10
82
@solidityauditor
33Audits
7 months
I just looked back at the first notes I took when I started studying Smart Contract Auditing in January of this year and it says... "Use Call instead of send or transfer" I think at the time I was doing the @TheSecureum BootCamp as it was the main resource to find out about
4
3
80
@solidityauditor
33Audits
10 months
ERC4626 is quite common to see in Defi these days. But if not implemented properly they can be a goldmine for hackers. Let's dive into what they are and one of the issues you can look for when auditing.🧵
5
7
76
@solidityauditor
33Audits
9 months
I've shared this link before but will share it again. If you don't know where to start when it comes to zk auditing study material, this is for you. The million-dollar contest on @code4rena is about to be crazy. Can't wait to see some people score six-digit payouts.
4
12
77
@solidityauditor
33Audits
8 months
For anyone new to Solidity @BuildOnBase did a great job of creating a Solidity BootCamp for newer devs to learn the basics quickly. Topics include. - Introduction To Ethereum - Smart Contract Development - Token Development - ERC20 - Token Development - ERC721 And more! Check
8
15
72
@solidityauditor
33Audits
6 months
Really enjoyed this article on ERC4337 security. Learn about the following - Gas Fee Calculation Logic - Signature Generation & Usage - Reuse of Signatures - Front-running And more!! Check it out below.
4
12
70
@solidityauditor
33Audits
8 months
For my auditing, full-time has been more about how long can I survive and not how much I'm making at the moment. The first couple of months were really rough. I was making little to no money and was living off of savings. I knew if I stuck around long enough I'd hit a point
11
3
72
@solidityauditor
33Audits
10 months
1/ Excited to announce that starting today, I'm a member of the @QuilAudits Red Team, focusing on web3 security!!!🎉 🥳 Excited for this new adventure in the cutting-edge world of cybersecurity. Why did I choose to work with Quill Audits when they reached out? 🔍 📊
14
5
72
@solidityauditor
33Audits
6 months
I think the real alpha for 2024 is carving out a niche for yourself and building a business around it. There’s so many things that are still low competition relative to Solidity auditing. Things like gas optimizations, writing fuzz tests, building and auditing in Rust, building
5
7
74
@solidityauditor
33Audits
9 months
1/ Are you a new auditor and looking for a layup in your next contest? Something that isn't too hard to find but could lead to a decent payout and some points on the leaderboard.🧵 This one issue led to a $250 payout PER auditor in a recent @codehawks contest. Let's dive in!
5
13
70
@solidityauditor
33Audits
9 months
This is probably the bible of Gas Optimizations. What an amazing resource for anyone looking to learn.
1
12
69
@solidityauditor
33Audits
11 months
Smart Contract Auditors can benefit by using this checklist regularly when starting a new audit. Don't go through all of it line by line. Instead, do a quick scan to see if there's anything you forgot to look for and remind yourself of things you should be checking for.
1
15
68
@solidityauditor
33Audits
10 months
Persistence is key if you want to be a Smart Contract Security Researcher. It took me almost six months of work before I made my first $1000. But if you want to... ✅Work for yourself ✅Make good money doing it Then you HAVE to stick with it. The key is not giving up.
6
8
66
@solidityauditor
33Audits
6 months
Here are some common Defi related attack vectors every smart contract auditor should know. - Governance Attacks - Oracle Manipulation Attacks - Flash Loan Attacks - Replay Attacks Check out more here!
0
9
67
@solidityauditor
33Audits
7 months
Five types of cross-chain attacks every Smart Contract Auditor should know. ✅Signature replay ✅Hardcoded Contract Addresses ✅ERC20 decimals ✅Contracts Interface ✅Contracts Upgradability
1
9
63
@solidityauditor
33Audits
8 months
If you're an auditor looking to learn more about Account Abstraction bugs then I got you covered! Check out this article detailing some ERC4337 bugs and how to mitigate them.
1
13
66
@solidityauditor
33Audits
8 months
If you're just getting started with Solidity and looking for some practice this repo is a great place to get started. It covers the following topics. Question 1: Voting System Question 2: Escrow System Question 3: Withdraw Funds Question 4: Rent Storage Question 5: Staked
1
17
66
@solidityauditor
33Audits
10 months
Wanna build a c4 bot?🤖 Want to automate a ton of low-severity findings for your private audits?⏩ Here's a sick bot that does a ton of that work for you made by @thePicodes
4
11
61
@solidityauditor
33Audits
11 months
Seriously @PatrickAlphaC seems to be one of the few people who understand the importance of community in this space. A person in his position could be taking advantage of people and yet he consistently surprises me by always putting community first.
@DevDacian
Dacian
11 months
Judges on @CodeHawks won't be able to see the auditor's identity when judging submissions - huge move to remove bias towards big names! Other platforms said this was too hard to implement but apparently it wasn't too hard for @PatrickAlphaC !
6
11
90
2
5
61
@solidityauditor
33Audits
4 months
No contests in the pipeline Auditors: OMG it's so hard to make a living as an independent researcher. Only the best make money doing it. We won't be able to scale cause new auditors will leave to do other work that actually pays. 20+ contests in the pipeline Auditors: This is
7
3
61
@solidityauditor
33Audits
6 months
If you want to do a deep dive into the EVM check out this aggregated list of resources. Tons of alpha here.
1
6
57
@solidityauditor
33Audits
7 months
If you're a Smart Contract Auditor who's auditing a lending protocol here are some great questions to ask yourself during the audit. I've collected these from various Twitter threads, Github repos, and issues on @SoloditOfficial that I've seen over the past week while auditing
2
10
57
@solidityauditor
33Audits
7 months
If you're a Smart Contract Auditor participating in the @MorphoLabs contest on @cantinaxyz this article could help you uncover some bugs. The awesome @DevDacian always does a great job of writing these and I find them extremely helpful when needing to revisit specific bug
3
4
57
@solidityauditor
33Audits
8 months
Are you a Smart Contract Auditor who's new to Account Abstraction? Want to learn about ERC4337 attack? I went through @soloditOfficial and detailed some ERC4337 bugs that were found. Let's take a look.🪐 The validateUserOp should always return SIG_VALIDATION_FAILED
5
10
54
@solidityauditor
33Audits
6 months
This year has been one of extreme growth for me and my private auditing business! I recently joined @TheBlockChainer for an interview discussing everything about growing my independent private auditing business! This interview has helped me reflect on how far I've come since
9
2
56
@solidityauditor
33Audits
6 months
I find this checklist for auditing cross-chain projects a real gem. There's a section specific to @LayerZero_Labs integration and security checks. @windhustler I wonder what you think about this🧐
1
6
54
@solidityauditor
33Audits
9 months
Really enjoyed the writing in this article about ERC777. Recommend it for any Smart Contract Auditor wanting to learn more about ERC777 reentrancy.
1
10
54
@solidityauditor
33Audits
1 year
This repo is amazing. It has reproduced attacks of all the major defi hacks using foundry. Great for new auditors looking how to build PoCs or see what actual attacks look like.
0
6
51
@solidityauditor
33Audits
4 months
Are you a Smart Contract Auditor looking to learn more about TWAP oracles? I recently did a private audit that used TWAPs and I learned a lot! Let's dive in to learn a bit more about them and to see what gotchas you should look out for when reviewing them!
6
11
59
@solidityauditor
33Audits
7 months
Becoming a Smart Contract Auditor is possible for anyone who wants to put in the work and is willing to grind day in and day out. I'm seeing folks who started six months ago starting to get their first big wins in contests. Proof that consistency is what leads to rewards.
3
6
50
@solidityauditor
33Audits
1 year
If you think there’s too much competition in crypto wait until the bull run. The demand for your Solidity skills will make you so much $$$. Employers think they’re cute by being selective right now, can’t wait for it to become an employees market. They’ll be begging for us.
4
4
51
@solidityauditor
33Audits
7 months
If you’re a Smart Contract Auditor doing a security review of an AMM here’s a checklist to get you started. Checklists can be a powerful tool for guiding your mindset in the right direction during an audit. They can be effective in sparking creativity, as you work through them
2
6
50
@solidityauditor
33Audits
10 months
Here's a trick I've used to get a few leads through Twitter for private audits and turn them into repeat customers. QUICK NOTE DO NOT ever spam protocols in their Twitter DMs or on other platforms for leads. Sales will come to you if you know what you're doing. Don't be annoying
7
6
50
@solidityauditor
33Audits
10 months
Quick checklist for your next audit. Click the link to see the details! 1: Architecture, Design and Threat Modelling 2: Access Control 3: Blockchain Data 4: Communications 5: Arithmetic 6: Malicious Input Handling 7: Gas Usage & Limitations 8: Business Logic 9: Denial of
1
9
50
@solidityauditor
33Audits
6 months
2023 has been a year of a lot of struggle for me in my personal and work life which has eventually led to much success, which I’m grateful for. However that doesn’t come without a cost. I’ve seen my mental health deteriorate a bit over the past few months. So I’ve decided to
8
0
50
@solidityauditor
33Audits
6 months
I’m planning on tripling my monthly income by this time next year to at LEAST $30,000 a month. The pessimists will read this and say it’s “impossible”. Good, your pessimism only leaves more money in the space for me to collect. It’s the most counterproductive quality you have
7
0
50
@solidityauditor
33Audits
8 months
Are you an auditor that wants to know more about Account Abstraction and ERC4337? I've been researching the topic for the past few weeks and want to share some of the things I've learned. Helping you feel more confident when auditing ERC4337 implementations. Let's dive in!
3
11
48
@solidityauditor
33Audits
7 months
If you’re finding H and M vulnerabilities in contests but not really making much money cause of dups don’t be hard on yourself. You’re actually probably a really good auditor and could potentially do well at a firm as JR or in easier private audits. Thing is contests are
5
4
48
@solidityauditor
33Audits
9 months
Just finished the Chainlink contest on @Code4rena with 🟥High: 1 🟨Medium: 4 Pretty confident about at least two of these being valid as we were able to write strong POCs and test cases for them. Let's see what happens though. Excited to get my name higher up on the board.
3
4
49
@solidityauditor
33Audits
1 year
Gas Optimization 1️⃣ Ever wanted to get your first issue submitted to @code4rena but don't know where to start? There's a ton of really simple gas optimizations you can scan for in a codebase without needing a deep knowledge of Solidity. Let's look at one of them below 🧵👇
1
11
48
@solidityauditor
33Audits
9 months
Are you a new auditor and looking for a layup in your next contest? Here's an issue that isn't too hard to find when you're just starting out but depending on impact can get you that Medium or High. Let's dive in! 🧵
1
7
44
@solidityauditor
33Audits
11 months
When doing an audit on @code4rena these are the lowest paying findings. -Use safeTransfer, safeTransferFrom instead of transfer, transferFrom when transferring -Use call() instead of transfer() when transferring ETH -First depositor issue -Silent overflow -Did not Approve to
4
4
47
@solidityauditor
33Audits
11 months
1/ Found a neat bug recently when doing a @code4rena report. Check out the code below to see how downcasting can lead to precision loss and ultimately loss of users' funds. Every Smart Contract Auditor should know this.
4
10
46
@solidityauditor
33Audits
8 months
Just finished a private audit for a client for a codebase that was 2000 SLOC. Was one of my favorite projects to work on and the clients seemed extremely happy with the work I did.
6
1
42
@solidityauditor
33Audits
1 year
Private audits are the easiest way to make big bucks in this industry. If you think c4 audits have picked up then you don't even know how many private audits are picking up steam. Want more private audits? Read, write, and breathe Smart Contract Security.
3
5
43
@solidityauditor
33Audits
9 months
1/ @code4rena Audit analysis is a great way to make some extra bucks as an auditor. As I mentioned before there's some auditors getting three digit payouts for a quality Analysis report. Let's dive in together and see how you can take advantage of this amazing feature.
1
9
44
@solidityauditor
33Audits
9 months
Every Smart Contract Auditor should know about rounding errors and precision loss issues. I wrote about a recent finding that I found in a @CodeHawks related to rounding issues. Check it out.
0
11
44
@solidityauditor
33Audits
10 months
Had a few of my reports selected for the recent Beedle contests on @CodeHawks . Feels good to know my writing is improving. Six months ago I couldn't even get a gas report validated cause my submissions were so bad.
4
2
43
@solidityauditor
33Audits
9 months
Check out some of the previous @zksync audits while you're studying this next week. These tend to be a goldmine for finding bugs as devs tend to make the same mistakes. Especially when it comes to codebases as large and complex as this one.
2
2
44
@solidityauditor
33Audits
8 months
If you're doing the @zksync audit here are some common zk bugs to look out for. ✅Under-constrained Circuits ✅Nondeterministic Circuits ✅Arithmetic Over/Under Flows ✅Mismatching Bit Lengths ✅Unused Public Inputs Optimized Out ✅Frozen Heart: Forging of Zero Knowledge Proofs
0
3
42
@solidityauditor
33Audits
10 months
Over $500,000 in rewards coming up this next week. It's about to be a HUGE month for auditors. Hope everyone took some time off during the lull these past two weeks. If your bank account is looking a little bleak let's get to work and get to this money! No excuses, just bug
2
2
42
@solidityauditor
33Audits
10 months
1/ 1/ Gas Optimization⛽️🔥🚨 Here's a quick gas op from a recent report on @code4rena . These are easy wins that you can get when submitting private reports and just getting into auditing.
1
6
43
@solidityauditor
33Audits
10 months
Locked in our biggest private audit last week all through word of mouth and referrals. Team and I have been drowning in complex code but we’re definitely on to finding some interesting bugs. Also received three leads in my inbox this weekend alone for potential new clients. This
6
1
44
@solidityauditor
33Audits
11 months
1/ Gas Optimization⛽️🔥🚨 Here's a quick gas op when dealing with functions marked with modifiers such as onlyOwner. These are easy wins that you can get when submitting private reports and just getting into auditing.
1
9
43
@solidityauditor
33Audits
7 months
May just be me but I feel like I’m seeing a little bit more negativity in web3sec Twitter recently. Seems like some folks are going out of their way to mock other auditors, or just overall throw hate when someone else is trying to grow their business by taking action and failing.
4
5
40
@solidityauditor
33Audits
7 months
Understanding the EVM is essential to level up as a Smart Contract Auditor. I've seen this EVM Handbook shared a few times here but wanted to share it again since it's packed with so much alpha. Take a look!
2
6
40
@solidityauditor
33Audits
7 months
If you’re a smart contract auditor here’s an example of a return bomb. It’s one of the most commonly found issues on @immunefi
@nisedo_
nisedo
7 months
@realgmhacker dropping bug bounty alpha 👀 TOP 3: 1. Rounding errors 2. Re-entrancy 3. Return bomb
6
9
79
0
4
42
@solidityauditor
33Audits
9 months
This is the audit contest I always recommend to newer Smart Contract auditors who are looking for a decent-sized contest to shadow audit. You can compare your results to the final report. DON'T CHEAT
3
3
40
@solidityauditor
33Audits
10 months
Made a quick video on how to improve your report submissions on @CodeHawks . This video will walk you through one of my selected reports and explain how to increase your chances of getting your issues validated by judges!
2
7
42
@solidityauditor
33Audits
1 year
Killer month last month. Locked in two private audits for a total of $10,650. Found three highs and 10 mediums plus a ton of QA and Gas ops. Looking for more clients for private audits. DM me if you need any work!
3
0
40
@solidityauditor
33Audits
8 months
Are you an auditor who's looking to learn more about ERC4337 vulnerabilities? Well lucky for you this bug is pretty simple and most auditors have already seen it before. Let's dive in and take closer look at what it is!
3
6
41
@solidityauditor
33Audits
11 months
1/ Recently learned about an interesting overflow issue when combing through @solodit . Fairly simple to understand but may be a bit difficult to spot in large codebases if you're not paying extra attention. Let's check it out.
3
4
41
@solidityauditor
33Audits
6 months
Excited to see where 2024 takes us. Already people like @bytes032 and @ShieldifySec are creating new ways for private auditors and clients to connect. My guess is this is just the beginning. We’ll see tons of new services and platforms connecting auditors to protocols as things
1
3
40
@solidityauditor
33Audits
9 months
Five attack vectors every Smart Contract Auditor should know when auditing a multichain protocol. ✅Block time is not the same on different chains ✅Block production may not be constant ✅Chainlink Price Feeds ✅AMM pools token0 and token1 order ✅Modified Opcodes Read more
2
5
39
@solidityauditor
33Audits
9 months
Audit Analysis on @code4rena is a great way to get some extra cash without necessarily finding bugs. I see a few folks submit some that say they spent 8-20 hours on it to come out the other end with $500+ depending on the prize pool size. That's okay for the amount of work if
2
2
39
@solidityauditor
33Audits
1 year
1/ Gas Optimization⛽️🔥🚨 Gas optimization audits are starting to generate a lot of money. Some audits could bring up to $10,000 depending on SLOC. Let's check out some awesome ways you can save your clients some gas!
1
6
39
@solidityauditor
33Audits
11 months
1/ Gas Optimization⛽️🔥🚨 Here's a quick gas op from a recent report on @code4rena . These are easy wins that you can get when submitting private reports and just getting into auditing. Struct packing!
3
4
38
@solidityauditor
33Audits
10 months
1/ Most people tend to go for the biggest wins when auditing smart contracts. Truth is I think it's the way to make the most money in the LONG RUN, but I found it's not the best fit for me and how I audit. I tend to take more of a War Dogs approach.
3
5
37
@solidityauditor
33Audits
11 months
This repo has some useful solidity tricks for auditors. I especially like the assembly tricks directory. That is a gem.
1
9
38
@solidityauditor
33Audits
10 months
Amazing checklist for anyone auditing a multi chain project! ◦Block time is not the same on all chains ◦Block production may not be constant ◦L2 Sequencer Uptime Feeds in Chainlink ◦Chainlink Price Feeds ◦AMM pools token0 and token1 order ◦Modified Opcodes ◦Support for
2
10
38
@solidityauditor
33Audits
10 months
1/ Some of the best auditing productivity advice that I've learned is directly from @0xOwenThurm on how to boost your performance as an auditor. I'd say watch this video if you want to 10x your productivity as an auditor. Here's some key points I took from watching the video.
1
7
35
@solidityauditor
33Audits
1 year
Smart contract security is a skill that you must practice everyday. Want to make $100k plus without having a boss? You can do it but you gotta put in a lot of time, I’m talking hours on hours. And persistence is key, most people get stuck and stop 🛑 Keep pushing! Don’t stop
1
0
36
@solidityauditor
33Audits
7 months
Awesome opportunity for anyone who's a bit newer to Smart Contract Auditing/Solidity Development. @BuildOnBase has been hosting free bootcamps aimed at turning senior-level developers into Smart Contract developers. Cool part is they pair you up with a mentor so it's also a
1
3
35