Raz0r

@theRaz0r

CTO & Co-founder @DecurityHQ

Joined January 2012
@theRaz0r
Raz0r
9 months
Hey web3 hackers, this is for you 👇
@DecurityHQ
Decurity
9 months
https://t.co/7Sa3MDIMQk alerts are now public! Join https://t.co/Ro69fFnk4g to learn about DeFi incidents in real-time. For bug bounty hunters we indexed all smart contracts from @Immunefi to notify about: ~ Proxy Upgrades ~ Access Control Changes ~ Governance Activity and more
@DecurityHQ
Decurity
14 days
A DeFi hack protection protocol @cozyfinance has been hacked for $427k on Optimism: https://t.co/gWpWCyWcKO An attacker bridged the funds to a different address on the mainnet and deposited to Tornado: https://t.co/7zu1DfIlHv
etherscan.io
Address (EOA) | Balance: $49.94 across 2 Chains | Transactions: 22 | As at Sep-13-2025 03:07:59 PM (UTC)
@theRaz0r
Raz0r
16 days
H-1: Etherscan verification front-running. If in a future contract they just change `gdp_q2_2025` to `gdp_q3_2025`, it's possible to front-run the source code verification and insert any comments as soon as the contract is deployed.
@BanklessHQ
Bankless
16 days
GDP ON THE ETHEREUM BLOCKCHAIN @CommerceGov
@muellerberndt
Bernhard Mueller
20 days
I’m releasing a public version of Hound, my bounty-winning security analysis agent. It re-invents AI code audits from first principles by modeling the cognitive + organizational processes of real experts. Link in first reply.
@theRaz0r
Raz0r
2 months
The wildest thing in the Arcadia exploit is that the hacker triggered a circuit breaker on purpose to switch it to the cooldown period, so that a monitoring system could not pause it again. This is the first adversarial attack in a real DeFi exploit to my knowledge.
@theRaz0r
Raz0r
2 months
$250 for XSS from Etherscan? Hold my beer, I received $30 for XSS via ENS from them in 2021 https://t.co/N5FwDZkV2O
@lcfr_eth
LCFR
2 months
Posting a throwback to some old web2->web3 boundary crossing bounties I reported years ago as duplicate ENS names are being discussed again (using unicode). First was registering invalid names with script tags that would be parsed by @etherscan even though they were invalid as
@dedaub
Dedaub
2 months
Just mitigated: The CPIMP Attack – a stealthy front-running exploit infecting 100s of DeFi proxies across many protocols Attacker inserts hidden proxies that self-restore, spoof Etherscan, and lie dormant for high-value strikes Tens of millions at risk https://t.co/b4UX9KayL0
dedaub.com
CPIMP Attack: Clandestine proxies infiltrated DeFi protocols across chains—hiding in plain sight for weeks before discovery
@theRaz0r
Raz0r
2 months
Ethereum security is a public real-time attack-defense competition, good job blue team!
@deeberiroz
deebeez
2 months
We @VennBuild just discovered a critical backdoor on thousands of smart contracts leaving over $10,000,000 at risk for months. Along with the help of security researchers @dedaub @pcaversaccio, the seals team @seal_911 and others, we managed to rescue the majority of funds
@radworks_
Radworks
3 months
1/ Today we’re excited to introduce the Radworks app — the most secure and verifiable way to access any front-end. A local-first launcher for dApps, built to solve one of the biggest security risks in Web3🧵
@theRaz0r
Raz0r
3 months
Finally a funny idea of web3 OSCP got real. IMO a better way to prove your skills is audit contests and bug bounties.
@Hashlock_
Hashlock
3 months
‼ Looking to get a web3 security job or grow your auditing career? Today we are launching something massive. The first certifications for web3 security researchers published by a leading firm. 🔔Link in thread. Get certified now, prove your skills, and get to the top of
@TheTradMod
TradMod
4 months
There are tons of audit checklists floating around the internet. I decided to gather them all and put them in one place: "awesome-audit-checklist". Over 50+ checklists, packed with pure Alpha 🔥 https://t.co/4Nagmd2kni
github.com
A curated list of smart contracts security audits checklists and resources. - TradMod/awesome-audits-checklists
@newmoneyreview
New Money Review
3 months
The decentralised finance (#DeFi) market is booming—but the world’s best hackers are on the prowl for new ways to steal your crypto tokens. Listen to Arseny Reutov (@theRaz0r) of @decurityhq in the latest episode of #UnseenMoney from @newmoneyreview https://t.co/25ZCo7ri96
@k_firsov
Kirill Firsov
3 months
Here is a PoC demonstration for you guys! #roundcube #cve #fearsoff https://t.co/5GVWiLCCtr
@DecurityHQ
Decurity
3 months
📢 Published a new semgrep rule: `uniswap-v4-callback-not-protected` Detects Uniswap v4 hooks that have callbacks without onlyPoolManager, a root cause of the $11 million @Corkprotocol hack. https://t.co/yDe7zbbjcH
github.com
What's Changed add bad-transferfrom-access-control rule by @morsiiik in #67 Update GitHub Actions workflows to use Ubuntu 22.04 by @Raz0r in #71 Add Uniswap v4 callback not protected rule by @...
@theRaz0r
Raz0r
4 months
So the @Corkprotocol hack had nothing to do with the recently upgraded code, the beforeSwap callback in CorkHook had no access control from the very beginning and passed the @cantinaxyz audit.
@dedaub
Dedaub
4 months
THREAD: The $11M Cork Protocol Hack - A Masterclass in What NOT to Do with Uniswap V4 Hooks 🚨 @Corkprotocol just became a cautionary tale. Let's break down how missing access control and other weaknesses turned depeg insurance into an unfortunate loss. https://t.co/Cvs7gKBNzU
@slonser_
slonser
4 months
Today I used a technique that’s probably not widely known in the community. In what cases could code like this lead to a vulnerability? ->
@DecurityHQ
Decurity
5 months
We analyzed the smart contract hacks from 2020 to 2025 to answer the question: how fast do vulnerable smart contracts get exploited after deployment? Read the research:
@DecurityHQ
Decurity
6 months
Synthetics Implemented Right @leveragesir has been hacked for $355k This is a clever attack. In the vulnerable contract Vault ( https://t.co/RycDbFY5Xq) there is a uniswapV3SwapCallback function that uses transient storage to verify the caller. Specifically, it loads an address
@DecurityHQ
Decurity
6 months
Releasing our new IDA Pro plugin for analyzing Solana's eBPF programs developed by @dewardgnome. Check out the blog post:
blog.decurity.io
One day, I decided to reverse-engineer a Solana program, only to realize that my usual go-to tool, IDA, had no support for it. The only…
@theRaz0r
Raz0r
6 months
I submitted the bug report with an initializeV3() call simulation to Immunefi 5 minutes before the malicious call; however, no bounty was received and Cyan even accused me of sending this transaction 🤡