
Black Panther (@thepantherplus)
software engineer | security researcher | Discord: _theblackpanther
Followers 4K · Following 32K · Media 109 · Statuses 2K · Joined April 2022
another big win 🥉. just secured 3rd place in the @Aptos @aave contest hosted by @cantinaxyz. despite live fixes downgrading some of my other findings High→Low, still pulled 1H+1M. this was my first time auditing in Move lang, but as @zigtur always says: “Language doesn't
Move has a sneaky footgun that can break your entire security model. Test functions without the #[test_only] attribute become publicly callable by any module → your "internal test helpers" become production attack vectors → unauthorised operations everywhere. wen auditing.
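Added example (not code from the tweet): an Aptos Move module constructed to show the footgun and its fix side by side. The address `example_addr`, the `Balance` resource and all function names are hypothetical.

```move
// Constructed example: a balance-tracking module with a "test helper"
// that was never marked test-only, next to the corrected form.
module example_addr::vault {
    use std::signer;

    /// Per-account balance resource (constructed for this example).
    struct Balance has key { amount: u64 }

    public entry fun register(account: &signer) {
        move_to(account, Balance { amount: 0 });
    }

    public fun deposit(account: &signer, amount: u64) acquires Balance {
        let b = borrow_global_mut<Balance>(signer::address_of(account));
        b.amount = b.amount + amount; // `+` aborts on overflow
    }

    // FOOTGUN: a "test helper" that credits any address for free.
    // Nothing marks it test-only, so it is compiled into the published
    // module, and `public` lets every other module on chain call it.
    public fun set_balance_for_testing(owner: address, amount: u64) acquires Balance {
        borrow_global_mut<Balance>(owner).amount = amount;
    }

    // FIX: the same helper under #[test_only]. The compiler strips it from
    // the published bytecode; it exists only in the unit-test build.
    #[test_only]
    public fun set_balance_test_only(owner: address, amount: u64) acquires Balance {
        borrow_global_mut<Balance>(owner).amount = amount;
    }

    #[test(user = @0xA11CE)]
    fun helper_is_usable_in_tests(user: signer) acquires Balance {
        register(&user);
        let addr = signer::address_of(&user);
        set_balance_test_only(addr, 500);
        assert!(borrow_global<Balance>(addr).amount == 500, 0);
    }
}
```

A quick review check is to list every `public`, `public(friend)` or `entry` function whose name or body suggests a test, mock or debug helper and confirm each carries `#[test_only]`, since only that attribute keeps it out of the published module.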
Never skip the deployment scripts of forks like this; one mistake in a deployment script can lead to a $67k pot 🚀.
The @asymmetryfin USDaf v2 competition results are in. A modified Liquity-style CDP, new collateral types. Top-ranked researchers: 🥇 @Zerocipher002 swept the $67,500 main prize pool with the only high. 🥈 @ziusz: $1,250. 🥉 @jayjonah_eth: $750. Full leaderboard below.
In Aptos Move there is no equivalent of Hardhat or Foundry yet. Who's gonna build it?
Elon's "10 years → 6 months" principle can work for security audits too. He said take your 10-year goals and try to do them in the next six months. Even if you fail, this is the correct mindset that wins. Hot take: got 2 weeks for an audit? Attack it like you have 7 days. you.
Move's hot-potato pattern enforces security via type system constraints, making policy bypass impossible by design. Hot potatoes are basically structs with zero abilities: can't be stored or dropped → must be consumed within the same trx → VM aborts if left unhandled → this forces.
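Added example (not code from the tweet): a constructed Aptos Move flash-lender module whose `LoanReceipt` is the hot potato. `example_addr`, `Pool` and the function names are hypothetical.

```move
// Constructed example: the receipt has no abilities, so the only legal way
// to end a transaction that called `borrow` is to hand the receipt to `repay`.
module example_addr::flash_lender {
    use std::signer;

    /// Pool liquidity (constructed for this example).
    struct Pool has key { liquidity: u64 }

    /// Hot potato: no `key`, `store`, `copy` or `drop`. It cannot be saved
    /// in global storage, duplicated or discarded; a caller that lets it go
    /// out of scope fails bytecode verification, not just a runtime check.
    struct LoanReceipt { amount: u64, fee: u64 }

    const E_REPAY_TOO_SMALL: u64 = 1;

    public entry fun init(admin: &signer, liquidity: u64) {
        move_to(admin, Pool { liquidity });
    }

    /// Lends `amount` and returns the receipt that `repay` must consume.
    public fun borrow(pool_addr: address, amount: u64): (u64, LoanReceipt) acquires Pool {
        let pool = borrow_global_mut<Pool>(pool_addr);
        pool.liquidity = pool.liquidity - amount; // aborts on underflow
        (amount, LoanReceipt { amount, fee: amount / 100 })
    }

    /// Destructuring is only possible inside this module, so the repayment
    /// policy is enforced here and cannot be bypassed by the borrower.
    public fun repay(pool_addr: address, repaid: u64, receipt: LoanReceipt) acquires Pool {
        let LoanReceipt { amount, fee } = receipt;
        assert!(repaid >= amount + fee, E_REPAY_TOO_SMALL);
        let pool = borrow_global_mut<Pool>(pool_addr);
        pool.liquidity = pool.liquidity + repaid;
    }

    #[test(admin = @0xAD)]
    fun borrow_then_repay(admin: signer) acquires Pool {
        init(&admin, 1_000);
        let addr = signer::address_of(&admin);
        let (funds, receipt) = borrow(addr, 100);
        repay(addr, funds + 1, receipt); // 100 principal + 1 fee
        assert!(borrow_global<Pool>(addr).liquidity == 1_001, 0);
    }
}
```

A test that calls `borrow` and never passes the receipt to `repay` does not compile, which is the property the pattern relies on.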
Move auto-checks for overflows in math ops, failing txns on detection. But bitwise ops? No such safeguards are present by default; potential overflow risks lurk unchecked. As a security researcher, when auditing Move code, always check all bitwise instances in the code for hidden.
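Added example (not code from the tweet): a constructed Aptos Move module contrasting checked arithmetic with an unchecked left shift, plus a guarded shift an auditor might ask for. `example_addr` and the function names are hypothetical.

```move
// Constructed example: `*` aborts when the result does not fit, but `<<`
// only aborts when the shift count is too large; bits shifted past the top
// are silently discarded.
module example_addr::shift_check {
    const E_SHIFT_OVERFLOW: u64 = 1;
    const U64_MAX: u64 = 18446744073709551615;

    /// Arithmetic path: an overflowing product aborts the transaction.
    public fun mul_checked(x: u64, y: u64): u64 { x * y }

    /// Bitwise path: `x << n` aborts only if `n >= 64`. When high bits
    /// fall off the end the result is truncated with no error at all.
    public fun shl_unchecked(x: u64, n: u8): u64 { x << n }

    /// Guarded shift: reject any input whose high bits would be lost,
    /// matching what the checked multiply `x * 2^n` would have caught.
    public fun shl_checked(x: u64, n: u8): u64 {
        assert!(n < 64 && x <= (U64_MAX >> n), E_SHIFT_OVERFLOW);
        x << n
    }

    #[test]
    fun shift_silently_truncates() {
        // Same "x * 2^n" intent as mul_checked(1 << 63, 2), which would abort.
        assert!(shl_unchecked(1 << 63, 1) == 0, 0);
        assert!(shl_checked(3, 2) == 12, 1);
    }

    #[test]
    #[expected_failure(abort_code = 1, location = Self)]
    fun guarded_shift_aborts() {
        shl_checked(1 << 63, 1);
    }
}
```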
August was a wild ride. Wrapped up 3x private audits (1 Sui Move + 2x Solidity). Started a fresh one yesterday. Explored a lot about Sui Move & TON (Tact) in my research. Loving the private grind, but kinda miss the contest adrenaline.
gm. Be a quick learner and it’s an edge you have in web3 security. If it’s a new lang, new tech or new protocol … the quick learner always wins.
I am preparing for a private audit written in Tact built on TON. Here are a few resources which are really helpful in exploring TON, Tact and its common issues. ✔️ For Tact the best resource is Tact by Example. ✔️ The awesome TON
github.com: A curated list of remarkable libraries, tools, services, protocols, and smart contracts related to TON. - ton-community/awesome-ton
gm. If you are new to Aptos Move and want to test your skills, you must dig into this First Flight by @Eman_Herawy ;).
Announcing First Flight #47: Pizza Drop, proudly sponsored by @AptosLabs! nSLOC: ~125. Start date: August 28th, 2025 Noon UTC. Duration: 1 Week. Thanks so much to @Eman_Herawy for the submission of this codebase 🙏
RT @movebrah: Thinking of learning Move? Here’s some no shit advice: You don’t need to learn Rust first. A lot of people will try to ove…
gm. Every good firm I know is looking for Move auditors. Learn Move, do Move contests, do private audits, explore the ecosystem, talk about Move. The demand is at its peak!
Move has very interesting features & was architected with security as the foundational principle. In Ethereum, a contract calls another contract mid-execution → callbacks can manipulate state before the original call finishes → leads to bugs like re-entrancy. In Sui Move, objects.
In ETH we use token.approve(contract, amount) to approve tokens → the contract can spend your tokens. In Sui Move, there is no built-in approve mechanism. The devs' solution is to build a custom "token vault" contract: users deposit → protocol acts on it → magic happens ✨.
Look who is live on SoloAudit 🔥.
soloaudit.com
1. hey guys 👋 🛡️ Introducing SoloAudit — a public-good platform to make solo audits accessible for every Web3 project. We’re live 👇.
This is a really important point. LLM addiction weakens critical thinking by replacing routine cognitive work with AI assistance; imo it is really harmful for SRs who depend on independent analytical reasoning.
Junior researchers tend to overuse and abuse AI. I had @Montyly on THE NETWORK PODCAST. Here’s a short clip from the episode where he shares his take on using AI as you’re learning how to audit.
Ranked 10 out of 506 auditors in the @Circuit_DAO contest on @cantinaxyz. Chialisp felt weird at first, but complex code never stops a determined security researcher. Big thanks to @cantinaxyz and @Circuit_DAO for hosting an incredible competition.
The power of lows in public contests. Everyone’s chasing highs in audit contests. But the real gamechanger? A clean low. (Most are downgraded med/highs, which adds value for sponsors.) In the Aptos × Aave contest, the top 3 tied on high+med. But 1st? Broke the tie with a unique low —.