--- Real Talk --- "If I want to be a Web3 Security Researcher, where should I start?" I get this question pretty often from people who want to go full-time into Web3 security. I feel humbled by the question every time because I'm not like some of the people out here who make

Banger, but I'm afraid it's closer to reality than we think.

@samczsun @SEAL_911 @tayvano_ @pcaversaccio @_SEAL_Org But mostly I'm grateful that public goods like https://t.co/6TZSGS1W5M and especially @_SEAL_Org exist.

I think the reason for this is, we (the Web3 sec people) evolve every year. We learn new attack vectors, build different mental models, etc. If you audit {protocol} today you may find X bugs. If you audit {protocol} again 3 years from now, after learning a lot of new things in

Okay, 2025 is almost over and I was thinking yesterday about "what did I learn this year?" I'll write down all the things that I can remember on the top of my head. I'm doing this because this just goes to show how much you need to learn if you want to stay relevant.

Is it just me, or is ChatGPT's "Thinking" model unusable lately?? By lately, I mean last ~4 weeks. I hoped that it would "go away" but it doesn't. The model spends ~12-15 mins before answering my queries, and then I get something like: - stopped thinking - network connection

They both got downgraded to High ... I did not escalate any of them, but I guess others did, and during the "dispute period" severity changed, although the initial comment from the protocol didn't mention anything about not agreeing with the severity. It is what it is.

My comment has more views than the original post. Quality content at its finest

Tomorrow is Monday, so I get to audit more

How protocols think an SR's calendar looks like for December

Sent it. Hope it's not some false-positive (due to me hallucinating at almost 2 AM) or an "already known/acceptable risk" type of thing. We'll see

Ok, it's 1AM and I'm grinding the @aave V4 competition on @sherlockdefi and I think I might've found something. Sending it soon 👀 @0xSimao

Both confirmed, both Critical. The protocol didn't argue the severity.

Is he clickbaiting, or did he really get fooled by Anthropic's post?

After you look at the article and see that the "root cause" of the Balancer hack was ... checks notes "an authorization bug", I can confidently say that: They don't have Web3 security people in their team, so that study was (probably) made by great developers, but not Web3 SRs.

Michael Saylor DMed me guys, what do I do now?

Are you just trying to "farm points" for the Academy? :))

I checked the code, and it is as I suspected. If you looked at the `Hub::add` function, that function is not meant to be called by users directly; it is meant to be called through a Spoke. Users call the `Spoke::supply` function to add collateral and the Spoke will be calling

They were escalated last week by the protocol (I think). Waiting for either "Confirmed" or "Closed" status update. Pretty sure they're valid though.