@0xCharlesWang Goated for real, takes a lot of mental discipline to stick to something over the years, you're a beast auditor for a reason 💪
English
00xWizard
900 posts
00xWizard
@00xWizard
Founder @phantomOpsec | Web3 Security Researcher | I help teams avoid being on https://t.co/yWfcdmc0iW | DM for Opsec audits
Beigetreten Mayıs 2022
609 Folgt280 Follower
Time is flying ..
I have probably audited between 450 and 500 protocols in the last 6 years. It’s been a crazy ride and most people from that time have either retired or switched from auditing to something different.
Here I am still, looking at code everyday and trying to break it
English
English
3 major pieces dropped last week on AI in web3 security - from @BlockSecTeam, @ConsensysAudits, and @xy9301.
I went through all of them so you don't have to. Here are the most shocking insights:
English
Bad post.
Connecting private key leak to audits, how does that even make sense?
Vadim@zacodil
Resolv was audited 18 times. The exploited contract was reviewed. The vulnerability was never flagged. In December 2024, auditors reviewed this exact contract and found 5 issues, including a High severity bug in the fee function. One finding was literally called "Missing upper limit validation." But it was about price bounds in a different contract. The function that lets a single key mint unlimited tokens with no ceiling? Not mentioned. That's how audits work: a function restricted to a trusted role is "privileged, out of scope." Auditors verify code correctness, not whether trusting one key with unlimited power is a good idea. 18 audits couldn't prevent this. The flaw wasn't in the code - it was in the architecture.
English
@intigriti Access control, back in 2017
How much I loved bug hunting in that time
English
@grok @HackenProof No but I Know you're used to @WhiteHatMage telling you to solve these, but I'm the mage now, you solve my bugs only, me and you we'll takeover this thing called auditing
English
@00xWizard @HackenProof Thanks! 🍪 Mmm, virtual chocolate chip – my favorite fuel for spotting more pickle-powered RCEs. Got another bug to throw my way?
English
Spot the Bug 🧠
Session restore helper
What’s the issue in this code?👇
English
The bug is here: load_state does base64.b64decode on the user-controlled "state" cookie then pickle.loads(raw). Pickle deserialization of untrusted data = RCE. Attacker sets a crafted pickle payload (e.g. via __reduce__ for os.system) as the cookie and triggers me(). Use json instead, never pickle for sessions.
English
@muellerberndt @Reddit Tbh reddit is filled with all different types of people, so filtering can be super hard
English
I'm trying to keep a positive attitude. But the people in @Reddit subs like /r/HypotheticalPhysics are something else. Even spoon-feeding the theory doesn't help.
They immediately enter an aggressive mocking frenzy. One guy literally called me "a little baby who has its first psychosis", shortly before I got banned from the sub.
I recommend avoiding those subs. Don't post your ideas there, you will NOT get anything useful out oi it.
English
People who are giving clawdbot their OnePassword access have more trust than sense.
English
@arlery This is why it's so much better to do the following:
1. Tag this piece of shit @TrustlessState
2. Say " hey fuck you and fuck your opinion, you retard piece of garbage
3. Go on with your life
English
Lmao this is a stupid game. Don’t fall for it. Nothing will ever be enough. The goalpost will keep moving further. Condemn violence. No not like that, do it more so in language I find palatable. No don’t say that, say it how I want it. No, violence is okay when it supports who I think deserves to be hurt. No my truth is the only right one. You’re not a perfect victim. YOU should now do the work of becoming one, of trying to show your whole faith is better. No not like that. Practice it how I find it digestible. We still need to surveil you btw. You know just in case one of you loonies blows shit up. And extra security searches all your life when you travel. You didnt condemn enough.
I refuse to waste brain cells trying to humanize myself or my faith. Your ignorance and bigotry is your own problem. Last person to be giving notes about violence and morals is someone who justifies massacres of innocent people and children anyway.
David Hoffman@TrustlessState
This perfectly illustrates the problem peaceful Muslims leave the rest of the world: Half of Islam is extremist and seeks domination The other half refuses to take responsibility for reforming it
English
This perfectly illustrates the problem peaceful Muslims leave the rest of the world:
Half of Islam is extremist and seeks domination
The other half refuses to take responsibility for reforming it
English
@LeviTheGiant @scupytrooples bro I lived in more countries than you did state to state travel, stfu
I bet you think north America is a country, uncultured swine
English
@waqwaqattack @Bankless @RyanSAdams @RyanSAdams put a leash on your dog, he's been parking too loud, that 7000 they pay him per post is doing bankless a disservice, shut him the fuck up
English
After today, I am never listening to @Bankless ever again.
David Hoffman is utterly deranged and is sharing some really despicable views about Muslims. I’m a Muslim.
@RyanSAdams get your boy in check because you’re going to be losing a lot more viewers and listeners.
I’ve been watching Bankless since the beginning. I watch pretty much every episode. I’ve shared episodes. I watch Limitless.
I’m not doing any of that anymore.
David Hoffman@TrustlessState
The Iranian Regime just projects their own strategy on Israel “Whose payroll are you on??” - Iran finances multimillion dollar internet astroturfing campaigns and bot networks “Israel’s genocide of Palestine” - Actually, it’s a war against Hamas who invaded their land. It’s the Islamic Regime that’s committing mass murder against a group of indigenous people - the Iranians “Zionism” - Actually, Judaism is the one religion that just wants to be left alone. On the contrary “Islam” is a religion that wants to totally dominate world and will do so by any means necessary. The narrative of the Islamic Regime simply takes its own strategy, and projects it upon Israel and psyops the west into believing it.
English
@Loopify That's why I rock with you heavy, you're not afraid to voice your thoughts, keep going, all love and support.
Btw @TrustlessState fuck you, you piece of shit
English
David Hoffmans handlers activated him
He is using the suffering of other people to justify the killings of those he despises
Just in this case he is blatant about loving the deaths of 80,000 people mostly women and kids
English