Abhishek Shukla

1.6K posts

@thetechnofeak

Cybersecurity engineer. Learning Blockchain Security. Opinions are my own ☕️ | Open for Discussions

127.0.0.1 Joined May 2023
354 Following 250 Followers
Abhishek Shukla @thetechnofeak
@N_and_ni Where is cybersec? Ahh man, people still don't count this as a career?
Nandini @N_and_ni
I have ranked tech influencers…. Do you guys agree?
Het Mehta @hetmehtaa
If you don’t have these certificates in Infosec, are you even a hacker?
Abhishek Shukla reposted
Immunefi @immunefi
Most security firms are quietly moving away from audit competitions. This is one of the biggest mistakes happening in crypto security right now.

There is a simple way to think about audit value: what does it cost to find a critical vulnerability? We looked at the actual data on what it costs to find critical bugs in crypto, and the numbers are not surprising. Finding a critical vulnerability in an audit competition costs $6,548 on average. The exact same severity bug through a bug bounty program costs $114,000. That is 17x more expensive for the same result.

Now look at the traditional audit model. Some top firms charge $100 per line of code. Others charge as high as $25,000 per auditor per week. A single engagement can easily run $200k to $500k+, and you are getting maybe 2 to 4 people looking at your code.

But cost per critical is not even the most interesting part. The interesting part is the structure of who is looking at your code. When you hire a firm, you get 2 to 4 auditors. Maybe they are great. Maybe one of them is having a bad week. You are making a concentrated bet on a small number of people.

An audit competition attracts hundreds of security researchers. These are some of the best hackers, people who have found real vulnerabilities in major protocols. These hundreds of researchers are now armed with AI tools. They understand codebases faster. They write PoCs faster. They find bugs that would have taken DAYS in just hours. Think about what that means. You are not just getting hundreds of humans. You are getting hundreds of AI-augmented humans, each running their own workflow, each with their own intuition about where bugs hide. The scaling dynamics are extraordinary.

The firms moving away from competitions are optimizing for predictable revenue, not for their clients' best outcomes. That is understandable from a business perspective. But if you are a project choosing where to spend your security budget, you should optimize for bugs found per dollar spent.

Audit competitions now also have scaling pots. The prize pool grows with the scope of the codebase. This aligns incentives in a way that fixed-fee engagements never can.

But what about AI spam, low-quality submissions, and the time it takes to triage all of those submissions? Immunefi is addressing these with mechanisms like pay-to-submit, managed triage, and AI triaging agents, which are already showing very strong promise.

The best security strategy is not either/or. But if you have a limited budget and you want the most eyes, the most diverse skill sets, and the best cost per finding ratio, audit competitions are still the obvious choice.
Abhishek Shukla @thetechnofeak
Which distro do you prefer and why?
Cantina 🪐 @cantinasecurity
We're hiring a Staff Security Product Engineer. What we're looking for:
- Security engineering, AppSec, detection, or incident response background
- Ships code (TypeScript / Node.js)
- Reasons through ambiguity and surfaces risks early
Apply: jobs.ashbyhq.com/cantina.securi…
Abhishek Shukla reposted
pashov @pashov
🚨Junior/Advanced security researchers - this is for you!!! A new Training Hub that teaches you web3 vulnerability patterns and thinking as an attacker. Thanks to @ValvesSec, great job👏 URL: training.valvessecurity.com/train
Abhishek Shukla @thetechnofeak
Here's a breakdown of what happened in the Kelp DAO hack and how $292M was drained:

The attack exploited LayerZero's cross-chain messaging infrastructure. LayerZero relies on a DVN (Decentralized Verification Network) to verify that a message sent on one chain was actually committed on another. The attacker found a way to forge this verification step entirely.

> Phase 1 — Forging the cross-chain message. The attacker's EOA directly called commitVerification() on the LayerZero ULN302 contract, submitting a fake packet header and payload hash. This function is meant to be called only by legitimate DVN verifiers, but the attacker either exploited a missing access check or compromised/impersonated a DVN. This tricked the LayerZero EndpointV2 into believing a valid cross-chain message had been verified.

> Phase 2 — Triggering the token release. LayerZero's endpoint then called `lzReceive()` on Kelp's RSETH_OFT Adapter contract — the contract that bridges rsETH across chains. Because the forged message looked legitimate to the endpoint, the adapter minted/released 116,500 rsETH out of thin air to the primary attacker's wallet.

> Phase 3 — Splitting and laundering. The attacker immediately split the rsETH across 7 sub-wallets (A1–A8) to avoid triggering limits and make tracing harder. Each wallet either: supplied rsETH as collateral to Aave V3 on Ethereum, or bridged it to Arbitrum via LayerZero OFT and did the same there.

> Phase 4 — Borrowing and consolidating. Against the rsETH collateral, the sub-wallets borrowed ETH — ~75,700 ETH on Ethereum and ~30,765 ETH on Arbitrum — then funnelled everything into a single hub address (A2) for consolidation.

The core vulnerability was that the DVN verification step could be called by an arbitrary EOA, meaning the entire security model — which assumes only honest verifiers can attest to cross-chain messages — collapsed at that single point.
Quoted post from Coin Bureau @coinbureau:

⚠️ALERT: $AAVE is now down -19% today after a $292M Kelp DAO rsETH exploit triggered a full-blown liquidity crisis. Aave's ETH pool just hit 100% utilization. That means one thing: there's almost no ETH left to withdraw.

Here's what happened: Attacker drained 116,500 rsETH ($292M) from Kelp DAO's LayerZero bridge. He then deposited the stolen rsETH as collateral on Aave V3 to borrow ~$236M in WETH. Because the rsETH is now unbacked, those positions are unliquidatable. Aave is now stuck with ~$280M in bad debt it cannot recover.

Panic withdrawals have followed: $5.4 BILLION in $ETH outflows, with Justin Sun pulling 65,584 ETH ($154M) alone. ETH utilization has maxed out at 100%, which means there's almost no ETH left to withdraw.

This is the FIRST real-world test of Aave's Umbrella safety module & the BIGGEST DeFi exploit of 2026. This is a developing story.
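To make the post's core point concrete (the attestation step must be gated to registered verifiers, otherwise any caller can make the endpoint report a forged packet as verified and the adapter will credit it), here is an added toy model in Python. It is not LayerZero's or Kelp's code; `Endpoint`, `OFTAdapter`, the DVN names and the sample packet are all constructed, and `gate_callers=False` models the gap the post describes.

```python
import hashlib
from dataclasses import dataclass, field

def packet_id(header: bytes, phash: bytes) -> str:
    return hashlib.sha256(header + phash).hexdigest()

def payload_hash(payload: bytes) -> bytes:
    return hashlib.sha256(payload).digest()

@dataclass
class Endpoint:
    """Toy endpoint: a packet counts as verified once `quorum` distinct registered DVNs commit to it."""
    dvns: frozenset                 # constructed allowlist of verifier addresses
    quorum: int
    gate_callers: bool = True       # False models the gap the post describes: any caller may attest
    attestations: dict = field(default_factory=dict)

    def commit_verification(self, caller: str, header: bytes, phash: bytes) -> None:
        # The access check that must exist: only registered DVNs may attest to a packet.
        if self.gate_callers and caller not in self.dvns:
            raise PermissionError(f"{caller} is not a registered DVN")
        self.attestations.setdefault(packet_id(header, phash), set()).add(caller)

    def is_verified(self, header: bytes, phash: bytes) -> bool:
        return len(self.attestations.get(packet_id(header, phash), set())) >= self.quorum

@dataclass
class OFTAdapter:
    """Toy bridge adapter: credits tokens only for packets the endpoint reports as verified."""
    endpoint: Endpoint
    balances: dict = field(default_factory=dict)

    def lz_receive(self, header: bytes, payload: bytes, to: str, amount: int) -> int:
        if not self.endpoint.is_verified(header, payload_hash(payload)):
            raise ValueError("packet not verified by DVN quorum")
        self.balances[to] = self.balances.get(to, 0) + amount
        return self.balances[to]

def forged_release(gate_callers: bool) -> int:
    """Balance an unregistered caller ends up with after self-attesting a forged packet (0 if blocked)."""
    ep = Endpoint(dvns=frozenset({"dvn-A", "dvn-B"}), quorum=1, gate_callers=gate_callers)
    header, payload = b"src=chain-1;nonce=7", b"credit 116500"   # constructed sample packet
    try:
        ep.commit_verification("attacker-eoa", header, payload_hash(payload))
        return OFTAdapter(ep).lz_receive(header, payload, "attacker-eoa", 116_500)
    except (PermissionError, ValueError):
        return 0
```

With the caller check in place the forged commit is rejected and nothing is credited; without it, a single unregistered caller satisfies the quorum on its own.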
Abhishek Shukla @thetechnofeak
@0xCharlesWang Do you think Web2 DevSecOps should be taken seriously as a thing in Web3 now, because most of the bugs we see are part of a SecOps failure?
CharlesWang @0xCharlesWang
The security game just shifted. Attackers are using all possible attack angles now. It is required that protocols change their approach to the full stack of security and include continuous monitoring of risk parameters and governance settings.
Abhishek Shukla @thetechnofeak
After building the MCP project:

> The next project I am working on is a fully fledged, production-ready SIEM + Network Security + Threat Analysis Dashboard 🔐 Open for suggestions on what I should incorporate in this (also thinking of a good name xD)
Abhishek Shukla @thetechnofeak
@saen_dev Glad to hear that. How did you get good at drawing those systems and states? What did you do?
Abhishek Shukla @thetechnofeak
Recently read about the idea of thinking about smart contracts in terms of state machines; the concept felt a bit confusing at first. Then I stumbled upon a blog that made it click. It seems like a great way to better understand the intricacies of a system overall. Will definitely read more about this.

> For context — I am into Web2 security full-time, working across SIEM, DevSecOps, detection engineering, SOC operations, and related areas. In the meantime, I am learning Web3 security because I want to pivot into Web3 as soon as I can. My goal is to do at least 40 hours of code reading every week, no matter what else I am involved in. I do believe Web3 security is a niche I want to see myself in.