0xChiAi

2.6K posts

@Chimajax

Building... Wallet/Smart-Contract Security && ZK Proofs || AI Agents || Sometimes...Memes & Shitpost || Road to 100 followers...Follow

LAG Joined May 2024
76 Following 84 Followers
Pinned Tweet
0xChiAi@Chimajax·
Congratulations to Me🎉 I Earned the Advanced Web3 Wallet Security achievement on @CyfrinUpdraft!
Learnt a Lot
- Wallets
- Multi-Sig
- Safe
- CallData
- Tx Type 0, 1, 2, 3, 113
Big Thanks @PatrickAlphaC
Security on Signing Takes a Lot of Skills
Still More to Learn
0xChiAi@Chimajax

I have earned the Web3 Wallet Security Basics achievement on @CyfrinUpdraft!
Wallet Security is Also Something I'm Looking into, I still have a long way to go
Excited for this
You can join too! 🎉 Visit my Cyfrin profile to see it: profiles.cyfrin.io/u/chimajax/ach…

V@kxrd36·
i found chain halting bug on a network carrying $120M in stablecoins and $1.85B in market value. anyway, good morning! @HackenProof #HackenProof
0xChiAi@Chimajax·
@0x3b33 🤣Upgradeability plan is "we’ll figure it out"
Pyro@0x3b33·
Patterns I keep seeing in web3 audits:
– Developers add whole new feature 3 days before the audit
– There are no scripts to 1 click pause everything
– Upgradeability plan is "we’ll figure it out"
– Admin permissions are "they are our guys, nothing bad will happen"
None of those are Solidity bugs. All of them can cost 8 figures.
Jeremy@Jeremybtc·
A single mistake once locked $150,000,000 in Ethereum forever. No hacker stole it. No scam. Just one mistake.
In 2017, a self described Ethereum newbie was exploring the Parity wallet. Software used by hundreds of crypto projects to store funds securely.
Parity’s multi-sig wallets relied on a shared library contract. A single piece of code that every wallet depended on to function. That library had never been initialised. Meaning anyone could claim ownership of it.
While testing, he did exactly that and accidentally became the owner of the master contract controlling hundreds of wallets. Panicking, he tried to undo it. He deleted it all.
Because every Parity wallet depended on that library to operate. Deleting it instantly froze over 500,000 ETH across 598 wallets. Worth around $150 million at the time.
Minutes later, he posted on GitHub: “I accidentally killed it.”
Nobody could reverse it. Nobody could recover the funds. The coins are still visible on the blockchain. Today they’re worth $1.19 billion. But they can never be moved.
One mistake. Hundreds of victims. $1.19 billion frozen forever.
Mr Consistent1@mrconsistent001·
@Jeremybtc The $1.19B delete key. What's wild is that multi-sig wallets existed then, but convenience won over security architecture. How many projects today are making the same trade-off?
0xChiAi@Chimajax·
@zzebra83 Congratulations to you... So You might not Audit Again?...
zzebra83@zzebra83·
I haven't posted in a while so thought I would share a life update. It looks like I have retired (or semi retired) at least for now from web3 security. I started a new position as tech lead in fintech. The team is great, the work is a ton of fun, and I still get to use my adversarial mindset everyday to make sure funds are SAFU. Also I'm based in Dubai, and as you know things are a bit unsettled atm, but surprisingly, life has been mostly normal.
Essential@only01Essential·
Bug Bounty 101: Don't hunt on what everyone else is currently looking at.
sagar (security arc)@soarinskysagar·
Day 107 of sharing my progress till I make it as a web3 SR
Started the @dexalot contest on @HackenProof. For this audit, I'm adopting a new methodology to see how it fares. I am done with a lot of the codebase now and have a good idea of what it does.
Keyword 💙🛠️@xKeywordx·
I always confuse these 2 guys because of their pfps. Anyone else?
0xChiAi@Chimajax·
@rosarioborgesi "Private" is only invisible to other Contracts... Every other thing can read "Private"
Rosario Borgesi@rosarioborgesi·
📌 Why “private” variables in Solidity are still public
Most people think private in Solidity means hidden. It doesn’t. Everything stored onchain is public 👇
0xChiAi@Chimajax·
@RealJohnnyTime
1. liquidate() forgives borrower debt, setting to 0, without transferring collateral to the liquidator
2. liquidate() can allow anyone to liquidate anyone
3. getETHPrice() has no staleness validation on Chainlink ETH/USD price feeds
JohnnyTime 🤓🔥@RealJohnnyTime·
Weekend Challenge #8: What issue would you submit if you saw this in an auditing context, Mr. Hacker?
sagar (security arc)@soarinskysagar·
Day 104 of sharing my progress till I make it as a web3 SR
Continued bug hunting on the codebase and applying my tool, still no luck :')
Wake@WakeFramework·
@karenkether @poapxyz @dev3pack Congrats on graduating. Building from here is the best part. If you start writing contracts, Wake's VS Code extension gives security feedback as you code. Nice companion for the next phase.
0xChiAi Retweeted
Suraj Sharma@suraj_sharma14·
To every Web3 builder grinding right now This is for you.
You're learning Solidity at midnight while your friends are watching Netflix. You're submitting hackathon projects that don't place anywhere. You're applying to grants that take weeks to respond. Sometimes they don't respond at all. You're building in public with 200 followers while others with half your skill seem to be getting all the opportunities. And some days you genuinely wonder is this even worth it?
I want to tell you something nobody says out loud in this industry: The people you admire in Web3 right now the ones with the protocol job, the grants, the ecosystem roles... Most of them had 12–18 months where nothing was happening. No replies. No opportunities. No traction. They just kept showing up anyway.
Here's what I've learned watching builders succeed and fail in this space: The ones who made it didn't have better skills than the ones who didn't. They just refused to disappear during the quiet months.
Web3 is still early. Embarrassingly early. The infrastructure being built right now will be used by billions of people who haven't heard of blockchain yet. The developer who grinds through 2026 when the market is uncertain. That developer becomes the senior engineer, the protocol lead, the ecosystem architect that every team is desperate to hire in 2028. But only if they don't quit now.
So if you're in the quiet months right now. Keep building. Keep shipping. Keep showing up. The compounding hasn't shown up yet. But it will. And when it does it will feel like it happened overnight. It never happens overnight. It happens because of exactly what you're doing right now. Don't stop.
♻️ Repost this for a builder who needs to hear it today.
Immunefi@immunefi·
The @FolksFinance Audit Competition is live! 💸
A $25,000 reward pool is up for grabs for finding bugs in project's Staking Contracts.
📅 Ends: March 17, 2026
💰 Reward pool: $25,000
⌨️ Scope: 365 nSLOC of Solidity
✅ No KYC required
Get hunting: immunefi.com/audit-competit…
0xChiAi@Chimajax·
@Emmit32oz @immunefi @FolksFinance When you say Cybersecurity...I believe you're speaking from the web2 aspect
This one you see here is Web3...Solidity lang to be precise
You would need lil knowledge of Smart Contract Auditing to start this
If you know abt S.Contracts then you can join this from their site
Emmit@Emmit32oz·
@immunefi @FolksFinance As someone going to school for cybersecurity I would like more information on how to enter, how to participate, or even just more information on it in general really interesting
0xChiAi Retweeted
Trail of Bits@trailofbits·
A single bug in an ERC-4337 smart account can be as catastrophic as leaking a private key. We've audited dozens of smart accounts and found six vulnerability patterns that consistently reappear across codebases. 🧵
0xChiAi@Chimajax·
@HackenProof Constructor can bypass this ".code.length == 0" in the constructor... So the bug is that a Contract can Mint
HackenProof@HackenProof·
Spot the Bug 🧠
EOA-only gate
What’s the issue in this code?👇
Cyfrin Updraft 🟩@CyfrinUpdraft·
A uint64 can only hold ~18 ETH. If your contract collects more than that in fees, the number wraps to zero. Silently. This is exactly the bug in PuppyRaffle. 🧵