0xDimo

524 posts

0xDimo banner
0xDimo

0xDimo

@0xDimo

Web2 Team Leader transitioning to Web3 I tweet about my journey, goals, successes and milestones

Katılım Şubat 2023
173 Takip Edilen361 Takipçiler
0xDimo retweetledi
nisedo
nisedo@nisedo_·
I finally managed to convince the best Web2 dev I know to give Web3 auditing a try What would be the best audit contest you’d recommend for a shadow audit to help him get started? Ideally, a simple Solidity DeFi codebase, <1000 nSLOC, with ~10-15 H/M in the final report
English
8
3
71
4.5K
0xDimo retweetledi
Mr Anon
Mr Anon@ShieldifyAnon·
List of Some Attack Vectors/Smart Contract Vulnerabilities! 🗒️ - Reentrancy - Reentrancy via Modifier - Read-Only Reentrancy - Cross-Function Reentrancy - Cross-Contract Reentrancy - Front-Running - Front-Running - Unprotected withdraw - Front-Running - Sandwich attack - Front-Running - ERC20 approval - Front-Running - Signatures - Back-Running - Flash-Loan Governance Attack - Flash-Loan Price Attack - Denial Of Service (DOS) by complex fallback function - Denial Of Service (DOS) by gas limit - Denial Of Service (DOS) by non-existent address or malicious contract - Floating Point Arithmetic - ECDSA Signature malleability - ECDSA Signature replay - Replay Attack - Price Oracle Manipulation - Cross-Chain Bridge Manipulation - Initial Supply Mint Issue - Divide before multiply - Integer Underflow - DeFi Slippage attack - Amplification Attack Double Spending - Malicious Honeypot - Unsafe Delegatecalls - Loops Gas Limit - Phishing With Improper Authorization - Unexpected Ether With Forcibly Sending Ether - Block timestamp Manipulation - Unchecked return values - Insecure Randomness - Proxy Storage Collision - Strict equalities - Timestamp Dependence - Use of Deprecated Functions - Requirement Validation - Absent modifiers - Force Feeding - Rounding Down To Zero What would you add? 👇 I’d appreciate a repost, spread the knowledge! 🫡
English
12
79
262
25.3K
0xDimo retweetledi
nmirchev8
nmirchev8@nmirchev8·
Win $1000! At @EgisSec, we were inspired and supported by other researchers, and we want to do the same for those who are starting right now. That's why we plan to give $1000 to the winner of the following challenge. ↓
English
53
37
91
25.1K
0xDimo
0xDimo@0xDimo·
Taking a shot at it 👀
nmirchev8@nmirchev8

Win $1000! At @EgisSec, we were inspired and supported by other researchers, and we want to do the same for those who are starting right now. That's why we plan to give $1000 to the winner of the following challenge. ↓

English
0
0
2
339
0xDimo
0xDimo@0xDimo·
Writing sleek PoCs is satisfying the developer's urge that I still have left in me 🫠
English
0
0
2
306
0xDimo
0xDimo@0xDimo·
0xDimo tweet media
ZXX
0
0
1
270
Cyfrin Solodit 🟪
Cyfrin Solodit 🟪@SoloditOfficial·
@0xDimo Please activate the Edit mode. A new issue will be created on the GitHub repository.
Cyfrin Solodit 🟪 tweet media
English
2
0
4
323
0xDimo
0xDimo@0xDimo·
Just saw @SoloditOfficial's checklist tab. I've seen quite a few SRs developing their own version of this. How can we contribute to this one?
0xDimo tweet media
English
1
1
8
900
0xDimo
0xDimo@0xDimo·
Had some more and some less productive days during the holidays. However, the routine is back and @renftlabs on c4 is the current target.
English
0
0
4
281
0xDimo retweetledi
@bytes032.xyz
@bytes032.xyz@bytes032·
Here's the strategy I used for winning 99% of my solo audit opportunities: 1. Spend 2-3 hours looking for low-hanging fruits. 2. Compile a table with all the findings. 3. Provide the pre-audit to the prospect along with the quote. The result should resemble this:
@bytes032.xyz tweet media
English
13
28
219
17.4K
0xDimo
0xDimo@0xDimo·
That’s pure gold
deadrosesxyz@deadrosesxyz

Everything I've learned about auditing in 2023 - Do what everyone does, get what everyone gets. I seriously can't emphasize this enough. If you're reading and learning from the same sources as everyone else, you basically can't beat the rest. If you want to be an outstanding auditooor, you have to go off the beaten track and dive deep into the unknown. - Stop learning unnecessary stuff. Seriously. You don't need to learn hardhat just in case. You don't need to know assembly just in case. Could you ever end up in a situation where it would've been better if you knew them? Well, yes. However, these things 100% don't offer the highest Expected Value. Focus on what's most important and always aim for the stuff which offers the highest Expected Value - We all suck. Sorry to break it to you, but we all suck. Tier 1 firms miss highs and criticals on a daily basis. And then we just cope and say "One audit can never be enough, there should be at least 5 different audits, 7-figure bug bounty bla-bla". One audit SHOULD be enough. We just aren't good enough yet. I've seen many people argue that the Kyber vulnerability was "Impossible" to be caught during an audit due to its complexity. If you seriously believe so, you ngmi - Private/ Solo audits isn't this magical utopia everyone should be aiming for. I don't know why everyone believes private audits should be their end-goal. It contains way too much dull work. (such as writing reports or checking the same functions for the 100th time as you need to be 100% sure in the service you provide) There's great value to be extracted from contests, bounties and working in a firm as well. - Know your worth. Since September I've received exactly 10 requests for audit. How many did I accept? Just 2. The reason why 8 times we couldn't reach a deal? There was someone who offered a lower price. In such cases just accept it and move on. No need to start undercutting the market. Let your results speak for themselves. - Do not rush audits. My favorite thing is when a project contacts me and needs an audit FAST. 4,000 sLOC and they need it audited in a week. You should never even consider accepting any offer of this kind. Best thing you can do is explain to them why this is straight up impossible and setting up for failure. - Know your strengths. I know I can get a good understanding of a codebases relatively quick. How do I utilize it? I hunt projects launched on Immunefi immediately as they launch. My fastest bounty was a Critical submitted 1h 15min after the protocol launched their bbp. I managed to submit it before the protocol even had publicly announced they've launched a bbp. Final thoughts: Web3 security is currently in its infancy. We all suck. This should never be an excuse to not improve ourselves. If you want to be an outstanding SR, you should never be okay with missing bugs. Keep improving yourself every single day. That being said, if you simply manage to suck less than the rest, you'll literally be able to print money. and last but not least... DM FOR AUDITS

English
0
0
3
376
Pyro
Pyro@0x3b33·
Recently I've been seeing a lot of shitposters on twitter, is this the new meta?
English
2
0
2
625
0xDimo
0xDimo@0xDimo·
When a new audit starts, it's all an equal playground again and only effort will determine the results. What a great feeling.
English
0
0
4
307
0xDimo
0xDimo@0xDimo·
To all judges, would you invalidate an issue if it doesn't contain "Manual Review" under "Tools used"? Is this some kind of a CAPTCHA?
English
0
0
2
215
0xDimo
0xDimo@0xDimo·
@WangAudit Would be great to not have binged all of Owen’s videos already 😅
English
0
0
3
49
Wang Security
Wang Security@WangSecurity_·
@0xDimo I would use that to either learn some reports/attack vectors or watch a video by Owen. Sometimes 20 mins cannot be enough to go in-depth, but it allows you to grain something to think about throughout the day for example.
English
1
0
1
67
0xDimo
0xDimo@0xDimo·
You have 20 min. How do you get better at web3 security in that time?
English
3
0
3
390
0xDimo
0xDimo@0xDimo·
@pashov The creator of this is saving the web3 space
English
1
0
3
496
pashov
pashov@pashov·
Pomodoro watch. The real ones know.
English
15
2
125
12.6K
Owen | Guardian
Owen | Guardian@0xOwenThurm·
You can tell how hard the code is by the type of music you can listen to: Rap music - Counter Contract Classical Music - Staking Rewards Binaural Beats - Perpetuals || Borrow Lending No Music - Concentrated Liquidity Protocol
English
9
1
59
3.6K