
pinkman
@adeolRxxxx That's the beauty of Sherlock IMO
The transparency and openness

Last week I sat down with a senior smart contract auditor from a top-tier security firm and tested my AI agent plugin on contracts his team had professionally audited.
The AI independently flagged the same HIGH severity vulnerability that the audit team found.
No hints. No context about previous findings. Just raw contract code.
Here's what I built 🧵


2025 Web3 Security Wrapped (@sherlockdefi version)
The Top 5 Single Payouts (Top 1 from each contest):
1. @gjaldon - $93,612 + 35,000 ZETA (Zeta, July)
2. @10xhash - $70,322.77 (Allora + fixed pay)
3. @woshilalala - $55,633.72 (Peapods + fixed pay)
4. @0xSimao - $50,026 (Symbiotic, August)
5. @KupiaSecurity - $49,570 (YieldBasis, October)


@KrisRenzo 100% correct about Lazarus group getting credit for hacks they know nothing about

If contest dies, just dust off your resume and start applying for jobs in a new industry.
1. Too many low quality security firms and scammers pop out of nowhere.
2. Bug bounties become too easy, and devs begin to second-guess the need to pay 10-100k every week for a new critical.
3. Grey hats finally have no incentives to stay on the good side. Lazarus group keeps getting more credit for hacks they know nothing about.
x.com/KrisRenzo/stat…
0xGondar (@0xGondarxyz):
My 2026 prediction: Contests are dead, completely and finally. AI finds all the low hanging fruits, the only bugs that can be found by SRs are external interactions and really deep/edge cases.

@sherlockdefi @ethereumfndn @ethereum @alexfilippov314 @alexfilippov314 is a demigod. Congratulations sir 🏆

The wait is over, the final results for the @ethereumfndn Fusaka Audit Contest are here.
Highs were found, unlocking $500k in rewards!
Thank you to all the participants for helping secure the future of the @ethereum network, and congratulations to the winner, @alexfilippov314!

@sammyaudits @WhiteHatMage But DLT complexity is also a factor here. If AI can secure DLT, it would be safe to say that it can secure all software.

@WhiteHatMage True. And there are entire classes of bugs that haven't even been discovered yet, especially in the DLT/blockchain stuff, simply because there's not enough top talent looking.

@bbl4de_xyz @hrkrshnn Emojis are the best identifier
Followed by verbose comments

Not exactly what you meant, but I find the syntax used for comments to be the best indicator of AI-generated code. I have never experienced any LLM creating a more complex Python code file without the """Function/Class description""" syntax.
So funnily enough, a great way to find out if code is AI-generated is to analyze the words/text in the code...
Not to mention the emojis in the comments 💀

You can do statistical text analysis of AI-generated text. Look for sequences of tokens/words that are more likely to appear in AI-generated text compared to samples from pre-GPT.
I wonder if you can do the same for code? Intuitively, it should be less likely because code has to fit a more rigid grammar. But I bet there are some equivalents for "delve" or "you're absolutely right" in Python/JS.
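An added example (my own code, not from any poster in this thread) that implements the token-frequency comparison hrkrshnn suggests, plus the two surface cues from the quoted post (docstring syntax and emoji in comments). Both corpora are tiny constructed samples, not real data; the smoothing and regexes are my choices.

```python
import math
import re
from collections import Counter

# Constructed toy corpora (not real data): a "pre-GPT" baseline and an AI-style
# sample. In practice both would be large, separately collected code sets.
BASELINE = '''
def parse(data):
    # quick hack, fix later
    return data.split(',')
def load(path):
    # TODO handle errors
    with open(path) as f:
        return f.read()
'''
AI_STYLE = '''
def parse_data(data: str) -> list:
    """Parse the input data into a list of fields."""
    # Split the input string by commas ✅
    return data.split(',')
def load_file(path: str) -> str:
    """Load and return the contents of a file."""
    # Open the file and read its contents 📂
    with open(path) as f:
        return f.read()
'''

TOKEN_RE = re.compile(r"[A-Za-z_]+")
# Covers the common emoji blocks; good enough for scanning comments.
EMOJI_RE = re.compile(r"[\U0001F300-\U0001FAFF\u2600-\u27BF]")

def token_log_odds(ai_corpus, baseline_corpus):
    """Per-token log-odds of occurring in the AI corpus vs the baseline
    (add-one smoothing keeps tokens unseen on one side finite)."""
    ai = Counter(TOKEN_RE.findall(ai_corpus.lower()))
    base = Counter(TOKEN_RE.findall(baseline_corpus.lower()))
    vocab = set(ai) | set(base)
    n_ai = sum(ai.values()) + len(vocab)
    n_base = sum(base.values()) + len(vocab)
    return {t: math.log((ai[t] + 1) / n_ai) - math.log((base[t] + 1) / n_base)
            for t in vocab}

def score_code(code, log_odds):
    """Return (mean token log-odds, docstring count, emoji-in-comment count).
    A positive mean means the vocabulary looks more like the AI corpus."""
    known = [log_odds[t] for t in TOKEN_RE.findall(code.lower()) if t in log_odds]
    mean = sum(known) / len(known) if known else 0.0
    docstrings = code.count('"""') // 2
    emojis = sum(len(EMOJI_RE.findall(c)) for c in re.findall(r"#[^\n]*", code))
    return mean, docstrings, emojis
```

With such small corpora the log-odds only separate a handful of words (here "the", "and", "todo"); the point is the shape of the check, not these numbers.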

Some thoughts on the number of deep work hours, focus, and specialization (my replies to a DM)
> 1. I see everywhere that you need to work 8-10 hours,
> 7 days a week in order to succeed now
> but you mentioned only 4 hours of focused + 1-2 hours shallow 5 days a week.
> Is it really enough? I have to audit, learn about other protocols (e.g. Uniswap, Compound), languages (Solidity, Rust), concepts, read audit reports, and I don't think it counts as shallow work.
First, remember social-desirability bias
When someone asks you "what's your average day like" most people describe their perfect day, maybe even a bit exaggerated
Self-reporting is one of the worst sources of data
en.wikipedia.org/wiki/Social-de…
For me personally:
- about 4h of deep work a day
- + several shallow hours (can be mixed with deep work)
- + meetings (N/A in solo. But I remember that for me, when meetings are in moderation, they give more energy than they take)
Maybe I can manage around 8-11h of fairly deep work a day (still heavily mixed with lighter work) for a few weeks, then take a week off (or a research week, more focus on lighter load or different field)
I've heard from a lot of firms that you always need to give auditors time to rest and do light research, otherwise they burn out like matches
For example, @GuardianAudits give you 10 weeks per year for research guardianaudits.com/roles/role-gsr…
> Take 10 research weeks a year to focus on whatever you’re interested in and effectively recover from engagement weeks
For learning I'm usually fine with 8-10h a day if it's not deep thinking
Even for deep math (I was learning ZK: rdi.berkeley.edu/zk-learning/) 8-10h felt ok
But I'd say the first 4h of learning give me around 65%, the next 4h add maybe another 35%, and the last 2h are often dopamine-driven and make the next day less productive, so it can even be negative in the longer term. Unless you just listen to it in the background without thinking
Most auditors talk about doing 3-4h of deep work per day, and the rest is probably communication, busy work, and lighter tasks like PoCs or writing reports
I've also read in several books that most mathematicians only do about 3-4h of real deep work a day, then communication, maybe teaching a class, but that still feels more like anecdotes than solid data
One auditor's example that comes to mind is @windhustler's routine
> - A few hours of work: talks, messages, tweets, audit
> - Gym 1h
> - Lunch 1h
> - Another chunk of work, 4-5h
> - Family time
> - Some evening work, often just communication
> - Not every day is perfect, but tries to stay consistent
x.com/00xSEV/status/…
> 2. Is it better to be specialized in a niche rather than jumping between protocols and contests?
Maybe you've heard the idea of foxes and hedgehogs: a fox knows a bit about many things, but a hedgehog knows one thing really, really well
You can be successful with either approach, it really depends on your personality
A bit more about it from a Terence Tao interview (he’s a great mathematician)
youtu.be/HUkBz-cdB-k?t=…
> 3. How do I improve my focus and ability to deep work?
My current thought is that we often forget the brain is a physical object, so you start from the basics to keep it well fed and maintained: exercise, healthy food, sleep, hydration, ideally no intoxicants
And overall something like x.com/00xSEV/status/…
For motivation, my current view is that the best kind often comes from working with other people and getting constant feedback
And finally some smaller tricks:
- strategic breaks (daily, weekly, monthly, yearly)
- commit for 15 minutes, then renegotiate
- don't hold ideas in your head, write everything down
- GTD or a similar system on a higher scale


@DevDacian @_count_sum @sherlockdefi Then buy an old Twitter account
Nice way to create the “wonder kid” effect.

@_count_sum @sherlockdefi Once you get good, you should just create a new username on sherlock; a lot of auditors have used this pattern to success due to the game mechanics there.

First confirmed finding on @sherlockdefi (Medium)
Btw, is it possible to change a Sherlock username?

@0xMackenzieM It was done in Amplify contest and generally every SR performed well.
It's very motivating knowing that the project wants to pay for just looking at their code

The @mentolabs audit competition is live on @cantinaxyz!
Mento V3 advances the Mento Protocol as a leading onchain FX platform with a new AMM design: Fixed-Price Market Maker pools featuring programmatic rebalancing.
💰 $60,000 prize pool
📅 Live now - December 18
🔗 Below

Since when is an AI that uncovers 3/9 Mediums deemed "shit"?
If you look at it from a business perspective and as a developer, it makes total sense, and the tool is actually good?
Here's how I see it: an AI audit run costs ~$150, and in 1h you have 3 valid Medium findings that you can fix, vs paying an independent SR for a full day, which will cost you $800-$4,000 depending on who you're working with, to get probably similar results because the SR cannot parse the whole codebase in a single day ...
From a development perspective, buying an AI audit before getting an actual audit makes total sense to me, and it only costs a fraction.
Also, 3/9 is probably better than most juniors would find anyway. I doubt a beginner/junior would beat the AI in this competition so you can call it however you want, but I would not call it 💩
If someone is looking to test an AI Agent built for auditing smart contracts, try the one made by Nethermind auditagent.nethermind.io
I think most people will be surprised by the results.
deadrosesxyz (@deadrosesxyz):
@0xSimao brother, you're talking waaay too professional. this is not tradFi. just say their AI is shit.