Usman

2.5K posts

Usman banner
Usman

Usman

@0xusmanf

🥷 Security-First Solidity Dev 🏅 SSCD+ | QWS+ certified @CyfrinUpdraft ✍️ Co-authored SSCD+ study guides 🤝 Ambassador @Cyfrin

Katılım Ekim 2012
390 Takip Edilen664 Takipçiler
Sabitlenmiş Tweet
Usman
Usman@0xusmanf·
Blessed to have earned my second certification from @CyfrinUpdraft! Now, I’m officially a QWS (Qualified Web3 Signer) certified along with SSCD+. A huge thank you to the @cyfrin team and @PatrickAlphaC for creating such amazing tools like Safe Hash and Wise Signer.
Usman tweet media
English
36
5
113
19.5K
Usman retweetledi
Mike @ HTML All The Things 🇨🇦
Now that you're all back in the timeline. I've got a handful of really solid devs that I've worked with over the past 3 years that I couldn't recommend more. They're AI pilled, love Svelte and are good with the full stack. They got solid infra experience as well. Please reach out if you're hiring and I'll connect!
English
2
2
27
998
George Gorzhiyev
George Gorzhiyev@ygorz01·
It’s pretty crazy how we stopped seeing each others posts for a year
English
1
0
5
159
Usman
Usman@0xusmanf·
28 days into this series, I've spent more time inside the @_SEAL_Org Multisig Ops framework than any other document this year. It's a serious piece of work, built collaboratively by security firms and researchers who understand these failure modes from real engagement with protocols. Which is why I want to raise a few things I've been wrestling with. Not as criticisms. More as open questions I'd genuinely like to see the community think through. Some of these may already have answers I'm not aware of, and if so, I'd love to be corrected. On DAO signers. The framework's language is written for human signers throughout, personal emergency contacts, quarterly key confirmation, signer training. But the Ronin Bridge incident involved the Axie DAO itself as a signer behind one of the compromised validator keys. When the "signer" is a governance structure rather than an individual, how do the lifecycle and training controls apply? I can see an argument that the framework governs the address and not the entity behind it, but I'm not sure that fully resolves it. On external signer compliance. The framework requires all signers, including external parties, to meet hardware wallet, signing environment, and key management standards. That's the right requirement. But I've been thinking about what compliance actually looks like in a certification assessment when two of your five signers are from a different organization entirely. Does a signed attestation satisfy the evidentiary requirement? Does the accredited assessor need to independently verify? I'm raising this not because I think the requirement is wrong, it isn't, but because as more protocols go through the assessment process, what passing looks like for external signer controls seems worth defining clearly. On post-incident certification. The framework covers how to get certified. It doesn't cover what happens to a certified protocol that experiences a breach. Does certification lapse? Is there a review process? What are the disclosure obligations? Mature frameworks like SOC 2 and ISO 27001 have defined processes for this. Given how new the program is, this hasn't been tested yet, but protocols considering certification will eventually want to know. On classification consistency. The framework requires classification review after significant TVL shifts, new products, and protocol upgrades. What counts as significant is intentionally left to the protocol's judgment, and that makes sense since a $5M TVL shift means something very different to a $10M protocol than it does to a $1B one. But with 20 accredited firms now conducting assessments independently, I wonder whether @_SEAL_Org plans to publish worked examples to help assessors evaluate those judgment calls consistently across engagements. The subjectivity is appropriate at the protocol level. The question is how that subjectivity gets evaluated consistently at the assessor level as the program scales. These frameworks get better through use and community engagement. 28 days of studying this one have given me a lot of respect for the thinking behind it, and a few questions I haven't been able to resolve on my own. Day 29 of 30.
English
0
0
6
383
Usman retweetledi
barryseconomics
barryseconomics@barryeconomics·
The biggest trick in economics might be convincing people that wealth is just about working harder. Because if that were true... Why do so many people work incredibly hard and still struggle? And why do some people become richer simply because they already own assets? A thread
English
1
1
3
61
Usman
Usman@0xusmanf·
Your hardware wallet is the last place in your signing workflow that an attacker can't fake. Not the Safe UI. Not the simulation. Not the chat message describing the transaction. The hardware wallet screen, where the device independently receives and displays the transaction it's being asked to sign. Bybit's signers had hardware wallets. When Lazarus Group compromised Safe's infrastructure and injected malicious JavaScript, the Safe UI showed Bybit's signers a routine cold-to-hot wallet transfer. Their hardware wallets were being asked to sign a DELEGATECALL that handed control of the multisig to an attacker-controlled contract. The hardware wallet screens showed that. The signers didn't look. Three @_SEAL_Org Multisig Ops controls speak directly to this failure. Transaction Handling Process requires hash cross-checking across at least two independent interfaces before signing; a second interface not sharing Safe's compromised infrastructure would have returned different data and surfaced the discrepancy. It also explicitly flags DELEGATECALL operations to untrusted addresses as high risk. Hardware Wallet Standards requires clear signing support, a device capable of displaying what it's actually being asked to approve, independently of the interface serving the transaction. Signer Training and Assessment requires training specifically on transaction verification, not just how to initiate and approve transactions, but how to verify what the hardware wallet itself is being asked to sign. A signer trained to check the hardware wallet screen, not just the UI, is the human control that catches what the technical controls surface. Would these controls have prevented the attack? The hardware wallet screens were showing the true transaction the entire time. Any process that required signers to verify what was on those screens would have surfaced the discrepancy before a single signature was collected. The truth was visible. The process to see it wasn't in place. Day 28 of 30.
English
0
0
2
229
Mahima Thacker
Mahima Thacker@mahima_thacker·
Turned 21 today❤️ This year gave me family challenges, job loss, uncertainty, rejection, and a lot of days where I didn't know what came next. But I'm still here. Still learning. Still building. Still trying. Last year wasn't easy. There were days when I was breaking down, but I kept going anyway. One of the biggest lessons I've learned is that you have to be there for yourself, no matter who stays, who leaves, or who shows up when you need them. And I've started believing that if God has placed a dream and ambition in your heart, it's there for a reason. So you keep going, no matter how hard it gets, no matter how lost you feel, and no matter what your current situation looks like. Not where I thought I'd be at 21, but still moving forward. And today, that's enough🤍
English
20
1
57
1.9K
Usman
Usman@0xusmanf·
Not every protocol has a dedicated security team. Not every team has the bandwidth to implement 24 controls on day one. That's not negligence: that's the reality of building with limited resources. So here's the honest version of this conversation: which controls from @_SEAL_Org's Multisig Ops framework cost the least to implement and cover the most dangerous gaps? Multisig Registry and Documentation. A spreadsheet. One hour to build. Lists every multisig you control, every signer, every threshold, every controlled contract. Free. The protocol that doesn't have this doesn't know its own attack surface. Signer Address Verification. When you add a new signer, how do you confirm that address actually belongs to them? Message signing with the address, confirmed via an independent tool, with documented proof. Costs nothing. Without it, you could hand signing authority to an attacker-controlled address while onboarding someone you trust. Signer Key Management Standards. A hardware wallet costs around $100. A dedicated address costs nothing. Hardware wallets for all operations, fresh dedicated address per multisig, these are the cheapest high-impact controls in the entire framework and the foundation everything else in signer security builds on. Secure Signing Environment. Hardware wallets protect the key. This control protects what the hardware wallet is connected to. Radiant Capital's signers had hardware wallets. Their devices were compromised. Malware manipulated transaction data between the software and the hardware. The wallets signed what they were shown. What they were shown was wrong. $50M. For a small team, network isolation or a dedicated signing device for high-value operations is a low-cost implementation of this control. Transaction Handling Process. This one costs nothing except discipline. Every signer independently verifies chain ID, target, calldata, value, nonce, and operation type. Hashes cross-checked across two independent interfaces before anyone signs. Bybit lost $1.4B because this step was skipped. Signer Diversity. A design decision made once, at setup. Get signers from different organizations. Different geographies if possible. Ronin Bridge lost $625M partly because one entity controlled enough keys to meet threshold. Avoiding that costs nothing if you think about it before you configure the multisig. Signer Lifecycle Management. A process, not a tool. When someone leaves the team, remove them within the required window. Run a quarterly check confirming every signer still controls their key. Calendar reminders. Free. Multisig Monitoring and Alerts. Free tiers exist across multiple platforms. A basic alert on signer/threshold changes and transfers exceeding a defined amount is not a full monitoring stack, but it's the difference between detecting a breach and finding out on CT. Eight controls. Seven of them cost nothing to implement. One costs the price of a hardware wallet per signer. The other 16 controls matter. Build toward them. But if resources are the constraint, this is where you start. Day 27 of 30.
English
1
0
4
113
Usman
Usman@0xusmanf·
After 25 days breaking down 24 controls, here's the path from self-assessment to certified. Step one: score yourself honestly. @_SEAL_Org uses a four-tier scale: Implemented, Partially Implemented, Not Implemented, N/A. Self-assessment doesn't grant certification, but it surfaces exactly which controls need remediation before you engage a reviewer. Step two: build your evidence. For every Implemented control, you need five things: procedure documentation with versions and approval dates, operational proof showing active use, testing and validation results, ownership details, and technical artifacts. Evidence isn't supplementary; it's what a reviewer verifies your claims against. Step three: remediate gaps. Any control scored Partially Implemented or Not Implemented must be fully remediated during the review process. Certification isn't issued until every control is Implemented or N/A with justification. Step four: engage an accredited assessor. 20 firms are currently being accredited to conduct SEAL certification reviews. Protocols can join the waitlist at securityalliance.typeform.com/CertsWaitlist or reach out directly to an accredited firm, i.e., @cyfrin. Self-check: → Have you completed a self-assessment with honest scoring across all 24 controls? → Is evidence collected and ready for every control you'd score Implemented? → Is there a remediation plan for every control that isn't? Certification is a process, not a moment. The self-assessment is where it starts. Day 26 of 30.
English
0
1
3
81
pyseal
pyseal@pyseal·
Received the SSCD+ certificate, and I think it does a great job covering a wide range of Web3 areas Great job by @CyfrinUpdraft Overall, it was a really good learning experience, and I’d recommend it Godspeed Web3! profiles.cyfrin.io/u/pyseal/certi…
pyseal tweet media
English
1
0
3
52
Usman retweetledi
Vitto Rivabella
Vitto Rivabella@VittoStack·
Truth has been spoken.
Vitto Rivabella tweet media
English
83
1.8K
13K
338.6K
Usman retweetledi
Security Alliance
Security Alliance@_SEAL_Org·
He’s not exaggerating. We broke down those five things, what they are, why they keep working, & what actually stops them. Our 2Q 2026 Threat Intel Summary is available here: radar.securityalliance.org/2q-2026-threat…
bbsz@blackbigswan

I am working on a quarterly threat intel report for SEAL and goddamn blockchain projects are basically constantly getting rekt by the same things over and over again. And when I say 'the same things' it is literally the same things that somehow everybody claims to be 'well aware off' or 'not that stupid to fall for it'. And 90% of those things is actually easy to stop but that doesn't happen because nobody bothers with the actual recommendations made by security / threat / appsec / opsec people even if those are made for free or near-free if you include tooling. Like, it is honestly ridiculous when you finally get to creating the 'big picture' view. It even fooled me. I somehow thought - Omg, we deal with so many different things, tens of different things, 20 tickets and tips and signals a day, how am I supposed to cover it all! The answer - it is maybe like FIVE different things just over and over and over again. DPRK campaigns literally exists because of that massive discrepancy between signaling ("We are audited") and the reality ("... but we don't know what that means"). Yes, there is some adaptation/evolution on Norks part but only against nerds that chase them and not against geeks that get rekt by them. TTPs are EXACTLY the same, EDRs are DETECTING their malware, goddamn, I think in one or two instances we've seen their attack chain failing because of the firewall setting and they just gave up and moved to someone who just doesn't give a F at all? The bar is in hell and we only do not get another record hack front page news because the whole industry is in massive bear market.

English
1
2
10
3.4K
Usman retweetledi
bbsz
bbsz@blackbigswan·
I am working on a quarterly threat intel report for SEAL and goddamn blockchain projects are basically constantly getting rekt by the same things over and over again. And when I say 'the same things' it is literally the same things that somehow everybody claims to be 'well aware off' or 'not that stupid to fall for it'. And 90% of those things is actually easy to stop but that doesn't happen because nobody bothers with the actual recommendations made by security / threat / appsec / opsec people even if those are made for free or near-free if you include tooling. Like, it is honestly ridiculous when you finally get to creating the 'big picture' view. It even fooled me. I somehow thought - Omg, we deal with so many different things, tens of different things, 20 tickets and tips and signals a day, how am I supposed to cover it all! The answer - it is maybe like FIVE different things just over and over and over again. DPRK campaigns literally exists because of that massive discrepancy between signaling ("We are audited") and the reality ("... but we don't know what that means"). Yes, there is some adaptation/evolution on Norks part but only against nerds that chase them and not against geeks that get rekt by them. TTPs are EXACTLY the same, EDRs are DETECTING their malware, goddamn, I think in one or two instances we've seen their attack chain failing because of the firewall setting and they just gave up and moved to someone who just doesn't give a F at all? The bar is in hell and we only do not get another record hack front page news because the whole industry is in massive bear market.
English
12
8
86
18.9K
Usman
Usman@0xusmanf·
If the last 24 days revealed gaps in your protocol's multisig operations, you're not alone. The question is which ones to close first. @_SEAL_Org's framework isn't arbitrary in its structure. The controls in later sections only function correctly when earlier ones are in place. Here's the priority logic: Governance and registry come first. You can't manage signing authority over addresses you haven't documented. A missing multisig in your registry is an unmonitored, unclassified, unreviewed signing surface. Classification comes second. It determines the required threshold, quorum, review cadence, contract-level controls, signer diversity requirements, and emergency response times for every multisig you operate. Every other control calibrates to it. Signer security comes third. Address verification, key management, lifecycle management, training. Operational procedures built on top of unverified signers using unmanaged keys are procedurally sound and structurally compromised. Transaction procedures come fourth. Independent verification, simulation, audit trails, tool evaluation. This is the layer where most exploits actually execute. Communication and emergency operations come fifth and sixth, the resilience layer that determines how your protocol responds when the first four layers face a real test. Self-check: → Which layer is your weakest right now? → Are there gaps in an earlier layer that are undermining controls you've already built in a later one? → Is there a named owner driving this work forward at your protocol? Security maturity is built in sequence. The sequence matters. Day 25 of 30.
English
0
0
1
87
Usman retweetledi
Mattmatt 🌸
Mattmatt 🌸@0xMattmatt·
Scam alert feature every wallet should adopt: Address poisoning detection Alerts whenever users about to send tokens or a transaction to an address that's similar to one they've interacted with before Nice implementation @ambire 👏
Mattmatt 🌸 tweet media
English
4
5
23
930
Usman retweetledi
Vitto Rivabella
Vitto Rivabella@VittoStack·
🚨 Introducing: WallBreaker V1 🚨 An open-source AI red teaming CLI to help you research LLM jailbreaks and security. - Probe LLMs guardrails - Harmbench goals ready - Find universal jailbreaks - Fully autonomous or assisted campaigns - Learns and improves after every successful run - Computer use and MCP ready for live API testing Set your attacking model, a target, select a goal, and you’re good to go. WallBreaker will start probing different techniques and combinations based on its learnings and hundreds of data points until it succeeds. This is the first open source tool coming out of the Jailbroken community. ⚠️ DISCLAIMER: For authorized use only. Point it only at systems you own or have explicit written permission to test. Unauthorized access can be a crime. Shipped as-is under AGPL-3.0: no warranty, no liability, zero endorsement of misuse. Link in the comments 👇
Vitto Rivabella tweet media
English
21
74
573
48.7K
Usman
Usman@0xusmanf·
That's 24 controls across 6 sections. This is the last one. @_SEAL_Org's Multisig Ops "Emergency Drills and Improvement" control closes the framework with the requirement that ties everything else together: regularly rehearse your emergency procedures and track what you learn. Annual minimum. After every major procedure change. Documentation covering date, participants, response times, issues identified, and improvements made. Every playbook, every escalation path, every communication procedure covered in this series only works if it's been tested. Drills are how you find out whether they do, before an incident does it for you. Self-check: → Is your next emergency drill scheduled? → Does your drill documentation capture all five required fields, including issues identified and improvements made? → Is there a process that connects drill findings to actual procedure updates? 24 controls. All of them matter. None of them work if they're never rehearsed. Day 24 of 30.
Usman tweet media
English
0
0
4
85
Usman
Usman@0xusmanf·
Most protocols monitor for large transfers. Few monitor for nonce gaps. A nonce gap, a transaction that was signed but never executed, or executed out of order, can indicate a failed attack attempt or a process breakdown. It's not obvious. It doesn't announce itself. And it's one of seven event types @_SEAL_Org's Multisig Ops "Multisig Monitoring and Alerts" control requires to be actively monitored. The full list: signer/threshold changes, transfers exceeding thresholds, nonce gaps, interactions with unknown addresses, failed transactions, module/guard changes, and low submitter/proposer balances. Alerting and escalation paths documented. Monitoring infrastructure protected against tampering. Self-check: → Does your monitoring cover all seven event types, or only the ones that are easy to set up? → Are nonce gaps and failed transactions actively monitored, or only visible after the fact in a block explorer? → Is there a documented escalation path for each alert type that defines who responds and how? The events easiest to miss are the ones most worth monitoring. Day 23 of 30.
Usman tweet media
English
0
0
1
76