Lee | 33Audits (@33audits)

2.5K posts

auditing, researching, building | DM for audits

Joined January 2023
341 Following, 4.2K Followers

Pinned Tweet
Lee | 33Audits@33audits·
Happy to announce that 33Audits is one of the whitelisted service providers for @UniswapFND. We've been involved in building and auditing hooks for over a year now and are excited to help secure Defi's future and the narrative continues to grow. It's pretty crazy being on this list together with a bunch of Tier 1 auditing firms but we see this as a direct reflection of the hard work that we've put in over the past two years in growing and building with and in the web3 security community. Shoutout to @UniswapFND and @areta_io for putting this awesome initiative together. While many builders come on here and discuss how audits are useless it's clear that the biggest names still understand the importance of web3 security and make sure that risk doesn't get passed on to our users. Looking forward to 2025 and what comes next.
Uniswap Foundation@UniswapFND

We are grateful to the 16 teams who make this initiative possible. These providers bring proven track records in smart contract security, having collectively secured billions in TVL across DeFi. @solidityauditor @ABDKconsulting @certora @chain_security @CyfrinUpdraft @ConsensysAudits @dedaub @fuzzland_ @GuardianAudits @hackenclub @HalbornSecurity @MixBytes @OpenZeppelin @spearbit @trailofbits @zellic_io

Lee | 33Audits@33audits·
@4lifemen fire thread and pretty easy to understand bug, nice find wardens!
han 🛡️@4lifemen·
The Monad audit is done. 4 high-severity findings were reported by other wardens — here's a breakdown of each one. This thread breaks down H-01 🧵
Lee | 33Audits@33audits·
@gakonst seems like tempo is still undergoing audits, any idea when they'll be public?
Georgios Konstantopoulos
We just launched Tempo Mainnet & the Machine Payments Protocol. Last 5 years our team also created: - Reth: high performance node SDK for Ethereum L1 & L2s. - Foundry: testing framework used to deploy/test >$100B in DeFi. - Wagmi/Viem: Typescript for all crypto web apps. AMA.
Lee | 33Audits@33audits·
v1 of the @uniswap CCA audit agent is live on GitHub. It catches the Critical integration bug we found in our recent audit of an auction built on CCA and a lot more. Tested it against a few scanners currently getting buzz on X, which currently miss the critical. CCA configs are deceptively dangerous. Tick spacing, decimal accounting, a bunch of nuanced gotchas that are easy to miss if you haven't gone deep on the spec. This agent catches most of these CCA-specific bugs so you can fix them before your code ever hits an auditor's IDE. Btw, I don't think any of these scanners should be a replacement for your auditor; a better framing is to think of them as dev tools. Run it early, catch the low-hanging fruit, and let your auditor focus on the stuff that actually requires a human. Personally, I'm way more bullish on domain-specific scanners than generalized ones. Less context upfront leads to better results. That said, you can absolutely pull from this and add it to your current workflow to train your favorite agent. github.com/33Audits/cca-a…
Lee | 33Audits@33audits·
still bullish on ai agents for auditing, but there's a long way to go and a lot of work to do. And most of the things we've seen in the past week are just a lot of hype. i think the current wave of agents will converge. they'll all find the same bugs eventually and become glorified static analyzers on steroids. we've seen this movie before. bot races on c4. super cool at first, genuinely useful, but over time they all stopped being unique. one bot dominated market share (shoutout to LightChaser) and the rest died off. meanwhile bugs kept getting found by researchers, hacks kept happening, and the high-paying findings still came from people who sat down and actually digested the codebase. that's where this is headed... NEAR term. let me emphasize that for the people in the back. NEAR TERM. long term, the future is super bright for web3 security, there will be agents that outperform more than 90% of auditors, and they'll be much faster, not only at finding bugs, but also at learning about new bug classes unknown to most. i think all the experiments we're running on auditing agents are an extreme net positive for the space. we're innovating at a rapid pace, every day. i'm hyper bullish that as models keep getting better, the improvements we'll see in ai finding bugs will be exponential. it's an exciting and kinda weird time. even still, with all this bullishness for the long term, i'm still convinced that a dev/auditor with experience and a $20 dollar subscription to some LLM will continue to perform at a high enough level to provide value. it's really just a matter of your mentality at this point.
Lee | 33Audits@33audits·
yea once you start building your own you realize what's being said on X is the usual marketooor stuff we auditors love throwing around (mostly cause it works). only problem here is we may have convinced a few founders that just running these skills is good enough, and obv that's not true
BengalCatBalu😽@BengalCatBalu·
Any concerns about AI tend to disappear once you actually spend time understanding the tools and integrating them into your workflow. There was a real boom in Claude skills. At first I felt like I was falling behind, but I spent a couple of days catching up and digging into them. Here are the ones I found most useful so far. For security work: 1) audit-context-building, entry-point-analyzer (@trailofbits). Great starting point for any audit. I run them early to build context and get a structured view of the codebase. 2) claudit (@MartinMarchev). One of my favorites. Very useful for research and generating vulnerability ideas. 3) solidity-auditor (@PashovAuditGrp) and SCV (@0xKaden). Both analyze the full scope and generate their own reports. Good for spotting missed issues or exploring additional attack surfaces. But don’t rely on them blindly — they miss things and can have a high false positive rate, obviously. 4) fix-review (Trail of Bits). Helpful for validating fixes and reviewing changes. For smart contract development: 1) Solskill (@cyfrin). Useful for writing and reviewing Solidity code according to best practices. 2) @OpenZeppelin skills. Helps align generated code with modern OpenZeppelin standards and patterns. 3) building-secure-contracts (Trail of Bits). A collection of small, focused skills that help depending on the type of protocol you're building. All of these appeared fairly recently — but they’re already enough to noticeably improve your workflow. I’m genuinely excited about this wave of Claude skills. Used correctly, this is exactly the kind of tooling that makes your work better — not replaces it.
Lee | 33Audits@33audits·
@adeolRxxxx @Uniswap thanks dude, building one for CLOBs next. seems like the best route forward for our team as well, we can just scan for niche hard to find vulns and then use these other scanners for generalized things
playboi.eth@adeolRxxxx·
@33audits @Uniswap This is cool, building an agent that specifically spots CCA integration issues would go a long way
Tay 💖@tayvano_·
@TrustlessState @VitalikButerin They build the secure platform for everyone to build anything on with no risk of censorship, etc. You build for the real world. Or, more likely, you sit on the sidelines and suck off overlords that sell you out bc you still don’t get this after a decade.
Lee | 33Audits@33audits·
imagine letting AI outwork you
Nirlin - Security Auditor
Report for the Solana smart contract audit for @lotrydotfun is ready. Migrating from EVM to Solana doesn't just change the language, it changes everything. An onchain lottery where tickets trade like tokens on a bonding curve, until the VRF draws winner. Check report below 👇
frescofresh@fresco_io·
Fuck it. I’m building personal ai assistant or business assistants / employees for local professional people in my area via openClaw as a side hustle. Charging $8k to do it for them. Will it work?
stokasz@stokasz·
@hrkrshnn @33audits Does Minimax really achieve similar results as the audit agent? That's surprising
Lee | 33Audits@33audits·
wait... what happens to our AI audit agents when claude raises the max price from $200/m to $1000/m? do we start shilling manual reviews again?
Lee | 33Audits@33audits·
sure i mostly agree, ec2 is far cheaper than it used to be, but this assumes that most companies will pass on these cost decreases to their users and not shareholders. openai considering adding ads to the free tier is a great example of our ai overlords pleasing their investors at the cost of users. but yea in general Moore's law, hardware prices go down etc etc.
Hari@hrkrshnn·
@33audits Secondly, if you look at tech and infra, the price for the same thing always goes down.
Lee | 33Audits@33audits·
@forefy otw hopefully this week just back testing mostly and fine tuning
forefy@forefy·
@33audits Oh please do share, I would love to list it on the auditor skills registry
Lee | 33Audits reposted
Lee | 33Audits@33audits·
there's a critical bug i've been researching that's somewhat unique to CLOBs. it can cause a DOS on the order book, leaving the protocol completely useless. this issue was recently found as a high in the GTE contest, and we've seen it appear again in private work we did after that contest. we've done about three order book audits at this point, and we're starting to catch consistent patterns across all of them due to the similar architecture they all share. the bug itself is fairly easy to spot, no pun intended. let's take a look a little deeper. most CLOBs have a minOrderAmount check when creating a new order. the intent is to stop dust orders from spamming the book and DOSing the matching engine every time an order tries to fill. good protection in theory. but where can we break this invariant? partial fills are a feature that most CLOBs support; the idea is you don't need to fill the entire resting order; you can take a piece of it. this benefits makers and takers alike. the problem is that if there's no check that the remaining amount after a partial fill is still above minOrderSize, these dust remainders can accumulate, either deliberately (by an attacker) or just naturally over time. the orders get partially matched and leave a dust remnant in the order book. over time, looping through matches can approach or exceed practical gas limits, leaving the matching engine unusable. on high-throughput chains with low gas fees, doing this at scale is relatively cheap. the attacker (or just normal flow) posts orders, gets them partially filled just enough to leave sub-minimum remnants, and repeats. the book fills up with dust orders. every future incoming order now has to iterate over those dust orders during matching, and in many cases the matching engine will revert entirely when it tries to compute a zero-cost trade against them. core functionality, completely unusable. 
the fix is simple: if you're enforcing minOrderSize on order creation, enforce it on the post-fill remainder too. remove the order from the book if what's left falls below the minimum.
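The dust-remnant bug and its fix from the thread above, as an added Solidity illustration that is not code from 33Audits or from any audited order book. It assumes a deliberately simplified single-contract order store (no price levels, no matching loop, no token transfers); every name in it is constructed for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Minimal resting-order store used only to illustrate the dust-remnant bug.
/// Simplified on purpose: no price levels, no matching loop, no token transfers.
contract DustSafeBook {
    struct Order { address maker; uint256 remaining; bool active; }

    uint256 public immutable minOrderSize;
    uint256 public nextId = 1;
    mapping(uint256 => Order) public orders;
    uint256 public activeCount; // entries a real matching loop would iterate over

    error BelowMinimum(uint256 amount, uint256 minimum);
    error InactiveOrder(uint256 id);

    constructor(uint256 _minOrderSize) { minOrderSize = _minOrderSize; }

    /// Order creation: the check most CLOBs already have.
    function placeOrder(uint256 amount) external returns (uint256 id) {
        if (amount < minOrderSize) revert BelowMinimum(amount, minOrderSize);
        id = nextId++;
        orders[id] = Order(msg.sender, amount, true);
        activeCount++;
    }

    /// VULNERABLE variant, kept for comparison: a partial fill can leave
    /// 0 < remaining < minOrderSize resting in the book indefinitely.
    function fillUnsafe(uint256 id, uint256 amount) external {
        Order storage o = orders[id];
        if (!o.active) revert InactiveOrder(id);
        if (amount > o.remaining) amount = o.remaining;
        o.remaining -= amount;
        if (o.remaining == 0) { o.active = false; activeCount--; }
    }

    /// FIXED variant: re-apply the minimum to the post-fill remainder and
    /// evict the order when only dust would be left. The evicted remainder
    /// still belongs to the maker and must be returned through the protocol's
    /// existing cancel/refund path (omitted here).
    function fillSafe(uint256 id, uint256 amount) external {
        Order storage o = orders[id];
        if (!o.active) revert InactiveOrder(id);
        if (amount > o.remaining) amount = o.remaining;
        o.remaining -= amount;
        if (o.remaining < minOrderSize) { // zero or dust: drop it from the book
            o.active = false;
            activeCount--;
        }
    }
}
```

Watching `activeCount` after a sequence of partial fills against each variant shows the difference: with `fillUnsafe` the dust orders stay counted and would still be visited by a matching loop, with `fillSafe` they are gone.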
Lee | 33Audits@33audits·
New report added for our portfolio for FortuneFi. < 4 Criticals < 2 Highs < 8 Mediums The team did an amazing job on this one and the client was extremely happy with the results. github.com/leeftk/audit-r…