Dacian (@DevDacian)
3.3K posts
Audit Team Leader @Cyfrin Protected $40,000,000,000+ on-chain TVL!
in your storage | 🇰🇷 Joined April 2021
266 Following, 6.6K Followers

Pinned Tweet
Dacian @DevDacian
1 Hour with @PatrickAlphaC where I cover:
1⃣ how I break down stateful fuzz testing by invariant types and contract lifecycle
2⃣ my favorite general heuristics which I use to find all sorts of bugs in many different codebases
3⃣ mindset and ultimate recipe for success
Link👇
Dacian @DevDacian
💡Subtle Oracle / Math Bug💡
When a price aggregator uses multiple feeds to calculate on-going Moving Average (MA), it shouldn't also use as input previous MA values to avoid the MA increasingly reflecting itself rather than the market data.
Using previous values as input is useful to calculate Exponential Moving Average (EMA) where each new observation is blended with previous EMA using a "smoothing factor", causing recent values to have more weight while older values decay exponentially.
The correct way to implement both:
1⃣ aggregate multiple raw feeds into one clean price per desired time interval
2⃣ run either MA or EMA on that single price series
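A worked example of the two-step approach in the tweet above, added here in Python (it is not Dacian's code and not any aggregator's implementation): constructed feed values are collapsed to one clean price per interval with a median, then a simple MA and an EMA are run on that single series. The self-referencing MA anti-pattern is included alongside, so the drift the tweet warns about is visible: after a permanent step from 100 to 110, the correct MA lands on 110 once the window has rolled over, while the version that feeds its own outputs back in keeps chasing its own history. The feed values, window length and smoothing factor are assumptions.

```python
from statistics import median

# Constructed sample data (not from the thread): three raw price feeds
# sampled once per interval. All feeds step from 100 to 110 at interval 3;
# feed_c has a one-off glitch at interval 1.
RAW_FEEDS = {
    "feed_a": [100.0, 100.0, 100.0, 110.0, 110.0, 110.0, 110.0, 110.0, 110.0],
    "feed_b": [100.0, 100.0, 100.0, 110.0, 110.0, 110.0, 110.0, 110.0, 110.0],
    "feed_c": [100.0, 130.0, 100.0, 110.0, 110.0, 110.0, 110.0, 110.0, 110.0],
}


def clean_price_series(feeds):
    """Step 1: collapse the raw feeds into ONE clean price per interval.
    The median is used so a single glitching feed cannot drag the value."""
    n = len(next(iter(feeds.values())))
    return [median(series[i] for series in feeds.values()) for i in range(n)]


def moving_average(prices, window):
    """Step 2a: simple MA. Every output is computed only from clean prices
    inside the window; earlier MA outputs are never fed back in."""
    out = []
    for i in range(len(prices)):
        w = prices[max(0, i - window + 1): i + 1]
        out.append(sum(w) / len(w))
    return out


def exponential_moving_average(prices, alpha):
    """Step 2b: EMA. Here feeding back the previous value IS the intended
    recursion: ema_t = alpha * p_t + (1 - alpha) * ema_{t-1}."""
    out = [prices[0]]
    for p in prices[1:]:
        out.append(alpha * p + (1 - alpha) * out[-1])
    return out


def self_referencing_moving_average(prices, window):
    """The anti-pattern from the tweet: a 'simple' MA whose input window is
    padded with its own previous outputs instead of only clean prices, so the
    average increasingly reflects itself rather than the market."""
    out = []
    for i in range(len(prices)):
        inputs = [prices[i]] + out[max(0, i - window + 1): i]
        out.append(sum(inputs) / len(inputs))
    return out


def compare(feeds=RAW_FEEDS, window=3, alpha=0.5):
    """Return the clean series and the three averages side by side."""
    clean = clean_price_series(feeds)
    return {
        "clean": clean,
        "ma": moving_average(clean, window),
        "ema": exponential_moving_average(clean, alpha),
        "buggy_ma": self_referencing_moving_average(clean, window),
    }


if __name__ == "__main__":
    for name, series in compare().items():
        print(f"{name:>9}: " + " ".join(f"{x:7.2f}" for x in series))
```

With a window of 3, the correct MA reads exactly 110 at interval 5 (two intervals after the step), whereas the self-referencing variant is still below 106 there and never reaches 110 in the sample, because every output it produces is partly an average of its own stale outputs. The same recursion is correct for the EMA only because the smoothing factor makes the decay explicit and bounded.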
Dacian @DevDacian
@0xCharlesWang A similar pattern I've seen in multiple historical 2023-2024 audits is not implementing a way to withdraw/redeem, especially when tokens were transferred to an external protocol.
CharlesWang @0xCharlesWang
A very simple bug pattern is transferring tokens to a contract without accounting for it. These will just be lost.
Dacian @DevDacian
@p_tsanev fair enough, but that said I think the only "true test" for these tools is on new never-before-seen codebases
Plamen Tsanev @p_tsanev
It does not directly query the contest into solodit and grep everything, it greps its own findings from analysis and searches solodit against what it thinks it found to increase its confidence score. If you read the linked repo with the scratchpad, you will see they weren't matched
Plamen Tsanev @p_tsanev
😱A FREE Open-Source AI Auditor just delivered the same output as a $47,000 audit contest! Plamen ran twice on the same DODO contest as other tools and achieved 90+% coverage both times! Check the entire process below and integrate Plamen in your development workflow now
Dacian reposted
blockful.eth @blockful_io
The solution: A custom Security Council contract to veto proposals and increasing timelock period from 0 to 2 days, improving response to attacks. We reached out to @cyfrin for auditing the contract, they were extremely helpful and agile, so we could deploy asap. Github: github.com/blockful/shutt…
Dacian reposted
George Gorzhiyev @ygorz01
@DevDacian has crafted a powerful AI tool for his work and I’m very much enjoying reading the reports it makes. It’s good to see another perspective on security.
Dacian @DevDacian
@0xcastle_chain @1337web3 Not really searching for vulns, just checking for quick things like exposed private keys because it is best to let the dev know asap before they share the repo around more
0xFrankCastle🦀 @0xcastle_chain
@DevDacian @1337web3 Why searching for vulnerabilities in the quoting stage? Does this impress the client and help with closing the agreement?
0x539.eth @1337web3
I’m not joking when I say that we see deploy scripts using plain text private keys almost every day… I already have a templated finding that I just add to a report once I see such instance. Please please please… protect your private keys and don’t store them in plain text 😬
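A defender's check for the problem 0x539.eth describes above, added here as Python (it is not the poster's templated finding nor any audit firm's tooling): it scans a deploy script for 64-hex-digit literals, ranks those sitting on a line with key-like words highest, treats other bytes32 literals (salts, storage slots) as needing review, and redacts the values in its output so the report itself does not leak anything. The sample script is constructed; `vm.envUint` is Foundry's forge-std cheatcode for reading a value from the environment and is shown as the safe alternative to a pasted key.

```python
import re

# A 32-byte private key written as a hex literal, with or without a 0x prefix.
# The look-arounds keep it from matching inside a longer hex string.
PRIVATE_KEY_HEX = re.compile(
    r"(?<![0-9a-fA-F])(?:0x)?[0-9a-fA-F]{64}(?![0-9a-fA-F])"
)

# Words that, on the same line, make a 64-hex literal very likely a key
# rather than a bytes32 constant such as a salt or a storage slot id.
KEY_WORDS = ("private", "key", "secret", "signer", "mnemonic")


def find_hardcoded_keys(source: str):
    """Return (line_no, severity, redacted_literal) for every 64-hex literal.
    Lines mentioning key-like words are 'high'; other bytes32 literals are
    'review', since a salt or slot id legitimately looks the same."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        lowered = line.lower()
        for match in PRIVATE_KEY_HEX.finditer(line):
            severity = "high" if any(w in lowered for w in KEY_WORDS) else "review"
            literal = match.group(0)
            # never echo the full value back into a report or log
            findings.append((line_no, severity, literal[:6] + "..."))
    return findings


# Constructed sample deploy script (not from any real project): one key
# pasted into the source, one harmless bytes32 salt, one correct env lookup.
SAMPLE_DEPLOY_SCRIPT = f"""\
// Deploy.s.sol (constructed sample)
contract Deploy is Script {{
    // BAD: signer key pasted into the script
    uint256 deployerKey = 0x{'ab' * 32};
    bytes32 constant SALT = 0x{'00' * 31}01;
    function run() external {{
        uint256 key = vm.envUint("PRIVATE_KEY"); // GOOD: read from environment
        vm.startBroadcast(key);
    }}
}}
"""


def scan_sample():
    """Run the scanner over the constructed script."""
    return find_hardcoded_keys(SAMPLE_DEPLOY_SCRIPT)


if __name__ == "__main__":
    for line_no, severity, literal in scan_sample():
        print(f"line {line_no}: {severity:6} {literal}")
```

Run against the sample, the pasted key on line 4 is reported as high and the salt on line 5 as review, while the `vm.envUint("PRIVATE_KEY")` line is not flagged at all because no literal is present. Wiring this into a pre-commit hook or CI step catches the key before the repository is shared around, which is exactly the moment both posters above are worried about.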
Dacian reposted
Plamen Tsanev @p_tsanev
So by now it has been established that *everybody* uses AI tools in web3, either internal or public (or both). It would be interesting which are the favorite platforms of choice (they may seem obvious, but not so much), so please let me know so I can serve you a treat 😈+ 🤖:
Dacian @DevDacian
@GalloDaSballo @maurelian_ you inspired this but for formal verification; in 5 hours my specialist AI created all the invariants and a working certora formal verification suite from scratch
maurelian.eth 🔴✨ @maurelian_
Shill me your AI for smart contract auditing tools. I want everything from claude plugins to open source CLI tools to proprietary SaaS. Why is it any better than just asking the machine god to "find all the bugs, make no mistakes"?
Dacian @DevDacian
It will become harder than ever for new market participants to "make it" and be able to do this full-time professionally. I wouldn't expect charity from anyone - new market participants will have to find their own ways to make it. It is better for established audit firms if there is a shortage of skilled auditor supply, though if the shortage becomes too great they will likely have to start training interns and upskilling them internally. Some firms already do this so new market participants should apply to those internship programs when they open.
itsabinashb @itsabinashb
@DevDacian @joranhonig So shall we assume that with time, as the AI auditors giving service now, it will be very very hard for new auditors to enter the mainstream? What should they do? Shall audit firms give opportunity to them to assess their skills?
Joran Honig @joranhonig
Audit contests solved the web3 security talent problem. Now those same companies that were running contests are producing agents that will make it near impossible for new auditors to get in the space.
Dacian @DevDacian
Shout out @0kage_eth @Al_Qa_qa AMAZING work on cross-chain audit, finding:
* 1 Crit
* 7 High
* 17 Med, 8 Low
Very interesting protocol implementing legal framework for Controllable Electronic Records with cross-chain invoicing/purchases. @cyfrin blessed to audit this one!
Dacian @DevDacian
US has allies such as the country I live in which have great stockpiles, powerful industry and are very happy to produce and sell more weapons - we can mass produce weapons and everything else basically 24/7 at scale. US also has many other suppliers of raw materials and is continually diversifying. US is also the #1 destination for China's exports, so China can't just cut off the US as doing that hurts itself. Many people don't like it, but US is still the dominant power with the greatest military and zeal, even hunger to frequently exercise it to enforce their will. This is what is backing the US dollar, and hence why the US dollar remains dominant in global trade.
P.M @p_misirov
@DevDacian you mean the military that is short on missiles, depleted stockpiles, aging shipyards, non existent industrial capacity and importing all critical materials to sustain it from china? you know the US military only exists because of china, right?
P.M @p_misirov
if nation states and central banks do not want to hold dollars, why should we as regular people hold stablecoins? every USDC in your wallet is backed by US treasuries. the same treasuries that central banks are selling, the same treasuries backed by tax receipts that AI is about to disrupt, the same treasuries from a government spending 100% of its tax revenue on interest and entitlements before a single dollar goes to anything else. you are holding a tokenized version of the asset that nation states are actively dumping. these nation states are accumulating gold so they can diversify away from the US dollar. this is exactly what is happening right now:

old system: USD centric -- india sells goods to brazil --
1. brazil pays in USD (borrows if needed).
2. india receives USD.
3. india has USD, what to do? buys US treasuries because it's "safe" and pays interest.
4. US gets cheap financing because everyone is buying their debt.
5. Fed prints USD to fund spending, treasuries lose value.
6. india loses. they funded US spending and got paid in a depreciating asset.
7. the US can block indian payments anytime

new system: Gold settled -- india sells goods to brazil --
1. brazil pays in BRL or INR.
2. india holds BRL. doesn't need BRL. can't buy much from brazil with it.
3. india converts BRL to gold on the open market. no government can print more.
4. gold sits in india's central bank reserves. no counterparty risk. no one can freeze, sanction or debase it.
5. fed prints more USD, gold price goes UP, india's reserves INCREASE in value.
6. india wins. the more US prints, the richer india gets.
7. no state has authority to block gold payments.

in 1944 Keynes proposed exactly this at Bretton Woods: a global currency called the "Bancor" pegged to a basket of 30 commodities and used for international settlement. the US rejected it because they had all the gold and all the power after WWII. they said "just use dollars". that system is now 80 years old and breaking.

we need a stablecoin pegged to a basket of currencies USD, EUR, CNY, JPY, GBP... and redeemable for physical gold, anchoring the whole thing to something that no single government can print, and since it's on-chain it will be auditable, transparent and functional 24/7. PS: does bitcoin... fix this?

Quoting P.M @p_misirov:
who is working on gold backed stablecoins? honestly i don't see any reason to use dollar backed stablecoins anymore because of the debasement trade.
Dacian @DevDacian
@infosec_us_team @axelar @wormhole Have TVLs decreased as well? Makes sense in crypto bear market that as TVL decreases, so do the corresponding bounties.
infosec_us_team @infosec_us_team
Recently, @axelar decreased their max. bounty from $2m to $500k, @wormhole from $5m to $2m, and the list goes on and on.