Dacian

3.4K posts

@DevDacian

Audit Team Leader @Cyfrin. Protected $40,000,000,000+ on-chain TVL!

in your storage | 🇰🇷 Joined April 2021
287 Following, 6.7K Followers
Pinned Tweet
Dacian (@DevDacian):
1 Hour with @PatrickAlphaC where I cover: 1⃣ how I break down stateful fuzz testing by invariant types and contract lifecycle 2⃣ my favorite general heuristics which I use to find all sorts of bugs in many different codebases 3⃣ mindset and ultimate recipe for success Link👇
Dacian (@DevDacian):
@thebensams Additionally have and reference files like trust-model.md, known-findings.md etc which provide valuable context & info that are very difficult for agents to accurately infer. Especially the trust model when using role-based access control is very useful.
Benjamin Samuels (@thebensams):
PSA: If your project gets a ton of low quality vulnerability reports, you can filter those reports out with very little effort. All you need to do is update your project's claude/agents.md file to set your preferred quality threshold and criteria. Use the researcher's own tokens to verify their work.
- clearly state your project's threat model
- give examples of a high/medium sev vulnerability.
- instruct the model to spawn adversarial subagents to critique its work.
- PoC or GTFO
Just because there is a mountain of security researchers out there who don't know how to prompt/verify their work, doesn't mean your project has to suffer in triage overhead.
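As an added example (not the poster's tooling, and not a replacement for the model-driven verification the post recommends): a deterministic pre-triage gate in Python that encodes three of the listed criteria, a stated severity, a fenced proof-of-concept, and a reference to a file that actually exists in the repo, so obviously incomplete reports are bounced before any tokens are spent. The repo listing and both sample reports are constructed for this example; real use would replace KNOWN_FILES with the checkout's file list.

```python
import re

# Constructed repo listing; in practice build this from `git ls-files`.
KNOWN_FILES = {"src/Vault.sol", "src/Oracle.sol", "test/Vault.t.sol"}

FENCE = "`" * 3  # built at runtime so the sample report can live inside this listing
SEVERITY_RE = re.compile(r"^\s*severity\s*:\s*(critical|high|medium|low)\b", re.I | re.M)
FENCE_RE = re.compile(FENCE + r"[\w+-]*\n.*?" + FENCE, re.S)   # a fenced PoC block
PATH_RE = re.compile(r"\b(?:src|test)/[\w/]+\.sol\b")             # referenced contract files


def pre_triage(report, known_files=KNOWN_FILES):
    """Return (accepted, reasons) for one report.

    Every check is deterministic, so a rejected report costs nothing
    beyond this function; only reports that pass go on to the model
    and human review steps the post describes.
    """
    reasons = []
    if not SEVERITY_RE.search(report):
        reasons.append("no severity line (critical/high/medium/low)")
    if not FENCE_RE.search(report):
        reasons.append("no fenced proof-of-concept block (PoC or GTFO)")
    paths = set(PATH_RE.findall(report))
    if not paths:
        reasons.append("no affected file referenced")
    elif not paths & known_files:
        reasons.append("referenced files not in repo: " + ", ".join(sorted(paths)))
    return (not reasons, reasons)


# Constructed sample reports: one that clears the bar, one that does not.
GOOD_REPORT = (
    "Severity: High\n"
    "setFee() in src/Vault.sol has no upper bound on bps.\n"
    f"{FENCE}solidity\n"
    "vault.setFee(10_000); // 100% fee: every withdrawal is drained\n"
    f"{FENCE}\n"
)
BAD_REPORT = "Reentrancy might be possible in src/Vualt.sol, please check.\n"

if __name__ == "__main__":
    for name, text in (("good", GOOD_REPORT), ("bad", BAD_REPORT)):
        ok, why = pre_triage(text)
        print(name, "ACCEPT" if ok else "REJECT: " + "; ".join(why))
```

The regexes are deliberately loose heuristics: they catch the mass of reports that have no PoC or name a file that does not exist, and leave anything that passes for the agent and the human.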
Dacian (@DevDacian):
Korea very beautiful this time of year
Dacian retweeted
Bhim (@bhimDP):
@cyfrin @0xspiralstake @Morpho It was a pleasure working with Cyfrin. The team goes above and beyond to deliver on what they commit to!! Excellent audit and equally great post-audit support.
Dacian retweeted
Cyfrin Audits (@cyfrin):
Happy to share, Cyfrin has wrapped our audit of @0xspiralstake v2, a non-custodial protocol that amplifies yield using flash-loans on @Morpho. Read the full report 👇
Dacian (@DevDacian):
@aviggiano One of the most important lessons in using AI for large workflows is to avoid using AI for anything that can be done mechanically/deterministically. Have the AI code python scripts and use them, use AI only for reasoning. Saves tokens & gives much better consistent output.
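The two replies above, keeping a trust-model.md for role-based access control and having the AI write Python for anything mechanical, combine naturally. Below is an added example, not Dacian's, Cyfrin's or Solace's code, of such a script: it extracts a draft trust model from Solidity source with plain regexes and no model tokens. It assumes OpenZeppelin-style `onlyOwner` / `onlyRole(ROLE)` modifiers and an explicit visibility keyword on every function; the `Vault` contract is constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample contract for this example (not a real project).
SAMPLE_SOURCE = """
contract Vault is AccessControl, Ownable {
    bytes32 public constant PAUSER_ROLE = keccak256("PAUSER_ROLE");

    function deposit(uint256 amount) external { _credit(msg.sender, amount); }
    function withdraw(uint256 amount) external nonReentrant { /* ... */ }
    function pause() external onlyRole(PAUSER_ROLE) { /* ... */ }
    function sweep(address token) external onlyOwner { /* ... */ }
    function setFee(uint16 bps) public onlyRole(DEFAULT_ADMIN_ROLE) { /* ... */ }
    function _credit(address to, uint256 amt) internal { /* ... */ }
}
"""

# Function header up to its body '{' or the ';' of a declaration.
FUNC_RE = re.compile(r"function\s+(?P<name>\w+)\s*\([^)]*\)\s*(?P<tail>[^{;]*)")
ROLE_RE = re.compile(r"onlyRole\(\s*(?P<role>\w+)\s*\)")
ENTRY_VISIBILITY = {"external", "public"}


def extract_trust_model(source):
    """Map each privileged role to the entry points it gates.

    Only externally reachable functions are kept. Functions with no
    recognised access modifier land under 'anyone'; that bucket is the
    first thing to hand to the auditor or the AI agent.
    """
    model = defaultdict(list)
    for m in FUNC_RE.finditer(source):
        tail = m.group("tail")
        tail_tokens = set(tail.split())
        if not tail_tokens & ENTRY_VISIBILITY:
            continue  # internal/private: not an entry point
        if "onlyOwner" in tail_tokens:
            role = "owner"
        elif (r := ROLE_RE.search(tail)):
            role = r.group("role")
        else:
            role = "anyone"
        model[role].append(m.group("name"))
    return dict(model)


def render_markdown(model):
    """Render the model as the table that goes into trust-model.md."""
    rows = ["| Role | Entry points |", "|---|---|"]
    for role in sorted(model, key=lambda k: (k != "anyone", k)):
        rows.append(f"| {role} | {', '.join(model[role])} |")
    return "\n".join(rows)


if __name__ == "__main__":
    print(render_markdown(extract_trust_model(SAMPLE_SOURCE)))
```

The output table is exactly the kind of context the reply says agents cannot reliably infer on their own; custom modifiers or inherited access checks will need a second pass, which is the point where human or AI reasoning starts and the script stops.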
Antonio Viggiano (@aviggiano):
It's easy to forget that you can just automate things instead of asking AI to do stuff for you.
A common smell is having too many skills.
If you're constantly, manually, reusing those skills, maybe they should become a job trigger.
Even better if they're deterministic.
Dacian retweeted
Findlay (@0xboo):
2/ We've worked with each provider to curate three security packages purpose-built for Ethereum subsidy program applicants. The tools have come a long way, and we're proud to bring some of the best of them into the program for Ethereum builders. Big thanks to @cyfrin, @NethermindSec, @DedgeSecurity, and @OlympixSecurity for being a part of this program 🤝
Dacian retweeted
Findlay (@0xboo):
1/ An exciting unlock for @ethereum builders participating in the Ethereum Security Subsidy Program… As of today, we're onboarding a select group of AI scan and security tooling providers to the subsidy program, making sure projects at all stages of funding and audit readiness can harden their security with industry-leading providers.
Dacian (@DevDacian):
Beautiful composite exploit found by my AI Solace in @cyfrin private audit. Solace automagically chained together 3 individual component findings into a devastating critical drain attack 🚀 solodit.cyfrin.io/issues/onchain…
Dacian (@DevDacian):
@pashov "Whatever works" is a good answer for the individual, but "whatever scales" is a great answer for the industry. Where we are heading is at least 70-80% of smart contract bugs will be found via autonomous AI scans and human-AI hybrids find the rest (before blackhats).
pashov (@pashov):
Everyone is asking "what to do in web3 security in the AI era".
I've been observing multiple masters of web3 security and their AI usage. While everyone starts with just "summarise/explain the codebase", mostly everyone ends up building their own toolings. Tools are usually vibecoded Python & Bash scripts plus Markdown files for the AI. It's packaged expertise.
Why would you build such tools? Because they do in 1hr what you did before in 5 days or more.
Still, many of the great auditors are not all-in into AI. Many of the top 1% are using A LOT of AI, but their own judgement is still driving the car. Whatever works - that's the right solution.
You need to have the correct metrics, KPIs, Key Results or whatever you want to call them. Measure rigorously, constantly and iterate. You must find more and better findings than others, faster. Do what works.
Now go🫡
Dacian (@DevDacian):
Effective humans leverage AI to both work & produce way more. Humans need to keep feeding the pipeline with ideas, plans & workflows, check output, spot & correct errors then update workflows to prevent same errors in the future. Future of many jobs is Agent Orchestrator.
Quoted tweet from Uncle Bob Martin (@unclebobmartin): Yup.
Dacian (@DevDacian):
It depends what the sessions are doing; eg if I'm doing just different enhancements, dev stuff or planning then I can do a lot with the max plans. Last week on Friday Claude reset weekly limits and I was able to use up all the new weekly allocation by Tuesday when they reset again. They also increased the weekly max limits now which is much better as well. Also if I'm auditing then I'm not running 3 continuous sessions as I'm focused on the audit - this is during non-auditing time when I'm doing active dev work improving Solace etc.
Dacian (@DevDacian):
I'm continuously running on avg 3 parallel claude code sessions drafting/executing/reviewing plans using pre-defined workflows I've created that are working very well. How many productive parallel AI sessions are you continuously running?
Dacian (@DevDacian):
@thepantherplus I've been at 4 and 5 before but it got too much, it can work if one or two of them are running solace scans. But in terms of active development, 3 seems to be the sweet spot for me at least at the moment.
Black Panther (@thepantherplus):
@DevDacian in my case 4, and it fits best at my screen size, what's your max?
Dacian (@DevDacian):
While humans sleep or take time off on the weekends, I've built a system for Solace to continuously improve itself 24/7. Token maxxing every weekly allocation, not a single token is left unused.
Dacian (@DevDacian):
The only "show-stoppers" can occur during the plan-review loop where sometimes new information or something unexpected is discovered & the planner needs me to make a decision before proceeding or we may choose to abandon. Otherwise everything runs very smoothly and I'm able to make significant changes while avoiding significant breakages due to the infrastructure and processes I've setup.
Dacian (@DevDacian):
Great thing about AI adoption is removal of "pure manager" jobs in favor of "tech leads". Requires hiring filter for highly-capable, self-driven individuals who are entrusted to consistently deliver without micro-management. More efficient teams 👉 more efficient companies.
Dacian (@DevDacian):
Future of web3sec: Arms Race - Defensive AIs vs Offensive AIs, with teams of elite humans continually improving them. Protocols that aren't monthly scanning their existing code using continually improving Defensive AIs will fall behind the curve & more likely to be exploited.