InfectedCrypto

@0xnirlin main character energy

Fuck AI audit agents

@itsabinashb 🤝

@InfectedCrypto Its nice to audit with you sir🫡.

Something I like to do, is that when I think I have an interesting lead, I ask the LLM to verify it, and in the mean time I continue to verify it myself and see if I can confirm it before the agent finishes lmao

That's funny how LLMs tends to forget the atomicity of blockchain transactions. e.g.: "subsequent invoke_signed for allocate would fail — but the transfer at L193-202 would already have succeeded, resulting in lost funds sent to the wrong account" No bruh, this is a tx

Maybe a good idea is be to run automation after completing the audit, to cover possible missed spots? On my end I still use LLMs mostly to questions the code, explore, or verify leads. I find that LLMs are really good as smart-search-engine on steroids (not only that obviously)

@0x3b33 Chainlink data feeds also work on the same idea. Get a price report offchain, signed by multiple party, verify it onchain. Same potential issue. Can be fixed by registering the last verified report timestamp

@arsen_bt Very nice and well written codebase. We tried hard until the end to make this work 🙏

I audited the SPL stake pool. Integrated with Fogo Sessions. @InfectedCrypto and I found: - 1 high - 3 low - 3 enhancements And learned a lot in the meantime. x.com/AdevarLabs/sta…

@AdevarLabs For a long time during my contest period I skipped (or postponed for later, which never came) complex calculations as I thought the risk/reward to find issue against time spent was not worth it. In fact that is exactly where you'll find issues other misses.

security researchers, name 1 thing you wish you learned earlier in audits:

@Harvesto12 Gemini 3 Pro against Claude Opus 4.6

@InfectedCrypto which models were that?

After having two LLMs argue about the validity of a finding (one saying its valid, the other it is not valid), I finally understand how it feels to be a judge during contests escalations Both are so convinced they are right, or they don't care and just want to push their version Man that's exhausting I can't imagine doing this for 10s of issues

@bbl4de_xyz That's what I wrote at first, but I hope all AI sloppers don't escalate their slop, and only a few issues get escalated 🥲

@InfectedCrypto > I can't imagine doing this for 10s of issues you mean 1000s ? 💀

@testmachine_ai True and good point tbh in that case it implied cross program interaction (solana) and I knew LLMs would struggle af to make a working PoC so I didn't try

@InfectedCrypto You need systems like TestMachine that prove exploitability or refute it, otherwise you’re just arbitrating opinions.

LLMs couldn't solve that puzzle (took me more time that I want to admit) Baba is You might be an interesting benchmark tbh (it is bonus stage world 3 if you're wondering)

@Huntoor I've seen +$5k invalid bugs being validated more than once

sometimes i browse some finished contests randomly. its insane how some valid bugs for 5 figures can never be valid in 1 million years in a contest and be marked as spam in another contest. insane how trivial bugs are considered smart here and unrealistic there. i'm confused.

@Afriauditor @AnthropicAI Lmaooo It looks like BB platforms had a discussion with Anthropic to fight AI spam

Holy shit!!😂😂 Guy see what my AI is telling me... This was after numerous attempt to get it to write me the report. Should the model the able to this @AnthropicAI 😂😂

correct me if I'm wrong but this seems like the largest ever single-block builder profit in ethereum history, ~$33m to titan it also may be one of the largest MEV block rewards ever on eth, a 568 ETH proposer payment which falls just behind the SVB USDC depeg (had a 692 ETH payment), 2023 sushiswap whitehat hack (689 ETH), and 2023 curve whitehat hack (584 ETH) others already commented on the original issues with the order (illiquid route + insane $155k AAVE limit price), but here's where the $50m went: - $36k to the user's cowswap order (331 AAVE) - $619k cowswap solver fee - ~$9.9m to the MEV bot that backran the 17,957 ETH -> 331 AAVE swap (backrun was 128 AAVE -> 17,959 ETH) - another ~$2.6m to the same MEV bot from backrunning the $50m USDT -> $37m WETH swap over multiple txs - ~$34.3m fee to titan from the MEV bot (includes $1.2m to lido as the block proposer) - ~$3.5m in dex swap fees + residual smaller arb txs insane payday for titan, who sent their profits to coinbase, and this single MEV bot took the majority of the arbs in both the illiquid AAVE/WETH pool and the $13m slippage swap in the main USDT/WETH pool

Most smart contract audits slow down for avoidable reasons. Preparation is usually the difference. Here’s the audit readiness checklist to get the most value from your audit. 🧵👇