Kotya Security

178 posts

@KotyaSec

Channel about web3 sec from Consensys auditor Medium - https://t.co/tyRJYyxXOm Telegram - https://t.co/o1Jmfmu6C0 LinkedIn - https://t.co/WNvHuYFoK0

Joined August 2023
380 Following 182 Followers
Kotya Security retweeted
Consensys Diligence
Consensys Diligence@ConsensysAudits·
🖤Hackers with hearts showed up 📷 Look at all of you. Our gatherings are for people who genuinely care about this space. The builders, the researchers, the ones who stick around through cycles. Grateful for everyone who came through. @EthCC On Wednesday, we're hosting dinner for a smaller group. If you're leading a project and security is on your mind, link 👇
Kotya Security retweeted
Consensys Diligence
Consensys Diligence@ConsensysAudits·
Consensys Diligence is heading to @EthCC! 🇫🇷 Good time to talk security, AI-assisted auditing and ZK fuzzing. If you're planning an audit, connect with our team in Cannes: - @T_Birb - @KotyaSec - @nicht_tintin
Kotya Security
Kotya Security@KotyaSec·
@BreakingOtter @LefterisJP @Balancer For some reason, black hats choose to steal all the money so that they will never be able to withdraw fully without getting caught. And while they do that, they are directly killing whole ecosystems and years of development. Ex. - Bera chain halt after Balancer hack
Kotya Security
Kotya Security@KotyaSec·
@BreakingOtter @LefterisJP @Balancer So you're basically saying, don't hate the player - hate the game. I don't think it's applicable here, not only because of the fact that Balancer doesn't require anything except PoC, but also because you can usually return 90% of the money as a white hat.
Lefteris Karapetsas
Lefteris Karapetsas@LefterisJP·
Seems that @Balancer Labs is shutting down 😕 Protocol is gonna stick around with some tough changes and a much smaller team.
Kotya Security retweeted
Consensys Diligence
Consensys Diligence@ConsensysAudits·
Over-prompting dropped discovery rates from 50% to 20%. Structured workflows produce results an auditor can actually evaluate. "Prompting AI is like giving tasks to an intern - you have to be very specific to get results." - @KotyaSec
Kotya Security
Kotya Security@KotyaSec·
@KhanAbbas201 Space is still immature, devs still write low quality code, projects don't hire QA testers or internal security engineers, and there is a lack of unit testing. And all of that while the code is public, and protocols are hacked on average every second day for millions.
Abbas Khan ⟠
Abbas Khan ⟠@KhanAbbas201·
One of the biggest reasons why it's hard to experiment in crypto is security audits and their costs. I've spoken to more than 10 teams in the last month who are all currently ready to launch on mainnet, but are held back by audits and their insane cost. A basic audit can cost up to 50k for a small codebase, which makes it hard for bootstrapped projects to launch and explore if they should even be spending their time on this. The industry did a terrible job of overpricing security audits and it has strongly held the space back.
Kotya Security retweeted
Consensys Diligence
Consensys Diligence@ConsensysAudits·
$1.9 billion stolen in 28 days. That was February 2025. Felt like the right time to share what we learned. Our 2025 Security Recap brings together a year of documenting, analyzing, and learning alongside the industry. 192 incidents. $3.14 billion in losses. The exploits that shaped the year and the patterns everyone building in Web3 needs to understand. Some hard truths. Some open questions. We hope it's useful. Full report below 👇
vitalik.eth
vitalik.eth@VitalikButerin·
There have recently been some discussions on the ongoing role of L2s in the Ethereum ecosystem, especially in the face of two facts:

* L2s' progress to stage 2 (and, secondarily, on interop) has been far slower and more difficult than originally expected
* L1 itself is scaling, fees are very low, and gaslimits are projected to increase greatly in 2026

Both of these facts, for their own separate reasons, mean that the original vision of L2s and their role in Ethereum no longer makes sense, and we need a new path.

First, let us recap the original vision. Ethereum needs to scale. The definition of "Ethereum scaling" is the existence of large quantities of block space that is backed by the full faith and credit of Ethereum - that is, block space where, if you do things (including with ETH) inside that block space, your activities are guaranteed to be valid, uncensored, unreverted, untouched, as long as Ethereum itself functions. If you create a 10000 TPS EVM where its connection to L1 is mediated by a multisig bridge, then you are not scaling Ethereum.

This vision no longer makes sense. L1 does not need L2s to be "branded shards", because L1 is itself scaling. And L2s are not able or willing to satisfy the properties that a true "branded shard" would require. I've even seen at least one explicitly saying that they may never want to go beyond stage 1, not just for technical reasons around ZK-EVM safety, but also because their customers' regulatory needs require them to have ultimate control. This may be doing the right thing for your customers. But it should be obvious that if you are doing this, then you are not "scaling Ethereum" in the sense meant by the rollup-centric roadmap. But that's fine! It's fine because Ethereum itself is now scaling directly on L1, with large planned increases to its gas limit this year and the years ahead.

We should stop thinking about L2s as literally being "branded shards" of Ethereum, with the social status and responsibilities that this entails. Instead, we can think of L2s as being a full spectrum, which includes both chains backed by the full faith and credit of Ethereum with various unique properties (eg. not just EVM), as well as a whole array of options at different levels of connection to Ethereum, that each person (or bot) is free to care about or not care about depending on their needs.

What would I do today if I were an L2?

* Identify a value add other than "scaling". Examples: (i) non-EVM specialized features/VMs around privacy, (ii) efficiency specialized around a particular application, (iii) truly extreme levels of scaling that even a greatly expanded L1 will not do, (iv) a totally different design for non-financial applications, eg. social, identity, AI, (v) ultra-low-latency and other sequencing properties, (vi) maybe built-in oracles or decentralized dispute resolution or other "non-computationally-verifiable" features
* Be stage 1 at the minimum (otherwise you really are just a separate L1 with a bridge, and you should just call yourself that) if you're doing things with ETH or other ethereum-issued assets
* Support maximum interoperability with Ethereum, though this will differ for each one (eg. what if you're not EVM, or even not financial?)

From Ethereum's side, over the past few months I've become more convinced of the value of the native rollup precompile, particularly once we have enshrined ZK-EVM proofs that we need anyway to scale L1. This is a precompile that verifies a ZK-EVM proof, and it's "part of Ethereum", so (i) it auto-upgrades along with Ethereum, and (ii) if the precompile has a bug, Ethereum will hard-fork to fix the bug. The native rollup precompile would make full, security-council-free, EVM verification accessible.

We should spend much more time working out how to design it in such a way that if your L2 is "EVM plus other stuff", then the native rollup precompile would verify the EVM, and you only have to bring your own prover for the "other stuff" (eg. Stylus). This might involve a canonical way of exposing a lookup table between contract call inputs and outputs, and letting you provide your own values to the lookup table (that you would prove separately). This would make it easy to have safe, strong, trustless interoperability with Ethereum. It also enables synchronous composability (see: ethresear.ch/t/combining-pr… and ethresear.ch/t/synchronous-… ).

And from there, it's each L2's choice exactly what they want to build. Don't just "extend L1", figure out something new to add. This of course means that some will add things that are trust-dependent, or backdoored, or otherwise insecure; this is unavoidable in a permissionless ecosystem where developers have freedom. Our job should be to make it clear to users what guarantees they have, and to build up the strongest Ethereum that we can.
Kotya Security
Kotya Security@KotyaSec·
@jarrodwatts @deadrosesxyz @hosseeb This seems more like the truth of the current tech skills of AI to hack stuff, to find exploits in the simplest token standards. And the root cause was probably access control, something very obvious.
Jarrod Watts
Jarrod Watts@jarrodwatts·
@deadrosesxyz @hosseeb They tested it on recently deployed ERC20 contracts and found exploits previously unknown. The exploits they found were only worth $3694 and cost $3476 to identify, however.
Haseeb >|<
Haseeb >|<@hosseeb·
Anthropic is now testing on smart contract exploits and discovering zero-days. This stuff is going from theoretical to practical scarily fast.
Anthropic@AnthropicAI

New on our Frontier Red Team blog: We tested whether AIs can exploit blockchain smart contracts. In simulated testing, AI agents found $4.6M in exploits. The research (with @MATSprogram and the Anthropic Fellows program) also developed a new benchmark: red.anthropic.com/2025/smart-con…

Kotya Security retweeted
Consensys Diligence
Consensys Diligence@ConsensysAudits·
Thanks for the love @GalloDaSballo. Likewise, huge respect for your contributions. We know we’ve been pretty quiet. Just off in our corner breaking things and building tools like always. 2025 was about becoming independent. Now that the base is solid we promise to share more in 2026.
Alex the Entreprenerd@GalloDaSballo

If you're building anything on the EVM and don't know about Consensys Diligence Tools, you're likely just rewriting stuff they did years ago. Crazy how many times we've ended up finding tools and techniques we considered new as repos from them. Huge shoutout to an insane technical team that should hire a marketer asap.

Kotya Security retweeted
Alex the Entreprenerd
Alex the Entreprenerd@GalloDaSballo·
If you're building anything on the EVM and don't know about Consensys Diligence Tools, you're likely just rewriting stuff they did years ago. Crazy how many times we've ended up finding tools and techniques we considered new as repos from them. Huge shoutout to an insane technical team that should hire a marketer asap.
Kotya Security retweeted
Defi Security Summit
Defi Security Summit@summit_defi·
Every audit report and protocol doc has smart contract diagrams, but none speak the same language. At DSS, @sick_nerdballer from @ConsensysAudits introduces SCDS, a shared standard for architecture, flow, and threat model diagrams that makes systems easier to understand.
Kotya Security
Kotya Security@KotyaSec·
Market manipulation attack on one of the biggest CEXs, with the type of vulnerability which is super common for exchanges. That's why we believe in decentralized and transparent technologies!
ElonTrades@ElonTrades

The Oct 11 Crypto Crash — What Really Happened

TL;DR: Roughly $60–90M of $USDe was dumped on Binance, along with $wBETH and $BNSOL, exploiting a pricing flaw that valued collateral using Binance's own order-book data instead of external oracles. That localized depeg triggered $500M–$1B in forced liquidations, cascaded into $19B+ globally, and earned the attackers about $192M via $1.1B in BTC/ETH shorts opened on Hyperliquid hours earlier, but minutes before Trump tariff announcement. It wasn't a USDe failure!! It was Binance's design flaw, timed with macro panic (Trump's tariffs) for cover. What looked like chaos was actually a coordinated exploitation of Binance's internal pricing system, amplified by a macro shock and systemic leverage.

1️⃣ The Setup
Binance's Unified Account let traders use assets like USDe, wBETH, and BNSOL as collateral. Instead of oracle or redemption prices, Binance valued these using its own spot market - a major vulnerability. On Oct 6, Binance announced a fix to move to oracle-based pricing, but rollout wasn't until Oct 14, leaving an 8-day window.

2️⃣ The Exploit
During that window, sophisticated actors manipulated Binance's order books, dumping ~$60–90M of USDe, driving it to $0.65 on Binance only (still ~$1 elsewhere). Because the Unified Account marked collateral to internal prices, this instantly wiped margin value and triggered $500M–$1B in forced liquidations. Then, Trump's 100% China tariff headline hit, magnifying panic and liquidity stress.

3️⃣ The Profit Engine
The same day, fresh wallets on Hyperliquid opened $1.1B in BTC/ETH shorts, funded by $110M USDC from Arbitrum-linked sources. As the Binance cascade unfolded, BTC and ETH cratered, those shorts netted $192M in profit before closing out at the bottom. Timing, precision, and funding paths all suggest coordination.

4️⃣ The Contagion
Binance liquidations dumped BTC/ETH/ALTs into thin books. Other exchanges mirrored the collapse through cross-market bots. Market makers hedged across venues were forced to unwind everywhere. Result: $19B+ global liquidations, with many alts down 50–70% intraday, all triggered by <$100M of manipulated collateral.

5️⃣ Who's at fault?
Binance: design flaw + delay in oracle rollout = root cause.
Exploiters: executed and timed the manipulation, profited via external shorts.
Ethena (USDe): not at fault - protocol stayed 1:1 collateralized, redemptions normal, peg held everywhere else.

6️⃣ Aftermath
Binance admitted "platform-related issues," promised compensation for affected margin/futures/loan users, and rolled out minimum price floors + oracle integration. USDe remained operational, and the incident is now a case study in how exchange-side pricing errors can trigger system-wide liquidations.

Bottom line: A ~$90M dump on Binance and a $1.1B leveraged short elsewhere sparked a $19B bloodbath. Not a stablecoin failure, but a masterclass in exploiting flawed collateral valuation during peak macro stress.

Patrick Collins
Patrick Collins@PatrickAlphaC·
Took some time off from social media, man did it feel good, but it's important to come back. When I stop posting YouTube videos or tweets, it means we are cooking something up, or I need a break! This break, it was both! Every time I stop posting, it is followed up by something crazy.

- 2020 -> Launched the most watched solidity tutorial on earth with Brownie
- 2021 -> We did it again with Hardhat
- 2022 -> We launched Cyfrin 🤯 (Yes, Cyfrin is less than 3 years old)
- 2023 (again) -> We launched CodeHawks & Updraft
- 2024 -> The most insane security, assembly, and formal verification tutorials ever
- 2025 -> ...you'll see

We are a couple months out from it, but you'll see. Ooohhhhh you'll see. For my break, I went to an international weightlifting meet and got 2nd in my age and weight class, so that was cool.
Kotya Security retweeted
cp0x.com
cp0x.com@cp0xdotcom·
The vote has already started 🗳️ @arbitrum @ConsensysAudits Candidates need to secure 9.37M votes – quite a lot Link: tally.xyz/gov/arbitrum/c…
cp0x.com@cp0xdotcom

Good to see teams with real auditing & fuzzing experience stepping up for the @arbitrum Security Council. Consensys Diligence has contributed to security across many major protocols - including MetaMask USD Token, Linea airdrop contracts, Rocket Pool, 0x, and more. They’ve consistently delivered technical depth, transparent communication, and independent verification. Support a worthy candidate

Kotya Security retweeted
cp0x.com
cp0x.com@cp0xdotcom·
Good to see teams with real auditing & fuzzing experience stepping up for the @arbitrum Security Council. Consensys Diligence has contributed to security across many major protocols - including MetaMask USD Token, Linea airdrop contracts, Rocket Pool, 0x, and more. They’ve consistently delivered technical depth, transparent communication, and independent verification. Support a worthy candidate