0xGhost | Co-founder @ Shieldify Security

594 posts

@ShieldifyGhost

Making web3 a safer place through @ShieldifySec. Have a chat with us at https://t.co/KcE7hlhN5P We have audited IPOR, Colb, Ion, among 90+ security audits.

Somewhere in the ether. Joined January 2023
926 Following · 1.3K Followers
0xGhost | Co-founder @ Shieldify Security retweeted
Shieldify Security @ShieldifySec
@nftgoy @absterxyz @Abstract_Eco @AbstractChain Even if the smart contract is properly audited, security doesn’t stop there. This incident shows that vulnerabilities can arise from off-chain components, so an off-chain audit is equally critical!
0xGhost | Co-founder @ Shieldify Security retweeted
Shieldify Security @ShieldifySec
We've seen the reports around @absterxyz and users being charged more than expected when placing bets. We audited Abster's smart contracts, so naturally people are asking - did we miss something? Short answer: NO! Here's what actually happened 🧵👇
0xGhost | Co-founder @ Shieldify Security retweeted
Shieldify Security @ShieldifySec
Our latest Abstract security audit report is out for @absterxyz 🤝 Serious team, good collaboration, and important findings uncovered! Read the report below👇 github.com/shieldify-secu…
0xGhost | Co-founder @ Shieldify Security retweeted
Jeff Security @jeffsecurity
That $50M loss wasn't a hack. It was just a brutal lesson in MEV. EigenPhi breaks down the slippage mistake that searchers jumped on. A prime case for why we need encrypted mempools ASAP. 🛡️ open.substack.com/pub/eigenphi/p…
0xGhost | Co-founder @ Shieldify Security retweeted
Jeff Security @jeffsecurity
Open rates for cold reachouts to protocols were sitting at 2%, so I had to escalate. If this doesn’t get me a discovery call, nothing will.
0xGhost | Co-founder @ Shieldify Security retweeted
Martin @ShieldifyMartin
Crowdsourced audit competitions were the primary initial driver of the Web3 security space, most of the top talent was onboarded from them. Contest platforms operate on a percentage of the pool and applying an entry fee will prevent a large portion of the newcomers from joining. There should be a different solution to handle AI slop reports.
Hari @hrkrshnn

@Anh084879445581 We don't host it for free FYI. Part of the degradation of the C4 competition had to do with it being free -- there's no incentive to invest time, money and resources if it's a loss making product.

0xGhost | Co-founder @ Shieldify Security retweeted
Shieldify Security @ShieldifySec
Sol-azy is a static analysis tool for the sol eco, allowing you to:
- reverse ⏪
- analyze 🧐
- poke at Solana programs 👈

github.com/FuzzingLabs/so…
0xGhost | Co-founder @ Shieldify Security retweeted
Shieldify Security @ShieldifySec
EIP-7702 is an auditor’s nightmare💀 Sticky storage can leave dirty slots behind between delegatecalls — wallets can get bricked. On top of that: huge init front-running risk. 🔎 A must-watch breakdown from @theredguild youtube.com/watch?v=ZFN2bY…
0xGhost | Co-founder @ Shieldify Security retweeted
Shieldify Security @ShieldifySec
Want to start experimenting with AI for Web3 security? Check out Hound — an open-source project that’s still v1, but already a strong base to build on Huge thanks to @muellerberndt 🫡 🔗github.com/scabench-org/h…
0xGhost | Co-founder @ Shieldify Security retweeted
Martin @ShieldifyMartin
After a 1-hour brainstorming session with my AI assistant, we built great OKRs and KPIs. Clear targets, fewer blind spots, and a solid plan to scale. 🫡
0xGhost | Co-founder @ Shieldify Security retweeted
Shieldify Security @ShieldifySec
New audit report for @onchainheroes, this time for their game - Maze of Gains✳️ Maze of Gains is a turn-based roguelike dungeon crawler, playable on desktop and mobile, where every run competes for a shared weekly ETH prize pool 🎮 Read the report below👇 github.com/shieldify-secu…
Onchain Heroes: World's Eve @onchainheroes

The Maze is OPEN. Your skills. Your treasure. Your ETH. $3,000 initial Jackpot pool. Here's everything you need to know to start playing 🧵⬇️

0xGhost | Co-founder @ Shieldify Security retweeted
Shieldify Security @ShieldifySec
Smart Contract Auditor on vacation☀️ Yess, butt....
0xGhost | Co-founder @ Shieldify Security retweeted
inhuman @inhuman
Forgot to mention this due to how busy the last few days have been: Despite being in an early alpha state, every smart contract on Shiny has already been audited and approved by the amazing team at @ShieldifySec
0xGhost | Co-founder @ Shieldify Security retweeted
Shieldify Security @ShieldifySec
If you're auditing a protocol that uses Uniswap V4 Hooks - these papers and articles are essential reading 🫡

🚩 Questions To Ask Before Writing a Uniswap v4 Hook
🔗 blog.openzeppelin.com/6-questions-to…
🚩 Uniswap V4 Hooks Security Talk
🔗 youtu.be/Fbxsv8rxHZw
🚩 Uniswap V4 Hooks Security Deep Dive
🔗 youtu.be/4o8yGcq6tfM
🚩 Auditing Uniswap V4 Hooks
🔗 hacken.io/discover/audit…
🚩 Security Considerations
🔗 quillaudits.com/blog/web3-secu…
🚩 Integration Security Considerations
🔗 certik.com/resources/blog…
0xGhost | Co-founder @ Shieldify Security retweeted
Prime Vaults @PrimeVaultsHQ
The core of Prime Vaults is built on two pillars: Security and Strategy. To support a high-performance environment, our codebase has completed independent audits by @salus_sec and @ShieldifySec Continuous security is what allows Prime Vaults to operate reliably, 24/7 📄 Full audit reports below
0xGhost | Co-founder @ Shieldify Security retweeted
Martin @ShieldifyMartin
Such a low number of contests 🧐
Pros: higher competition -> better results
Cons: fewer opportunities, less talent onboarded in space
The market is plateauing or it's shifting into a different direction.
0xGhost | Co-founder @ Shieldify Security retweeted
Martin @ShieldifyMartin
Thanks for reading! 🫡 Re-Share this knowledge to strengthen security across the ecosystem and help prevent future exploits 🤝
0xGhost | Co-founder @ Shieldify Security retweeted
Martin @ShieldifyMartin
3/ Moonwell (Base) - Nov 4, 2025
~ $1M stolen + ~$3.7M bad debt

The protocol followed standard Oracle best practices and used Chainlink’s off-chain oracle, which is designed to resist these attacks. However, the oracle incorrectly priced wrstETH at about $5.8 million, even though ETH was trading below $3,500. The attacker exploited the error within 30 seconds, depositing 0.02 wrstETH to receive roughly $116k in collateral. They used this to take a 20 wstETH flash loan and repeated the process across multiple transactions, ultimately draining 295 ETH.

Security Considerations
The project relied on a single price source and had no guardrails to flag unrealistic values, such as wrstETH pricing far above ETH, so a faulty Chainlink update directly enabled the exploit. Securing DeFi protocols requires anticipating supply chain failures and enforcing technical controls to limit the blast radius of upstream errors.

halborn.com/blog/post/expl…
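The guardrail the Moonwell post says was missing can be sketched as a fail-closed price check. This is an added example, not code from the thread or from Moonwell. The 1.5x bound relative to ETH, the 5% deviation limit, the secondary price source and the sample prices are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal


class PriceRejected(Exception):
    """Raised when an oracle price trips a guardrail; the caller must not use it."""


@dataclass(frozen=True)
class Guardrails:
    max_ratio_to_eth: Decimal      # assumed bound on derivative price / ETH price
    max_source_deviation: Decimal  # assumed relative gap allowed between sources


def check_price(primary, secondary, eth_price, rails):
    """Return the list of violated guardrails (empty list means acceptable)."""
    if min(primary, secondary, eth_price) <= 0:
        return ["non-positive price"]
    reasons = []
    ratio = primary / eth_price
    if ratio > rails.max_ratio_to_eth:
        reasons.append(f"price is {ratio:.1f}x ETH, bound is {rails.max_ratio_to_eth}x")
    deviation = abs(primary - secondary) / secondary
    if deviation > rails.max_source_deviation:
        reasons.append(f"sources disagree by {deviation:.2%}")
    return reasons


def collateral_value(amount, primary, secondary, eth_price, rails):
    """Value a deposit in USD, failing closed when any guardrail trips."""
    reasons = check_price(primary, secondary, eth_price, rails)
    if reasons:
        raise PriceRejected("; ".join(reasons))
    return amount * primary


# Constructed sample values. The faulty price and deposit size come from the
# post; the ETH price uses the post's upper bound; the second feed is assumed.
RAILS = Guardrails(Decimal("1.5"), Decimal("0.05"))
FAULTY_PRICE = Decimal("5800000")
SECOND_FEED = Decimal("3700")
ETH_PRICE = Decimal("3500")
DEPOSIT = Decimal("0.02")

# Without guardrails the deposit is valued at the figure the post reports.
UNGUARDED_VALUE = DEPOSIT * FAULTY_PRICE
```
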
0xGhost | Co-founder @ Shieldify Security retweeted
Martin @ShieldifyMartin
2/ Trust Wallet - Dec 24-26, 2025
~$7 million+

The attackers gained access to Trust Wallet’s source code and Chrome Web Store API key, enabling them to publish a tampered extension that redirected PostHog analytics to the attacker-controlled domain api.metrics-trustwallet.

Security Considerations
This incident demonstrates the importance of strong deployment and monitoring processes for off-chain infrastructure as well as on-chain. Real-time monitoring of deployed code may have identified the unauthorized release and enabled it to be removed before it caused significant harm to the business.

halborn.com/blog/post/expl…