Storm
1.5K posts


⚠️ Message to whoever executed the GYD bridge security incident

To 0x7DD4075A6eAe9f18309F112364f0394C2DfA8102:

This is Gyroscope governance. We propose a resolution to the GYD smart contract incident. You can return 200 ETH that you hold from this incident. Gyroscope is then in a position to consider the remaining over 100 ETH as a fixed whitehat settlement credit. A settlement this generous is possible because it gives the protocol a chance of making users whole by canceling GYD’s system surplus.

If you take this offer, Gyroscope will cease investigations and consider you a whitehat who performed an emergency recovery of funds and made users whole. It’s a win for all. You will be taking a big, everlasting risk if you take all of the funds, which isn’t even that much in total. With this offer, for the same order of magnitude of reward, your risk would be reduced massively and users would be made whole.

If the funds are not returned, Gyroscope will alternatively offer the same deal to the public, to anyone with information that leads to prosecution and full recovery of funds. Security researchers have already found significant leads that could aid in this direction. We believe it doesn’t have to go that way, though, and we believe you can be a whitehat.

To accept this settlement, return 200 ETH to the Gyroscope GovernanceManager contract 0x78EcF97572c3890eD02221A611014F30219f6219 on Ethereum by 18:30 UTC on February 5th. If you would prefer to communicate in private, you can contact security@gyro.finance.


Some Pectra contest thoughts:

The Good:
- Client diversity is an ETH superpower. Always liked it, but now 10x more.
- Testing sophistication is unbelievable. Beyond each client's tests, and the testnets, there are independent external tests (in python), a tool to run devnets (kurtosis), and probably much more.
- EF funding more big contests is great, and will pay huge dividends. With a pretty big low pot and the "public good" vibe it probably got a lot of eyes 🙌
- AI IDEs really help with new code: a huge complex codebase in a language you don't know - no problem. Was never as fast and easy to get going.
- While all clients are well engineered, my appreciation for Go and Geth is even higher now. Amazing in balancing design & readability & flexibility. The Splinter of the clients.

The Bad:
- Despite the above, nasty bugs still make it through, as evident from the issues announced in discord. More are likely to be still there. Clients with smaller network share qualified only for low severity issues, so probably have more remaining issues.
- Cryptography integration points seem to be a hotspot (judging by the announced finds).
- EIP-7702 is too powerful, breaks a lot of assumptions. It may become the new selfdestruct (always somehow breaking something), especially by making bytecode mutable again. Maybe in a few years 7702 will be nerfed too (limited to one-time action).

The Ugly:
- Scope was a changing hall of mirrors. Code is shifting as you review it, and hundreds of open issues and open PRs on each of the ten+ repos mean that any bug may be old news.
- Unlike contracts, there's no "diff" to guide the review; all past, future, unrelated, and hypothetical code is there all the time on the main branch behind feature flags.
- Some codebases are much harder to follow and grok.

Overall, an amazing challenge and experience. Can't wait to read all the issues and watch the upgrade roll in 🍿

My DMs are a wasteland of junior auditors I gave advice to and asked to update me on their progress, never to be heard from again. One day someone will have the sticking power 🙏


The @spaceandtime competition has wrapped. Researchers audited the full SXT stack, from the zk coprocessor to staking and payments. 🥇 @pkqs90: $12,888.28 🥈 @Chupinexx: $3,755.38 🥉 Rareone: $2,995.26 Congratulations to everyone who contributed.


Yesterday I shared that, over the past ~2 months, I’ve been working on AI agents for security research in the Blockchain/DLT space. It seems to have sparked some interest, so I’m wondering - would you be interested in seeing the actual results and stats from that period?



Age 20 ended, and today I am officially retiring from @techfund_inc as Senior Security Researcher. The last few years there have been nothing short of brilliant. Had a chance to represent TECHFUND wherever I went. Along with it, concluded my final private audit with @Hashlock_!! Thank you for believing in me throughout and giving me the opportunities. Some unexplored road is awaiting my arrival 😉 Guess where I'm going next!!