thaddeusdev 🍕

5.7K posts


@Thaddeus19

#crypto space lover and Blockchain promoter #DeFi #NFT #Solidity #BlockchainDev b5a482baaeab31bf240567d951d17fc779d387f832019203d0d9f2f2a68d3831

Cross-Chain Human · Joined January 2011
3K Following · 969 Followers

Pinned Tweet
thaddeusdev 🍕 @Thaddeus19
One more hack, now for #MoonwellDefi x.com/CertiKAlert/st… 1/ The problem was an exploit through a bad oracle price; the catch is that everyone panics because it says Chainlink. But...
CertiK Alert @CertiKAlert (quoted post):

#CertiKInsight 🚨 We have detected multiple exploit transactions on @MoonwellDeFi lending contract. The exploiter was able to repeatedly borrow over 20 wstETH with only ~0.02 wrstETH flashloaned and deposited due to the faulty oracle that returns wrst price of ~5.8M$ and profited 295 ETH (~$1M). skylens.certik.com/tx/base/0x190a… Stay Vigilant!

thaddeusdev 🍕 reposted
SecLat @SecLat_Security
🚨 $5.87M drained from TrustedVolumes in ONE transaction. No private key leak. No oracle manipulation. No governance attack. Just 3 bugs chained together. 🧵👇 - 1/7
thaddeusdev 🍕 reposted
Ingenia Blockfarm @Blockfarm2024
Livestock traceability shouldn't be one more burden. In our article you'll understand document management, blockchain and the verifiable history of the farm👇: blockfarm.es/trazabilidad-g…
thaddeusdev 🍕 reposted
SecLat @SecLat_Security
Don't wait until your protocol is hacked to request an audit; do it before a hacker steals all your protocol's funds and your users' data. Contact us via DM here or by email through our website: seclat.xyz
thaddeusdev 🍕 reposted
SecLat @SecLat_Security
Seclat Security blog is online. We'll be sharing content on web3 security, blockchain, and smart contracts. You can read it in English or Spanish; select your preferred language on the website. Support us by retweeting and following to reach more people. seclat.xyz/es/blog
thaddeusdev 🍕 reposted
chrisdior @chrisdior777
hackers + AI = asymmetric threat ☠️ auditors + AI = structured defense 👍 sounds balanced but it isn’t. hackers don’t wait for deals or scope. they move fast, test aggressively, and monetize asap. auditors wait to get paid to start. hackers get paid because they start.
thaddeusdev 🍕 reposted
LonelySloth @lonelysloth_sec
"Coded" by Claude on Feb 1st. "Audited" by Claude on Feb 2nd. "Fixed" by Claude on Feb 3rd. Deployed to mainnet (by Claude?) on March 19th. Funded on April 24th. Rekt (by Claude?) on April 28th. Welcome to the future. 🤡🤡🤡🤡🤡🤡🤡
PeckShield Inc. @peckshield (quoted post):

It seems a @tradingprotocol vault, i.e., YieldCore-3rd-deal, was exploited with $398k loss. There is a missing check on the caller authorization, which is exploited to drain all funds from the vault. Here is the related tx: etherscan.io/tx/0x6b04344d5…

thaddeusdev 🍕 reposted
Litecoin @litecoin
Litecoin update:
• A zero-day bug caused a DoS attack that disrupted major mining pools.
• Non-updated mining nodes allowed an invalid MWEB transaction allowing them to peg out coins to third party DEX’s
• A 13-block reorg reversed those invalid transactions — they will not be included in the main chain
• All valid transactions during that period remain unaffected
• The bug is now fully patched, and the network continues to operate normally
thaddeusdev 🍕 @Thaddeus19
Node.js and cURL closed their Bug Bounties; one of the reasons: an excess of garbage reports generated with AI. People flagging vulnerabilities they don't even understand. AI doesn't fail. People without fundamentals do. AI doesn't replace devs. It exposes them.
thaddeusdev 🍕 reposted
Ingenia Blockfarm @Blockfarm2024
1/2 Digital Attestations use #DLT to seal the cryptographic fingerprint of documents and certify their existence and integrity over time. They don't replace the notary, but they strengthen digital #SeguridadJurídica.
thaddeusdev 🍕 @Thaddeus19
We leverage not only the power of smart contracts but also that of Bitcoin. Instead of saying “written in stone” I prefer to say “written in Bitcoin”—it has more power! #Bitcoin #Blockchain
thaddeusdev 🍕 reposted
sudo rm -rf --no-preserve-root /
i genuinely think everyone in this space should immediately switch to using Vim. DPRK started abusing VS Code hooks that run _automatically_ in the background when you open a folder. ZERO fucking user interaction required _after_ trusting the repo (the trusting part is important here). Yes, read it again. ZERO. INTERACTION. REQUIRED. so what happens is the following: they (in the usual case the Contagious Interview group, meaning some fake recruiting guy) share GitHub, Bitbucket, and GitLab repos containing a `.vscode/` subdirectory with malicious hooks. the one example I share here executes a fake font that's actually heavily-obfuscated JS and will absolutely rek you. all your fancy software that feels "convenient" makes tradeoffs. those tradeoffs are now being abused to silently rek your devices. use Vim. and use Qubes. Thx.
thaddeusdev 🍕 reposted
Ignacio Gómez Villaseñor @ivillasenor
🚨 #ALERTA | Biometric data of Mexicans allegedly extracted from the SAT is being sold. A user on cybercrime forums claims to have real-time access to @SATMX servers and offers the complete identity package: fingerprints, iris, signature, photo and RFC. The evidence shown suggests the breach is real, although some notes need to be made. 🧵👇
thaddeusdev 🍕 reposted
SlowMist @SlowMist_Team
🚨SlowMist TI Alert🚨 If you’re doing Vibe Coding or using mainstream IDEs, be cautious when opening any project or workspace. For example, simply using “Open Folder” on a project may trigger system command execution — on both Windows and macOS. ⚠️ Cursor users: especially at risk. Opening a maliciously crafted project directory can compromise your system instantly. This is a simple early warning — several AI coding users have already been affected. cc @evilcos
thaddeusdev 🍕 reposted
alix40 @AliX__40
The Death of the Audit Contest? A 2025 Retrospective

I will always be thankful for audit contest companies. They pioneered the open-sourcing of Web3 security knowledge, allowing security researchers (SRs) like myself to improve at a fast and consistent pace. However, looking back from 2025, it is clear that the landscape has shifted dramatically.

2024: The Golden Era
2024 was undoubtedly the best year in the history of Web3 audit contests. The volume of opportunities was unprecedented; almost every month featured a million-dollar prize pool, often with a dozen other contests running in parallel. The hype was strong, and the space was filled with highly trained competitors. During this time, the number of submissions was manageable, and "report spam" was significantly lower than what we see today. However, 2024 was also the beginning of the end for the traditional contest model.

The Profitability Problem
In the early days (pioneered by Code4rena), audit contest platforms typically charged a 40% margin on the total audit pot. Despite these large margins, most companies were burning through VC cash and failing to turn a profit. They were in "growth mode," prioritizing market share over sustainability. As the model's initial success became visible, it inspired a wave of new competitors. These companies introduced new models or used existing relationships with protocols to sell audits. This fierce competition was a win for protocols—they received high-coverage, deep-vulnerability reports as SRs competed to break their code—but it forced contest platforms into a "race to the bottom" on pricing.

The Shift in Incentives
To lower costs for clients, platforms had two options:
- Reduce the SR Prize Pool: This led to "conditional pots" and custom rules that favored the client (e.g., defining a "High" severity only if >50% of TVL could be stolen).
- Reduce Platform Fees: Platform fees shrank to 10%–20%, which is too low to sustain long-term growth or quality operations.

This created two major shifts:
For Platforms: They pivoted to private audits, which require less effort to manage and offer healthier margins.
For SRs: The most capable researchers with personal brands grew tired of "unlocked" pots—where they could work for a month and earn $0 because a specific threshold wasn't met. These top-tier researchers moved to private auditing as freelancers or by joining major firms.

The State of the Market in 2025
Today, most platforms are growing their profits by running fewer public contests and focusing heavily on the private/team audit sector. It no longer makes sense for them to sell a contest when a private audit is more efficient and profitable. For SRs, the ecosystem feels broken. The top talent has moved to private work, while public contests are increasingly flooded with low-quality spam reports fueled by the 2024 hype and AI-generated submissions. The original incentive alignment between SRs, protocols, and platforms has fractured.

The Path Forward
I want the "Golden Era" of audit contests to reemerge. To do this, we must fix the incentives:
Healthy Margins: Platforms need to make enough profit to prioritize contests again.
SR-Friendly Terms: We must enforce terms that protect researchers' time and attract top talent back to the public arena.
Value for Protocols: By attracting the best researchers, protocols will once again receive the substantial security value that only a competitive environment can provide.

I have avoided naming specific companies because my goal isn't to create drama or attack anyone. These thoughts are based on my own analysis and data from friends in the industry. My only goal is to propose a way for our space to innovate and thrive once more.
thaddeusdev 🍕 @Thaddeus19
1/? Newton–Raphson in Smart Contracts: mathematics that moves billions. The Newton–Raphson method is a classic algorithm for finding roots of functions, but in blockchain it is not just theory — it is critical infrastructure.
thaddeusdev 🍕 @Thaddeus19
3/? The key is transforming the problem (e.g. √a) into a purely integer-based iteration: xₙ₊₁ = (xₙ + a / xₙ) / 2 With a good initial estimate and only a few iterations, full convergence over 256-bit integers is achieved.
thaddeusdev 🍕 @Thaddeus19
2/? In Solidity, where floating-point numbers and real arithmetic do not exist, libraries like OpenZeppelin use it to implement fundamental operations such as sqrt(uint256) in a way that is:
- deterministic
- gas-efficient
- safe against overflows
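Added example for the Newton–Raphson posts above (my own code, not the thread's and not OpenZeppelin's): the integer iteration xₙ₊₁ = (xₙ + a / xₙ) / 2 in Python with checked uint256 arithmetic emulated, so it shows how a power-of-two seed, a fixed seven rounds and a final min(x, a / x) correction give an exact floor square root over 256-bit values without overflow, and why the obvious seed x₀ = a is both overflow-prone and slow. Function names are mine; the structure follows what the posts attribute to OpenZeppelin's sqrt(uint256), and the seed and round count are assumptions from that description.

```python
UINT256_MAX = (1 << 256) - 1  # Solidity's type(uint256).max


def _checked_add(x, y):
    """Solidity >=0.8 checked uint256 addition: revert (raise) on overflow."""
    s = x + y
    if s > UINT256_MAX:
        raise OverflowError("uint256 addition overflow")
    return s

def newton_sqrt_uint256(a, rounds=7):
    """floor(sqrt(a)) for a uint256 via x_{n+1} = (x_n + a // x_n) // 2,
    seeded with 2^(floor(log2(a) / 2)), which lies in [sqrt(a)/2, sqrt(a)].
    The first step lands at or above sqrt(a); each later step roughly
    doubles the correct bits, so seven rounds cover a 128-bit result.
    Returns (result, list of iterates) so convergence can be inspected."""
    if not 0 <= a <= UINT256_MAX:
        raise ValueError("a must fit in uint256")
    if a == 0:
        return 0, [0]
    x = 1 << ((a.bit_length() - 1) >> 1)  # bit_length() - 1 == floor(log2 a)
    trace = [x]
    for _ in range(rounds):
        x = _checked_add(x, a // x) >> 1  # x + a // x < 2^130: cannot overflow
        trace.append(x)
    # the iterate may settle one above the floor (a = 8 bounces 3, 2, 3, ...);
    # min(x, a // x) yields the floor in either case
    return min(x, a // x), trace

def newton_sqrt_naive_seed(a):
    """Same iteration seeded with x0 = a, the obvious but poor choice: the
    first step adds a + a // a = a + 1, which overflows for a == UINT256_MAX,
    and ~log2(a)/2 halving steps pass before the quadratic phase begins.
    Returns (result, steps); result is None where checked math would revert."""
    if a == 0:
        return 0, 0
    x, steps = a, 0
    while True:
        try:
            y = _checked_add(x, a // x) >> 1
        except OverflowError:
            return None, steps
        steps += 1
        if y >= x:  # classic stop rule: x is now floor(sqrt(a))
            return x, steps
        x = y

def is_floor_sqrt(r, a):
    """Exact check with Python's unbounded ints: r^2 <= a < (r + 1)^2."""
    return r * r <= a < (r + 1) * (r + 1)
```

Run it on type(uint256).max: the seeded version returns 2^128 − 1 after exactly seven rounds, while the naive seed reverts on its first addition; on 2^255 the naive seed needs well over a hundred steps, which is why a deterministic seven-round loop is the gas-sane choice.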
thaddeusdev 🍕 @Thaddeus19
🔍 Now it’s time to interact directly with Uniswap V4 swaps. Having been part of the protocol’s audit gives me the confidence to use it without questioning its security — many auditors thoroughly reviewed this code. #uniswap #defi