Web3Sec

163 posts

@Web3__Security

Web3Sec | A community for exploring Web3 security, sharing insights, tackling vulnerabilities, and collaborating to build a safer digital ecosystem. 🛡️🚀

Singapore · Joined January 2025
915 Following, 229 Followers
Web3Sec reposted

AISecHub @AISecHub
"...AI agent itself becoming the new insider threat" - @wendiwhitmore, CSIO, Palo Alto Networks. "The CISO and security teams find themselves under a lot of pressure to deploy new technology as quickly as possible, and that creates this massive amount of pressure - and massive workload - that the teams are under to quickly go through procurement processes, security checks, and understand if the new AI applications are secure enough for the use cases that these organizations have," Whitmore told @TheRegister
Web3Sec reposted

Scam Sniffer | Web3 Anti-Scam @realScamSniffer
🚨 ALERT: A victim lost $908,551 due to a phishing approval signed 458 days ago. 🔐 REMINDER: Regularly review and revoke old approvals - your wallet security matters! 💰
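The approval hygiene Scam Sniffer is pointing at can be checked mechanically rather than by eyeballing a wallet. The following is an added example, not Scam Sniffer's or this page's own code: it decodes ERC-20 Approval event logs in the shape the standard eth_getLogs JSON-RPC call returns, replays them so that the most recent approval per token/owner/spender wins (so an approve(spender, 0) revocation clears an earlier allowance), and flags allowances that are still non-zero and are either unlimited or older than a chosen age. The token, owner and spender addresses, the timestamps and the log entries are constructed sample data; the 458-day case mirrors the figure in the post. Only the Approval topic hash is a real constant.

```javascript
// Added example (not Scam Sniffer's code): find stale or unlimited ERC-20
// approvals from Approval event logs. The logs below are constructed samples;
// in practice they come from eth_getLogs filtered on APPROVAL_TOPIC in topics[0]
// and the owner's padded address in topics[1].

// keccak256("Approval(address,address,uint256)"): topic0 of every ERC-20 Approval event
const APPROVAL_TOPIC =
  "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925";
const MAX_UINT256 = (1n << 256n) - 1n; // the "infinite approval" value
const DAY = 86400;

// Indexed address parameters are stored as the address left-padded to 32 bytes.
function topicToAddress(topic) {
  return "0x" + topic.slice(-40).toLowerCase();
}

function padAddressTopic(addr) {
  return "0x" + addr.toLowerCase().replace(/^0x/, "").padStart(64, "0");
}

// Decode one raw log into a structured approval; returns null for non-Approval logs.
function decodeApproval(log) {
  if (!Array.isArray(log.topics) || log.topics.length !== 3) return null;
  if (log.topics[0] !== APPROVAL_TOPIC) return null;
  return {
    token: log.address.toLowerCase(),
    owner: topicToAddress(log.topics[1]),
    spender: topicToAddress(log.topics[2]),
    value: BigInt(log.data), // the non-indexed uint256 is the single 32-byte data word
    timestamp: log.blockTimestamp,
    logIndex: log.logIndex ?? 0,
  };
}

// Replay approvals in chain order; the latest event per (token, owner, spender)
// wins, so a later approve(spender, 0) correctly revokes an earlier allowance.
function currentAllowances(logs) {
  const state = new Map();
  const events = logs
    .map(decodeApproval)
    .filter(Boolean)
    .sort((a, b) => a.timestamp - b.timestamp || a.logIndex - b.logIndex);
  for (const ev of events) {
    state.set(`${ev.token}:${ev.owner}:${ev.spender}`, ev);
  }
  return [...state.values()];
}

// Report live allowances that are unlimited or older than maxAgeDays as of `now`.
function findRiskyApprovals(logs, now, maxAgeDays = 365) {
  return currentAllowances(logs)
    .filter((ev) => ev.value > 0n) // zero allowance means already revoked
    .map((ev) => ({
      ...ev,
      ageDays: Math.floor((now - ev.timestamp) / DAY),
      unlimited: ev.value === MAX_UINT256,
    }))
    .filter((ev) => ev.unlimited || ev.ageDays > maxAgeDays);
}

// Constructed sample data: one owner, one token, three spenders.
const OWNER = "0x" + "aa".repeat(20);
const TOKEN = "0x" + "11".repeat(20);
const SPENDER_OLD = "0x" + "bb".repeat(20);     // unlimited approval, 458 days old
const SPENDER_REVOKED = "0x" + "cc".repeat(20); // approved, then revoked 10 days later
const SPENDER_FRESH = "0x" + "dd".repeat(20);   // small approval, 3 days old
const NOW = 1767225600; // 2026-01-01T00:00:00Z (constructed reference time)

const SAMPLE_LOGS = [
  { address: TOKEN, topics: [APPROVAL_TOPIC, padAddressTopic(OWNER), padAddressTopic(SPENDER_OLD)],
    data: "0x" + "ff".repeat(32), blockTimestamp: NOW - 458 * DAY, logIndex: 0 },
  { address: TOKEN, topics: [APPROVAL_TOPIC, padAddressTopic(OWNER), padAddressTopic(SPENDER_REVOKED)],
    data: "0x" + "00".repeat(31) + "64", blockTimestamp: NOW - 400 * DAY, logIndex: 0 }, // 100 units
  { address: TOKEN, topics: [APPROVAL_TOPIC, padAddressTopic(OWNER), padAddressTopic(SPENDER_REVOKED)],
    data: "0x" + "00".repeat(32), blockTimestamp: NOW - 390 * DAY, logIndex: 0 },        // revoked
  { address: TOKEN, topics: [APPROVAL_TOPIC, padAddressTopic(OWNER), padAddressTopic(SPENDER_FRESH)],
    data: "0x" + "00".repeat(31) + "0a", blockTimestamp: NOW - 3 * DAY, logIndex: 0 },   // 10 units
];

function main() {
  for (const r of findRiskyApprovals(SAMPLE_LOGS, NOW)) {
    const amount = r.unlimited ? "UNLIMITED" : r.value.toString();
    console.log(`${r.token} -> ${r.spender}: ${amount} approved ${r.ageDays} days ago`);
  }
}
main();
```

With the sample data only the 458-day unlimited approval is reported: the revoked spender drops out because its latest event sets the allowance to zero, and the fresh one is under the age threshold. Lowering maxAgeDays or treating any unlimited allowance as reportable (as the code already does) is the tightening a reviewer would normally apply before revoking through the token's approve(spender, 0).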
Web3Sec reposted

Arsen @arsen_bt
This is literally the best Web3 Security resource, I learned a lot from it.
Web3Sec reposted

Patrick Collins @PatrickAlphaC
Look at this graph, and let this sink in. This is the state of Web3 security. It's the graph between $ lost from security-reviewed codebases vs those that have not been reviewed. Notice how much lower the number is for projects that have received a security review?
Web3Sec reposted

Akinator | Testnet Arc @0xakinator
🚨 Security Alert

It appears that the @TrustWallet browser extension may have been compromised via a supply-chain attack in the Dec 24 update. Reports indicate that importing a seed phrase into the extension can result in immediate wallet draining.

⚠️ Do NOT use the Trust Wallet extension for now, and never import a seed phrase until an official clarification and fix are released.

❗ As of now, there has been no official communication from the Trust Wallet team regarding this incident. Exploiters are using multiple addresses, and more than $2,000,000 appears to have been drained.
Web3Sec reposted

Raiders @__Raiders
wrote up a really interesting newsletter on supply chain attacks and their defenses. expected to be published on 4th jan, stay tuned :) open.substack.com/pub/web3secnew…
Web3Sec reposted

Raiders @__Raiders
Thrilled to be awarded an Ecosystem Support Program @EF_ESP grant for Digibastion.com We're developing a public good security platform that offers a centralized hub for real-time security tools, actionable checklists for personal privacy and protection, threat intelligence, and supply chain monitoring. Here's why this matters... 🧵
Web3Sec reposted

Raiders @__Raiders
Hot take I keep hearing: "Never rely on AI for security, it's 100% hackable."

100% is a bold claim. But here's the thing: neither do human-only audits guarantee 100% security. Every audit report comes with a disclaimer "no liability, no responsibility" for a reason.

The uncomfortable truth? Security isn't a checkbox. It's not something you "complete" before launch and move on.

What actually reduces your attack surface:
• Security embedded in CI/CD, not bolted on after
• A dedicated security researcher monitoring incidents onchain/offchain, 0-days, and emerging exploits in real-time
• Active bug bounty programs that incentivize external eyes
• Full-stack auditing: smart contracts, infrastructure, frontend, supply chain
• Operational security that's practiced, not just documented

The projects that stay secure aren't the ones with the most audits. They're the ones treating security as a continuous discipline, not a one-time deliverable.

AI tools, human auditors, automated scanners, they're all inputs. None of them alone is the answer. Mature security posture comes from layering defenses and never assuming you're done.

What's the one security blind spot you keep seeing projects ignore?
Web3Sec reposted

TrustSec @TrustSecAudits
Very concerned about the second-order effects of advances in AI auditors. The direct consequences are well understood by most: lower cost of entry, higher bar for exploits, bounty hunters and blackhats retroactively auditing old codebases, etc.

There will come a point (expect 1-2 years from now) where more and more real projects will completely skip a human audit - it's an uphill battle to convince budget owners to spend 6-7 figures on security when a sub-$1k solution appears to find the same issues again and again.

For everyone who doesn't grasp the true ingenuity of security research, this will feel like the moment thousands of accountants were replaced by Excel formulas, or travel agencies were displaced by Google Flights. But there are those of us that understand that bug hunting is as much an art as it is a science, and pattern-matching, no matter how exceptionally engineered, will never discover a complex, novel logic bug or bug class. It will be up to us to educate and to make the case for why the best hunters can never be replaced by neural networks that are, at the end of the day, extremely capable imitators.

They will say we are coping. That we are decelerationists. That AIs that can write poems and solve Math Olympiad questions can audit code as well as any human. They will be wrong, and time will tell.

The problem is that extremely complex bugs are likewise extremely rare, so trusting an AI audit could genuinely be 99.9% safe within a few years. And a fair argument is that even a human audit doesn’t necessarily capture the last 0.1% — we’ve seen projects exploited after top-tier audits, which has harmed confidence in the entire audit marketplace. So is the new “security through obscurity” going to become “security through low probability of a novel bug”? It might.

My outlook on the security endgame looks different. There will be two battles fought in parallel.

The AIs on both sides will have a light-speed shootout, determining who can exploit the vast majority of bugs quicker than the other. That contest will be over in a few blocks, and we’ll know who won by checking whether the contract still has funds.

And then there's the "correspondence chess" match between the true savants on both sides - humans capable of more than imitation. This battle never truly ends, unless all critical properties are formally proved, flawlessly. This cannot be done for sufficiently complex apps and infrastructure.

We know blackhats are not going anywhere. NK and similar aren't interested in post-hack negotiations and are going to pocket 100% of whatever value they steal. Meanwhile white-hats may well not be incentivized enough in a world where only very rare bugs remain, getting cents on the dollar per exploit compared to blackhats, if not completely rugged by the project.

From that perspective it seems clear projects that truly care about their security have to recruit white-hats to their side, or they risk conceding an empty-net goal. Hiring a team of specialists with an exceptional record of finding deep-lying bugs raises the difficulty and adds a 2nd layer of PoW on top of an AI audit. In practice, blackhats will likely follow the path of least resistance and choose targets in ascending order of difficulty. Hiring teams (like yours truly) that have disclosed tens of live issues and earned dozens of public contest gold medals is going to push a project to the bottom of that "to do" list.

AI tech is revolutionary and will change much of how the world operates. But let's remember: a bad poem earns at worst a thumbs-down. An undetected smart contract bug could be the end of people's financial lives. Let’s be careful not to entrust AI with millions of dollars in one of the few domains where human creativity still outperforms the machine.
Web3Sec reposted

JADE @0x__jade
Introducing MoveSecAI. A security-first AI model built by @Syntrei to tackle one of the hardest problems in modern blockchain development: reasoning about Move code at the logic level.

MoveSecAI is a pre-season trained model, designed specifically for the Move programming language. It is not an API wrapper. It does not rely on external services. It is a pure, self-contained model built for deep code understanding.

Trained exclusively on Move smart contracts, historical vulnerabilities, exploit patterns, and real-world failure cases, MoveSecAI is engineered to analyze execution paths, identify logical flaws, and understand security invariants native to Move.

With 37 billion parameters at instruct level, the model is optimized for precise reasoning, structured analysis, and security-driven decision making, not generic code completion.

MoveSecAI exists for one purpose: to raise the security baseline of Move ecosystems through intelligence that actually understands the language.

Built by Syntrei. Focused on Move. Designed for security.
Quoted post from Syntrei @Syntrei: "Building the next generation Security Protocol for Move-based chains"
Web3Sec reposted

Arsen @arsen_bt
6 books I recommend to every auditor:
• Mastering Ethereum
• Uniswap V3 Development
• Upgrading Ethereum
• Chainlight. Web3 Hacks
• Web3 Security made easy
• Tornado cash book

It's literally a must-have read.