Auditware

705 posts

@audit_wizard

Industry leading OpSec audits, security tools, and code reviews performed by true security wizards

Joined August 2022
507 Following, 2.6K Followers

Pinned Tweet
Auditware @audit_wizard
Announcing our latest product: Sentry

Sentry is a platform for continuously monitoring OpSec for web3 organizations

W3OS compliance, security training, domain monitoring, credential leakage alerts, GitHub repo compromise detection, and our own custom EDR - all in one platform

Auditware retweeted
forefy @forefy
🚨🚨 WATCH ME VIBE-AUDIT A SMART CONTRACT
> end-to-end without an IDE
> from skills and prompts to a google doc report
> result report and repo below
▶️ youtube.com/watch?v=5jcZ85…

I didn't risk my auditing career posting this just to have fun with prompts. This is a social demonstration of the power that's at hand of the new version of our adversaries. I literally just sat down and showed you a summarized way of my first 15 minutes starting an audit (before the first coffee ends) - it's obviously not enough for a professional audit, not even close, it's a really good starting point though (still have an entire week after that in industry timelines). I want you all to start interacting with code like this, exploring it through the agents, asking questions, creating creative skills and gain more and more ways of asking the right questions and improve and learn always

Skills I've used can all be found at the Auditor Skill Registry: ✨ forefy.com/skills

Skills used (other than the ones under github.com/forefy/.context):
- solidity-auditor by @pashov github.com/pashov/skills
- security-auditor by @archethect github.com/Archethect/sc-…
- hackenproof-triage-marketplace by @HackenProof github.com/hackenproof-pu…
- web3-poc-foundry by @shuvonsec github.com/shuvonsec/web3…
- code-sleuth by @ZeroCool_AI github.com/zerocoolailabs…

Repo and Report: github.com/forefy/vulnvau…

Would've used much more, but wanted to make this fit under a 15-minute video and improvised what came to mind at the moment ▶️ youtube.com/watch?v=5jcZ85…

Please repost, comment, share and raise awareness for what's coming!

Auditware @audit_wizard
Oracle manipulation exploits like this often succeed when liquidity checks are absent and price feeds lack deviation monitoring. Common safeguards include liquidity thresholds, median aggregation across sources, and circuit breakers for anomalies. quillaudits.com/blog/hack-anal…

Auditware @audit_wizard
The attacker bought 0.05 USTRY for $106.74 in a market with under $1 hourly volume, inflating the price 100x. This manipulated price fed into the oracle, valuing their 153k USTRY at $16M instead of $160k, which let them borrow $1M USDC and 61M XLM before exiting as prices fixed.

Auditware @audit_wizard
YieldBlox on Stellar lost $10.97M on Feb 22 through oracle manipulation. An attacker exploited an illiquid collateral market to inflate asset prices, allowing them to borrow against the manipulated valuation. They manipulated it due to the pool’s low volume.

Auditware @audit_wizard
While initially run on a test account, in the real use case, the context was too large and compaction resulted in a truncation of the protections in the prompt. This is a great reminder that, even if you think you know how AI will behave, it is ultimately non-deterministic.

Auditware @audit_wizard
A Meta security researcher ran an OpenClaw AI agent on her inbox with one rule: confirm before deleting anything. The agent lost the instruction and started deleting emails until the process was stopped. x.com/summeryue0/sta…
Summer Yue @summeryue0:

Nothing humbles you like telling your OpenClaw “confirm before acting” and watching it speedrun deleting your inbox. I couldn’t stop it from my phone. I had to RUN to my Mac mini like I was defusing a bomb.

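An added example, not OpenClaw's or Auditware's code, of the practitioner's answer to the failure described above: enforce "confirm before acting" in the code that dispatches tool calls, outside the model's context, so compaction or any other loss of prompt state cannot remove it, and add a hard cap on destructive actions per run so a runaway agent stops by itself rather than when someone reaches a keyboard. The tool names, the inbox contents, the cap and the stand-in agent are assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable

# Assumed tool names; the real agent's tool set is not shown in the thread.
DESTRUCTIVE_TOOLS = frozenset({"delete_email", "send_email"})
MAX_DESTRUCTIVE_PER_RUN = 3  # assumed kill switch: halt the run after this many


@dataclass
class Mailbox:
    messages: dict               # id -> subject, constructed inbox
    deleted: list = field(default_factory=list)

    def list_emails(self) -> list:
        return sorted(self.messages)

    def delete_email(self, email_id: str) -> dict:
        self.deleted.append(self.messages.pop(email_id))
        return {"deleted": email_id}


@dataclass
class ToolGate:
    """Every model tool call passes through here; the model never calls handlers directly."""

    mailbox: Mailbox
    confirm: Callable[[str, dict], bool]  # out-of-band human approval, not model output
    destructive_calls: int = 0
    blocked: list = field(default_factory=list)
    halted: bool = False

    def dispatch(self, tool: str, args: dict) -> dict:
        if self.halted:
            return {"status": "halted", "tool": tool}
        if tool in DESTRUCTIVE_TOOLS:
            if self.destructive_calls >= MAX_DESTRUCTIVE_PER_RUN:
                self.halted = True  # cap reached: refuse everything until a human resets
                return {"status": "halted", "tool": tool}
            if not self.confirm(tool, args):
                self.blocked.append((tool, args))  # no approval, no side effect
                return {"status": "blocked", "tool": tool}
            self.destructive_calls += 1
        handler = getattr(self.mailbox, tool, None)
        if handler is None:
            return {"status": "unknown_tool", "tool": tool}
        return {"status": "ok", "result": handler(**args)}


def runaway_agent(gate: ToolGate) -> list:
    """Constructed stand-in for an agent whose 'confirm first' instruction was
    lost: it lists the inbox and tries to delete every message without asking."""
    ids = gate.dispatch("list_emails", {})["result"]
    return [gate.dispatch("delete_email", {"email_id": i}) for i in ids]


def new_inbox() -> Mailbox:
    return Mailbox({f"m{i}": f"subject {i}" for i in range(6)})


def run_with_deny_all() -> tuple:
    """Nobody answers the confirmation prompt: nothing is deleted."""
    box = new_inbox()
    gate = ToolGate(box, confirm=lambda tool, args: False)
    results = runaway_agent(gate)
    return len(box.messages), len(gate.blocked), [r["status"] for r in results]


def run_with_rubber_stamp() -> tuple:
    """A human approves everything: the cap still stops the run after three deletes."""
    box = new_inbox()
    gate = ToolGate(box, confirm=lambda tool, args: True)
    results = runaway_agent(gate)
    return len(box.messages), gate.halted, [r["status"] for r in results]


if __name__ == "__main__":
    print("deny all:", run_with_deny_all())
    print("rubber stamp:", run_with_rubber_stamp())
```

The point is where the rule lives: `DESTRUCTIVE_TOOLS` and the cap are ordinary program state that no prompt, compaction pass or injected instruction can reach, and `confirm` is a callback the host supplies, so the model cannot satisfy it by emitting the word "confirmed". The deny-all run models the situation in the quoted post, where the approval could not be given from a phone; the outcome is zero deletions instead of an emptied inbox.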
Savant.chat @savantchat
@audit_wizard auditing the contract is the easy part. auditing the key management, the deployment pipeline, and the dependency tree is where most teams have zero coverage

Auditware @audit_wizard
Web3 exploits hit billions in losses last year, but the attack surface is shifting. Compromised keys, malicious dependencies, and social engineering now cause more losses than reentrancy bugs. Here's what's actually getting exploited:

Auditware retweeted
forefy @forefy
🪐 Livestream tomorrow 📻🎙️ to share thoughts about the recent AI auditing changes. Hype is only useful if the right people step up to channel it to practical secure and professional flows that will shape our future. Set an alarm ⏰ ⏰ and don't miss it!
QuillAudits @QuillAudits_AI:

Hot take: AI might be the biggest thing to happen to smart contract security or it might be the most overhyped tool since static analyzers. We are finding it out tomorrow, joining us are @forefy, @d0rsky, @iampeersky and Siddharth! What - AI vs Hackers: The Future of Smart Contract Auditing Wen - 10th March | 3:30 PM UTC | LIVE on X


Auditware retweeted
forefy @forefy
Being the 1st public auditing skills author I can share this:
• AI can't write skills as well as actual auditors
• Over-verbose skills (e.g. more than 5000 tokens a page) are creating context rot
• Installing other people's skills is much scarier than npm install

I solved this by utilizing my profile site to host the Auditor Skills Registry
• Skills I personally use (including skills from @pashov, @trailofbits, @QuillAudits_AI, @auditmos, myself etc.)
• Security reviewed, guardrails, AI reliance rating
• Easy and secure 1-click installation to claude code / copilot cli / gemini cli / codex

IMPORTANT: Like or repost if you plan on using it, to let me know if I should keep it live: forefy.com/skills

Auditware @audit_wizard
Sentry and Multisigmonitor are built for this. Free and open source: auditware.io

Auditware @audit_wizard
The real threats:
* Compromised accounts deploying malicious upgrades
* Dev machines with leaked keys and env files
* AI assistants suggesting poisoned packages
* Forgotten token approvals
These are the things code audits don't include.

Auditware @audit_wizard
Protect yourself:
* Lock your package dependencies to known-good versions
* Scan packages with Socket before installing
* Keep sensitive keys off dev machines entirely
Full technical breakdown: socket.dev/blog/sandworm-…

Auditware @audit_wizard
The attack works through AI coding assistants like Cursor and GitHub Copilot; they suggest malicious packages during development, devs blindly install them, and the worm gets full access to local files and environment variables. Automated infection through AI-suggested tools.

Auditware @audit_wizard
A new supply chain malware, SANDWORM_MODE, is spreading through npm packages right now via poisoned AI recommendations. 19+ malicious packages are stealing crypto private keys, CI/CD secrets, and API keys from developer machines.
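An added example, not Auditware's tooling and not Socket's scanner, of the first item in the "Protect yourself" post above: a pre-install gate that refuses floating version ranges in package.json, lockfile entries without an integrity hash, resolved packages (transitive ones included) that are not on a reviewed allowlist, and packages that declare install scripts, which is where an install-time payload would run. The manifest, lockfile, allowlist and integrity strings are constructed; `acme-web3-helper` is a placeholder for an unfamiliar package an AI assistant proposed, not a real package.

```python
import json
import re

# An exact semver release, optionally with prerelease/build suffixes. Anything
# else (^, ~, *, >=, a tag like "latest", a git or http URL) is a floating spec.
EXACT_VERSION = re.compile(r"^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$")


def check_dependencies(manifest: dict, lockfile: dict, allowlist: dict) -> list:
    """Return human-readable violations; an empty list means install may proceed.

    manifest:  parsed package.json
    lockfile:  parsed package-lock.json (lockfileVersion 2 or 3, "packages" map)
    allowlist: name -> approved exact version, maintained by the team
    """
    problems = []
    declared = {}
    for section in ("dependencies", "devDependencies"):
        declared.update(manifest.get(section, {}))

    # Direct dependencies must be pinned exactly in the manifest itself, so a
    # regenerated lockfile cannot silently pull a newer (or hijacked) release.
    for name, spec in declared.items():
        if not EXACT_VERSION.match(spec):
            problems.append(f"{name}: floating version spec {spec!r}; pin an exact version")

    # Every resolved package, transitive ones included, must be hash-pinned, on
    # the allowlist at exactly that version, and free of unreviewed install scripts.
    for path, entry in lockfile.get("packages", {}).items():
        if path == "":
            continue  # the root project entry
        name = path.rsplit("node_modules/", 1)[-1]
        version = entry.get("version", "?")
        if "integrity" not in entry:
            problems.append(f"{name}@{version}: lockfile entry has no integrity hash")
        if entry.get("hasInstallScript"):
            problems.append(f"{name}@{version}: declares install scripts; review them first")
        if allowlist.get(name) != version:
            problems.append(f"{name}@{version}: not on the known-good allowlist")
    return problems


def gate_example() -> list:
    """Constructed inputs: one floating spec, one entry missing its hash, and one
    unfamiliar package with an install hook. Integrity strings are placeholders."""
    manifest = json.loads("""{
      "name": "example-dapp",
      "dependencies": {
        "ethers": "6.13.0",
        "dotenv": "^16.4.5",
        "acme-web3-helper": "1.0.2"
      }
    }""")
    lockfile = json.loads("""{
      "lockfileVersion": 3,
      "packages": {
        "": {"name": "example-dapp"},
        "node_modules/ethers": {"version": "6.13.0", "integrity": "sha512-PLACEHOLDER-ethers"},
        "node_modules/ws": {"version": "8.17.1", "integrity": "sha512-PLACEHOLDER-ws"},
        "node_modules/dotenv": {"version": "16.4.5"},
        "node_modules/acme-web3-helper": {"version": "1.0.2",
                                          "integrity": "sha512-PLACEHOLDER-acme",
                                          "hasInstallScript": true}
      }
    }""")
    # Reviewed snapshot of what the project is allowed to resolve.
    allowlist = {"ethers": "6.13.0", "ws": "8.17.1", "dotenv": "16.4.5"}
    return check_dependencies(manifest, lockfile, allowlist)


if __name__ == "__main__":
    findings = gate_example()
    for line in findings:
        print("BLOCK:", line)
    raise SystemExit(1 if findings else 0)
```

Run it as a pre-install hook or CI step and fail the build on any finding. The allowlist check is what catches the attack pattern in this thread: a package the team has never reviewed, regardless of how plausible its name looks in an assistant's suggestion, cannot be resolved until someone adds it deliberately. The `hasInstallScript` flag is the field npm writes into lockfileVersion 2 and 3 entries for packages with lifecycle install scripts, so flagging it surfaces exactly the packages that run code at install time.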

Auditware @audit_wizard
Radar is free and open source. Hunt for vulnerabilities at scale with shared detectors across Solidity and Rust contracts. github.com/Auditware/radar

Auditware @audit_wizard
The new EVMbench from OpenAI + Paradigm finds 70%+ of critical smart contract bugs in benchmarks. If attackers have this, assume automated vulnerability discovery is happening at scale. Radar helps you scan at scale more efficiently than AI to defend your contracts.

Auditware @audit_wizard
Test your organization's operational security with Sentry 👁️‍🗨️ Free and open to everyone: sentry.auditware.io

Auditware @audit_wizard
At an @EthereumDenver side event, an employee of a security firm left their laptop unlocked at a table for 10 minutes. That's enough time to grab SSH keys, install malware, exfiltrate documents, etc. Anyone can fail at OpSec. Use things like screen locks so you stay secure.