Caducus
@chain_linkd

Optimizing Automated Cross-Chain Yield @Judge_Finance Blockchain Evangelist Security Researcher OG Link Marine

Moon · Joined January 2018
729 Following · 361 Followers
Pinned Tweet
Caducus
Caducus@chain_linkd·
Working with the chainlink stack to build something real and meaningful. Dream come true. @chainlink More to come.
Charles Holmes@CHolmeseth

What can we build with @chainlink's CRE? @Judge_Finance is building YieldCoin as our first offering with CRE at its core. YieldCoin (Chromion Winner) is the stablecoin money market fund the industry has been praying for. One token. One job: Continuously route your stables to the highest risk adjusted real yield across @aave @compoundfinance @Dolomite_io @FolksFinance @0xfluid All APYs shown are net of our streaming fee. No deposit/withdrawal fees. No hidden fees.

Caducus
Caducus@chain_linkd·
@octane_security Pure bliss to have amazing security researchers build an amazing security AI tool
Octane Security
Octane Security@octane_security·
How ARE works: Phase 0: We work with the client to define the context of their codebase: architecture, threat model, economic assumptions, etc. Phase 1: AI explores at scale. It maps the codebase, traces execution paths, and explores the long tail of edge cases humans can’t exhaust on their own. Phase 2: Human researchers evaluate the AI’s signals. They cut down the noise, note the serious attack paths, prune hypotheses, and refine the overall context. Phase 3: Repeat. Each pass goes deeper along the paths that matter, until meaningful attack vectors have been covered.
Caducus retweeted
0x15.eth
0x15.eth@0x15_eth·
Condolences to Balancer, but the deeper issue is this... You can’t build a safer ecosystem by assuming people will choose the moral path. In practice, the default path is often the immoral one, because doing harm is easier than doing good. You can’t control human nature. You can control incentives. And as long as the incentive to be a blackhat is greater than the incentive to be a whitehat, hacks like this will keep happening. Protocols need to do more than say “do the right thing.” They need to make doing the "right thing" easier We need faster triage, faster payouts, faster and clearer communication, and a better experience overall for whitehats. Imho security is more of incentive design.
bbl4de@bbl4de_xyz

This is why, as a moral human being, you should NEVER even CONSIDER exploiting a live bug you have found. You don't just take magical money from magical protocol. You make users lose money, investors lose money, protocol lose reputation and money, protocol employees lose jobs and all that for your own personal gain. forum.balancer.fi/t/on-the-futur…

Caducus retweeted
Octane Security
Octane Security@octane_security·
Octane brings continuous coverage to @capmoney_’s multi-layer security stack. Every pull request gets AI-native security analysis right at the source.
cap@capmoney_

Security at Cap runs deep. Along with 6 completed audits, our layered, proactive approach includes: 🔒 Quarterly Audits (upcoming one from @cantinaxyz) 🕵️ @sherlockdefi bug bounty program 🛡️ @octane_security ai-native code analysis 🔍 @HypernativeLabs on-chain threat detection

Plamen Tsanev
Plamen Tsanev@p_tsanev·
So by now it has been established that *everybody* uses AI tools in web3, either internal or public (or both). It would be interesting which are the favorite platforms of choice (they may seem obvious, but not so much), so please let me know so I can serve you a treat 😈+ 🤖:
Caducus retweeted
Octane Security
Octane Security@octane_security·
We responsibly disclosed it, MUX fixed it, and no pool was drained. This is the future: continuous, automated, adversarial security that catches and patches bugs before attackers can exploit them. At the end of the day, the best security incident is the one that never happens.
YAM 🌱
YAM 🌱@yieldsandmore·
@roschamomile incredible how easy it is to recognise you fully wrote this with AI
vm 🌹🍵
vm 🌹🍵@roschamomile·
What confuses me isn’t the $50M loss. It’s the execution. If you’re moving that kind of size:
• Why swap directly through a UI?
• Why not use a trading desk or OTC?
• Why not check liquidity depth and LP distribution first?
At that scale, slippage isn’t a minor detail. And everyone in DeFi knows MEV and sandwich bots exist specifically to exploit large swaps. Normally whales buying size like this would:
• split the order
• use RFQ / OTC desks
• or route liquidity manually across multiple pools
So the real question isn’t just “why was the routing bad?” It’s: Why was a $50M order executed like a retail swap?
YAM 🌱@yieldsandmore

0x98b...7ac8 just lost $50m in an attempt to buy AAVE using USDT through @CoWSwap. This swap was very likely executed through AAVE's UI using the collateral swap feature, as it swaps from aEthUSDT to aEthAAVE, which represent deposits of USDT and AAVE into the AAVE protocol. The cause is mostly bad routing done by most aggregators. Below is a screenshot from @matchametaxyz and @CoWSwap, showing that all aggregators struggle with this. It doesn't seem to us that @CoWSwap misrepresents the price of aEthAAVE. Transaction: etherscan.io/tx/0x9fa9feab3…

Caducus retweeted
deadmanwalking
deadmanwalking@0xdmanwalking·
In times where AI dominates and intelligence is being replaced by .md files it is finally time to get a voice and develop deep and meaningful human connections. The era of the nerd is over.
Caducus
Caducus@chain_linkd·
@dionyziz @MetaMask Really sorry to hear this Dionisi, but what the FFffuck are those replies in this post man. Crazy
Dionysis Zindros
Dionysis Zindros@dionyziz·
@MetaMask Can't make this go away, all the money I had in this browser is lost. Your AI-based support doesn't work...
Caducus
Caducus@chain_linkd·
@Jeyffre Congrats, you just described every megacorpo dystopian future ever written and ended with "deal with it". You are so edgy and cool, I'm falling already
Jeffrey Scholz
Jeffrey Scholz@Jeyffre·
Not only will pay-to-submit-bugs become the norm to prevent spam... Pay-to-work as a junior developer will also become the norm. Nobody will spend time mentoring a junior when that time is more effectively spent talking to an AI. Junior engineers (even intermediate ones) cannot get work, but they desperately need experience to be able to secure those $100,000 / yr jobs. It's only a matter of time before companies charge $10,000+ per year for an apprenticeship that touches real production systems. And the ROI would still be better than college. College (and AI) cannot teach you how to handle the jagged edges of reality. What we used to call "junior engineers" was really "apprenticeships" with a different name. The only way to quickly learn to handle the chaos of the real world is to watch an experienced person up close and in action. The new world will be like this:
1. Skip college. Maybe even skip high school.
2. Pass certain exams that show you have a reasonable level of technical and communication skills.
3. Pay an employer for an apprenticeship.
4. Earn six figures per year because you have experience.
Deal with it. The world is changing.
Hari@hrkrshnn

I'll tell you something that people don't want to talk about. Crowdsourced security is at a breaking point. There are no winners here; the security researchers hate it, the customers hate it, and the platforms at the crossroads also hate it. I spoke to someone last week who described it as a necessary evil. Why is that?
- The security researchers hate it because no matter how you do it, a portion of security researchers will always disagree with the outcomes. Because the severity of a bug is ultimately subjective, you can almost always make an argument to upgrade or downgrade your finding. This is the ugly truth: the people that make a lot of money are particularly good at arguing about the findings. And they know it too; some of them are the nicest people you've met in your life, but when it comes to arguing why something is a critical bug, they morph into ruthless lawyers.
- The customers hate it. Imagine you're Monad here; you just spent half a million dollars (!!) to secure your software before even launching to production, and you see posts like this. It's natural to leave a bad taste. It's also not just anyone who wrote this critique, but someone who got #4 and a $32K reward for a 4-week security competition.
- The platforms that host it (us included) end up in the crossfire. No matter what you do, you end up in a lose-lose scenario. It takes up a lot of mental space, and in this case, CodeArena hosted this for free! They probably even lost money judging the competition.
There's also a fourth actor that's adding fuel to the fire, which is AI:
- LLM-powered reports started as complete slop that you could ignore, but now it's not that obvious anymore. It's starting to be genuinely useful at finding bugs.
- The only sustainable long-term solution to crowdsourced competitions and bounties is a pay-per-bug or staking model where invalid submissions get a cash penalty. This is controversial, but it's the only way to scale.
- AI is also a glimmer of the future: a future where...
P.S. I don't mean to call anyone out in particular; in fact, Dontonka, Monad, and Code4rena are all doing their best here. It's just that the golden age of crowdsourced security is probably over. It was necessary, just like how it was necessary for humans to write open-source code so that the machine god could be built.

Caducus retweeted
bbl4de
bbl4de@bbl4de_xyz·
Vibe-coding smart contracts is terrible, but what if the vibe coder is an auditor with knowledge on how to design a secure project and the resulting code is manually reviewed by them before following-up with external audits/tooling/FV etc. Seems like a great opportunity and productivity boost, no?
Caducus
Caducus@chain_linkd·
@Raacfi Monitoring THIS situation👀👀👀👀
Caducus retweeted
Tenderly
Tenderly@TenderlyApp·
Aave is also the first team to run cross-chain tests using the CCIP bridge integration on Virtual TestNets built in collaboration with @chainlink. This is the first time cross-chain testing with native CCIP bridging is available directly in a development environment.
Caducus
Caducus@chain_linkd·
@contractlevel For that there's a final so... Ah fuck it, $50 min deposit it is
Contract Level
Contract Level@contractlevel·
@chain_linkd The old purchasing third world credentials to increase deposit time by 10 hours trick
Contract Level
Contract Level@contractlevel·
Time-of-check to time-of-use (TOCTOU) is a race condition vulnerability where state that is read could change before it is used. This is useful to think about in crosschain systems that require state on one chain in order to execute something on another chain.
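A toy model of the cross-chain race described in the post above, added here as an example (not code from Contract Level, Chainlink or any real bridge): the source chain reads a user's collateral (check), a message carries that amount to the destination chain (use), and the user withdraws while the message is in flight; the fix makes the check and a lock one atomic step on the source so the attested state can no longer change. Chain names, the user "alice" and the amounts are constructed.

```python
# Added example: toy model of a cross-chain time-of-check/time-of-use race and
# the check-and-lock fix. Constructed for illustration, not CCIP or bridge code.
from collections import deque
from dataclasses import dataclass, field

@dataclass
class SourceChain:
    balances: dict = field(default_factory=dict)  # free collateral per user
    locked: dict = field(default_factory=dict)    # collateral escrowed for in-flight messages
    outbox: deque = field(default_factory=deque)  # (user, amount) messages awaiting delivery

    def withdraw(self, user, amount):
        if self.balances.get(user, 0) < amount:
            raise ValueError("insufficient free balance")
        self.balances[user] -= amount

    def send_unsafe(self, user, amount):
        # CHECK: the balance is read here, but nothing pins it until USE on the other chain.
        if self.balances.get(user, 0) < amount:
            raise ValueError("insufficient balance")
        self.outbox.append((user, amount))

    def send_safe(self, user, amount):
        # CHECK and lock in the same transaction: the attested collateral can no longer move.
        self.withdraw(user, amount)
        self.locked[user] = self.locked.get(user, 0) + amount
        self.outbox.append((user, amount))

@dataclass
class DestinationChain:
    released: dict = field(default_factory=dict)

    def deliver(self, user, amount):
        # USE: the destination trusts the amount the source attested to at check time.
        self.released[user] = self.released.get(user, 0) + amount

def run(safe):
    """Return (collateral still backing alice on the source, amount released to her on the destination)."""
    src, dst = SourceChain({"alice": 100}), DestinationChain()
    (src.send_safe if safe else src.send_unsafe)("alice", 100)  # CHECK on the source chain
    try:
        src.withdraw("alice", 100)  # state changes while the message is in flight
    except ValueError:
        pass  # the safe path refuses: the 100 is locked, not free
    dst.deliver(*src.outbox.popleft())  # USE on the destination chain
    return src.balances["alice"] + src.locked.get("alice", 0), dst.released["alice"]
```

With the unsafe send the destination releases 100 against 0 remaining collateral; with the locking send the same 100 is still escrowed on the source when the message is used.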
Caducus
Caducus@chain_linkd·
@contractlevel Taking the ordered route, indeed. Grief needs to be stopped with early checks or at the source (CoMplIaNt griefers?). Flawless failure handling needs to be implemented regardless.
Contract Level
Contract Level@contractlevel·
@chain_linkd CCIP tx times + ordered execution sounds like a recipe for grief attacks; non-ordered execution sounds like a recipe for manipulation.