Christian Vari

691 posts

Christian Vari banner
Christian Vari

Christian Vari

@christianvari_

Blockchain Security Researcher | Founder @CodezenSRLS | Head of Audit Operations @SecurityOak | 250+ Audits Across Solana, Cosmos & EVM

Italy Katılım Mart 2021
896 Takip Edilen569 Takipçiler
Christian Vari
Christian Vari@christianvari_·
Pre-mortems are useful for identifying risks. Simulated attacks are how you find the specific decision point where your team defaults to chaos. Those are not the same exercise, and only one of them is honest preparation. oaksecurity.io/agent
English
0
0
0
2
Christian Vari
Christian Vari@christianvari_·
I've seen teams with documented incident response plans completely lose coordination structure within 90 seconds of a simulated drain. The plan existed. The muscle memory didn't.
English
1
0
0
4
Christian Vari
Christian Vari@christianvari_·
A pre-mortem asks what could go wrong. A wargame shows you exactly where your team breaks when it does.
English
1
0
0
24
Christian Vari
Christian Vari@christianvari_·
If any answer is no, the protocol carries operational risk that no smart contract audit will catch. The code can be perfect. The signing ceremony is where the attack surface lives. That scope doesn't exist in most audit engagements yet.
English
0
0
0
14
Christian Vari
Christian Vari@christianvari_·
Three questions I now ask in every operational security review: Do you use durable nonces? Do your signers understand what they're authorizing when they sign one? Can a single compromised key escalate to admin privileges without a time delay or second factor?
English
1
0
0
16
Christian Vari
Christian Vari@christianvari_·
The Drift attacker spent six months building trust before sending the signing request. The smart contract audit was clean. The protocol still got drained.
English
1
0
2
100
Christian Vari
Christian Vari@christianvari_·
If you're auditing MEV infrastructure, the scope has to include bot-side execution validation. Does the bot confirm its tx landed in the expected block position? Does it verify state post-execution before acting on the result? These are auditable. Most audits never touch them.
English
0
0
1
22
Christian Vari
Christian Vari@christianvari_·
The bot assumed its sandwich would land in a specific sequence. When the mempool didn't cooperate, the execution state diverged from what the bot expected. No check caught it. The bot acted on a world that no longer existed.
English
1
0
1
27
Christian Vari
Christian Vari@christianvari_·
JaredFromSubway's vulnerability wasn't a contract bug. The contract logic was correct. The failure lived at the operational layer: the bot never validated that its transaction actually executed as expected.
English
1
0
2
293
Christian Vari
Christian Vari@christianvari_·
That's not carelessness, it's just never been written down. Wallet OPSEC for a protocol team is a set of auditable controls. Most teams haven't audited that surface once. oaksecurity.io/agent
English
0
0
0
17
Christian Vari
Christian Vari@christianvari_·
What I see in practice: one developer holds a hot key used for both testing and production signing, seed phrase lives in a password manager, and there's no documented procedure for rotating keys after a team member leaves.
English
1
0
0
24
Christian Vari
Christian Vari@christianvari_·
Telling your team to watch out for phishing is not an OPSEC policy. It's a hope.
English
1
0
0
77
Christian Vari
Christian Vari@christianvari_·
The gap isn't soft. It's architectural. If you've never rehearsed who calls the pause, who contacts the exchange, and who owns external comms, you have an incident response plan with no execution layer. oaksecurity.io/agent
English
0
0
0
7
Christian Vari
Christian Vari@christianvari_·
The SEAL 911 war-room model names this explicitly: you need a designated incident commander, pre-assigned roles, and a single channel before an exploit happens, not after. Improvised hierarchy under pressure doesn't form fast enough.
English
1
0
0
14
Christian Vari
Christian Vari@christianvari_·
An active exploit is unfolding. Your team is in four different Telegram threads, two people are sending conflicting pause instructions, and nobody has clear authority. The attacker has already drained 60%.
English
1
0
0
96