Coinspect Security

1.8K posts

@coinspect

You Build. We Defend. Since 2014 protecting critical decentralized systems: L1 nodes, smart contracts audits, wallets, web3 dApps, exchanges, bridges.

Joined July 2014
715 Following · 2.7K Followers
Coinspect Security@coinspect·
@rashmor_eth Impressive. Being able to predict strengths/weaknesses from the methodology alone is not trivial. We've seen quite a few cases where tools that look strong on paper (based on design or prompting strategy) don’t necessarily perform as expected once you run them against evals.
rashmor@rashmor_eth·
Mostly my own experience, plus reasoning from how the tools are designed. Once you look at their methodology, you can usually predict the kinds of bugs they’ll be good or bad at finding. I also ran them against the findings of different agents in github.com/z0r0z/majeur.g…, and the results were broadly consistent with that.
Coinspect Security reposted
The Defiant@DefiantNews·
Your favorite crypto wallet might not be as secure as you think. @Coinspect's latest ranking shows a wide gap between top wallets and the rest, with some popular ones scoring below 50% on threat prevention. Read more: thedefiant.io/education/defi…
Coinspect Security@coinspect·
@Walodja1987 Great suggestion! We are currently evaluating and prioritizing a backlog of new checks. We'll be launching a GitHub repo soon where you can dive into detailed data and submit your ideas as issues.
rip-ens.xns@Walodja1987·
@coinspect Add: Has notifications the subscriber of an ENS name recently changed. Most wallets fail this test, resulting in fund loss as funds may be routed to an unintended recipient.
Coinspect Security@coinspect·
UI experiments for a wallet security ranking. Each score comes from a reproducible checklist of security tests.
Coinspect Security@coinspect·
@xnsname @julianor Probably because, on the surface, it resembles naming systems people are already familiar with, leading to claims such as “names are less intimidating than long hexadecimal addresses.”
XNS@xnsname·
@coinspect @julianor Gave him a follow. Thanks! Why do you think ENS is still used although it increases risks for users?
Coinspect Security@coinspect·
🛑Don’t type. 🛑Don’t paste. 👉Bookmark trusted addresses in your wallet. Address poisoning risk is real. Bots brute-force lookalike addresses to hijack your copy-paste. Typosquatting an ENS name is possible. ENS names also expire: miss renewal and someone else gets your funds.
rashmor@rashmor_eth·
G I T F I X F I N D E R The Patch Historian 🧵 /1 I built Git Fix Finder — a tool that turns a repository’s git history into a corpus of real vulnerability fixes. It extracts security-relevant patches and turns them into structured findings. Essentially adding another source of real-world vulnerabilities for auditors and AI agents to learn from.
Coinspect Security reposted
The Defiant@DefiantNews·
🔐How safe is your crypto wallet? @Coinspect just dropped its latest Wallet Security Ranking, and 13% of wallets still allow the risky eth_sign function. Know before you hodl👇 thedefiant.io/education/defi…
Coinspect Security@coinspect·
@xnsname Our CEO @julianor has long argued that ENS may increase attack surface rather than reduce risk. Human-readable names improve UX, but they also enable attacks. In many ways it echoes the dot-com domain model where selling names took priority over security.
XNS@xnsname·
@coinspect Good to see that there are security firms that highlight expiring ENS names as a risk. We still have hope for this space.
souilos@theSouilos·
What would you do if you weren’t doing Web3 security?
JPMK@_JcryPto_·
@coinspect Can wallets protect users from these attacks?
Coinspect Security@coinspect·
⚠️Coruna: A powerful, intelligence-grade iOS exploit kit used in web attacks to drain crypto wallets. 1. Keep your iPhone updated. 2. Enable Apple's Lockdown Mode. Google's GTIG published a report tracking this operation. Here is exactly what you are protecting yourself from 👇
Coinspect Security@coinspect·
"Hooking" means the malware acts like a wiretap on the app's internal functions. It doesn't have to randomly scrape memory. Instead, it intercepts specific operations. When a wallet app executes a command like decrypting a private key, the hook cleanly captures that data right as it happens.
0xM3GANbabe@0xmatebabe·
@coinspect Jesus. What does it mean exactly to "hook into" the installed crypto app? Some sort of out-of-bounds memory-read from the malware?
Coinspect Security@coinspect·
Security Recommendations • Keep devices updated • Try Lockdown Mode • Never store seed phrases in Notes, screenshots, or cloud storage. • Use a hardware wallet
Coinspect Security@coinspect·
@Montyly Now model improvements matter more than clever agents. Experts can contribute model curation and routing, signal > noise, and rigorous validation with PoC building frameworks.
Josselin Feist@Montyly·
Honest question: if LLMs keep improving at coding, what's the point of building an AI audit SaaS? Won't we hit a point where anyone can vibe-code their own auditing agent? Or could we just customize claude/aardvark?