Cryptanu 🥷

2.1K posts

@cryptanu

Security Researcher @QuillAudits_AI | Building privacy tooling @fhenix

Benin · Joined April 2014
352 Following · 364 Followers
Pinned Tweet
Cryptanu 🥷@cryptanu·
I witnessed firsthand how a protocol could live with a live bug (and possibly never catch it) because there's no way to responsibly disclose these issues. In a review with @QuillAudits_AI, an RWA project had forked a portion of @DinariGlobal's code but requested we treat it as a black box. (Un)fortunately, I tend to digress when not working with code I'm familiar with, and stumbled on a sizeable vulnerability in their codebase. Thankfully it wasn't exploited before it was patched, but they had ~$3m at risk (which grew to $60m in less than 4 months); a big liquidity injection into RWAs this year (and likely for the next few years) 💰 While this isn't Yearn-scale, many small drops fill a barrel. Josselin has been talking about the need to beef up internal security; this awareness is something I expect to grow as well, and this exploit is another example why (ty for your talk with Rajeev and Alex at DSS).
QuillAudits@QuillAudits_AI·
Today marks 8 years of QuillAudits. Most Web3 security firms didn't exist 8 years ago. Most won't exist 8 years from now. We've built through 3 bear markets, 2 exploit waves, and the full evolution of smart contract attacks from simple reentrancy to cross-protocol economic exploits. 1,500+ protocols. $3B+ protected. The biggest lesson from 8 years and 1,500+ engagements: one team, one method, one pass doesn't cut it when you're protecting hundreds of millions in user funds. So we rebuilt the model. Multi-Layer Audit → four independent security layers, delivered in the same timeline as a traditional audit:
> Senior auditors who've collectively reviewed 1,500+ protocols
> AI security agents trained on 5,000+ real exploits since 2017
> Independent bug bounty through curated security researchers
> Continuous monitoring, because threats don't stop at deployment
4 layers. Each one catches what the others miss. Web3 has a $100T addressable market if institutions show up. They won't show up until security is embedded in every layer, every transaction, every deployment, the way HTTPS is embedded in the internet. That's the problem worth solving for the next 8 years. QuillAudits built the foundation, QuillShield is the next chapter: an AI security agent that brings what we learned from 1,500+ manual audits into every developer's workflow, before code ever hits mainnet. 8 years in. Still early.
rkg.eth@bigrkg·
@QuillAudits_AI 8 years taught me that security is not a service category, it’s foundational infrastructure. If Web3 is going to onboard serious institutions and billions of users, trust has to be engineered into every layer by default. That’s the direction we’re building toward.
Cryptanu 🥷@cryptanu·
Multiple asset classes (backed / unbacked loans) + mistimed check that silently continues execution = open season. Flagged this issue 6 months ago and still catching more timing bugs.
Cryptanu 🥷@cryptanu·
There's such a wide surface area to train agents to hunt.
Martin Marchev@MartinMarchev·
@0xGreed_ Appreciate it, mate 🙏 The hardest part is it doesn't feel like a shortcut when you are doing it. It feels like efficiency. That's what makes it dangerous.
The Content Chef@kingmessang_·
Yesterday wasn't just an event, it was proof. Proof that when women lead, the whole space levels up. Grateful to have spoken alongside powerhouses like @preciousftw @KayDUnusual @msjoedor and witnessed @shefinigeria shine. Thank you @shefiorg @shefiafrica @social_queenn Let's keep building, queens 😍
The Content Chef@kingmessang_

When you work with a startup @BitsaveProtocol owned by a woman @_karlagod then you would understand why we need more women in the web3 ecosystem. Not just for hype but pure grit, commitment & consistency. Thank you @social_queenn @msjoedor @shefiorg for pulling @shefinigeria to a success. It was amazing sharing the stage with @preciousftw and being part of the future of women onchain 🇳🇬

Cryptanu 🥷 retweeted
chrisdior.eth@chrisdior777·
PRO TIP for beginner protocol founders: If a Web3 security firm offers to audit 4,000 lines of smart contract code for $5k in 4 days, you better save your money. Cheap + fast audits usually mean one thing: nobody actually audited your code. Don't fall for this.
Naruto11.eth@naruto11eth·
holy shit, i built a better Cluely. introducing: Obscura, a better, more performant Cluely. Obscura helps you during your meeting and interview calls, in real time, with more context and a built-in agent to websearch in less than a second. it is completely INVISIBLE to your screen recorder, screen share and cannot be detected during your google calls or zoom calls no matter what. some functionalities:
1. toggle visibility: so that only you can see it
2. panic kill: if you wanna kill it in a second
3. screenshot ocr: for screenshot capabilities
4. context window: pass any context in .md or .docx file for it to read before your calls and Obscura will understand it
5. performative built-in agent: to search for anything in less than a second.
it uses @DeepgramAI for STT model and @AnthropicAI / @OpenAI api keys to generate answers. it takes $1 for 20 hours of your calls as compared to cluely's $20/mo or $75/mo plan (but that depends on tokens consumed on both models). releasing a .dmg for people to use. access will be given to people who share this with their friends. I will roll out a referral program so that people can share it with others. feel free to give some feedback. thanks to @Rahatcodes for being on call with me and testing it.
Cryptanu 🥷@cryptanu·
to see what nobody else sees. peak skillset!
Cryptanu 🥷 retweeted
Fredrik@fredrik0x·
The Ethereum Foundation Bug Bounty Program (bounty.ethereum.org) has increased its maximum payout from $250K to $1M.
Cryptanu 🥷@cryptanu·
" I will soon " ➡️ " Daily incremental progress "
Cryptanu 🥷 retweeted
Blockchain Uniben@unibencrypto·
BLOCKCHAIN UNIBEN CONFERENCE 3.0 February, the same month we marked our 6th anniversary, was truly special.🧡 The room wasn't just filled with people; it was filled with momentum. What started as a gathering quickly felt like a movement. Let's talk about what actually happened🧵
Cryptanu 🥷@cryptanu·
read about it here: hackmd.io/@cryptanu/HumanLayerSecurity
Cryptanu 🥷@cryptanu·
I ran a security experiment at a Web3 conference. Attendees opened an official website. Over 200 people unknowingly landed on a different domain. No malware. No drainers. Even perfectly audited contracts can't protect users from this.
0xasen@asen_sec·
@cryptanu 100%. MEV bugs, temporal state bugs, etc. seem like a blind spot to AI, i.e. the state changed between operation A vs operation B
0xasen@asen_sec·
I've been running AI on real codebases for the past few months. Client work, contests, bounties. Not toy examples. Here's what I've seen it catch and what it completely misses.
Cryptanu 🥷@cryptanu·
@asen_sec I caught a Time of Check - Time of Use bug recently that was missed by AI runs. Surprisingly, it could tackle everything else aside from this. It was the only critical present too. Regardless, it was a great aid.
0xasen@asen_sec·
What it misses: MEV. Anything that requires thinking "what would an attacker do if they saw this transaction in the mempool." Zero. Protocol-specific logic. Bugs that require understanding intent, not just code. Callback patterns. Unexpected state changes when control leaves the contract. All of these are solvable though. It's an engineering problem, not a fundamental limitation.
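Added illustration of the two timing patterns raised in this thread and in the "mistimed check that silently continues execution" post above: a solvency check evaluated before control leaves the contract, so the state it relied on is stale by the time the debt is booked, and a limit check that only logs and lets the payout proceed. This is example code written for this page, not code from any project, auditor or person mentioned here; the lending pool with backed and unbacked loan classes, the assumption that the token invokes a recipient hook on transfer (ERC-777 style), and every name in it are made up for the illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative example only; not code from any project named on this page.
// Contract names, the credit-line concept and the hooked-token assumption
// are all assumptions made for the example. Governance setters are omitted.

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

/// Vulnerable: two loan classes, one check evaluated too early and one that
/// never reverts.
contract LendingPoolVulnerable {
    IERC20 public immutable asset;                 // assumed to call a recipient hook on transfer
    mapping(address => uint256) public collateral;
    mapping(address => uint256) public debt;
    mapping(address => uint256) public creditLine; // unbacked allowance, set by governance

    event CreditLimitExceeded(address borrower, uint256 requested);

    constructor(IERC20 _asset) { asset = _asset; }

    function deposit(uint256 amount) external {
        require(asset.transferFrom(msg.sender, address(this), amount), "transferFrom failed");
        collateral[msg.sender] += amount;
    }

    /// Backed loan. Time of check: debt as it stands now. Time of use: debt is
    /// only booked after the external transfer, so a recipient hook can
    /// re-enter borrowBacked() and pass the same check against stale state.
    function borrowBacked(uint256 amount) external {
        require(collateral[msg.sender] >= debt[msg.sender] + amount, "insufficient collateral");
        require(asset.transfer(msg.sender, amount), "transfer failed"); // control leaves the contract
        debt[msg.sender] += amount;                                      // state updated too late
    }

    /// Unbacked loan. The limit check only emits an event; execution silently
    /// continues and the loan is paid out regardless.
    function borrowUnbacked(uint256 amount) external {
        if (debt[msg.sender] + amount > creditLine[msg.sender]) {
            emit CreditLimitExceeded(msg.sender, amount); // logged, not enforced
        }
        debt[msg.sender] += amount;
        require(asset.transfer(msg.sender, amount), "transfer failed");
    }
}

/// Hardened: checks-effects-interactions, every failed check reverts, and a
/// reentrancy guard covers the window in which control leaves the contract.
contract LendingPoolHardened {
    IERC20 public immutable asset;
    mapping(address => uint256) public collateral;
    mapping(address => uint256) public debt;
    mapping(address => uint256) public creditLine;
    uint256 private _locked = 1;

    modifier nonReentrant() {
        require(_locked == 1, "reentrant call");
        _locked = 2;
        _;
        _locked = 1;
    }

    constructor(IERC20 _asset) { asset = _asset; }

    function deposit(uint256 amount) external nonReentrant {
        collateral[msg.sender] += amount;                                                 // effect
        require(asset.transferFrom(msg.sender, address(this), amount), "transferFrom failed"); // interaction
    }

    function borrowBacked(uint256 amount) external nonReentrant {
        uint256 newDebt = debt[msg.sender] + amount;
        require(collateral[msg.sender] >= newDebt, "insufficient collateral"); // check
        debt[msg.sender] = newDebt;                                             // effect
        require(asset.transfer(msg.sender, amount), "transfer failed");        // interaction last
    }

    function borrowUnbacked(uint256 amount) external nonReentrant {
        uint256 newDebt = debt[msg.sender] + amount;
        require(newDebt <= creditLine[msg.sender], "credit limit exceeded"); // reverts, never just logs
        debt[msg.sender] = newDebt;
        require(asset.transfer(msg.sender, amount), "transfer failed");
    }
}
```

The check in the vulnerable `borrowBacked` is correct in isolation; what makes it exploitable is that the value it checked is no longer the value in force when `debt` is finally written, which is the mempool-and-callback blind spot described above rather than an arithmetic error. Reviewing for this means asking, for every `require`, what can change between it and the state write it is meant to protect, and whether any branch that should stop execution merely records that it should have.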
0xasen@asen_sec·
What AI is good at: Accounting errors. Math bugs. State corruption. Anything where the answer is "does this arithmetic check out." I've found it to be relentless at this.