Ohwale

562 posts

@dedohwale

Dark scholar of web3. Delving into the abyss, ensuring smart contract security, and optimizing gas in the face of the void. 🌑 ☠️ 🔗

Joined July 2022
583 Following · 692 Followers
Pinned Tweet
Ohwale@dedohwale·
Introducing #DedEthAudits: Empowering the security of your Solidity contracts. Our experienced auditors (@DedOhwale, @Arzdev, @Solidityauditor), nurtured by contests and private audits, are your blockchain guardians 🛡️. DM 📩 me for a quote today!
Ohwale@dedohwale·
@bytes032 I am interested in joining! Sounds like fun
@bytes032.xyz@bytes032·
have been actively investing for the last few months no fees or carry-on, everyone being equal if u want to become part of the group, reply, and I'll DM you
Arz@0xArzzz·
After spending months bug hunting, I have finally found it! Many more to come! :) 🍾🎉
Arz@0xArzzz·
🫡👀
Arz@0xArzzz·
Like I said last time - Top 5 ✅🫡
Ohwale@dedohwale·
@calyptus_web3 Don't overthink it, simply mint 10, transfer, then mint again.
Calyptus@calyptus_web3·
Solidity Challenge #168 🕵️‍♂️ Can you find a way to manipulate this contract to create more than the MAX_PER_USER NFTs for yourself? 🤔
Ohwale@dedohwale·
@zigtur The browser data alone would not have been enough though, right? They would still need to log your MetaMask password via a keylogger. Either way, really cool! Thanks for the interesting read.
Cantina 🪐@cantinasecurity·
We have some exciting news... Cantina Beta is Live! Before you dive in - let's talk about what all of this means for protocols and researchers today 🪐 ( Read to the end for researcher access codes 👀 ) 🧵👇
Ohwale retweeted
Block@DegenShaker·
Absolutely delighted that my team, 7e1e (RED-LOTUS-REACH) won the best Analysis report on the MaiaDAO C4 contest! Great value can be given also in private reviews for clients delivering technical writing and expanded security research relevant to their protocol @reachauditing
Code4rena@code4rena

The report is in for @MaiaDAOEco's audit with Code4rena 🔎 Findings summary: High risk: 35 unique (106 total) Medium risk: 44 unique (134 total) 🤝 Congrats to the top report authors: raihan (Gas), @0xsmartcontract (QA) and 7e1e (Analysis) Read more ➡️ code4rena.com/reports/2023-0…

Ohwale@dedohwale·
@0xnirlin What was your toughest hurdle?
Nirlin - Security Auditor@0xnirlin·
Can confidently say I have successfully passed all the initial barriers in smart contract auditing. Villain arc now?
DevsOnChain 🥷⛓️@DevsOnChain·
Can you find out what is the hidden assumption that the developer made? 🧐 Hint: An edge case
Ohwale@dedohwale·
📝 Solidity Quiz Time What can go wrong with `createPrivatePool()`? ⚠️ Note: `cloneDeterministic()` is from Solady.
Flint@0xFlint_·
Final Chainlink @code4rena Update: It's Done!
1. Time Spent
90 hours over 18 days.
2. Submissions
🟥High: 1
🟨Medium: 4
🟩Low/NC: 7
🟦Analysis: 1
The high finding & 1 medium are rock-solid and I'm also really happy with the analysis I've written. The other three mediums depend on the degree to which documentation corresponds with intended design (so 90%+ chance they will go down to QA). All in all I'm very content with what I've done. Especially the high, which I found Saturday just randomly looking at the code while writing my QA report. Keep digging 'till the last second! 😂
3. What went well
I made a detailed plan on how to approach the audit in separate stages in order to remain focused and I followed the plan very closely. The time estimated also corresponded quite well with the actual time spent. The second week I spent multiple days working in Foundry seeing if my notes & ideas could be expressed and validated through tests. I can definitely feel that my skill level in Foundry has vastly advanced; at the start of the week I was spending a lot of time looking up the Foundry Books and copying parts of other tests. By the end I was just writing, the ideas were flowing smoothly into code just thinking about it. I had also planned to dedicate a serious amount of time to the analysis and I'm fairly proud of what I've written.
4. What could I have done better
- Mental Exhaustion: Doing a marathon audit contest is mentally very exhausting and I could have done a better job of anticipating and handling this. I had planned to simply work 6 hours per day for 18 days straight and reality showed me that this was not a good idea. I was so exhausted that I didn't do any work on day 7 & day 14. Next time I will include planned rests in my planning.
- Test, Tests & more Testing: In retrospect I spent too much time reading and not enough time testing. Simply building tests and trying them out to see state changes helps me more to understand the system than rereading the code for the n-th time. Also I feel there are a vast amount of state changes and scenarios that I did not explore at all or not sufficiently simply because writing extensive tests just to increase my understanding was a bit daunting. Next audit I will start testing much earlier and go much more in depth. I think there are many diamonds to be found in the depths of Foundry.
5. Expectations
I'm hesitant to put a number on it, but I have 2 findings that are rock-solid and my analysis is also good, so given the pot size, I think low 4-figures should be very realistic.
6. Next steps
2 Days spending time with my family on outings and having fun. 2 Days examining the findings of other auditors and learning what I didn't see and how I can make sure that next time I will catch them all.
7. Conclusion/TLDR
Exhausting but rewarding, regardless of the payout I have become a better auditor. And that is what is most important! 👊
Ohwale@dedohwale·
@PaladinCharles Interesting... Looking forward to the proposed solution!
CharlesWang@0xCharlesWang·
A thread 🧵 on how protocols can lock millions $ from innocent users ... Imagine you stake in a UniswapV2 farm, earning some passive income with your hard earned money. Then after some time you decide to withdraw your tokens - but it never works - the call always reverts. Your funds are now locked within the simple Masterchef contract ... But how is this possible?
Ohwale@dedohwale·
@serverConnectd @CipherShastra The first parameter of `call` is the gas sent. In this case, it's 1. If you use `gas()` as the parameter instead of 1, you will send all remaining gas to the call.
sarvad.base.eth 🦇🔊@serverConnectd·
@CipherShastra @dedohwale Might be a stupid question, but can you explain more on the not enough gas supplied, is it mentioned in code while making the assembly call or are we assuming not enough gas would be supplied while making contract execution?
Ohwale@dedohwale·
📝 Solidity Quiz Time What happens when we call `doCall()` here?
Ohwale@dedohwale·
@Quill_Academy Assuming _timelockBalances is in charge of locking the balance of the user, they are assuming operator == to. Astute attacker Alice can have a contract mint shares for her, and avoid the timelock.
DevsOnChain 🥷⛓️@DevsOnChain·
Can you find out what is the hidden assumption that the developer made? 🧐 Hint: The operator can be an intermediate address or user. 🤔
Ohwale@dedohwale·
📝 Solidity Quiz Time What does the `callSomeStateVar()` return?
Ohwale@dedohwale·
@CipherShastra Great answer! Thank you for participating 🙏 have a wonderful day.