Jacopod

935 posts

Jacopod banner
Jacopod

Jacopod

@jacolansac

Auditor and bug hunter on Smart contracts. Slow is good.

Katılım Eylül 2014
223 Takip Edilen468 Takipçiler
Sabitlenmiş Tweet
Jacopod
Jacopod@jacolansac·
Apparently, the @spillways10 staking contract was hacked, and funds have been draining for the last 200 days. I was approached by a stakeholder to investigate the hack and I happily agreed. A thread:
English
11
23
89
28.2K
Jacopod
Jacopod@jacolansac·
One year ago "how-to" was a valuable skill. Now with Claude code, "how-to" is cheap and has barely any value. Now, "what-to" is the important skill.
English
0
0
2
156
revert
revert@revertfinance·
⚠️ Security update: We hace received a report of an exploit affecting our newly deployed Aerodrome USDC vault. Deposits are disabled. User funds are safe. ~50k USDC was lost (mostly Revert funds). Other vaults are unaffected. Full report soon.
English
4
1
29
8K
Jacopod retweetledi
Security Alliance
Security Alliance@_SEAL_Org·
Crypto Drainers using React CVE-2025-55182 We are observing a big uptick in drainers uploaded to legitimate (crypto) websites through exploitation of the recent React CVE. All websites should review front-end code for any suspicious assets NOW.
English
16
69
270
31K
Jacopod
Jacopod@jacolansac·
@HatsFinance Sad news for the industry. Even more for me, cos here is where I got my first #1 in a public audit contest. Great job to the team for the platform. See you in the next venture
English
0
0
7
430
Hats.Finance 🦇🔊
Hats.Finance 🦇🔊@HatsFinance·
🚨 Important announcement: Sadly, we’re announcing that Hats.finance is entering a final wind-down of its hosted operations. After a lot of reflection, we’ve reached the point where keeping a centralized UI and servers running is no longer sustainable, and there isn’t a new legal or operational wrapper planned to continue that hosted stack. This is not easy to share. Hats have been a long, fascinating, sometimes brutal journey. Since 2021, we chased one belief: a decentralized market deserves decentralized security. Vitalik’s narrative about systems sharing Web3's DNA was a compass for us, and Hats was built in that spirit. But reality didn’t match the original thesis. Smart contract security budgets did not scale to DeFi-level volumes as we expected, and rapid progress in AI security tools, along with the maturation of secure, reusable smart contract building blocks, reduced the need for a protocol like Hats to sustain meaningful long-term demand for the HATS token. What happens now: * The Hats.finance hosted frontend and backend (UI and servers) are expected to go offline on Dec 31, 2025. Most functionality that depends on that hosted stack will be phased out. * The Hats protocol remains deployed on-chain and governed by the DAO. Core contracts are intended to continue functioning according to their code. * An IPFS build of the frontend is available today and may remain accessible via public gateways as long as it is being served (e.g., by pinning providers or community nodes). As payments to our current pinning provider (e.g. Pinata) will stop, we cannot guarantee its continued availability or performance. Action for users with deposits: If you want to withdraw via the hosted UI, we recommend starting a Withdraw Request by Dec 17, 2025 (7-day cooldown plus 7-day withdrawal window). If you miss the window, you can re-initiate a new request, or interact directly with the contracts at any time, subject to their logic and network conditions. Thank you to everyone who believed in this experiment, used it, partnered with it, and pushed it forward. We’ll do our best as contributors to support the community through the wind-down. Shared in our capacity as individual contributors to the Hats protocol, for information purposes only.
Hats.Finance 🦇🔊 tweet media
English
69
8
273
53.1K
Jacopod
Jacopod@jacolansac·
@0xKaden @zora That feels like a low payout for such a find
English
0
0
1
142
kaden.eth
kaden.eth@0xKaden·
How ✨I found a critical vulnerability✨ in @zora's ERC20Z contract via a little known Uniswap v3/v4 property When Zora put out this article: zora.co/writings/oncha… outlining their new protocol, I was intrigued and had to learn more From a high level, the system works by allowing creators to sell NFT's where a portion of the revenue from the sale is taken and placed in a Uniswap v3 pool along with an ERC20 wrapped version of the NFT, instantly creating a liquid secondary market. Pretty cool mechanism. I had to dig deeper Reading the contract, I quickly spotted something that set off alarm bells in my head. When minting liquidity, the amount0Min and amount1Min parameters were 0. Looks like a classic sandwich attack vulnerability, was this too good to be true? (spoiler: kinda) I quickly wrote up a (messy) PoC realizing that I was looking at a pretty good payday for the little amount of time I'd spent on this. The PoC worked by frontrunning the liquidity mint to provide a small amount of liquidity to the pool and swap the token price to the maximum price, then backrunning the mint by selling the token into the newly placed liquidity, draining the position of its ETH and dropping the token price to near zero I sent the PoC off to Zora's security team expecting the best, but alas they pointed out a significant flaw in the PoC. I dealt ERC20Z tokens to the contract to provide liquidity so that I could make the frontrun swap, but Zora had designed the system with this in mind, making it impossible for anyone to get the ERC20 token before liquidity was placed Feeling dejected, I played around with the PoC to see if there was any way I could still make the attack possible. What if I try swapping with no liquidity in the pool? I run the updated test. I see green. It worked! It turns out that you can freely manipulate the price of Uniswap v3/v4 pool by swapping zero amounts when there's no liquidity in the way. This was exactly what I needed for the exploit Zora acknowledged that this attack was indeed possible, patching the issue and ultimately awarding me a bounty of 11k USDC To security researchers and smart contract developers: make sure to prevent price manipulation by using safe amount0Min/amount1Min parameters and beware of 0 amount swaps! Shameless plug: this is the third high+ severity confirmed bounty I've reported on a protocol which leverages Uniswap v3, so if you'd like to get coverage on your Uniswap v3/v4 adjacent protocol, my DM's are open! And if you'd like to book me on a team audit with the best of the best, you can book me through @SpearbitDAO
kaden.eth tweet mediakaden.eth tweet mediakaden.eth tweet media
English
30
38
551
59.1K
Jacopod
Jacopod@jacolansac·
@rifthq Very cool product. I'm confused about something though: is it undergoing audits right now while the protocol is active?
English
0
0
0
21
RIFT
RIFT@RIFTHQ·
Rift is actively undergoing audits to ensure the highest levels of confidence in our implementation. Use at your own risk. End of thread 🚀
English
1
0
12
1.2K
RIFT
RIFT@RIFTHQ·
Rift runs Bitcoin and Ethereum nodes inside cloud TEEs to escrow and release funds upon user receipt of funds. Since security is enforced by hardware rather than staking, Rift has best in class capital efficiency for Market Makers and users. Let's deep dive how swaps work ⬇️
RIFT tweet media
English
20
12
136
28.5K
Jacopod
Jacopod@jacolansac·
@samczsun Perhaps it is not the protocol who should decide to allocate funds to a security fund. Perhaps it should be the users of the protocol through governance or similar
English
0
0
0
49
samczsun
samczsun@samczsun·
so how do we secure protocols after they earn "survived the test of time" status? seems like - bug bounty doesnt justify low ev - not worth paying for new audits if its clean - impossible to insure because no way to estimate risk are we cooked or am i missing something (please)
English
72
23
289
64.9K
SHERLOCK
SHERLOCK@sherlockdefi·
Sherlock AI discovered a Critical vulnerability affecting $2,400,000 in a live lending protocol. This is the first known instance of an AI uncovering a multi-million-dollar bug on mainnet. Here's how Sherlock AI surfaced the vulnerability:
SHERLOCK tweet media
English
84
86
622
934.7K
Jacopod
Jacopod@jacolansac·
So well deserved
miri@mirionics

Crossed $150M TVL today🎉 Honestly so proud of what our team has built at @origami_fi over the past year >$108M TVL in hOHM (attracting almost 1/3rd of the gOHM supply!) >$15M+ in oriBGT (50% of all staked iBGT!) >$13M in incredibly well-loved @InfraredFinance LP auto-compounders and auto-stakers >The #1 place for $SKY staking and the best risk-adjusted $USDS yields >Most hyped Boyco vault attracting $69M USDC Crazy to think the next 12mos may just be even bigger and better The paper has been creased Still early🌱

English
1
0
3
339
Jacopod
Jacopod@jacolansac·
@0xFlint_ So you need to learn English before being good at security :p Jokes aside, I agree. I wouldn't say grammar errors, but natspec errors in general, pointing to codebases being shipped fast / not paying enough attention to details
English
0
0
1
103
Flint
Flint@0xFlint_·
Flint's Law: An exponential relationship exists between the number of grammar errors and the number of findings in any codebase In over 50 contests, private and firm audits, I have never seen this rule not hold true.
Flint tweet media
English
7
0
78
2.9K
Jacopod
Jacopod@jacolansac·
@Jeyffre I haven't looked into it myself, but I heard that Panoptic competition (code4re a) was quite interesting. Using uniV3 Lp for an options market because the underlying math was equivalent. Perhaps a nice extension to the existing Uniswap content
English
1
0
2
168
Jeffrey Scholz
Jeffrey Scholz@Jeyffre·
Show me the absolute hardest math Solidity function/codebase you’ve seen. Preferably ones that gave you nightmares. Uniswap V3/V4 not permitted, already wrote on those. Also, the automatically generated Solidity ZK verifiers aren’t interesting either. Hit me with your best shot.
English
6
0
41
2.9K
Jacopod
Jacopod@jacolansac·
@aviggiano Interesanting. What kind of output would you expect? A paginated API endpoint, a huge file... To get a better idea of what you want
English
0
0
0
50
Antonio Viggiano
Antonio Viggiano@aviggiano·
I have a product request (would pay for it) an indexing service where you query new events on demand for arbitrarily long historical data anyone building this?
English
10
1
5
1.3K
Jacopod
Jacopod@jacolansac·
@Jeyffre Good tip. There should be a phone app that has gestures-actions so you can start/stop the cronos from a blocked black screen
English
0
0
2
175
Jeffrey Scholz
Jeffrey Scholz@Jeyffre·
Here’s a productivity hack similar to pomodoro, but not quite the same. Get yourself one of these watches. It has a stopwatch built in, all you have to do is press the start/stop button on top. (This kind of watch is called a “chronograph” but it’s a stopwatch…). Make sure it can track up to 12 hours because a lot of these watches only go up to 30 minutes or so. A cheap knockoff will do, no need to buy a branded one unless you are into that. Now throughout your day, make the stopwatch run when you are being productive By productive I mean you are literally producing something such as: - code - an audit report - a project - a technical article - cold outreach Whenever you: - check twitter - check email - go to the gym - transit between places - eating a meal - taking a walk to clear your head - do anything pseudo-productive (ice bath, sauna, meditation) Then stop the stopwatch and don’t start it until you get back to being productive. The problem with recording a stopwatch on your phone is you have to do multiple clicks to start and stop it, and it has distractions. You want this to be frictionless. Just reach to your other wrist, press button. You could also hang a stopwatch around your neck, but people might think you are weird. Here’s what you will learn: you thought you were “working” 10 hours a day when in reality you were working 3. Then course correct.
Jeffrey Scholz tweet media
English
6
6
105
6.7K
Jacopod
Jacopod@jacolansac·
@shafu0x What do you use remix for that you can't use foundry/cast?
English
0
0
1
131
shafu
shafu@shafu0x·
Smart Contract Tech Stack I use everyday Foundry Tenderly Etherscan Ponder Solidity Remix Anvil OZ Defender Dune CDP Viem Alloy shafu formatter Cast
English
28
24
354
17.7K
Jacopod
Jacopod@jacolansac·
Here is one of the latest audits I've done, for @iMacroMillions. The most interesting issue is [C1]. Not because it is critical, but because it is a small edge case magnified to the point of breaking the entire protocol. The team response was great, and they fixed all essential issues. github.com/JacoboLansac/a… See my complete audit portfolio: #jacopod---smart-contracts-audits" target="_blank" rel="nofollow noopener">github.com/JacoboLansac/a…
Jacopod tweet media
English
0
0
1
186