Joe | Audit Wizard

527 posts

@joe_vanloon

Professional security wizard, building @audit_wizard, making audits great again - previously worked @apple

Joined September 2021
688 Following, 880 Followers
Joe | Audit Wizard @joe_vanloon
@pcaversaccio Honestly I use 6 months. 7 days is a good minimum, but I prefer to have more Lindy on my dependencies. A week will prevent most takeovers, but multiple months can prevent many 0-day exploits (thinking about attack discovery and exploit times)
sudo rm -rf --no-preserve-root /
i have updated all of my actively maintained repos that use npm packages in some form to only install package versions that have been published for _at least 7 days_ (this includes transitive deps as well); 7 days is currently my hope that will be enough to catch the some-dev-account-got-compromised-and-published-something-malicious as well as the more sophisticated worm hacks. anyone who currently does not enforce a min release age for deps of at least 3 days imho is simply irresponsible.
Joe | Audit Wizard retweeted
Auditware @audit_wizard
In 2022, we performed one of the first ever OpSec audits for a web3 company, pulling from over 7 years of experience securing the most sensitive and high value teams at companies like Apple and Amazon. We built a bespoke audit process from the ground up that covers all of the weak points that code and infra audits don't. Over the past 4 years we've reviewed OpSec for VCs, startups, mature companies, and teams ranging from 5 people to 50+, including crypto-adjacent orgs with no on-chain presence, and crypto-native orgs with dozens of multi-sigs and hot wallets. We started with ad-hoc reviews tailored to each organization: Meet with the team to ask all the questions we could think of, build a threat model, and write a report highlighting risks and recommending mitigations. But we quickly learned that, while there are unique risks each team faces, many of the topics we covered were shared between orgs. We wrote guides for securing Discord servers, Twitter/X accounts, email servers, and developed both targeted and generalized trainings for whole teams. We also learned that these audits ran most smoothly with some sort of structure in place to define what each meeting should cover, who we needed to talk to in the org, and when we knew we were done. And when we spoke about OpSec to teams they didn't have a solid understanding of what it even meant or what the scope included. We built a very detailed internal process and set of resources outlining all of this. Since then, we've taken that internal playbook and refined it across multiple audits, each with their own unique risks and challenges. But this was something we felt we could not keep to ourselves. Last year, we converted that playbook into a comprehensive set of requirements, guides, and tools - all open source and free for anyone to use. We called it the Web3 OpSec Standard (W3OS).
What sets W3OS apart from other OpSec resources is that it aggregates a comprehensive set of guidance into one place; presents everything as actionable checklists; and provides concrete guides for configuring platforms, setting up secure development environments, and training teams to stay secure. This year, we've also started building tools to support these guides and requirements and enable teams to take their OpSec seriously without having to build complex monitoring tools themselves. Auditware has been doing OpSec audits for over 10 years, we wrote the book on web3 OpSec, and we continue to build open source public goods for tackling OpSec issues because we truly believe that our industry cannot thrive without preventing the many, easily preventable security failures we have seen over the years. We highly encourage everyone to put these resources to good use and tighten up your OpSec before you have an incident! The best way to get started with this is making an account on our free OpSec collaboration platform, Sentry, which allows you to navigate W3OS requirements and guides with ease, track tasks across your team, and set up monitoring tools: sentry.auditware.io
Joe | Audit Wizard retweeted
Ethereum Foundation @ethereumfndn
0/ Clear signing is now live. An open standard to end blind signing, making human-readable transactions default. This effort brings a major UX and Security upgrade to transaction signing on Ethereum.
Moody 💭 @sendmoodz
We reached out to @griffgreen from @thedaofund to seek funding for making token approvals safer with ERC-8255. We intended to direct 100% of any funding towards victims of the recent @EkuboProtocol exploit. It looks like we will not be receiving any support--not even inclusion in current or future quantitative funding rounds. It appears @thedaofund is not focused on solving real security problems under leadership of @griffgreen. The entire conversation is attached. We will still be pushing to get ERC-8255 as widely adopted as possible. However, I have no faith in @thedaofund's ability to distribute funds faithfully according to their mission. Token approvals are even mentioned specifically in Ethereum Foundation's Trillion Dollar Security initiative: ethereum.org/trillion-dolla… If you wish to donate to the development and adoption of this ERC, you can send any tokens or ETH to erc8255.eth. Any funds received will be directed towards reimbursing victims of the recent @EkuboProtocol exploit. Read the ERC here: eips.ethereum.org/EIPS/eip-8255 Check out our draft implementations: • OZ: github.com/OpenZeppelin/o… • Solady: github.com/Vectorized/sol…
Joe | Audit Wizard @joe_vanloon
Imagine someone mugs you, and some good Samaritans stop the mugger and get some of your money back but before they can hand it to you some random lawyer claims that mugger owed him money so he gets to have it. How could that make sense to anyone?
Quoting Tay 💖 @tayvano_:

@lex_node You fucking retard this isn’t a fucking court order this is a fucking lawyer letter trying to claim property that belongs to DPRK. STOLEN MONEY DOESNT BELONG TO DPRK. THEY STOLE IT. Go back to law school fuck.

Joe | Audit Wizard @joe_vanloon
@coinspect @Rabby_io It's 2026 and we still don't have mismatching SIWE domain detection in every wallet. Where are our priorities 😢
Coinspect Security @coinspect
People get surprised when their favorite wallet ranks lower than another (@Rabby_io has passionate fans!) But our rankings are fully transparent, with evidence behind every score. You can check what we found and decide if it actually matters to you. Use the report comparison tool to see why OKX ranks higher than Rabby. Don't trust. Verify. We test, you decide.
Joe | Audit Wizard @joe_vanloon
@pcaversaccio @kristovatlas I think a key callout is that you shouldn’t store a seed phrase/private key in a single place. It should require multiple pieces to recompose, all stored in different media and with different entities. Maybe part of that can be in a pw manager, but certainly not all of it.
sudo rm -rf --no-preserve-root /
putting pks into a pw manager is an insane thing to do and you should absolutely fucking not do this (you would be surprised how many projects do this still fml), but i have been yelling into the void (for now) that pw managers should stop offering this retarded and completely unnecessary risky feature; i mean i do like proton for example (to be clear, proton is unrelated to the incident i qt), but this is all nonsense, they give people "bad ideas" here. this is a perfect example where additional friction should be added to a product; eg the pw manager should be able to detect if a certain pk or seed phrase is pasted and generally disallow this. x.com/pcaversaccio/s…
Quoting Syndicate @syndicateio:

The root cause was a private key compromise. Keys were stored in a password manager accessible to a small number of people to handle chain maintenance and upgrades, without an additional encryption layer separate from the password manager.

Joe | Audit Wizard @joe_vanloon
@LundukeJournal What the fuck are you talking about. This is beyond disgusting bigotry. Go touch some grass you loser.
The Lunduke Journal @LundukeJournal
Why I think it's (at least somewhat) interesting that Ubuntu hired a Trans security researcher to look over the Rust-rewrites of CoreUtils: - The Rust programming language has been heavily promoted by, and associated with, Trans Activism. To the point where it has become a standard joke that everyone in Tech understands. - Rust is also tightly associated with people who pretend to be underage, anime style, animated girls on the Internet. Again, to the point where it has become a well understood cliche. - The motivation for replacing all of GNU CoreUtils with Rust-rewrites has appeared to be driven by a non-engineering motivation. Politics, a desire to remove GPL'd code from Linux distros, or both. - There are a *lot* of security research, code auditing, and consultant firms in the world. Ubuntu chose to go with one founded by someone "Trans". *And* who represents himself as an "underage, anime style, animated girl". Now, is this particular "Trans" / Anime person a good developer? Could be! But what is the likelihood of a "Trans" / "Underage Anime Girl but Actually a Grown Man" person being hired -- among all of the potential firms in the world -- without some sort of bias from Canonical / Ubuntu coming into play? I would suggest that "Trans Activism" and political bias likely played a large role in the choice of firm which got that contract. Maybe you are ok with that. Maybe you aren't. Either way, it's worth documenting as part of a broader movement within Open Source which has a heavy influence from both politics and Trans Activism.
Quoting The Lunduke Journal @LundukeJournal:

Remember the security firm that Ubuntu hired to audit the (ill-advised, highly buggy) Rust-rewrites of all of the GNU Coreutils? Turns out that security firm is run by @gf_256, who: - Appears to be a man who thinks he's a woman ("trans"). - Uses an anime cartoon of a girl as his avatar. - Appears to have an OnlyFans page. I repeat: Ubuntu hired a "Trans" man, with an anime girl avatar and an OnlyFans page... to audit Rust code. It's hard to get more on-the-nose than that.

Joe | Audit Wizard retweeted
Auditware @audit_wizard
April saw $630M lost to OpSec failures across DeFi: compromised multi-sig keys, malicious upgrades, and supply chain attacks. W3OS covers what audits miss. Thank you @griffgreen @jchaskin22 💜
Joe | Audit Wizard @joe_vanloon
You get the same level of security that you do on your home network, with a secure tunnel right to it. You are your own VPN provider! Goodbye VPN subscription services 👋 Bonus: You can set up pi-hole on that home server to block ads at the network level no matter where you are!
Joe | Audit Wizard @joe_vanloon
1. Set up a home server using a Raspberry Pi, Mac Mini, or an old PC you don't mind leaving on.
2. Install Tailscale (tailscale.com) on that server and set it up as an exit node.
3. Configure Tailscale on your devices to use your exit node.
That's it!
Joe | Audit Wizard @joe_vanloon
If you are using a VPN service, you’re actually paying for a company to man-in-the-middle all of your traffic. They could be compromised, malicious, or compelled by authorities to reveal your network traffic. Here is what you should do instead 👇
Joe | Audit Wizard retweeted
forefy @forefy
Love this list and love the fact that my skills are on there. I would just say to protocol devs reading this that just running all of these like mad is going to rain a false positive hell on your team and will also be a security risk, as all of those skills are possible supply-chain vectors that need to be considered. Solution tho: Trust your auditors to have nurtured their pick of favorite skills, capabilities, and experiments, and trust that this is what we do: we collect them like Pokemon cards, improve and cut out the slop, use the right tool for the job and honestly use more tokens.
Quoting pashov @pashov:

If you want to run free AI audit tools on your codebase, check the repository below👇 Most serious developers run multiple AI vulnerability scanners before going into a full audit and they often remove double-digit vulnerabilities from their code. URL: github.com/pashov/ai-web3…

Joe | Audit Wizard @joe_vanloon
The most powerful security control is isolation. Containers for every dev project/tool, separate laptops for work/personal/signing, one browser for opening links and one for logging into accounts. You could literally do nothing else and this would cover 95% of your security risk.
Joe | Audit Wizard @joe_vanloon
@k1rallik "Input sanitization, output encoding". This is the security engineer's mantra and was completely missed. Robinhood is literally out here running completely unreviewed code SMH
BuBBliK @k1rallik
do you understand what just happened to Robinhood.. Someone sent a perfect phishing email - real domain, DKIM pass, SPF pass, DMARC pass and Robinhood's own servers delivered it. Here's the chain:
→ Gmail treats john.doe@ and johndoe@ as the same inbox
→ Attacker registers a NEW Robinhood account using the dot trick of YOUR email
→ Sets the device name to raw HTML code
→ Robinhood's "unrecognized activity" email renders it unsanitized
The "Review Activity Now" button? Attacker's phishing site. The email? 100% real.. Sent by Robinhood.. Signed by Robinhood.. Just because it passed every security check doesn't mean it's safe.
Quoting Abdel @rockkdev:

New Robinhood phishing chain that's kinda beautiful:
1. Attacker creates an RH account using the Gmail dot trick of your email (same inbox, different address)
2. Sets device name to HTML
3. RH's "unrecognized activity" email renders the device name unsanitized (html injection)
The result is a real email from noreply@robinhood.com, DKIM pass, SPF pass, DMARC pass, with a phishing CTA. Just because it's real, doesn't mean it's safe... $HOOD

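The bug class in the thread above, shown as an added example rather than Robinhood's actual code: a transactional email template that interpolates a user-chosen device name into HTML, beside the validated and output-encoded version that Joe's "input sanitization, output encoding" reply calls for, plus a Gmail address canonicalisation that closes the dot-trick half of the chain. The device name, URLs and template are constructed.

```javascript
// Added example (not Robinhood's code): the bug class described in the thread
// above, with the fix. A transactional email template interpolates a user-chosen
// field (the device name) into HTML; the injected name and URLs are constructed.
const escapeHtml = (s) => String(s).replace(/[&<>"']/g, (c) =>
  ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" }[c]));

// Vulnerable: raw interpolation, so markup in deviceName becomes part of the email.
function renderAlertVulnerable(deviceName, reviewUrl) {
  return `<p>New sign-in from <b>${deviceName}</b>.</p>` +
         `<a href="${reviewUrl}">Review Activity Now</a>`;
}

// Fixed: validate the name on input (length cap, plain characters only) and
// output-encode every untrusted value at the point it enters HTML.
const DEVICE_NAME_RE = /^[\p{L}\p{N} ._'()-]{1,64}$/u;
function validateDeviceName(name) {
  return DEVICE_NAME_RE.test(name) ? name : null;
}
function renderAlertSafe(deviceName, reviewUrl) {
  const name = validateDeviceName(deviceName) ?? "Unknown device";
  return `<p>New sign-in from <b>${escapeHtml(name)}</b>.</p>` +
         `<a href="${escapeHtml(reviewUrl)}">Review Activity Now</a>`;
}

// Closing the other half of the chain: treat Gmail dot/plus variants as one
// inbox before enforcing "one account per email address".
function canonicalEmail(addr) {
  const [local, domain] = addr.trim().toLowerCase().split("@");
  if (domain === "gmail.com" || domain === "googlemail.com") {
    return local.replace(/\./g, "").split("+")[0] + "@gmail.com";
  }
  return `${local}@${domain}`;
}

// True when the rendered email contains more <a> tags than the template's own one.
function hasInjectedAnchor(html) {
  return (html.match(/<a\b/gi) || []).length > 1;
}

// Constructed device name carrying markup, as the thread describes.
const INJECTED = '<a href="https://phish.example/review">Review Activity Now</a>';
const REVIEW_URL = "https://example.com/account/activity";
console.log(hasInjectedAnchor(renderAlertVulnerable(INJECTED, REVIEW_URL))); // true
console.log(hasInjectedAnchor(renderAlertSafe(INJECTED, REVIEW_URL)));       // false
```

The `hasInjectedAnchor` check is also a cheap regression test to run over every outbound template in CI with hostile sample values for each interpolated field.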
Joe | Audit Wizard @joe_vanloon
@Oms_Garfito Terrible posture from lying down, no desk mat, rainbow LEDs blinding him, a keyboard with numpad, and not a single terminal window or even an IDE open. This guy is absolutely NOT locked in doing dev work, who are you kidding 💀
Omi.😌 @Oms_Garfito
This is what programmers in Yucatán are like.
Joe | Audit Wizard @joe_vanloon
So happy to receive a @thedaofund security badge! I’ve been nonstop building tools and securing projects in web3 for the past three years, and bringing my web2 OpSec experience to this space. I’ll use my power wisely 🧙‍♂️
Quoting thedao.fund @thedaofund:

@ChaseTheLight99 @joe_vanloon @0xKaden @0xzak @tapired @jaczkal @Quantstamp (Richard Ma) @xy9301 @m4rio_eth @dobsec @0xpetern @duha_real Nikola Matić @defisafety @tw_tter @_mixy1 @leekt216 @urruts @tpiliposian @LuckyLuker2 @eduadiez @seth_certora @unsafe_call @Draiakoo @umariomaker
