Kalp
@kalp_eth

360 posts

Security Researcher QuillAudits | 80+ Private Audits | 150+ Critical/High Vulns Found | Solidity Expert | Solana Learning | Securing Web3 One Contract at a Time

Joined September 2023
916 Following · 261 Followers
Pinned Tweet
Kalp @kalp_eth
1. Deflation attack in @SiloFinance vault during a @code4rena contest.
Share = _assets.mulDiv(_newTotalSupply + 10^_decimalsOffset(), _newTotalAssets + 1, _rounding)
What's the problem here? totalAssets is based on redeemable market shares, but market rounding can cause an issue.
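Worked illustration of the share formula quoted in the pinned post. This is added example code, not Silo Finance's contracts and not the Code4rena finding itself. It assumes a hypothetical outer vault whose totalAssets() is the underlying market's rounded-down redeem preview of the market shares the vault holds, a hypothetical market with no virtual offset that rounds share issuance down against the depositor, and constructed deposit and donation amounts. With a market whose price per share is close to one, two equal deposits mint equal vault shares and totalAssets tracks what was deposited; once the market's price per share is large, share issuance inside the market rounds down hard, the vault's totalAssets falls short of the assets it forwarded, and the second depositor is minted more vault shares than the first for the same amount.

```python
# Added illustration (not Silo Finance code): ERC4626-style share math with a
# virtual decimals offset, and a vault whose totalAssets() is the rounded-down
# redeem value of the market shares it holds. All amounts are constructed.
from dataclasses import dataclass, field


def mul_div(a: int, b: int, d: int, round_up: bool = False) -> int:
    """a*b/d in integers with explicit rounding (mirrors Solidity mulDiv helpers)."""
    q, r = divmod(a * b, d)
    return q + 1 if (round_up and r) else q


def to_shares(assets: int, supply: int, total_assets: int, offset: int, round_up: bool = False) -> int:
    """shares = assets * (totalSupply + 10**offset) / (totalAssets + 1): the quoted formula."""
    return mul_div(assets, supply + 10 ** offset, total_assets + 1, round_up)


def to_assets(shares: int, supply: int, total_assets: int, offset: int, round_up: bool = False) -> int:
    """Inverse conversion, as used for redeem previews."""
    return mul_div(shares, total_assets + 1, supply + 10 ** offset, round_up)


@dataclass
class Market:
    """Hypothetical underlying market vault: no virtual offset, rounds against the caller."""
    assets: int = 0
    supply: int = 0

    def deposit(self, amount: int) -> int:
        shares = to_shares(amount, self.supply, self.assets, 0)  # rounds down
        self.assets += amount
        self.supply += shares
        return shares

    def preview_redeem(self, shares: int) -> int:
        return to_assets(shares, self.supply, self.assets, 0)  # rounds down

    def donate(self, amount: int) -> None:
        self.assets += amount  # assets arrive without minting shares: raises price per share


@dataclass
class Vault:
    """Hypothetical outer vault: its only asset is a market-share position, valued at redeem preview."""
    market: Market
    offset: int
    supply: int = 0
    market_shares: int = 0
    balances: dict = field(default_factory=dict)

    def total_assets(self) -> int:
        # Derived from the market's rounded-down conversion, not from assets actually deposited.
        return self.market.preview_redeem(self.market_shares)

    def deposit(self, who: str, amount: int) -> int:
        shares = to_shares(amount, self.supply, self.total_assets(), self.offset)
        self.market_shares += self.market.deposit(amount)  # market rounding happens here
        self.supply += shares
        self.balances[who] = self.balances.get(who, 0) + shares
        return shares


def run_scenario(market_skew: int, offset: int = 3) -> dict:
    """Two equal 1-token deposits into the vault. market_skew is a constructed donation
    that raises the market's price per share before the vault makes its first deposit."""
    market = Market()
    market.deposit(1)  # seed one market share
    market.donate(market_skew)
    vault = Vault(market, offset)
    one = 10 ** 18
    alice = vault.deposit("alice", one)
    ta_alice = vault.total_assets()
    bob = vault.deposit("bob", one)
    ta_bob = vault.total_assets()
    return {
        "alice_shares": alice,
        "bob_shares": bob,
        "total_assets_after_alice": ta_alice,
        "total_assets_after_bob": ta_bob,
        "deposited": 2 * one,
        "shortfall": 2 * one - ta_bob,  # assets the vault can no longer redeem for its holders
    }


if __name__ == "__main__":
    for skew in (0, 10 ** 18):
        r = run_scenario(skew)
        print(f"skew={skew}: shares alice/bob = {r['alice_shares']}/{r['bob_shares']}, "
              f"totalAssets = {r['total_assets_after_bob']} of {r['deposited']} deposited")
```

The decimals offset in the quoted formula protects the vault's own share price against first-depositor inflation; it does nothing about rounding one layer down. A vault that values itself through another vault's conversion therefore needs its own bound on how far totalAssets may move against depositors per operation, rather than trusting the offset alone.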
Ehsan @Ehsan1579
This one has a bit of a story behind it. Less than 12h after the report was submitted, it was confirmed by the team. The team didn't even try to argue about how catastrophic the impact was. They were fast, responsive, professional and transparent with their users, something I really admired. They simply told me straight that, because of a large hack they suffered last year, they're struggling financially and letting a lot of their people go. The direct impact was around 7 million dollars. They were honest and I like honesty, so instead of the normal 700k bounty, I accepted the 300k. I don't regret my decision and I hope the project bounces back even stronger during these hard times. I admire them and their security standards and I wish them the best.
Immunefi @immunefi

Security researcher @Ehsan1579 just brought home $300,000 from a critical report via Immunefi. He's absolutely on fire in 2026. If you pledge $IMU behind him, you both earn $IMU when he finds more bugs: immunefi.com/pledge/bpop232…

Kalp reposted
QuillAudits @QuillAudits_AI
Today marks 8 years of QuillAudits. Most Web3 security firms didn't exist 8 years ago. Most won't exist 8 years from now.

We've built through 3 bear markets, 2 exploit waves, and the full evolution of smart contract attacks from simple reentrancy to cross-protocol economic exploits. 1,500+ protocols. $3B+ protected.

The biggest lesson from 8 years and 1,500+ engagements: one team, one method, one pass doesn't cut it when you're protecting hundreds of millions in user funds. So we rebuilt the model.

Multi-Layer Audit → four independent security layers, delivered in the same timeline as a traditional audit:
> Senior auditors who've collectively reviewed 1,500+ protocols
> AI security agents trained on 5,000+ real exploits since 2017
> Independent bug bounty through curated security researchers
> Continuous monitoring, because threats don't stop at deployment

4 layers. Each one catches what the others miss.

Web3 has a $100T addressable market if institutions show up. They won't show up until security is embedded in every layer, every transaction, every deployment, the way HTTPS is embedded in the internet. That's the problem worth solving for the next 8 years.

QuillAudits built the foundation. QuillShield is the next chapter: an AI security agent that brings what we learned from 1,500+ manual audits into every developer's workflow, before code ever hits mainnet.

8 years in. Still early.
Kalp @kalp_eth
zk × AI security × infra depth. 2026 grinding mode.
Pyro @0x3b33
I made $140k auditing web3 projects in 2025. Here's the exact breakdown:
- Contest winnings: $9k (5 contests, 2 top-3 finishes)
- Working for firms: $131k (32 audits)
- Bug bounties: $0 😅

Time investment:
- 50-60 hour weeks
- ~2k hours auditing
- ~$70/hour effective rate

The best part? Year 2 earnings typically 2-3x year 1. Most auditors I know are at $200k+ by year 3 (some even before that 👀)...
Kalp @kalp_eth
Vibe audit = auditing based on assumptions without deeply challenging them.

✅ "Good" side, if you go live without a proper manual audit:
- save thousands of dollars.
- ship faster.
- reduce short-term costs.

❌ "Bad" side:
- A single broken assumption can collapse the system.
- One exploit can lead to millions in losses.
- Reputation damage.
Guillermo Rauch @rauchg

We've identified, responsibly disclosed, and confirmed 2 critical, 2 high, 2 medium, 1 low security vulnerabilities in Cloudflare's vibe-coded framework Vinext. We believe the security of the internet is the highest priority, especially in the age of AI. Vibe coding is a useful tool, especially when used responsibly. Our security research and framework teams are extending their help and expertise to Cloudflare in the interest of the public internet's security.

Sanford @0xiSanford
@kalp_eth When an invariant challenges core mechanics, that’s not friction, it’s feedback. Good protocols treat that tension as a signal to refine assumptions, not dismiss risk, for that doesn't remove the risk. Security improves when design and guarantees evolve together.
Kalp @kalp_eth
"It's not a bug, it's a design choice." The most expensive sentence in web3.
Kalp @kalp_eth
@0xiSanford True, I've seen valid invariants rejected simply because fixing them would require changes to core protocol mechanics, often a time-consuming rewrite, but security shouldn't bend to architectural convenience.
Sanford @0xiSanford
@kalp_eth Indeed, the most expensive "design choice" often just means the threat model wasn't formalized. If value can move in unintended ways, that's risk. Clear invariants upfront would save everyone time, and a lot of rejected reports.
Kalp @kalp_eth
Generic AI audit = garbage output. Protocol-specific AI audit = actually scary good. 🥷
Kalp @kalp_eth
@cvetanovv0 truly understand it is progress in security, depth > velocity.🥷
Dimitar Tsvetanov @cvetanovv0
Jumping from project to project feels productive. But real findings come from sitting with the code long enough to understand it. In security, depth beats constant switching.
Kalp @kalp_eth
AI audit tools are fast. Not deep. The sweetest spot right now: bugs are sitting quietly, waiting for someone who actually thinks adversarially. New era. Same edge. Think deeper than the tool.
QuillAudits @QuillAudits_AI
If your AI audit workflow is just asking:
Find reentrancy > Check access control
You're not auditing. You're autocomplete scanning.

We just released the first version of 10 Claude Skills built specifically for smart contract security. These 10 Claude Skills weren't built in isolation. They are derived from the same research and architecture behind QuillShield, our proprietary AI security engine used internally at QuillAudits.

Most AI-assisted audits fail because they:
- Pattern match
- Ignore contract-wide state
- Skip exploit simulation
- Don't model severity

Security requires reasoning, not regex. Our 10 Claude Skills introduce:
- Semantic state reasoning
- Behavioral decomposition
- Adversarial exploit simulation
- Probabilistic risk scoring
- Modular, targeted analysis

Structured AI for real audits.