lucyoa

434 posts

@lucyoas

lead security researcher at @openzeppelin

evm Joined February 2013
455 Following · 290 Followers
lucyoa@lucyoas·
If you've followed RareSkills NTT thread, the inverse is the half that actually makes polynomial multiplication usable. Worth a read for anyone going deep on ZK. rareskills.io/post/inverse-n…
lucyoa@lucyoas·
Move's type system kills whole bug classes Solidity devs sweat over, no silent drops, no dynamic dispatch hijacks, ownership enforced at both type and runtime layers. But novel guarantees breed novel footguns. Sharp writeup on what still bites in real Sui audits. openzeppelin.com/news/critical-…
lucyoa@lucyoas·
Firefox patched 271 bugs surfaced by Claude Mythos preview and Mozilla notes none were beyond what a top human researcher could find. The interesting number isn't 271, it's how fast one model burned through that backlog. blog.mozilla.org/en/firefox/ai-…
lucyoa@lucyoas·
@trailofbits @dguido Serious question, how will you sustain expertise over time? The setup you presented seems short-sighted, as it largely focuses on exploiting existing knowledge and not developing it.
Trail of Bits@trailofbits·
The fastest way to get a team to adopt AI is to make them put in reps. We run hackathons as a forcing function. @dguido at unprompted
lucyoa@lucyoas·
A security council freezing 30k ETH mid-exploit is the quiet admission that L2s aren't trust-minimized yet, they're trust-delegated to a multisig fast enough to push the pause button. Useful today, awkward for the decentralization pitch tomorrow. forum.arbitrum.foundation/t/security-cou…
lucyoa@lucyoas·
@trust__90 Yet more questions and no answers
Trust@trust__90·
CT focusing on the low-hanging fruit takes - "How could KelpDAO be this negligent to configure 1/1 DVN?" "Why is LZ supporting such unsafe config?" "How did AAVE risk management team not flag this setup?" While valid, these are the wrong questions to be asking.

As an industry after each exploit we always seem to point fingers at the most easy to blame component, pretending we'd be fine if only "X wasn't this stupid". I read this as a psychological coping mechanism designed to sidestep the existential question - can we ever truly achieve the required level of security guarantees to replace TradFi?

Vanilla crypto usage (e.g. BTC, ETH transfers) is generally as secure as the weakest link between cryptographic attacks, key safety, and consensus layer. This is a fairly formal mathematical surface. Then contracts were introduced, each one creating a new, unique attack surface. It wasn't good enough apparently. We decided the contracts should be arbitrarily changed at runtime, so now every company sporadically calls people together to sign bytes they don't understand, but the Safe UI says are safe. But we were too greedy to call it a day, so we devised protocols that secure billions of dollars using hot wallets (AKA bridges). Automated infrastructure operating off of RPC calls to route billions of dollars.

What we've ended up with in the de-facto state of DeFi is a system of software and network layer trust assumptions similar or inferior to TradFi, without benefiting from its defensive mechanisms - transaction voiding, regulatory compliance, legal accountability, money trail etc. In other words, the on-chain aspects are a distraction for a traditional, completely trusted setup without all its upside.

We need the collective narrative to finally accept the fact that threat actors have an arsenal of 0days which they weaponize to get access to highly privileged systems. With AI assisted/automated exploitation patch gapping 1days has also become a central threat. The fact we don't see 9-fig exploits every day (although it feels so lately) is not because our security is airtight, but due to operational capacity and prioritizing highest EV ops.

The security endgame questions every corp needs to answer are: How many unique exploits or supply chain attacks are needed to compromise critical assets? How do we implement security barriers that cannot be bypassed by device compromise? For example, the security guarantees of a 3/7 MS of top hardware wallets is drastically different from compromising an RPC endpoint. On-chain time locks and volume thresholds add another friction point to bypass and drastically reduce worst case scenarios unless another bypass is chained.

Would a 2/2 DVN setup have made a big difference? I don't know. LZ likely has much greater resources and depth to secure a validator than smaller orgs, and evidently was still compromised. What's almost certain though is that when, not if, 2/2s will get compromised, we'll just see the industry continue moving the goal posts, to cope with security nihilism which has only one (taboo) conclusion: TradFi is far superior to the current mess we call DeFi.

Until we come back to effectively paper-wallet security, we'll continue to witness ever more sophisticated software exploits tarnishing whatever is left of user trust. And if we can't reach that level of confidence while providing a competitive service to TradFi, then I'd rather we go to zero on our own terms, rather than be sent to zero by DPRK hackers.
LayerZero@LayerZero_Core

x.com/i/article/2046…

lucyoa@lucyoas·
@DevDacian 100% agree, but we shouldn't focus on a single party to blame. @LayerZero_Core's DVN got compromised, @KelpDAO used only one DVN, and @aave failed at due diligence. Imho, all three should cover the losses and prepare a recovery plan, otherwise, it's over for DeFi.
Dacian@DevDacian·
Once a protocol finds product-market-fit attracting significant TVL, it is wise to re-evaluate security-related design decisions made when the protocol first launched. 1/1 verifier works fine when TVL near $0 but less effective when TVL ~$300m.
lucyoa@lucyoas·
This was a complete failure across the board:
- @LayerZero_Core - DVN got compromised (no root shell needed, logic manipulation was enough)
- @KelpDAO - relied on a single DVN
- @Aave - total fail on due diligence
lucyoa@lucyoas·
@0xCharlesWang Interesting, haven't audited this one so don't have context but just for the lulz I dropped to AI to grade it :)
Szymon Rybczak@SzymonRybczak·
we just moved to San Francisco to participate in @ycombinator P26 batch 🇺🇸 we're taking @TesterArmy to the next level and building the future of testing web & mobile apps 🪖 we're so back
lucyoa@lucyoas·
@chiefofautism Found blind SQL injection in Linux kernel? Damn what a smart AI 😂
chiefofautism@chiefofautism·
someone at ANTHROPIC just showed CLAUDE finding ZERO DAY vulnerabilities in a live conference demo

claude has found zero day in Ghost, 50,000 stars on github, never had a critical security vulnerability in its entire history...

it found the blind SQL injection in 90 minutes, stole the admin api key, then did the exact same thing to the linux kernel
lucyoa@lucyoas·
@pashov It's already like that. The only reason you don't experience it is because you use Claude Code + skills, whose cost is heavily subsidized by Anthropic (the $200 Claude Max burns tokens worth ~$5k). Try using the API and your costs will go through the roof.
pashov@pashov·
XBOW, the unicorn company building "the best web2 AI hacker" has $4k/$8k price per run. Do you think we are about to see this in web3 security? How much do you think is fair for an "AI audit" as of today?
lucyoa@lucyoas·
@TrustSecAudits Website looks great! One thing I'm curious about: what's your take on having a brand that's very similar to the well-established TrustedSec, which has registered trademarks? Don't get me wrong, but I feel you might face a cease-and-desist at some point.
TrustSec@TrustSecAudits·
‼️ MAJOR ANNOUNCEMENT

TLDR:
- Trust Security is now TrustSec. New name, new logo, new website.
- We’re setting industry standards on how security teams communicate their work. Our entire portfolio is now on open display - every audit, bounty, contest win. Full transparency, zero gatekeeping.
- Going further, we present every competitor audit ran in parallel to us, on same commit. No cherry picking. It’s a pure measure of skill, and the results are conclusive.
- Same team, same standard, same depth. The quality never changed. Now the visibility catches up.

Everything's in place to hit entirely new ceilings. Full breakdown below ⤵️