Sabitlenmiş Tweet
Starting My Smart Contract Security Journey
Daily posts on real vulnerabilities, exploits, and lessons from audits. Learning in public, one bug at a time.
Let's build a more secure Web3 together
English
MkXploit | Security Researcher
282 posts
MkXploit | Security Researcher
@mkXploit
Smart Contract Security Audits | Solidity / Ethereum Building daily • Web3 security #Sharing bugs, lessons and experiments 🧠
Web3 Katılım Aralık 2025
58 Takip Edilen36 Takipçiler
MkXploit | Security Researcher retweetledi
MkXploit | Security Researcher retweetledi
Builders:
Do you involve auditors before or after deployment?
English
If you understand this, you understand why Web3 apps can scale cheaply
Math > brute force.
English
Day 34 of my SR journey
I learnt why Proof Size Matters
Here’s what blew my mind:
A Merkle proof for 1,000,000 users ≈ 20 hashes
Not 1M. Just 20.
That’s why:
• Gas stays low
• Verification is fast
• Systems scale easily 👇
English
That’s the magic of log₂(n)
Small proof. Big trust.
English
Day 33 of my SR Journey
I have learnt how to you prove you’re eligible for an airdrop without storing all users on-chain
Merkle Proof.
You don’t submit the full dataset.
You submit a tiny proof.
Just a few hashes that rebuild the root.
Even with 1M users → ~20 hashes only 👇
English
English
Talk about Investments from the past.
Solid codebases , great learning experiences.
Grateful to @sherlockdefi, @flyingtulip_ and @OpenCover for the opportunities.
Still building. No exit sign in sight.
English
You’re given $10M to build a protocol.
What’s the first security measure you would implement?
English
Everything else is verified off-chain.
That’s how most airdrops work today.
Efficiency = Security + Cost savings
English
Day 32 of my SR Journey
I learnt about why Devs love Merkle Trees
Imagine verifying 1 million users on-chain…
Without Merkle trees → impossible (too expensive)
With Merkle trees → cheap and scalable
Instead of storing all data, you store just ONE hash (the root) 👇
English
Why it matters in Web3:
• Airdrops
• NFT allowlists
• Token claims
• Governance snapshots
Only the root is stored on-chain → massive gas savings
Simple idea. Massive impact.
English
Day 31 of my SR Journey
Today I learnt about Merkel Trees.
Most people use Merkle trees.
Few actually understand them.
A Merkle tree hashes data in layers until everything becomes one root hash.
English
MkXploit | Security Researcher retweetledi
As long as you keep showing up, you’re making progress
English
That’s how exploits like:
• Reentrancy
• DoS
• Griefing
often begin.
Golden rule:
Check → Effects → Interactions
Update state before interacting externally.
One wrong call can cost millions.
#SmartContractSecurity
#Solidity
English
Day 30 of my SR Journey:
Today I learned about External calls.
External calls are one of the largest attack surfaces in Solidity.
When your contract calls another contract, you temporarily lose control of execution.👇
English
@dubemox Learn fundamentals
Then use AI to develop your project quickly
English
#day29 of my Smart Contract Journey
Security tip most Solidity devs ignore:
A lot of web3 is still reliant on web2 technologies.
- Improper signature validation allowing for account takeover
- XSS on IPFS gateways allowing for browser wallet popups and cookie hijacking
English