nico_security
@nicoweb3audit
22 posts
web3 security, I hope you can follow me. Thank you!
Joined November 2025
141 Following, 3 Followers

nico_security @nicoweb3audit
I did it 🎉 I've completed the Cyfrin Updraft Foundry Fundamentals! I've learned about: - Solidity smart contract development - Chainlink Blockchain Oracles - Foundry deployment and testing And created 3 projects for my portfolio! Check it out 👇 profiles.cyfrin.io/u/wilgingcoury…

nico_security @nicoweb3audit
On the eighth day of learning smart contract auditing, I learned how to deploy contracts locally using Anvil from the Foundry Fundamentals course.

nico_security @nicoweb3audit
Day seven of learning smart contract auditing; today I completed all the courses on Solidity smart contract development.

nico_security @nicoweb3audit
I did it! I've completed the Solidity fundamentals course 🎉 5 hours of resources to learn: - Solidity smart contract development - Blockchain oracles - Smart contract testing and security Completely for free. Check it out 👇 profiles.cyfrin.io/u/wilgingcoury…

nico_security @nicoweb3audit
The probability of `transfer()`/`send()` being attacked is lower due to gas cost limitations; the root cause is still insecure code logic. Best practice: Use `call()` + reentrancy protection (such as OpenZeppelin's ReentrancyGuard) + an "inspect-effect-interaction" model.

nico_security @nicoweb3audit
On the sixth day of learning smart contract auditing, I learned about the three ways to send ETH in Cyfrin's smart contract course: transfer, send, and call.

nico_security @nicoweb3audit
Why is the focus more on the reentrancy vulnerability of `call()`, even though `transfer()` and `send()` can be attacked? Because attackers can execute complex code logic, and modern development widely uses `call()`, leading to more related vulnerabilities.

nico_security @nicoweb3audit
Calls can perform many operations and have no gas fee limit, so they are generally used for money transfers. However, you need to prevent reentrancy attacks by using reentrancy locks and checking the Checks-Effects-Interactions pattern.

nico_security @nicoweb3audit
I learned that the maximum gas consumed by `transfer` and `send` is 2300, which is only enough to perform some simple transfer operations. Therefore, they naturally prevent duplicates, since calling functions requires more gas.

nico_security @nicoweb3audit
Fifth day of learning about smart contract auditing: the analysis of the Truebit Protocol contract theft by Manwu Technology deepened my understanding of integer overflow. Large companies also refer to variables in the denominator as part of the numerator in their publications.

nico_security @nicoweb3audit
On the fourth day of learning smart contract auditing, today I learned how to obtain real price data through oracles on Cyfrin.

nico_security @nicoweb3audit
This is my third day learning about smart contract auditing. Today I looked at some analysis files about the stolen Truebit protocol and learned how to decompile bytecode. Once I successfully decompile it, I'll document the attack process. etherscan.io/tx/0xcd4755645…

卡卡 @0xkaka1379
This is a classic issue: in older compiler versions, addition operations do not perform overflow checks, allowing overflows to occur and resulting in incorrect price calculations. compiler version: v0.5.3+commit.10d17f24 @Truebitprotocol

Weilin (William) Li @hklst4r
Another 26M hack. @Truebitprtocol I haven't decompiled the vulnerable code yet, but the root cause appears to be a mispriced minting function of its purchase contract that allows anyone to purchase TRU token at a very low price.
The first attacker (26M profit): 0xcd4755645595094a8ab984d0db7e3b4aabde72a5c87c4f176a030629c47fb014
The second attacker (~250k profit): 0x71496352b02f974a3898c1b743e9fc2befb935e6c2a3e421134ec09b63052f4b
@Truebitprotocol This contract has been a very old contract deployed ~5 years ago... It seems old contracts are getting more "popular" among attackers now. btw a friend of mine shared a screenshot with me of the second hacker celebrating in his chat group 😂 (not sure if it's genuine) --- Disclaimer: This is my preliminary analysis and I may make mistakes.

nico_security @nicoweb3audit
On the second day of learning smart contract auditing, I've currently covered the ZKsync Plugin section of Cyfrin.

nico_security @nicoweb3audit
The cost of living is relatively low in second-tier or third-tier cities in China, which is an advantage for me. If I can also earn in US dollars, my quality of life would be very good. However, English is a big challenge for me.

nico_security @nicoweb3audit
Day 1 of Blockchain Journey. Today is my first day learning about blockchain. I plan to use X to document my learning process. I started by learning blockchain fundamentals on Cyfrin and passed the exam.

nico_security @nicoweb3audit
Next, I will be taking a smart contract development course on Cyfrin, and I hope to meet like-minded friends and move forward together.

nico_security @nicoweb3audit
Funnily enough, the exam options couldn't be automatically translated into Chinese, and my English level is very poor, so I had to use Google Translate to select and translate the options before answering the questions.