nmirchev8

1.6K posts

nmirchev8 banner
nmirchev8

nmirchev8

@nmirchev8

Security Researcher @Certora | Co-founded @EgisSec - LSW, Top 8 in Sherlock

EVM, SVM Katılım Haziran 2023
541 Takip Edilen1.7K Takipçiler
Sabitlenmiş Tweet
nmirchev8
nmirchev8@nmirchev8·
Proud to win this one! We haven't previous stableswap math experience, but we always want to challenge us, so we can improve.
Code4rena@code4rena

🏆 The results of the Basin competitive audit are in! Congrats to everyone who submitted valid findings, especially to @EgisSec (@nmirchev8 and @dethSCA) for a landslide win in their second team showing! Respect to @basinexchange for their solid commitment to the highest security outcomes. Full list of winners in thread 👇

English
11
1
103
9.7K
nmirchev8 retweetledi
deth
deth@dethSCA·
before you pay anyone to audit your code, spend one afternoon doing this > run @pashov's solidity auditor (github.com/pashov/skills) > fix the bugs > run it again a lot of bugs can die for free nowadays, the rest are for auditors to find.
English
5
8
52
2.2K
nmirchev8 retweetledi
deth
deth@dethSCA·
my audit stack: > eyes > brain > every line guilty until proven innocent
English
1
3
34
961
nmirchev8
nmirchev8@nmirchev8·
BonkDAO lost ~$20M this week and no contract was hacked. Every transaction was valid. An attacker spent ~$4M buying BONK, then passed a treasury-draining proposal with 7 wallets (2.9% turnout), clearing quorum by a hair — 882.38B vs 879.95B BONK. The code executed the vote flawlessly. That's the point. Audits verify code correctness at a moment in time. They can't see the live economic state — price, treasury value, and quorum drifting — until $4M of votes can move $20M of treasury. That's not a bug in the code. It's a config no audit is scoped to catch. An invariant a monitor enforces at runtime: a treasury transfer must not execute while the market value of the votes backing it < the value it moves out. Bonk violated it 5:1. Pair it with a timelock so a flagged proposal pauses for a guardian instead of settling instantly. Detection + a pause is a security procedure on top of a code security audit. Security has a lot of layers and the worst part is that if you leave one layer uncovered, it may compromise the entire system. Take notes, think twice and continue to progress!
English
2
3
20
1.2K
deth
deth@dethSCA·
Turning 26 today, these are the most important things I learned > If you want something, you have to take it > If you want success, hard work and lonely years are inevitable > The woman next to you can make or break you
English
15
1
69
2.1K
nmirchev8 retweetledi
deth
deth@dethSCA·
There are 3 certain things in life > Death > Taxes > Not getting paid for a valid bug bounty at least once
English
3
4
53
1.5K
nmirchev8 retweetledi
deth
deth@dethSCA·
back in 2024, @EgisSec took 1st in the @useteller contest on @sherlockdefi — 16+ findings, one of our first wins here's a unique High we caught: a lender could stop any borrower from ever repaying, then take their collateral. the whole bug is this try/catch
deth tweet media
English
1
3
38
1.5K
deth
deth@dethSCA·
Today was my last day @Certora. It was a fun ride — worked with many great people, audited the biggest DeFi protocols in the space, and learned more than I can fit in this post. I had the pleasure of working with many of the friends I made throughout the olden days of @code4rena and @sherlockdefi — when contests were the shit and the judging was too <3 Met some very talented, hard-working people like @tpiliposian , who posts more about his BJJ medals than his actual work 😁 And I was lucky to work under the guidance and mentorship of @BowTiedDravee — the best team lead anyone could ask for. He always had my back, no matter what. I consider you a true friend, brother. What will I do now? I thought about it, and it's time to dust off this old t-shirt from the closet and get back to work. We're back, stronger than ever. If you're a protocol in need of elite-level auditors — or a security agency in need of the best — you know where to find us. @EgisSec
deth tweet media
English
12
3
126
7.2K
nmirchev8
nmirchev8@nmirchev8·
Bear market is just an oppertunity to catch up with the latest technology and innovate
English
0
1
14
665
nmirchev8
nmirchev8@nmirchev8·
One invariant neutralizes inflation & donation attacks — the vector behind most vault drains Checkpoint the rate. Revert + auto-pause on >X% deviation per block A vault's share rate (totalAssets/totalSupply) moves in bps per day. Exploits move it 10–1000x in one tx
English
1
2
18
880
nmirchev8
nmirchev8@nmirchev8·
@MaslarovK Congrats, brother!!! The best is yet to come
English
1
0
1
176
Kris Paladin
Kris Paladin@MaslarovK·
Turning 29 today, so I thought it was a good time for my half-year summary and 2026 has been amazing so far. - 17 audits completed with Paladin. - Bought a house with my wife - our second property. - Learned a lot, grew a lot, and kept pushing forward both professionally and personally. But most importantly, we became parents to our first son 👼. Nothing I’ve achieved comes close to that feeling. I’m incredibly grateful for how life has been going lately - for my family, for the opportunities, and for the years of hard work that are now paying off.
Kris Paladin tweet media
English
14
1
71
2.9K
nmirchev8
nmirchev8@nmirchev8·
Quick tip on how to open a Visual Studio Code preview of a GH repo at a fixed commit: -> After the repo path paste "/blob/{commit}" then enter -> You open a GH view at the commit -> Press "." and you're redirected to vscodе.dev/githib/... for the given commit hash
English
2
1
15
1.2K
dravee.eth
dravee.eth@BowTiedDravee·
@nmirchev8 Bro, additional tip, try pressing "y" while on a branch on GitHub 😄 This swaps the branch name to its commit hash in the url.
English
1
0
15
577