nmirchev8

@nmirchev8

Security Researcher | Co-founded @EgisSec - LSW, Top 8 in Sherlock | SR in @CertoraInc

EVM, SVM
Joined June 2023
527 Following, 1.7K Followers

Pinned Tweet
nmirchev8@nmirchev8·
Proud to win this one! We have no previous stableswap math experience, but we always want to challenge ourselves, so we can improve.
Code4rena@code4rena

🏆 The results of the Basin competitive audit are in! Congrats to everyone who submitted valid findings, especially to @EgisSec (@nmirchev8 and @dethSCA) for a landslide win in their second team showing! Respect to @basinexchange for their solid commitment to the highest security outcomes. Full list of winners in thread 👇

nmirchev8@nmirchev8·
For regular accounts, the client just pre-creates it at full size.
But PDAs? Only your program can sign for them.
So you're stuck:
- Init at ≤10 KiB
- realloc +10,240 bytes per ix
- Repeat across txs until you hit your target
nmirchev8@nmirchev8·
I bet you've forgotten about the following Solana constraint: You can't initialize an account larger than 10 KiB in a single instruction via CPI.
nmirchev8@nmirchev8·
Do you need any other proof?
0xaudron@0xaudron·
@nmirchev8 Damn, proof-of-cup is the ultimate proof🫡
nmirchev8@nmirchev8·
When initiatives meet initiatives = progress x 100. Always be proactive like @p_tsanev and @MartinMarchev, and you'll be rewarded. Thank you, guys, for your effort
tpiliposian@tpiliposian·
was so hungry for competitions, yesterday was my first comp this year. it was cool, managed to win 2 gold medals in gi and no gi

nmirchev8 retweeted
Martin Marchev@MartinMarchev·
claudit is one of the projects accepted into the Ethereum Security QF round on Giveth. 500 ETH matching pool, split across Ethereum security projects. Quadratic funding scores projects by (Σ √cᵢ)² - small donations from many people massively outweigh big ones from few. If claudit saved you time, this is the ask 🙏 The round ends May 14. Quick walkthrough on how to support 👇

nmirchev8 retweeted
deadrosesxyz@deadrosesxyz·
so excited for this. been cooking on it for the past few months and can’t wait to officially launch soon and bring on-chain prediction market parlays. we spent countless nights building this - including a purpose-built L1 just for settlement. private beta will launch in a few days. mainnet hopefully in May.
ParlayIt@ParlayItGG

Parlays. On Everything.

nmirchev8 retweeted
Plamen Tsanev@p_tsanev·
And this folks, is why risk assessment and trust assumptions are key during audits. And at @Certora we do E2E security btw (reach out) And stop doom-posting the end of DeFi and enjoy watching the phoenix rise from the ashes 🐦‍🔥 🔥☄️🐦‍🔥
nmirchev8@nmirchev8·
@0x3b33 Will be solved when AI is the decision maker instead of the human 😬
Pyro@0x3b33·
Smart contracts are not the most vulnerable part, humans are. We should start auditing humans.
nmirchev8@nmirchev8·
🚨 If your Solana program uses instruction introspection (Sysvar1nstructions) to enforce control — you need to also block CPI calls and here's why:
Trident@TridentSolana·
@nmirchev8 Great breakdown. The sysvar blind spot during nested CPIs is a pattern fuzz testing can stress at scale. Trident models multi-instruction sequences on Solana, might help verify those guards hold. Btw, I also sent you a DM with more info if you're curious.
nmirchev8@nmirchev8·
The fix: You don't have control over nested CPIs in other instructions included in the transaction, but you can still detect and block suspicious behavior:
nmirchev8@nmirchev8·
A concrete example — scanning for forbidden flash loan providers: When your program calls load_current_index() it gets 0, scans ix[0] — sees only attacker_wrapper, no forbidden program → passes. The flash loan happened entirely inside CPI, invisible to your check.
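
The blind spot described in the post above, as an added example that is not part of the original posts: a plain-Rust model (no Solana crates) of a transaction in which introspection sees only top-level instructions. The `Ix` type, the program names other than `attacker_wrapper`, and both guard functions are assumptions for illustration; the stricter guard is one possible check, not the fix shown in the thread.

```rust
// Constructed model of what the Instructions sysvar exposes. Plain Rust, no Solana
// crates; the type, the program names and both guards are hypothetical.
struct Ix {
    program: &'static str,
    cpis: Vec<Ix>, // nested CPIs: they execute, but are never listed in the sysvar
}

fn leaf(program: &'static str) -> Ix {
    Ix { program, cpis: vec![] }
}

// What introspection can see: top-level instructions only.
fn sysvar_view(tx: &[Ix]) -> Vec<&'static str> {
    tx.iter().map(|ix| ix.program).collect()
}

// Every program that actually runs, nested CPIs included (not observable on-chain).
fn executed(tx: &[Ix]) -> Vec<&'static str> {
    let mut out = Vec::new();
    for ix in tx {
        out.push(ix.program);
        out.extend(executed(&ix.cpis));
    }
    out
}

// Naive guard: denylist scan over the sysvar view.
fn naive_guard(tx: &[Ix], forbidden: &[&str]) -> bool {
    !sysvar_view(tx).iter().any(|p| forbidden.contains(p))
}

// Stricter guard: (1) the instruction at the current index must be this program,
// otherwise it was reached through a CPI; (2) every top-level program must be on
// an allowlist, because an unknown program can CPI into anything.
fn strict_guard(tx: &[Ix], current: usize, me: &str, allowed: &[&str]) -> bool {
    let view = sysvar_view(tx);
    view.get(current).map_or(false, |p| *p == me) && view.iter().all(|p| allowed.contains(p))
}

// Constructed transaction matching the post: ix[0] is the wrapper, which CPIs into
// a flash loan provider and then into the protected program.
fn sample_tx() -> Vec<Ix> {
    vec![Ix { program: "attacker_wrapper", cpis: vec![leaf("flash_lender"), leaf("my_program")] }]
}

fn main() {
    let tx = sample_tx();
    println!("sysvar view: {:?}, executed: {:?}", sysvar_view(&tx), executed(&tx));
    println!("naive passes: {}", naive_guard(&tx, &["flash_lender"]));
    println!("strict passes: {}", strict_guard(&tx, 0, "my_program", &["my_program", "system_program"]));
}
```
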