phil

believe it or not, this is the second tool developed by our genius security researchers this week who said Certora is only a formal verification company?

The hidden truth behind successful web3 bug bounties and audits In 2 sentences:

I gave a talk this morning about Formal Verification for Ethereum’s Next Scalability Era, organized by @drinkcoffee2010, and mentioned Sir Tony Hoare’s great contributions to computer science. Later, I found out that he died this week at the age of 92, just like my own father. Here are a few things that I learned from Tony. If computer science interests you, these topics are worth knowing 👇

Aave Labs is strengthening its Product and Enterprise Sales teams, and we’re hiring with open roles! Senior Product Designer Staff Design Engineer Senior Design Engineer Staff Smart Contract Engineer Product Marketing Manager Sales Engineer Director of Enterprise Sales and Partnerships Business Development Associate We’re a product-driven company focused on bringing DeFi to millions of users and institutions around the world by building the most compelling DeFi products. Apply at aave.com/careers

when the agent takes more than 5 words to explain the 100k LoC program he just one-shotted

This helped me do a lot more and be much more present over the weekend Highly recommended

@0xitsgreg @0xKaden Privacy-wise, I don't quite see how that would be different from how it works today Take sandwich attacks as example. Searchers perform this with their own funds; the difference with this new primitive is that they wouldn't have to deploy capital Same txns, except for funding

@philbugcatcher @0xKaden Well, in theory you could ZK-prove the multi-block MEV strategy profit without revealing it. Validator posts a bond on a slower chain, only released if they both executed the strategy AND paid the searcher. Only then does the searcher hand over the real recipe.

back when flash loans were first popularized, it opened up a whole new vulnerability class before then, oracle manipulation never seemed to be feasible, but suddenly attackers realized they had access to billions of dollars needless to say, a lot of protocols got hacked i wonder what vulnerability classes still lay dormant, waiting for a novel mechanism to unlock them 🤔

@bbl4de_xyz @0xKaden Yeah this requires a new primitive at the consensus level

@philbugcatcher @0xKaden Underlying consensus design would get tested hard if that was implemented

@duncancmt @0xKaden 🤯 An uncollateralized loan guaranteed by the consensus mechanism

@philbugcatcher @0xKaden and beyond that, now that there are a few builders with great penetration into the validator ecosystem, there will be *INTER*-block flash loans where a single entity can guarantee that they will build to adjacent blocks and gives a loan for the duration of 2 blocks.

Join us for a social media fast See you all on Sunday

@0xKaden Block builders/ validators can ensure atomicity within a block, so this can be used to ensure the flashloan is repaid even if split between different transactions

@philbugcatcher how would intra-block flash loans work? sounds terrifying 😅

Petition to ban noreply@ being used for sending emails. If your company can email me, the least you can do is make it easy for me to email you back.

Thanks @eboadom, @andy_koz and @bgdlabs for holding providers like @Certora to high security standards over the past four years. Here are some of the things we learned and built together 🧵👇

This is quite an impressive experiment. Vibe-coding the entire 2030 roadmap within weeks. Obviously such a thing built in two weeks without even having the EIPs has massive caveats: almost certainly lots of critical bugs, and probably in some cases "stub" versions of a thing where the AI did not even try making the full version. But six months ago, even this was far outside the realm of possibility, and what matters is where the trend is going. AI is massively accelerating coding (yesterday, I tried agentic-coding an equivalent of my blog software, and finished within an hour, and that was using gpt-oss:20b running on my laptop (!!!!), kimi-2.5 would have probably just one-shotted it). But probably, the right way to use it, is to take half the gains from AI in speed, and half the gains in security: generate more test-cases, formally verify everything, make more multi-implementations of things. A collaborator of the @leanethereum effort managed to AI-code a machine-verifiable proof of one of the most complex theorems that STARKs rely on for security. A core tenet of @leanethereum is to formally verify everything, and AI is greatly accelerating our ability to do that. Aside from formal verification, simply being able to generate a much larger body of test cases is also important. Do not assume that you'll be able to put in a single prompt and get a highly-secure version out anytime soon; there WILL be lots of wrestling with bugs and inconsistencies between implementations. But even that wrestling can happen 5x faster and 10x more thoroughly. People should be open to the possibility (not certainty! possibility) that the Ethereum roadmap will finish much faster than people expect, at a much higher standard of security than people expect. On the security side, I personally am excited about the possibility that bug-free code, long considered an idealistic delusion, will finally become first possible and then a basic expectation. If we care about trustlessness, this is a necessary piece of the puzzle. Total security is impossible because ultimately total security means exact correspondence between lines of code and contents of your mind, which is many terabytes (see firefly.social/post/x/2025653… ). But there are many specific cases, where specific security claims can be made and verified, that cut out >99% of the negative consequences that might come from the code being broken.

I propose we change the job title "prompt engineer" to "sloperator".

If you're in crypto, pivot to AI

A masterclass in handling collateralization edge cases in lending protocols

🚨BREAKING: A study finds ChatGPT, Claude, and Gemini deployed tactical nuclear weapons in 95% of 21 simulated war game scenarios and never surrendered It’s so fucking over

Wait, so the founder of Anthropic is "Amodei," as in "loves god"? And he leads Anthropic, meaning "human-centered," which is being used in military strikes? And the creator of ChatGPT is "Altman," as in "an alternative to humans"? And he leads OpenAI, which is completely closed? And then there's "Gemini," meaning "two-faced," from a company that promised to do no evil? And the whole global AI arms race is being driven by people who claimed to be worried about AGI taking over the world? Either the universe is an extremely cliché writer, or has a brilliant sense of humor