Tim (@Schereo)

163 posts

Auditing chain of blocks ⛏️

Cayman Islands · Joined September 2011
479 Following · 74 Followers
Tim
Tim@Schereo·
I’ve been involved in most of Quantstamp’s audits for Polymarket. They take security seriously, care about code quality, and are willing to rethink design decisions when it matters. Always appreciated auditing their code 🫡
Quantstamp@Quantstamp

We're excited to see @Polymarket's V2 exchange upgrades coming live on April 28th! The CTFv2 contracts are open-sourced & audited by Quantstamp, our latest in an ongoing partnership securing Polymarket: certificate.quantstamp.com/full/polymarke… Check out the migration steps below 👇

Tim retweeted
Toad
Toad@TrainTestToad·
If you're an independent SR/contest grindoor looking to land a job at an audit firm, the most underrated skill you can have is good team comms.
Tim retweeted
Zircuit
Zircuit@Zircuit·
Zircuit is featured on Ξ ethereum.org Ξ
Tim
Tim@Schereo·
@TrainTestToad It’s always a pleasure working alongside you 🫶
Toad
Toad@TrainTestToad·
It's my one year anniversary at Quantstamp 🥳
It has been a wild year and have learned so much
52 audits, audit lead for 20
4 Ecosystems (3 new)
Working alongside smart, passionate people every day is a cheatcode for improvement
A lot more to achieve in the next 12 months🫡
Tim
Tim@Schereo·
@servrox1337 So you can finally watch Italian brain rot while programming?
Tim retweeted
Zircuit
Zircuit@Zircuit·
The Zircuit Finance waitlist is officially live. Limited wallets will be admitted into the alpha. Secure your spot: zircuit.com/waitlist
Tim retweeted
Zircuit
Zircuit@Zircuit·
A new identity built for the future of secure finance at scale. Zircuit Finance, coming soon on zircuit.com.
Tim
Tim@Schereo·
See you all in Buenos Aires
Panana Predictions
Panana Predictions@panana_predict·
As predicted: Panana is LIVE on mainnet 🍌🔮 ✅ Trade your opinions ✅ Earn XP & rewards ✅ Shares = real tokens ✅ AMM → instant trading, no order books Think stock shares, but for future events. 👉 Start now: app.panana.fun
Tim retweeted
Self
Self@selfxyz·
Builder Spotlight is back, highlighting apps leveraging Self's privacy-preserving zkPoH & identity verification Meet Ascend: an inheritance protocol developed by @schereo, @kianluetke & @t0malbrecht at @EthGlobal Cannes, ensuring your crypto "doesn’t die with you." ↓
Tim retweeted
Avail
Avail@AvailProject·
Crosschain isn’t a dream anymore. It’s live, tested, and already shipping.

At @ETHGlobal Cannes, we gave early access to the Avail Nexus SDK, a new way for apps to move assets, view unified balances, and call contracts across 11 chains, all through a single integration.

To kick things off, @robin_rrtx hosted a workshop on building a 1-click crosschain experience with Avail Nexus SDK, with which our hackers built real use cases in just 48 hours!

Here are the winners 🏆

1. Buddy - A multichain social payments app exploring new ways to move value across chains. They integrated Nexus to enable token bridging functionality across networks. Built by Pablo @0xrouss and Saul @saugardev
2. Ascend - Ascend focused on enabling crosschain asset recovery for verified users. They used Nexus to bridge balances from multiple chains into a single destination, supporting scenarios like inheritance and access by trusted contacts. Built by Tim @schereo, Kian @kianluetke, and Tom
3. SessionFlow - A cold storage-safe wallet with fast, fluid UX. By integrating Nexus, SessionFlow lets users bridge and transact between chains while keeping their core keys offline. Built by Jakob, Jure, and Kristjan
4. NexusFund - A chain-agnostic crowdfunding platform that lets donors support projects using USDC from any chain. It was the only project to integrate bridgeAndExecute, using Nexus. Built by Agustin.

Across the board, feedback poured in. Builders weren’t just excited; they were invested in shaping what comes next. Because Nexus isn’t just another SDK. It’s the first step toward a connected, composable crosschain world.

Build once. Scale everywhere.
Tim
Tim@Schereo·
@selfxyz enables privacy-preserving proof of personhood using your passport and zero-knowledge technology. We’re proud our idea resonated with the Self Protocol jury 🫶
Tim
Tim@Schereo·
We built Ascend 🪽 at @ETHGlobal — a system that ensures your loved ones can access your tokens after your passing, preventing them from being locked forever. To verify that only the intended recipients can claim them, we integrated @selfxyz for secure identity verification.
Self@selfxyz

For best Self onchain SDK integration: 🥇 Backup Buddy by @pybast & @yssf_io - Zero-friction, social seed recovery tool for mass crypto adoption 🥈 Selfcare by @luaroncrew & @J_us_t1 - Verified data inside a permissionless federated learning infrastructure 🥉 Ascend by @schereo - Ascend lets verified humans claim your assets—private, automated & cross-chain

Tim
Tim@Schereo·
@panana_predict Mr. Peeltos is addicted to upgrading his lawnmower robot
Panana Predictions
Panana Predictions@panana_predict·
Join the Panana AI Meme Contest 🍌🔮 Panana Prediction Markets hit early access for selected users. Want a spot on our limited whitelist? Create the funniest, weirdest, or most legendary meme starring our Mascot Mr. Peeltos, and win: 🧠 Early access to our new prediction platform 🍌 Legendary Mr. Peeltos avatar 🔁 Retweets from Mr. Peeltos 🏆 Eternal meme glory ✨ Additional surprise rewards Need help? Our custom GPT makes meme creation easy! (link and examples in comments ⬇️) To enter: 📸 Post your meme 🏷️ Tag @panana_predict and @peeltos Let the meme wars begin! 🚀
Tim retweeted
Pavel Shabarkin
Pavel Shabarkin@shabarkin·
On Feb 17 2025 I reported a critical vulnerability to @Scroll_ZKP. $100m+ in TVL was at risk for more than 2 months.

Anyone could force Scroll L2 into an indefinite re-org, halting the chain so that no user transactions would be included in blocks and the chain would not move forward. All funds on L2 would be frozen.

@Scroll_ZKP downplayed the report. There was no meaningful communication about the issue—only continuous ghosting and silence. The @immunefi team mediated, yet did not correctly classify the vulnerability, which clearly falls under "Primacy of Impact." When I requested a re-evaluation, I received no response.

As a result, I am disclosing this to the public to highlight Scroll's lack of security proficiency, their unfair resolution process, and their treatment of white-hats. You can find the link to the full report and complete timeline below.

@redhairshanks86 @0xBalloonLover @Wublockchain @coindesk @cointelegraph @TheBlock__ @aave @EtherFi @ambient_finance @l2beat

Full impact of the issue:

- The Scroll chain can be halted deliberately at zero cost to the attacker.
- Withdrawals remain blocked for the duration of the attack (potentially indefinitely, as it is free to sustain).
- Halted block production prevents critical time-dependent DeFi actions (e.g., topping up positions to avoid liquidation, oracle price updates), putting user funds at risk.
- The sequencer stops collecting transaction fees because no L2 user transactions can be included in blocks.
- Anyone on the internet can trigger the attack, and Scroll has no preventative measures.

---

Timeline

- **Feb 17 2025** – Issue submitted on Immunefi.
- **Feb 18 2025** – Scroll claims the issue was known from a Trail of Bits audit 14 months earlier and says it will be fixed in the Euclid upgrade (still 2+ months away). Scroll closes the report.
- **Feb 18 2025** – I request Immunefi triage, providing code commits that show Scroll attempted—but failed—to fix the issue. I emphasize that, while the attack vector is similar, the impact and exploitation mechanism are different.
- **Feb 24 2025** – Immunefi reopens the report for discussion with Scroll.
- **Feb 27 2025** – Immunefi asks Scroll for an update.
- **Mar 03 2025** – I contact Scroll to stress that the issue is public and exploitable on the live protocol.
- **Mar 03 2025** – I DM @yezhang1998 on Twitter about the Immunefi report.
- **Mar 04 2025** – Scroll says the issue is out of scope, labeling it "Throttling or suppression of operations without loss of user funds," and notes a similar report from Nov 06 2024.
- **Mar 04 2025** – I request Immunefi mediation to confirm the submission's uniqueness and ensure a fair bounty.
- **Mar 13 2025** – I ask Immunefi for an update.
- **Mar 17 2025** – Immunefi classifies the issue as **High severity** ("causing network processing nodes to handle transactions from the mempool beyond set parameters"). They confirm the bug is unique, acknowledge Scroll's attempted fix was ineffective, and suggest a goodwill bounty because Euclid will deprecate the vulnerable functionality (in ~1.5 months).
- **Mar 17 2025** – I reiterate that an attacker could freeze $100m+ on L2 and highlight Scroll's "Primacy of Impact" policy, which requires considering broader consequences.
- **Mar 19 2025** – Scroll acknowledges receipt and promises to follow up shortly.
- **Mar 27 2025** – I ask Scroll for an update.
- **Apr 03 2025** – I ask Scroll for an update.
- **Apr 03 2025** – Immunefi also asks Scroll for an update.
- **Apr 09 2025** – Immunefi contacts Scroll directly.
- **Apr 09 2025** – Scroll offers a payment of only **$1000**, stating the mechanism will be deprecated in the Euclid upgrade (3-4 weeks away).
- **Apr 09 2025** – I reject the bounty, explaining the protocol is still vulnerable and detailing potential losses had the vulnerability been exploited on Feb 17 2025.
- **Apr 15 2025** – I ask Immunefi to confirm "Primacy of Impact" applies and that the network remains vulnerable.
- **Apr 22 2025** – Scroll responds with a single "." and closes the report.
- **Apr 22 2025** – I ask Immunefi to explain Scroll's response and provide an update.
- **Apr 29 2025** – I notify both Scroll and Immunefi that I will publicly disclose the vulnerability on Apr 30 2025 unless the report is treated and rewarded fairly.

Here is the full audit report with a complete explanation of the issue, PoC scripts, a local network setup guide, and a PoC video. A full triage history (screenshots) is included at the end of the blog post—please review it! notion.so/shabarkin/Crit…
servrox solutions
servrox solutions@servrox·
🚀 Big news! #MoveVM is coming to #IOTA It’s a game changer that many haven’t realized yet 🔥 Move, like Solidity, is a powerful smart contract language - already making waves with @Aptos & @SuiNetwork. 🌐 It’s gaining serious traction and will be the next big thing in #Crypto
Obit@Odd_Kesson

🧵 Thread: #IOTA 2.0 will integrate MoveVM – A Game-Changer in Blockchain Technology, and it might happen sooner than you expect?
