Slava S. (@slvDev)

310 posts

Smart Contract Security Researcher | ex code4rena Bot Racer Building solidity static analyzer - https://t.co/x3a8VTM5og

Ukraine. Joined January 2015
124 Following, 278 Followers
Slava S.@slvDev·
convention changes between protocol versions are an underrated attack surface. same function name, different behavior. same parameter, opposite sign. auditors bring assumptions from v1 into v2 reviews. some of the nastiest bugs i've seen come from "i assumed it worked like the old version"
Slava S.@slvDev·
@pashov the "1 command install" part matters more than people think. half the tools in this space never get used because setup takes 30 minutes. reducing friction is how you get adoption
pashov@pashov·
🧠AI security tools are booming. Still, many are slow, painful to set up or expensive to run. solidity-auditor v2 drops tomorrow. 1 command install. 8 parallel specialist agents. <10min on 5000 nSLOC. Runs locally on a cheap API plan. Free (even though it probably shouldn't be)
Slava S.@slvDev·
@0xKaden breaking mental models between versions is a guaranteed source of bugs. auditors who reviewed v3 will bring wrong assumptions into v4 reviews. convention changes like this are subtle but dangerous
kaden.eth@0xKaden·
whoever at uniswap decided to swap the negative/positive add/remove liquidity convention between v3 and v4 is a villain. yes, the v4 implementation is more intuitive, but the fact that they are the opposite breaks my brain every time
Slava S.@slvDev·
@PatrickAlphaC this is why frontend security is underrated in defi. everyone audits the contracts, nobody audits the dapp serving the transactions. a compromised frontend can make users sign anything
Patrick Collins@PatrickAlphaC·
A website can always be hacked. Which means, you cannot trust calldata.
Neutrl@Neutrl

Update on the ongoing security incident: We are currently working with @0xGroomLake on the investigation. Initial findings suggest the DNS provider hosting the app domain was socially engineered, allowing an attacker to redirect the domain. Neutrl smart contracts remain secure and have been temporarily paused as a precaution. Please do not interact with the protocol until further notice is provided. We will continue to share updates as more information becomes available as well as a full post mortem.

Slava S.@slvDev·
@p_tsanev 90% coverage against a real contest is a strong benchmark. the question is what that last 10% looks like. usually it's the protocol-specific logic bugs that no amount of pattern matching catches. still, if this handles the baseline, auditors can focus on the hard stuff
Plamen Tsanev@p_tsanev·
😱A FREE Open-Source AI Auditor just delivered the same output as a $47,000 audit contest! Plamen ran twice on the same DODO contest as other tools and achieved 90+% coverage both times! Check the entire process below and integrate Plamen in your development workflow now
Slava S.@slvDev·
auditing a payment abstraction system this week. the pattern where users pay in any token and it gets swapped to the target token onchain is deceptively complex. every swap path is a potential attack surface. slippage, oracle manipulation, sandwich attacks. the more flexible the payment, the bigger the threat model
Slava S.@slvDev·
@0xKaden bZx is the textbook case for why one audit isn't enough. they got exploited, "fixed" it, got exploited again with a different vector in three days. the codebase was fundamentally fragile, not just buggy
kaden.eth@0xKaden·
the bZx protocol had probably the worst security posture of any smart contract protocol in history. in february 2020, they suffered not one, but two oracle manipulation exploits [1] within a three day period, with the second one coming after the protocol was deemed to be fixed. ~$350k + ~$600k exploited. then in september 2020, they had a self-transfer exploit [2] which resulted in a loss of ~$8.1m. and if that wasn't already enough damage, in november 2021, a phishing attack on the developer key [3] allowed the attacker to not only drain the protocol TVL, but also dangling user approvals, resulting in a loss of ~$55m!
Slava S.@slvDev·
@al_f4lc0n this is the exact dynamic that kills bug bounty motivation. researcher finds valid issue, protocol downplays it to avoid paying. then we wonder why fewer people bother reporting responsibly
f4lc0n@al_f4lc0n·
the figures referenced in the post are entirely misleading. There was no impact realized from this issue. Zero user funds were affected and zero addresses were compromised.

My response: Are you suggesting I should have actually exploited the bug and caused real damage before coming to talk to you?

For the stated vulnerability to work in practice, it would require execution of several suspicious transactions that would have an extraordinarily limited impact.

My response: You should know better than anyone that on a Cosmos-based chain, a single transaction can pack multiple messages. Just one transaction is more than enough to completely drain multiple whale accounts.

Injective has dynamic rate limiting functionalities which are applied automatically based on our live monitoring systems. This functionality has been live on mainnet since last year and is publicly available in our code base.

My response: First, this has nothing to do with the vulnerability itself. Rate limiting doesn't stop attackers from stealing funds. It only slows them down when they try to bridge those funds over to Ethereum. Second, when I submitted my report, the mainnet configuration for this feature was not set. In other words, this feature wasn't even turned on!

In addition to all of the above, this report was reviewed against the clearly defined terms of our Immunefi program. Based on those terms, issues such as those raised in this report that DO NOT impact block production or consensus are categorized outside of the Blockchain/DLT tier and carry a maximum payout of $50,000.

My response: First, Immunefi has always put the impact of direct fund theft at the very top of its priority list. This is a fact that everyone knows. Second, you changed your bug bounty page after I submitted my report. Here's the snapshot from November 8, 2025: web.archive.org/web/2025110816… .

And now, there's an extra line added to your bug bounty page: "IMPORTANT: Within the Assets in Scope table, the injective-core folder is listed for both Blockchain/DLT and Web/App due to overlap between the two within the same folder. However, for a report to be categorized as Blockchain/DLT, the resulting impact has to be directly involved with the block production process or with consensus failures. All reports not dealing directly with either of these are to be categorized as Web/App." I'd really like to know when this line was added. and do you really value chain consensus more than users' funds?

We remain committed to fair, transparent, and consistent handling of all reports, and to maintaining the highest standards of security for the ecosystem. Injective has done so since its mainnet inception in 2021 and will continue to do so in perpetuity, always putting builders and security first.

My response: You never even replied to my messages, and now you're blaming me for not requesting mediation? I can post the original report if you agree. I left many messages, but you haven't replied to a single one.

----------

Finally: Stop making excuses from every angle and trying to use technical jargon to confuse people who aren't developers. That doesn't work anymore these days. Anyone can just ask an AI to fact-check what both of us are saying. I have no ill intentions toward your project. All I'm asking is for you to be honest and handle this transparently.
Bojan Angjelkoski@bangjelkoski

Security is paramount at @injective and we take our bug bounty program very seriously. First and foremost, the figures referenced in the post are entirely misleading. There was no impact realized from this issue. Zero user funds were affected and zero addresses were compromised. For the stated vulnerability to work in practice, it would require execution of several suspicious transactions that would have an extraordinarily limited impact. Injective has dynamic rate limiting functionalities which are applied automatically based on our live monitoring systems. This functionality has been live on mainnet since last year and is publicly available in our code base. In addition to all of the above, this report was reviewed against the clearly defined terms of our Immunefi program. Based on those terms, issues such as those raised in this report that DO NOT impact block production or consensus are categorized outside of the Blockchain/DLT tier and carry a maximum payout of $50,000. If the poster had requested a mediation we would explain to him the dynamic rate limiters and monitoring systems we have in place and why his stated figures are misleading. However, he did not do so. We always follow the procedures set forth by the Immunefi program and expect the submitter to do so as well. We remain committed to fair, transparent, and consistent handling of all reports, and to maintaining the highest standards of security for the ecosystem. Injective has done so since its mainnet inception in 2021 and will continue to do so in perpetuity, always putting builders and security first.

Slava S.@slvDev·
@PatrickAlphaC governance attacks are underrated threat vectors. $100k to capture $3m+ is insane ROI for an attacker. more protocols need active monitoring for unusual voting patterns, not just smart contract audits
Slava S.@slvDev·
@pashov open sourcing tools that protocols would pay thousands for is the fastest way to raise the security baseline. the more free tooling exists, the fewer obvious bugs make it to mainnet. everyone benefits
pashov@pashov·
🤯Protocols would pay >$1000 per run for this. Someone just Open Sourced it for free. MIT Licensed. This AI security tool is proven to get up to 90% coverage post human audits. I haven't seen another one that digs deeper into a codebase. Massive boost for the space🫡
Plamen Tsanev@p_tsanev

🚀Dear builders and auditors, your Claude Code sub just became a 100x audit team. Up to 95 specialized AI security agents running in one orchestrated autonomous pipeline. Fully open-source. "Plamen" is live 🔥🐉

Slava S.@slvDev·
what's the most common bug you keep finding in solidity audits that protocols still don't fix? for me it's the first depositor attack on vaults. inflate share price, steal from the next depositor. been known for years, still shows up constantly
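The attack named in the post and its standard mitigation, as an added example (not code from the post or from any project mentioned here): a toy Python model of ERC-4626 share math with constructed numbers, comparing naive accounting against OpenZeppelin-style virtual shares (a decimals offset of 3 is assumed).

```python
"""Toy ERC-4626-style share accounting (constructed for this example, not a
real contract) showing the first-depositor inflation attack and the
virtual-shares mitigation (the formula used by OpenZeppelin's ERC4626)."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Vault:
    # decimals_offset=None: naive accounting (1:1 on an empty vault, pro-rata after).
    # decimals_offset=n: 10**n virtual shares and one virtual asset, so a donation
    # can no longer make a single share worth the whole vault.
    decimals_offset: Optional[int] = None
    total_assets: int = 0
    total_shares: int = 0

    def preview_deposit(self, assets: int) -> int:
        if self.decimals_offset is None:
            if self.total_shares == 0:
                return assets
            return assets * self.total_shares // self.total_assets
        virtual = 10 ** self.decimals_offset
        return assets * (self.total_shares + virtual) // (self.total_assets + 1)

    def preview_redeem(self, shares: int) -> int:
        if self.decimals_offset is None:
            return shares * self.total_assets // self.total_shares
        virtual = 10 ** self.decimals_offset
        return shares * (self.total_assets + 1) // (self.total_shares + virtual)

    def deposit(self, assets: int) -> int:
        shares = self.preview_deposit(assets)
        self.total_assets += assets
        self.total_shares += shares
        return shares

    def donate(self, assets: int) -> None:
        # Plain token transfer into the vault: raises totalAssets, mints nothing.
        self.total_assets += assets


def first_depositor_scenario(decimals_offset: Optional[int]) -> dict:
    """Attacker deposits 1 wei and donates 1e18; then a victim deposits 1e18."""
    vault = Vault(decimals_offset=decimals_offset)
    attacker_shares = vault.deposit(1)
    vault.donate(10**18)
    victim_shares = vault.deposit(10**18)
    return {
        "victim_shares": victim_shares,
        "victim_redeemable": vault.preview_redeem(victim_shares),
        "attacker_redeemable": vault.preview_redeem(attacker_shares),
    }
```

With naive accounting the victim is minted zero shares and the attacker can redeem the entire vault; with the offset the victim keeps essentially their deposit and the attacker's donation is mostly lost, so the attack does not pay.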
Slava S.@slvDev·
this is where AI auditing is heading. not one tool, but a pipeline where static analysis, vulnerability search, and fuzzing all feed into the same reasoning loop. the standalone "scan and hope" approach is already dead
Plamen Tsanev@p_tsanev

Every AI auditor now does the same boring thing. So I went and fused the 4 security pillars into a singular pipeline:
- Static analysis
- RAG vulnerability search
- Recursive depth analysis
- Fuzzing and testing
Fully autonomous 🤖 Fully open-source 🔓 Going live tomorrow 🚨

Slava S.@slvDev·
@p_tsanev combining static analysis + RAG + fuzzing in one pipeline is the right direction. running each in isolation means the LLM misses context from the other layers. the more structured data you feed into reasoning, the less hallucinated the output
Plamen Tsanev@p_tsanev·
Every AI auditor now does the same boring thing. So I went and fused the 4 security pillars into a singular pipeline:
- Static analysis
- RAG vulnerability search
- Recursive depth analysis
- Fuzzing and testing
Fully autonomous 🤖 Fully open-source 🔓 Going live tomorrow 🚨
Pashov Audit Group@PashovAuditGrp·
Everyone is shipping AI security tools now. We went through them so you don't have to. 35 tools reviewed - Claude Code skills, standalone scanners, paid platforms. Hand-picked, not bulk imported. Drop the one AI security tool that you love the most🫡
Slava S.@slvDev·
@z0r0zzz the teams that abandon their dao are the same ones who used it as a regulatory shield in the first place. actual decentralized governance is messy and slow but at least the incentives are honest
ross.wei@z0r0zzz·
dao fud is so retarded because it's just like teams that get paid yearly by token vote to then figure out the day to day of product building and marketing then turn around and say the dao doesn't own the product anymore and actually they get the full treasury now cuz micromanagement
Slava S.@slvDev·
@PatrickAlphaC five years, no security incidents, $1B in payments. that's a real track record. the product worked, the market just wasn't big enough yet. respect for shutting down honestly instead of forcing a token to keep it alive
Slava S.@slvDev·
@pashov 1280 downloads in two weeks is wild. shows how much demand there is for security tooling that just works out of the box. the bar was too high before, most people never ran anything
pashov@pashov·
1280 unique downloads of the solidity-auditor skill. Not a day passing without me receiving "it found a new High severity vulnerability" from a dev or an auditor. v2 is a 10x. Codex, Cursor, Copilot support. Runs in <10 minutes, free (with AI plan) and it just delivers.
Slava S.@slvDev·
bug bounty platforms have a trust problem. you find a valid high severity, protocol says "we're aware" and pays nothing. same pattern gets exploited on another protocol a month later. the incentives are broken. if you reject valid findings, researchers stop looking at your code
Slava S.@slvDev·
sieve syncs ~1000 blocks/sec on ethereum. no rpc provider in the middle. parallel p2p fetches, bloom filter pre-screening, batched writes. the whole pipeline is designed to never wait on someone else's infrastructure
Slava S.@slvDev·
@pashov fair point. most analyzers don't check for this either. sounds like a detector worth building
pashov@pashov·
@slvDev Parsers that don't check for these miss it as well... So you need the "correct" static analysis tools
pashov@pashov·
Invisible malicious code. Because of special Unicode characters, where a human sees "nothing", the JavaScript interpreter sees executable code that can lead to an exploit. Cybersecurity is now more important than ever. Don't sleep on this, stay safe. arstechnica.com/security/2026/…
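The detector this thread says analyzers should have, as an added example (not code from the thread, the linked article, or any tool named above): a Python scan that reports invisible and direction-changing Unicode code points in source text. The sample JavaScript and the short list of non-Cf blank characters are constructed for illustration.

```python
"""Scanner for invisible or direction-changing Unicode code points in source
text. Added example; the sample JS and the extra non-Cf list are constructed."""
import unicodedata

# Code points that render as blank but are not in category Cf (assumption:
# a short, commonly cited list; extend it to match your review policy).
INVISIBLE_NON_CF = {0x115F, 0x1160, 0x3164, 0xFFA0}  # Hangul fillers


def find_invisible_chars(source: str) -> list:
    """Return (line, column, 'U+XXXX', name) for every suspicious code point.

    Flags category Cf (zero-width space/joiners, bidi overrides, soft hyphen,
    stray BOM, ...), the Hangul fillers above, and control characters other
    than TAB. A BOM as the very first character is tolerated as conventional.
    """
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            cp = ord(ch)
            if lineno == 1 and col == 1 and cp == 0xFEFF:
                continue
            cat = unicodedata.category(ch)
            if cat == "Cf" or cp in INVISIBLE_NON_CF or (cat == "Cc" and ch != "\t"):
                findings.append((lineno, col, f"U+{cp:04X}",
                                 unicodedata.name(ch, "<unnamed>")))
    return findings


# Constructed sample: renders as four ordinary lines in most editors.
SAMPLE_JS = (
    "const amount = 100;\n"
    "const amount\u200b = 0; // zero-width space: a second, distinct identifier\n"
    "if (isAdmin\u3164) { grant(); } // Hangul filler: not the name it appears to be\n"
    'const note = "abc"; \u202e// bidi override: rendered order differs from source\n'
)

if __name__ == "__main__":
    for lineno, col, cp, name in find_invisible_chars(SAMPLE_JS):
        print(f"line {lineno} col {col}: {cp} {name}")
```

Running it as a pre-commit or CI step over source files turns the "human sees nothing" problem into a hard failure with an exact position to inspect.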