Andrea | Blockchain Security

Happy new year 2026 * Get first Med/High by Mar 2026 * Rank top 10 in one of the contest by end of this year I solemnly pledged, no quit

Wrap up k2 audit today. Spend 2 days trying to abuse the flashloan operation, but failed. Fingercross now and take a break.

A nice first flight arena for solana

What Smart Contract Security Research Really Is Most people think blockchain security is just “checking code for bugs.” It isn’t. Smart contract security research is psychological warfare against invisible adversaries. A smart contract security researcher studies decentralized systems the same way a thief studies a bank vault. The job is to think like an attacker before attackers arrive. To identify weaknesses before they become headlines. To understand how complex financial systems break under pressure, manipulation, and human assumptions. In Web3, code is law. And unlike traditional software, smart contracts often control real money directly. No customer support. No chargebacks. No emergency rollback button. One vulnerability can drain millions of dollars in seconds. That’s why smart contract auditing has become one of the most critical disciplines in blockchain cybersecurity. Every DeFi protocol, governance system, bridge, staking platform, and DAO depends on security researchers seeing what everyone else missed. Sometimes that means catching catastrophic flaws before launch. Sometimes it means watching exploits happen in real time and realizing nobody can stop them.

After months of auditing, I rarely touched liquidation logic—it's long, complex, and intimidating for beginners. But in every contest results, liquidation operations are always where most bugs are found. So for K2, I'm biting the bullet and grinding through liquidation. 💪

New: We just launched the BEST Web3 opportunities page! Bug bounties & Audit competitions aggregated all in one place in a beautiful customizable UI. Check it out here: smartcontractshacking.com/tools/audit-co…

Audit update. Nothing new, continue grinding K2 for flash liquidation. It has been almost a month grinding K2, with only 3 days short break for Solana Audit Arena.

When I just learned the basic audit, I keep hearing "security results are not linear". Now I truly understand the meaning

Oh, forgot to tag @0xShaedyW Full dataset: x.com/0xshaedyw/stat…

Three major hacks in just 4 days! On May 15, #THORChain was exploited, with stolen funds exceeding $10M. On May 18, the Verus-Ethereum Bridge (@VerusCoin) was hacked, with ~$11.5M stolen. Today, @EchoProtocol_ was exploited, the hacker minted 1,000 $eBTC ($76.64M) and has already used it to steal 385 $ETH($821K). Stay safe.

Crazy — another hack just happened! According to @dcfgod, @EchoProtocol_ on Monad was exploited. The hacker: minted 1,000 $eBTC ($76.64M) on Monad; deposited 45 $eBTC ($3.45M) into Curvance; borrowed 11.3 $WBTC ($867K) from Curvance; bridged the 11.3 $WBTC to Ethereum and swapped it for 385 $ETH ($821K); then deposited the 385 $ETH into Tornado Cash to launder the funds. The hacker still holds 955 $eBTC ($73.2M). debank.com/profile/0x6a01…

Continuing k2 audit today. Today for price oracle and internal liquidation. Tomorrow will be the 2 step liquidation. Having a nice zen moment yesterday with Ikea coffee & almond cake.

@r0bre 🫡

Not at all, but its really important to do the next step

I just published Learning Solana Bug From Solana Audit Arena Week 4 medium.com/p/learning-sol…

If I spend 3 weeks focusing in only one audit contest & found nothing. Does it mean I am wasting my time?

If you're starting out in Web3 security, you gotta check this out: hackviz.shredsec.xyz Super clean way to learn real-world exploits without all the fluff. 🫡

Price oracles always make my head smoky. Staleness Decimal precision / rounding Fetch mechanisms And that’s before dealing with protocols that aggregate multiple sources. What else belongs on the oracle risk checklist?

Let's distract our demotivated state with just doing. Continuing K2 Audit. Diving on the internal_liquidation_call & the get price data mechanism.

@yusufthebdev Still demoralized

To every new security researcher feeling discouraged right now especially us junior SRs. You do not need perfect conditions to improve. No contest? Audit old codebases. No roadmap? Build your own. No opportunity yet? Prepare for it. Keep showing up!

@AuditingCntrcts He quit his position at the company in order to become an education minister. However I think he still has share there.

@snufflesrea channelnewsasia.com/asia/indonesia… Did not grasp the details but is it usual for someone to be both a minister of educ. and a tech entrepreneur ?

One of the saddest weeks. C4 is shutting down, the Web3 industry is losing momentum. Poor law enforcement in my country continues to hurt my motivation. One of the most well-known tech founders just received a 27-year prison sentence over allegations that are still unproven.

@AuditingCntrcts Just 3rd world problem. Gojek founder is accused of procurement corruption.

@snufflesrea Wow what's that issue? Any links? Just curious