Sunshine (@stunspotx)

426 posts

FOCUS = Smart Contract(Research + Security + Auditing) 👨‍💻

Joined August 2023

294 Following · 16 Followers

Pinned Tweet

Sunshine @stunspotx
My first smart contract! Onboarding to Web3 with full passion and enthusiasm🛠️⚒️⚙️😁. This is gonna be an adventurous journey for me because my life is all about learning new, meaningful and exciting things everyday. LFG🔥🔥🔥 #WEB3 #SmartContracts #DeFi #webdev
[attached media]
0
0
8
378
BitWizards @BitWizards__
Introducing BitWizards -- a 10k NFT collection on @bittensor tao inscriptions protocol 🪄 24H mint window with a max supply of 10k / mint out or cut supply / WL = GTD Public = FCFS Comment wallet address for WL ( RANDOM )
[attached media]
4.1K
877
2.3K
104.4K
Sunshine reposted
0xasen @asen_sec
Everyone I've seen building AI security tools is optimizing for the wrong metric. And it's leading to the wrong architecture. 🧵
5
6
32
3K
Sunshine reposted
0xasen @asen_sec
It's not too late to start in web3 security. But the game you're entering isn't the game you've been reading about. Contests take months to judge. Platforms limiting submissions. AI finds the easy bugs before you do. The people who make it now are the ones who adapt fast.
8
3
120
3.5K
Sunshine reposted
CharlesWang @0xCharlesWang
In bear markets, audit volume naturally drops lower than in times when everybody wants to rush and deploy. This means lower revenue for auditing companies. Apparently some company owners think they are geniuses and lower their quality (which was already shitty before) even more, with practices such as:

- reducing manpower for audits
- allocating auditors with (even worse skillset than before)
- relying on AI only and selling it as manual audit

Customers often don't realize that, until it's too late. Rest assured that we at @bailsecurity don't follow such questionable actions. You can count on us to keep on delivering the world's best security without compromise. To project founders that are looking for a cheap badge which tells them they are ready to deploy (and eventually get rekt) to just collect money from investors: I'm (not) sorry to tell you this, but you will never get the @bailsecurity badge of approval.
0
2
22
1.5K
Sunshine reposted
LonelySloth @lonelysloth_sec
After many tests around LLM use in bug hunting, and taking into consideration all my experiences/study in AI in the past few months, I arrived at some conclusions. And I'll make some predictions:

1. Every new model will be followed by a wave of new bug findings in a short time that will get people very excited. Followed by a period of very few findings.
2. Those waves will get smaller and smaller, until basically there's no improvement.
3. The reason isn't that the code is becoming bug free -- it's because the % of bugs that **can be found** by LLMs is quite small.

Why?

1. The model has no idea how the code works -- you can catch it making ridiculous statements about the code all the time.
2. It has no idea how the EVM works either -- it misrepresents basic facts about the EVM all the time.
3. The way it finds bugs is basically hallucinating credible-sounding exploits. If there is a bug and it is typical enough, sometimes the hallucination matches reality.
4. Even very easy, very typical bugs can be missed if slightly obscured.
5. Matching the actual threat model is hard, so the severity is basically a random guess most of the time.
6. You can improve all of the above in two ways:
   6.a. Make extensive prompts/skills telling it exactly what it should look for. You just turned the supposedly generic auditor into a (very expensive and slow) static analyzer!
   6.b. Force it to PoC and retry repeatedly, enforcing success conditions. This turns it into a (very expensive and slow) fuzzer!
   You can combine both for better results.
7. It's useful, but it is still just a static analyzer + fuzzer. An incremental expansion on the existing state-of-the-art tooling. When you don't know what tools to use or don't have time to find out, they will be very useful -- and that's maybe a lot of value -- but it doesn't change the nature of what's going on.
8. People telling you it's doing what an auditor does, replaces humans, yadda yadda yadda -- they are either clueless, deluded, or deliberately misleading.
9. BTW humans hunting for bugs don't just try to look for known bug patterns -- the known bug patterns are compiled from findings by humans **who actually understood how the code works** and found the bug without anyone telling them what they should be looking for. That's the "research" part in Security Researcher.
10. Most of the known patterns were discovered independently by multiple SRs, sometimes years before becoming public knowledge. Sometimes it becomes public knowledge after a black hat discovers it and steals millions (you probably don't want to be the target of that research!)
11. Any human or machine that keeps just trying to match known patterns against code bases will miss **A LOT** of bugs.
12. Finding bugs is crazy hard. Writing bug-free code is even harder. There is no silver bullet. AI isn't magical. Nor is it "automating human cognition".
13. Life is always unfair. More so in a bear market.
14. If you think someone will hand you on X a solution so you can find bugs easily OR so you don't have to spend a lot of effort/money on securing your code... Well, things are not gonna work great for you.
9
35
283
29.3K
Sunshine reposted
ddimitrov22 @ddimitrovv22
I am ready to help anyone willing to make it in web3 security. If you are reading most of the opinions on X, "junior auditors" are dead, if you haven't made it as an auditor yet, you should give up. The reality is that we need good SRs more than ever. DM me if you need help🫡
52
15
284
11.5K
Sunshine reposted
CryptoMaMa @1CryptoMama
Nothing changes for someone unwilling to do the work. Knowledge alone will not get you there. You can study every book, watch every tutorial, and memorise every strategy, but until you do the work repeatedly, until you gain what I call functional understanding, it will not stick. Functional understanding is different from theoretical knowledge. It is the kind of understanding that comes only from doing, making mistakes, adjusting, and doing it again. It is not about learning in theory; it is about applying what you know even when it is hard, even when it feels uncomfortable. That is where growth happens. That is where you push past the plateau and start seeing results. The breakthrough you are looking for lives on the other side of persistence. Learn, apply, struggle, reflect, and repeat. Every iteration builds your intuition, sharpens your skills, and moves you closer to mastery. This is especially true in trading. You do not go from reading a strategy to seeing consistent success. You go from repeated action to functional understanding, and only then does success follow.
31
10
76
2.5K
Sunshine @stunspotx
All systems usually have at least one kind of invariant (a condition that must always remain true). With this in mind, if we understand the core invariant of a system, we can write tests to test specifically for that invariant.
0
0
1
8
Sunshine reposted
JohnnyTime 🤓🔥 @RealJohnnyTime
A bridge that can't tell the difference between a real deposit and a lie just cost $7M. The scariest part? The bug isn't in one protocol. It's in the shared codebase that dozens of chains are built on. Here's why this matters for the entire industry 👇
1
1
25
2K
Sunshine reposted
wyck 📴 @wyckoffweb
Many people worth $0 right now were worth 3-6 figures before. Some of you once made up to $100k but are currently worth less than $10. What's not talked about enough is how you make it all back after going from 100 to 0. And that's exactly what I'll address in this post 👇

First thing you need to understand: You don't rebuild money first. You rebuild control. When you go from 100 to 0, the real damage isn't financial. It's psychological. You start doubting your decisions. You hesitate more. Or worse, you rush. That's where most people lose again.

So here's how you rebuild, practically:

1. Separate the event from your identity. You didn't become stupid overnight. You experienced a bad outcome. Say this clearly: "I lost money." Not "I am a failure." Your brain behaves differently based on the sentence you repeat.

2. Stop trying to restore your old lifestyle. This is where most people destroy themselves. You don't go from 0 → back to 100 instantly. You go:
   - 0 → stability
   - Stability → momentum
   - Momentum → scale
   If you chase your old lifestyle too fast, ego will bankrupt you again.

3. Rebuild predictable income first. Rebuild anything that pays weekly, monthly and reduces anxiety. Security gives you mental clarity. Clarity gives you better decisions.

4. Shrink your risk per move. When you had 100, you could survive mistakes. When you have 0, mistakes are fatal. Your comeback phase requires:
   - smaller bets
   - fewer experiments
   - tighter discipline
   Maturity isn't less ambition. It's controlled ambition.

5. Upgrade the system, not the luck. If the same strategy made you rich and then wiped you out, the problem isn't aggression. It's lack of guardrails. Next time:
   - No all-in moves
   - No single point of failure
   - No decisions made from urgency
   You don't remove ambition. You add structure.

6. Focus on compounding reputation and skills. Money can vanish, but you know what cannot?
   - Skills
   - Network
   - Experience
   The person who can build once can build again, if they protect the foundation.

Here's the part most people won't say: Going from 100 to 0 is humiliating. But it also removes illusion. You stop believing you're invincible. You start respecting risk. And that version of you? Is far more dangerous, in a good way. Rebuilding isn't about getting your old number back. It's about becoming the kind of person who can't be wiped out that easily again.
[attached media]
91
33
333
19.7K
Sunshine reposted
GiuseppeDeLaZara @windhustler
How to thrive as a web3 security researcher in the age of AI - Tip 1: Mindset

The world is full of pessimists. If you're fixated on the worst outcome, you're setting yourself up for failure. With every major technological shift, productivity goes up and new opportunities open. AI is no different.

If you're wondering whether this is a good time to enter web3 security, there has never been a better time. What we're going to see in the coming years is a massive surge in projects building on the blockchain. Developer and product launch capabilities will at least double with AI, best case 10x. The crypto industry will likely 10x alongside it. That's 100x more apps being built. For every lending & borrowing market today, there will be 100 more. For every chain launching now, expect 100x more.

Even if AI finds 95% of the bugs, you still need a 100% bug-free project before launch. It will never be socially acceptable, let alone sufficient, to ship a project audited only by AI. That last 5% is where the exploits live.

So prepare for abundance. Today is the best day to start your journey as a web3 security researcher.
8
12
108
3.7K
Sunshine @stunspotx
@RealJohnnyTime Just bid higher than the previousBidder and then call the `endAuction()` function to end the auction and receive the nft as the highest bidder. Any other bidder calling the `bid()` function with a higher bid will revert because the auction already ended.
0
0
2
160
JohnnyTime 🤓🔥 @RealJohnnyTime
Weekend challenge #2, this one is a classic. Can you break it?
[attached media]
15
0
50
4.9K
Sunshine reposted
chrisdior @chrisdior777
"There was a time when 20 web3 security contests ran in parallel, and auditors reviewed code manually instead of using AI scans."
[attached media]
8
5
93
3.2K
Preetam📍NYC 🇺🇲 @raopreetam_
We're looking for 4-5 Security Audit Interns at @QuillAudits academy who don't just "read" code, but break it. The stack: Solidity, Rust, Move. Nice to have: hands-on experience with testing & fuzzing (Foundry, Echidna, Medusa). This is an unpaid 3-month internship designed as a high-octane trial. Perform well, and you'll be fast-tracked into a Full-Time Auditor role. If you think like an attacker and build like a defender, let's talk.
81
15
272
35.7K
misbahu @bichistriver
This is Hooooge! We got the top auditing company to sponsor 29 future Elite security researchers. One of the best in the web3 security space. Their founder wants to help this space grow in the era of AI. @PashovAuditGrp We will have an exciting mentorship program.

Next steps: If you have been wanting to join but couldn't due to the $50 fee, go ahead and fill out this form. You will get a free slot. Join only if you are ready to work hard for the next 10 weeks. docs.google.com/forms/d/e/1FAI…

Those that already paid before will be contacted tomorrow. They are already locked in. We will choose the lucky ones from today's applicants who apply after this announcement. Make sure to answer the questions with your best response. Let's go!
[attached media]
35
11
100
12.2K
Sunshine @stunspotx
@RealJohnnyTime An attacker can use multiple addresses to call the deposit() function with a full limit amount (1_000_000); the 'totalActiveAssets' remains constant in every deposit call because the state is never updated. He can now call processQueue() successfully since there is no access control.
1
0
3
400