webrainsec

120 posts

@webrainsec

miss nothing.

web3 · Joined July 2025
93 Following · 113 Followers
Plamen Tsanev (@p_tsanev)
😱A FREE Open-Source AI Auditor just delivered the same output as a $47,000 audit contest! Plamen ran twice on the same DODO contest as other tools and achieved 90+% coverage both times! Check the entire process below and integrate Plamen in your development workflow now
webrainsec reposted
SHERLOCK (@sherlockdefi)
The @aave team partnered with Sherlock across the V4 upgrade through three major phases: a multi-phase collaborative audit with Blackthorn, a $365K audit contest, and a bug bounty to protect live code after launch. For one of the biggest architectural shifts in Aave’s history, the margin for missed issues was basically zero. Sherlock was brought in to go deeper on the parts of V4 that were entirely new, especially the Hub-and-Spoke architecture + risk premium system.
webrainsec reposted
webrainsec (@webrainsec)
ty for quick triage @cantinaxyz 🤝 on to the next
webrainsec (@webrainsec)
fair point, FoT reverts at the require so it's DoS not inflation. the fix is still the same though: shares should track the balanceOf delta, not the input amount. that way FoT tokens work instead of reverting, and the accounting stays correct regardless of token behavior. Also, the CEI violation you mentioned is real: state update after external call.
naush (@ifkacja)
@webrainsec @HackenProof you are partly right but fee on transfer tokens won't pass the require statement, they will revert. I think rebasing tokens will mess up the accounting of the protocol, if weird ERC20s are in scope 😁. In addition to that, violation of CEI can also be seen here.
HackenProof (@HackenProof)
Spot the Bug 🧠 ERC20 deposit accounting What’s the issue in this code?👇
webrainsec (@webrainsec)
@victorokpukpan_ ye we also see it a lot, maybe even more than before because of vibe coded apps?
Victor_TheOracle
I still see developers storing private keys in plaintext. .env files, config files, and even random text files. It feels harmless until one mistake exposes everything. There is a better way to handle this.
webrainsec reposted
Pashov Audit Group (@PashovAuditGrp)
Everyone is shipping AI security tools now. We went through them so you don't have to. 35 tools reviewed - Claude Code skills, standalone scanners, paid platforms. Hand-picked, not bulk imported. Drop the one AI security tool that you love the most🫡
pashov (@pashov)
Beautiful blog post. If you want to build the best AI security tools, read this. Innovation in this space is about to upgrade the baseline, fast.
BradMoon (@xy9301)
x.com/i/article/2033…
webrainsec (@webrainsec)
@cvetanovv0 discipline, consistency and hard work lead to success, and eventually the impossible is made possible 🤝
Dimitar Tsvetanov (@cvetanovv0)
In Web3 security, every finding and every failure forges a stronger auditor. Each challenge is an opportunity to learn. The true expertise is built by those who never stop growing, adapting, and pushing the boundaries of what’s possible.
webrainsec reposted
pashov (@pashov)
AI Web3 Security AI Web3 Security AI Web3 Security AI Web3 Security AI Web3 Security AI Web3 Security AI Web3 Security
webrainsec (@webrainsec)
@zacodil ye, didn't see the UI yet but you're absolutely right
Vadim (@zacodil)
Read both post mortems from CoW Protocol and Aave on the $50M swap. What they reveal is worse than the headlines. Here's what stood out:

The auction timeline:
- Three solvers quoted. Two found routes returning ~52K AAVE (~$5.7M). One returned ~330 AAVE (~$36K). The two good quotes were rejected by a hardcoded 12M gas limit in the verification system - legacy code nobody updated. The worst quote set the limit price.
- A solver later found the good route again and won two consecutive auctions. Then never submitted the transaction. No revert. No error. Just didn't execute. Then stopped bidding. CoW says this is "under investigation."
- The last solver standing had the worst route. Won the third auction with no competition. That's what executed.

Mempool leak:
- The solver submitted via private RPC. Etherscan tagged it as seen in the public mempool. If confirmed, the transaction leaked - enabling ~$34M in backrun extraction. Also "under investigation."

Aave's side:
- UI showed 99.9% price impact. Checkbox: "I confirm the swap with a potential 100% value loss." User confirmed on mobile.
- Initially announced a $600K fee refund. Post mortem now says $110K. That's not a rounding error.
- Shipping "Aave Shield" - blocks swaps over 25% price impact by default. A threshold check. After $50M.
- The user still hasn't contacted them.

What neither report addresses:
- Why CoW is hardcoded as the only swap provider with no price comparison.
- The SolverParticipationGuard deleted six weeks earlier instead of fixing it.
- The 12M gas ceiling that rejected 160x better quotes was legacy code. CoW says it's "already fixed." It took a $50M loss to update a hardcoded number.
- CoW confirms even the best quotes reflected ~90% value loss. The liquidity wasn't there on any single chain. This isn't a routing problem - it's a liquidity fragmentation problem.
- Solver E found a 160x better route, won two consecutive auctions - and never submitted the transaction. Didn't even try. Then stopped bidding. The worst solver won the third auction by default. CoW's explanation: "ongoing investigation."
ross.wei (@z0r0zzz)
@webrainsec cool - hmu - moloch/majeur looks like an ai audit scan contest so far and it would be useful to get your input
webrainsec (@webrainsec)
lucky day on friday the 13th, let's get it