Ali - 0xdev8.eth

@github stars list beta feature experimentation github.com/ahmedali8 🧵

Announcing the Solidity Testing Handbook ✨ Fully free, one-stop resource for Solidity developers and security researchers. Resources are currently scattered across blogs, docs, and forums. I found it difficult to keep track of everything in one place. This handbook aggregates all testing patterns from basic unit tests to advanced mutation tests into a single, well-organized guide for quick reference. It’s built from my own learnings and best practices observed in popular codebases. soliditytestingbook.com

No Service 📶 Can't wait for us to get back to 5G when we're at Breakpoint. Until then, some quality time at our co-working space... Sign up below and see you Friday! 🧘‍♀️

Solana at Rust Nation 2026 🦀🇬🇧

The Pitstop London just kicked off! 🚦 Europe’s sharpest builders. Under one roof with the leading teams in the Solana ecosystem for a week. That’s Pitstop. Level up! 📈

Full house of rust developers learning Solana tonight. Thank you @RustNationUK for inviting us! See you Thursday for the UK’s largest rust developer conference.

@CapinUK @SuperteamUK @RustNationUK @solana @solana_devs @SolanaConf Thanks for having me ❤️

@SuperteamUK @RustNationUK @solana @solana_devs @SolanaConf Thank you @0xdev8 for repping @SuperteamUK and presenting tonight! You absolutely smashed it 👏👏

The best way to learn how something works is to build it yourself. So I rebuilt OpenClaw from the ground up, starting from a 20-line Telegram bot and ending with a Mini Openclaw in 400 lines. I learned a lot and it was a lot of fun! Here's the tutorial so you can do it too:

🦞Calling all openclaw bots, clawdbots, moltbots, and AI agents @moltbook. We’re running an end-to-end, agent-powered hackathon with a $30,000 USDC prize pool, open until Sunday, Feb 8 at 12:00 PM PST. Three tracks: → Agentic Commerce → Best OpenClaw Skill → Most Novel Smart Contract Agents submit projects. Agents vote. USDC moves. Agents can read the rules and submit projects on m/usdc: moltbook.com/post/b021cdea-… Learn more: circle.com/blog/openclaw-…

OpenClaw + ERC-8004 + x402 + (...?) Agentic activity is about to get very interesting - Agentic task markets - Agentic Commerce (crypto + tradFi rails) - Collaborative agentic networks (social, workflow...) - Agent lending and credit lines - Proof of agency (identity) + verification tooling - Integration of Decentralized AI compute/inference - RWA pricing by connecting agents to oracles The concentration of both capital and attention is going to send this parabolic What's missing? What's the (...?) in the equation? I'll compile a list of projects + use cases to help index the signal through the noise Drop the protocols in the comments below and RT for awareness for me to collate data

ERC-8004 is now live on mainnet. 5 months ago, we wrote the specs for the Trustless Agents standard. Since then, over 10k agents registered on testnet. Today, we’re releasing it on Ethereum Mainnet. Welcome to the 8004 Genesis Month. Here’s everything you need to know 👇

TruFin has signed an MoU with @libeara_ to explore the expansion of tokenised RWA opportunities on Solana. The collaboration will explore institutional-grade workflows and on-chain utility, including compliant access, streamlined onboarding, efficient settlement, and composability on Solana.

@VittoStack @ethereumfndn Congratulations 🙌🏻

It's official. I've joined the @ethereumfndn AI team to make Ethereum the trust layer of the agentic economy. The AI economy is just getting started, and Ethereum is the perfect place to coordinate it - excited to push this forward. Send a dm if you're building cool stuff.

⚠️ When you verify contracts on Etherscan or Sourcify, you might unknowingly leak your device info! This is for the USDC contract deployer:

@VittoStack Cool, excited!!

@0xdev8 we're currently updating the website :)

@VittoStack @VittoStack can you check please?

@VittoStack 8004.org doesn't work

If you want to do ZK in 2026, here are the courses I'd take: 1 - A linear algebra course. This is the foundation of almost all non-trivial fields of programming. 2 - A discrete math course (especially one that includes elementary number theory) 3 - A proofs course (as a prerequisite for group theory) 4 - A group theory course 5 - A probability/stats course so your intuition on the subject gets proper training 6 - A computational theory/computational complexity course, so you know what a "language" is formally, and you have experience with "reductions." 7 - A Rust course. 90% of ZK projects use it. Use @RareCodeAI, and you'll have all you need to know. 8 - A cryptography course. Privacy depends on cryptography 9 - An algebraic coding theory course so you can understand FRI/ZK-STARKs 10 - A course in VMs/Computer architecture so you can make sense of ZKVMs. I've worked with students who take the ZK Bootcamp at 2x speed -- Having a solid foundation lets you move fast. Easy money in Web3 is over. Learn how to gain hard skills instead of constantly looking for shortcuts. Even if you fail, you'll come out cracked.

yETH Exploit Deep Dive After spending some time exploring the recent yETH exploit, I quickly realized that it's easily one of the most sophisticated attacks I've ever seen. In fact, it was so complicated that every writeup I read misunderstood at least some part of the attack. This complexity provides for some serious alpha to developers and security researchers who can thoroughly understand the attack, so don't just bookmark this, let's dive in. Hybrid AMM Curve To understand this exploit, we first need to understand the underlying mechanism of the protocol. The yETH pool uses an invariant which is a hybrid between constant product and constant sum. If you're familiar with the inner workings of Uniswap, you should be familiar with the constant product behavior, essentially it just adjusts the price according to the reserves. Whereas constant sum results in a constant price between the tokens, regardless of reserves. The yETH hybrid curve behaves like a constant sum when the token reserves are balanced, keeping the price constant, and behaves like a constant product curve when the reserves are imbalanced. This behavior is valuable for pools of assets which have the same value due to the fact that the price is much less sensitive to reserve changes. Below we have a graph [1] of these different curves. Red: constant product, green: constant sum, blue: hybrid used by the yETH pool. The First Bug: Breaking The Invariant Let's zoom in on the `_calc_supply` function. This function uses an iterative approximation to converge to a new supply and constant product term at each iteration, ending the loop once sufficient precision is achieved. The constant product term (r) is recomputed at each iteration as the current value multiplied by the new supply, divided by the previous supply (`r * sp / s`). Effectively, it scales at the same rate as the supply. The bug: if the decrease in supply of any given iteration of the solver is large enough, the constant product term can round down to zero. There is no revert to handle this case and once it occurs, each following iteration will remain zero since `0 * x / y = 0`. Now that we have a zero constant product term, we no longer have a hybrid constant product/constant sum curve, instead we effectively just have a constant sum curve. To understand why this is a problem we have to go back and look at the curves. In the below graph [2], we have the intended curve (red) and the constant sum curve (purple) which is the result of the zero product term. As we adjust the supply (see desmos graph [2] linked in reply) of these two curves (D), we can see that the reserves increase by the same amount in the middle, where the reserves are balanced, but by different amounts on the outside, where the reserves are imbalanced. This means that as we add/remove liquidity with imbalanced reserves, these two curves will mint/burn a different amount of LP tokens. Understanding this behavior, the attacker systemically switched between these curves by triggering the zero constant product term when adding liquidity with unbalanced reserves to receive more LP tokens than intended. They then resolved the constant product term back to normal during liquidity removal to receive the correct amount of tokens provided for burning the inflated amount of LP tokens they received. This allowed the attacker to withdraw more tokens than they deposited, which they repeated until the pool was drained of its reserves for a profit of about ~$8m. The Second Bug: Unexpected Underflow You thought we were done? Nope, there's yet another bug that the attacker exploited to steal even more funds after already completely draining the pool. Now that the pool is empty, and variables used for accounting are in such an unusual state, there is a significant side effect which occurs when we attempt to deposit certain dust amounts. Again, looking in the `_calc_supply` function, when we iteratively recompute the supply, we compute it with the following line (`(l - s * r) / d`): Since we use unchecked math here and the accounting is in a highly irregular state, it's unexpectedly possible for `s * r > l`, resulting in the computed supply underflowing. The attacker exploits this underflow by depositing the following amounts: `[1, 1, 1, 1, 1, 1, 1, 9]`, resulting in them being minted `~2.6*10^56` yETH LP tokens. The attacker then makes a swap on the curve yETH/WETH pool, draining the pool of its WETH, for a profit of ~$1m. Conclusion Not only did this attack include a highly sophisticated AMM invariant exploit, but it also exploited an underflow which is likely only possible due to the existence of the invariant exploit. This combination of exploits allowed the attacker to not only drain the yETH pool, but also another pool containing the LP token. Both attacks, and even tornado cash deposits were all made in the same transaction, preventing any chance at rescue. In my research, every writeup I came across misunderstood this attack in some way. Clearly, it's extremely rare to understand such a sophisticated exploit, providing for some serious alpha to developers and security researchers to fully wrap their heads around this.

What a place to spend my birthday! 🎂 Thank you Argentina 🇦🇷 ✨