𐌋𐌄Ꝋ

487 posts

@CipherShade

𐌂Ꝋ𐌍𐌔𐌉𐌔𐌕𐌄𐌍𐌂𐌙 𐌊𐌉𐌋𐌋𐌔 𐌂𐌓𐌄𐌀𐌕𐌉ᕓ𐌉𐌕𐌙!

Unknown · Joined April 2023
907 Following, 76 Followers
𐌋𐌄Ꝋ retweeted
chrisdior.eth@chrisdior777·
Auditing feels impossible at first. Here’s what progress actually looks like:
0–100h -> lost most of the time
200–300h -> start spotting patterns
500–700h -> can handle big codebases
1000h+ -> it clicks, bugs stand out instantly
The skill compounds over time. Keep going🙏
𐌋𐌄Ꝋ retweeted
Bernhard Mueller@muellerberndt·
Here’s my new article on finding soundness bugs in ZK circuits, with concrete examples in Circom, Cairo, and Rust. Link in reply.
JohnnyTime 🤓🔥@RealJohnnyTime·
IT’S HERE❗️ Together with @Starknetfndn, in no particular order, we are thrilled to welcome 18 new CSCH students to the community 🥁 @Om_Santoshwar @MSG_Encrypted @ayur_27 @0xaudron @1techhunter @Pelz_Dev @rejwar @0xLegendaire @AnmolSirola @Icon_70 @dmtrbch @CipherShade @0xjarix @scarcemrk @ManiVeer198 @Sriki09182003 @Likitd_ @SerahOluwatosin Congratulations! You will be receiving access to the learning platform shortly 🫡 To everyone who did not get in this time, keep up the great work, and I’m sure there will be more opportunities for you in the future 👀 You are also welcome to reach out for individual feedback🤝
Angelina | itsangelina.eth 🌸@angelinarusse·
Gm Web3! Fun Alchemy stickers for the win!! Thinking about making an envelope full of stickers to send to people! Also, how cute is the ZK <> Alchemy one? 😄🎉
𐌋𐌄Ꝋ@CipherShade·
@angelinarusse What a ride it’s been since '22! All the love for alchemy — onwards and upwards. LFG! 🥳
Angelina | itsangelina.eth 🌸@angelinarusse·
Thank you for everyone’s patience! I’m going through the list! Will give a shirt to everyone I can 😊❤️
Angelina | itsangelina.eth 🌸@angelinarusse·
It's that time again.👀 The holidays are here, and I’ve got a little surprise for you! Bitcoin shirts are back in stock! Let me know if you’d like one. Thanks for being part of the Alchemy community! ❤️
𐌋𐌄Ꝋ retweeted
zokyo@zokyo_io·
Level up your cybersecurity knowledge! A compilation of the best Web3 security alpha from our top engineers 🧵

📚 Blog Posts
1️⃣ Preparing for the Challenges of Smart Contract Audits 🔗 zokyo.io/blog/navigatin… Compilation of essential tips for pre-audit preparation
2️⃣ The Power of Penetration Testing 🔗 zokyo.io/blog/unlocking… Why penetration testing is crucial for identifying security gaps in Web3 systems
3️⃣ Understanding Subdomain Takeovers 🔗 zokyo.io/blog/when-web2… A comprehensive guide to subdomain takeovers in the context of Web3
4️⃣ Design: Push vs. Pull Pattern in EVM 🔗 zokyo.io/blog/design-pu… The benefits and trade-offs of different smart contract design patterns within the Ethereum Virtual Machine
5️⃣ Bug Bounty Programs 🔗 zokyo.io/blog/bug-bount… The evolution and critical role of bug bounty programs in cybersecurity
6️⃣ AI & Smart Contract Security 🔗 zokyo.io/blog/ai-in-cry… How AI is reshaping security practices in smart contract coding and auditing
7️⃣ Under the Hacker’s Hood: JSON Injection in NFTs 🔗 zokyo.io/blog/under-the… Understanding vulnerabilities in NFT metadata and risks from JSON injection attacks
8️⃣ The Role of Invariant Testing in Cybersecurity 🔗 zokyo.io/blog/ensuring-… How invariant testing ensures robustness in smart contracts
9️⃣ Flash Loan Attacks 🔗 zokyo.io/blog/flash-loa… How flash loan attacks work, their impact on DeFi, and strategies to avoid them
🔟 Chainlink VRF 🔗 zokyo.io/blog/chainlink… An examination of Chainlink’s VRF and the security considerations for its use
1️⃣1️⃣ The Top 10 Vulnerabilities in Large Language Models (LLMs) 🔗 zokyo.io/blog/exploring… Insights into the top vulnerabilities in AI models and the security measures to consider
1️⃣2️⃣ Best Practices for Web3 Wallet Security 🔗 zokyo.io/blog/safeguard… Guidelines to securing private keys and wallet security
1️⃣3️⃣ Web3: A Promising Frontier Fraught with Deception 🔗 zokyo.io/blog/web3-a-pr… Lessons from a recent YouTube-promoted crypto scam case study

💬 Twitter Threads
1️⃣ Recap of OpenSense Interview 🔗 x.com/zokyo_io/statu… Key insights from top engineer @SakshamGuruji on Web3 security, hackathon competitions, AI in auditing, and best practices
2️⃣ Boss goes on NASDAQ TradeTalks 🔗 x.com/zokyo_io/statu… Our CEO Hartej discusses Generative AI, asset auditing challenges, and the future of cybersecurity
3️⃣ Top 10 Security Issues Discovered by Zokyo 🔗 x.com/zokyo_io/statu… Our top audit findings of 2024, from rounding errors to DoS vulnerabilities
4️⃣ Fuzz Testing: All You Need to Know About 🔗 x.com/zokyo_io/statu… Why fuzz testing is a practical alternative to formal verification for blockchain Virtual Machines
5️⃣ Zokyo's Top Security Insights on Solodit 🔗 x.com/zokyo_io/statu… A deep dive into 1,200+ expert audit findings on Solodit
Shieldify Security@ShieldifySec·
How to become a Better Smart Contract Auditor? It's simple, put maximum time into it and do it willingly, every single day, no Excuses
First is learning, then the first letter of the word Learn is removed
LEARN -> EARN
𐌋𐌄Ꝋ@CipherShade·
@ShieldifySec The wild part is I just quit my job two days ago to go all-in on Web3 security. 😂
Shieldify Security@ShieldifySec·
Stop thinking about it, just quit your job and become a Smart Contract Researcher/Auditor. That's it!
𐌋𐌄Ꝋ@CipherShade·
@angelinarusse Who needs therapy when Angelina’s tweets hit the soul like that every day? 😌
𐌋𐌄Ꝋ retweeted
CharlesWang@0xCharlesWang·
Ether Transfers in Solidity: transfer(), send(), and call()

In Solidity, there are three primary ways to transfer Ether between contracts or to external accounts: transfer(), send(), and call(). Each method has different behaviors, including safety mechanisms and gas consumption, so it's important to understand when and how to use each one.

1. transfer()
The transfer() method is the simplest and most secure way to send Ether. It forwards 2300 gas to the recipient, preventing reentrancy attacks and ensuring that only basic operations (like logging) can be performed in the recipient’s fallback function. If the transfer fails, it automatically reverts the transaction.
Key Points:
Gas forwarding: Only 2300 gas is forwarded, which protects against reentrancy.
Auto-revert: The transaction reverts on failure, so you don’t need to handle errors.
Simple to use, but can fail if the recipient's fallback function requires more than 2300 gas.
Many auditors think it's an issue if a smart contract wallet is interacting with a contract and the transfer method transfers funds to the smart contract wallet. This will however only revert if there is gas-consuming logic in the fallback/receive function.

2. send()
The send() method works similarly to transfer(), but it does not automatically revert if the transaction fails. Instead, it returns a boolean (true on success, false on failure). You must manually handle the failure case.
Key Points:
Gas forwarding: Like transfer(), it only forwards 2300 gas.
Error handling: It does not revert on failure, so you must check the return value and handle failures manually.

3. call()
call() is the most flexible method for sending Ether. It allows arbitrary interactions with contracts, including sending Ether and invoking functions. Unlike transfer() and send(), it forwards all available gas, which makes it more prone to reentrancy attacks. However, it's useful when dealing with contracts that require more than 2300 gas to execute their logic.
To avoid security risks, call() should always be followed by a check of the return value and, ideally, proper gas management or protection against reentrancy attacks. One can also forward a custom gas value, if desired.
Key Points:
Gas forwarding: Forwards all available gas by default, making it flexible but potentially dangerous.
Error handling: Like send(), it returns a boolean that must be checked to ensure the transaction succeeded.
Reentrancy risk: Since all gas is forwarded, it’s vulnerable to reentrancy attacks unless guarded with checks like the nonReentrant modifier.
𐌋𐌄Ꝋ@CipherShade·
@sherlockdefi anonymous ditches the signature, keeps it cheap, but tracking? Nah, good luck with it lol. 😂
SHERLOCK@sherlockdefi·
Anonymous keyword in Solidity Solidity includes an "anonymous" keyword for events that's not commonly used. When might a developer choose this option, and what does it actually do in a smart contract?
𐌋𐌄Ꝋ@CipherShade·
@CharlesWangP The code wrongly uses balanceOf(address(this)) to check the token balance.
CharlesWang@0xCharlesWang·
FIND THE BUG - CHALLENGE A simple refund mechanism that lets the owner refund tokens to recipients - what could go wrong here? Bonus: What could go wrong if the array of recipients is in the storage and users could become part of the array by depositing funds?
𐌋𐌄Ꝋ retweeted
SHERLOCK@sherlockdefi·
Spot this bug, and you might become a Sherlock Lead Senior Watson (LSW) one day. The winner will be picked in 24 hours. This code is a simplified version of an actual vulnerability found in a Sherlock contest. Hint: Look closely at the disableMaxLock function, consider all the edge cases. Good luck!
pashov@pashov·
Security researchers don't need sex Escalations fck them every day
vukan (blkn/acc)@vukan0x·
replied to like 300+ invites, will continue sending rest in a bit just want to say how amazing it is to work in web3 / crypto, everyone is so nice, friendly and collaborative maximalism in crypto is DYING, interoperability and collaboration is THRIVING and I’m super happy that this also goes for my own project, @BlockformerLLC, and for the projects that we work with, like @ApexFusion please, ping me again in DMs if I didnt get back to u, reply here for speedy reply
vukan (blkn/acc)@vukan0x

are you under 25 working in crypto? reply and I'll send you an inv to a group filled with genz gooners all working fulltime in web3 to build partnerships, connections, and to collaborate props to @0xMatt1 for starting this, amazing initiative, already met some amazing ppl!
