Apenko 🦅💰(Ikechukwu Ezenwanne)

Starting Module 9 today — Security. Built DeFi, cross-chain, airdrops, upgradeable contracts. Now learning to break things. After this: audit contests. Finding real bugs in real protocols. The goal was never just to build. It was always to build securely. @CyfrinUpdraft

@cyfrin Super interesting seeing Cygent reason about invariants on a complex Rust sim. As someone grinding Cyfrin Updraft, I’m curious — how well does it currently translate to Solidity codebases with proxy patterns and assembly? Would love to try it on my Boss Bridge audit.

"A u8-indexed registry capping at 256 entries. A real overflow footgun I'd never written a test for." One developer's Cygent agent found it in his Rust codebase. He hadn't thought about it in months. 🧵

@Abdulrahee84158 Just finished UUPS upgradeables myself. The zkSync PUSH0 issue is sneaky on deployment. Would love to see your final findings when you’re done. Rooting for you

Smart Contract Security Day 25 Started a solo audit on Boss Bridge after wrapping up ThunderLoan. Did an initial static analysis pass with Slither + Aderyn and already digging into some interesting findings: • arbitrary `from` in `transferFrom` • arbitrary ETH + calldata forwarding • unsafe ERC20 interactions • zkSync PUSH0 deployment issue • reentrancy/event-ordering edge cases Still manually verifying everything and building attack paths before confirming severity. One thing I’m learning fast: static analyzers don’t find bugs for you… they just point you where to think harder. The real work starts during manual analysis. Back to the codebase. @_biggids @alexabelonix @CyfrinUpdraft @PatrickAlphaC @QuillAudits_AI @rosarioborgesi @Web3_Vinay

@HackenProof The bug here looks like the timelock check can be bypassed if the emergency function doesn’t properly validate the delay or uses block.timestamp manipulable logic. In Foundry I’d test this with vm.warp() to force the timelock.

Spot the Bug 🧠 Emergency withdrawal / Timelock What's the issue in this code?👇 #Solidity #SmartContractSecurity

@ProjectAFX @CyfrinUpdraft @PatrickAlphaC That's exactly the mindset I'm going in with. No shortcuts this time

@Apenko2 @CyfrinUpdraft @PatrickAlphaC Upgradeable contracts is exactly where tutorial Solidity and real protocol Solidity diverge. Cyfrin's stuff is solid. Security next is the right call — reading a codebase like an attacker is half the job, and the half most devs skip.

Module 6 of @CyfrinUpdraft Advanced Foundry — done. Upgradeable contracts. Proxy patterns. Foundry scripts. Full upgrade flow tested end to end. This one is directly relevant to how real protocols are built in production. Thanks to @PatrickAlphaC Security is next

@timsilva112 @CyfrinUpdraft @PatrickAlphaC Facts bro! That's why I made sure to actually understand it before moving on.

@Apenko2 @CyfrinUpdraft @PatrickAlphaC Make sure u understands this It’s will go a long way in ur security journey I still use ai to clear myself and some resources to clear myself when am confused

Started Module 6 today — Upgradeable Smart Contracts on @CyfrinUpdraft Everything I've built so far has been immutable. Now learning how protocols actually evolve in production. Core idea: separate logic from state. Proxy holds the state. Swap the logic. Users never notice.

Module 5 done ✅- Airdrops and Signatures. Merkle trees: verify a whitelist on-chain with just 32 bytes EIP-712: structured off-chain signing with replay protection ECDSA: recover the signer from v, r, s on-chain Gasless claiming: signer ≠ transaction sender @CyfrinUpdraft

Module 4 of @CyfrinUpdraft Advanced Foundry — done ✅ Cross-Chain Rebase Token deployed and bridged live from Sepolia to ZKsync Sepolia using Chainlink CCIP. That's 4 modules complete. Next stop — Airdrop & Signatures 👀

The hardest parts: — ZKsync RPC URL had changed, had to find the new one — WSL DNS kept resetting, had to make it permanent — applyChainUpdates was passing the wrong array — tried to remove a chain before adding it — Contract size exceeded EVM limit, fixed with the optimizer

What got deployed: — RebaseToken on ZKsync Sepolia — RebaseTokenPool on ZKsync Sepolia — RebaseToken + Pool + Vault on Sepolia — All CCIP roles and permissions configured on both chains

Just successfully bridged a cross-chain rebase token from Sepolia to ZKsync Sepolia using Chainlink CCIP 🔗 Deployed. Configured. Bridged. All from scratch. 🧵👇 #Chainlink #CCIP #ZKsync

@Abdulrahee84158 @CyfrinUpdraft 👍👍

@Apenko2 @CyfrinUpdraft Keep grinding 💪

Cross-chain test setup is compiling ✅ Two forks. Two token pools. Two chains talking to each other. The amount of version mismatch battles it took to get here. 😅 @CyfrinUpdraft

.@cyfrin has been working tirelessly to shift security left, into developers' hands, since day 1. - Building tools like @SoloditOfficial, Aderyn, Moccasin - Teaching people how to become auditors at @CyfrinUpdraft - Doing conventional audits And we just took another step

No tutorial prepares you for version mismatches like this You just have to read the actual source code, trace every error and reason through each fix That's real smart contract development 🔧 Still building. Still learning.

originalSender changed from encoded bytes → plain address Killed my abi.decode call instantly Also overriding with external visibility got rejected — parent expects public virtual override Small things. Big errors.

Upgraded chainlink-ccip to the latest version on my Rebase Token Pool project. Everything broke. 😅 Here's what changed and how I fixed it 🧵👇 #Solidity #Chainlink #CCIP #Web3