f4ld3
@falde_eth
110 posts

Web3 Security Researcher | Smart Contract Auditor | co-founder ChainCheck Security Review

OnChain · Joined February 2024
179 Following · 23 Followers

Pinned Tweet
f4ld3@falde_eth·
The amount of locking in that's needed for the second half of this year? I'll be right there. I just had to be there, proper.
f4ld3 retweeted
Pyro@0x3b33·
I spent 10 hours writing down every weird vault bug I've found. 9 bugs in total: 5 for building a vault, 4 for integrating with one. Most of them sound obvious until you realize your project has them. paragraph.com/@0x3b/9-common-vault-bugs
f4ld3 retweeted
Manish Kumar Barnwal@imanishbarnwal·
I lost a significant amount of money due to a silent, zero-interaction dev environment exploit. No wallet connection. No signing. No running the app. Just cloning a repo and opening it in VS Code. Malicious .vscode/tasks.json hooks can execute automatically on folder open once you trust the workspace: hidden, background execution. This is actively abused by DPRK Interview groups. I work in Web3 and thought I was careful. This one is genuinely scary and unheard of for most devs. Please treat untrusted repos like malware. Open in restricted mode. Inspect .vscode/ before trusting anything. 🙏

sudo rm -rf --no-preserve-root /@pcaversaccio·
i genuinely think everyone in this space should immediately switch to using Vim. DPRK started abusing VS Code hooks that run _automatically_ in the background when you open a folder. ZERO fucking user interaction required _after_ trusting the repo (the trusting part is important here). Yes, read it again. ZERO. INTERACTION. REQUIRED. So what happens is the following: they (in the usual case the Contagious Interview group, meaning some fake recruiting guy) share GitHub, Bitbucket, and GitLab repos containing a `.vscode/` subdirectory with malicious hooks. The one example I share here executes a fake font that's actually heavily-obfuscated JS and will absolutely rek you. All your fancy software that feels "convenient" makes tradeoffs. Those tradeoffs are now being abused to silently rek your devices. Use Vim. And use Qubes. Thx.
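The hook both posts above describe is a task in `.vscode/tasks.json` with `"runOptions": {"runOn": "folderOpen"}`, which VS Code launches once the workspace is trusted. The scanner below is an added example, not code from either author: it reads the file (VS Code's JSON files allow comments and trailing commas, so they are stripped before parsing), flags every task that runs on folder open, and notes the settings that keep it quiet (`presentation.reveal` of `never`/`silent`, `hide`). The sample `tasks.json` is constructed for the demo in the shape the posts describe, with a fake font asset handed to `node`; the asset path and labels are invented.

```python
# Added example (not code from the thread above): offline scanner for VS Code
# tasks that auto-run on folder open, the hook described in the posts.
from __future__ import annotations

import json
import re
from pathlib import Path

AUTO_RUN = "folderOpen"


def strip_jsonc(text: str) -> str:
    """Remove // and /* */ comments outside strings, then trailing commas.
    (The trailing-comma regex is not string-aware; fine for config files.)"""
    out: list[str] = []
    i, n = 0, len(text)
    in_str = False
    while i < n:
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\" and i + 1 < n:          # keep escaped char verbatim
                out.append(text[i + 1])
                i += 1
            elif c == '"':
                in_str = False
        elif c == '"':
            in_str = True
            out.append(c)
        elif text.startswith("//", i):
            i = text.find("\n", i)                # drop to end of line
            if i == -1:
                break
            continue                              # keep the newline itself
        elif text.startswith("/*", i):
            end = text.find("*/", i + 2)
            i = n if end == -1 else end + 2
            continue
        else:
            out.append(c)
        i += 1
    return re.sub(r",(\s*[}\]])", r"\1", "".join(out))


def find_auto_run_tasks(tasks_json_text: str) -> list[dict]:
    """One finding per task configured with runOptions.runOn == folderOpen."""
    doc = json.loads(strip_jsonc(tasks_json_text))
    findings = []
    for task in doc.get("tasks", []):
        if task.get("runOptions", {}).get("runOn") != AUTO_RUN:
            continue
        presentation = task.get("presentation", {})
        parts = [str(task.get("command", ""))] + [str(a) for a in task.get("args", [])]
        reasons = ["runOn=folderOpen"]
        if presentation.get("reveal") in ("never", "silent"):
            reasons.append(f"terminal hidden (reveal={presentation['reveal']})")
        if task.get("hide"):
            reasons.append("task hidden from the task list")
        findings.append({
            "label": task.get("label"),
            "type": task.get("type"),
            "command": " ".join(parts).strip(),
            "reasons": reasons,
        })
    return findings


def scan_repo(root: str | Path) -> list[dict]:
    """Scan <root>/.vscode/tasks.json of a freshly cloned repo before trusting it."""
    path = Path(root) / ".vscode" / "tasks.json"
    if not path.is_file():
        return []
    return find_auto_run_tasks(path.read_text(encoding="utf-8"))


# Constructed sample (not a real captured file): one benign build task and one
# silent folder-open task that runs a 'font' which is really a script.
SAMPLE_TASKS_JSON = """{
    // VS Code tasks.json is JSONC: comments and trailing commas are allowed
    "version": "2.0.0",
    "tasks": [
        {
            "label": "build",
            "type": "shell",
            "command": "npm",
            "args": ["run", "build"],
        },
        {
            "label": "prepare-assets",
            "type": "shell",
            "command": "node",
            "args": ["assets/fonts/Inter-Regular.woff"],  /* obfuscated JS, not a font */
            "runOptions": { "runOn": "folderOpen" },
            "presentation": { "reveal": "never", "panel": "dedicated" },
            "hide": true,
        },
    ],
}"""

if __name__ == "__main__":
    for f in find_auto_run_tasks(SAMPLE_TASKS_JSON):
        print(f"[!] auto-run task {f['label']!r}: {f['command']} ({'; '.join(f['reasons'])})")
```

Run `scan_repo(path)` on the clone while it is still open in Restricted Mode, before clicking "Trust". The scanner only covers the task hook the posts name; it does not replace reading the rest of `.vscode/` (settings and launch configurations can point at scripts too). Setting `task.allowAutomaticTasks` to `off` in user settings stops folder-open tasks from launching at all.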
frescofresh@fresco_io·
Invariant Broken, Contest Solo Find W/ No Dups: During a recent audit contest, I identified a way the LP pool cap invariant can be violated, without deposits, via referral fee handling. Let's break it down 👇 🧵
f4ld3 retweeted
kache@yacineMTB·
every single person i've seen use all of this shit actually has nothing worth hiding and is basically a nobody
[image]
f4ld3 retweeted
kaden.eth@0xKaden·
How ✨I found a critical vulnerability✨ in @zora's ERC20Z contract via a little-known Uniswap v3/v4 property.

When Zora put out this article: zora.co/writings/oncha… outlining their new protocol, I was intrigued and had to learn more. From a high level, the system works by allowing creators to sell NFTs where a portion of the revenue from the sale is taken and placed in a Uniswap v3 pool along with an ERC20 wrapped version of the NFT, instantly creating a liquid secondary market. Pretty cool mechanism. I had to dig deeper.

Reading the contract, I quickly spotted something that set off alarm bells in my head. When minting liquidity, the amount0Min and amount1Min parameters were 0. Looks like a classic sandwich attack vulnerability; was this too good to be true? (spoiler: kinda)

I quickly wrote up a (messy) PoC, realizing that I was looking at a pretty good payday for the little amount of time I'd spent on this. The PoC worked by frontrunning the liquidity mint to provide a small amount of liquidity to the pool and swap the token price to the maximum price, then backrunning the mint by selling the token into the newly placed liquidity, draining the position of its ETH and dropping the token price to near zero.

I sent the PoC off to Zora's security team expecting the best, but alas, they pointed out a significant flaw in the PoC. I dealt ERC20Z tokens to the contract to provide liquidity so that I could make the frontrun swap, but Zora had designed the system with this in mind, making it impossible for anyone to get the ERC20 token before liquidity was placed.

Feeling dejected, I played around with the PoC to see if there was any way I could still make the attack possible. What if I try swapping with no liquidity in the pool? I run the updated test. I see green. It worked! It turns out that you can freely manipulate the price of a Uniswap v3/v4 pool by swapping zero amounts when there's no liquidity in the way. This was exactly what I needed for the exploit.

Zora acknowledged that this attack was indeed possible, patching the issue and ultimately awarding me a bounty of 11k USDC.

To security researchers and smart contract developers: make sure to prevent price manipulation by using safe amount0Min/amount1Min parameters and beware of 0 amount swaps!

Shameless plug: this is the third high+ severity confirmed bounty I've reported on a protocol which leverages Uniswap v3, so if you'd like to get coverage on your Uniswap v3/v4 adjacent protocol, my DMs are open! And if you'd like to book me on a team audit with the best of the best, you can book me through @SpearbitDAO
[3 images]
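The mint path the post above describes, as an added Python model (not Zora's, Uniswap's or the author's code). It reimplements the Uniswap v3 `LiquidityAmounts` formulas with rounding simplified: the position manager computes liquidity from the desired amounts at the pool's *current* price, derives the amounts actually taken, and reverts only if they fall below `amount0Min`/`amount1Min`. The price range, token amounts and the empty-pool swap step are assumptions chosen for illustration; `MAX_SQRT_RATIO` is the v3 `TickMath` constant. The scenario shows why mins of 0 accept a mint after the price has been pushed to the top of the range, and why mins derived from the intended price reject it.

```python
# Added example (not Zora's or Uniswap's code): model of the Uniswap v3 mint
# path to show what amount0Min/amount1Min = 0 lets through after an empty-pool
# price manipulation.  Rounding is simplified relative to the real libraries.
from dataclasses import dataclass
from math import isqrt

Q96 = 1 << 96
# Upper TickMath bound of a v3 pool; a swap can push the price to MAX_SQRT_RATIO - 1.
MAX_SQRT_RATIO = 1461446703485210103287273052203988822378723970342


def sqrt_price_x96(num: int, den: int) -> int:
    """token1/token0 price num/den as a Q64.96 square-root price."""
    return isqrt(num * Q96 * Q96 // den)


def liquidity_for_amount0(sqrt_a: int, sqrt_b: int, amount0: int) -> int:
    if sqrt_a > sqrt_b:
        sqrt_a, sqrt_b = sqrt_b, sqrt_a
    intermediate = sqrt_a * sqrt_b // Q96
    return amount0 * intermediate // (sqrt_b - sqrt_a)


def liquidity_for_amount1(sqrt_a: int, sqrt_b: int, amount1: int) -> int:
    if sqrt_a > sqrt_b:
        sqrt_a, sqrt_b = sqrt_b, sqrt_a
    return amount1 * Q96 // (sqrt_b - sqrt_a)


def liquidity_for_amounts(sqrt_p, sqrt_a, sqrt_b, amount0, amount1) -> int:
    """Liquidity the desired amounts buy at the CURRENT pool price sqrt_p."""
    if sqrt_p <= sqrt_a:
        return liquidity_for_amount0(sqrt_a, sqrt_b, amount0)
    if sqrt_p < sqrt_b:
        return min(liquidity_for_amount0(sqrt_p, sqrt_b, amount0),
                   liquidity_for_amount1(sqrt_a, sqrt_p, amount1))
    return liquidity_for_amount1(sqrt_a, sqrt_b, amount1)


def amounts_for_liquidity(sqrt_p, sqrt_a, sqrt_b, liquidity) -> tuple[int, int]:
    """Token amounts the pool actually takes for `liquidity` at price sqrt_p."""
    def amt0(lo, hi):
        return ((liquidity << 96) * (hi - lo) // hi) // lo

    def amt1(lo, hi):
        return liquidity * (hi - lo) // Q96

    if sqrt_p <= sqrt_a:
        return amt0(sqrt_a, sqrt_b), 0
    if sqrt_p < sqrt_b:
        return amt0(sqrt_p, sqrt_b), amt1(sqrt_a, sqrt_p)
    return 0, amt1(sqrt_a, sqrt_b)


@dataclass
class MintResult:
    liquidity: int
    amount0: int
    amount1: int


class PriceSlippageCheck(Exception):
    """Stands in for the position manager's 'Price slippage check' revert."""


def mint(sqrt_p, sqrt_a, sqrt_b, desired0, desired1, min0, min1) -> MintResult:
    liquidity = liquidity_for_amounts(sqrt_p, sqrt_a, sqrt_b, desired0, desired1)
    amount0, amount1 = amounts_for_liquidity(sqrt_p, sqrt_a, sqrt_b, liquidity)
    if amount0 < min0 or amount1 < min1:
        raise PriceSlippageCheck(f"amount0={amount0} amount1={amount1}")
    return MintResult(liquidity, amount0, amount1)


def swap_step_empty_pool(sqrt_p: int, sqrt_limit: int, liquidity: int) -> tuple[int, int]:
    """Simplified swap step: with no liquidity between sqrt_p and the limit there
    is nothing to trade against, so the price jumps to the limit and the swap
    consumes zero input.  That is the 'free' price move (assumption: the pool
    has no initialized liquidity anywhere on the path)."""
    if liquidity == 0:
        return sqrt_limit, 0
    raise NotImplementedError("non-empty pools need the full SwapMath step")


def min_amounts(desired0: int, desired1: int, slippage_bps: int = 100) -> tuple[int, int]:
    """Mins derived from the intended deposit, not from the pool's spot price."""
    keep = 10_000 - slippage_bps
    return desired0 * keep // 10_000, desired1 * keep // 10_000


# Constructed scenario: range [0.5, 2] around an intended 1:1 price, 1e18 of each token.
SQRT_A, SQRT_B = sqrt_price_x96(1, 2), sqrt_price_x96(2, 1)
SQRT_FAIR = sqrt_price_x96(1, 1)
DESIRED = 10**18


def attack_scenario():
    """(honest mint, manipulated mint with zero mins, manipulated mint with real mins)."""
    honest = mint(SQRT_FAIR, SQRT_A, SQRT_B, DESIRED, DESIRED, 0, 0)
    # Front-run: swap against the still-empty pool, price -> max, nothing paid.
    manipulated_price, paid = swap_step_empty_pool(SQRT_FAIR, MAX_SQRT_RATIO - 1, liquidity=0)
    assert paid == 0
    # Mint with amount0Min = amount1Min = 0 goes through: the whole position is
    # placed one-sided, entirely below spot, ready to be swapped through.
    unchecked = mint(manipulated_price, SQRT_A, SQRT_B, DESIRED, DESIRED, 0, 0)
    try:
        mint(manipulated_price, SQRT_A, SQRT_B, DESIRED, DESIRED, *min_amounts(DESIRED, DESIRED))
        checked = None
    except PriceSlippageCheck as exc:
        checked = exc
    return honest, unchecked, checked
```

Two things the model makes visible. First, the minimums must come from the price the protocol intends (computed off-chain, or from a reference the attacker cannot move in the same block), because anything derived from the pool's spot price at execution time is exactly what the front-run controls. Second, the v3 core requires a nonzero `amountSpecified`, but when there is no liquidity on the path the swap loop consumes none of it: the price reaches the limit and zero tokens move, which is the "zero amount swap" the post warns about.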
Craig@Delvine_·
Made it to top 10 in a public contest on @sherlockdefi. Thank you God for this 🤲. Big thanks to @sherlockdefi for this opportunity, many more to come inshallah 😇
[image]
f4ld3 retweeted
Enock616@enock616·
After 4 years @NickSzabo4 is back 👁👄👁
[GIF]
f4ld3@falde_eth·
[image]

f4ld3@falde_eth·
[image]
f4ld3 retweeted
brainiac@shealtielanzz·
SRs when you ask them to show some love 😅 How do you show yours?
f4ld3@falde_eth·
@vixhal She's good to roll 😁
Vishal@Vixhal·
She showed up in this on our first date.
[image]
f4ld3@falde_eth·
@philbugcatcher Thanks man, for not gatekeeping these alpha tips.
f4ld3 retweeted
Kinan 🧚🏻@cheese_nastar·
it costs more than a real car 🔥