M3dython | Zealynx.io (@m3dython)
2.1K posts

Smart Contract Auditor & Security Researcher | Sharing Audit Techniques & Vulnerabilities | Growth Lead at @ZealynxSecurity

0x000 · Joined October 2024
136 Following · 221 Followers

Pinned Tweet
M3dython | Zealynx.io (@m3dython):
🚀 Thrilled to share my results from the @sherlockxyz Burve audit contest! Secured a Top 10 finish (#8 out of 703 participants) and a 2,509.74 USDC reward. 🛡️ Proud to have uncovered 3 High-Severity findings, contributing to a more secure Web3. Congrats to all fellow auditors! #SmartContracts #SecurityAudit #Web3 #Sherlock #BlockchainSecurity #BugBounty #m3dython
You can view my Sherlock profile here: sherlock.xyz/u/m3dython
10 replies · 0 reposts · 86 likes · 4.8K views
M3dython | Zealynx.io (@m3dython):
You cannot code away a subpoena. If your RWA protocol fails to enforce off-chain SPV legal constraints natively, it is structurally flawed.
0 replies · 0 reposts · 2 likes · 50 views
M3dython | Zealynx.io (@m3dython):
Moving from Solidity to Rust auditing replaces "who can call this function?" with "is this account actively lying about its data structure?"
0 replies · 0 reposts · 3 likes · 65 views
M3dython | Zealynx.io (@m3dython):
EVM auditors hunt for state manipulation. SVM auditors just try to confirm an account isn't actively lying about its identity. Different execution environments, identical root vulnerability: the developer.
0 replies · 0 reposts · 2 likes · 41 views
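What that Solana-side identity check looks like in practice, as an added example that is not code from these posts or from Zealynx. It is plain Rust with no Solana crates: the `AccountInfo` shape, the two program ids, the `Vault` layout and its 8-byte discriminator are all constructed stand-ins for the example. The point of the two posts above is that an attacker can hand a program an account whose bytes are laid out exactly like a legitimate one; what proves the account is "ours" is the owner check plus the discriminator, and the signer check is what ties the caller to the authority stored inside it.

```rust
/// Stand-in for a Solana account passed to a program. Constructed for this
/// example; the real type lives in solana-program and carries more fields.
#[derive(Debug, Clone)]
pub struct AccountInfo {
    pub key: [u8; 32],
    pub owner: [u8; 32], // program that owns, and may write, this account's data
    pub is_signer: bool,
    pub is_writable: bool,
    pub data: Vec<u8>,
}

/// Constructed program ids: the program doing the check, and somebody else's.
pub const OUR_PROGRAM_ID: [u8; 32] = [0x11; 32];
pub const ATTACKER_PROGRAM_ID: [u8; 32] = [0xEE; 32];

/// 8-byte type tag written at the start of every Vault account (constructed value).
pub const VAULT_DISCRIMINATOR: [u8; 8] = *b"VAULT\0\0\0";
/// discriminator | authority pubkey | balance (u64, little-endian)
pub const VAULT_LEN: usize = 8 + 32 + 8;

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Vault {
    pub authority: [u8; 32],
    pub balance: u64,
}

#[derive(Debug, Clone, PartialEq, Eq)]
pub enum ValidationError {
    WrongOwner,
    BadLength,
    BadDiscriminator,
    NotWritable,
    AuthorityNotSigner,
    AuthorityMismatch,
    InsufficientBalance,
}

/// Serialize a Vault into the account byte layout described above.
pub fn encode_vault(authority: [u8; 32], balance: u64) -> Vec<u8> {
    let mut data = Vec::with_capacity(VAULT_LEN);
    data.extend_from_slice(&VAULT_DISCRIMINATOR);
    data.extend_from_slice(&authority);
    data.extend_from_slice(&balance.to_le_bytes());
    data
}

/// The identity check. An account is a Vault only if OUR program owns it AND its
/// data carries the Vault discriminator at the expected length. A matching
/// layout alone proves nothing: an attacker-owned account can copy the bytes.
pub fn load_vault(acc: &AccountInfo, program_id: &[u8; 32]) -> Result<Vault, ValidationError> {
    if &acc.owner != program_id {
        return Err(ValidationError::WrongOwner);
    }
    if acc.data.len() != VAULT_LEN {
        return Err(ValidationError::BadLength);
    }
    if acc.data[..8] != VAULT_DISCRIMINATOR {
        return Err(ValidationError::BadDiscriminator);
    }
    let mut authority = [0u8; 32];
    authority.copy_from_slice(&acc.data[8..40]);
    let mut balance = [0u8; 8];
    balance.copy_from_slice(&acc.data[40..48]);
    Ok(Vault { authority, balance: u64::from_le_bytes(balance) })
}

/// Withdraw `amount` after validating the vault's identity, its writability and
/// the authority's signature. Returns the new balance.
pub fn withdraw(
    vault_acc: &mut AccountInfo,
    authority_acc: &AccountInfo,
    amount: u64,
    program_id: &[u8; 32],
) -> Result<u64, ValidationError> {
    let vault = load_vault(vault_acc, program_id)?;
    if !vault_acc.is_writable {
        return Err(ValidationError::NotWritable);
    }
    if !authority_acc.is_signer {
        return Err(ValidationError::AuthorityNotSigner);
    }
    if authority_acc.key != vault.authority {
        return Err(ValidationError::AuthorityMismatch);
    }
    let new_balance = vault.balance.checked_sub(amount).ok_or(ValidationError::InsufficientBalance)?;
    vault_acc.data[40..48].copy_from_slice(&new_balance.to_le_bytes());
    Ok(new_balance)
}

/// Constructed sample accounts: the signing authority, a legitimate vault, and a
/// byte-identical vault owned by a different program.
pub fn sample_accounts() -> (AccountInfo, AccountInfo, AccountInfo) {
    let authority = AccountInfo { key: [0xAA; 32], owner: [0; 32], is_signer: true, is_writable: false, data: vec![] };
    let legit = AccountInfo { key: [0xBB; 32], owner: OUR_PROGRAM_ID, is_signer: false, is_writable: true, data: encode_vault(authority.key, 1_000) };
    let spoofed = AccountInfo { owner: ATTACKER_PROGRAM_ID, ..legit.clone() };
    (authority, legit, spoofed)
}

fn main() {
    let (authority, mut legit, mut spoofed) = sample_accounts();
    println!("legit:   {:?}", withdraw(&mut legit, &authority, 250, &OUR_PROGRAM_ID));
    println!("spoofed: {:?}", withdraw(&mut spoofed, &authority, 250, &OUR_PROGRAM_ID));
}
```

Running `main()` gives `Ok(750)` for the legitimate vault and `Err(WrongOwner)` for the copy owned by the other program; the data bytes are identical in both cases, so the owner field alone decides. In a real program the same three checks are `account.owner == program_id`, the discriminator comparison Anchor performs when it deserializes an `Account<T>`, and `is_signer` on the authority; skipping any one of them is the "account lying about its identity" bug the posts above describe.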
M3dython | Zealynx.io (@m3dython):
My public address 0xD46c42A9142280E0e2BCB791D35Ee1F9064B02ac
1 reply · 0 reposts · 0 likes · 34 views
Bloqarl | Zealynx (@TheBlockChainer):
Just wrapped a meeting with a protocol CEO. We covered smart contract audits, pentesting, and MCP security.

Then he said something that stuck: "The scarcity of resources who are able to handle Web2 and Web3... it's very difficult now to find resources who are able to have a foot on both sides. And I think this is a very interesting resource that we can find in Zealynx."

This is exactly what we built for. Most teams are either Web3-native or security firms trying to pivot. We started at the intersection.

API vulnerabilities that drain wallets. Frontend logic that bypasses smart contract rules. Oracle manipulation through compromised backends.

You can't audit one layer and ignore the other. Not anymore. If your protocol touches both worlds, your security team needs to as well.
4 replies · 5 reposts · 26 likes · 1.7K views
M3dython | Zealynx.io (@m3dython), replying to @DevDacian:
protocols want cheaper audits, auditors wanted higher payouts. contests squeeze the middle and burn out the good hunters while rewarding volume over depth.
0 replies · 0 reposts · 2 likes · 177 views
Dacian (@DevDacian):
Q) Why did audit contests die?
All free market businesses without profitable business models eventually die (or get acquired frequently at unattractive terms). That is the root cause, everything else is a secondary consequence.
12 replies · 1 repost · 68 likes · 4.5K views
M3dython | Zealynx.io (@m3dython), replying to @pashov:
man literally invented the discipline of "proving your code doesn't explode" before VCs were throwing money at unaudited defi forks
0 replies · 0 reposts · 3 likes · 104 views
pashov (@pashov):
Dijkstra is an OG security auditor, hunted for bugs before it was cool.
He would've crushed it in web3.
5 replies · 2 reposts · 98 likes · 3.6K views
M3dython | Zealynx.io (@m3dython), replying to @ArnieSec:
#3 hits different. too many juniors treat audits like linting instead of threat modeling. "where does value move" is the unlock. solid list
0 replies · 0 reposts · 0 likes · 27 views
M3dython | Zealynx.io reposted
Arnie (@ArnieSec):
Mistakes I made early learning security research (and how I fixed them):

1) Giving up when doubt appears: Starting a new codebase feels overwhelming. Your brain interprets this as "I'm not cut out for this."
Fix: Push through the discomfort and doubt. As familiarity increases, doubt collapses and confidence increases.

2) Searching for the "perfect resource": I delayed real learning by endlessly reading, watching, and bookmarking.
Fix: Learn the basics, then move directly into bug hunting/auditing. Understanding compounds after exposure, not before it.

3) Reading code line-by-line instead of modeling behavior: I treated audits like syntax puzzles instead of systems.
Fix: Start with questions:
- What must always hold?
- What can change?
- Where does value move?
Then read code to confirm or break assumptions.

4) Mistaking confusion for lack of ability: Confusion to me felt like failure instead of progress.
Fix: Confusion means your mental model is updating. If you're confused, you're learning. If you're comfortable, you're probably plateauing.

5) Avoiding hard sections too early: I'd skip "scary" parts (math, edge cases, accounting).
Fix: Lean into the hardest parts. That's where real bugs live and where growth accelerates.

Takeaway: The biggest blocker isn't knowledge. It's how you respond to discomfort. Security research rewards those who push through discomfort.
6 replies · 14 reposts · 119 likes · 4.2K views
Black Panther (@thepantherplus):
solidity devs usually ask how do i do delegatecall in move? you don't. move doesn't have it.

in solidity, delegatecall lets contract A run contract B's code in A's storage. it is indeed powerful, but it gave us the parity-like hacks, proxy bugs, and storage collision nightmares.

move said no from day one. a module can only touch the resources it defines. no borrowing another module's logic to mess with your state.

is it less flexible? yes. but entire classes of bugs simply don't exist here. sometimes the best feature is the one they didn't add!
3 replies · 0 reposts · 19 likes · 1K views
M3dython | Zealynx.io (@m3dython), replying to @samrags_:
fan out = exhaust the attack surface. narrow = triage by exploitability. good framework.
0 replies · 0 reposts · 0 likes · 28 views
Sam Ragsdale (@samrags_):
I've been onboarding non-engineers to Claude Code for sales and GTM work. Most get terrible results because they don't know how to run an agent-guided-search.

Lesson 4/5: Fanning out.

The Problem
Most people prompt Claude like they're asking a junior employee. "Find 5 examples of..." "Give me a few options for..." Claude gives you 5. You pick one. You move on. This is stupid.

What you should do instead
Fan out, then narrow down. Start broad. Demand everything. Then have Claude go deep and disqualify.

Example: You're looking for fractional CFOs in the Bay Area.

Bad prompt: "Find me 5 fractional CFOs in SF." Claude finds 5. Maybe 2 are relevant. You have no idea how they compare to the whole set.

Good prompt: "Find every single fractional CFO and finance consultant operating in the Bay Area. I want 40+ results minimum. Write them all to a .csv with their name, LinkedIn, website, years of experience, and specialty." Claude searches. Digs deeper. Finds 50.

Then narrow: "Review bay_area_cfos.csv. Filter for SaaS experience, 10+ years, and at least 3 LinkedIn recommendations. Score each 0-100 on culture fit for a scrappy startup. Top 10 only." Now you have 10 great options instead of 5 mediocre ones you settled for.

Why this works
LLMs are lazy by default. They'll give you the minimum unless you demand more. "Find me some options" = Claude stops at 5. "Find me 40+" = Claude actually searches.

Fan out = gather everything. Narrow down = ruthless filtering. Do the work in two steps. Don't settle for mediocre responses.

That's all for today!
3 replies · 0 reposts · 25 likes · 2.8K views
jayesh (@0xjayeshyadav):
As a smart contract developer, master what AI still struggles with:
- Edge cases, where AI models are weakest
- Spotting and solving new problems and novel hacks before they become obvious
- Focusing on architecture and design over syntax level coding
- Letting AI handle boilerplate while you write the critical logic
- Writing extremely clear, edge case aware prompts
- Staying innovative and creating mechanisms others haven't thought of yet
- Code is cheap, trust is expensive, build reputation

Quoting Naval (@naval): "There's no point in learning custom tools, workflows, or languages anymore."
9 replies · 10 reposts · 76 likes · 4.2K views
M3dython | Zealynx.io (@m3dython), replying to @ddimitrovv22:
ai is basically the intern who reads the docs faster than you but still needs you to point at the sus line.
0 replies · 0 reposts · 1 like · 43 views
ddimitrov22 (@ddimitrovv22):
What AI can do for you in web3 security:
- explain math-heavy/complex functions
- help with diagrams, flows, etc.
- be trained and find bug leads
- write PoCs and reports

What AI can't do for you:
- find (semi)complex bugs itself
- scan whole codebases and find all the bugs
4 replies · 1 repost · 56 likes · 1.8K views
Pendle Intern (@PendleIntern):
someone just said to me that @pendle_fi doesn't have the cheapest dollars, @Polymarket does
mf a coin toss isn't a "cheap dollar", it's a gamble no matter how "guaranteed" it is 😩
5 replies · 2 reposts · 32 likes · 1.6K views
The DeFi Investor 🔎 (@TheDeFinvestor):
I'm pretty sure tokenization will be the fastest-growing trend in 2026.
Robinhood will soon enable 24/7 on-chain stock trading. DeFi equity perps are booming. Blackrock CEO is shilling RWAs every week.
The only question is what is the best way to bet on this narrative.
50 replies · 8 reposts · 118 likes · 6.6K views
Ignas | DeFi (@DefiIgnas):
2025 was a seismic year for DAOs:
- Uniswap realigned the DAO with Labs
- Jupiter paused governance for 6 months
- Scroll shut its DAO

Indeed, DAOs are governed by a few. Incentives for delegates dry out, and many are closing shops.

On the flip side, value accrual to tokens increased:
- Lido adopted a buyback framework
- Uniswap burnt $600M in UNI & turned fee switch on
- Fluid & Aave both turned on buybacks
- Cow Protocol increased solver profitability

Intern cooked on this one!

Quoting Pink Brains (@PinkBrains_io): x.com/i/article/2015…
45 replies · 15 reposts · 147 likes · 21K views