Sebastian Fernandez

760 posts

@snfernandez

@Bitfinding Co-Founder. Ex-hacker. Mostly EVM these days. Previously at @Microsoft, @MarshallWace.

Joined July 2009
724 Following, 1.3K Followers
Pinned Tweet
Sebastian Fernandez@snfernandez·
Wrote a post about those cases when shared_ptr<T> doesn't use atomic operations for the reference count. Spoiler: it's only in GNU and I couldn't decide if it's secure or not. snf.github.io/2019/02/13/sha…
Sebastian Fernandez retweeted
Chaofan Shou@Fried_rice·
vibe coded a fuzzing ai agent last month and let it run for a week using my $200 claude max. it then found 21 high/critical vulnerabilities in Chrome.
Sebastian Fernandez@snfernandez·
The most interesting thing I saw this week was Yoink fixing the gas on a failed backrun tx for Alkemi ($20k) and then building its own block with *just* the attack *only* paying a 10% bribe to the validator. This is surprising because a gas-fix is something trivial so 10% is a low bribe given the competition. I think Yoink either has very sharp calculations around bribes (likely) or preferential treatment from the MEV Relay. I know that, at least, c0feebabe would do the gas-fix and pay a high enough bribe. The only question is if the block builders wouldn't pass these bribes to the validator and that being the reason Yoink won with his own block building.
Sebastian Fernandez@snfernandez·
Unfortunately users suffer from alert fatigue so they stopped caring. Hard to say without seeing what the warning showed but I think protocols shouldn't allow these trades from the UI. Expert users will find a way if they truly need to execute these actions.
Stani@StaniKulechov

Earlier today, a user attempted to buy AAVE using $50M USDT through the Aave interface. Given the unusually large size of the single order, the Aave interface, like most trading interfaces, warned the user about extraordinary slippage and required confirmation via a checkbox. The user confirmed the warning on their mobile device and proceeded with the swap, accepting the high slippage, which ultimately resulted in receiving only 324 AAVE in return. The transaction could not be moved forward without the user explicitly accepting the risk through the confirmation checkbox. The CoW Swap routers functioned as intended, and the integration followed standard industry practices. However, while the user was able to proceed with the swap, the final outcome was clearly far from optimal. Events like this do occur in DeFi, but the scale of this transaction was significantly larger than what is typically seen in the space. We sympathize with the user and will try to make a contact with the user and we will return $600K in fees collected from the transaction. The key takeaway is that while DeFi should remain open and permissionless, allowing users to perform transactions freely, there are additional guardrails the industry can build to better protect users. Our team will be investigating ways to improve these safeguards going forward.

Liyi Zhou@lzhou1110·
Looks like we have an imitator here for this Alkemi liquidation thing. Someone copied the attacks after 40 mins?
Sebastian Fernandez@snfernandez·
@fede_k Bet a lot of money that something will not get hacked and someone may prove you wrong
Federico Kirschbaum@fede_k·
Are there Polymarket bets for breaches? I mean it would solve many incentives
Sebastian Fernandez@snfernandez·
@wraitii Are you measuring the idle time of the buildings (tc/range) as well? Also, do these agents have access to the evaluation tool? My intuition says they'd try to optimize it in a loop if they had access to it.
Sebastian Fernandez@snfernandez·
In the not so distant future, programming will become like knitting. Some of us will still find it relaxing and empowering. But in reality, writing code by hand, or even typing on keyboards, won’t be productive at all very soon.
Sebastian Fernandez@snfernandez·
@0xz80 Reverting the last commit sounds great if you have a "safeword" that triggers it ignoring breaking changes
z80.wei 👌☀️👌@0xz80·
@snfernandez i’m adding a tg command that’ll essentially git stash and revert to previous commit and restart from there, open to ideas for more and am looking more into all the BEAM fault tolerance stuff
z80.wei 👌☀️👌@0xz80·
zeebot can now recompile in place without any downtime so it can extend itself live only possible on lemon 🍋
Sebastian Fernandez@snfernandez·
And this brings us to no-restart patching systems and how important it is that these become more widely adopted by software.
Sebastian Fernandez@snfernandez·
And the second order effect of this is that we can no longer wait til Sunday to apply patches and restart programs/OS. Patches will need to be released to everyone at the same time and applied asap.
Sebastian Fernandez@snfernandez

We need to change the term 1-day-exploit to 1-hour-exploit (and actually take it seriously). The LLM models are getting to a stage where they can plan the reverse engineering of patches, researching exploitability and helping write exploits all in parallel.

Sebastian Fernandez@snfernandez·
We need to change the term 1-day-exploit to 1-hour-exploit (and actually take it seriously). The LLM models are getting to a stage where they can plan the reverse engineering of patches, researching exploitability and helping write exploits all in parallel.
Sebastian Fernandez retweeted
banteg@banteg·
takopi v0.5.0 is out 🐙 our third release in a day!
- new agents: opencode, pi
first external contribution by @snfernandez who has added @opencode runner
$ uv tool install -U takopi
github.com/banteg/takopi
now supports codex, claude code, opencode, and pi
metaphantacy@zmtO21·
On Oct. 25, El Dorado Exchange @ede_finance (bscscan.com/address/0xf1d7…), which is a GMX fork, lost ~$80k due to an ELP (LP token) accounting bug. Attacker exploited a mismatch between LP valuation and position accounting, minting ELP from thin air.

Attack flow (atomic tx): addLiquidity(ETHB) → increasePosition() → removeLiquidity() → decreasePosition()

Opening a leveraged position temporarily altered reservedAmount / vault exposure, but ELP mint & burn logic didn’t fully account for it.

There are multiple exploiters involved in this exploit, this is one of the exploit tx app.blocksec.com/explorer/tx/bs…
androolloyd.hl@androolloyd·
okay oh my opencode is fucking insane
bauti.eth@BautiDeFi·
@snfernandez need a better step by step to see where it is reverting and the storage/memory at revert time.
bauti.eth@BautiDeFi·
what is the best transaction debugger for evm? I have been using tenderly simulations but i need something more in-depth.