Toby
884 posts
@32bits_Toby
swe | cs | blockchain security researcher | occasionally building cool stuff
Joined November 2020
176 Following · 237 Followers
Pinned Tweet
Toby
Toby@32bits_Toby·
Midwife tried to hold him, he said onlyOwner() Enrol your kids to @CyfrinUpdraft today 🍼
31
25
361
15.1K
James Dawson
James Dawson@_on0x·
@StaniKulechov $50 million to $35,912. That is so insane. Yeah, you need a more aggressive friction pattern than just a checkbox if they are about to lose over $100,000 in slippage. "Yo, bro. The fuck you doing?" Type "I will lose all my money" to proceed.
64
50
2.6K
133.3K
Stani
Stani@StaniKulechov·
Earlier today, a user attempted to buy AAVE using $50M USDT through the Aave interface. Given the unusually large size of the single order, the Aave interface, like most trading interfaces, warned the user about extraordinary slippage and required confirmation via a checkbox. The user confirmed the warning on their mobile device and proceeded with the swap, accepting the high slippage, which ultimately resulted in receiving only 324 AAVE in return. The transaction could not be moved forward without the user explicitly accepting the risk through the confirmation checkbox. The CoW Swap routers functioned as intended, and the integration followed standard industry practices. However, while the user was able to proceed with the swap, the final outcome was clearly far from optimal. Events like this do occur in DeFi, but the scale of this transaction was significantly larger than what is typically seen in the space. We sympathize with the user, will try to make contact with the user, and will return $600K in fees collected from the transaction. The key takeaway is that while DeFi should remain open and permissionless, allowing users to perform transactions freely, there are additional guardrails the industry can build to better protect users. Our team will be investigating ways to improve these safeguards going forward.
2.8K
990
11.1K
6.6M
Toby
Toby@32bits_Toby·
@adeolRxxxx Had this convo with a colleague in the space some days ago.
0
0
0
210
playboi.eth
playboi.eth@adeolRxxxx·
I don’t think I can continue this career path for long. - I’ve experienced exhaustion every day for the past week bro that I can’t even sleep at night. Bro I’m sad I’m mentally exhausted.
35
3
154
13.2K
Toby
Toby@32bits_Toby·
Weekend rodeo. Wrapped up Challenge 5 of Damn Vulnerable DeFi. Spent way too long chasing a dead end around the bitmap boundary (0 → 1). The actual bug was much simpler. Transfers execute per claim, but “already claimed” is enforced per token group. By repeating the same valid proof within a single call, the contract pays out multiple times before the claimed bit is finally recorded. The assumption: each (token, batchNumber) appears at most once in inputClaims per tx. The issue: state updates happen once per token per batch, not per claim. The contract relied on the structure of inputClaims instead of enforcing it.
0
1
6
96
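The accounting defect described in the post above, reduced to its essentials as an added example (this is not the Damn Vulnerable DeFi contract, just a simplified reconstruction of the pattern): transfers run once per element of the claims array, while the "already claimed" check-and-record runs once per (token, batch) group. The hardened variant records each claim before paying it. Contract and function names, the leaf encoding `keccak256(abi.encode(claimer, amount))`, and the one-root-per-(token, batch) layout are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

/// Simplified batched Merkle-claim distributor (added example; assumed layout:
/// one Merkle root per (token, batch), leaf = keccak256(abi.encode(claimer, amount))).
contract GroupedClaimDistributor {
    struct Claim {
        uint256 batchNumber;
        uint256 amount;
        uint256 tokenIndex;  // index into `tokens`
        bytes32[] proof;
    }

    IERC20[] public tokens;
    // token => batch => Merkle root
    mapping(IERC20 => mapping(uint256 => bytes32)) public roots;
    // token => batch => claimer => already paid
    mapping(IERC20 => mapping(uint256 => mapping(address => bool))) public claimed;

    constructor(IERC20[] memory tokens_) { tokens = tokens_; }

    function setRoot(IERC20 token, uint256 batch, bytes32 root) external {
        roots[token][batch] = root; // access control omitted for brevity
    }

    /// VULNERABLE: payment happens per element of `claims`, but the claimed flag is
    /// checked and written once per (token, batch) group, at the group boundary.
    /// Two identical valid claims inside one group are therefore both paid out.
    function claimVulnerable(Claim[] calldata claims) external {
        require(claims.length > 0, "no claims");
        IERC20 token = tokens[claims[0].tokenIndex];
        uint256 batch = claims[0].batchNumber;
        for (uint256 i = 0; i < claims.length; i++) {
            Claim calldata c = claims[i];
            IERC20 cToken = tokens[c.tokenIndex];
            if (address(cToken) != address(token) || c.batchNumber != batch) {
                _record(token, batch);           // settle the previous group only now
                (token, batch) = (cToken, c.batchNumber);
            }
            require(_verify(c, msg.sender), "bad proof");
            require(token.transfer(msg.sender, c.amount), "transfer failed");
        }
        _record(token, batch);                   // last group recorded after its payouts
    }

    /// FIXED: check and record per claim, and do it before the transfer
    /// (checks-effects-interactions), so the input structure no longer matters.
    function claimFixed(Claim[] calldata claims) external {
        for (uint256 i = 0; i < claims.length; i++) {
            Claim calldata c = claims[i];
            IERC20 token = tokens[c.tokenIndex];
            require(_verify(c, msg.sender), "bad proof");
            _record(token, c.batchNumber);       // reverts on a repeated claim
            require(token.transfer(msg.sender, c.amount), "transfer failed");
        }
    }

    function _record(IERC20 token, uint256 batch) private {
        require(!claimed[token][batch][msg.sender], "already claimed");
        claimed[token][batch][msg.sender] = true;
    }

    /// Standard sorted-pair Merkle proof check against roots[token][batch].
    function _verify(Claim calldata c, address claimer) private view returns (bool) {
        bytes32 node = keccak256(abi.encode(claimer, c.amount));
        for (uint256 i = 0; i < c.proof.length; i++) {
            bytes32 p = c.proof[i];
            node = node < p ? keccak256(abi.encodePacked(node, p))
                            : keccak256(abi.encodePacked(p, node));
        }
        return node == roots[tokens[c.tokenIndex]][c.batchNumber];
    }
}
```

The fix does not need to understand how callers build `inputClaims`; the invariant "one payout per (token, batch, claimer)" is enforced at the only place it can be, immediately before each payout.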
Toby
Toby@32bits_Toby·
@philbugcatcher Bad debt and collateralization is always an interesting topic to talk about haha
0
0
3
28
pashov
pashov@pashov·
🚨DeFi project Blend (Stellar blockchain) was exploited for $10.5M+ yesterday. Root cause - price manipulation of a virtually zero liquidity asset. Attacker inflated USTRY price 100x, price oracle reported collateral as 100x more valuable, so attacker borrowed >$10M and ran away.
37
66
577
60.1K
Toby
Toby@32bits_Toby·
@pashov “and ran away” 😂😂😂
0
0
1
281
Toby
Toby@32bits_Toby·
@bosmadev Hey Dennis, that’s exactly why I picked it up haha. Feels like the missing piece. I’m currently on challenge 5, the merkle tree one!
0
0
0
8
Toby
Toby@32bits_Toby·
Got caught up with some irl stuff and forgot to share my Damn Vulnerable DeFi progress. Just wrapped up Challenge 4 - Side Entrance (easiest so far, solved it and got the test set up under an hour). The pool relied on actual balance to enforce flash loan repayment, but internal balances mapping was treated separately. By repaying the flash loan through deposit() the contract credited the borrower internally while still satisfying the balance check. Flow was simple:
>> flashLoan -> execute -> deposit -> withdraw
This allows an adversary to completely drain the pool. Internal accounting ≠ actual ownership. Always align both.
1
2
8
349
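The "actual balance vs. internal accounting" mismatch from the post above, shown as a vulnerable pool next to a hardened one. This is an added example, not the Damn Vulnerable DeFi pool; contract names, the `IFlashLoanReceiver.execute()` callback, and the `totalDeposits` bookkeeping are assumptions made for the example. The fix does two things the post's lesson calls for: it judges repayment on free balance (ETH held minus ETH owed to depositors) rather than on the raw balance, and it refuses accounting changes while a loan is in flight.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Assumed borrower callback: the pool sends `amount` of ETH along with the call.
interface IFlashLoanReceiver {
    function execute() external payable;
}

/// VULNERABLE: repayment is judged on address(this).balance alone. Repaying
/// through deposit() restores the balance *and* credits balances[borrower],
/// so the pool ends up owing more ETH than it holds.
contract SideEntrancePool {
    mapping(address => uint256) public balances;

    function deposit() external payable { balances[msg.sender] += msg.value; }

    function withdraw() external {
        uint256 amount = balances[msg.sender];
        balances[msg.sender] = 0;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }

    function flashLoan(uint256 amount) external {
        uint256 before = address(this).balance;
        IFlashLoanReceiver(msg.sender).execute{value: amount}();
        require(address(this).balance >= before, "not repaid"); // blind to balances[]
    }
}

/// HARDENED: compare free balance, and block deposit/withdraw/flashLoan
/// re-entry while a loan is outstanding.
contract SideEntrancePoolFixed {
    mapping(address => uint256) public balances;
    uint256 public totalDeposits;   // sum of balances[]; ETH the pool owes
    bool private inFlashLoan;

    modifier noLoanInFlight() { require(!inFlashLoan, "loan in flight"); _; }

    /// Repayment arrives as a plain ETH transfer; it is credited to nobody.
    receive() external payable {}

    function deposit() external payable noLoanInFlight {
        balances[msg.sender] += msg.value;
        totalDeposits += msg.value;
    }

    function withdraw() external noLoanInFlight {
        uint256 amount = balances[msg.sender];
        balances[msg.sender] = 0;
        totalDeposits -= amount;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }

    /// ETH not owed to any depositor. Reverts (underflow) if the invariant
    /// "balance >= totalDeposits" is ever broken, which is the loud failure we want.
    function freeBalance() public view returns (uint256) {
        return address(this).balance - totalDeposits;
    }

    function flashLoan(uint256 amount) external noLoanInFlight {
        uint256 before = freeBalance();
        inFlashLoan = true;
        IFlashLoanReceiver(msg.sender).execute{value: amount}();
        inFlashLoan = false;
        // A deposit during the loan would raise totalDeposits by the same amount it
        // raises the balance, leaving freeBalance() short; the mutex already stops it.
        require(freeBalance() >= before, "not repaid");
    }
}
```

Either guard alone closes the described flow; keeping both means the free-balance check still holds if a future change relaxes the mutex, because the check is expressed in terms of what the pool actually owns rather than what it merely holds.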
Zurab Anchabadze
Zurab Anchabadze@anchabadze·
Exactly one year since the moment I received my first payout from public contests. It was a great year. I studied web3 security and participated in audits every day. My professional level increased many times over. Dozens of H/M vulnerabilities found, thousands of dollars earned, and 3rd place in a contest. Never compare yourself to others. Your only real competition is yesterday’s version of you.
Consistency is the key
There is no plan B
Success is inevitable
#RoadToWeb3SecurityJobChallenge
Zurab Anchabadze@anchabadze

Got my first web3 security audit payout! Of course it's not much, but it's just a start! Thanks to @PatrickAlphaC and @CyfrinUpdraft for the knowledge they gave, and @code4rena for the opportunity. More to come!

19
3
172
7.5K
Toby
Toby@32bits_Toby·
Finally had time to solve Challenge 3 of Damn Vulnerable DeFi. It reinforced something critical about ERC20s: Ownership ≠ Control. You don’t need to hold tokens to move them, you just need approval.
0
1
5
112
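The "Ownership ≠ Control" point from the post above in concrete form, as an added example (not the challenge's token or any library's code). A minimal ERC20 core shows that `transferFrom` is gated only on the holder's allowance for `msg.sender`, never on what `msg.sender` holds; a second contract that owns nothing can move a holder's tokens the moment it is approved. Contract names, `Puller.canMove` and `Puller.pull` are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Minimal ERC20 core (added example). transferFrom moves tokens out of `from`
/// based on what `from` approved for msg.sender, not on msg.sender's own balance.
contract MinimalToken {
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;
    uint256 public totalSupply;

    constructor(uint256 supply) {
        balanceOf[msg.sender] = supply;
        totalSupply = supply;
    }

    function approve(address spender, uint256 amount) external returns (bool) {
        allowance[msg.sender][spender] = amount;
        return true;
    }

    function transfer(address to, uint256 amount) external returns (bool) {
        _move(msg.sender, to, amount);
        return true;
    }

    function transferFrom(address from, address to, uint256 amount) external returns (bool) {
        uint256 allowed = allowance[from][msg.sender];
        require(allowed >= amount, "insufficient allowance"); // the only gate on control
        if (allowed != type(uint256).max) {
            allowance[from][msg.sender] = allowed - amount;   // spend the allowance
        }
        _move(from, to, amount);
        return true;
    }

    function _move(address from, address to, uint256 amount) private {
        require(balanceOf[from] >= amount, "insufficient balance");
        balanceOf[from] -= amount;
        balanceOf[to] += amount;
    }
}

/// A contract that holds no tokens of its own but can move a holder's tokens
/// once, and only while, that holder has approved it.
contract Puller {
    /// Who may move `amount` of `holder`'s tokens: the holder, or any `who` with
    /// a sufficient allowance. Holding tokens yourself is irrelevant.
    function canMove(MinimalToken token, address holder, address who, uint256 amount)
        external view returns (bool)
    {
        if (token.balanceOf(holder) < amount) return false;
        return who == holder || token.allowance(holder, who) >= amount;
    }

    /// Pull exactly `amount` from `holder` into this contract. Succeeds purely on
    /// the strength of holder's approval for address(this).
    function pull(MinimalToken token, address holder, uint256 amount) external {
        require(token.transferFrom(holder, address(this), amount), "pull failed");
    }
}
```

The defensive reading of the same code: an allowance is a standing grant of control, so a holder should approve the exact amount a specific spender needs for a specific action and treat any code path that can make a contract call `approve` on its own behalf as equivalent to that contract handing its balance away.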
Toby
Toby@32bits_Toby·
just wrapped up a contest and jumped straight into Damn Vulnerable DeFi. solved challenge 1 (unstoppable vault) in ~30 minutes. on to the next!
0
1
18
767
Toby
Toby@32bits_Toby·
not proud of my contest results lately -- taking a step back to recalibrate. after some honest introspection, I realized the gap isn’t theoretical exposure, but mechanical intuition -> the ability to reason about and violate systems beyond "missing access control". starting by working through all 18 Damn Vulnerable DeFi challenges. excited for what comes next!
0
1
9
218
olawale folarin
olawale folarin@chilling_44676·
@adumetaj123 @ChuksEricE How do you ascribe this to poverty? How? Poverty is you scooping petrol from a falling tanker. That is madness and nothing close to poverty. Madness, greed, stupidity, everything and not poverty
3
0
6
573
CHUKS 🍥
CHUKS 🍥@ChuksEricE·
Happening now: A tanker has overturned at Tincan Liverpool Bridge, Apapa, as residents rush to scoop its contents from beneath the bridge🙆🤯
1.3K
519
1.7K
578.1K
0xfirefist
0xfirefist@0xFireFist·
Have you ever felt like you understand each contract, but you can't make the bigger picture? You can't see where the money flows, or you don't understand the whole purpose of this protocol? Worry not, here is a prompt that will help you build a mental map of the whole protocol in your head so you can remember it easily. Hope it helps🫡

```
Help me build a complete mental map of this protocol so I can visualize it end-to-end.
Do NOT explain contracts in isolation. Explain the protocol in terms of flows.

Structure the explanation as follows:

1. Actors:
- Who are the main actors? (users, admins, keepers, bots, external protocols)
- What each actor is trying to achieve

2. Primary user flows (money-first):
- Describe the main things a user can do, in chronological order
- For each flow, follow the user’s funds step by step:
  - Where the money starts
  - Which contracts it passes through
  - Where it ends up
  - Who controls it at each step

3. Contract orchestration:
- For each flow, list which contracts participate
- Describe each contract’s role using one sentence only
- Emphasize *why* the contract exists in the flow

4. State progression:
- What high-level protocol state changes as flows execute?
- How the protocol moves from “before user action” to “after user action”

5. External integrations:
- Identify all external systems (DEXs, oracles, automation, bridges, ERC standards)
- Explain:
  - Why the protocol depends on them
  - When they are invoked
  - What assumptions are made about them

6. Full protocol walkthrough:
- Narrate a complete, realistic scenario:
  - User enters the protocol
  - Uses its core functionality
  - Money moves
  - External systems interact
  - Protocol reaches a stable end state

Focus on helping me *run the protocol in my head* with my eyes closed.
```
12
13
151
8.9K
Toby retweeted
DoinQz
DoinQz@AdamuJrda1st·
really wish I could write like this. lowkey jealous of people who can articulate their thoughts this cleanly and deeply. biggest takeaway for me wasn’t “having multiple interests” it was that learning without a vessel is just dressed-up procrastination. curiosity on its own doesn’t move your life forward if it never turns into output. having many interests isn’t the issue. not building anything with them is. the idea of a vessel really hit: a way to channel curiosity → understanding → creation → leverage. research in public. think in public. write in public. not to perform, but to compound. we really are in a second renaissance where tools are cheap, distribution is free, knowledge is everywhere. the real edge now is synthesis which means basically connecting dots others don’t and turning that into something useful. also loved the reminder that brand isn’t aesthetics, it’s accumulated thought. people don’t follow profiles, they follow worldviews, need to do more of that fr. still learning how to express my thoughts better, but pieces like this remind me that clarity comes from reps, not waiting to feel “ready.” great read man ❤️👐
DAN KOE@thedankoe

x.com/i/article/2010…

71
169
2.3K
353.8K
caiden
caiden@inboxfelon·
most people are pussies. they keep waiting for the "right time" to start. they're "preparing" and "researching" and "getting ready" while the years slip by. sartre nailed it - you're reserving yourself for later and then one day you wake up and realize later never comes. the teeth are gone. the window closed. you spent so long sharpening the axe that you forgot to swing it. i see this constantly. guys who've been "about to launch" for 3 years. founders who need "just one more feature" before they can ship. people who won't post content until their brand is "ready." ready for what? ready for who? nobody is coming to give you permission. nobody is going to tap you on the shoulder and say "ok now you're qualified." the market doesn't care about your preparation. it only cares about what you put in front of it. the difference between people who make it and people who don't isn't talent or intelligence or connections. it's the willingness to look stupid in public. to ship something embarrassing. to fail where people can see you. most people would rather protect their ego than build something real. they'd rather be a "future founder" forever than an actual founder who shipped something mid. but here's the thing - everything is mid at first. your first product will be bad. your first content will be cringe. your first sales calls will be awkward. that's the point. you're not supposed to be good yet. you're supposed to be in the arena getting punched in the face and learning. the guys winning right now aren't smarter than you. they just started earlier and failed more times. they have scar tissue you don't have because you've been on the sidelines "preparing." every day you spend waiting is a day someone dumber but more aggressive is taking your market share. the best time to start was 5 years ago. the second best time is today. not tomorrow. not next week. not when you finish that course or read that book or save that money. today. send the cold email. post the tweet. ship the landing page. make the call. you will be bad at it. you will feel like a fraud. you will get rejected and ignored and laughed at. good. that's the curriculum. that's how you earn the skills that actually matter. the people who "made it" aren't special. they just refused to stay on the sidelines. they bit into life with whatever teeth they had left instead of waiting for a perfect set that was never coming.
Natural Philosophy@Naturalphilosy

“I have led a toothless life. A toothless life. I have never bitten into anything. I was waiting. I was reserving myself for later on—and I have just noticed that my teeth have gone.” — Jean-Paul Sartre

54
506
4.5K
276.7K