Nikkk

11 posts


@eth_nik_dev

Smart Contract dev & security researcher

blockchain Joined April 2023
29 Following 1 Follower
Nikkk@eth_nik_dev·
@HatsFinance Thank you @HatsFinance, it is a pleasure to participate in your community and help secure the crypto space!
0
0
3
39
Nikkk@eth_nik_dev·
@delucinator The market is full of "auditing firms" which just run slither on the contracts and then give the project owners a pdf to show to the investors, or worse... I had audits mentioning snippets of code not in my codebase...
0
0
0
116
yieldfarming@delucinator·
and Certik did audit this, it's not like a swapped out frontend, Certik legit saw the contract allow infinite to some random ass address and gave it a pass
23
31
187
173.2K
yieldfarming@delucinator·
btw Merlin is a 100% rug. It approves uint256 max to feesto address (deployer), which let it get drained. LP tokens can be withdrawn but liq can't be removed for the same reason; there are no funds left in the pool. Source: @overnight_fi team member
24
40
264
132K
Nikkk@eth_nik_dev·
@creeddao Just joined, that was an interesting challenge :)
1
0
1
30
Nikkk@eth_nik_dev·
@PopPunkOnChain this is great, how would you handle picking a random winner with their probability of winning directly proportional to their ticket count? From their implementation they'd do raffle.participants[randomNumber]
0
0
0
12
Pop Punk@PopPunkOnChain·
In this new smart contract, I only made TWO changes:
1. Instead of using an array to track participants, I use a mapping of an address to an integer amount of tickets.
2. Instead of looping up to ticketCount, with these new changes, we can simply increment the value.
6/8
3
0
10
1K
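The post above replaces the per-ticket participants array with a mapping from address to ticket count, and the reply further up asks how a winner can then be drawn with probability proportional to ticket count. The contract below is an added example and is not Pop Punk's contract nor the one from the thread: it keeps the mapping, records one running ticket total per purchase (not per ticket), and binary-searches that total to find the owner of a uniformly random ticket index. All names (WeightedRaffle, Entry, buy, pickWinner, randomWord, TICKET_PRICE) are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Illustrative raffle: storage grows by one entry per purchase, not per ticket,
/// and the winner is drawn in O(log n) weighted by tickets bought.
contract WeightedRaffle {
    struct Entry {
        address buyer;
        uint256 cumulative; // tickets sold up to and including this purchase
    }

    Entry[] private entries;
    mapping(address => uint256) public ticketsOf; // the mapping from the post
    uint256 public ticketCount;
    uint256 public constant TICKET_PRICE = 0.01 ether;

    function buy(uint256 amount) external payable {
        require(amount > 0 && msg.value == amount * TICKET_PRICE, "bad payment");
        ticketsOf[msg.sender] += amount;
        ticketCount += amount;
        // One push per purchase; buying 250 tickets costs the same storage as buying 1.
        entries.push(Entry(msg.sender, ticketCount));
    }

    /// randomWord must come from a verifiable source (e.g. a VRF callback) and this
    /// function would be restricted to that caller in a real deployment; it is left
    /// open here so the selection logic can be exercised directly.
    function pickWinner(uint256 randomWord) external view returns (address) {
        require(ticketCount > 0, "no tickets");
        uint256 target = randomWord % ticketCount; // 0-based index of the winning ticket

        // Entry i owns ticket indices [entries[i-1].cumulative, entries[i].cumulative).
        // Find the first entry whose cumulative total exceeds target.
        uint256 lo = 0;
        uint256 hi = entries.length - 1;
        while (lo < hi) {
            uint256 mid = (lo + hi) / 2;
            if (entries[mid].cumulative > target) {
                hi = mid;
            } else {
                lo = mid + 1;
            }
        }
        return entries[lo].buyer;
    }
}
```

A buyer who purchases several times gets several entries, which is fine: the ticket index ranges still add up to exactly their total ticket count, so their chance of winning stays proportional to it. The search always terminates because the last entry's cumulative total equals ticketCount, which is strictly greater than target.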
Pop Punk@PopPunkOnChain·
⛽ How NOT to write a Raffle Smart Contract ⛽ This collection's new raffle contract is doing ONE small thing so incredibly wrong that it's costing their users ✨250✨ times more than it should be. Come one, come all! Step right up and put on your gas mask and get ready! 1/8
6
12
77
15.2K
Nikkk@eth_nik_dev·
@emilianobonassi I like the idea, but I see a potential Arbitrary Code Execution when calling revokeERC20 with the address of a malicious token contract. Would there be a way to ensure that wouldn't happen in a trustless manner?
0
0
0
5
Emiliano Bonassi@emilianobonassi·
2/ This plugin, when enabled in your safe, grants to a 'revoker' the right (only that) to revoke permissions to any token (ERC20, ERC721, ERC1155). You manage the list of 'revokers'. It may be your hot wallet on mob, a trusted 3rd party, a web2 account github.com/emilianobonass…
3
0
7
962
Emiliano Bonassi@emilianobonassi·
how many times you were out and an exploit occurs w/o access to your hw wallet? 🫠 account abstraction fixes this ✅ welcome 🔏 Revoke .@safe Module 🧯 github.com/emilianobonass… delegate your hot wallet or a 3rd party to revoke permissions on your behalf a 🧵
5
18
134
33.6K
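The reply further up worries that revokeERC20 called with a malicious token address executes attacker code. The module below is an added, hypothetical revoke-only Safe module, not the module from the thread above, written to show the two properties a reviewer would check for that concern: the module builds the approve(spender, 0) calldata itself (the revoker never supplies arbitrary calldata), and it always uses Operation.Call with zero value, never DelegateCall, so a malicious token runs in its own storage context rather than the Safe's. The ISafe interface and Operation enum mirror the signature of Safe's ModuleManager.execTransactionFromModule; the contract name, RevokeOnlyModule, and its functions are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Mirrors Safe's Enum.Operation (ABI-encoded as uint8) and the module entry point.
enum Operation { Call, DelegateCall }

interface ISafe {
    function execTransactionFromModule(
        address to,
        uint256 value,
        bytes calldata data,
        Operation operation
    ) external returns (bool success);
}

interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
}

/// Hypothetical module: a revoker can only make the Safe set an ERC20 allowance to zero.
contract RevokeOnlyModule {
    ISafe public immutable safe;
    mapping(address => bool) public isRevoker;

    event Revoked(address indexed token, address indexed spender, address indexed by);

    modifier onlySafe() {
        require(msg.sender == address(safe), "not the safe");
        _;
    }

    constructor(ISafe _safe) {
        safe = _safe;
    }

    /// Only the Safe itself (its owners, via a normal Safe transaction) manages revokers.
    function setRevoker(address who, bool allowed) external onlySafe {
        isRevoker[who] = allowed;
    }

    function revokeERC20(IERC20 token, address spender) external {
        require(isRevoker[msg.sender], "not a revoker");

        // Calldata is fixed by the module: selector approve(address,uint256), amount 0.
        // The revoker chooses only which token and which spender.
        bytes memory data = abi.encodeWithSelector(IERC20.approve.selector, spender, 0);

        // value 0 and Operation.Call: the token executes in its own context with
        // msg.sender == safe; no delegatecall into the Safe's storage is possible.
        bool ok = safe.execTransactionFromModule(address(token), 0, data, Operation.Call);
        require(ok, "revoke failed");

        emit Revoked(address(token), spender, msg.sender);
    }
}
```

What remains is the same exposure the Safe already has toward any token it interacts with: the callee sees a call from the Safe and can reenter only through paths the Safe exposes anyway. If even that is unwanted, the Safe can maintain an allowlist of token addresses in the module and reject any other target, at the cost of having to register tokens before they can be revoked.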
Arz@0xArzzz·
@moopidoopi Most people use bools because they don't even know what SSTORE is, but uints are much better imo and you can save a lot of gas (~17k). False -> True uses the 0 to non-zero SSTORE operation; uints use non-zero to non-zero SSTORE (cheaper).
2
0
3
156
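The SSTORE point above, as an added example (not Arz's code): the same mutual-exclusion lock written once with a bool and once with a uint256 that is initialised to 1 so the slot is never zero after deployment. The gas figures in the comments are the post-Berlin/London values (EIP-2929 access costs, EIP-3529 refund cap); contract and function names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Bool flag: every entry writes the slot from 0 to 1.
contract BoolLock {
    bool private locked; // slot holds 0 between calls

    modifier nonReentrant() {
        require(!locked, "reentrant");
        // 0 -> non-zero SSTORE: 20,000 gas (22,100 on a cold slot).
        locked = true;
        _;
        // non-zero -> 0: cheap write plus a refund, but the refund is only paid at the
        // end of the transaction and is capped at one fifth of the gas used, so the
        // 20,000 is still charged up front on every call.
        locked = false;
    }

    function doWork() external nonReentrant {
        // protected body
    }
}

/// uint256 flag held at 1 or 2: the slot is always non-zero once deployed.
contract UintLock {
    uint256 private constant NOT_ENTERED = 1;
    uint256 private constant ENTERED = 2;
    uint256 private status = NOT_ENTERED; // paid once, at deployment

    modifier nonReentrant() {
        require(status == NOT_ENTERED, "reentrant");
        // non-zero -> non-zero SSTORE: 2,900 gas (5,000 on a cold slot),
        // roughly 17,100 less than the bool version's first write.
        status = ENTERED;
        _;
        status = NOT_ENTERED; // back to the slot's original value, still non-zero
    }

    function doWork() external nonReentrant {
        // protected body
    }
}
```

The difference between the two first writes (20,000 versus 2,900) is the ~17k the post refers to; it is the reason OpenZeppelin's ReentrancyGuard stores its status as 1 and 2 rather than false and true.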
Nikkk@eth_nik_dev·
@pcaversaccio @samczsun if a public zk-proof of an exploit is given then you raise attention on the contract, and it basically becomes like a CTF; it's likely that someone else might find a solution and behave badly
0
0
1
16
Nikkk@eth_nik_dev·
@pcaversaccio @samczsun The "zk proof-of-attack" is a concept I'd love to see evolve, but if a contact with the owners of the project is difficult, especially if the exploit is fairly simple, I think white-hacking is the best way to go
1
0
1
20
samczsun@samczsun·
thought experiment: how do you responsibly disclose a bug in a smart contract that was either a) deployed anonymously and has no known/reachable devs, b) deployed non-anonymously but is immutable and the devs have explicitly stepped back to maintain an arm's length relationship
46
19
181
77.1K
Nikkk@eth_nik_dev·
emit Tweet("Hello world!")
0
1
2
51