Founder, @guardianaudits. $10,000,000,000+ Protected. Host: Permissionless Podcast.
May 29, 2023 • 22 tweets • 5 min read
Is this the END of metamorphic contracts!?
What is EIP-6780 and what does it mean for metamorphic contracts? 🤔
Let's find out in a few seconds. 🧵
1️⃣ How are contracts metamorphic
Smart contracts are supposed to be immutable, right? ... right?
Well, not with the use of the SELFDESTRUCT opcode.
Apr 2, 2023 • 45 tweets • 7 min read
1/43
How I went from charging just $50 down to $50,000+ per Smart Contract audit.
The ultimate guide to "making it" as a Smart Contract auditor so you can do it too.👇 🧵
⚠️ If you prefer video content, get this full guide in video form here:
Mar 26, 2023 • 30 tweets • 7 min read
As you progress in your journey as a smart contract auditor it's vital to have a deep understanding of DeFi primitives.
Perhaps the most important of these is the AMM (automated-market-maker).
Here's the ultimate guide to the AMM just for you 👇 🧵
There are many kinds of AMMs:
• Constant Mean
• Constant Sum
• Hybrid Function
• Dynamic Automated
But today, we'll deep dive into the most commonly adopted model, the Constant Product AMM.
Mar 5, 2023 • 21 tweets • 5 min read
Just getting into Web3 Security & don't know how to start?
Here's a complete 4-step process to become a pro Smart Contract Auditor as quickly as possible 🧵
1️⃣ Start Off By Building Something
2️⃣ Learn DeFi Primitives
3️⃣ Deep Dive Web3 Security
4️⃣ Build Your Personal Brand
🚨 Skip to the end for some high-impact resources on Web3 Security!
Let's explore each step in detail 👇
Mar 4, 2023 • 11 tweets • 3 min read
An organized repeatable auditing system in 60 seconds 🧵
1️⃣ Audit Tags
Be on the lookout for common attack vectors as you do a more granular walk through the codebase.
As you're pulling on a specific thread, stay laser-focused and leave @audit tags for things you notice & want to come back to.
Feb 23, 2023 • 7 tweets • 1 min read
🧵 The Design of GMX V2 Explained Simply
Let's dive in 👇
1️⃣ Markets
Traders trade on an index token for a solitary market.
Each market has a backing short token and a backing long token.
Feb 21, 2023 • 10 tweets • 2 min read
Sometimes it can be hard to figure out exactly where to begin with a Smart Contract audit, especially if the codebase is large.
Here's how I deal with the initial stage of an audit & what I believe to be the optimal way to begin your audit👇 🧵
1️⃣ Leverage Prior Research & Context
Enumerate all of the different features & use-cases for the smart contract system.
Jan 28, 2023 • 17 tweets • 3 min read
These 🔟 things will make you a 🔟x auditor, a 🧵
0️⃣ Use tools!
Security tools will drastically decrease your false-negative rate and help you catch things that manual analysis rarely uncovers.
🤯 The clearest, most comprehensive thread on signature malleability of all time!
It’s a hefty claim, I know.
But if you give me the chance, I will not disappoint. ✊
🎩🔮 Allow me to demystify this age-old attack 💫
Let’s hop in 👇
0️⃣ Let’s set some ground rules:
Any tweet that starts off with 🔴 contains in-depth mathematics that is not necessary to understand the attack from a high level.
This info will be useful to understand the inner workings of the concept.
Jan 26, 2023 • 26 tweets • 5 min read
⚠️ Over the past 48 hours I’ve explored a novel gas griefing attack that was previously undocumented ⚠️
In this 🧵 we’ll cover the current idea of gas griefing and then explore this new (IMO more fitting) "gas griefing" exploit.
Strap in! ⛽ 💨
Let’s first start by breaking down the classic idea of "gas griefing".
Then I’ll explain why I believe this new exploit is a better fit for the name.
Jan 20, 2023 • 29 tweets • 2 min read
28 ways to miss vulnerabilities in an audit 🧵
1. Don’t examine every external call for reentrancy
Jan 20, 2023 • 13 tweets • 3 min read
`.send`, `.transfer`, and `.call`⁉️
Why are there so many functions to simply call another contract?
In this 🧵 I break down the difference between the three and some brief history.
Let's hop in 👇
TLDR:
`send` - 2300 gas, returns bool
`transfer` - 2300 gas, reverts
`call` - No hard gas limit (unless supplied), returns bool and bytes data
Jan 18, 2023 • 24 tweets • 4 min read
Reentrancy attacks are among the most common exploits I see out in the wild.
They come in many forms, some more hidden than others.
I’ve compiled everything I’ve learned about Reentrancy into a 🧵 for you 👇
Ah yes, the Reentrancy attack, web3’s version of the SQL injection.
It all starts with an external call.
Whether that’s seen as a `.call()` in the contract or if it’s an arbitrary function call on an external address.
Jan 17, 2023 • 18 tweets • 3 min read
A few aspiring auditors asked me how to break into actually doing audits after mastering the basics.
I've compiled everything I know to help anyone trying to become a solo auditor👇
"The 6 most important things you need to do to consistently land high-paying solo audits."
🧵
1. You must use your network.
In the beginning, it’s all you have. If it isn’t strong, you need to start here.
Get into discords, make connections on Twitter, reach out to project leads and just introduce yourself.
Jan 15, 2023 • 20 tweets • 3 min read
An aspiring auditor recently asked me about my approach to manual analysis.
I thought I'd make a thread out of my response 👇
🧵
• I like to do an initial high-level read-through, to get an idea of how all the contracts/functions work together
• Then I go over the important bits line by line and build a mental model of the system’s core functionality
Jan 11, 2023 • 19 tweets • 3 min read
I’ve spent the past year+ auditing smart contracts for yield-bearing NFTs, naming registries, betting platforms, perpetuals/swap exchanges, optimizer vaults, + others.
I thought I’d share the 9 “code-smells” I picked up that, more often than not, lead to vulnerabilities.
🧵
1. Obviously, any external calls should raise alarm bells – but rather than looking for a simple reentrancy into the same function, consider attacks that reenter into other functions, perhaps even into other contracts.