Albahaca (@bytes032.xyz)
Security @RenascenceLabs | Connecting you with auditors/audit firms for free @FindAudit
Nov 27, 2023 14 tweets 5 min read
Last 12 months for me:

➜ 0 to ~$310,000 in revenue
➜ 0 to ~14,000 followers
➜ 0 to ~12M impressions
➜ 0 to ~1000 newsletter subscribers
➜ 0 to ~5000 monthly visitors on my website

Now, here are the 8 steps that made it all happen:

1/ Create lots of noise through learning in public

Daily, I generated educational content about
1. Smart contract security.
2. How to become an auditor

I hit 1.7M impressions with < 1000 followers
Jun 18, 2023 20 tweets 4 min read
The best book I've read this year:

Economics and Math of Token Engineering and DeFi

It has more insights on tokenomics/DeFi than any book I've ever read.

Here are 70 questions that will change the way you think about tokenomics forever: 🧵

General

1. What tokens are utilized by the project?

2. If multiple tokens exist, what's the reason?

3. What's the market capitalization of the token?

4. How many tokens are currently in circulation?
Jun 14, 2023 10 tweets 4 min read
Querying contract variables through @etherscan is tough and impractical.

evm.storage just revolutionized smart contract storage queries, for techies & non-techies alike.

By the end of this thread, Etherscan storage queries will be history 🧵

Let's take a look at USDC.

The first thing that catches our eye?

A helpful tooltip informing us that this contract is a proxy.

But wait, what's a proxy contract, you ask?
evm.storage/eth/17464217/0…
Jun 11, 2023 7 tweets 3 min read
In Jan 2023, I earned from auditing $0.75.

Five months later:

$52,500 banked for the month
-------------------------------
1. ~42.5k from solo audits
2. 10k from contests
3. Five solo audits for a month
--------------------------------

Here are my 4 dead-simple principles:

Step 1: Build a presence

In December, I committed to “Learning in Public”

My 2 goals were simple:

1. Educate myself so I become an auditor
2. Build a presence in the space

By the end of January, I earned 1.7M impressions and generated ~2500 followers.
Jun 7, 2023 17 tweets 5 min read
@chainlink's contest in @code4rena has some fancy bitmap manipulation that would probably take hours for a newb to comprehend.

So, I've decided to prepare a quick masterclass for you 🧵

These two functions are manipulating a bitmap.

A bitmap in this context is a 128-bit integer that is treated as an array of 128 boolean (true/false) values.

Each bit in the integer represents a different flag, and it can either be "on" (1) or "off" (0).
May 31, 2023 9 tweets 2 min read
Being a procrastinator doesn't go well with working alone as an auditor.

I can easily lose myself in unrelated stuff and get distracted. So, I figured, why not start planning my time effectively?

Let me show you how I do it: 🧵

1. Dividing my time

I split my time into two parts: "online" and "offline" blocks.

The cool thing about the online block is I can take breaks to check out social media, have chats or do some browsing. This block runs from 11 AM to 8 PM.
May 29, 2023 9 tweets 2 min read
When I first dove into solo audits, I was a hot mess.

But then, I made a guide I swear by.

Here's the 3-step plan that's nabbed a critical bug in my last 5 audits. 🧵👇

Step 1: I only tackle X nSLOC a day.

Some folks scan the whole system first, but I flip that script.

I take it slow, focusing on a section daily, like a group of contracts or even a single contract if it's big enough.
May 25, 2023 6 tweets 2 min read
So, let's keep it real.

I nailed my first solo high and crushed at least two solo audits every month.

But hey, no shame in admitting my smart contract security skills can level up big time.

Here are my next three steps for becoming an advanced researcher. 🧵

I'm diving into the previous Secureum races, but with a twist!

Gonna convert Solidity contracts to IR/Yul using

$ forge inspect <contract> ir

Then solve the races using Yul output.

Let's see if I can conquer 'em!
May 24, 2023 6 tweets 3 min read
When I started the @Web3SecurityDAO I didn't expect it to explode to that level.

I thought I would chat with 20-30 like-minded folks about stuff that intrigues me.

Right now, it has over 1700 members.

Today, @Web3SecurityDAO merges into @opensensepw

Here's why: 🧵

I made the community to help and to get helped.

Unfortunately, I don't have the time and mental power to give back, so I felt that I was letting down the community I've built.

@mis4nthr0pic has done an excellent job at what I wanted to do initially, so the move is natural.
May 24, 2023 6 tweets 3 min read
🔥 Get a FREE medium severity finding on ANY @code4rena or @sherlockdefi

This vulnerability stems from the fact that using block.timestamp for deadline could result in loss of funds for the user 🧵

If you want a long explanation why that can happen, check my article about it.

blog.bytes032.xyz/p/why-you-shou…

Otherwise, you might check that even Uniswap set a default deadline, if the user doesn't pick one. 👇
May 19, 2023 16 tweets 4 min read
Here's the 5-step framework I used to learn Solidity 6 months ago: 🧵

#1: A 32-hour course to get you started

This introductory course has become synonymous with the question, "How do I learn Solidity?"

Virtually everyone dipping their toes in the Solidity pool starts here.

No further introduction needed.
May 17, 2023 15 tweets 3 min read
6 months ago, I took a deep dive into security with a simple question:

“How do I get better at this?”

6 months later, I have a messy notepad full of notes, an entirely new way of seeing the space.

Here are 5 profound mistakes everyone should avoid if they want to save time 🧵

Mistake #1: Overstudying

I erroneously believed that the **ONLY** path to proficiency was through devouring countless roadmaps and religiously studying Secureum.
May 10, 2023 8 tweets 3 min read
Did you know you can use console.log to debug a deployed contract on a fork with Foundry? 🫢

Introducing vm.etch as your debugging solution in three simple steps 🧵

Let's assume we want to debug the deposit function of BlurPool.

1. Download the source code as a ZIP file from Etherscan.

etherscan.io/address/0x02ab…
May 4, 2023 7 tweets 3 min read
🔥 Get a FREE medium severity finding on ANY @code4rena or @sherlockdefi contest using Chainlink on L2!

This vulnerability stems from the potential for the sequencer to go offline, which could result in outdated and stale oracle data. 🧵

Optimistic rollup protocols transfer all execution from the Layer 1 (L1) Ethereum chain to a Layer 2 (L2) chain, perform the execution on the L2 chain, and then return the results to the L1 chain.
Mar 24, 2023 6 tweets 2 min read
Auditor tip 💡

When you encounter a function that accepts arrays as arguments, always check if there's a possibility of index out-of-bounds error. 🧵

For example, in this function the user submits two arrays (uint256[] agesX and uint256[] agesY) with the expectation that the indexes of the arrays correspond to the correct values in the other array, and that the lengths will be the same.
Mar 23, 2023 6 tweets 3 min read
Auditor tip 💡

Lack of slippage control vulnerabilities often arise in functions where you cannot set a minimum amount of tokens that the receiver will get, such as in swap, sell, or buy functions. If you're unfamiliar with the term "slippage", check out the glossary for more information.

bytes032.xyz/Notes/Glossary…
Mar 22, 2023 8 tweets 2 min read
🚨💰 CTF enthusiasts

Get ready for Damn Vulnerable Defi Challenge #2!

Can you drain the user's contract of all its ETH in a single transaction?

Let's dive into the exciting world of flash loans, ERC3156, and contract vulnerabilities. A detailed walkthrough awaits! 🧠🔍

If you want to read the full article, check it out here: bytes032.xyz/Notes/Naive+Re…

I will try to be a bit more concise in the thread.
Mar 14, 2023 10 tweets 2 min read
Here's my framework for auditing a contract that interacts with ERC20 tokens. 🧵

What would you add to the list?

☑️ Decimals: If it's a DeFi protocol, I confirm whether it supports tokens with decimals != 18, and if so, ensure that the platform can handle these tokens correctly.
Mar 11, 2023 7 tweets 3 min read
Looking to earn a backstage role on @code4rena? 🏆

To get that, you must find a high-severity bug; luckily, one of the most common can be found easily 🐞

Can you see what the issue is here?

github.com/code-423n4/202…

Let's dig in 👇

Before I dig into that particular finding, make sure to watch @SpearbitDAO's video for a more general explanation of the issue.
Mar 8, 2023 8 tweets 2 min read
💡 Audit tip

The current implementation of getEthPrice() lacks a freshness check, which could result in the use of stale prices. In the event of a rapid drop in the market price of the token (commonly known as "flash crashes"), if Chainlink's feed is not updated in a timely manner, the smart contract may continue to believe that the token is worth more than its actual market value.
Mar 2, 2023 18 tweets 5 min read
The MOST detailed write-up on the first challenge in Damn Vulnerable Defi v3 is out! 🧵

Additionally, I've replaced Hardhat with Foundry & explained all the external contracts.

Stay tuned for my solutions in Huff or Yul too!

Let's do this! 🚀

If you want to read the full article with all the details, check it out here: 👇
bytes032.xyz/Notes/Unstoppa…

In this thread, I'll try to keep things short and concise.