If you're a Web3 protocol in need of an affordable smart contract security audit or consultation, you're in the right place!
Here's the deal: If I don't find any High/Medium vulnerabilities, the audit is 100% free.
Book your audit today — Telegram: https://t.co/mUCi0cJFDJ
After 2 years and 500+ security audits, today is my last day as Head of Audits at @PashovAuditGrp .
Huge thanks to @pashov and the whole team for an incredible ride 🙏
I got to build something I'm genuinely proud of: a machine that automated our processes end to end, led every single audit, and coordinated hundreds of auditors and dozens of clients in parallel. A lot of audit firms never even hit that monthly volume - we did, and I don't remember it breaking once.
Now it's time for new horizons.
A bit about me and what I bring:
- Auditing DeFi since the early Code4rena days back in 2022
- Led the DeFi research team at @P2Pvalidator, specialized in on-chain data (I know this world inside out)
- 2 years as a hands-on auditor at @MixBytes on some of the biggest protocols out there - Aave, Curve, Yearn and more
- At @PashovAuditGrp: processes and management (big Lean fan - minimal necessary comms, transparent, data-driven) and AI - I built the stack of internal products and pipelines PAG runs on
(Plus a finance backbone - an economics and finance education toward investment banking and strategy consulting, 2 years of CFO-level financial management, and CFA exams.)
I'm a battle-tested. I ship projects, I'm good with people, I go deep on tech, can write code, manage team, and I can research literally anything. The harder and messier the problem, the more I want it.
So I'm open to new ideas and offers.
Got the hardest problem in the room? Send it.
DMs open
🚨Ethereum Developers: you can now install your first AI Auditor in 1 minute - fully autonomous, available 24/7, with multiple sub-agent helpers. Open Source.
FREE to use (with your AI model) and already finding vulnerabilities in smart contracts. Link below🫡
On hacks as a security company
Hacks are something that is bound to happen with time. We put all our efforts towards preventing them, and while we succeed many times, it sometimes happens.
We've now done around 350 security engagements in the span of 2 years, our talent is well proven, many are security contest champions. We use big teams, 3-4-5 security researchers. We truly try our best on each and every audit.
Still, this year we had our first hack. The Arcadia project - one that we have partnered with multiple times. We did that one audit for them, we got the right talent on it, we did our usual procedure. Found a couple of issues, and one Low severity one, which we decided isn't actualy impactful, turned to be a hidden Critical one which got exploited. Worst feeling ever. Good thing that the project's founders are hustlers and it's still going, keeping pace.
We've had a few more occasions in these 350 engagements - codebases we audited later had some changes added by the developers team, which didn't get reviewed, and they got exploited - for example the Sharwa project.
On another occassion, the Bunni project, one of the most promising ones, got exploited after doing multiple audits after the ones with us. The vulnerable code was added months after our audits. Still, it's a pain for everyone involved.
On other occasions we have done great smart contract security audits for projects which later got hacked through their front-end. Other times the team misconfigured the deployments (not reviewed).
It's such a complex space with a huge amount of moving parts - the deployment, the smart contracts, the front-end, the back-end, the private keys management, the role-based access control and so much more. Our aim is to make projects more secure than ever, for now our specialty lies in smart contract audits, which we do very well, but it's just not enough. We will be expanding.
In the end, hacks are just bound to happen. The biggest security companies in the web3 space have seen code they audited get exploited, even if they put their best efforts into it, clients gave them time and money etc. What we can do is get up, learn, improve and iterate.
While the stat of just a single smart contract security hack from 300+ audits is a good one (~99.7% success rate), based on historical data we can judge that if you are in security long enough and do enough audit engagements, you will see yourself responsible of more hacks. Scary thought, that we can handle only with bravery, action, smartness - what we do daily.
If you are still reading, you are probably in web3 security or part of the web3 builders community. Our message is to not give up, keep going, keep learning and improving. It's the desire that makes the difference. Let's make the space secure together🫡
Not every great session happens in a fancy office or co-working space.
7 PM, I drove to a quiet place, opened my Mac, and started breaking code.
Silence fuels momentum 🫡
@NuUopDaem You’ll get faster over time, just write the first test for the happy path scenario — then, you can easily copy and reuse parts of it for your exploits
Nothing helps you truly understand a codebase like writing tests for it from scratch.
I'm doing exactly that right now—for a 7,000 nSLOC protocol.
Wish me luck!
Rule #1: Don’t believe everything you see on X
Rule #2: Don’t believe *anything* you see on web3 security X
This place gets more stupid by the day with all these lies and marketing techniques.
@AayushJhaAudits Can’t share the reports publicly just yet — the audit is still in progress.
I followed the strategy shared by @EV_om in this thread: https://t.co/GhgspOMgTa
A few weeks ago I shared https://t.co/RQksQ9W1fA, an IDE with integrated LLM prompting. What I haven't shared publicly yet is the biggest use case I have for it: report writing.
Contests still suffer from large amounts of low-quality reports, most of which could have been improved 10x by throwing them at an LLM with a simple prompt. This needs to change, and we've got the tools to make it happen.
LLMs can't find bugs for you yet (be glad), but they are perfectly ripe to become a staple tool in the SR toolkit for report writing.
Today I'm sharing my reporting process, from lead to final report, as well as the prompt templates I've iterated on over the past months to produce reports that are:
- easy to generate: POC, impact and mitigation are often done for you
- easy to follow
- quite organic for LLM output
- good quality writing
Read on 🧵
Security auditing + LLMs = productivity cheat code.
Wrote reports for 34 issues (2 critical, 6 high, 10 medium, 16 low) in 4 hours.
That used to take a full day or more.
AI isn’t taking my job (yet...). It’s making me 3x faster at it.
@0xpinkman Yes, I did — but pretty simple examples, just using numbers to help understand the bug. ChatGPT struggles with that as it lacks proper context.
Use Cursor or Windursf instead.
Here's a great thread to follow by @0xEV_om:
https://t.co/GhgspOMgTa
A few weeks ago I shared https://t.co/RQksQ9W1fA, an IDE with integrated LLM prompting. What I haven't shared publicly yet is the biggest use case I have for it: report writing.
Contests still suffer from large amounts of low-quality reports, most of which could have been improved 10x by throwing them at an LLM with a simple prompt. This needs to change, and we've got the tools to make it happen.
LLMs can't find bugs for you yet (be glad), but they are perfectly ripe to become a staple tool in the SR toolkit for report writing.
Today I'm sharing my reporting process, from lead to final report, as well as the prompt templates I've iterated on over the past months to produce reports that are:
- easy to generate: POC, impact and mitigation are often done for you
- easy to follow
- quite organic for LLM output
- good quality writing
Read on 🧵
If you're a Web3 protocol in need of an affordable smart contract security audit or consultation, you're in the right place!
Here's the deal: If I don't find any High/Medium vulnerabilities, the audit is 100% free.
Book your audit today — Telegram: https://t.co/mUCi0cJFDJ
Today’s my birthday 🎉 — 23 now.
Been a year since I joined @PashovAuditGrp. I can say that it’s been one of the best years of my life.
35+ audits later and I still learn something new every time.
The process is simple: you find the bugs, you fix them, you study what you missed. REPEAT 🔁