DxDLabs

5 months ago

# Weekly Security Tip Series (Move/Sui) – DxDLabs Audit Kit Mỗi tuần mình sẽ post 1 tip ngắn về an toàn smart contract Move/Sui trên X (@Loki_Alcie) và repo này. Tip được thiết kế ngắn gọn, dễ áp dụng ngay cho dev/auditor. Tip #1: Capability – Không public borrow Luôn dùng ownership (AdminCap has key) hoặc &mut, không public borrow &AdminCap → tránh capability abuse. Xem: resources/move/safe/capability-safe.move Tip #2: Flash Loan – Destroy hot potato trong tx Flash loan Sui dùng hot potato object – phải destroy trong cùng tx, không drop/transfer ra ngoài → tránh leak storage. Xem: resources/move/safe/flash-loan-hot-potato-safe.move Tip #3: Oracle – Check staleness Luôn check timestamp + max_age cho price feed → tránh stale price manipulation. Xem: resources/move/safe/oracle-integration-safe.move Tip #4: Upgrade – Version guard bắt buộc Package upgrade phải assert new_version > current_version → tránh downgrade attack. Xem: resources/move/safe/package-upgrade-safe.move Tip #5: Kiosk – Enforce OwnerCap Listing/withdraw NFT phải dùng KioskOwnerCap → tránh unauthorized access. Xem: resources/move/safe/kiosk-pattern-safe.move Tip #6: BTCfi – Queue FIFO cho redeem Redemption queue phải FIFO strict (no reordering) → tránh front-running attack. Xem: resources/move/checklists/move-btcfi-edge-cases.md Tip #7: Object – Delete khi không cần Object không dùng nữa thì delete ngay → tránh storage bloat & DoS. Xem: resources/move/vulnerable/resource-leak.move (fix: object::delete) Tip #8: Shared Object – Version check Shared object update phải check version tăng dần → tránh race condition. Xem: resources/move/safe/shared-object-safe.move Tip #9: Dynamic Field – Check exists trước Khi add/borrow dynamic field, luôn check exists_ → tránh overwrite sai. Xem: resources/move/safe/dynamic-fields-safe.move Tip #10: Coin – Dùng built-in check Tránh custom balance → dùng Coin<T> & Balance<T> để tránh overflow/underflow. Xem: resources/move/safe/coin-management-safe.move Theo dõi repo/X (@Loki_Alcie) để nhận tip hàng tuần! Anh em có tip hay thì PR hoặc tag mình nhé! 💡🔒 #Sui #Move #Web3Security #SmartContractAudit #SuiVN

129

DxdLabs retweeted

about 1 month ago

Most “let’s rewrite the legacy monolith into microservices in 6 months” plans fail for the same reason: nobody has a mental model for trade-offs. I wrote a 6-step architecture design checklist you can literally print and pin to your desk: Start from ASRs (constraints + top 3 quality attributes), not from “we want microservices” Decide partitioning by domain, not just layers Use Architecture Quanta to decide if you actually need a distributed architecture Capture big choices as ADRs so you can defend past decisions with context Use Risk Storming + Fitness Functions (e.g. ArchUnit in CI/CD) so the code can’t silently drift away from the diagram Full breakdown here 👇 🔗 https://t.co/rkvwcubVav If you’re sitting on a growing monolith or being pressured into a big-bang microservices rewrite, this is for you.

DxdLabs retweeted

about 2 months ago

Multi-LoRA > model clones. 1 shared base LLM on GPU, 100+ tiny LoRA adapters per tenant. Millisecond context-switching, sane VRAM bill, and hard isolation to avoid cross-tenant leaks. Deep dive into the architecture we’re deploying at Dverse 👇 https://t.co/Ez8Uo99I3V #LLM #LoRA #MultiTenant #MLOps #AIInfrastructure #SaaS

🏆 Presented by @HOFLeague2K EST 2022 👑 SZN14 - https://t.co/xI4zvrvAGw

about 2 months ago

We just open-sourced the DXD Audit Kit — a public-good security engine for Sui Move smart contracts. What's inside: 31+ vulnerability entries (YAML, machine-readable, each with PoC test) Formal verification via Move Prover (Docker, one command) BVSS scoring CLI + web dashboard 4 real-world audit reports (BlueMove, BTCfi, NAVI...) One-click setup: ./one-click-audit.sh Built for builders, auditors, and contributors on Sui. If you're writing Move contracts — this is your free security reference. ⭐ Star it if you find it useful: https://t.co/uAiKY8Jsdp #Sui #MoveLanguage #SmartContractSecurity #Web3Security #OpenSource @SuiNetwork @SuiNetwork_VN @SuiNetwork_JP

Who to follow

DUNK League

@DUNKLeague2K

Bitbse Exchange

@bitbse

BITBSE is the INDIA'S Global Crypto Exchange. It has been developed with the latest and advanced technology. And its the safest exchange of india

💰

@0__Rodriguez1

GWS❤️ ❤️LLCB ❤️LLDame @llHendriana 🇩🇴 || TeacherBae🍎 Coach O

DxdLabs retweeted

about 2 months ago

Most teams still think “finetuning” is the magic button to make their LLM product production‑ready. In practice, that mindset is burning GPU budget for very little UX gain. Here’s what actually worked for us in Sprint 4 at Dverse/DXDLabs 👇 https://t.co/nYNet0UPJh

DxdLabs retweeted

about 2 months ago

Just shipped a new piece on the most underrated part of multi‑agent AI systems: the Router. Not the sexy LLM. The boring intent classifier that quietly decides which lane every query goes to – legal, generic, infra, or “hell no, this is out‑of‑scope”. When the Router is wrong, nothing else matters. You get: Legal queries routed to generic bots Compliance holes On‑call engineers debugging vibes at 2 AM So I wrote up how to treat the Router like a first‑class product: Hierarchical 2‑tier Router (domain → action), built on small finetuned models (Llama 7B / BERT‑class), not a giant general LLM Hard confidence thresholds + WAIT_FOR_APPROVAL for low‑certainty calls Full tracing + drift detection on queue distribution so you see failures before customers do Evaluation‑Driven Development: Golden Dataset, AI‑as‑a‑judge in CI/CD, 99% accuracy gate before anything ships Enum‑only outputs (LEGAL_QUEUE, GENERIC_QUEUE, INFRA_QUEUE, IRRELEVANT) enforced at the code boundary If you’re routing RWA, compliance, or high‑risk workflows, the Router is your risk surface. Full article here: https://t.co/fE8JPGaZWW

DxdLabs retweeted

2 months ago

Beyond basic RAG isn’t about fancier demos — it’s about systems that don’t melt down in production. GraphRAG, Agentic RAG, CoA, MCP, ethics & tool design, all in one deep dive 👇 https://t.co/JUR7hP98PY #AIEngineering #RAG #AIInfrastructure #MultiAgent #MCP

DxdLabs retweeted

3 months ago

Fundamentals of Software Architecture: An Engineering Approach — Day 1 The moment an engineer stops asking “does it run?” and starts asking “what’s the trade-off?” — that’s when they become an architect. Security vs UX. Monolith vs microservices. Cost vs scale. You don’t get all 4. Your job is to make the trade-offs explicit so your boss signs off on reality, not fantasy. Full Article: https://t.co/emTwlcN6MW #softwarearchitecture #systemdesign #softwareengineering #microservices #monolith #devleadership #techlead #startupbuilders

Loki_Alcie's tweet photo. Fundamentals of Software Architecture: An Engineering Approach — Day 1

The moment an engineer stops asking “does it run?”
and starts asking “what’s the trade-off?” — that’s when they become an architect.

Security vs UX. Monolith vs microservices. Cost vs scale.

You don’t get all 4.

Your job is to make the trade-offs explicit so your boss signs off on reality, not fantasy.

Full Article: https://t.co/emTwlcN6MW

#softwarearchitecture #systemdesign #softwareengineering #microservices #monolith #devleadership #techlead #startupbuilders

3 months ago

Submitted dxd-audit-kit-smartcontract vào awesome-sui list! Full toolkit audit Move/Sui: Custom rules capability/object misuse Vuln-db real Sui hacks + PoC Prover examples (agent spend limit, intent verify, Nautilus TEE) Scorecard auto-report Secure patterns library Fit Sui 2026 agentic roadmap. Dev Việt/SEA thử & contribute nhé! PR: https://t.co/sarpJtm32W Repo: https://t.co/uAiKY8Jsdp #Sui #MoveSecurity #Web3VN @SuiNetwork @Mysten_Labs

3 months ago

🚀 Deep integration incoming in dxd-audit-kit-smartcontract! Added:Unified CLI (Python/Rust wrapper) cho full workflow: lint → prove → vuln check → scorecard Extend Move Prover: Attested compute proofs cho Nautilus TEE (verifiable off-chain AI inference) ZK-intent verification examples (privacy-protected agent actions) Auto-generate reports: Scorecard link vuln-db + prover fixes (PDF/JSON) Secure agentic Sui với verifiable privacy! Try it & PR welcome 📷Repo: https://t.co/uAiKY8Jsdp #Sui #MoveSecurity #Nautilus #AIAgents #Web3VN @SuiNetwork @Mysten_Labs

3 months ago

New in dxd-audit-kit-smartcontract: Initial public audit demo for NAVI Protocol (Sui's top lending) Added:Project setup (clone navi-smart-contracts, sui move build) Key modules analysis (lending_core, flashloan, oracles) Summary of public audits + toolkit findings (prover invariants for collateral, oracle staleness flags) Helping secure Sui DeFi! Try & PR welcome Repo: https://t.co/uAiKY8Jsdp #Sui #MoveSecurity #AIAgents #SuiDevs #Web3VN @SuiNetwork @navi_protocol

3 months ago

@NickyBuffett Check your dm

3 months ago

AI agents on Sui đang hot Nhưng security thì sao? Vừa add 7 vulns agent-specific vào dxd-audit-kit: unauthorized tool calls rogue spends intent spoofing permission leaks... Với PoC + tests Sui-native! Từ static analysis → prover invariants cho guardrails. Dev Việt/SEA, thử toolkit & contribute để cùng secure agentic economy nhé! Repo: https://t.co/uAiKY8Jsdp #Sui #MoveSecurity #AIAgents #SuiVN @SuiNetwork @SuiNetwork_VN

3 months ago

@MrDariBoss Okay, I already d.m

3 months ago

🚨 SCAM ALERT: Received DM from @louislau_fund (Louis Bush) claiming affiliation with @Signum_Capital, praising our Sui/Move security work & proposing a "Sui Security Pack" sponsorship + paid reviews/office hours. Signum Capital has NO team member named Louis Bush/Lau (verified: https://t.co/wMxtEZXruV). This matches their repeated impersonation warnings (e.g., fake Ian Lee DMs). Do NOT reply, share contacts, or click any links/meetings. Report & stay safe, Sui builders! #CryptoScam #Web3Security #Sui #SignumCapital #Phishing

188

3 months ago

feat(prover-examples): Add AI-Agent Security Specs trong DxDLabs Audit Kit! - MSL specs prove agent invariants: spend <= policy.limit, intent_verified, aborts_if unauthorized_tool_call - Ví dụ: invariant agent.spend <= limit, ensures intent verified trước execute action - Guardrails cho AI agents/machine txns on-chain (Sui AI-Native Primitives 2026) - Fit Beep/Talus-like agents: prevent overspend, rogue tool calls, permission abuse Run `sui move prove` để verify agent bounded & verifiable – safer agentic economy! Thử examples mới trong repo, PR thêm spec agent welcome! 💪🤖 Repo: https://t.co/uAiKY8Jsdp #Sui #Move #MoveProver #AIAgents #Web3Security #SuiVN #AuditKit @SuiNetwork @Mysten_Labs @SuiNetwork_VN

3 months ago

feat(vuln-db): Update Sui vuln database với cross-chain exploits, race conditions & spoofing attacks! Thêm mới: - Cetus Spoof Token + Liquidity Overflow ($223M drain 2025) - Typus Oracle Authority Bypass ($3.44M arbitrary price manip) - Nemo Economic Logic Exploit ($2.4M cross-chain drain via bridge flaw) - Shared Object Race post-Mysticeti (parallel exec inconsistency) - Unaudited Lib Dependency Inheritance (supply chain risk từ math libs) Update cũ: Thêm loss metrics, clean description. Enhance https://t.co/73I3zH7qIY: Parse loss → sort by impact/date + gen JSON/MD summaries. Real data từ hacks 2025 để dev tự audit & tránh lặp lỗi. Repo càng ngày càng mạnh cho Sui DeFi/RWA. Thử pull & verify PoC, PR vuln mới hoặc feedback welcome! 💪🔍 Repo: https://t.co/uAiKY8Jsdp #Sui #Move #SuiDevs #Web3Security #DeFiExploit #MoveSecurity #Web3VN #AuditKit @SuiNetwork @Mysten_Labs @SuiNetwork_VN

4 months ago

Weekly Move/Sui Security Tip #11: Prove Invariant Balance Không Âm bằng Move Prover! Vuln: Balance âm do logic sai → free money/exploit. Best: Global invariant `forall addr: coin::value >= 0` để Prover verify mọi state. Code spec ngắn: spec module { invariant forall addr: address where exists<Coin<C>>(addr): coin::value(...) >= 0; } Run `sui move prove` → catch lỗi sớm! Link: prover-examples/lending_collateral.move trong dxd-audit-kit Anh em thử verify project lending của mình chưa? Tag nếu có case hay! 💧 #Sui #Move #MoveProver #Web3Security #SuiVN @SuiNetwork @Mysten_Labs @SuiNetwork_VN

4 months ago

feat(prover-examples): Ship Move Prover examples + CI checks trong DxDLabs Audit Kit! - Thêm folder prover-examples/ với formal verification cho DeFi modules: safe_transfer, no_double_spend, flash_loan_safe, lending_collateral, oracle_safe, liquidation_safe, oracle_deviation_safe (prove no double-spend, repayment enforced, over-collateral, oracle freshness...) - CI GitHub Actions auto-run `sui move prove` on PR – fail nếu spec không hold - Hướng dẫn setup chi tiết multilingual (VN/EN/CN) + troubleshooting (Z3/Boogie install Mac/Linux/Windows) - Thêm Prover.toml config + run_prover.sh script cho easy execution - Update main README reference examples & docs Lower barrier formal verification cho dev Sui Việt – prove code safe trước khi deploy, giảm risk hacks. Không flashy, nhưng giúp project DeFi/RWA bền vững hơn. Anh em thử setup & verify examples, PR thêm spec welcome! 💪🔍 Repo: https://t.co/uAiKY8IUnR #Sui #Move #SuiDevs #FormalVerification #MoveProver #Web3Security #Web3VN #AuditKit @SuiNetwork @Mysten_Labs @SuiNetwork_VN

4 months ago

feat(scorecard): Interactive Security Scorecard live trong DxDLabs Audit Kit! - BVSS-based calculator (Halborn-inspired) cho Move/Sui vuln: impact x likelihood + immutability adjust → score 0-10 + severity (Low-High-Critical) - Auto-parse vuln-db YAML để pre-fill findings - CLI Python: generate Markdown/HTML/PDF report với color matrix, alerts & fix recommendations - CI integration + visual risk matrix Từ checklist thô → professional audit scorecard chỉ vài lệnh. Giúp dev catch high-risk sớm, client nhận report đẹp pro. Try ngay, PR welcome! 💪 Repo: https://t.co/uAiKY8Jsdp #Sui #Move #SuiDevs #Web3Security #AuditKit #BlockchainSecurity #Web3VN @SuiNetwork @Mysten_Labs @SuiNetwork_VN