The future of DeFi in the UK shouldn't be decided without the people building it.
Today, we submit our response to the FCA's perimeter consultation.
Backed by 20+ founders, all pushing for rules that can give DeFi a home here.
We fight for the progress we need. 🦾🇬🇧
🆕 What We Built in Q1 2026 - And Why It Matters
Most #smartcontractsecurity updates read like patch notes. Here's ours framed around the problems these improvements actually solve.
⚡️ 140x Faster. Zero Quality Trade-Off.
Our scanning engine got a ground-up rebuild this quarter. Large repository scans - like Balancer - dropped from 12+ hours to under 5 minutes through deep algorithmic and memory optimisations.
The important part: detection quality didn't move. Every optimisation was validated against our full benchmark suite before shipping. Faster scans that miss vulnerabilities aren't faster scans; they're false confidence.
—
🪲 Cross-Contract Bugs Are No Longer Invisible
Most scanners work file-by-file. Real exploits don't.
Fidesium now supports multi-file scanning with full cross-contract flattening and deduplication. The scanner resolves import trees, traces taint across contract boundaries, and surfaces bugs that live in the interaction between contracts, the ones that actually get exploited in production.
—
⛓️ On-Chain Scanning Across 30+ EVM Chains
There's a gap between the code in your repository and the bytecode deployed on-chain. Fidesium now lets you register deployed contract addresses and scan the actual bytecode directly. No repo access needed. No assumptions about whether what shipped matches what was reviewed.
—
🆙 A #SolanaFuzzer That's 5x Faster Than Public Alternatives
We built a high-performance #Solana fuzzing harness, natively bridging CPI via LiteSVM onto native hardware. In benchmarks, it outperforms publicly available fuzzers by approximately 5x in both operations per second and memory efficiency.
Deeper fuzzing. Faster engagement spin-up. State spaces that were previously cost-prohibitive to test.
—
📃 90%+ Better Reentrancy Detection
We overhauled our reentrancy detector and validated it against the SmartBugs curated benchmark. It now handles cross-function reentrancy paths, self-call guard patterns, and pre-Solidity 0.6 syntax - the variants most automated tools miss entirely.
Across the board, we ran a systematic false positive reduction effort. Better cross-contract taint analysis, improved call graph resolution, and recognition for patterns that previously generated noise. The goal: findings your team acts on, not ones they dismiss.
—
The Bigger Picture
Every improvement this quarter reflects the same thesis: the future of #web3security isn't choosing between human expertise and automation. It's building infrastructure where they compound each other.
That's what we're building at Fidesium.
Full technical breakdown on the blog → https://t.co/GaNUsI7UWc
#Audits are signals.
Not systems.
A signal tells you: "This was secure at this point."
A system tells you: "This is still secure now."
Most teams confuse the two.
That's not a process problem.
It's a mental model problem.
#web3security
Humans and AI agents can accidentally commit sensitive artifacts.
Anthropic's Claude Code leak (512k+ lines via a forgotten npm source map) is just the latest example - one packaging error exposed agent architecture, memory patterns & unreleased features.
Last week at the @SimplicityWeb3 Group accelerator, one thing stood out:
Founders are asking better questions.
Not just:
“How do we grow faster?”
But:
“What assumptions are we building on?”
Our co-founder @bockus joined a strong group of speakers alongside teams from Base, DWF Labs, Canton Network and others, sharing a perspective that cuts across both #startups and #Web3security:
Shout out to what Simplicity Group is building here.
More rooms where founders think at this level.
#FirstPrinciples
Excited to announce that we will be attending EthCC[9] in Cannes!
March 30 – April 2 at the Palais des Festivals.
DM us, let's talk code, audits, and keeping things safe at scale. See you on the French Riviera!
Someone just poisoned the Python package that manages AI API keys for NASA, Netflix, Stripe, and NVIDIA… 97 million downloads a month… and a simple pip install was enough to steal everything on your machine.
The attacker picked the one package whose entire job is holding every AI credential in the organization in one place. OpenAI keys, Anthropic keys, Google keys, Amazon keys… all routed through one proxy. All compromised at once.
The poisoned version was published straight to PyPI… no code on GitHub… no release tag… no review. Just a file that Python runs automatically on startup. You didn’t need to import it. You didn’t need to call it. The malware fired the second the package existed on your machine.
The attacker vibe coded it… the malware was so sloppy it crashed computers… used so much RAM a developer noticed their machine dying and investigated. They found LiteLLM had been pulled in through a Cursor MCP plugin they didn’t even know they had.
That crash is the only reason thousands of companies aren’t fully exfiltrated right now. If the code had been cleaner nobody notices for weeks. Maybe months.
The attack chain is the part that gets worse every sentence.
TeamPCP compromised Trivy first. A security scanning tool. On March 19. LiteLLM used Trivy in its own CI pipeline… so the credentials stolen from the SECURITY product were used to hijack the AI product that holds all your other credentials.
Then they hit GitHub Actions. Then Docker Hub. Then npm. Then Open VSX. Five package ecosystems in two weeks. Each breach giving them the credentials to unlock the next one.
The payload was three stages… harvest every SSH key, cloud token, Kubernetes secret, crypto wallet, and .env file on the machine… deploy privileged containers across every node in the cluster… install a persistent backdoor waiting for new instructions.
TeamPCP posted on Telegram after: “Many of your favourite security tools and open-source projects will be targeted in the months to come… stay tuned.”
Every AI agent, copilot, and internal tool your company shipped this year runs on hundreds of packages exactly like this one… nobody chose to install LiteLLM on that developer’s machine. It came in as a dependency of a dependency of a plugin. One compromised maintainer account turned the entire trust chain into a credential harvesting operation across thousands of production environments in hours.
The companies deploying AI the fastest right now have the least visibility into what’s underneath it.
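The post above says the malware lived in "a file that Python runs automatically on startup" without naming the mechanism. The documented CPython behaviour that matches this description is the handling of .pth files in site-packages: the site module reads every *.pth file at interpreter start, adds plain lines to sys.path, and executes any line that begins with "import" as Python code. The following is an added example, not code from the post or from Fidesium, of a defender-side triage script that lists .pth files carrying such executable lines and flags the ones that look like payload loaders. The sample .pth files it writes into a temporary directory are constructed for the demo, and the helper names (executable_pth_lines, scan_site_packages, suspicious, demo) are this example's own.

```python
"""Triage .pth files in a site-packages directory for executable lines.

site.py only exec()s a .pth line that starts with "import " or "import\t";
everything else is treated as a path entry or a comment. Editable installs
(setuptools' __editable__*.pth hooks) legitimately use this feature, so the
output is a list to review, not a verdict.
"""
import os
import re
import sysconfig
import tempfile

# Only lines matching this are executed by site.py at start-up.
IMPORT_LINE = re.compile(r"^import[ \t]")

# Heuristic markers that an import line is loading a hidden payload rather
# than installing a finder. Tune for your environment.
PAYLOAD_MARKERS = ("exec(", "eval(", "base64", "compile(", "__import__(",
                   "subprocess", "urllib", "socket")


def executable_pth_lines(pth_path):
    """Return (lineno, line) for every line site.py would exec() in this file."""
    hits = []
    with open(pth_path, encoding="utf-8", errors="replace") as fh:
        for lineno, raw in enumerate(fh, 1):
            line = raw.rstrip("\n")
            if not line.strip() or line.startswith("#"):
                continue
            if IMPORT_LINE.match(line):
                hits.append((lineno, line))
    return hits


def scan_site_packages(site_dir):
    """Map each .pth file under site_dir to its executable lines (files with none are omitted)."""
    findings = {}
    for name in sorted(os.listdir(site_dir)):
        if not name.endswith(".pth"):
            continue
        lines = executable_pth_lines(os.path.join(site_dir, name))
        if lines:
            findings[name] = lines
    return findings


def suspicious(line):
    """True if an executable .pth line contains a payload-loader marker."""
    return any(marker in line for marker in PAYLOAD_MARKERS)


def demo():
    """Constructed sample directory: one editable-install hook, one plain path, one loader."""
    tmp = tempfile.mkdtemp(prefix="site-packages-demo-")
    samples = {
        # Looks like a setuptools editable install: imports a finder and installs it.
        "__editable__.goodpkg-1.0.pth":
            "import __editable___goodpkg_1_0_finder; __editable___goodpkg_1_0_finder.install()\n",
        # Plain sys.path entry: never executed.
        "plain-path.pth": "/opt/vendor/lib\n",
        # Constructed loader shape: runs arbitrary code at every interpreter start.
        "evilpkg.pth": "import base64,sys;exec(base64.b64decode('cHJpbnQoJ2NvbnN0cnVjdGVkJyk='))\n",
    }
    for name, body in samples.items():
        with open(os.path.join(tmp, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    findings = scan_site_packages(tmp)
    flagged = {name: lines for name, lines in findings.items()
               if any(suspicious(line) for _, line in lines)}
    return findings, flagged


if __name__ == "__main__":
    # Scan the interpreter's own pure-Python site-packages directory.
    site_dir = sysconfig.get_paths()["purelib"]
    for name, lines in scan_site_packages(site_dir).items():
        for lineno, line in lines:
            tag = "SUSPICIOUS" if suspicious(line) else "review"
            print(f"[{tag}] {name}:{lineno}: {line}")
```

Run it inside the same virtual environment the agent or plugin installed into, since that is where a dependency-of-a-dependency lands; the `__main__` block prints every executable .pth line and marks the ones that match the payload heuristics. The hook-style line is kept as "review" on purpose: a finder import is normal for editable installs, so the signal is an import line you cannot trace to a package you chose.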
Security team trying to effect real change in the ecosystem. You should check them out. The team also let me know they will be showing the film at @EthCC
We are really proud to support @ChainPatrol and their project on @Giveth! 💜 Read about their impact or support them here:
https://t.co/xVElInpJKs #Giveth
⚠️ An expired audit isn’t just a technical issue; it’s a governance risk:
If stakeholders rely on outdated validation, you’re operating on false security assumptions.
Security claims must be version-aware.
#web3security
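Two of the posts above make the same point from different angles: the earlier one notes the gap between the code in a repository and the bytecode actually deployed on-chain, and this one says a security claim must be version-aware or it becomes a false assumption. The following is an added example, not code from the posts or from Fidesium, of how a team can pin an audit claim to a concrete artifact and re-check it: an audit record stores the source revision and a hash of the runtime bytecode built from it, and a check compares that against what is deployed and against the current HEAD. It goes one step beyond the posts by stripping the CBOR metadata trailer that solc appends to runtime bytecode before hashing, so a rebuild that differs only in metadata still matches while any change to the executed code does not. The AuditRecord type, the status labels, the commit strings and the sample bytecode are all constructed for this example; the hash is sha256 to keep the example dependency-free, where on-chain tooling would use keccak256.

```python
"""Pin an audit claim to a bytecode hash and re-validate it.

solc appends a CBOR-encoded metadata block (ipfs/bzzr hash, compiler version)
to runtime bytecode, followed by a 2-byte big-endian length of that block.
Two builds of identical code can differ only in this trailer, so it is
stripped before hashing.
"""
import hashlib
from dataclasses import dataclass

# A solc metadata block starts with a CBOR map header for 1-3 entries.
CBOR_MAP_HEADERS = (0xA1, 0xA2, 0xA3)


@dataclass(frozen=True)
class AuditRecord:
    contract: str
    commit: str      # source revision the audit covered (constructed value below)
    code_hash: str   # hash of metadata-stripped runtime bytecode built at that revision


def strip_solc_metadata(runtime: bytes) -> bytes:
    """Drop the trailing CBOR metadata block; return input unchanged if none is recognised."""
    if len(runtime) < 2:
        return runtime
    n = int.from_bytes(runtime[-2:], "big")      # length of the CBOR block, excluding these 2 bytes
    if n + 2 > len(runtime):
        return runtime
    start = len(runtime) - n - 2
    if runtime[start] not in CBOR_MAP_HEADERS:
        return runtime
    return runtime[:start]


def code_hash(runtime: bytes) -> str:
    """Hash of the executed code only (sha256 here; keccak256 in real tooling)."""
    return hashlib.sha256(strip_solc_metadata(runtime)).hexdigest()


def audit_status(record: AuditRecord, deployed_runtime: bytes, head_commit: str) -> str:
    """Classify the claim against what is live and what would ship next.

    valid                          live bytecode matches the audit, and HEAD is the audited commit
    valid-deployment-stale-source  live bytecode is audited, but HEAD has moved past it
    expired                        live bytecode is not the code the auditors reviewed
    """
    deployment_covered = code_hash(deployed_runtime) == record.code_hash
    source_unchanged = head_commit == record.commit
    if deployment_covered and source_unchanged:
        return "valid"
    if deployment_covered:
        return "valid-deployment-stale-source"
    return "expired"


def _metadata(ipfs_digest: bytes) -> bytes:
    """Constructed solc-style trailer: CBOR map {ipfs: 34 bytes, solc: 3 bytes} plus 2-byte length."""
    body = (b"\xa2" + b"\x64ipfs" + b"\x58\x22" + b"\x12\x20" + ipfs_digest
            + b"\x64solc" + b"\x43\x00\x08\x14")
    return body + len(body).to_bytes(2, "big")


def demo() -> dict:
    """Constructed scenario: one audited build, one metadata-only rebuild, one patched build."""
    audited_commit = "constructed-commit-aaaaaaaa"
    core = bytes.fromhex("6080604052348015600f57600080fd5b50")   # constructed EVM prologue
    audited_runtime = core + _metadata(b"\x11" * 32)
    record = AuditRecord("Vault", audited_commit, code_hash(audited_runtime))

    rebuilt = core + _metadata(b"\x22" * 32)                   # same code, different metadata
    patched = core[:-1] + b"\x00" + _metadata(b"\x11" * 32)    # one opcode changed after the audit

    return {
        "rebuilt_same_commit": audit_status(record, rebuilt, audited_commit),
        "rebuilt_new_commit": audit_status(record, rebuilt, "constructed-commit-bbbbbbbb"),
        "patched": audit_status(record, patched, audited_commit),
    }


if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case}: {status}")
```

In practice the deployed runtime bytecode comes from an `eth_getCode` call against the registered address, and the record is written when the audit is signed off. Two caveats a real pipeline has to handle: contracts with `immutable` variables embed their values into runtime bytecode at deployment, so the audited build must be produced with the same constructor arguments, and proxy patterns require checking the implementation address, not the proxy.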