Your team takes the break. We take the audit.
A few slots open July 1 — August 15. Adjusted rates. AuditAgent Pro included so the codebase is ready before we start.
Smart contracts and ZK circuits.
https://t.co/5lkctca8Ia
A ZK circuit can do exactly what it's supposed to and the system around it still gets drained. The risk lives in what the protocol assumes the proof means. Michael Belegris on the bugs our ZK audit team keeps finding: https://t.co/Z6wY2lE0Dr
Uniswap ran a free AuditAgent scan, an AgentArena competition on UniswapX, and adopted the AuditAgent Business Plan in three months. Cody Born, Principal Engineer at @Uniswap, on what AuditAgent changed in their development workflow:
@0xKalzak Pre-audit tools handle the surface layer. AuditAgent flags common vulnerability patterns and dead code so the audit goes deeper from day one. Included with audit slots between July 1 and August 15. Reduced rates: https://t.co/1eMm08NUeR
Auditors aren't QA.
When the first days of an engagement go to integration bugs the team would catch on testnet, that's time off the review. When pass one goes to dead code and common vulnerability patterns, that's time not spent on bugs only auditors can find.
Auditing ERC-7540 vaults is different from auditing ERC-4626. Settlement happens in a different block than the request. Bugs in the gap can leave users mispriced, locked out of exits, or settled into the wrong cycle.
Standard audit playbooks miss them.
@lagoon_finance The work covered pending-state accounting transitions, NAV update timing during synchronous deposits, and economic edge cases at feature interactions.
The most consequential issues became reachable only when new features layered onto existing ones.
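An added illustration of the request/settle gap the two posts above describe (example code, not Lagoon's or any project's code): a minimal ERC-7540-style vault that prices every deposit request at the NAV of the epoch in which it settles, keeps a request that arrives after settlement in the next epoch rather than the closed one, and excludes escrowed requests from NAV. The variant that counts pending assets as vault assets is included only to show the mispricing that mistake produces; the vault, users and figures are constructed, and only the deposit side is modeled.

```python
"""Minimal model of an ERC-7540-style asynchronous deposit lifecycle.

Added example, not Lagoon's or any project's code. Requests are queued per
epoch; settle() closes the epoch at one NAV and mints shares for every
request in it; claim() hands out shares only after settlement. Assets that
are merely requested sit in escrow and are never counted as vault assets.
All figures are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class AsyncVault:
    total_assets: float = 0.0   # settled assets the vault actually owns
    total_shares: float = 0.0
    epoch: int = 0              # epoch currently accepting requests
    pending: dict = field(default_factory=lambda: defaultdict(dict))    # epoch -> user -> assets
    settled_price: dict = field(default_factory=dict)                    # epoch -> assets per share
    claimable: dict = field(default_factory=lambda: defaultdict(float))  # user -> shares

    def nav_per_share(self) -> float:
        """Correct NAV: settled assets over minted shares, pending requests excluded."""
        return 1.0 if self.total_shares == 0 else self.total_assets / self.total_shares

    def nav_per_share_counting_pending(self) -> float:
        """The mistake: escrowed requests counted as assets before their shares exist."""
        pending_total = sum(sum(reqs.values()) for reqs in self.pending.values())
        if self.total_shares == 0:
            return 1.0
        return (self.total_assets + pending_total) / self.total_shares

    def request_deposit(self, user: str, assets: float) -> int:
        """Escrow assets into the open epoch; returns the epoch the request belongs to."""
        self.pending[self.epoch][user] = self.pending[self.epoch].get(user, 0.0) + assets
        return self.epoch

    def settle(self) -> float:
        """Close the open epoch at today's NAV, mint shares for its requests, open the next."""
        price = self.nav_per_share()
        self.settled_price[self.epoch] = price
        for user, assets in self.pending.pop(self.epoch, {}).items():
            self.total_assets += assets          # escrowed assets become vault assets...
            self.total_shares += assets / price  # ...in the same step as their shares
            self.claimable[user] += assets / price
        self.epoch += 1  # anything requested from now on lands in the new cycle
        return price

    def claim(self, user: str) -> float:
        """Shares from settled requests only; an unsettled request yields nothing yet."""
        return self.claimable.pop(user, 0.0)

    def accrue(self, yield_assets: float) -> None:
        self.total_assets += yield_assets


def demo() -> dict:
    """Alice settles at 1.0, the vault earns 10%, Bob requests across the gap."""
    v = AsyncVault()
    v.request_deposit("alice", 1000.0)
    v.settle()                                   # epoch 0 closes at 1.0 assets/share
    alice_shares = v.claim("alice")
    v.accrue(100.0)                              # vault: 1100 assets / 1000 shares
    bob_epoch = v.request_deposit("bob", 1100.0)  # goes to epoch 1, not the closed epoch 0
    nav_correct = v.nav_per_share()
    nav_wrong = v.nav_per_share_counting_pending()
    bob_early = v.claim("bob")                   # epoch 1 not settled: nothing claimable
    v.settle()
    return {
        "alice_shares": alice_shares,
        "bob_epoch": bob_epoch,
        "nav_correct": nav_correct,
        "nav_wrong": nav_wrong,
        "bob_early_claim": bob_early,
        "bob_shares": v.claim("bob"),
        "nav_after": v.nav_per_share(),
    }


if __name__ == "__main__":
    for k, val in demo().items():
        print(f"{k}: {val}")
```

The settle step adds assets and shares at the same price, so NAV is unchanged by settlement itself; the variant that counts pending assets would quote Bob at double the real share price and mint him half the shares he is owed.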
@code4rena Bad news for the ecosystem. @code4rena you are OGs and you're where many started their web3 journeys. Competition is what makes us all better - we're sad to see you go.
To all affected builders: https://t.co/FOBC65pfRu
Builders selected for the program and working with us get audit and formal verification in one engagement, plus AI tooling to prepare your code for the audit.
https://t.co/dBbEaSA03o
The $1M Ethereum Security Subsidy Program funds security reviews for mainnet builders. Nethermind's on the Expert Committee with @ethereumfndn, @chainlink, and Areta. New cohorts monthly.
https://t.co/GQPsthiOD4
Every pending transaction in the mempool is a statement of intent. Bots read it before it settles and front-run what's worth front-running.
The contract calls AMM.swap(tokenIn, amountIn, 0). That zero is 100% slippage tolerance. A frontrunner inflates the price, lets the swap settle, sells back at profit. A 10,000 USDC trade returns 1 ETH instead of 5.
require(actualAmountOut >= minAmountOut) lets the user set their worst acceptable price. If a bot moves the price outside that range, the swap reverts. The attacker burns gas for nothing.
The mempool stays public. Defense lives in the code, or it doesn't exist.
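The sandwich described above, modeled end to end as an added example (not code from the post or from any AMM): a constant-product pool with a 0.3% fee, a bot that front-runs and back-runs a 10,000 USDC swap, and the victim's order once with minAmountOut = 0 and once with a 1% bound on the fair quote. Pool reserves, trade sizes and the bot's behaviour are constructed.

```python
"""Sandwich attack on a constant-product AMM, with and without minAmountOut.

Added example, not code from the post or from any AMM. The pool follows the
x*y=k rule with a 0.3% fee on the input amount (Uniswap-v2 style); reserves,
trade sizes and the bot's behaviour are constructed for illustration.
"""
from dataclasses import dataclass

FEE_NUM, FEE_DEN = 997, 1000  # 0.3% fee taken from amountIn


class SlippageExceeded(Exception):
    """Stands in for the revert of require(actualAmountOut >= minAmountOut)."""


@dataclass
class Pool:
    reserve_usdc: float
    reserve_eth: float

    @staticmethod
    def _out(amount_in: float, reserve_in: float, reserve_out: float) -> float:
        """Constant-product output for amount_in after the fee is deducted."""
        fee_in = amount_in * FEE_NUM / FEE_DEN
        return reserve_out * fee_in / (reserve_in + fee_in)

    def quote_eth_out(self, usdc_in: float) -> float:
        return self._out(usdc_in, self.reserve_usdc, self.reserve_eth)

    def swap_usdc_for_eth(self, usdc_in: float, min_eth_out: float = 0.0) -> float:
        eth_out = self.quote_eth_out(usdc_in)
        if eth_out < min_eth_out:  # the slippage check; min_eth_out == 0 can never fire
            raise SlippageExceeded(f"got {eth_out:.4f} ETH, wanted >= {min_eth_out:.4f}")
        self.reserve_usdc += usdc_in
        self.reserve_eth -= eth_out
        return eth_out

    def swap_eth_for_usdc(self, eth_in: float, min_usdc_out: float = 0.0) -> float:
        usdc_out = self._out(eth_in, self.reserve_eth, self.reserve_usdc)
        if usdc_out < min_usdc_out:
            raise SlippageExceeded(f"got {usdc_out:.2f} USDC, wanted >= {min_usdc_out:.2f}")
        self.reserve_eth += eth_in
        self.reserve_usdc -= usdc_out
        return usdc_out


def sandwich(pool: Pool, victim_usdc_in: float, victim_min_eth_out: float,
             bot_usdc_in: float) -> tuple:
    """Run one sandwich. Returns (victim_eth_received, bot_pnl_usdc, victim_reverted).

    Order within the block: the bot buys ETH (front-run), the victim's pending
    swap settles against the moved price, the bot sells its ETH back (back-run).
    """
    bot_eth = pool.swap_usdc_for_eth(bot_usdc_in)  # pushes the ETH price up
    try:
        victim_eth = pool.swap_usdc_for_eth(victim_usdc_in, victim_min_eth_out)
        reverted = False
    except SlippageExceeded:
        victim_eth, reverted = 0.0, True            # swap reverts, victim trades nothing
    bot_usdc_back = pool.swap_eth_for_usdc(bot_eth)  # bot unwinds its position
    return victim_eth, bot_usdc_back - bot_usdc_in, reverted


def demo() -> dict:
    """Same 10,000 USDC order twice: minAmountOut = 0, then 1% below the fair quote."""
    fair = Pool(2_000_000.0, 1_000.0).quote_eth_out(10_000.0)
    unguarded = sandwich(Pool(2_000_000.0, 1_000.0), 10_000.0, 0.0, 500_000.0)
    guarded = sandwich(Pool(2_000_000.0, 1_000.0), 10_000.0, fair * 0.99, 500_000.0)
    return {"fair_quote_eth": fair, "unguarded": unguarded, "guarded": guarded}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

With minAmountOut = 0 the victim receives roughly 3.2 ETH for an order that quotes at about 4.96, and the bot ends the block in profit; with the 1% bound the victim's swap reverts, and the bot, having already front-run, unwinds at a loss on top of the gas it paid.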
Aptos Keyless lets users create a blockchain account using Google or Apple ID. ~1.4M ZK constraints sit between that login and the on-chain account.
We're formally verifying them in CLAP.
Tokenised assets fall into three legal categories.
Informational — records a fact about an offchain asset
Certificatory — digital receipt against a custodian
Dispositive — transfer of the token IS transfer of legal title
Most tokenised assets today are certificatory.
Lagoon's vault architecture went through five sequential audits as new features changed accounting assumptions between pending and settled assets.
https://t.co/8Ud7igphGi