S 1

The morning after posting this photo in Tokyo, a stranger awaited me in the lobby of my hotel I went for breakfast and while passing through the lobby, someone on the sofa there turned around and said "Hello Pieter 🤝 " I was like WTF 😳 It turns out he was an indie hacker living in Japan (not Japanese, but Western), who'd been waiting all morning to meet me He figured out which hotel I was staying at just from the photo below I had a chat with him and he was nice, he had a regular job in Japan and wanted to build his own business too, all friendly and nice and fine But still it did make me remember that rule to never post photos in a place until you've left! Because you may get instantly d0xed and visited by people I guess obvious in 2025 Especially in a time where AI can find where any photo is taken in literally seconds, even up to the floor number you stay in a hotel, I stayed at floor 37 and it correctly guessed the range (33-38) Beware! https://t.co/YtRm2V1bWT

At this point I've audited a couple *hundred* Smart Contracts. Along the way, I've picked up a number of things that more often than not... lead to Critical bugs/vulnerabilities. So I decided to compile them all and share them with you. → 17 Common attack vectors I always try out on a new codebase (+ 5 Bonus): - Frontrunning/backrunning - Using very small amounts as inputs (e.g. 1 wei) - Passing zero as an input - Using contracts that cannot accept ether - Gas griefing with external calls - Weird ERC20 tokens (fees, 777, return values, etc...) - Price manipulation - Blacklisted ERC20 addresses - Potential overflow/underflow - Block re-orgs - Reentrancy (721, inter-function, inter-contract, inter-system (read-only)) - Sybil attacks on incentives/tokenomics - Flash loans (even flash mints e.g. Dai) - Accepting any data from an arbitrary address (Malicious bytes) - Inflating internal accounting by sending tokens to the system - Forced precision loss when precision really matters (min balance checks etc...) - Addresses that might be empty at one point, yet house contract code at another 5 Bonuses: - Reverting (external calls I can make revert, inputs I can use to cause a revert) - Unexpected addresses (provide a `receiver` address pointing to another contract in the system) - Selector clashing - Signatures (replay, malleability, recover to 0 address etc...) - Hash collision (encodePacked)