Never send a bug report to Injective. You probably remember what @al_f4lc0n went through, but even worse happened, you may hear the story soon. Do not do any business with them.
We owe you a lot. If it weren't for Code4rena, I probably wouldn't have become interested in web3 security; might not even have realized such a field existed at all. Being such a great pioneer, thank you sincerely for the immeasurable contributions Code4rena has made to web3 and for all the people it has onboarded into the space over the years.
If the process regarding my three pending bug reports ends badly, I may take a break from bug bounty work -- either until the bull market starts to come back or until the number of AI spammers decreases and project teams start to act more ok towards bug bounty hunters again. This is something I do in my spare time and the treatment I've recently experienced suggests it may not be worth it (at least around these times).
I hope my unresolved reports are ultimately handled fairly so that I won't feel the need to take such a break. It's heartbreaking to see that every bug bounty hunter goes through this rn.
I'd also like to thank the project teams who consistently remain professional, respect bug bounty hunters and their work, and care about timelines -- simply for doing what should be normal.
As I observe the growing use of AI on both the development and security sides -- and therefore the increasing density of low-quality commits or updates -- I become more convinced that if we had liquidity that was truly decentralized at the level of DeFi Summer, we would all have gotten rekt.
What's "protecting" things right now is the centralized and mutable nature of projects. But if you accept that this is how it should be, then you are part of the problem in this industry. Ever since we started treating centralization not as a risk but as a design choice, we've been on the wrong path.
Since this rant is a roller-coaster of topics, I will divide it into four sections.
1-) How do the best bug bounty hunters deal with problematic project teams?
Spoiler: they are mortals like us and can't magically fix anything.
I think that by listening/chatting with the best bug bounty hunters, I've understood their strategy:
Just keep hunting.
From the start, they choose the target mindfully. Hunt on bigger targets (in terms of TVL and bounty size, read this amazing article by @WhiteHatMage on this: https://t.co/9WHaygCRZ7) but even then they don't assume that the process will go smoothly, and they focus on finding new vulnerabilities on a different target while their existing reports are being (not) resolved. They try to create as many opportunities as possible so that some bad faith actors won't totally stall them.
However, this doesn't mean they don't care about unresolved reports. On the contrary, they behave very professionally in messaging channels and do not let go of a project that tries to avoid paying. This is their full-time job, and they want to get paid.
2-) Why this sucks
Unfortunately, the above situation shows how inclined we are to create more black-hats than white-hats, because there are only two scenarios that can create the incredible level of devotion I mentioned above:
* You received one large payout, and because of that, no matter how many bad experiences you have, your belief that another large payout will come never fades.
* You have an incredibly strong attraction to feeling like a hero and doing what is ethically right.
Note: Many people do bug hunting *occasionally* (like myself), and the situation is completely different for that case. These two scenarios are related to creating devoted full-time bug bounty hunters.
If we don't have established standards and legal enforcement (aka incentives), we will remain limited to creating only a ridiculously small number of consistent elite bug bounty hunters. We shouldn't wait for every project to get hacked in order for them to get incentivized to allocate more resources to security.
3-) Market actual security, not your newest product.
Because products/services will change over time -- sometimes it will be AI, sometimes audit competitions -- but the need for security will never disappear. What we need to show project teams is not just which fancy tool to use to achieve security, but that they genuinely need a “security-first” mindset.
Security is not achieved through a single best product, but rather by getting various services. Instead of only launching a large bug bounty or only paying for one expensive audit, distributing the budget across both of these will produce a much better outcome. It feels like, instead of sharing the pie wisely, we are allowing most of it to be captured by the newest trend.
Nothing done with a “let's not miss the boat” mentality is truly innovation. There will be some successful products/services, but most of them will be forgotten, sunset, or be forced to evolve.
4-) Not all founders have been reading @RektHQ for years like we do
Maybe you don't think much about it, but it is also important to realize that not all project teams have the same level of maturity. They just don't really think they need to allocate much to security. We need to teach some VCs that security is an actual thing and not a fucking marketing tool.
You wouldn't believe how often I've heard bug bounty hunters say about major projects that “X project's codebase is terrible / is a mess.” Do you think the developers, founders, and VCs of those projects are even aware that this is the case?
Last month, I reported a critical severity vulnerability in a Cosmos SDK-based blockchain project and was awarded a $20,000 bounty.
Thanks to @WhiteHatMage for the advice on handling communications in private bug bounties.
Our team kicked off the year with an outstanding performance, earning bug bounty rewards from three Cosmos ecosystem projects in January, with a few more reports still pending resolution.
https://t.co/WsV6mclini
Some projects may still want to fork AAVE v2 governance, which is time-tested and reliable. I've found an edge case that doesn’t have much impact but could cause confusion if it happens. (Got permission to open the issue) 👻👻👻
https://t.co/wHiEZE0her
Second bounty in a row. 🫡
I wouldn't recommend spending time on Stride (https://t.co/IIeK0PuDrQ), they will give the lowest possible reward. Portfolio updated: https://t.co/NEJMfHqtnO
We are proud to have contributed to bringing Starknet's best aggregator to the Scroll network.
It was a pleasure working with the Fibrous team and we look forward to many more collaborations! 🤝
We are thrilled to share that our smart contracts on the Scroll network have been developed with the incredible support of @WardAudits.
Big shoutout to @WardAudits for helping us bring our smart contracts to life on the Scroll.
Thanks to their magic touch, our contracts are now secure, efficient, and ready to rock the blockchain world!
We couldn’t have done it without you; here’s to many more adventures together! 🚀
We hope that you’ve gained a new perspective by reading these tweets and looking at the examples. And as you may notice, it’s actually more about multiple parsers rather than just two, so think of it that way and don’t limit yourself to looking for only two.
Thanks!
(4/4) 🧵
After reading this thread, you'll gain a new perspective on your audits, get ready to be two parser pilled. 💊
Daniel Von Fange's tweet defines the two parser bug and provides great real-world examples:
(1/4) 🧵
I call it a "two parser bug".
Two different implementations tracking the same input, and parsing differences cause diverging behavior from different parts of a system. Here are two recent examples used in hacks, and how to avoid them.
🧵1/5
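The definition above can be made concrete with a small constructed example. This is added illustration, not code from the quoted thread, from Gearbox, or from any real protocol: the packed swap-path format, the token constants and the two parser functions are all hypothetical. It shows one component that reads the output token by slicing the last 20 bytes, and another that walks hops from the front and ignores a short tail, so a crafted path passes the allow-list check with one token while execution delivers another. The hardened version replaces both with a single strict parser that rejects non-canonical lengths, which is the general fix: one parser, one view of the bytes.

```python
"""
Constructed "two parser bug" demo (hypothetical format and tokens, not any real protocol).

Assumed encoding:  path = token0 (20 bytes) || (fee (3 bytes) || token (20 bytes))*
Parser 1 (validation side) slices the output token as path[-20:].
Parser 2 (execution side) walks hops from the front and ignores a trailing tail
shorter than a full hop.  They agree on well-formed paths and disagree on a
path with a 22-byte tail, which is exactly the divergence the thread describes.
"""

ADDR = 20           # address length in bytes
FEE = 3             # fee field length in bytes
HOP = FEE + ADDR    # one (fee || token) hop

# Constructed 20-byte "addresses"; TOKEN_X is the only allow-listed output token here.
TOKEN_A = b"\xaa" * ADDR
TOKEN_B = b"\xbb" * ADDR
TOKEN_X = b"\xcc" * ADDR
ALLOWED_OUT = {TOKEN_X}


def output_token_by_slice(path: bytes) -> bytes:
    """Parser 1: assumes the last 20 bytes of the path are the output token."""
    return path[-ADDR:]


def walk_hops(path: bytes) -> list:
    """Parser 2: walk (fee || token) hops from the front; a tail shorter than HOP is ignored."""
    tokens = [path[:ADDR]]
    i = ADDR
    while i + HOP <= len(path):
        i += FEE                      # skip the fee field
        tokens.append(path[i:i + ADDR])
        i += ADDR
    return tokens


def parse_path_strict(path: bytes) -> list:
    """Single canonical parser: accept only token0 || (fee || token)+ with no extra bytes."""
    if len(path) < ADDR + HOP or (len(path) - ADDR) % HOP != 0:
        raise ValueError("non-canonical path length %d" % len(path))
    # With a canonical length walk_hops consumes every byte, so there is only one reading.
    return walk_hops(path)


def crafted_path() -> bytes:
    """Constructed input: an A -> B hop followed by a 22-byte tail whose last 20 bytes spell TOKEN_X."""
    return TOKEN_A + b"\x00\x0b\xb8" + TOKEN_B + b"\x00\x00" + TOKEN_X


def vulnerable_flow(path: bytes):
    """Validate with parser 1, execute with parser 2.
    Returns (token validation believed, token execution delivers)."""
    out = output_token_by_slice(path)
    if out not in ALLOWED_OUT:
        raise PermissionError("output token not allowed")
    return out, walk_hops(path)[-1]


def hardened_flow(path: bytes) -> bytes:
    """Validate and execute from one strict parse, so both see the same tokens."""
    tokens = parse_path_strict(path)
    out = tokens[-1]
    if out not in ALLOWED_OUT:
        raise PermissionError("output token not allowed")
    return out


if __name__ == "__main__":
    p = crafted_path()
    believed, delivered = vulnerable_flow(p)
    print("validation saw:", believed.hex(), "execution delivered:", delivered.hex())
    try:
        hardened_flow(p)
    except ValueError as e:
        print("hardened flow rejected it:", e)
```

The check to carry over to an audit is the length/round-trip condition in `parse_path_strict`: whenever two code paths read the same encoded input, either route both through one parser or assert that the parsed structure re-serializes to exactly the input bytes.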
Thanks to @bl4ckb1rd71's memory, here is one of the earliest instances of the two parser bug: Gearbox Protocol Vulnerability Report by @__nnez
(3/4) 🧵
https://t.co/GSc5qG23r6