In 2022, we performed one of the first ever OpSec audits for a web3 company, pulling from over 7 years of experience securing the most sensitive and high value teams at companies like Apple and Amazon. We built a bespoke audit process from the ground up that covers all of the weak points that code and infra audits don't. Over the past 4 years we've reviewed OpSec for VCs, startups, mature companies, and teams ranging from 5 people to 50+, including crypto-adjacent orgs with no on-chain presence and crypto-native orgs with dozens of multi-sigs and hot wallets.
We started with ad-hoc reviews tailored to each organization: meet with the team to ask all the questions we could think of, build a threat model, and write a report highlighting risks and recommending mitigations. But we quickly learned that, while there are unique risks each team faces, many of the topics we covered were shared between orgs. We wrote guides for securing Discord servers, Twitter/X accounts, email servers, and developed both targeted and generalized trainings for whole teams. We also learned that these audits ran most smoothly with some sort of structure in place to define what each meeting should cover, who we needed to talk to in the org, and when we knew we were done. And when we spoke about OpSec to teams, they didn't have a solid understanding of what it even meant or what the scope included. We built a very detailed internal process and set of resources outlining all of this.
Since then, we've taken that internal playbook and refined it across multiple audits, each with their own unique risks and challenges. But this was something we felt we could not keep to ourselves. Last year, we converted that playbook into a comprehensive set of requirements, guides, and tools - all open source and free for anyone to use. We called it the Web3 OpSec Standard (W3OS).
What sets W3OS apart from other OpSec resources is that it aggregates a comprehensive set of guidance into one place; presents everything as actionable checklists; and provides concrete guides for configuring platforms, setting up secure development environments, and training teams to stay secure. This year, we've also started building tools to support these guides and requirements and enable teams to take their OpSec seriously without having to build complex monitoring tools themselves.
Auditware has been doing OpSec audits for over 10 years, we wrote the book on web3 OpSec, and we continue to build open source public goods for tackling OpSec issues because we truly believe that our industry cannot thrive without preventing the many, easily preventable security failures we have seen over the years. We highly encourage everyone to put these resources to good use and tighten up your OpSec before you have an incident!
The best way to get started with this is making an account on our free OpSec collaboration platform, Sentry, which allows you to navigate W3OS requirements and guides with ease, track tasks across your team, and set up monitoring tools:
https://t.co/yjgQ42yW18
🚨W3OSC/skills is now open, a repo of AI skills built specifically for Web3 operational security.
We built these for the problems security teams and auditors run into constantly:
→ Endpoint threat hunting
→ Org security mapping
→ Supply chain defense
→ Multisig hardening
More coming soon 👀
All in one place: just drop it into your AI agent and get the right guidance when you need it.
Web3 security teams and auditors, which skill are you adding first? Or submit your own and see if it passes the automated checks for malicious patterns!
https://t.co/PrW4ca5P4u
skill-warden integrates directly into your CI pipeline and sends the scan results into Sentry. It automatically checks every push and every pull request. If it finds a hard violation, it blocks the merge. All the results then appear in Sentry’s unified security dashboard alongside your other tools, using SARIF.
Together they give you strong end-to-end coverage: skill-warden catches risky AI skills and prompt injections in CI, while Sentry keeps watching your GitHub activity, endpoints, identities, DNS integrity, and breach exposure.
https://t.co/yjgQ42ztQG
Hey Protocol Labs founders and builders 👋
We're hosting a hands-on OpSec workshop exclusively for @ProtocolLabs portfolio founders and developers in New York City.
🗓️ Tuesday, June 9 · 10:00 – 11:00 AM
📍OASIS by Workville, NYC
We'll be covering practical security practices for teams building in Web3:
→ Key management & storage
→ Device security
→ Wallet & multisig handling
→ Incident response fundamentals
→ Auth & security policies
Led by our CEO, @joe_vanloon
Want a head start or can't make it in person? Check out the training materials here:
https://t.co/9Xh3vOi9yJ
Grab your spot below 👇
https://t.co/1isu8Nv99j
See you there!
An attacker may not directly target you, and instead they can register a batch of package names, create some empty GitHub repos to look credible, and wait for someone to make a typo in an install command.
Supply chain attacks at scale are not very precise. It's a numbers game that employs enough fake packages and a real looking repo.
The TrapDoor campaign pushed 34+ malicious packages and 384+ versions across npm, PyPI, and https://t.co/ynMqdK0pvS with many targeting DeFi devs on Solana, Aptos, and Sui.
Depenemy spots the pattern: repos with almost no history and publishers who released multiple packages in the same 48-hour window.
https://t.co/uiKLneCfvT
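The two signals named above (a publisher shipping several packages inside one 48-hour window, and linked repos with almost no history) can be checked against registry metadata like this. This is an added illustration, not depenemy's own code; the release records and the thresholds (3 packages per window, fewer than 5 commits) are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed registry metadata (not real packages): publisher, package name,
# publish time (ISO 8601), and commit count of the linked GitHub repo.
SAMPLE_RELEASES = [
    {"publisher": "dev-alpha", "package": "solana-web3-utils", "published": "2025-03-01T10:00:00", "repo_commits": 1},
    {"publisher": "dev-alpha", "package": "aptos-sdk-helpers", "published": "2025-03-02T04:30:00", "repo_commits": 2},
    {"publisher": "dev-alpha", "package": "sui-wallet-kit", "published": "2025-03-02T20:15:00", "repo_commits": 1},
    {"publisher": "maintainer-b", "package": "long-lived-lib", "published": "2025-03-01T12:00:00", "repo_commits": 840},
    {"publisher": "maintainer-b", "package": "long-lived-cli", "published": "2024-11-20T09:00:00", "repo_commits": 310},
]

WINDOW = timedelta(hours=48)   # burst window from the post
MIN_BURST = 3                  # assumed: this many distinct packages in one window
MIN_COMMITS = 5                # assumed: fewer commits than this counts as "almost no history"


def burst_publishers(releases, window=WINDOW, min_burst=MIN_BURST):
    """Return publishers who released >= min_burst distinct packages within `window`."""
    by_pub = defaultdict(list)
    for r in releases:
        by_pub[r["publisher"]].append((datetime.fromisoformat(r["published"]), r["package"]))
    flagged = set()
    for pub, items in by_pub.items():
        items.sort()
        start = 0
        # Sliding window over publish times sorted ascending.
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1
            if len({name for _, name in items[start:end + 1]}) >= min_burst:
                flagged.add(pub)
    return flagged


def suspicious_packages(releases, min_commits=MIN_COMMITS):
    """Packages from burst publishers whose linked repo has almost no history."""
    bursty = burst_publishers(releases)
    return sorted(r["package"] for r in releases
                  if r["publisher"] in bursty and r["repo_commits"] < min_commits)
```

Both signals are combined on purpose: a prolific legitimate maintainer trips the burst check alone, while a fresh repo alone is just a new project.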
🚨 BREAKING: Active supply chain attack across npm, PyPI, and Crates.io.
Socket detected TrapDoor, a crypto stealer campaign hitting 34 malicious packages and 384 versions and artifacts, with attackers repeatedly pushing new releases across ecosystems.
TrapDoor targets #crypto, #DeFi, AI, and security developers, stealing wallets, SSH keys, cloud credentials, GitHub tokens, browser data, env vars, and API keys.
Socket detected releases with a median detection time of 5 minutes, 27 seconds. The fastest detection occurred 58 seconds after publication.
If you are shipping a skill, one command is all it takes to verify it is clean.
skill-warden scan ./your-skill/
It checks for prompt injection, jailbreaks, token smuggling, secret grabbing, and obfuscation.
You can also add the GitHub Action and get a badge that goes red the moment a hard violation is detected. Your users will know your skill passed before they install it ✅🦸♂️
https://t.co/7N9fbUn0l2
🚨You probably have `^` in half your dependencies. In your dev tools that is fine. In your actual production dependencies it means someone can push a malicious update and your next `npm install` pulls it in automatically with no warning.
The axios supply chain attack worked exactly this way. depenemy flags loose version specifiers in production dependencies and leaves your dev tooling alone, because the risk is not the same in both places! 🗣️
https://t.co/uiKLneCNlr
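The production-only check described above, as an added example that is not depenemy's code: it reads a package.json, flags any specifier in `dependencies` that is not an exact version, and leaves `devDependencies` alone. The manifest is constructed for the demo.

```python
import json
import re

# Constructed package.json (not a real project's manifest) mixing pinned and
# range specifiers in both dependency sections.
SAMPLE_PACKAGE_JSON = json.dumps({
    "dependencies": {
        "axios": "^1.6.0",      # caret range: next install may pull a newer minor
        "express": "4.18.2",    # exact pin
        "ethers": "~6.9.0",     # tilde range: floats across patch releases
        "ws": "*",              # anything at all
    },
    "devDependencies": {
        "jest": "^29.0.0",
        "eslint": "latest",
    },
})

# An exact pin is x.y.z with an optional prerelease/build suffix.
_EXACT = re.compile(r"^=?\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?$")


def is_loose(spec):
    """True if the specifier can resolve to a version the author never reviewed.

    Anything that is not an exact x.y.z version is treated as loose, including
    tags like "latest" and git/URL sources, which this check cannot verify."""
    return not _EXACT.match(spec.strip())


def loose_production_deps(manifest_text):
    """Return (name, spec) pairs from `dependencies` with a loose specifier.

    devDependencies are skipped on purpose: they don't ship to production, so the
    risk profile of a floating range there is different."""
    manifest = json.loads(manifest_text)
    prod = manifest.get("dependencies", {})
    return sorted((name, spec) for name, spec in prod.items() if is_loose(spec))
```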
@pashov The noise removal is overlooked, the real skill is now knowing which AI findings to trust and which to drop. The attack surface shifted too, many are not auditing the AI agents themselves yet.
Things in web3 move fast enough that stepping away may mean starting over. Operational security is not the same 🫨
The basics that protect your team, your keys, and your infrastructure are not being replaced by something new.
If you're curious where to start 👇
https://t.co/QtgWiUyrrg
A friend of mine was on a sabbatical and he's just back to work, so he basically lost the whole AI revolution
I shared the most important learning materials
- auto research by @karpathy
- harness engineering by @OpenAI
That's it. All the rest is ephemeral
We're sharing our ShieldFlow audit report. 👇
One curl request to a public endpoint returned live auth tokens, encryption keys, and internal infrastructure secrets. This was not a smart contract bug. It was a web2 misconfiguration.
The gap most audits miss is that Web3 protocols run on Web2 infra.
Auditing the full stack is the only way to know what you are actually exposed to. 🕵️♂️
10 critical and high severity findings which they fixed in record time!
https://t.co/H5OgKAbu1k
For all the auditors getting scared by this contests market shift - let me walk you through bugonomics history 🐛🪨⏬
1⃣9⃣9⃣5⃣ Netscape (old browser) paid researchers for bugs which was radical at the time
2⃣0⃣1⃣2⃣ @Hacker0x01 and @Bugcrowd dominated the bounty space and no notion of contests
they had private invite-only events which is close, but a contest model didn't fit large web2 companies e.g. Uber, Airbnb, etc. - they don't want 500 hackers hammering their servers in a single week
2⃣0⃣2⃣1⃣ @code4rena realized that contests are of different nature:
- Smart contracts store loads of money directly, and get hacked like crazy
- Smart contracts are "immutable" - once deployed must find bugs before launch
- Open source means auditor can fully understand logic, not just probe blindly
- More auditor attention, better results
For protocols - contests cost more than bounties
Let's think like a protocol for a second 🤔
contest = coverage, more eyes, pre-launch safety net
- Pay $200k pool upfront
- Runs 1-4 weeks
- Payout regardless of findings quality (money still gone)
bounty = sparse coverage, reactive not proactive
- Pay $0 until valid bug reported
- Only pay on confirmed severity
- Treasury preserved until hit
in bull markets - protocols don't want to get hacked, they spend what they can (contests + bounty after)
in bear markets - same, but now protocols have no funds - bounty is cheaper
2⃣0⃣2⃣5⃣ bear market gets worse, AI spamming submissions left and right making triaging costs increase exponentially
2⃣0⃣2⃣6⃣ even worse - still bear market, MORE (way more) AI and there are less new protocols on top of it all
That's why today we are back to web2-style bounties. The protocols that make real money, real impact.
In 2015 people made a living off web2 bounties, this ain't different
@immunefi @HackenProof @xyz_remedy all are live and kicking, and there's money on the table for you to take, harder than before, true - but since when has hard stopped us?
Huge thanks to @Giveth for having us in the Ethereum Security QF Final Project Showcase 🛡️
Today is the LAST DAY to donate and every donation is matched!
The projects in this round are building the security layer Ethereum runs on, and W3OS is one of them, bringing free practical and accessible OpSec tooling to web3 teams that need it.
If you believe in a safer web3, now's the time to act 👇
W3OS: https://t.co/DXBIPIoXuQ
Full round: https://t.co/v92jPSy1RT
We're very sad to hear this news. C4 were the first innovators that really paved the way for solving the unique challenges of web3 in a way that the industry really needed. Thanks for all of the years of keeping projects secure and launching security researchers' careers 🫡
After careful consideration, we’ve made the decision to wind down @code4rena. This community has meant a great deal to everyone who has been part of building it, and sharing this news is not easy.
Did you know that Auditware also provides free security training to any org? Learn more about our work and how you can stay secure with or without a professional audit:
https://t.co/2qaBsAbAZZ
https://t.co/UvDchaQcQx
https://t.co/QT01Bu8gOj