Auditing feels impossible at first.
Hereβs what progress actually looks like:
0β100h -> lost most of the time
200β300h -> start spotting patterns
500β700h -> can handle big codebases
1000h+ -> it clicks, bugs stand out instantly
The skill compounds over time. Keep goingπ
The next chapter of @ethereum security begins πͺ
Today marks the beginning of a new competition: a comprehensive review of Pectra, in partnership with the @ethereumfndn.
οΏ½οΏ½ $2,000,000 USDC
π Live now - March 24th
π Below
Level up your cybersecurity knowledge!
A compilation of the best Web3 security alpha from our top engineers π§΅
π Blog Posts
1οΈβ£ Preparing for the Challenges of Smart Contract Audits
π https://t.co/MTdjiuv1Bo
Compilation of essential tips for pre-audit preparation
2οΈβ£ The Power of Penetration Testing
π https://t.co/tCBcT3WQxL
Why penetration testing is crucial for identifying security gaps in Web3 systems
3οΈβ£ Understanding Subdomain Takeovers
π https://t.co/vdcb2wXyyg
A comprehensive guide to subdomain takeovers in the context of Web3
4οΈβ£ Design: Push vs. Pull Pattern in EVM
π https://t.co/ifDcwHTDU8
The benefits and trade-offs of different smart contract design patterns within the Ethereum Virtual Machine
5οΈβ£ Bug Bounty Programs
π https://t.co/CQ8F2iv7We
The evolution and critical role of bug bounty programs in cybersecurity
6οΈβ£ AI & Smart Contract Security
π https://t.co/m0jA8TkSqn
How AI is reshaping security practices in smart contract coding and auditing
7οΈβ£ Under the Hackerβs Hood: JSON Injection in NFTs
π https://t.co/OpY2cpRct2
Understanding vulnerabilities in NFT metadata and risks from JSON injection attacks
8οΈβ£ The Role of Invariant Testing in Cybersecurity
π https://t.co/hVc3AinQPa
How invariant testing ensures robustness in smart contracts
9οΈβ£ Flash Loan Attacks
π https://t.co/g4zgZ7FjWt
How flash loan attacks work, their impact on DeFi, and strategies to avoid them
π Chainlink VRF
π https://t.co/Sl53U112w6
An examination of Chainlinkβs VRF and the security considerations for its use
1οΈβ£1οΈβ£ The Top 10 Vulnerabilities in Large Language Models (LLMs)
π https://t.co/mWKelIfVvD
Insights into the top vulnerabilities in AI models and the security measures to consider
1οΈβ£2οΈβ£ Best Practices for Web3 Wallet Security
π https://t.co/lyfyEz46qD
Guidelines to securing private keys and wallet security
1οΈβ£3οΈβ£ Web3: A Promising Frontier Fraught with Deception
π https://t.co/7q8P8BaGZs
Lessons from a recent YouTube-promoted crypto scam case study
π¬Twitter Threads
1οΈβ£ Recap of OpenSense Interview
πhttps://t.co/rtvYVXXnMV
Key insights from top engineer @SakshamGuruji on Web3 security, hackathon competitions, AI in auditing, and best practices
2οΈβ£ Boss goes on NASDAQ TradeTalks
πhttps://t.co/bzXyE2Ygq7
Our CEO Hartej discusses Generative AI, asset auditing challenges, and the future of cybersecurity
3οΈβ£ Top 10 Security Issues Discovered by Zokyo
πhttps://t.co/ucEqa0LRED
Our top audit findings of 2024, from rounding errors to DoS vulnerabilities
4οΈβ£ Fuzz Testing:All You Need to Know About
πhttps://t.co/WaBczx7hi6
Why fuzz testing is a practical alternative to formal verification for blockchain Virtual Machines
5οΈβ£ Zokyo's Top Security Insights on Solodit
πhttps://t.co/s9Gd7EoA0m
A deep dive into 1,200+ expert audit findings on Solodit
Ether Transfers in Solidity: transfer(), send(), and call()
In Solidity, there are three primary ways to transfer Ether between contracts or to external accounts: transfer(), send(), and call(). Each method has different behaviors, including safety mechanisms and gas consumption, so it's important to understand when and how to use each one.
1. transfer()
The transfer() method is the simplest and most secure way to send Ether. It forwards 2300 gas to the recipient, preventing reentrancy attacks and ensuring that only basic operations (like logging) can be performed in the recipientβs fallback function. If the transfer fails, it automatically reverts the transaction.
Key Points:
Gas forwarding: Only 2300 gas is forwarded, which protects against reentrancy.
Auto-revert: The transaction reverts on failure, so you donβt need to handle errors.
Simple to use, but can fail if the recipient's fallback function requires more than 2300 gas.
Many auditors think it's an issue if a smart contract wallet is interacting with a contract and the transfer method transfers funds to the smart contract wallet. This will however only revert if there is gas-consuming logic in the fallback/receive function.
2. send()
The send() method works similarly to transfer(), but it does not automatically revert if the transaction fails. Instead, it returns a boolean (true on success, false on failure). You must manually handle the failure case.
Key Points:
Gas forwarding: Like transfer(), it only forwards 2300 gas.
Error handling: It does not revert on failure, so you must check the return value and handle failures manually.
3. call()
call() is the most flexible and method for sending Ether. It allows arbitrary interactions with contracts, including sending Ether and invoking functions. Unlike transfer() and send(), it forwards all available gas, which makes it more prone to reentrancy attacks.
However, it's useful when dealing with contracts that require more than 2300 gas to execute their logic.
To avoid security risks, call() should always be followed by a check of the return value and, ideally, a proper gas management or protection against reentrancy attacks.
One can also forward a custom gas value, if desired.
Key Points:
Gas forwarding: Forwards all available gas by default, making it flexible but potentially dangerous.
Error handling: Like send(), it returns a boolean that must be checked to ensure the transaction succeeded.
Reentrancy risk: Since all gas is forwarded, itβs vulnerable to reentrancy attacks unless guarded with checks like the nonReentrant modifier.
Spot this bug, and you might become a Sherlock Lead Senior Watson (LSW) one day.
The winner will be picked in 24 hours.
This code is a simplified version of an actual vulnerability found in a Sherlock contest.
Hint: Look closely at the disableMaxLock function, consider all the edge cases.
Good luck!