As a smart contract auditor, I've seen math bugs drain millions from protocols.
Here are the four main math libraries I see in production that every smart contract developer should know (and what causes issues with each):
🧵👇
If you are using LLMs to find bugs, you should use all of them — their blind spots aren’t exactly the same.
As you know I’ve done extensive testing on LLM limitations.
One particularly damning example.
I was doing mutation testing on UniswapV2. Introducing one-line obvious bugs that allow draining the contract.
Opus 4.7-4.8 looks at it and “thinks”: this is just UniswapV2, how do I tell the user it’s safe without sounding condescending?
Opus 4.6 finds the issue but thinks it’s minor and buries it among 20 info issues.
GPT 5.5 Pro actually takes the trouble of looking at the code line by line, finds the introduced bug, and leads with it at the correct severity.
This is partially the reason why I think Anthropic isn’t in a good place.
I’m not sure what nonsense they are doing with RL and system prompts but their models are getting measurably worse in many ways.
In this particular example you’d be way safer using Opus 4.6 than 4.8 — even if you’d have lots of false positives.
Of course this is a toy example. But those things tend to get worse at larger scales.
And as a final note: you should also have human review. Obviously.
But this is the sort of trivial thing devs should have automated tools for catching right away at this point.
The Reality of Becoming a Top 1% Security Researcher
Most people think it's about intelligence.
It's not.
It's about surviving years of confusion, rejection, self doubt, and failure long enough to become dangerous.
Here's what nobody tells you
Let's dive in
➪ The internet only shows the wins.
You see:
➣ Accepted bug bounties
➣ Audit reports
➣ Conference talks
➣ Hall of Fame achievements
➣ Research publications
You don't see:
➣ 100+ rejected findings
➣ Failed exploit attempts
➣ Weeks spent understanding one vulnerability
➣ Thousands of lines of code read for nothing
Success is visible.
The struggle isn't.
➪ Security research will make you feel stupid.
A lot.
You'll open a protocol and understand absolutely nothing.
You'll read a Solidity function 20 times.
You'll stare at an exploit writeup for hours.
And you'll wonder if everyone else is smarter than you.
They're not.
They've just been confused longer.
➪ One lesson I learned:
Feeling lost is not a sign you're failing.
It's usually a sign you're learning.
The best researchers aren't the ones who avoid confusion.
They're the ones who stay with it long enough for understanding to emerge.
➪ Nobody talks about the 3 AM reality.
The monitor glow.
The cold coffee.
The failed PoC.
The endless transaction traces.
The attack path that doesn't work.
Then doesn't work again.
Then finally works.
The world sees the report.
You experience the thousand failures before it.
➪ Security research is mostly being wrong repeatedly until you're finally right.
That's the job.
Not glamour.
Not recognition.
Investigation.
➪ Most people don't fail because they lack talent.
They fail because they quit too early.
The learning curve is brutal.
Progress feels invisible.
Validation is rare.
Rewards are delayed.
So people leave.
The few who stay become dangerous.
➪ Consistency beats talent more often than people want to admit.
Read code every day.
Study exploits every week.
Write research publicly.
Repeat.
Small efforts compound.
➪ The most underrated security skill isn't intelligence.
It's curiosity.
Elite researchers ask questions longer than everyone else.
Why is this here?
Why is this unchecked?
Why did this exploit work?
Why did nobody notice?
Curiosity uncovers vulnerabilities.
➪ Most vulnerabilities hide inside assumptions.
Attackers know this.
Researchers should too.
➪ Another uncomfortable truth:
Security research is mostly pattern recognition.
The best auditors don't magically spot bugs.
They've simply studied enough failures to recognize familiar attack surfaces.
Experience is pattern recognition in disguise.
➪ Want to improve faster?
Study:
➣ Historical hacks
➣ Audit reports
➣ Post mortems
➣ Exploit writeups
➣ Attacker behavior
Every exploit teaches a lesson.
Every lesson becomes intuition.
➪ Let's talk about the emotional cost.
Nobody warns you about this part.
Security can be lonely.
You miss events.
You skip outings.
You spend weekends reading code.
Sometimes you become obsessed.
And sometimes that obsession is exhausting.
➪ Then imposter syndrome arrives.
You compare yourself to famous auditors.
Respected researchers.
Top bug bounty hunters.
You feel behind.
Here's the truth:
Even experts feel this way.
They just keep moving anyway.
➪ Top 1% doesn't mean:
➣ Knowing everything
➣ Finding every bug
➣ Never making mistakes
➣ Being a genius
Top 1% means:
➣ Showing up consistently
➣ Learning relentlessly
➣ Staying curious
➣ Refusing to quit
➪ If I could give one piece of advice to aspiring blockchain security researchers:
Stop chasing shortcuts.
Read code.
Study exploits.
Think like attackers.
Build things.
Break things.
Write about what you learn.
Depth beats hype.
Every time.
➪ One day people will see your audit reports, findings, and achievements.
They'll assume you were naturally gifted.
They won't see:
➣ The confusion
➣ The failures
➣ The rejected reports
➣ The late nights
➣ The moments you almost quit
But that's the reality of becoming a top 1% security researcher.
Not brilliance.
Persistence.
➪ The researchers who change the industry are rarely the smartest people in the room.
They're the ones who refused to leave the room.
If you're building a career in Smart Contract Security, Blockchain Security, or Web3 Security:
Keep going.
Your future expertise is being built in today's confusion.
Repost if you're on the journey.
🤯 An AI security tool has 1st-place performance on security contests from just 1yr ago. Solidity-auditor v3 is out, FREE & Open Source.
Thousands of Solidity developers are using the tool already. Upgrade your security baseline, use the tool🫡
https://t.co/SfxjuQ17gA
Invariant testing is one of the most powerful features in Foundry.
It's also one of the core pillars for security.
This is one of the best tutorials you will ever find.
https://t.co/I5Y3Xiy4qn
also covers the AI angle properly because "just use AI" is not a strategy
tools, checklists, methodology, all free
https://t.co/h1nCRy2vhw
like/rt if it helps someone.
want to add something? raise a PR
auditing broker-based prediction markets is a trap if you audit them like an amm.
there may be no on-chain price discovery at all.
the real invariant is:
user intent → escrow → keeper fill → position → refund/claim
so hunt the breaks between those arrows.
can a delegate debit the wrong account?
can a keeper-only path be reached by a user?
can `cancel` and `fill` both touch the same order?
can `close` and `claim` both settle the same position?
does payout use stored ownership or caller input?
in broker systems, price is often trust.
custody, routing, and state transitions are where the critical bugs live.
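The questions above, turned into a small reference model that an auditor can test a broker design against (an added example, not code from the post or from any real protocol). The `Broker` class, its method names and the rule that payout equals the escrowed stake are assumptions made for illustration.

```python
# Added illustration, not code from the post. All names are hypothetical.
ESCROWED, FILLED, CANCELLED, SETTLED = "escrowed", "filled", "cancelled", "settled"

class Broker:
    """Toy model: intent -> escrow -> keeper fill -> position -> refund/claim."""
    def __init__(self, keeper, balances, delegates=None):
        self.keeper, self.balances = keeper, dict(balances)
        self.delegates = dict(delegates or {})   # delegate -> account it acts for
        self.orders, self.escrow = [], 0

    def _move(self, oid, expected, new):
        # Single choke point: each transition consumes exactly one prior state.
        order = self.orders[oid]
        if order["state"] != expected:
            raise RuntimeError(f"order {oid} is {order['state']}, not {expected}")
        order["state"] = new
        return order

    def place(self, caller, account, amount):
        if caller != account and self.delegates.get(caller) != account:
            raise PermissionError("delegate cannot debit this account")
        if amount <= 0 or self.balances.get(account, 0) < amount:
            raise ValueError("bad amount")
        self.balances[account] -= amount
        self.escrow += amount
        self.orders.append({"owner": account, "amount": amount, "state": ESCROWED})
        return len(self.orders) - 1

    def fill(self, caller, oid):
        if caller != self.keeper:
            raise PermissionError("keeper-only path")
        self._move(oid, ESCROWED, FILLED)

    def cancel(self, caller, oid):
        if caller != self.orders[oid]["owner"]:
            raise PermissionError("only the owner cancels")
        self._release(self._move(oid, ESCROWED, CANCELLED))

    def claim(self, caller, oid):
        # Anyone may trigger settlement; funds go to the stored owner only.
        self._release(self._move(oid, FILLED, SETTLED))

    def _release(self, order):
        # Simplification: payout equals the escrowed stake (no price or PnL).
        self.escrow -= order["amount"]
        self.balances[order["owner"]] += order["amount"]

    def solvent(self):
        live = (ESCROWED, FILLED)
        return self.escrow == sum(o["amount"] for o in self.orders if o["state"] in live)
```

Calling `solvent()` after every step of a randomized call sequence gives the same kind of check a Foundry invariant test would run against the real contract.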
in bridge audits, don’t just verify the cross-chain message is authentic.
verify the payload still means the same thing on both chains.
recipient on chain a might mean “wallet address”
but on chain b it might mean “account object id”
same bytes. different meaning. stuck funds.
I unlocked 19.329 Ξ (40,590$) on Ethereum and returned them to their original owners.
The funds had been stuck in two old contracts for years, recoverable through public functions that nobody had ever called.
Oracle attacks are a reminder that clean code can still encode bad assumptions.
You can pass reviews, tests, and style checks -
and still fail adversarial reality.
The move is learning the attack *class*, not just memorizing one incident.
Patch Euler but miss the class behind it, and the same assumption takes down a different protocol.
https://t.co/nXtZCuNwGU
New: We just launched the BEST Web3 opportunities page! Bug bounties & Audit competitions aggregated all in one place in a beautiful customizable UI. Check it out here: https://t.co/9VSMTuk0c2
One of the best articles for Web3 bug bounty hunters.
Explains:
• how to choose high-ROI targets
• why complexity hides critical bugs
• what not to waste time on
• how to avoid getting lowballed
Must-read for serious hunters. 🔥
https://t.co/cTJeCzINzK
For all the auditors getting scared by this contests market shift - let me walk you through bugonomics history 🐛🪨⏬
1995 Netscape (old browser) paid researchers for bugs, which was radical at the time
2012 @Hacker0x01 and @Bugcrowd dominated the bounty space and there was no notion of contests
they had private invite-only events which is close, but a contest model didn't fit large web2 companies, e.g. Uber, Airbnb, etc. - they don't want 500 hackers hammering their servers in a single week
2021 @code4rena realized that contests are of a different nature:
- Smart contracts store loads of money directly, and get hacked like crazy
- Smart contracts are "immutable" - once deployed must find bugs before launch
- Open source means auditor can fully understand logic, not just probe blindly
- More auditor attention, better results
For protocols - contests cost more than bounty
Let's think like a protocol for a second 🤔
contest = coverage, more eyes, pre-launch safety net
- Pay $200k pool upfront
- Runs 1-4 weeks
- Payout regardless of findings quality (money still gone)
bounty = sparse coverage, reactive not proactive
- Pay $0 until valid bug reported
- Only pay on confirmed severity
- Treasury preserved until hit
in bull markets - protocols don't want to get hacked, they spend what they can (contests + bounty after)
in bear markets - same, but now protocols have no funds - bounty is cheaper
2025 bear market gets worse, AI spamming submissions left and right, making triaging costs increase exponentially
2026 even worse - still bear market, MORE (way more) AI and there are fewer new protocols on top of it all
That's why today we are back to web2-style bounties. The protocols that make real money, real impact.
In 2015 people made a living off web2 bounties, this ain't different
@immunefi @HackenProof @xyz_remedy all are live and kicking, and there's money on the table for you to take, harder than before, true - but since when has hard stopped us?