The last few months were tough
I left my secure job as a Software engineer to pursue Web3 security without any prior experience
I was about to give up a few times. First 5-6 months had just 100-200$ payouts
However, I didn't quit and I'm proud to announce my FIRST CONTEST WIN🥇
Totally FREE pre-audit checklists. 🚨
We released our internal security checklists so teams can catch obvious bugs before an audit.
Cross-chain, AMMs, lending, restaking, Uniswap v4 hooks, etc.
Compiled from top articles and other checklists.
https://t.co/jGQtUT2bcB
1/ Introducing The Mentorship Series
https://t.co/EavHXaNBXT
I’m personally mentoring a small, hand-picked group of auditors in 2026. 1st announced tmr.
3 months of 1-on-1 mentoring with me each.
Targets:
0 → 4 figures
4 → 5 figures
Step 1: Like and repost this post.
Damn!
Looks like @Balancer might’ve been hit - ~$70.6M drained from the vault to a single address just now.
- 6,587 $WETH ($24.46M)
- 6,851 $osETH ($26.86M)
- 4,260 $wstETH ($19.27M)
If you’re exposed to Balancer pools, monitor vault txs and team updates right now. Stay safe🙏
Security researchers - PREPARE🙏 New Solidity features coming, the language is getting its biggest revamp so far in its history. Many, many changes upcoming.
This also means many new attack vectors. Many new things to learn and study. Adapt or die in our fast-moving tech world🫡
ALERT! Our system has detected two attack transactions targeting an unknown contract (0x5a46c6) on #BSC, resulting in a loss of ~$85K.
Specifically, the attacker utilized EIP-7702 on its own address to leverage the flash loan callback function, manipulating prices and conducting staking activities. By exploiting the flawed time check mechanism, the attacker directly executed two transactions (stake and unstake) to illicitly profit.
Notably, three key vulnerabilities enabled this attack:
1) Flawed flash loan protection check: The attacker exploited EIP-7702 to bypass the flash loan protection mechanism.
2) Spot price dependency.
3) Flawed time interval check for staking and unstaking: The duration calculation incorrectly uses "timestamp modulo day" (timestamp % day) instead of relying on the end time of the previous stake.
TX1: https://t.co/it5TXGtOcY
TX2: https://t.co/pOJ5zpUg2R
@ArushGupta25@shafu0x Congrats for the effort. 2 issues
1) the liquidated user loses his stable coins + collateral. Instead the liquidator should repay his debt
2) the liquidators are not incentivized to liquidate(only 25% collat reward). No once will liquidate unhealthy positions this way ->Bad debt
@jsn_yrty@ddimitrovv22 Correct, they hacked the miltisig UI Bybit used, and modified the tx content. The bybit team signed this modified tx, without looking at it. No private keys leaked
A few weeks ago, I was responding to a cybersecurity incident - $500,000 have been stolen from a #blockchain developer. The infected operating system was freshly installed, and the victim was vigilant about cybersecurity. How could this happen? New supply chain attack? [1/6]
Hackers aren’t always outsiders - the first attack can be a former teammate still holding an old private key.
Retire credentials as soon as roles change and rotate multisig signers on every upgrade - closing a hole that code reviews can’t see.