1. Deflation attack in @SiloFinance vault during a @code4rena contest
Share = _assets.mulDiv(_newTotalSupply + 10^_decimalsOffset(), _newTotalAssets + 1, _rounding)
What the problem here?
totalAssets is based on redeemable market shares, but market rounding can cause an issue
Today marks 2 years as a Security Researcher at @QuillAudits_AI.
Grateful for the journey, the lessons, and everyone who has been part of it.
Looking forward to learning more, finding more bugs, and becoming better auditor every day 🥷
An AI audit passed your contract. That doesn't mean it's safe.
3 places AI auditors still fail 👇
• Novel attacks: it matches patterns, can't sense "feels wrong"
• Cross-protocol exploits across oracles, pools & bridges
• False confidence: AI can even hallucinate a bug and propose a "fix" that quietly adds a real vulnerability.
One auditing lesson that keeps repeating:
Never trust a dependency because it's popular.
Verify:
• the exact version
• the deployed bytecode
• the imported implementation
A trusted library with one modified line can become a backdoor.
@gurwinder_sui True.
It's easy to stay motivated when everything is going up.
The real test is whether you're still showing up when nobody is watching.
Interesting shift happening in Web3:
Security discussions are moving beyond:
“Was the smart contract audited?”
toward:
• who monitors risk continuously
• who reacts during incidents
• who controls emergency systems
• who understands ecosystem contagion
The hardest part of Web3 security isn’t Solidity.
It’s reasoning about systems.
How:
• liquidity moves
• state changes compound
• integrations inherit risk
• incentives alter behavior
• edge cases break invariants
That’s why great auditors study systems, not just functions. 🎯
Every integration is also a dependency.
Every dependency imports:
- assumptions
- trust boundaries
- external risks
- failure conditions
That’s the hidden cost of composability.
Sui developers, put your Move security skills to the test ⛳️
Move-over is an open source, browser-based CTF. Read the vulnerable contract, write your attack logic and return the flag.
Like Ethernaut, but for @SuiNetwork 💧
🚨 Be Alert.
Your AI coding tool won't run cargo test without permission. But it'll read your .env file - silently, no questions asked.
That's not a feature. That's a misconfiguration waiting to be exploited.
✅ Always verify your tool's default permissions before production or audit.
Your AI is part of your attack surface. Treat it that way.
People think auditing is just reading code.
It's reading code at 1 Am, questioning every assumption, documenting findings nobody wants to hear, and doing it again tomorrow.
It's a lifestyle. Not a job.
Most critical bugs I find aren't complex.
Same devs who spent 2 weeks shaving gas costs never asked:
"What is this function doing vs what it's supposed to do?"
The code runs fine. The logic is wrong.
Auditors don't find bugs in the code.
They find bugs in the assumptions.
Every protocol has paired functions.
Deposit/Withdraw. Mint/Burn. Borrow by amount/by shares.
Same goal. Different code paths.
Ask one question:
do both sides handle edge cases the same way?
Usually no.
That asymmetry is your finding.