Binance Square

PatrickAlphaC

0 Following
2 Followers
0 Likes
0 Shares
I spoke to a Solana project (Cyfrin does Solana work now!) about their codebase, and we asked them why they kept a piece of their codebase out of scope for an audit.

Their answer:
“We plan to keep it closed-sourced so the security needs are less.”

1. Without a security review, you’re just delaying the hackers to break down your project and find holes. Relying on obscurity should never be your entire security plan!

2. It seems this is a trend across Solana projects. This needs to change!

Also, closed-source contracts have issues regardless, but that’s for another day…
Hot takes that I think shouldn’t be hot, and should be “the default”

1. The contest platform is ultimately responsible for the payout. It is the contest platform that promises payout, so if a platform doesn’t pay out, no matter the drama, it is the platform’s fault.

2. The auditors are the workers, and should be treated with the same respect as you would someone on your team. Changing goal posts in the middle of a review, allowing your team to be taken advantage of by allowing clients to dismiss submissions for any reason, or even giving the opportunity for a client to ruin the integrity of a contest (sharing results that could be leaked before contest ends, allowing the protocol to fix the bug and then close the issue because “oh it’s fixed now”) isn’t acceptable. Team > Client. With this, you end up giving the client better output because the team actually cares.

Changing the rules of a competition that pays out money could even be considered illegal in some cases.

3. Exclusivity deals on bounty platforms are the antithesis of security. Imagine finding a live crit and not being able to report it because you have an exclusivity deal.

4. Despite all this, bug bounties and competitive audits are still the best way to get into the industry. Don’t let this be the excuse you give to platforms to treat you like dirt, but also keep in mind, many of them are trying their best. Unless they violate one of the statements I made above, in which case they may not be.
Ledger has made a lot of oopsies, this may be one of them - decommissioning a wallet is frustrating for those who purchased one.

But on the plus side, they are still the only wallet to show EIP-712 hashes for signing.

Other wallet brands, pay attention.
Competitive audits are still the best way to onboard to web3 security.
We made a smart contract dev framework for Vyper.

We made a pretty cool feature.

We think it would be cool in foundry.

We made a ticket for it in foundry.

Open source is amazing.

https://github.com/foundry-rs/foundry/issues/6556
If you want to be cyberpunk

Want a new career for you or your friends

Want to make web3 a safer place

Want to learn how to improve the solidity compiler

@CyfrinUpdraft
I went to pay out money in a game of Texas Hold’em to people from different parts of the world.

Me: “no worries, I’ll text you a link to @getclave with your winnings”

Them: “but I don’t have the app…?”

Me: “that’s the beauty of account abstraction wallets”

Crypto is amazing
Here is your exhaustive guide on how to choose a hardware wallet:

No calldata, no buy.
Four more wallets entered my review lair.

I only considered one acceptable for security researchers to use.

Can you guess which one?

Let's find out (NGRAVE, SafePal, useBurner, and BitBox02) 👇
Verifying transactions is basically now a career path.

If you ever want to be on a security council or a multi-sig, you need this skill.

AIs can help you, but ultimately, you are responsible for what you sign.

https://updraft.cyfrin.io/career-tracks/web3-wallet-security
@_iphelix how come we don't see the Bybit attack here?
I have more hardware wallets DMing me to try their wallet.

When I ask about how they show input data, they tell me “oh it’s good!”

But they either:
- don’t show calldata
- show their own custom encoding (wtf…?)

Stop bullshitting your users please.
I'm going to make an EVM hardware wallet tier list not influenced by referral codes.

Stay tuned.
AI MCP Claude Model mixed with MetaMask | Live on Abstract
Private Key + .env = Poverty.

I don't make the rules.
Ok, the other crazy part?

I still have hardware wallet founders in my DMs trying to convince me why showing calldata is a waste of time and not required.

A: "Here, sign here."
B: "Can I read the contract?"
A: "No, stfu and sign"

Insane.
ETH's day is here.

The rest of the world just hasn't realized it yet.

But they will.
The Bybit ($1.4B) hack has been on my mind since it happened, trying to think of ways to solve it.

I've been hammering away at making tooling to help people verify their transactions, and I feel like a couple of small tweaks to the wallet interfaces could make a big difference in making sure complex transactions are what you expect them to be.

So, I made this forum post to make a potential new ERC to discuss a few tweaks that might make life easier.

https://t.co/A2wYihHxxE

Would love to get anyone's thoughts/comments!
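The point made across the Ledger post (the only wallet showing EIP-712 hashes), the "you are responsible for what you sign" post and the Bybit post above is that a hash on a wallet screen is only worth something if you can recompute it yourself and understand the struct behind it. The following is an added example, not code from these posts or from Ledger, Cyfrin or any wallet vendor: it rebuilds the EIP-712 signing digest for an ERC-2612 `Permit` (the typed-data message phishing sites most often ask victims to sign) and reviews the fields before the signer approves. Keccak-256 is implemented inline so it runs offline; the token name, addresses, one-hour deadline window and trusted-spender list are constructed assumptions.

```python
"""Recompute an EIP-712 digest locally and review the struct before signing it.
Added example; the domain, addresses and policy thresholds are constructed."""

# --- Keccak-256 as Ethereum uses it (0x01 multi-rate padding, 136-byte rate) ---
_RC = [
    0x0000000000000001, 0x0000000000008082, 0x800000000000808A, 0x8000000080008000,
    0x000000000000808B, 0x0000000080000001, 0x8000000080008081, 0x8000000000008009,
    0x000000000000008A, 0x0000000000000088, 0x0000000080008009, 0x000000008000000A,
    0x000000008000808B, 0x800000000000008B, 0x8000000000008089, 0x8000000000008003,
    0x8000000000008002, 0x8000000000000080, 0x000000000000800A, 0x800000008000000A,
    0x8000000080008081, 0x8000000000008080, 0x0000000080000001, 0x8000000080008008,
]
_ROT = [[0, 36, 3, 41, 18], [1, 44, 10, 45, 2], [62, 6, 43, 15, 61],
        [28, 55, 25, 21, 56], [27, 20, 39, 8, 14]]
_MASK = (1 << 64) - 1


def _rol(v, n):
    n %= 64
    return ((v << n) | (v >> (64 - n))) & _MASK if n else v


def _keccak_f(a):
    """Keccak-f[1600] on a 5x5 array of 64-bit lanes indexed a[x][y]."""
    for rc in _RC:
        c = [a[x][0] ^ a[x][1] ^ a[x][2] ^ a[x][3] ^ a[x][4] for x in range(5)]
        d = [c[(x - 1) % 5] ^ _rol(c[(x + 1) % 5], 1) for x in range(5)]  # theta
        a = [[a[x][y] ^ d[x] for y in range(5)] for x in range(5)]
        b = [[0] * 5 for _ in range(5)]
        for x in range(5):
            for y in range(5):
                b[y][(2 * x + 3 * y) % 5] = _rol(a[x][y], _ROT[x][y])  # rho + pi
        a = [[b[x][y] ^ (~b[(x + 1) % 5][y] & b[(x + 2) % 5][y])  # chi
              for y in range(5)] for x in range(5)]
        a[0][0] ^= rc  # iota
    return a


def keccak256(data: bytes) -> bytes:
    rate = 136
    padded = bytearray(data) + b"\x01"
    while len(padded) % rate:
        padded.append(0)
    padded[-1] |= 0x80
    state = [[0] * 5 for _ in range(5)]
    for off in range(0, len(padded), rate):
        for i in range(rate // 8):  # lane i sits at x = i % 5, y = i // 5
            state[i % 5][i // 5] ^= int.from_bytes(padded[off + 8 * i:off + 8 * i + 8], "little")
        state = _keccak_f(state)
    return b"".join(state[i][0].to_bytes(8, "little") for i in range(4))


# --- EIP-712: digest = keccak256(0x1901 || domainSeparator || hashStruct(message)) ---
def _word(value) -> bytes:
    """ABI-encode an address (hex string) or uint256 as one 32-byte word."""
    n = int(value, 16) if isinstance(value, str) else int(value)
    return n.to_bytes(32, "big")


EIP712_DOMAIN_TYPEHASH = keccak256(
    b"EIP712Domain(string name,string version,uint256 chainId,address verifyingContract)")
PERMIT_TYPEHASH = keccak256(
    b"Permit(address owner,address spender,uint256 value,uint256 nonce,uint256 deadline)")
MAX_UINT256 = (1 << 256) - 1


def domain_separator(name, version, chain_id, verifying_contract):
    return keccak256(EIP712_DOMAIN_TYPEHASH + keccak256(name.encode()) + keccak256(version.encode())
                     + _word(chain_id) + _word(verifying_contract))


def permit_digest(domain, owner, spender, value, nonce, deadline):
    struct_hash = keccak256(PERMIT_TYPEHASH + _word(owner) + _word(spender)
                            + _word(value) + _word(nonce) + _word(deadline))
    return keccak256(b"\x19\x01" + domain + struct_hash)


def review_permit(domain, permit, trusted_spenders, now):
    """Return (digest_hex, warnings). Sign only if the digest matches the wallet
    screen AND warnings is empty. Thresholds are this example's assumptions."""
    warnings = []
    if permit["value"] == MAX_UINT256:
        warnings.append("unlimited allowance: spender can drain the whole balance")
    if permit["deadline"] > now + 3600:  # assumed policy: at most a one-hour window
        warnings.append("deadline far in the future: permit stays valid long after this session")
    if permit["spender"].lower() not in {s.lower() for s in trusted_spenders}:
        warnings.append("spender is not a contract you recognise")
    digest = permit_digest(domain, permit["owner"], permit["spender"],
                           permit["value"], permit["nonce"], permit["deadline"])
    return "0x" + digest.hex(), warnings


# Constructed sample: a Permit a dapp asked us to sign (all values made up).
SAMPLE_DOMAIN = domain_separator("Example Token", "1", 1, "0x" + "11" * 20)
SAMPLE_PERMIT = {"owner": "0x" + "aa" * 20, "spender": "0x" + "bb" * 20,
                 "value": MAX_UINT256, "nonce": 0, "deadline": MAX_UINT256}
TRUSTED_SPENDERS = ["0x" + "cc" * 20]

if __name__ == "__main__":
    digest, warns = review_permit(SAMPLE_DOMAIN, SAMPLE_PERMIT, TRUSTED_SPENDERS, now=1_700_000_000)
    print("EIP-712 digest the hardware wallet should display:", digest)
    for w in warns:
        print("WARNING:", w)
```

The digest is what a wallet that shows EIP-712 hashes puts on its screen; if it differs from the locally computed value, the dapp is feeding the wallet a different message than it showed you. The field review is the part a hash alone cannot give you, which is why the posts above insist on seeing the decoded struct or calldata, not a vendor's custom encoding.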
I like the fox wallet
I like Bankless
I like Claude AI
I like Coinbase (even though, the recent exploit is not great)
I like Curve

But yet, for some reason these are “bad takes”

Someone plz explain
If I wanted to pivot from crypto to AI, here is how I would do it:

1. I wouldn’t