Andy Li
@andyfeili
security assessment manager, engineer @sigp_io
Found a live bug in EigenLayer (this was a few days before the Cantina contest). It was discovered while reviewing the offchain sidecar rewards calculation.
verify the output
AI PROMPTING → AI VERIFYING: AI prompting scales, because prompting is just typing. But AI verifying doesn't scale, because verifying AI output involves much more than just typing. Sometimes you can verify by eye, which is why AI is great for frontend, images, and video. But…
Nice list! Though this list is intended for dev positions. So I am wondering if people think security folks should also be expected to know all this, or at least the easy questions? Because sometimes SRs learn a new language on the fly during an audit, and rely on their…
We classified very similar questions as "easy" here: rareskills.io/post/solidity-…
We have wrapped up the first-round interviews. The interview had a short technical component which caught some candidates off guard, though I was surprised that some had a hard time despite their impressive backgrounds. Do you think these questions are fair game for every SR to…
We have manually reviewed all the applications and will be sending out 20 interview invites soon. To give an idea of the quality, the people who have made the cut have had 50+ H/M bugs in audit contests, multiple top finishes, and a private audit portfolio.
Auditing the response from AI is part of the workflow; it also has the benefit of solidifying your own understanding of the code. For example, if there is a complex function: - Let AI explain it. - Verify whether the answer is correct. - If there was any hallucination, explain the…
270 applications so far, reviewing them this week
We will be taking on 3-4 security interns this round: a 6-8 week paid internship. I will be acting as one of the mentors. Apply here
Sigma Prime is hiring 🚀 We've just added 3 roles to our GitHub: Blockchain Security Intern, Rust Engineer, and DevOps Engineer. Help shape the future of web3 with us 👇
wrote a blog post for this
A critical division-by-zero vulnerability was discovered by our team in EigenLayer’s sidecar rewards calculation that could have caused DoS for AVSs and operators. The issue was fixed before exploitation by adding explicit checks onchain and in the sidecar.
Planning out a more structured internship intake (security engineers and an internal LLM role); will post more details when it gets finalized.
Hack a protocol, negotiate to return 90% of the funds and keep 10% as a "bug bounty". Same as hacking a database of PII and negotiating a "bug bounty" for the deletion of PII. It is literally demanding a ransom payment.
If going by case law, the current precedent is that you 100% can get prosecuted even if you return the funds under a negotiated safe-harbour agreement post-hack. Shakeeb Ahmed: 8.8 million stolen from Crema Finance, returned most funds under an agreement that the protocol would not report…
After the DAO hack in 2017, the idea that "code is law" was called into question. The notion of blockchain as an infallible, self-governing system seems quaint at best. But what if we embraced an adversarially hardened blockchain, where hacks were seen as the cost of improving…