Jacopod
@jacolansac
Auditor and bug hunter on Smart contracts. Slow is good.
Apparently, the @spillways10 staking contract was hacked, and funds have been draining for the last 200 days. I was approached by a stakeholder to investigate the hack and I happily agreed. A thread:
Every single article I've read from @RareSkills_io was a good investment of my time. Truly impressive and inspiring. Very rarely do we see such a high quality/quantity ratio. Very Rare.
The next Uniswap V3 article that comes out is going to blow people's minds. This isn't just because the animations are cool, but because what would normally be scary math feels extremely digestible. This is one thing that makes RareSkills incredible as a publishing company. We…
This is one of the most frightening attacks I've seen. To see if your proxy is currently hijacked, paste a tx hash to your contract into the @TenderlyApp TX simulator, and see if it delegates twice to reach your impl contract (more details in the article). Legendary work by…
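As an added example (not from the post or the article it links), here is the same check automated against a callTracer-style trace, the format geth's `debug_traceTransaction` emits and Tenderly renders. The addresses, the constructed traces built by `make_trace`, and the `check_proxy` helper are assumptions for illustration; the expected implementation address is something you would read yourself, for instance from the proxy's EIP-1967 implementation slot.

```python
"""Detect a proxy that reaches its implementation through an extra
DELEGATECALL hop, using a callTracer-style transaction trace."""

# Constructed addresses for illustration (not real contracts).
USER = "0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
PROXY = "0x1111111111111111111111111111111111111111"
EXPECTED_IMPL = "0x2222222222222222222222222222222222222222"
ROGUE = "0x3333333333333333333333333333333333333333"


def make_trace(hops):
    """Build a constructed trace in the shape of geth's callTracer output:
    the user calls the proxy, then each hop is a DELEGATECALL frame.
    Every hop has `from` == PROXY because delegatecalled code runs in the
    proxy's own context, so a second hop means the first code address
    delegated onward instead of serving the call itself."""
    root = {"type": "CALL", "from": USER, "to": PROXY,
            "input": "0xa9059cbb", "calls": []}
    cursor = root
    for code_addr in hops:
        frame = {"type": "DELEGATECALL", "from": PROXY, "to": code_addr, "calls": []}
        cursor["calls"].append(frame)
        cursor = frame
    return root


CLEAN_TRACE = make_trace([EXPECTED_IMPL])            # proxy -> impl
HIJACKED_TRACE = make_trace([ROGUE, EXPECTED_IMPL])  # proxy -> rogue -> impl


def find_frame(frame, to):
    """Depth-first search for the first frame whose callee is `to`."""
    if frame.get("to", "").lower() == to.lower():
        return frame
    for child in frame.get("calls", []):
        hit = find_frame(child, to)
        if hit is not None:
            return hit
    return None


def delegate_chain(frame, proxy):
    """Walk consecutive DELEGATECALL frames executed in `proxy`'s context and
    return the code addresses in the order they ran."""
    chain = []
    cursor = frame
    while True:
        nxt = next(
            (c for c in cursor.get("calls", [])
             if c.get("type") == "DELEGATECALL"
             and c.get("from", "").lower() == proxy.lower()),
            None,
        )
        if nxt is None:
            return chain
        chain.append(nxt["to"].lower())
        cursor = nxt


def check_proxy(trace, proxy, expected_impl):
    """Compare the first delegatecall target with the implementation you
    expect. A mismatch means other code runs before yours sees the call."""
    frame = find_frame(trace, proxy)
    if frame is None:
        return {"verdict": "not-called", "chain": []}
    chain = delegate_chain(frame, proxy)
    if not chain:
        return {"verdict": "no-delegatecall", "chain": chain}
    if chain[0] != expected_impl.lower():
        return {"verdict": "hijacked", "chain": chain}
    # Hops after the expected implementation are usually linked libraries,
    # which Solidity also invokes via DELEGATECALL; they are not a hijack.
    return {"verdict": "ok", "chain": chain}


if __name__ == "__main__":
    for name, trace in (("clean", CLEAN_TRACE), ("hijacked", HIJACKED_TRACE)):
        print(name, check_proxy(trace, PROXY, EXPECTED_IMPL))
```

The check compares the first hop rather than counting hops, because a legitimate implementation that calls a linked library also produces a second DELEGATECALL frame with the proxy as `from`; what matters is which code the proxy hands the call to first. A beacon proxy looks different again (a STATICCALL to the beacon, then one DELEGATECALL) and passes this check unchanged.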
This is so true for any aspect of life that compounds. Sports, knowledge, learning a new skill, programming, auditing... Perhaps we should measure our progress in a log scale
Even if you don't implement invariant tests as part of your audits, you MUST think in invariant terms. Force yourself to think about system properties to get beyond line-by-line auditing.
I'm trying @envio_indexer and it is just light-years better than TheGraph. Blazing fast, super easy to get started, great docs, great local testing framework and great deployment process. RIP TheGraph. Thanks @PaulRBerg for the recommendation.
AI won't replace you. A version of you who knows how to use AI will replace the version who doesn't.
Some people think the hacker extorted GMX. It could be true. But remember that bug hunters often get downplayed. This guy was tired of it and wanted to secure a fair bounty that would otherwise be classified as Medium because part of the bug was offchain.
There was a security vulnerability in the GMX V1 codebase that was disclosed. GMX V1 forks were also safely notified. We would like to recognise the actions of 0xDF3340A436c27655bA62F8281565C9925C3a5221 in this recovery. A potential exploitable amount of $42 million belonging to…
Schedule some time every day/week to read all those X bookmarks before they become outdated
Private auditors, be careful when cloning repos:
A critical vulnerability in git was released yesterday that can be triggered by a `git clone` of an untrusted repo. That's the dream vector to pwn auditors and steal their bounties / audit money. Patch your systems before quoting any new clients! And expect visitors in your inbox in the coming weeks...
Auditing smart contracts line by line is inefficient. Why? Functions are randomly ordered, which forces you to switch contexts arbitrarily. Instead, try these two methods: 1/ Follow the funds: Use `slither --print entry-points` to list interesting externally exposed functions,…
I realized I find most bugs before even reading the functions line by line. I find most of my bugs by scrutinizing the storage variables first: are they initialized? Where are they increased? Where decreased? Strategy heavily inspired by giants like @milotruck or @danielvf
Imagine an elite SR joins @sherlockdefi with a blank profile (no rank). If he ranks first in every competition he participates in, how much time/how many competitions does it take him to become an LSR?
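As an added example of the storage-first pass described above (editor's illustration, not the author's tooling), the script below inventories a contract's state variables and every site that writes them, then flags the two patterns the questions are aimed at: a variable that is only ever increased and one that is declared but never written. The `Staking` contract is constructed for this example and deliberately omits the decrement of `totalStaked` in `unstake()`; the regexes and brace counting are a crude approximation of Solidity parsing and are assumptions, not a substitute for a real AST (slither or solc's AST output).

```python
"""Inventory a contract's state variables and every site that writes them,
so the storage-first questions (initialised? where increased? where
decreased?) are answered before any function is read line by line."""
import re

# Constructed sample contract (not from the thread). Two planted issues:
# unstake() never reduces totalStaked, and lastUpdate is never written.
SAMPLE_SOURCE = """\
contract Staking {
    mapping(address => uint256) public staked;
    uint256 public totalStaked;
    uint256 public rewardRate = 100;
    address public owner;
    uint256 public lastUpdate;

    constructor() {
        owner = msg.sender;
    }

    function stake(uint256 amount) external {
        staked[msg.sender] += amount;
        totalStaked += amount;
    }

    function unstake(uint256 amount) external {
        require(staked[msg.sender] >= amount, "insufficient");
        staked[msg.sender] -= amount;
        // totalStaked is never reduced here
    }

    function setRate(uint256 r) external {
        rewardRate = r;
    }
}
"""

# State variable declaration at contract scope: type, modifiers, name, optional initialiser.
STATE_VAR_RE = re.compile(
    r"^\s*(mapping\s*\([^;]*?\)|[A-Za-z_][\w.]*(?:\[[^\]]*\])*)\s+"
    r"(?:(?:public|private|internal|constant|immutable)\s+)*"
    r"([A-Za-z_]\w*)\s*(=[^;]*)?;"
)
FN_RE = re.compile(r"^\s*(?:function\s+([A-Za-z_]\w*)|(constructor|receive|fallback))\b")
INCREASE, DECREASE = {"++", "+="}, {"--", "-="}


def _write_patterns(name):
    n = re.escape(name)
    return [
        # name, name[idx] or name.field followed by an assignment/compound operator
        re.compile(rf"\b{n}\b(?:\s*\[[^\]]*\])*(?:\.\w+)*\s*(\+\+|--|\+=|-=|\*=|/=|%=|=(?!=))"),
        re.compile(rf"(\+\+|--)\s*\b{n}\b"),
        re.compile(rf"\b(delete)\s+{n}\b"),
    ]


def _walk(source):
    """Yield (line number, brace depth at line start, line without // comment).
    Brace counting is crude (ignores braces inside strings) but enough to
    tell contract scope (depth 1) from function bodies (depth >= 2)."""
    depth = 0
    for lineno, raw in enumerate(source.splitlines(), 1):
        line = raw.split("//", 1)[0]
        yield lineno, depth, line
        depth += line.count("{") - line.count("}")


def scan_storage_writes(source):
    report = {}
    for _, depth, line in _walk(source):          # pass 1: declarations
        m = STATE_VAR_RE.match(line) if depth == 1 else None
        if m:
            typ, name, init = m.groups()
            report[name] = {"type": typ, "initialised": init is not None,
                            "increase": [], "decrease": [], "assign": []}
    patterns = {name: _write_patterns(name) for name in report}
    fn = None
    for lineno, depth, line in _walk(source):     # pass 2: write sites
        if depth == 1:
            h = FN_RE.match(line)
            if h:
                fn = h.group(1) or h.group(2)
            continue
        if depth < 2:
            continue
        for name, pats in patterns.items():
            for pat in pats:
                for m in pat.finditer(line):
                    op = m.group(1)
                    kind = ("increase" if op in INCREASE
                            else "decrease" if op in DECREASE else "assign")
                    report[name][kind].append(lineno)
                    # A write in the constructor or an initialize* function counts as initialisation.
                    if fn == "constructor" or (fn or "").lower().startswith("init"):
                        report[name]["initialised"] = True
    return report


def findings(report):
    out = []
    for name, v in report.items():
        writes = v["increase"] + v["decrease"] + v["assign"]
        if not writes and not v["initialised"]:
            out.append(f"{name}: declared but never written")
        elif v["increase"] and not v["decrease"]:
            out.append(f"{name}: increased at line(s) {v['increase']} but never decreased")
    return out


if __name__ == "__main__":
    rep = scan_storage_writes(SAMPLE_SOURCE)
    for name, v in rep.items():
        print(f"{name:12} init={v['initialised']!s:5} +{v['increase']} -{v['decrease']} ={v['assign']}")
    print(findings(rep))
```

Run it on a real file by replacing `SAMPLE_SOURCE` with the contract text; the per-variable table is the point, since the findings list only covers the two mechanical patterns, while questions such as "who can reach this assignment?" still need you to open the function.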
And more. You can save the prompt as a custom "slash command" with arguments, and invoke it directly from the Claude terminal. Example: save the prompt in ~/.Claude/commands/estimate.md and invoke it like `/estimate X Y Z` docs.anthropic.com/en/docs/claude…