I wonder if audit firms should start auditing a protocol's web3 culture. How they sign transactions, how they deal with production etc.
Most hacks nowadays stem from that rather than code that needs auditing…
People have been asking if one can switch from EVM to Move easily. So we thought of writing a series of articles to make the shift from EVM to move easy.
I’m focusing extra on Move. I truly believe something good will come out of it.
Luckily there are more and more competitions and BBPs. Already submitted some issues today that I am happy about.
LFG
The cool thing about auditing Move is that all the entry points are very clearly grouped and marked. At first I thought it was unnecessary but now it's hard for me to go back to Solidity lol.
Sui Move has 2 timestamp functions that can trip you up
one is `clock::timestamp_ms()` → returns time in milliseconds
and the 2nd is `clock_utils::timestamp_seconds()` → returns time in seconds
in a recent private Sui Move audit we found a bug where cooldown_end was set using…
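An added example (not code from the original post or from any audited protocol) of how the two units bite in practice on Sui. It uses the standard `sui::clock::timestamp_ms`; the `clock_utils::timestamp_seconds()` helper named in the post is stood in for by a local `timestamp_seconds` wrapper, and the `Cooldown` struct, module name and the values in the test are all constructed for illustration:

```move
// Added example: milliseconds vs seconds mix-up on Sui Move.
// Assumes the standard sui::clock API; `timestamp_seconds` below is a
// hypothetical stand-in for the post's `clock_utils::timestamp_seconds()`.
module example::cooldown {
    use sui::clock::{Self, Clock};
    use sui::object::UID;

    const E_COOLDOWN_ACTIVE: u64 = 0;

    /// Cooldown end stored in SECONDS. Whoever reads this later has to
    /// remember the unit, which is exactly where the mismatch creeps in.
    public struct Cooldown has key, store {
        id: UID,
        end_s: u64,
    }

    /// Hypothetical seconds helper, modelled on the post's clock_utils.
    fun timestamp_seconds(clock: &Clock): u64 {
        clock::timestamp_ms(clock) / 1000
    }

    /// BUG: compares a millisecond reading against a value stored in seconds.
    /// Any end_s below the current ms count looks "expired", so a cooldown
    /// that should last hours is over immediately.
    public fun is_over_buggy(cd: &Cooldown, clock: &Clock): bool {
        clock::timestamp_ms(clock) >= cd.end_s
    }

    /// FIX: convert to the stored unit at the comparison boundary.
    public fun is_over(cd: &Cooldown, clock: &Clock): bool {
        timestamp_seconds(clock) >= cd.end_s
    }

    public fun assert_over(cd: &Cooldown, clock: &Clock) {
        assert!(is_over(cd, clock), E_COOLDOWN_ACTIVE);
    }

    // Constructed test: clock at 1_700_000_000 ms (= 1_700_000 s), cooldown
    // ending at 1_700_000_000 s. The buggy check says it is over; it is not.
    #[test]
    fun buggy_check_expires_early() {
        let mut ctx = sui::tx_context::dummy();
        let mut clock = clock::create_for_testing(&mut ctx);
        clock::set_for_testing(&mut clock, 1_700_000_000);
        let cd = Cooldown { id: sui::object::new(&mut ctx), end_s: 1_700_000_000 };
        assert!(is_over_buggy(&cd, &clock));
        assert!(!is_over(&cd, &clock));
        let Cooldown { id, end_s: _ } = cd;
        sui::object::delete(id);
        clock::destroy_for_testing(clock);
    }
}
```

The cheap defence while auditing is to grep every arithmetic and comparison that touches a clock value and write the unit next to it; a single field like `end_s` or `end_ms` in the struct name does most of the work.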
Here's what AI should actually be used for:
Light hacking (easy pickings) and QA.
It should make sure, as much as possible, that what I call the QA bugs are taken care of. Leave us humans to use different levers to hack.
Something that took me a while to grasp with other ecosystems like Move is the lack of `msg.sender`. There is something similar, but it wasn't as clear to me when I started.
To everyone (like me) hearing all this talk about AI doing well in audits and replacing us.
If you actually enjoy bug hunting, this doesn't change anything. I sometimes think, what else could I do if AI would replace auditors, but I can't think of anything else I'd rather be…
Move Tip 💨
You’ll see many protocols only passing a reference to signer and some Object<T>, thinking that would be secure enough.
However, this is not always true. The code should also verify that the object does in fact come from the signer themselves.
More info can be read…
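An added example (not code from the original posts or from any protocol they describe) that ties the `msg.sender` question to the `Object<T>` tip above on Aptos Move. The caller is identified by the `&signer` argument, and an `Object<T>` handle passed next to it says nothing about who owns that object, so the link has to be checked explicitly. It assumes the `aptos_framework::object` functions `is_owner` and `object_address` as I recall them; the `Vault` struct, module name and error code are constructed for illustration:

```move
// Added example: signer vs. object ownership on Aptos Move.
// Assumes aptos_framework::object::{is_owner, object_address} and
// std::signer::address_of; the `Vault` module is hypothetical.
module example::vault {
    use std::signer;
    use aptos_framework::object::{Self, Object};

    const E_NOT_OWNER: u64 = 1;

    struct Vault has key {
        balance: u64,
    }

    /// The nearest thing to msg.sender: the address behind the &signer
    /// that authorised this transaction.
    public fun caller(account: &signer): address {
        signer::address_of(account)
    }

    /// BUG: the signer proves who is calling, the Object<Vault> handle proves
    /// nothing about who owns it. The check the post calls for is missing.
    public entry fun withdraw_buggy(account: &signer, vault: Object<Vault>, amount: u64)
    acquires Vault {
        let _who = caller(account);
        let v = borrow_global_mut<Vault>(object::object_address(&vault));
        v.balance = v.balance - amount;
    }

    /// FIX: bind the object to the signer before touching it.
    public entry fun withdraw(account: &signer, vault: Object<Vault>, amount: u64)
    acquires Vault {
        let who = caller(account);
        assert!(object::is_owner(vault, who), E_NOT_OWNER);
        let v = borrow_global_mut<Vault>(object::object_address(&vault));
        v.balance = v.balance - amount;
    }
}
```

When reviewing, list every entry function that takes both a `&signer` and an `Object<T>` and confirm each one has an `is_owner` (or equivalent) assertion between the two before any state change; the grouped entry points the earlier post praises make that list quick to build.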
A reminder to not trust LLMs.
I was doing some Move auditing today and it told me that references to an Object can only be accessed by certain actors. Not true in that case. The object could’ve been accessed by anyone.
It is fine to use them, only if you know how to verify…
I have decided to take the use of LLMs out of my workflow almost completely. I have realised how dependent I have grown to be on them and this has to stop.
I will only use them when I have exhausted Google search and for basic web searches using Grok.
Something I didn’t know you can do.
If you go on the block explorer and the contract is verified you can download or view, through VSCode online, the code and its dependencies.
Maybe something basic but I had no idea. Usually when you audit you do your PoCs through the test…