Josselin Feist
Joined January 2010
- Today was my last day at @trailofbits. After 8 amazing years, I decided it was time for me to do something different. Over the years, I have learned so much working there — from a technical standpoint, where I worked on all layers of blockchain security (L1/L2, DeFi, bridges,
- (Personal update, so skip if you are only interested in technical content) At the beginning of the year, I decided to leave ToB. It was not an easy choice. I was in a comfortable position, but it felt like time for a change. Usually, someone with my experience would go for a
- I have been looking at @aave v4 over the past weeks. The new hub <> spoke architecture is neat: it makes the code simpler and improves isolation. aave.com/blog/understan… They now use explicit rounding directions in all operations, which reduces risks and should be a standard
- My main takeaway from the recent rounding hacks is that every incorrect rounding needs to be considered a bug. Most of them are not exploitable, or not even vulnerabilities, but they are still bugs. Think of it as: bug → vulnerability → exploit. Every exploit starts from a
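The two posts above talk about "explicit rounding directions" and about treating every wrong rounding as a bug. The following is an added example written for this page; it is not Aave's, Trail of Bits', or the author's code. It models a hypothetical ERC-4626-style vault in plain Python integer arithmetic: every share/asset conversion names its rounding direction (down when minting shares or paying out assets, up when computing shares to burn), and a `favour_caller` flag flips one of those directions to show how a one-wei-per-call rounding error turns into extractable value. The vault numbers and the `extract_for_free` routine are constructed for the illustration.

```python
"""Added example: explicit rounding directions in vault share/asset math.

Hypothetical ERC-4626-style vault (not Aave or Trail of Bits code). The
rule is: always round against the caller and in favour of the pool. The
``favour_caller`` flag deliberately breaks that rule for one conversion
so the consequence can be measured.
"""
from typing import Tuple


def mul_div_down(a: int, b: int, d: int) -> int:
    """floor(a * b / d) with exact integer arithmetic."""
    if d == 0:
        raise ZeroDivisionError("denominator is zero")
    return (a * b) // d


def mul_div_up(a: int, b: int, d: int) -> int:
    """ceil(a * b / d); equals mul_div_down only when there is no remainder."""
    if d == 0:
        raise ZeroDivisionError("denominator is zero")
    n = a * b
    return n // d + (1 if n % d else 0)


class Vault:
    """Toy vault holding ``total_assets`` backing ``total_shares``."""

    def __init__(self, total_assets: int, total_shares: int,
                 favour_caller: bool = False) -> None:
        self.total_assets = total_assets
        self.total_shares = total_shares
        # Hypothetical bug switch: rounds burned shares DOWN instead of UP.
        self.favour_caller = favour_caller

    def shares_for_deposit(self, assets: int) -> int:
        # Shares minted for assets in: round DOWN (caller gets no free dust).
        return mul_div_down(assets, self.total_shares, self.total_assets)

    def shares_for_withdraw(self, assets: int) -> int:
        # Shares burned for assets out: round UP, so a caller can never take
        # out assets worth more than the shares they give up.
        rnd = mul_div_down if self.favour_caller else mul_div_up
        return rnd(assets, self.total_shares, self.total_assets)

    def withdraw(self, assets: int, caller_shares: int) -> Tuple[int, int]:
        """Pay out ``assets``; returns (assets_out, shares_burned)."""
        burned = self.shares_for_withdraw(assets)
        if burned > caller_shares or assets > self.total_assets:
            raise ValueError("insufficient balance")
        self.total_assets -= assets
        self.total_shares -= burned
        return assets, burned


def extract_for_free(vault: Vault, attempts: int) -> int:
    """Withdraw 1 wei per call while holding zero shares.

    Returns the total assets obtained; stops at the first call that would
    require burning a share. With correct (round-up) accounting this is 0.
    """
    gained = 0
    for _ in range(attempts):
        try:
            assets_out, _burned = vault.withdraw(1, caller_shares=0)
        except ValueError:
            break
        gained += assets_out
    return gained


if __name__ == "__main__":
    # Constructed numbers: 1000 assets backing 100 shares (10 assets/share).
    print("correct rounding:", extract_for_free(Vault(1000, 100), 10_000))
    print("caller-favouring:", extract_for_free(Vault(1000, 100, True), 10_000))
```

With the pool at 1000 assets / 100 shares, withdrawing 1 wei is worth 0.1 share. Rounding the burned amount up charges 1 share, so a caller with no shares is rejected immediately. Rounding it down charges 0 shares, and the loop keeps draining 1 wei per call until the pool is down to 100 assets, at which point 1 wei finally rounds to a full share: 900 assets leave the vault against zero shares. Each individual call is a "harmless" one-wei rounding error; the bug, not the exploit, is what the code review has to catch.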
- If you want to learn fuzzing, watch our 10+ hours workshop: youtube.com/watch?v=QofNQx… You will learn how to set up a fuzzer, define invariants & tackle complex systems. Ready to upskill your team? We offer invariant development as a service: trailofbits.com/services/softw…
- If you're not sure about the root cause of an exploit, there's a simple solution: don't tweet. I get that everyone wants to be first, but it will hurt your credibility and it won't help anyone to spread wrong analyses.
- I love the positive relationships among blockchain sec competitors. I always have great discussions with the folks from @dedaub . The people from @ConsensysAudits are always easy to talk to. @chain_security even invited us to a dinner during EthCC. However, I am seeing an
- Some of my best chats about security, tooling, and career growth happen casually at conferences. I'm opening a calendar slot to recreate that vibe online. No pitches, no business proposals, just genuine discussion. If you want to pick my brain on anything: calendar.app.google/3XYr7MsSyekpzT…
- Might be a hot take, but “More audits, contests, or bigger bounties” is not always the best advice. What protocols often need the most is internal security. A 7-figure bounty w/o in-house expertise is inefficient. External help is great, but you can’t outsource all your security
- Announcing W3ST: Web3 Security Tools Seminar at @EFDevcon. A small, technical event for builders of blockchain security tools. Details and CFP:
- As a general rule, comparing security reports by the number or severity of findings is about as meaningful as comparing them by page count. Every team has its own categorization standards. I have seen “medium” issues flagged for things I would consider informational, or that I