Zellic
@zellic_io
Security reviews and research that keep winners winning. We apply unmatched hacking talent to secure critical software for the most innovative teams.
Joined November 2021
Posts
  • Pinned: Want to learn deep Web3 security knowledge written by the best hackers in the world? Here's a Twitter thread of interesting Twitter threads the Zellic team has written! 👇🧵
  • Bad auditors miss obvious bugs. We built an AI tool that finds them. Introducing V12: the only autonomous Solidity auditor that actually finds Highs and Criticals. We'll be releasing it for free. V12 finds Crits in Zellic audits, Highs/Mediums in Cantina, and a bug in Pendle.
  • In one of our recent engagements with a customer, we were asked to audit some code which depended on BokkyPooBah's DateTime library. The contract calculates the day of the month from block.timestamp, and it does this to ensure an operation happens only up to once a month.
  • We're proud to announce that we've acquired @code4rena! Code4rena is the gold standard for competitive audits, and we're thrilled to join forces with them. We acquired Code4rena for one simple reason: because it enables us to do better audits for our clients. Here's how. 🧵👇
  • We retrieved every contract on Ethereum. Along the way, we found the exact date when 16,000 unique contracts were deployed (the most in one day), the EOA with the most deployed contracts (2.9M), and much more. This is how we did it. 🧵 (Spoiler: it's 69,788,231 contracts!)
  • A billion dollar bug: How Zellic found and fixed a critical security vulnerability affecting all Move L1s, including Aptos, Sui, Starcoin, and 0L. This bug violated Move's core security properties and would've broken many smart contracts, e.g. flash loans! Read more: 👇🧵
  • 1/ Nomad was just hacked for $190M, making it the 5th largest DeFi hack of all time. How did this happen? We break down not just the exploit, but also HOW THE VULNERABILITY WAS INTRODUCED IN THE FIRST PLACE. Understanding bugs isn't enough. We need to stop merging them. 👇
  • BLS signatures are everywhere, from Ethereum's consensus to EigenLayer. But it's easy to use them wrong. What are BLS signatures? Let's talk about the right way and the wrong way to use them:
  • How to spot misleading audit competition metrics. Competitions are crowdsourced audits, where auditors compete to find bugs in a set timeframe. Last year, we acquired @code4rena, which does these. We've also seen tons of misleading sales pitches. Here's what to watch out for: 🧵
  • Signal has rolled out usernames, meaning users can now use the app while keeping their phone numbers private. This enhanced level of privacy was achieved through the use of Ristretto hashes and zero-knowledge proofs. We wanted to take a deeper look into how these two
  • You're probably using WebViews wrong. There are a million ways to use a WebView wrong. Properly securing a WebView is hard. In this thread, we'll cover common vulnerabilities in wallet WebView implementations and the ways to properly secure WebViews.
  • The dangers of integer truncation: How the Zellic team found a critical vulnerability in the @AstarNetwork. This bug allowed an attacker to drain certain LP contracts on the Astar-EVM, with no bugs required in the contracts. Read more: 🧵👇
  • We're proud to announce that Code4rena contests will be free (no fees), starting today! We acquired Code4rena to deliver better security for our clients. Now we want everyone to have that. Audit contest platforms should exist to serve the ecosystem, not to extract from it.
    Code4rena will run audit contests for free, as public goods. 100% of funds from sponsors will go directly to auditors and judges. We won't take any cut. Why? 1. Competitions are commodities. They're CRUD apps. Why should builders pay a premium for a website just to submit bugs?