Giovanni Di Siena
@81k
Ah sheesh, just been followed back by @horsefacts.eth so guess that means I finally have to take cross-posting to Farcaster seriously… We at @cyfrin have been cooking recently. Here’s a juicy one I posted recently regarding the current Uniswap Foundation Security Fund private audit I’m working on 👇
1 reply
0 recast
2 reactions
Giovanni Di Siena
@81k
Last week I worked with Draiakoo on a single* mainnet PoC that stole $400k+. Executed across all possible targets, the vulnerability could have easily drained multiple millions of dollars in TVL. While quite (very) stressful at the time, the reality of the situation has only just properly hit me. It’s one thing running forge test but a completely different perspective when you step back to really think about it. *single root cause but we actually found two different routes to the same attack
1 reply
0 recast
1 reaction
Giovanni Di Siena
@81k
We as security researchers are so used to seeing huge numbers without any anchor to reality that it’s all too easy to get caught up in counting fixed point decimals rather than actually deeping the true significance of the amount displayed onscreen. But this is real life, and that really is millions of dollars in value ripe for the taking! Right this second!! Wtf?!!!! A blackhat running the exact same code? Instant payday. They don’t care that it’s 4am and you’re so tired that you can’t type a message straight. You could go to sleep and it could all be gone by the time you wake up. It’s truly wild to think about.
1 reply
0 recast
0 reaction
Giovanni Di Siena
@81k
I couldn’t have asked for a better teammate in my first experience of a live critical vulnerability disclosure. Big props to Draiakoo for being an absolute beast! Watching him work can only be described as masterful and I’m excited for us to share the finer details of the attack as soon as possible. A couple million down, here’s to securing multiple millions more in the future! That said, I honestly don’t know how the _SEAL_Org chads do it. My heart could never.
0 reply
0 recast
0 reaction
