Alex the Entreprenerd

@entreprenerd

34 Following

25 Followers

Alex the Entreprenerd pfp

Alex the Entreprenerd

After 2 years of reviews with Spearbit, I’ve finally been promoted to the highest rank of Lead Security Researcher!

10 replies

4 recasts

81 reactions

Alex the Entreprenerd pfp

Alex the Entreprenerd

I’ve collected a few high signal videos and resources to help founders prevent exploits in: - Smart Contracts - Web2 (phishing, social media account takeover, impersonation) - Governance (private key loss) They are all here: https://book.getrecon.xyz/opsec/main.html

0 reply

0 recast

0 reaction

Alex the Entreprenerd pfp

Alex the Entreprenerd

Secureum Workshop on using Foundry and Echidna for Stateless and Stateful Fuzzing to find bugs: https://www.youtube.com/watch?v=3A7aa5B8aak

0 reply

0 recast

0 reaction

Alex the Entreprenerd pfp

Alex the Entreprenerd

I went live with Shafu to talk about the Recon Extension for invariant testing - Write foundry tests - Run powerful tools like Echidna, Medusa and Halmos - Instantly debug with Foundry repros https://youtu.be/Sl2rz-y8_xg?si=493TxC-P3IDXNEp_

0 reply

0 recast

0 reaction

Alex the Entreprenerd pfp

Alex the Entreprenerd

What would it take for you to use another tool over foundry?

0 reply

0 recast

1 reaction

Alex the Entreprenerd pfp

Alex the Entreprenerd

Solidity HTTP Make HTTP requests written in solidity in your foundry code

0 reply

0 recast

1 reaction

Alex the Entreprenerd pfp

Alex the Entreprenerd

Bugs like rounding errors are easy to detect and hard to escalate into crits Bugs like silent overflows are harder to detect but easy to escalate Every bug is easier to find with different techniques That’s why you should try all and use what works for you

0 reply

0 recast

0 reaction

Alex the Entreprenerd pfp

Alex the Entreprenerd

Bugs like rounding errors are easy to detect and hard to escalate into crits Bugs like silent overflows are harder to detect but easy to escalate Every bug is easier to find with different techniques That’s why you should try all and use what works for you

0 reply

0 recast

4 reactions

Alex the Entreprenerd pfp

Alex the Entreprenerd

One weird trick to cut your audit cost by half - Write as much of your code as Stateless functions - Run Fuzzers and Formal tools on them Auditor can quickly verify their behaviour and “take them for granted”, or quickly find mistakes in your logic State is a hidden input

0 reply

0 recast

2 reactions

Alex the Entreprenerd pfp

Alex the Entreprenerd

Recon is sponsoring this months editions of BlockThreat!

0 reply

0 recast

0 reaction

Alex the Entreprenerd pfp

Alex the Entreprenerd

Did you know you can run the same tests you wrote for foundry, with Echidna (Concrete Fuzzer) and Halmos (Formal Verification), with zero code changes? Safer code and zero extra work Here’s the demo you can try today! https://x.com/getreconxyz/status/1903129678447251714?s=46

0 reply

0 recast

0 reaction

Alex the Entreprenerd pfp

Alex the Entreprenerd

Did you know you can run the same tests you wrote for foundry, with Echidna (Concrete Fuzzer) and Halmos (Formal Verification), with zero code changes? Safer code and zero extra work Here’s the demo you can try today! https://x.com/getreconxyz/status/1903129678447251714?s=46

0 reply

0 recast

0 reaction

Alex the Entreprenerd pfp

Alex the Entreprenerd

Did you know you can run the same tests you wrote for foundry, with Echidna (Concrete Fuzzer) and Halmos (Formal Verification), with zero code changes? Safer code and zero extra work Here’s the demo you can try today! https://x.com/getreconxyz/status/1903129678447251714?s=46

0 reply

0 recast

0 reaction

Alex the Entreprenerd pfp

Alex the Entreprenerd

Did you know you can run the same tests you wrote for foundry, with Echidna (Concrete Fuzzer) and Halmos (Formal Verification), with zero code changes? Safer code and zero extra work Here’s the demo you can try today! https://x.com/getreconxyz/status/1903129678447251714?s=46

0 reply

0 recast

1 reaction

Alex the Entreprenerd pfp

Alex the Entreprenerd

Another phishing exploit causes $8 MLN in losses I’m seeing the same mistakes being repeated every 6 months For this reason I hosted a 2 Hour event on how to safely manage Multisigs Please just follow the advice we laid out in this video and share it with all new founders Phishing exploits need to stop https://x.com/getreconxyz/status/1885249716386226572?s=46

0 reply

0 recast

3 reactions

Alex the Entreprenerd pfp

Alex the Entreprenerd

Another phishing exploit causes $8 MLN in losses I’m seeing the same mistakes being repeated every 6 months For this reason I hosted a 2 Hour event on how to safely manage Multisigs Please just follow the advice we laid out in this video and share it with all new founders Phishing exploits need to stop https://x.com/getreconxyz/status/1885249716386226572?s=46

0 reply

0 recast

0 reaction

Alex the Entreprenerd pfp

Alex the Entreprenerd

Quite a few researchers reached out to ask me more details about this bug Would you want me to post a full breakdown?

0 reply

0 recast

0 reaction

Alex the Entreprenerd pfp

Alex the Entreprenerd

It is my pleasure to finally release the Bold Audit Report This is the result of a 3 weeks solo review were I had spent a considerable amount of time looking at the batch rebasing logic This resulted in one of the most interesting crits you’ll see, complete with POC that made it into the Bold repo On the design side, one my favourite contribution has been introducing Bid and Ask pricing for Borrowing vs Redemptions to combat arbitrages I open sourced the full repo, giving you a glimpse into my actual process, with hundreds of notes that never made it in the final report https://github.com/GalloDaSballo/bold-review

1 reply

0 recast

3 reactions

Alex the Entreprenerd pfp

Alex the Entreprenerd

Compiling all the Liquity related work I’ve done over the years I have worked with many Liquity V1 and V2 forks as well as the Bold team for their Liquity V2 and their Governance Repository Security Advisories: - Liquity V1 - Tellor - Yeti Finance - Ethos Reserve Developers: - eBTC (Bitcoin themed Liquity V1 Fork) - Liquity Governance V2 Invariant Testing: - Bold (private) - Quill Finance - REDACTED Finance - REDACTED Manual Review V2: - Bold (private) - Quill (LINK) - REDACTED (SOON) - REDACTED (SOON) Manual Review V1: - thUSD (Threshold) - eBTC (developer and internal reviewer) - Ethos Reserve - Apollon (SEI V1 Fork) Economic Intel: - Quill (Economic Review that resulted in introducing borrow caps) - REDACTED (Economic Review that resulted in adding redemption fees and changing caps logic) - REDACTED (Economic Review that resulted in changing oracle config) - eBTC (Economic Review and sims to help determine risk parameters, validated by Risk DAO Contests: - Raft - Yeti - Ethos Reserve

0 reply

0 recast

0 reaction

Alex the Entreprenerd pfp

Alex the Entreprenerd

Join us on the bleeding edge of reverse engineering the EVM for Security Research All tools mentioned are open source and free to use - WhatsAbi - the easiest way to get abis - Evmole - the most thorough tool to get abi and cfg - Heimdall - can give you decompiled solidity off of bytecode In the video we: - Show each tool, demo it and talk about the key code snippets making it work - Answer a ton of questions on grabbing data from onchain - Reverse engineer the Bybit exploit contract with these tools This was a unique event, hopefully you’ll enjoy! https://x.com/getreconxyz/status/1893707255977324960?s=46

0 reply

1 recast

3 reactions