
handsome

@wizard

20 Following
26 Followers


woj ツ
@woj.eth
getting to this screen only takes 20 mins these days the crypto dev tools have gotten insanely good
4 replies
2 recasts
19 reactions

horsefacts
@horsefacts.eth
I wrote a short post on account abstraction wallet security for @code4rena. It was great to take a deeper look at the spec. Wallets are critical and it’s important to get them right, but I’m excited for 4337. https://medium.com/code4rena/smart-account-security-69b544c0da86
5 replies
4 recasts
20 reactions

handsome
@wizard
The notifications from bots/scams on Twitter/X are getting out of hand. Feels like Elon Musk truly lost control. Going to be more active on warp going forward
0 reply
0 recast
0 reaction

handsome
@wizard
Prices from on-chain oracles are calculated based on underlying assets in a liquidity pool. Low volume/liquidity pools are highly sensitive to injection of capital -- and are often targets of price manipulation hacks.
0 reply
0 recast
0 reaction

handsome
@wizard
On-chain oracles like @Uniswap V3 provide price data that is sourced entirely on chain. Data is calculated using TWAP (time-weighted average price). While these are the most decentralized and trustless, they are also highly prone to manipulation. Why?
0 reply
0 recast
0 reaction

handsome
@wizard
@WeAreTellor is a decentralized oracle which works on the optimistic principle of 'true until proven false'. As shared in my Day 3 post, it is susceptible to manipulation IF its mechanics are not well understood; time is needed for false data to be challenged and rejected.
0 reply
0 recast
0 reaction

handsome
@wizard
@chainlink is the most widely used oracle but is considered 'centralized' as data feeds are provided by a group of node operators communicating with each other through OCR (Off-chain Reporting). Price feeds are reliable assuming operators do not collude.
0 reply
0 recast
0 reaction

handsome
@wizard
🔥 Day 4 of #30daysweb3security @Web3SecurityDAO Today I continued my deep dive into the different types of Oracles and their pros/cons 🧵
4 replies
0 recast
0 reaction

handsome
@wizard
Instead, BonqDao should have taken prices that had a slight delay of 15-30 mins, to confirm that the price data is true. I'll be reading up and sharing about the different types of oracles, and the issues around using them, in the days ahead!
0 reply
0 recast
0 reaction

handsome
@wizard
They should not have used Tellor's no-dispute, instant price -- where an attacker could provide fake data and have BonqDao instantly use it. As an optimistic oracle, time is needed for the system to challenge and reject the false price. This was a known bug reported by Liquity
0 reply
0 recast
0 reaction

handsome
@wizard
Hackers were able to manipulate the Tellor oracle by providing an erroneous price feed and artificially increasing the price of a token -- and then borrowing and draining millions from BonqDao. What could BonqDao have done?
0 reply
0 recast
0 reaction

handsome
@wizard
🔥 Day 3 of #30daysweb3security @Web3SecurityDAO Today I learnt about the recent hack at @BonqDAO due to oracle price manipulation 🧵
3 replies
0 recast
1 reaction
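The "take prices with a delay" mitigation from the Day 3 thread, and the "time is needed for false data to be challenged" point from the Day 4 thread, as an added example that is not from the original casts or from Tellor. The ITellorLike interface is a minimal stand-in modelled on Tellor's getDataBefore; its exact signature, the 20-minute buffer and the 24-hour staleness limit are assumptions for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal interface modelled on Tellor's getDataBefore(queryId, timestamp).
// The exact signature is an assumption for this example; check the
// UsingTellor version you actually deploy against.
interface ITellorLike {
    function getDataBefore(bytes32 queryId, uint256 timestamp)
        external view returns (bytes memory value, uint256 timestampRetrieved);
}

// Consumer that never reads the newest (instant, undisputed) report.
// It asks for the newest value that is at least DISPUTE_BUFFER old, so a
// false submission has had time to be challenged and removed before it is
// ever used as collateral pricing.
contract DelayedPriceConsumer {
    ITellorLike public immutable tellor;
    bytes32 public immutable queryId;

    // Inside the 15-30 min window suggested in the thread (assumed value).
    uint256 public constant DISPUTE_BUFFER = 20 minutes;
    // Reject values nobody has refreshed for a long time (assumed value).
    uint256 public constant MAX_STALENESS = 24 hours;

    constructor(address _tellor, bytes32 _queryId) {
        tellor = ITellorLike(_tellor);
        queryId = _queryId;
    }

    function getPrice() public view returns (uint256 price) {
        // Newest report whose timestamp is <= now - buffer.
        (bytes memory value, uint256 reportedAt) =
            tellor.getDataBefore(queryId, block.timestamp - DISPUTE_BUFFER);

        require(reportedAt != 0, "no price available");
        // Too old is as dangerous as too new: refuse to price on a dead feed.
        require(block.timestamp - reportedAt <= MAX_STALENESS, "stale price");

        price = abi.decode(value, (uint256));
        require(price != 0, "zero price");
    }
}
```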

handsome
@wizard
3. Reading from storage is expensive! If we write to a local variable, then update storage at the end, we can save some gas. See before and after below! p.s. but doing this does increase contract size https://i.imgur.com/Q5EIrFT.png
0 reply
0 recast
0 reaction

handsome
@wizard
2. For JS peeps, don't use <= or >=. It is more gas intensive because it checks if values are less than AND also checks for equality. Instead, use totalSupply < 1001 instead of totalSupply <= 1000!
0 reply
0 recast
0 reaction

handsome
@wizard
🔥 Day 2 of #30daysweb3security @Web3SecurityDAO Today I learnt THREE interesting gas saving tips 🧵: 1. Changing a uint from zero to non-zero costs 20k gas, but only 5k gas when changed from non-zero to non-zero. So, start your NFT totalSupply from 1 instead of 0!
2 replies
0 recast
0 reaction
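The three Day 2 tips in one place, as an added example (not the image linked in the thread and not anyone's production code): totalSupply initialised to 1, a strict < against a constant one higher than the cap, and a batch mint that caches the counter in a stack variable instead of touching storage on every iteration. The contract, its names and the 1000-token cap are assumptions for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

contract GasTips {
    // Tip 1: start at 1 so the first mint's SSTORE is non-zero -> non-zero
    // (5k) instead of zero -> non-zero (20k). Token ids therefore start at 1.
    uint256 public totalSupply = 1;

    // Tip 2: compare with strict < against (cap + 1) rather than <= cap.
    uint256 public constant MAX_ID_PLUS_ONE = 1001;

    mapping(uint256 => address) public ownerOf;

    // BEFORE (tip 3): totalSupply is read and written on every iteration,
    // which typically costs an SLOAD and an SSTORE per token minted.
    function batchMintBefore(address to, uint256 amount) external {
        for (uint256 i = 0; i < amount; i++) {
            require(totalSupply < MAX_ID_PLUS_ONE, "sold out");
            ownerOf[totalSupply] = to;
            totalSupply++;
        }
    }

    // AFTER (tip 3): one SLOAD up front, arithmetic on the stack inside the
    // loop, one SSTORE at the end. Behaviour is identical to batchMintBefore.
    function batchMintAfter(address to, uint256 amount) external {
        uint256 id = totalSupply;              // single storage read
        for (uint256 i = 0; i < amount; i++) {
            require(id < MAX_ID_PLUS_ONE, "sold out");
            ownerOf[id] = to;
            id++;                              // stack only
        }
        totalSupply = id;                      // single storage write
    }
}
```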

handsome
@wizard
So how? Implement a reentrancy guard if using _safeMint; or don't use _safeMint at all (if you don't expect contracts to be minting) and even save some gas with _mint. 🔥
0 reply
0 recast
0 reaction

handsome
@wizard
_safeMint checks whether the receiver can receive ERC721 tokens (i.e. receiver is not a contract). However, this creates a reentrancy loophole due to the onERC721Received callback, where an attacker can mint more tokens - before a check is performed.
0 reply
0 recast
0 reaction

handsome
@wizard
🔥 Day 1 of #30daysweb3security @Web3SecurityDAO Follow me on my 30-day journey in Web3 security! Today, I learnt about the dangers of using _safeMint over _mint 🧵
2 replies
0 recast
0 reaction
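The _safeMint reentrancy pattern from the Day 1 thread, shown as a vulnerable contract beside a hardened one. This is an added example, not code from the casts or from OpenZeppelin; the per-wallet cap, contract names and OpenZeppelin 5.x import paths are assumptions for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import "@openzeppelin/contracts/token/ERC721/ERC721.sol";
import "@openzeppelin/contracts/utils/ReentrancyGuard.sol";

// VULNERABLE: the per-wallet cap is checked before _safeMint but the
// counter is only updated after it. When the receiver is a contract,
// _safeMint calls its onERC721Received callback, which runs while
// minted[msg.sender] still holds the old value and can call mint() again.
contract VulnerableMint is ERC721 {
    uint256 public constant MAX_PER_WALLET = 1;
    uint256 public totalSupply;
    mapping(address => uint256) public minted;

    constructor() ERC721("Vuln", "VULN") {}

    function mint() external {
        require(minted[msg.sender] < MAX_PER_WALLET, "cap reached");
        totalSupply++;
        _safeMint(msg.sender, totalSupply);   // external call into receiver
        minted[msg.sender]++;                 // effect happens too late
    }
}

// HARDENED: both fixes from the thread. nonReentrant rejects the nested
// call outright, and the counter is updated before the external call
// (checks-effects-interactions) so the cap holds even without the guard.
// If contract receivers are not expected, _mint (no callback) can replace
// _safeMint and save the callback's gas as well.
contract HardenedMint is ERC721, ReentrancyGuard {
    uint256 public constant MAX_PER_WALLET = 1;
    uint256 public totalSupply;
    mapping(address => uint256) public minted;

    constructor() ERC721("Safe", "SAFE") {}

    function mint() external nonReentrant {
        require(minted[msg.sender] < MAX_PER_WALLET, "cap reached");
        minted[msg.sender]++;                 // effect before interaction
        totalSupply++;
        _safeMint(msg.sender, totalSupply);
    }
}
```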

handsome
@wizard
I've always felt games like World of Warcraft were an early representation of the Metaverse. Used to enjoy just logging in and spending time in that world. With NPCs that can hold a conversation -- that would take it into a whole different level 🔥
0 reply
0 recast
0 reaction

handsome
@wizard
Loving farcaster so far (no pun intended).. but why is it in a standalone app instead of a browser site?
0 reply
0 recast
0 reaction