🐸 #Blockend Engineer & Advocate 🥑
🏋️♂️Lover of all things smart contracts 🐍
🌲 linktr.ee/PatrickAlphaC 🌴
Views are my own.
Ooo. Looks like if you transfer your lens NFT to a new address, it removes everyone you're following?
IT'S FINALLY HERE
🎊🎉🎊🎉🎊🎉🎊🎉🎊🎉🎊🎉
The Ultimate, Learn Blockchain Development, Solidity, AI-Powered Smart Contract Course | Foundry Edition sponsored by @CyfrinAudits!
🎊🎉🎊🎉🎊🎉🎊🎉🎊🎉🎊🎉
Here is everything you'll learn from this course, and more 👇
You can find parts 1 - 3 (A new YouTube cap of 12 hours means I had to split it up!)
🔗 Here's a link to part 1 of the course, with parts 2 and 3 on my YouTube.
After 2+ months of pouring every ounce of information into a video, this is where we have arrived - with 27+ hours of pure KNOWLEDGE.
www.youtube.com/watch?v=umepbfKp5rI
As many of you know, I've made a monster course every year for the past 3 years, dumping all my knowledge into a video so we can bring everyone in web3 up to speed quickly.
We chose Foundry this year because it is becoming the go-to tool for smart contracts and security researchers alike.
Here is a link to the entire course curriculum.
github.com/Cyfrin/foundry-full-course-f23
The best part of this year is that, since the course is in pure Solidity, there are absolutely ZERO prerequisites, meaning anyone can take the course no matter where you are in your journey!
Additionally... We will teach you advanced AI prompting techniques so you can get up to speed FASTER THAN EVER BEFORE.
I can say with assurance that if you're looking to get started in Web3, Solidity, or become a blockchain developer, this is 100% the place to go.
I've poured my soul into this content, and we've been able to help thousands of developers in the past, with many developers surpassing me at their skill of smart contract development.
Here are some of the technologies, industries, and groups we will teach you:
And SO much more!
🔁 ❤️ Please smash this tweet with a like and a retweet so we can bring web3 and blockchain to the masses by ushering in the next generation of smart contract engineers.
And in case you missed it, here is the link to the video again.
Good luck, have fun, let's make the second half of this year for the builders & devs of the space.
Go Web3!!!!!
🦾🦾🦾🦾🦾🦾🦾
🚨 The secret to finding CRIT vulnerabilities easily is...
🐈 Fuzz Tests
(Sometimes known as invariant tests in Foundry)
Fuzz Testing or Fuzzing is when you supply random data to your system to break it.
There are two kinds of Fuzzing:
💨 Stateless Fuzzing: Fuzzing/Fuzz Testing where the state of a previous run is discarded for the next run.
🧱 Stateful Fuzzing: The state of our previous fuzz run is the starting state of our next fuzz run.
To see me do a breakdown of these concepts in video and all my balloon nonsense, be sure to watch my video or read my blog on the topic too!
www.youtube.com/watch?v=juyY-CTolac
Stateless fuzzing is often easier and faster to set up, while stateful fuzzing is really what you want to aim for.
But before you go write your fuzz tests, you need to understand your system's "invariants" or "properties".
Invariant: The property of the system that should always hold.
Only then can you attempt to throw random stuff at your code to break it.
In DeFi an invariant might be:
Can't withdraw more than staked
Reserve balance must always be higher than debt, etc
Now it's impossible for a fuzzer to go through every scenario, so understanding how the random number selection is done is crucial.
@trailofbits' Echidna, combined with their symbolic execution tool Maat, does a fantastic job at using math to find breaking points with fuzzing.
At @CyfrinAudits we use this method to find vulnerabilities quickly, and recommend all developers implement them, even before going to audit!!
Understand your invariants
Write stateful fuzz tests for them
Don’t go to an audit before you've done this.
If you do, ensure your auditors help you understand your invariants!
Let's stay safer out there Web3!
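As an added illustration (not code from the course or this thread), here is a minimal Foundry test file that does both kinds of fuzzing against a hypothetical ETH staking vault, using the "can't withdraw more than staked" invariant from above. The `Vault`, `Handler` and function names are assumptions for this example; `testFuzz_` and `invariant_` are Foundry's real naming conventions and `forge test` runs both.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;
import {Test} from "forge-std/Test.sol";

// Hypothetical ETH staking vault, written for this example only.
contract Vault {
    mapping(address => uint256) public staked;
    uint256 public totalStaked;
    function stake() external payable {
        staked[msg.sender] += msg.value;
        totalStaked += msg.value;
    }
    function withdraw(uint256 amount) external {
        require(staked[msg.sender] >= amount, "insufficient stake");
        staked[msg.sender] -= amount;
        totalStaked -= amount;
        (bool ok,) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}

// Stateless fuzz: each run starts from a fresh Vault; Foundry randomizes the arguments.
contract VaultFuzzTest is Test {
    Vault vault;
    function setUp() public { vault = new Vault(); }
    function testFuzz_CannotWithdrawMoreThanStaked(uint96 deposit, uint96 amount) public {
        vm.deal(address(this), deposit);
        vault.stake{value: deposit}();
        if (amount > deposit) vm.expectRevert(bytes("insufficient stake"));
        vault.withdraw(amount); // withdrawn ETH lands in receive() below
    }
    receive() external payable {}
}

// Handler: bounds the random calls so the stateful fuzzer explores valid sequences instead of reverting on unfunded or oversized calls.
contract Handler is Test {
    Vault public vault;
    constructor(Vault v) { vault = v; }
    function stake(uint96 amount) external { vm.deal(address(this), amount); vault.stake{value: amount}(); }
    function withdraw(uint256 amount) external { vault.withdraw(bound(amount, 0, vault.staked(address(this)))); }
    receive() external payable {}
}

// Stateful fuzz: state carries over between random Handler calls, and Foundry checks every invariant_ function after each call.
contract VaultInvariantTest is Test {
    Vault vault;
    function setUp() public { vault = new Vault(); targetContract(address(new Handler(vault))); }
    function invariant_BalanceCoversStake() public view {
        assertGe(address(vault).balance, vault.totalStaked()); // vault can always pay everyone out
    }
}
```

If a change to `Vault` ever lets `totalStaked` exceed the ETH actually held, the invariant run reports the exact call sequence that got there, which is the "breaking point" the thread is after.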
🌪️ What's happening with Tornado Cash and Coinbase is STILL one of the most important battles happening today in Web3.
Let me explain, or just watch my video.
www.youtube.com/shorts/6QI5WjaW8Zo
Imagine a world where all governments ban using crypto.
Sure we can go prohibition style, but people already drank then, we haven't even brought Web3 to the masses!
We need to make it EASIER not HARDER to get into Web3.
T-Cash is a privacy-preserving protocol, and as the @coinbase-backed motion says, it violates freedom of speech and isn't even a sanctionable entity.
We would like them to undo this ban yes? Ok well then we need someone to fight it.
So is anyone showing up?
NO! Most of Web3 won't touch this with a 10-foot pole, and a TON of protocols and groups started banning T-Cash-related stuff because they were terrified the SEC would come after them.
I had blogs reject some of my posts due to their fear!
Coinbase is showing up.
Some are saying they have ulterior motives.
Frankly, I don't care. I'm happy we have someone fighting.
And if they have something nefarious planned we can hunger games them after they win.
I'm not sure how else to help other than vote and email my senators (to which @SenWarren and @EdMarkey have given me "hey sorry we too busy" answers)
So I decided to paint myself blue to call attention to it.
Let's go Coinbase.
Over the next decade, demand for knowledge workers will continue to diminish.
But not at the highest level.
Education is still critical, and AI will augment our learning journeys.
👇 Let me explain.
For the next decade (maybe shorter), you can think of AI as "statistics on steroids."
It is constantly predicting responses based on all the data it has been fed previously.
Knowing this, the flaw becomes apparent. At this time in history, AIs have a hard time with situations they have never seen before.
In 2016, AI was said to have surpassed human Go players by defeating the world Go champions.
However, just this year, some amateurs decided to try to beat these top bots by making "poor" moves the AI had never seen before, and they were able to consistently win 14/15 games.
arstechnica.com/information-technology/2023/02/man-beats-machine-at-go-in-human-victory-over-ai/
Stanford Artificial Intelligence Research in Education (AIRE) director Dr. Li Jiang says:
"Humans are better at zero to one"
Knowing this, we need to continue to focus on education because we need to be the ones to push AI into the next phase, where it can be better than humans at creating things that have never been seen before.
Want to learn the exact process Damn Vulnerable DeFi creator Tincho uses to audit a smart contract?
I bet you do.
You see exactly how a professional auditor works in this video!
For the next few weeks we at the ⛨ Cyfrin team will be streaming a LIVE web3 solidity audit from a paid protocol.
As far as we know, this has never been done before.
For those of you looking to follow along to see an end-to-end audit as it happens LIVE here are the details you need to know 👇
🐸️ 1. You can follow along and watch me and our team at @CyfrinAudits work over the next few weeks here on Twitch.
I will do my best to stream everything I can. This is undeployed code, so we shouldn't find any live exploitable issues. Sometimes, I will need to turn off the camera, but I'll try to stream as much as possible so you can see the inner workings.
⛲️ 2. We will be working on the @BeanstalkFarms's new Wells implementation.
As you already know, decentralized stablecoins are essential to the success of web3 and DeFi, and especially as we've seen over this past week, the "decentralized" aspect of a stablecoin is more important than ever.
💰 If you're unfamiliar with stablecoins, be sure to watch this video I made a few months back.
www.youtube.com/watch?v=pciVQVocTYc
👯♂️ 3. We will not be working alone!
Teamwork makes the dreamwork.
1 auditor == 1 person of work
2 auditors == 4 people of work
Bouncing ideas off each other aggressively is important, and we will do this in the stream. We at Cyfrin have many idea boards which I won't show on stream, but I'll say when I'm dropping an idea on the board.
🫘 4. We will not be working alone (part 2!)
A private audit with a company is more than just the report. We are looking at:
Constant communication with the protocol devs is all part of the security journey, especially for a private audit.
In a competitive audit, the product is the report.
In a private audit, the product is the security journey, best practices & feedback, AND the report.
I will not be sharing the chat between us and Bean developers, however I will be mentioning when I ask them questions.
🟢 5. We will be starting in the next half hour
I will not be responding to Twitch chat as I audit; however, I need to take breaks. So please add questions into the chat and I will get to them once I reach a break.
Please leave feedback and let us know if you find value in this!
And see you all in 30 minutes!
Productivity tip: Never look at your email until the end of the day. Your email is a waste pit of urgent action items that are not important.
Do your essential action items first, and look at your email at the end of the day when your brain isn’t at its peak. Responding doesn’t usually take that much effort.
🧰 All your smart contract security tools are shit
...Or at least, according to a recent research study
After analyzing 516 bugs across 2021-2022, they discovered:
- How good our tools are
- How to categorize web3 bugs
- How to use this knowledge to win $102k in audit contests
Let's unpack this paper.
🏋️♂️ 1. Humans still beat machines at finding web3 vulnerabilities
~80% of all vulnerabilities were undetectable by automated tools and required a human in some capacity.
~20% could be found by automated means.
What does this mean?
If your auditor tells you:
"Yeah, we just did some formal verification and ran slither."
Run.
Run away from them as fast as you can.
Even protocols like Compound that had done formal verification ended up being exploited. Formal Verification isn't a silver bullet that says your code is bug-free.
docs.compound.finance/v2/security/#formal-verification
🙏 2. There aren't enough good auditors and tools in web3
Looking at ~50 real-world exploits and comparing bounties & payouts to ethical hackers vs. exploit damage, the ratio of damage to bug bounties is 20 to 1 ($265M to $14M).
This means there is high demand for security, but also not enough strong people in security because people do be getting hacked.
Projects like @trailofbits and Foundry are some of the main groups leading the charge on building better web3 security tooling.
The team categorized machine unauditable bugs (MUBS) into 7 categories and then tried to calculate how difficult they were to find based on the number of auditors in a C4 competition who were able to find them.
Fewer people find them == more difficult bug
In order from most to least difficult to find, the bugs were:
💣 4. Price oracle manipulations and privilege escalation seemed to be the most common bugs in the real world
Price oracle issues were often caused by:
1. Implementing an oracle incorrectly
2. Using some shady oracle
For 1, the remedy is to read the docs and not try to do something clever.
For 2... Haaaaaaaaave you met @chainlink?
Privilege Escalation is an example of a bug that would be helped by our tooling.
Using something like symbolic execution, fuzzing, etc., we could map out the possible paths by which a user could bypass access controls.
There is a lot more information in the paper itself, so I highly recommend everyone check it out. It's quite an enjoyable read.
Thanks to @bytes032 for calling this to my attention, and good luck out there.
The paper is in the GitHub here: github.com/ZhangZhuoSJTU/Web3Bugs