cmichel
1,225 posts
blockchain dev & security
š¹š @SpearbitDAO/@cantinaxyz
šļø blog @ cmichel.io
DM @cantinaxyz for audit
views are my own
Joined January 2016
- ETH devs: write math libraries in assembly to save gas Meanwhile, CosmWasm devs: I need the fractional part of a decimal number. Let me stringify it, find the ".", put a "0" in front of it and string-parse it again github.com/Anchor-Protocoā¦
- if you want to create web3 security content, instead of creating the hundredth auditor roadmap, auditing tips that are just common knowledge, or spot the bug challenge content, try this instead: create cheat sheets for protocols you audited 1/7
- I audit Blast, they announce a million $ competition afterwards. I audit Euler, they announce a million $ competition afterwards. I audit Maker, they announce a million $ competition afterwards.
- After grinding for 14 months I finally reached my goal of being the first to cross 1M$ on the @code4rena leaderboard. š„³ Thanks to everyone involved, this has been very fun, lucrative, and I learned a lot by seeing other wardens' vulnerabilities that I missed.
1/ Code4rena all-star @cmichelio crossed $1,000,000 in Warden payouts: code4rena.com/leaderboard How did he put those numbers on the board? š§µ - Whenever I find a bug, I look back and ask: How could I have found that faster? I go back, figure out which steps of thought were necessary, and retrain myself to perform only those steps in 30 seconds. Fooming Shoggoths - Thought That Faster
- Dear Lord, please forgive any issues I'm about to submit and any severities I'm about to inflate. I'm just playing this game called competitive audits and it's primarily played for points against a judge bound by a flawed rule book filled with infinite loopholes and vague
- hot take: even if @CertiK pointed this out 90% of you would still have been rugged because you don't actually read the audits. Trusted third-party issues exist in the majority of protocols, either directly through admin privileges or indirectly through upgradeable contracts 1/6Replying to @delucinatorand Certik did audit this, it's not like a swapped out frontend, Certik legit saw the contract allow infinite to some random ass address and gave it a pass
- the founder @0xlawlol openly admitted on the @TaikiMaeda2 podcast that their bug bounty strategy is to: 1. exploit the protocol first 2. negotiate afterwards 3. still call yourself whitehat after hearing that I stayed far away from this protocolYesterday, an external fund manager overseeing Stream funds disclosed the loss of approximately $93 million in Stream fund assets. In response, Stream is in the process of engaging Keith Miller and Joseph Cutler of the law firm Perkins Coie LLP, to lead a comprehensive
- proud to be the first Cantina fellow. I've been working closely with @SpearbitDAO/@cantinaxyz for years now and am very bullish on the leadership, the team's execution, and their incentives to attract the best talent. Excited to be joining them exclusively. Not much will changeAnnouncing the very first member of the Cantina Fellowship Program: @cmichelio, signed exclusively for $2M šŖ
00:00 - Wrote up my thoughts on how to become a smart contract auditor as I received a few DMs cmichel.io/how-to-become-⦠#ethereum
- Your oracle has 11 price sources and takes the median. How many sources must you manipulate for the median to change? If the prices are all close to each other it should be 6, not 5. There's more to it: The oracle used is the `sUSDePriceProviderBUniCatch`. It takes 11 sources - 1Today's @UwU_Lend hack leads to $19.4m loss. The root cause is a price oracle issue. In particular, the sUSDe asset is priced as median from multiple sources. Five of them, i.e., FRAXUSDe, USDeUSDC, USDeDAI, USDecrvUSD, and GHOUSDe, were manipulated during the hack. The stolen
- I'm auditing in VR, that's my alpha. Pros: Portable, good as a second screen when traveling Cons: The resolution is still too bad (2x more pixels would do) and I don't see my keyboard. Can't do any serious work yet
00:00 - What DeFi protocols have USDC price hardcoded to 1$?














