14976
sudo rm -rf --no-preserve-root /
@pcaversaccio #14976
𝐖𝐨𝐫𝐤𝐢𝐧𝐠 𝐨𝐧 𝐰𝐡𝐚𝐭'𝐬 𝐧𝐞𝐱𝐭.
https://github.com/pcaversaccio
2935 Follower 151 Following
Over the past few years, I've seen countless folks scrambling to recover tokens from compromised wallets besieged by sweeper bots. So, I decided to take action and create an open-source (white hat) frontrunning script designed to outsmart these fuckers and recover vulnerable funds. This Bash script is all about simplicity, built with minimal dependencies and leveraging only the native tools found in Linux, along with Foundry's cast and chisel. My hope is that this script becomes a powerful ally for victims and their tech-savvy allies, helping them reclaim at-risk funds and regain control over their assets—totally independent of any third-party support 🫡. https://github.com/pcaversaccio/white-hat-frontrunning
Yeah, we can keep playing this game for years. L2 launches with a fucking drop-down menu, and everyone pats themselves on the back over 'technical improvements,' while real people keep getting screwed by simple permit phishing. Are you all out of your fucking minds? We don’t need ten half-baked solutions—we need one fucking chain that actually works for everyone.
We're fucking drowning in SEAL 911 tickets every damn day, with people getting drained left and right. It's brutal, and the reality is we're nowhere near fixing this. The harsh truth? Most of these tickets are coming from basic web2 issues—phishing, malware, the usual bullshit. No amount of smart contract audits is going to save these people. This is the biggest security nightmare our industry faces currently.
In a world dominated by dependency bloat, it's refreshing to see tools that minimise dependencies. These Ethereum utility Bash scripts run seamlessly without installation, utilising only the standard components of a typical Linux machine.
https://github.com/jrhea/bashquiat
https://github.com/jrhea/bashquiat
Remember guys that paranoia is prudence. Those who survive long-term here (try to) verify every transaction, scrutinise every smart contract, and trust no central authority. By delegating nothing (or at least trying not to) and validating everything themselves, the paranoid mitigate risks of hacks, scams, and system failures. This hyper-vigilance, while taxing, ensures longevity in our space where a single misstep can be catastrophic. Being paranoid is an important trait. Don't delegate it to someone else.
The engineers who excel in autocomplete will be the first ones to be replaced by LLMs.
Pretty wild timeline on the latest high severity bug in Bitcoin Core. ~5.5 years from reporting the issue to public disclosure. If you check now the user agents via https://bitnodes.io/nodes ,you can see that almost ~17% of the running nodes are still at risk. The major patch was shipped in 2022 via PR: https://github.com/bitcoin/bitcoin/pull/25717.
https://bitcoincore.org/en/2024/09/18/disclose-headers-oom
https://bitcoincore.org/en/2024/09/18/disclose-headers-oom
a painful Monday so far
1/ Throughout reading the reverse engineering attempt of `bigbrainchad.eth` I got reminded how program obfuscation is actually the ultimate cryptographic primitive and the way to general-purpose privacy-preserving smart contracts. Think about it like that: An obfuscator allows a program (in this context a code run via the EVM) to be obfuscated in such a way so it is _impossible_ to disassemble, impossible to modify, but still possible to execute. You are not able to learn anything about the program, except what you can learn from inputs and outputs. I think Ethereum is still in its infancy here and I'd like to see more efforts at program obfuscation. https://x.com/jtriley_eth/status/1834692924204105915
Some historical piece on Ethereum <> Reentrancy. In August _2014_ (2 years (!) before the DAO reentrancy hack) Andrew Miller (aka @socrates1024) warned Vitalik & Gavin on the danger or reentrant contracts. But at least Gav seemed blind to the fact that this could become a serious problem one day...
https://web.archive.org/web/20170311025657/https://forum.ethereum.org/discussion/1317/reentrant-contracts
https://web.archive.org/web/20170311025657/https://forum.ethereum.org/discussion/1317/reentrant-contracts
So I was cleaning up my Telegram groups recently and wanted an easy way to count how many I'm still in. Well, guess what, it turns out there's no simple way to do that, so I put together a quick Python script to check. I'm still in over 500 groups 💀... https://github.com/pcaversaccio/telegram-group-counter
It might be a (partially) controversial take but I genuinely think that LLMs aren't inherently harmful per se, however their overuse/misuse threatens human cognition. Relying on AI (=statistical models on steroids via GPUs) erodes our grasp of _foundational_ knowledge—like developers building sleek apps without understanding basic memory architecture (ask your devs if they can explain to you what BSS, stack, or heap is). We're trading deep comprehension for convenience, risking our intellectual core.
Today I learnt that the Linux kernel has a feature called "Kernel Electric Fence" (KFENCE). KFENCE in Linux is a memory error detector that uses random sampling and CPU hardware to catch bugs with minimal performance impact. It's like having a highly efficient security guard that only checks a few packages but can still catch most smugglers, allowing for production-safe memory debugging. I don't know who needs to hear this but this is a super smart approach since it leverages the MMU of the CPU to trap invalid memory accesses, rather than relying on software instrumentation.
https://docs.kernel.org/dev-tools/kfence.html
https://docs.kernel.org/dev-tools/kfence.html
Finally someone with a reasonable contract name 🙃 https://etherscan.io/address/0x74833e7b4221fa0edcdb119861955df46e26198a#code
Look guys, in our world everyone's eager for a free compiler, but enthusiasm wanes when it's time to fund its upkeep. IMHO, L2 projects could make a real impact by investing part of their precious VC money in these essential tools instead of splurging on flashy marketing campaigns. By channeling funds into supporting compilers, they would ensure long-lasting benefits and contribute to the ecosystem's health. This shift from short-term shilling to meaningful investment would create a legacy that outlasts any marketing hype. Think about it L2s! If you wanna help fund Vyper, you know how to reach me.
https://x.com/pcaversaccio/status/1823412274758898077
https://x.com/pcaversaccio/status/1823412274758898077
I'm super happy as it has been in the works for some months already, and now we can finally announce that Vyper is officially part of the EF bounty program! At Vyper, security is our top priority—so don't fear the snake 🐍, bounty hunters, embrace it. Your skills are about to be put to the ultimate test!
PS: All the past Vyper reviews / audits can be found here: https://github.com/vyperlang/audits
PS: All the past Vyper reviews / audits can be found here: https://github.com/vyperlang/audits
The best GitHub dashboard is still the OG version: https://github.com/dashboard-feed
If someone asks how it looks like to be a SEAL 911 member
A smart contract programming language that prioritises readability, simplicity, and auditability is not just a good idea—it's essential. In our ecosystem, unlike in fields like aerospace engineering where only experts can design and build aircraft, anyone can build and deploy smart contracts. This democratisation of building capabilities—which is a feature to be clear—means we can't just cater to the 1% of highly skilled developers who excel at memory optimisation and EVM intricacies. Instead, we need to empower the 99% who could easily make costly mistakes. Built-in guardrails ensure safer development, and readable code is invaluable for auditors and the broader community. Most people appreciate a language that makes their work more secure and accessible, even if they might not admit it. You may not like this approach, and I'm not here to patronise, but complexity is the bridge to simplicity and not the end goal.
Let's think this through: Someone successfully social engineers Circle into leaking their upgrader key, the person upgrades USDC with a version that removes blacklisting and revokes all permissions including admin for upgrades (before you tell me it's not possible to set it to 0x00, remember I can set it to 0xdead for example). What would happen after?
I firmly believe that using Tornado Cash is a good thing to do for your on-chain financial privacy since the protocol has demonstrated its resilience, even after multiple attacks. NOT EVERYONE USING TC IS A BAD ACTOR but simply appreciates on-chain privacy! If you're looking to use an uncompromised interface, here are some secure IPFS hashes to consider:
- bafybeicu2anhh7cxbeeakzqjfy3pisok2nakyiemm3jxd66ng35ib6y5ri
- bafybeia7cu2axyyxsarmaemvlpdpofa4q23lzpltbl4jbrnfixdn573h4y
- bafybeiduouhoquhndpzlqrhcfb7wt2jme7qdp4omldal3kulbx63dsrigq
- bafybeiguelxw5aanwnhvaea5vjhknmcdmwvujne36wgabnkmcbt3563toa
- bafybeiezldbnvyjgwevp4cdpu44xwsxxas56jz763jmicojsa6hm3l3rum
- bafybeicu2anhh7cxbeeakzqjfy3pisok2nakyiemm3jxd66ng35ib6y5ri
- bafybeia7cu2axyyxsarmaemvlpdpofa4q23lzpltbl4jbrnfixdn573h4y
- bafybeiduouhoquhndpzlqrhcfb7wt2jme7qdp4omldal3kulbx63dsrigq
- bafybeiguelxw5aanwnhvaea5vjhknmcdmwvujne36wgabnkmcbt3563toa
- bafybeiezldbnvyjgwevp4cdpu44xwsxxas56jz763jmicojsa6hm3l3rum
First things first: fuck you, French government! Arresting Pavel Durov for NOT censoring Telegram violates fundamental privacy principles by punishing a platform for protecting fucking user data! It sets a dangerous precedent where governments can dictate communication control, undermining free speech, and digital privacy rights essential in any democratic society. Vous êtes une putain de honte!
Ethereum is turning into a labyrinth of unnecessary complexity, and it's getting out of hand (this started already in 2020 if you ask me). We're supposed to be here to democratise finance and value transacting, right? The whole point was to break free from the tangled mess of intermediaries and inefficiencies that plague traditional finance. But dude, we have somehow decided that we create a monster of our own - a system so convoluted that only a select few can navigate it. We've become obsessed with complexity, as if adding more layers and jargon somehow makes us better. Newsflash: it fucking doesn't! Simplicity should be the goal, not an afterthought.
The real danger of phishing isn't just that people can easily fall victim; it's that _subtle_ nuances can turn a seemingly safe action into a costly mistake. These nuances are often hard to spot (this includes me and other security professionals!), and even harder to predict, as they evolve constantly (think about the EOA -> drainer contract via CREATE2 sequence as a simple example). This fluidity makes it so fucking difficult for anyone, no matter how savvy, to stay ahead, turning the familiar into a trap with just a slight change.
Simple facts: I personally think it's fucking absurd that in crypto, we keep designing complex solutions for the 0.0001% (e.g. tech-savvy people which includes myself) while the 99.999% struggle with basic access, usability, and security. Instead of building systems that really democratise finance, we get convoluted projects only some specific elite can understand or benefit from. And the ones that work for the 99.999% are some centralised stablecoins...