Thoughts/Open problems:
What is this?
This page contains blockchain security thoughts, ideas and current problems.
Generally I will also post about these (thoughts, ideas, security problems), so I will include the links to the X posts/tweets.
How different habits and priorities yield different results in blockchain security reviews - (Aug 2, 2025)
My thoughts on Dacian's observation about auditors' performance
I think what can make a difference here is the habit of following a process.
While it can also be related to “monetary reward”, I assume it's not the same in every case; there are other reasons, like:
Many (if not all) who work on private audits have to follow a process. In fact, they (companies, SRs) can have their own processes, mental models, internal checklists, etc. that MUST be followed throughout the audit process. And these are mostly tied to visiting all the possible paths in one way or another.
The process makes a much bigger difference in the output. (Not saying someone who is working on BB can't have/follow a process, but it also depends on the need for the process/mental model and the priority for which that process/model will be used.)
Additionally, experience (with one specific thing, BB and/or private audits) is something that can make a difference when it comes to results derived from the habit of setting specific priorities over months and years.
Lastly, I assume exceptions exist in both cases.
https://x.com/caliber_tweets/status/1951630458355155103
Just stumbled on a thought about "multiple audits" - (June 9, 2025)
Let’s say a protocol goes through several audits, and in the final one, the auditors discover critical bugs. Those bugs require fixes, but what if those fixes introduce new vulnerabilities?
At that point, the only line of defense is the current audit team reviewing the changes.
And realistically, assuming the protocol (maybe) isn't going to commission another audit just for that last patch, given budget and timeline constraints.
Anon, you see the problem?
I hope the industry figures out a better way to handle this scenario.
Monitoring tools are a great complement, always. But is there anything else that can be done to reduce this risk?
https://x.com/caliber_tweets/status/1932113454246264849
In the end it boils down to visiting more paths - (May 9, 2025)
When finding bugs in code, different techniques can yield different results; one core idea to remember is that the more paths you explore, the greater the chance of finding potential bugs.
https://x.com/caliber_tweets/status/1929458756296855784
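A small illustration of the "more paths" point, added here as an example (it is not code from the original post, and the `payout` logic, the `Invariant: payout <= amount` rule and the amount 1000 are all constructed for the demo). Two independent branches give four execution paths. Two test inputs are enough to execute every line and every branch arm, yet the invariant violation only shows up on the one path where both `discount` and `vip` are taken; enumerating all four paths finds it.

```python
from itertools import product

ALL_ARMS = {"discount", "no_discount", "vip", "no_vip"}


def _note(trace, arm):
    # Record which branch arm was executed, if a trace list was supplied.
    if trace is not None:
        trace.append(arm)


def payout(amount: int, discount: bool, vip: bool, trace=None) -> int:
    """Constructed toy settlement logic (hypothetical, not from the page).

    Intended invariant: the returned payout never exceeds `amount`.
    Two independent branches -> 2 x 2 = 4 execution paths.
    """
    if discount:
        fee = amount // 20          # 5% fee
        _note(trace, "discount")
    else:
        fee = amount // 5           # 20% fee
        _note(trace, "no_discount")
    if vip:
        rebate = amount // 10       # 10% rebate, applied regardless of fee
        _note(trace, "vip")
    else:
        rebate = 0
        _note(trace, "no_vip")
    # Bug (deliberate, for the demo): when discount AND vip are both taken,
    # rebate (10%) exceeds fee (5%), so payout > amount.
    return amount - fee + rebate


def branch_coverage(amount: int, inputs) -> set:
    """Return the set of branch arms executed by the given (discount, vip) inputs."""
    covered = set()
    for discount, vip in inputs:
        trace = []
        payout(amount, discount, vip, trace)
        covered.update(trace)
    return covered


def violating_paths(amount: int) -> list:
    """Walk every path (every combination of branch decisions) and return the
    (discount, vip) combinations that break the invariant payout <= amount."""
    return [
        (discount, vip)
        for discount, vip in product((True, False), repeat=2)
        if payout(amount, discount, vip) > amount
    ]


# Two inputs that cover every line and both arms of both branches,
# but only 2 of the 4 paths.
TWO_TESTS = [(True, False), (False, True)]


if __name__ == "__main__":
    amount = 1000
    print("arms covered by two tests:", sorted(branch_coverage(amount, TWO_TESTS)))
    print("invariant holds on those tests:",
          all(payout(amount, d, v) <= amount for d, v in TWO_TESTS))
    print("paths violating the invariant:", violating_paths(amount))
```

The two-input test set reaches 100% line and branch coverage and reports no problem; only the full path walk surfaces the `(True, True)` combination. The same gap scales badly in real contracts, where each extra independent branch doubles the path count, which is why a review process that deliberately tracks visited paths (rather than visited lines) tends to find more.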