<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"><channel><title>thesandf | Smart Contract Security Researcher</title><description>thesandf is a Smart Contract Developer and Web3 Security Researcher specializing in Solidity, DeFi protocol audits, and cross-chain security research. View my portfolio, research, and case studies.</description><link>https://thesandf.com/</link><item><title>Why Smart Contract Auditing Is the Fastest Path to Web3 CTO</title><link>https://thesandf.com/posts/audit-to-cto/</link><guid isPermaLink="true">https://thesandf.com/posts/audit-to-cto/</guid><description>Learn why elite smart contract auditors become Web3 CTOs, protocol architects, and founders. Explore the four-stage auditor lifecycle, career roadmap, and how adversarial thinking creates technical leaders.</description><pubDate>Mon, 22 Jun 2026 00:00:00 GMT</pubDate></item><item><title>YieldZero: Engineering an Omnichain Vault with LayerZero</title><link>https://thesandf.com/posts/yieldzero-engineering/</link><guid isPermaLink="true">https://thesandf.com/posts/yieldzero-engineering/</guid><description>Engineering patterns for omnichain vaults using LayerZero, covering messaging, composability, and distributed system challenges.</description><pubDate>Tue, 10 Mar 2026 00:00:00 GMT</pubDate></item><item><title>I Thought My Cross-Chain Vault Shares Vanished -Turns Out They Were Just in a Hurry to Bridge</title><link>https://thesandf.com/posts/shares-vanished/</link><guid isPermaLink="true">https://thesandf.com/posts/shares-vanished/</guid><description>A 6-hour LayerZero + ERC-4626 debugging meltdown where shares didn’t disappear - they were just bridged instantly.</description><pubDate>Sat, 31 Jan 2026 00:00:00 GMT</pubDate></item><item><title>Thor vs The Bifrost - Denial of Service (DoS) in Solidity (Gas Griefing Case Study)</title><link>https://thesandf.com/posts/denial-of-service/</link><guid isPermaLink="true">https://thesandf.com/posts/denial-of-service/</guid><description>Thor gets stranded when Loki clogs the Bifrost bridge. Learn how DoS in Solidity works, how attackers block withdrawals, and how patterns like pull-payments and gas-optimized loops prevent disaster.</description><pubDate>Fri, 12 Dec 2025 00:00:00 GMT</pubDate></item><item><title>How Quicksilver Stole Iron Man’s Trade - The Most Profitable (MEV 🥪) Sandwich Attack Explained </title><link>https://thesandf.com/posts/sandwich-mev/</link><guid isPermaLink="true">https://thesandf.com/posts/sandwich-mev/</guid><description>Quicksilver doesn’t steal Iron Man’s suit. He just sandwiches his trade in the mempool and walks away with millions. The fastest, most profitable MEV attack in DeFi - explained with MCU speed.</description><pubDate>Sat, 29 Nov 2025 00:00:00 GMT</pubDate></item><item><title>Naruto vs The Chaos Scroll - Insecure Randomness Catastrophe</title><link>https://thesandf.com/posts/insecure-randomness/</link><guid isPermaLink="true">https://thesandf.com/posts/insecure-randomness/</guid><description>Orochimaru doesn’t fight Naruto. He just predicts the next block.timestamp and steals the entire Hidden Leaf lottery. The most ninja-level randomness exploit ever told - dattebayo!</description><pubDate>Fri, 28 Nov 2025 00:00:00 GMT</pubDate></item><item><title>Doctor Strange and the Mirror Portal - Improper Input Validation Heist</title><link>https://thesandf.com/posts/input-validation/</link><guid isPermaLink="true">https://thesandf.com/posts/input-validation/</guid><description>Loki doesn’t break the Mirror Dimension. He just walks out pretending to be Iron Man. One missing require() = $41M gone. The ultimate input validation case study.</description><pubDate>Thu, 27 Nov 2025 00:00:00 GMT</pubDate></item><item><title>Ant-Man and the Giant Loan - Flash-Loan Oracle Manipulation</title><link>https://thesandf.com/posts/flash-loan-oracle-manipulation/</link><guid isPermaLink="true">https://thesandf.com/posts/flash-loan-oracle-manipulation/</guid><description>Ant-Man goes quantum: one flash loan, one block, one vault drained. The most devastating oracle attack in DeFi history - now with full code, two exploit scenarios, and MCU chaos.</description><pubDate>Wed, 26 Nov 2025 00:00:00 GMT</pubDate></item><item><title>Spider-Man vs Doctor Strange - Multiverse Bridge Heist</title><link>https://thesandf.com/posts/cross-chain-bridges/</link><guid isPermaLink="true">https://thesandf.com/posts/cross-chain-bridges/</guid><description>Doctor Strange steals the validator key and replays Spider-Man’s message across the multiverse. One signature. Infinite tokens. A $3.2B+ real-world disaster explained with MCU flair.</description><pubDate>Mon, 24 Nov 2025 00:00:00 GMT</pubDate></item><item><title>Thor vs Hulk &amp; Iron Man - Arithmetic Overflow &amp; Underflow in Solidity</title><link>https://thesandf.com/posts/arithmetic-overflow-underflow/</link><guid isPermaLink="true">https://thesandf.com/posts/arithmetic-overflow-underflow/</guid><description>Thor pushes Hulk’s rage past 255 and drains Iron Man’s suit below zero. Witness the most spectacular math explosions in the MCU and learn why unchecked arithmetic is the silent killer of pre-0.8.0 and inside `unchecked {}` blocks.</description><pubDate>Sun, 23 Nov 2025 00:00:00 GMT</pubDate></item><item><title>Black Widow and the Red Room Vault - Access Control Case Study</title><link>https://thesandf.com/posts/access-control/</link><guid isPermaLink="true">https://thesandf.com/posts/access-control/</guid><description>Black Widow infiltrates the most heavily guarded vault in the MCU history… only to discover the doors were never locked. A delicious cocktail of 4 critical access control bugs in one single contract.</description><pubDate>Sat, 22 Nov 2025 00:00:00 GMT</pubDate></item><item><title>Doctor Strange vs Dormammu - The Reentrancy Time-Loop Explained (CEI Case Study)</title><link>https://thesandf.com/posts/reentrancy/</link><guid isPermaLink="true">https://thesandf.com/posts/reentrancy/</guid><description>Doctor Strange traps Dormammu in an infinite time loop. Exactly how reentrancy works - and how attackers drain millions.</description><pubDate>Thu, 20 Nov 2025 00:00:00 GMT</pubDate></item><item><title>Damn Vulnerable DeFi - Compromised</title><link>https://thesandf.com/ctf/compromised/</link><guid isPermaLink="true">https://thesandf.com/ctf/compromised/</guid><description>Oracle manipulation via compromised private keys. Learn how a leak in server logs can lead to complete price control and the systematic draining of an NFT exchange.</description><pubDate>Tue, 29 Jul 2025 00:00:00 GMT</pubDate></item><item><title>Ethernaut - Puzzle Wallet</title><link>https://thesandf.com/ctf/puzzle-wallet/</link><guid isPermaLink="true">https://thesandf.com/ctf/puzzle-wallet/</guid><description>Mastering proxy patterns, storage layout collisions, and msg.value reuse inside multicalls. Learn how to hijack proxy administration by bypassing whitelists and exploiting delegatecall execution flows.</description><pubDate>Thu, 24 Jul 2025 00:00:00 GMT</pubDate></item><item><title>Ethernaut - Naught Coin</title><link>https://thesandf.com/ctf/naught-coin/</link><guid isPermaLink="true">https://thesandf.com/ctf/naught-coin/</guid><description>Bypassing transfer locks by exploiting incomplete standard overrides. Learn how standard ERC20 token mechanics allow approve and transferFrom to circumvent direct transfer controls.</description><pubDate>Tue, 15 Jul 2025 00:00:00 GMT</pubDate></item><item><title>Ethernaut - Gatekeeper Two</title><link>https://thesandf.com/ctf/gatekeeper-two/</link><guid isPermaLink="true">https://thesandf.com/ctf/gatekeeper-two/</guid><description>Bypassing extcodesize checks and solving bitwise XOR constraints. Learn how the EVM manages code size during constructor initialization and how to derive cryptographic gatekeys.</description><pubDate>Mon, 14 Jul 2025 00:00:00 GMT</pubDate></item><item><title>Ethernaut - Gatekeeper One</title><link>https://thesandf.com/ctf/gatekeeper-one/</link><guid isPermaLink="true">https://thesandf.com/ctf/gatekeeper-one/</guid><description>Bypassing complex multiple gate controls in Solidity. Learn how to solve execution origin barriers, brute-force exact gas constraints, and master bitwise mask operations.</description><pubDate>Sun, 13 Jul 2025 00:00:00 GMT</pubDate></item><item><title>Ethernaut - Privacy</title><link>https://thesandf.com/ctf/privacy/</link><guid isPermaLink="true">https://thesandf.com/ctf/privacy/</guid><description>Reading packed storage slots and fixed-size arrays from the blockchain. Learn how the Solidity compiler packs state variables and how to cast data types to bypass access controls.</description><pubDate>Sat, 12 Jul 2025 00:00:00 GMT</pubDate></item><item><title>Ethernaut - Elevator</title><link>https://thesandf.com/ctf/elevator/</link><guid isPermaLink="true">https://thesandf.com/ctf/elevator/</guid><description>Exploiting state-manipulating interface implementations to bypass flow controls. Learn why relying on external untrusted contract state returns can break smart contract invariants.</description><pubDate>Fri, 11 Jul 2025 00:00:00 GMT</pubDate></item><item><title>Ethernaut - Reentrancy</title><link>https://thesandf.com/ctf/reentrancy/</link><guid isPermaLink="true">https://thesandf.com/ctf/reentrancy/</guid><description>Exploiting classic reentrancy vulnerabilities. Learn how state modification sequence and unchecked external calls can lead to total contract draining.</description><pubDate>Thu, 10 Jul 2025 00:00:00 GMT</pubDate></item><item><title>Ethernaut - King</title><link>https://thesandf.com/ctf/king/</link><guid isPermaLink="true">https://thesandf.com/ctf/king/</guid><description>Exploiting smart contract payments to cause a Denial of Service (DoS). Learn how blocking native Ether transfers can lock contract states forever.</description><pubDate>Wed, 09 Jul 2025 00:00:00 GMT</pubDate></item><item><title>Damn Vulnerable DeFi - Puppet V2</title><link>https://thesandf.com/ctf/puppet-v2/</link><guid isPermaLink="true">https://thesandf.com/ctf/puppet-v2/</guid><description>Evolution of price manipulation on Uniswap V2. Learn how blindly trusting official libraries and increasing collateral requirements still fails if the underlying price oracle remains manipulative.</description><pubDate>Wed, 09 Jul 2025 00:00:00 GMT</pubDate></item><item><title>Ethernaut - Vault</title><link>https://thesandf.com/ctf/vault/</link><guid isPermaLink="true">https://thesandf.com/ctf/vault/</guid><description>Reading private storage variables directly from the blockchain. Learn how data visibility modifiers like private do not hide data on public blockchains.</description><pubDate>Tue, 08 Jul 2025 00:00:00 GMT</pubDate></item><item><title>Ethernaut - Force</title><link>https://thesandf.com/ctf/force/</link><guid isPermaLink="true">https://thesandf.com/ctf/force/</guid><description>Forcibly sending Ether to a contract with no receive or fallback functions. Learn how the selfdestruct EVM instruction overrides standard payment controls.</description><pubDate>Mon, 07 Jul 2025 00:00:00 GMT</pubDate></item><item><title>Ethernaut - Delegation</title><link>https://thesandf.com/ctf/delegation/</link><guid isPermaLink="true">https://thesandf.com/ctf/delegation/</guid><description>Exploiting delegatecall forwarding to hijack smart contract ownership. Learn how delegatecall preserves transaction context and storage layouts to execute arbitrary code.</description><pubDate>Sun, 06 Jul 2025 00:00:00 GMT</pubDate></item><item><title>Damn Vulnerable DeFi - Naive Receiver</title><link>https://thesandf.com/ctf/naive-receiver/</link><guid isPermaLink="true">https://thesandf.com/ctf/naive-receiver/</guid><description>Exploiting fixed fees and identity spoofing. Learn how to drain a user’s balance through forced flash loans and hijack admin privileges via meta-transactions.</description><pubDate>Sat, 05 Jul 2025 00:00:00 GMT</pubDate></item><item><title>Damn Vulnerable DeFi - Puppet</title><link>https://thesandf.com/ctf/puppet/</link><guid isPermaLink="true">https://thesandf.com/ctf/puppet/</guid><description>Oracle manipulation via low-liquidity AMM pools. Learn how to crash the price of a token on Uniswap V1 to borrow an entire lending pool’s liquidity for pennies.</description><pubDate>Sat, 05 Jul 2025 00:00:00 GMT</pubDate></item><item><title>Damn Vulnerable DeFi - The Rewarder</title><link>https://thesandf.com/ctf/the-rewarder/</link><guid isPermaLink="true">https://thesandf.com/ctf/the-rewarder/</guid><description>A vulnerable Merkle reward distributor that fails to bind claims to the intended recipient, allowing attackers to steal every unclaimed reward.</description><pubDate>Sat, 05 Jul 2025 00:00:00 GMT</pubDate></item><item><title>Ethernaut - Token</title><link>https://thesandf.com/ctf/token/</link><guid isPermaLink="true">https://thesandf.com/ctf/token/</guid><description>Exploiting arithmetic underflows in Solidity versions before 0.8.0. Learn how unsigned integer wrapping can bypass balance checks to mint an astronomical supply of tokens.</description><pubDate>Sat, 05 Jul 2025 00:00:00 GMT</pubDate></item><item><title>Damn Vulnerable DeFi - Side Entrance</title><link>https://thesandf.com/ctf/side-entrance/</link><guid isPermaLink="true">https://thesandf.com/ctf/side-entrance/</guid><description>Exploring the flaws in flash loan accounting. Learn how to use a contract’s own flash loan to &quot;deposit&quot; into your own account and then walk out with the entire pool.</description><pubDate>Fri, 04 Jul 2025 00:00:00 GMT</pubDate></item><item><title>Ethernaut - Telephone</title><link>https://thesandf.com/ctf/telephone/</link><guid isPermaLink="true">https://thesandf.com/ctf/telephone/</guid><description>Understanding the critical security distinction between tx.origin and msg.sender. Learn how tx.origin authentication can be bypassed using simple contract proxying.</description><pubDate>Fri, 04 Jul 2025 00:00:00 GMT</pubDate></item><item><title>Damn Vulnerable DeFi - Truster</title><link>https://thesandf.com/ctf/truster/</link><guid isPermaLink="true">https://thesandf.com/ctf/truster/</guid><description>Arbitrary external calls leading to full permission leaks. Learn how a single flash loan call can trick a contract into approving away its entire treasury.</description><pubDate>Fri, 04 Jul 2025 00:00:00 GMT</pubDate></item><item><title>Ethernaut - Coin Flip</title><link>https://thesandf.com/ctf/coin-flip/</link><guid isPermaLink="true">https://thesandf.com/ctf/coin-flip/</guid><description>Exploiting weak on-chain randomness using a smart contract. Learn how transaction execution order and historical block data make deterministic randomness highly exploitable.</description><pubDate>Thu, 03 Jul 2025 00:00:00 GMT</pubDate></item><item><title>Ethernaut - Fallout</title><link>https://thesandf.com/ctf/fallout/</link><guid isPermaLink="true">https://thesandf.com/ctf/fallout/</guid><description>Exploiting a simple typographical error in a smart contract constructor. Learn how a single character typo can turn a critical initialization function into a public exploit vector.</description><pubDate>Wed, 02 Jul 2025 00:00:00 GMT</pubDate></item><item><title>Damn Vulnerable DeFi - Free Rider</title><link>https://thesandf.com/ctf/free-rider/</link><guid isPermaLink="true">https://thesandf.com/ctf/free-rider/</guid><description>Exploiting msg.value reuse in batch processing. Learn how to combine Uniswap V2 flash swaps with a faulty NFT marketplace loop to drain an entire collection for the price of one.</description><pubDate>Wed, 02 Jul 2025 00:00:00 GMT</pubDate></item><item><title>Ethernaut - Fallback</title><link>https://thesandf.com/ctf/fallback/</link><guid isPermaLink="true">https://thesandf.com/ctf/fallback/</guid><description>Claim ownership and drain the contract by exploiting weak access control in the receive fallback function. Learn about Solidity receive/fallback mechanics and the critical importance of secure defaults.</description><pubDate>Tue, 01 Jul 2025 00:00:00 GMT</pubDate></item><item><title>Damn Vulnerable DeFi - Unstoppable</title><link>https://thesandf.com/ctf/unstoppable/</link><guid isPermaLink="true">https://thesandf.com/ctf/unstoppable/</guid><description>A masterclass in Denial of Service (DoS) via ledger inconsistency. Learn how a single permissionless transfer can permanently paralyze an ERC4626 vault.</description><pubDate>Tue, 01 Jul 2025 00:00:00 GMT</pubDate></item><item><title>Damn Vulnerable DeFi - Selfie</title><link>https://thesandf.com/ctf/selfie/</link><guid isPermaLink="true">https://thesandf.com/ctf/selfie/</guid><description>Governance hijacking via flash loans. Learn how a lack of snapshotting allows an attacker to borrow a majority of voting power and pass malicious proposals.</description><pubDate>Sat, 28 Jun 2025 00:00:00 GMT</pubDate></item></channel></rss>