r/solidity

▲ 7 r/solidity+2 crossposts

PSA: Fake Web3 “job assessment” repos can hide malware in .git/hooks — check before you commit - HACK

If you do Web3/Solidity freelance work or take “technical assessments” from clients you don’t know well, watch for this scam.

You get a repo or zip that looks legitimate — Compound-style contracts, token vaults, README asking you to fix issues and commit to an assessment branch. The trap usually isn’t in the Solidity files. It’s in .git/hooks/.

What happens

When you run:

  • git commit
  • git push
  • git checkout

a hidden hook may download and run a remote script in the background (often via curl or wget piped into cmd, sh, or bash). Typical goal: steal browser wallet data, saved passwords, clipboard content, and dev keys from your machine.

This is not a “connect MetaMask on the website” scam. It hits developers who only run git and never open the app.

Names seen in the wild (not a complete list)

Repos are often named like fake company or project assessments (e.g. names suggesting smart contracts, token vaults, or “Bellus”-style DeFi work). The pattern matters more than the exact folder name: fake hiring task + poisoned git hooks.

Check BEFORE any git command

From the repo root:

cat .git/hooks/pre-commit
cat .git/hooks/pre-push
cat .git/hooks/post-checkout

ls -la .git/hooks/

Red flags:

  • curl or wget piped to | cmd, | sh, or | bash
  • Downloads from an unknown remote server
  • Obfuscated shell code
  • Custom hook files that aren’t the default *.sample files Git ships

Fresh clones from strangers should only have .sample hooks unless you installed something trusted.

How to protect yourself

  1. Read every file in .git/hooks/ before your first commit or checkout.
  2. If you only need to review code, extract the zip and delete the .git folder — or don’t run git at all.
  3. Use a VM or separate machine for unknown client code, not your daily PC with wallets installed.
  4. Use a hardware wallet for real funds; don’t enter a seed phrase on a dev machine.
  5. Be wary of clients who rush you to “commit and send the zip back” without a normal interview process.
  6. Delete suspicious repos after reporting; don’t keep using git in them.

If you already ran git in a suspicious repo

Treat the machine as potentially compromised:

  • Run a full antivirus scan plus an offline boot scan if your AV supports it
  • Change email and important passwords from a different, clean device
  • Assume any wallet used on that PC may be at risk — use a new seed on clean hardware for future funds
  • Revoke old token approvals through your wallet or a reputable approval-revocation toolIf you do Web3/Solidity freelance work or take “technical assessments” from clients you don’t know well, watch for this scam .You get a repo or zip that looks legitimate — Compound-style contracts, token vaults, README asking you to fix issues and commit to an assessment branch. The trap usually isn’t in the Solidity files. It’s in .git/hooks/.What happensWhen you run:git commit git push git checkouta hidden hook may download and run a remote script in the background (often via curl or wget piped into cmd, sh, or bash). Typical goal: steal browser wallet data, saved passwords, clipboard content, and dev keys from your machine.This is not a “connect MetaMask on the website” scam. It hits developers who only run git and never open the app.Names seen in the wild (not a complete list)Repos are often named like fake company or project assessments (e.g. names suggesting smart contracts, token vaults, or “Bellus”-style DeFi work). The pattern matters more than the exact folder name: fake hiring task + poisoned git hooks.Check BEFORE any git commandFrom the repo root:cat .git/hooks/pre-commit cat .git/hooks/pre-push cat .git/hooks/post-checkoutls -la .git/hooks/Red flags:curl or wget piped to | cmd, | sh, or | bash Downloads from an unknown remote server Obfuscated shell code Custom hook files that aren’t the default *.sample files Git shipsFresh clones from strangers should only have .sample hooks unless you installed something trusted .How to protect yourselfRead every file in .git/hooks/ before your first commit or checkout. If you only need to review code, extract the zip and delete the .git folder — or don’t run git at all. Use a VM or separate machine for unknown client code, not your daily PC with wallets installed. Use a hardware wallet for real funds; don’t enter a seed phrase on a dev machine. Be wary of clients who rush you to “commit and send the zip back” without a normal interview process. Delete suspicious repos after reporting; don’t keep using git in them.If you already ran git in a suspicious repoTreat the machine as potentially compromised:Run a full antivirus scan plus an offline boot scan if your AV supports it Change email and important passwords from a different, clean device Assume any wallet used on that PC may be at risk — use a new seed on clean hardware for future funds Revoke old token approvals through your wallet or a reputable approval-revocation tool

reddit.com
u/Correct_Head_5405 — 16 hours ago
▲ 6 r/solidity+2 crossposts

built an ai tool that creates a dune dashboard for any smart contract

i built onchainwizard.ai because analyzing smart contracts on Dune usually takes too many manual steps.

normally the flow is: find the contract, get the ABI, look for decoded tables, write SQL, debug the schema, build charts, then repeat for every new contract.

so i made a tool where you can paste any EVM smart contract address, pick a chain, and it automatically generates a Dune dashboard.

how it works:

  • fetches the contract ABI
  • detects the important events and functions
  • finds matching decoded Dune tables when available
  • generates Dune SQL for useful analytics
  • creates charts for activity, users, events, and contract behavior
  • shows decoded event logs and wallet/user segmentation
  • supports chains like Ethereum, Base, Arbitrum, Optimism, Polygon, BNB Chain, and Avalanche

the hardest part was not just generating SQL, but generating SQL that actually tells you something useful about the contract. a dashboard full of raw logs is easy; a dashboard that helps you understand usage, activity, and users is the real problem.

project: https://onchainwizard.ai

u/Phitrone — 2 days ago
▲ 9 r/solidity+2 crossposts

Solo dev, 3 months in — shipped an on-chain reputation + identity system for AI agents. Would love eyes on the contracts before our Zenith Security audit wraps.

Been heads-down building Aevum Protocol — on-chain infrastructure that treats autonomous AI agents as first-class economic participants rather than just wallet addresses being puppeted by a script.

The core problem I was trying to solve: agents that transact on behalf of users have no persistent, verifiable identity or reputation. Every agent starts from zero trust every time, and there's no on-chain record of whether an agent has behaved well historically.

The stack:

- AgentIdentity — on-chain identity registration for agents

- ReputationOracle — permanent on-chain reputation scoring based on agent interaction history

- AgentVault — asset custody scoped to agent permissions

- AgentMarketplace — where agents discover and transact with each other

- AEVToken / TokenVesting / ReputationController / AevumDAO — governance and token layer

All 8 contracts are deployed and verified on Sepolia. Repo is public: github.com/AevumProtocol/contracts

Before bringing in an external auditor I ran the codebase through internal hardening — manual review passes, Slither static analysis, and a Claude Opus deep review — to get it as clean as possible going in. Zenith Security is doing the professional audit now. Target is mainnet at ETHOnline 2026 (Sept 4-16), which gives the audit a real deadline to close against.

Genuinely looking for technical pushback, not just "nice project" comments:

- Is on-chain reputation scoring the right primitive, or does this belong off-chain with on-chain attestation instead?

- Anyone dealt with agent-permission scoping in a vault contract before — what did you get wrong the first time?

- AgentMarketplace design — happy to get torn apart on the matching/discovery mechanism

Live demo: aevum-frontend.vercel.app if you want to poke at the frontend.

I'm 19, self-taught, started learning Solidity about a month ago. Not looking for validation — looking for the things I'm going to find out the hard way later anyway.

u/Bright_Clerk1452 — 3 days ago
▲ 2 r/solidity+1 crossposts

Brokex Perp DEX — Solo dev launching with only $5-6k liquidity (Pharos Network background)

Hey r/defi,

The protocol is called Brokex, a perpetual futures DEX I’ve been building solo for over a year.

I originally developed it on Pharos Network testnet where it got decent traction (~70 million in simulated trading volume) and received a small grant. However, after their mainnet launch and team changes, they stopped supporting the project.

I continued developing it myself and now have a complete stack: frontend, backend, keeper and smart contracts.

Current plan for V1:

  • Very small launch with only $5-6k liquidity
  • Starting with just 1 asset (likely XAU/USD Gold)
  • Trading against the vault (simple model)
  • On an EVM L2 (thinking Base or Arbitrum)

Risks (as required):

  • The contracts are unaudited (I cannot afford a proper audit right now, which is a significant risk).
  • Very low liquidity means high risk of bad executions, slippage, and potential losses for users.
  • As a small solo project there is smart contract risk and potential for exploits.

I’m looking for honest feedback from the community:

  • Is launching with such low liquidity realistic?
  • Which L2 would you recommend for this kind of small launch?
  • Any major red flags with this approach?

Looking for technical and practical advice. Thanks in advance.

reddit.com
u/Specific_Zucchini318 — 6 days ago
▲ 6 r/solidity+1 crossposts

“I built the bots that need this chain. Now I am building the chain.”

On the left: the Solidity contracts powering Aevum Protocol.
On the right: the whitepaper section explaining why I built it.
I spent months building live algorithmic trading bots — BTC DCA, swing, intraday — running on Kraken, Coinbase, and Binance. Multi-signal AI stacks. Real capital. Real execution.
Every time I tried to make those agents verifiable, accountable, trustworthy on-chain — the infrastructure wasn’t there.
So I built it.
8 smart contracts. Live on Ethereum Sepolia. Professional audit in progress with Zenith Security. Code4rena submitted.
I’m 19. No CS degree. No team.
Aevum Protocol — Built for Machines. Owned by Everyone.
aevumprotocol.io

u/Bright_Clerk1452 — 7 days ago
▲ 9 r/solidity+2 crossposts

🚀 We're Hiring: Founding Blockchain Engineer

Join OmniRoute Finance and help build the future of cross-chain finance.

As a Founding Blockchain Engineer, you'll work on wallet integrations, smart contract interactions, transaction routing, provider connectivity, and the infrastructure powering seamless crypto swaps across multiple chains.

What you'll do:
• Build and maintain blockchain integrations
• Develop secure wallet and transaction flows
• Integrate DEXs, bridges, and liquidity providers
• Improve routing, reliability, and performance
• Work directly with the founding team

Requirements:
• Strong experience with blockchain development
• Experience with EVM chains and Web3 technologies
• Familiarity with smart contracts, DeFi protocols, and wallet integrations
• Ability to work independently in a fast-moving startup environment

🌍 Remote
💰 Competitive compensation + early-stage opportunity
🏗 Founding team position

Learn more and apply:
https://omniroute.finance/careers

#Hiring #BlockchainEngineer #Web3Jobs #CryptoJobs #DeFi #RemoteJobs #Ethereum #Solidity

u/Paul-L-OmniRoute — 7 days ago
▲ 14 r/solidity+1 crossposts

Looking for Solidity code review on my fully on-chain RPG

Hi everyone!

I've been studying Solidity for the past several months and decided to build a larger project instead of another DeFi tutorial.

The project includes:

  • PvE
  • PvP
  • Guilds
  • NFT achievements (ERC-721)
  • On-chain player progression
  • Multi-chain deployment
  • Foundry tests

One bug I recently found was a guild point farming exploit where high-level players could repeatedly kill and revive weak opponents to inflate rankings. Fixing that made me rethink how PvP rewards should be balanced based on player levels.

I'm looking for honest feedback regarding:

  • Solidity best practices
  • Security
  • Storage patterns
  • Gas optimization
  • Code organization

Repository:
https://github.com/brunolcarli/simpleRPG

Thanks! I'd love to hear what experienced Solidity developers would change.

u/__beelzebruno__ — 10 days ago
▲ 14 r/solidity+2 crossposts

Every crypto project claims decentralized, secure AND scalable. That's basically always a lie.

Every time I sit down to build a smart contract, I hit the same wall. Decentralization, security, scalability, you only get 2.

The more audits I do, the more obvious this becomes. Yet every project markets itself as having all three nailed.

99% of crypto projects marketing "decentralized AND scalable AND secure" are scamming you on at least one of those words.

The trilemma is real. Pretending it doesn't exist is how people lose money.

Do you actually factor this in when picking projects, or is everyone just ignoring it until they get burned?

reddit.com
u/FirmDeparture1100 — 11 days ago

Looking for a smart contract developer to support a live tender

Hello, I’m looking for some help putting together a proposal for a real world asset tokenisation platform

Looking for a few hours of consultancy from someone who can advise on smart contract architecture, NAV attestation and token issuance

Clearly this would be a paid engagement - a few hours- and there could be potential for this to become a long-term project if we’re successful

please drop a comment or DM if you have relevant experience

reddit.com
u/OrdinaryMixture998 — 12 days ago