nickwrb's comments

nickwrb · 2025-12-24T10:51:31 1766573491

Probably the heavy AI-generated feel to the article.

block_hacks · 2025-12-24T11:14:56 1766574896

Just to address the “AI-generated” point directly:

This isn’t something you can realistically get out of an LLM by prompting it....

If you ask an AI to write about Next.js RCE, it will stay abstract, high-level, and defensive by default. It will avoid concrete execution paths, real integration details, or examples that could be interpreted as enabling exploitation — because that crosses into dual-use content.

This article deliberately goes further than that line: it includes real execution ordering, concrete framework behaviors, code-level examples, deployment patterns, and operational comparisons drawn from incident analysis. That’s exactly the kind of specificity automated filters tend to suppress or generalize away.

It’s still non-procedural on purpose — no payloads or step-by-step exploitation - but it’s not “AI vague” either. The detail is there so defenders can reason about where execution and observability actually break down.

Whether that level of detail is useful is subjective, but the reason it reads differently is because it’s grounded in real systems and real failure modes, not generated summaries.

whilenot-dev · 2025-12-24T10:55:38 1766573738

...and the question what an Next.js audit has to do with "expert blockchain security audits", as advertised by BlockHacks (OP).

block_hacks · 2025-12-24T11:18:02 1766575082

That’s a fair question.

Blockchain security work is rarely just cryptography in isolation. Web3 applications are still web applications. Wallets, dashboards, admin panels, and APIs are part of the system, and many of them are built with frameworks like Next.js.

Many of our clients building decentralized applications use Next.js as the frontend and sometimes as the backend-for-frontend layer. In real audits, issues often span both sides: smart contracts and the web stack that exposes them.

This article focuses on the web execution side of that reality, not on-chain cryptography. If you are only interested in protocol-level or cryptographic audits, we publish separate articles that focus specifically on those topics.

The point here is that compromises do not respect category boundaries. They usually start at the web layer and move inward.

Out of curiosity, in your experience, do you usually see real-world compromises starting at the contract layer itself, or at the surrounding web and infrastructure layer that interfaces with it?

nickwrb · 2025-12-19T07:19:45 1766128785

That’s not the only option, though. There is also institutional membership, which is basically the same as the previous subscription model, just pitched the other way around. Authors whose institutions are members don’t have to pay the processing charge.

Here’s the list of current members: https://libraries.acm.org/acmopen/open-participants

nickwrb · 2025-12-10T10:23:51 1765362231

If you need to handle OAuth, I have a service to help with that: https://auth-email.com

Authorize once in a web dashboard, then use your accounts as if they didn’t need OAuth (ie. normal IMAP, POP3 or SMTP).

nickwrb · 2025-11-10T16:54:19 1762793659

https://auth-email.com

OAuth is here to stay for major email providers (Outlook, Gmail, etc). Microsoft is dropping support for standard/basic authorization in April 2026, and Google has already done this. But plenty of devices and systems don't (and may never) support OAuth.

Auth-Email is a relay that lets you continue using traditional email auth methods even when your provider requires OAuth. Lots of other more advanced features too: all OAuth grant types, add-ins to modify behavior and lots more.