🚨 People continue to invent new ways to create security issues.
I found out about ClonesWithImmutableArgs, and I found a structural problem in this pattern.
It doesn't mean all contracts will be exploitable, but we must know when they are vulnerable.
twitter.com/boredGenius/status/1484618024564891648
Understanding how the code you import works is incredibly important.
This new pattern creates clones of a contract, simulating immutable args using `calldata` and lots of assembly.
The problem is that the "immutable" args are just "calldata" args (not really immutable). This means that ANYONE can call the contract with specially crafted calldata.
When that happens, your implementation will parse that calldata and use the arguments.
Thus the "immutable" args are not actually immutable.
I assume the creator of this pattern chose the word "immutable" because the arguments exist in the code. But there is a difference that makes this whole thing exploitable.
First, we need to understand how the pattern works.
The whole implementation uses another common pattern known as the Beacon Proxy Pattern.
In the Beacon Proxy Pattern, you have a pair of contracts: one is the actual implementation, and the other is the beacon pointing to the implementation.
The Beacon points to the implementation, and it holds the contract storage.
This pattern is a simple way of deploying multiple "thin" contracts, each with its own storage that behaves identically to all others (has the same implementation).
In the Beacon Proxy pattern, the users interact with the Beacons and the Beacon delegates the execution to the Implementation.
This pattern is very similar to Clones With Immutable Args. The difference is that some arguments are passed down to the Implementation through calldata.
If you want to understand how this is done, it's not very easy, but I'll help you.
It's not easy because it's assembly. But follow below 👇
The immutable args are sent to the contract when a new contract is deployed and saved in the bytecode (similar to actual immutable variables).
Thus, the Beacon is deployed when the `.clone(implementation, args)` method is called.
The Beacon holds the "immutable args" and all execution is forwarded (with delegatecall) to the `implementation`, adding the "immutable args" at the end (`extra`).
At the other end, the implementation picks up the arguments from the calldata using specially crafted functions.
The function below reads an address.
The problem appears when the implementation believes the address should be trusted and specifically when it delegates more execution to it.
Your implementation can do whatever it needs with the arguments. And sometimes you might need to delegatecall to the received address.
Follow this example using the ClonesWithImmutableArgs pattern.
Have a look and tell me if there is something wrong with it.
Did you see the problem? Is it obvious?
I hope it's a bit more obvious now that you understand how this pattern works.
You can't trust the address returned by `_getArgAddress(0)`. Why?
In theory, this should be a trusted address that the Beacon forwards to you.
But anyone can call this contract and add whatever address they want in the calldata.
This means that CodeRunner will delegatecall to an address controlled by the attacker.
You might say this isn't a problem.
However, the delegated code can choose to selfdestruct. And because all execution happens in the implementation, the implementation selfdestructs.
This means that all beacons point to a self-destructed contract.
You don't change the Beacon's storage but make all Beacons unusable.
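An added illustration, not the thread author's original snippet and not the library's own code: a `CodeRunner` reconstructed from the description above, next to a guarded variant that refuses to run when the implementation is called directly. The `GuardedCodeRunner` name, the `onlyViaClone` modifier, the `run` signature and the import path are assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

// Import path is an assumption; adjust it to your project's remappings.
import {Clone} from "clones-with-immutable-args/Clone.sol";

/// Reconstructed from the thread's description (not the author's snippet).
/// Vulnerable when called directly: the calldata tail is whatever the
/// caller sent, so `_getArgAddress(0)` is caller-controlled.
contract CodeRunner is Clone {
    function run(bytes calldata data) external returns (bytes memory) {
        address target = _getArgAddress(0); // read from the end of calldata
        (bool ok, bytes memory ret) = target.delegatecall(data);
        require(ok, "delegatecall failed");
        return ret;
    }
}

/// Hypothetical hardened variant: only runs in a clone's context.
contract GuardedCodeRunner is Clone {
    // Fixed when the implementation is deployed and stored in its bytecode,
    // so it keeps the same value when a clone delegatecalls into this code.
    address private immutable self = address(this);

    // In a delegatecall from a clone, address(this) is the clone, not `self`.
    // In a direct call, address(this) == self and the args are untrusted.
    modifier onlyViaClone() {
        require(address(this) != self, "direct call to implementation");
        _;
    }

    function run(bytes calldata data)
        external
        onlyViaClone
        returns (bytes memory)
    {
        // Through a clone, the tail was appended by the clone's own bytecode.
        address target = _getArgAddress(0);
        (bool ok, bytes memory ret) = target.delegatecall(data);
        require(ok, "delegatecall failed");
        return ret;
    }
}
```

The guard only closes the direct-call path to the implementation. Whoever deploys a clone still chooses the address it delegatecalls, so that address must be code the deployer trusts.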
I believe it's extremely important to understand how patterns work behind the scenes and make sure your code doesn't open up doors that should stay closed.
I am not saying we should stop using code from other devs, but it's really difficult to include code and know exactly how it works.
Most of the time we must trust something, but we shouldn't trust Solidity code.