0xdeadf4ce
@0xdface
12.6K posts
checking the chain
Blockchain · Joined January 2018
3.5K Following · 2.9K Followers

WhiteHatMage @WhiteHatMage
@Ehsan1579 Great job, man. Now you’ll have to aim for first place.

unsafe_call @unsafe_call
Looks like @ResolvLabs got hit with a private key compromise. The transaction where an attacker swapped 100,000 USDC for 50,000,000 USR had an inflated rate, but is only callable by the SERVICE_ROLE. Off chain uses Pyth, but the price feeds were stable.

Quoting DCF GOD @dcfgod:
Quick updates on USR / @ResolvLabs exploit:
- Exploiter mints 50M USR
- Sells it via MetaMask swap (farming the airdrop ofc)
- USR goes to 5c
- Protocol could snapshot everyone's balances pre exploit as the exploiter didn't take any of the underlying funds
- LPs rekt as exploiter is able to dump into AMM pools
- Dola getting hit as a side effect as it's partially backed by USR / USR-DOLA LP
- Probably not a good idea to buy USR as the exploiter still has their minted USR and you'd be screwed if team refunds based on pre exploit snapshot
- Haven't seen any word from the resolv team but hopefully they're on it
- Shoutout @yieldsandmore for being all over this

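The failure mode in the post above is a privileged (SERVICE_ROLE-only) swap executing at a rate far from the oracle while the oracle itself was fine. The check below is an added example of the off-chain monitor a practitioner would want for that path; it is not Resolv's code and not from the post. It embeds the post's amounts (100,000 USDC in, 50,000,000 USR out) as a constructed event next to a normal-looking one; the event shape, the token decimals (USDC 6, USR 18), the oracle rate of 1 USR per USDC, and the placeholder tx/caller labels are all assumptions.

```javascript
// Added example (not Resolv's code). Compare the rate a role-gated swap
// actually executed at with the oracle rate at that block and flag outliers.
// Everything below the helpers is constructed sample data.

// Assumed token decimals: USDC 6, USR 18.
const DECIMALS = { USDC: 6n, USR: 18n };
const SCALE = 10n ** 18n; // fixed-point scale for rates

// Convert a human-readable amount ("100000" or "0.5") into base units.
function toUnits(amount, decimals) {
  const [whole, frac = ""] = String(amount).split(".");
  const fracPadded = (frac + "0".repeat(Number(decimals))).slice(0, Number(decimals));
  return BigInt(whole) * 10n ** decimals + BigInt(fracPadded || "0");
}

// Executed rate (tokenOut per tokenIn) as an 18-decimal fixed point, with the
// two tokens' decimals normalised away so USDC(6) vs USR(18) compares cleanly.
function impliedRate(amountIn, inDecimals, amountOut, outDecimals) {
  return (amountOut * 10n ** inDecimals * SCALE) / (amountIn * 10n ** outDecimals);
}

// Flag a swap whose executed rate deviates from oracleRate (same scale) by more
// than toleranceBps basis points. Privileged callers get no exemption: the whole
// point is that the role gate is not a price check.
function checkPrivilegedSwap(evt, oracleRate, toleranceBps = 200n) {
  const rate = impliedRate(
    evt.amountIn, DECIMALS[evt.tokenIn], evt.amountOut, DECIMALS[evt.tokenOut],
  );
  const diff = rate > oracleRate ? rate - oracleRate : oracleRate - rate;
  const deviationBps = (diff * 10000n) / oracleRate;
  return {
    tx: evt.tx,
    caller: evt.caller,
    role: evt.role,
    executedRate: rate,
    deviationBps,
    suspicious: deviationBps > toleranceBps,
  };
}

// Constructed sample events (tx and caller are placeholders). The first mirrors
// the amounts in the post; the second is a swap at roughly par.
const SAMPLE_EVENTS = [
  { tx: "tx-1", caller: "service-signer", role: "SERVICE_ROLE",
    tokenIn: "USDC", amountIn: toUnits("100000", 6n),
    tokenOut: "USR", amountOut: toUnits("50000000", 18n) },
  { tx: "tx-2", caller: "service-signer", role: "SERVICE_ROLE",
    tokenIn: "USDC", amountIn: toUnits("250000", 6n),
    tokenOut: "USR", amountOut: toUnits("249800", 18n) },
];

// Assumed oracle rate: 1 USR per USDC (the post says the feed was stable).
const ORACLE_USR_PER_USDC = 1n * SCALE;

// Return only the events that breach the tolerance.
function scan(events = SAMPLE_EVENTS, oracleRate = ORACLE_USR_PER_USDC) {
  return events
    .map((e) => checkPrivilegedSwap(e, oracleRate))
    .filter((r) => r.suspicious);
}

for (const hit of scan()) {
  console.log(`${hit.tx} by ${hit.caller} (${hit.role}): ` +
    `rate ${hit.executedRate} vs oracle ${ORACLE_USR_PER_USDC}, ` +
    `deviation ${hit.deviationBps} bps`);
}
```

The same comparison belongs on-chain as a guard in the privileged function itself (revert when the executed rate is outside a band around the oracle price, and cap the amount mintable per call or per block), so that a compromised signer's reach is bounded by the contract rather than by an alert that fires after the fact.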
0xdeadf4ce @0xdface
If a single signer or service role can bring down your entire protocol you're not competing with TradFi. You're just making it worse for everyone in DeFi.

TrustSec @TrustSecAudits
TrustSec 1 - 0 Opus, GG. This kind of finding is where humans will always have the edge: combining benign behaviors in unusual sequence, using defensive checks for offense, specialized logical impacts. Fellow human hunters, don't let the FUDers get to you, the future is ours.
[attached image]

0xdeadf4ce @0xdface
@bangjelkoski @injective
> There was no impact realized from this issue.
If a bug isn't significant because it wasn't "realized" I guess we can leave the whole thing to North Korea and just pack it up then?

Bojan Angjelkoski @bangjelkoski
Security is paramount at @injective and we take our bug bounty program very seriously.

First and foremost, the figures referenced in the post are entirely misleading. There was no impact realized from this issue. Zero user funds were affected and zero addresses were compromised. For the stated vulnerability to work in practice, it would require execution of several suspicious transactions that would have an extraordinarily limited impact. Injective has dynamic rate limiting functionalities which are applied automatically based on our live monitoring systems. This functionality has been live on mainnet since last year and is publicly available in our code base.

In addition to all of the above, this report was reviewed against the clearly defined terms of our Immunefi program. Based on those terms, issues such as those raised in this report that DO NOT impact block production or consensus are categorized outside of the Blockchain/DLT tier and carry a maximum payout of $50,000. If the poster had requested a mediation we would explain to him the dynamic rate limiters and monitoring systems we have in place and why his stated figures are misleading. However, he did not do so. We always follow the procedures set forth by the Immunefi program and expect the submitter to do so as well.

We remain committed to fair, transparent, and consistent handling of all reports, and to maintaining the highest standards of security for the ecosystem. Injective has done so since its mainnet inception in 2021 and will continue to do so in perpetuity, always putting builders and security first.

Quoting f4lc0n @al_f4lc0n:
I Saved Injective's $500M. They Pay Me $50K.

I like hunting bugs on @immunefi. I'm decent at it.
- #1 — Attackathon | Stacks
- #2 — Attackathon | Stacks II
- #1 — Attackathon | XRPL Lending Protocol
- 1 Critical and 1 High from bug bounties (not counting this one)

Life was good. Then I found a Critical vulnerability in @injective. This vulnerability allowed any user to directly drain any account on the chain. No special permissions needed. Over $500M in on-chain assets were at risk.

I reported it through Immunefi. The next day, a mainnet upgrade to fix the bug went to governance vote. The Injective team clearly understood the severity.

Then — silence. For 3 months. No follow up. No technical discussion. Nothing.

A few days ago, they notified me of their decision: $50K. The maximum payout for a Critical vulnerability in their bug bounty program is $500K.

I disputed it. Silence again. No explanation for the reduced payout. No explanation for the 3 month ghost. No conversation at all. To be clear: the $50K has not been paid either.

I've seen others share bad experiences with bug bounty payouts recently. I never thought it would happen to me. I can't force them to do the right thing. But I won't let this be forgotten. I will dedicate 10% of all my future bug bounty earnings to making sure this story stays visible — until Injective pays what I deserve.

Full Technical Report: github.com/injective-wall…

0xdeadf4ce reposted
cartoon.the🦄.eth @cartoonitunes
Just verified the source code of 1,644 unidentified Ethereum contracts. All deployed with identical bytecode, all showing as unverified on Etherscan for 9 years. 681 $ETH across 263 ancient Mist wallets. The code was written by Gavin Wood in December 2015. Here's the story 🧵

0xdeadf4ce @0xdface
@0x15_eth IKR. Seems I may not have been precise enough. But it's definitely part of the "experience". I wouldn't trade in the part of solving puzzles and coming up with ways to break things for anything else at the moment. The "work environment"... isn't always the fulfilling part though.

0x15.eth @0x15_eth
@0xdface What’s stressful isn’t really the hunting but interaction with protocol teams and platforms.

0x15.eth @0x15_eth
The level of mental exhaustion that comes with being a Web3 security researcher in this space is not for the weak fr. Most people who are new to this industry only see the big payout posts, but they have no idea... (and I mean no idea) what it actually takes to earn one.

You spend countless hours hunting bugs, testing exploits, and writing reports, only for platforms to throw your work in the trash. They wrongly invalidate, downgrade severity, reduce payout amounts, ghost reports, take forever to respond, and take even longer to pay. You’re constantly fighting to eat. Man, it’s brutal.

Yes, the payouts can be good if you manage to land one, but the process is so exhausting that it can leave you wondering whether it was even worth it. It’s mentally draining, and honestly, the protocols you spend so much time trying to protect often don’t really care about you. Whitehats are treated unfairly in this space, and at times it feels like some protocols don’t deserve the effort people put in to keep them safe.

To anyone thinking about getting into Web3 security: think twice and really ask yourself if this is what you want. Please don’t get distracted by the payout posts. You have no idea what you may have to go through behind the scenes. You’re probably better off finding another space that gives you more peace of mind.

I go soon japa too cos omo... 🤣

Quoting playboi.eth @adeolRxxxx:
I don’t think I can continue this career path for long. I’ve experienced exhaustion every day for the past week bro that I can’t even sleep at night. Bro I’m sad I’m mentally exhausted.

0K @ZeroK_____
🙂
[attached image]

0xdeadf4ce @0xdface
@adeolRxxxx You are your single most valuable asset. Not those in anyone's vault. Take care of yourself first. Always.

playboi.eth @adeolRxxxx
I don’t think I can continue this career path for long. I’ve experienced exhaustion every day for the past week bro that I can’t even sleep at night. Bro I’m sad I’m mentally exhausted.

0xdeadf4ce reposted
L0la L33tz @L0laL33tz
“Oh my god, the Treasury said we can use mixers if we promise we won’t do crime”

Listen here you fucking idiots. The very notion of “lawful users of digital assets” implicates a mechanism to distinguish between “lawful” and “unlawful” use. The report very clearly lays out how this will be distinguished, and it isn’t magic wands and fairy dust.

Since no one who claims this report is “a win for privacy” seems to have actually read it, here are some of the recommendations the Treasury actually makes:
- Finalization of the regulation of mixers under the PATRIOT Act as well as the introduction of a sixth special measure under the PATRIOT Act targeted at non-custodial software
- The creation of sub-types of non-bank financial institutions in the BSA targeted at DeFi services
- To rescind, modify, or update 2013 & 2019 FinCEN guidance that has been protecting non-custodial software and developers
- To incentivize the development and integration of digital identity tools aimed at countering illicit finance

Nothing, and I mean **nothing** about this is good for privacy at all.

Quoting The Rage @theragetech:
🔴 News outlets are touting a recent report by the US Treasury on the combatting of illicit finance in digital currencies as a "win for privacy." This is incorrect.

While the report notes that "lawful users of digital assets may leverage mixers to enable financial privacy when transacting through public blockchains," the majority of language on mixers highlights their use in terrorist financing and other illicit activities, as well as the challenges mixers introduce for law enforcement. As the Treasury states: "Criminals commonly use tools like mixing [...] to introduce challenges for investigators attempting to trace illicit digital assets, frustrating law enforcement investigations as well as DASPs’ transaction monitoring and tracing efforts."

While the report issues no new recommendations on the future of mixers, it notes that the Treasury has already proposed a rule to regulate mixers under the PATRIOT Act that it has been tasked to finalize by the White House.

According to the report, the Treasury has additionally adopted the following recommendations:
- Treasury will "incentivize the development and integration of digital identity tools aimed at countering illicit finance"
- Treasury will "explore working with Congress on ways to better enable third-party service providers to conduct identity verifications"
- Treasury will "encourage industry stakeholders to develop open-source and standardized APIs for essential compliance functions"

Regarding Decentralized Finance (DeFi), the Treasury further recommends that:
- "Congress should consider specifying actors within the decentralized finance ecosystem that should be subject to AML/CFT obligations"
- "Congress should consider how to best safeguard the U.S. financial system from money laundering threats that originate abroad, including those in the decentralized finance ecosystem," that should ***"include adding a sixth special measure*** to Section 311 [PATRIOT Act] authorizing Treasury to prohibit, or impose conditions upon, certain 'transmittals of funds' that are not tied to a correspondent banking relationship."
- "Congress should consider creating digital asset-specific financial institution types or subtypes within the BSA, such that the new types or subtypes would be subject to AML/CFT obligations"
- "FinCEN should evaluate whether and how its existing guidance related to the digital asset sector, including guidance issued in 2013 and 2019, should be rescinded, modified, or updated to reflect legislative and regulatory changes"

0xdeadf4ce reposted
GONDI @gondixyz
✅ UPDATE: Exploit Contained

We can now confirm the situation is fully contained and no further NFTs are at risk.

What our investigation found:
• A limited number of NFTs were affected
• The exploit was isolated to the Sell & Repay contract deployed on February 20
• All users who interacted with this contract and were impacted have been contacted directly by our team

What was never at risk:
• NFTs in active loans — not affected, at any point
• Buying, selling, listing, accepting bids, and trades — not affected, at any point

All platform activity is safe to resume, including:
→ Repaying, renegotiating, and refinancing loans
→ Starting new loans
→ Listing for sale, buying, accepting bids, and trades

The Sell & Repay feature remains disabled while we deploy a fix. All other functionality is fully operational.

Thank you for your patience and for acting quickly on our earlier guidance.

0xdeadf4ce reposted
chrisdior @chrisdior777
pov: you found your first valid Critical-severity bug

0xdeadf4ce reposted
GONDI @gondixyz
⚠️ UPDATE: Gondi Security Incident

We have new information on the exploit.

What we now know:
• The exploit appears to affect NFTs that are NOT currently in active loans
• It is tied to an approval vulnerability on the affected contracts (Purchase Bundler)
• NFTs held as collateral in active loans do not appear to be at risk at this time

What you should do right now:
→ Do NOT repay your loans until we confirm it is safe to do so
→ Revoke approvals for the affected contract immediately via revoke.cash
→ Do not initiate any new activity on the platform

Affected contracts (all Purchase Bundler):
0xc10472ac1bf9f2e58ff2c83596b4535334c90814 (Ethereum Mainnet)
0x1fba531724ea2493a15bf5c4ea05f6ab5c0fcd62
0x53ceda4c47585df08201955820e23bb261489140
0x3b59bffe109e0f33f20887343759a98b48ecdf5f
0xfd31a0cd628f0bab2cc174c3abd6bfc2d01aca61
0xfaaff69da43b8195e5b0945c4fea4476e4264157 (HypeEvm)

If you have a loan that is about to expire and need to take action, please do NOT interact with the platform directly. Instead, open a support ticket in our Discord and the team will assist you personally.

We will post another update as soon as we can confirm it is safe to resume normal activity. Thank you for your patience — we are working as fast as possible.

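The advisory above tells holders to revoke approvals for the listed Purchase Bundler contracts. What that means at the contract level is checking `isApprovedForAll(holder, operator)` on each NFT collection the holder owns and, where it returns true, sending `setApprovalForAll(operator, false)`. The snippet below is an added example of doing that check by hand, without a wallet UI or an RPC library; it is not Gondi's code and not from the advisory. It uses the operator addresses the post lists; the collection address, the holder address and the node responses are constructed placeholders, and the standard ERC-721 selectors are hard-coded rather than derived from keccak256 at runtime.

```javascript
// Added example (not Gondi's code). Build the eth_call requests that test
// whether a holder still has a blanket ERC-721 approval for each operator in
// the advisory, decode the answers, and produce the revoke calldata.

// Standard ERC-721 selectors: first 4 bytes of keccak256 of the signature.
const SEL_IS_APPROVED_FOR_ALL = "e985e9c5"; // isApprovedForAll(address,address)
const SEL_SET_APPROVAL_FOR_ALL = "a22cb465"; // setApprovalForAll(address,bool)

// Operator contracts from the advisory (all Purchase Bundler). The post labels
// only the first as Ethereum Mainnet and the last as HypeEvm; the chain of the
// others is not stated, so each request must go to the right chain's node.
const AFFECTED_OPERATORS = [
  "0xc10472ac1bf9f2e58ff2c83596b4535334c90814",
  "0x1fba531724ea2493a15bf5c4ea05f6ab5c0fcd62",
  "0x53ceda4c47585df08201955820e23bb261489140",
  "0x3b59bffe109e0f33f20887343759a98b48ecdf5f",
  "0xfd31a0cd628f0bab2cc174c3abd6bfc2d01aca61",
  "0xfaaff69da43b8195e5b0945c4fea4476e4264157",
];

// Left-pad a 20-byte address to a 32-byte ABI word.
function padAddress(addr) {
  const clean = addr.toLowerCase().replace(/^0x/, "");
  if (!/^[0-9a-f]{40}$/.test(clean)) throw new Error(`bad address: ${addr}`);
  return clean.padStart(64, "0");
}

// calldata for collection.isApprovedForAll(owner, operator)
function encodeIsApprovedForAll(owner, operator) {
  return "0x" + SEL_IS_APPROVED_FOR_ALL + padAddress(owner) + padAddress(operator);
}

// calldata for collection.setApprovalForAll(operator, approved); false revokes
function encodeSetApprovalForAll(operator, approved) {
  const flag = (approved ? "1" : "0").padStart(64, "0");
  return "0x" + SEL_SET_APPROVAL_FOR_ALL + padAddress(operator) + flag;
}

// Decode the single bool word that isApprovedForAll returns.
function decodeBool(returnData) {
  const clean = returnData.replace(/^0x/, "");
  if (clean.length !== 64) throw new Error(`unexpected return size: ${returnData}`);
  return BigInt("0x" + clean) !== 0n;
}

// One JSON-RPC eth_call per operator, all against the same collection.
function buildApprovalChecks(collection, owner, operators = AFFECTED_OPERATORS) {
  return operators.map((operator, i) => ({
    jsonrpc: "2.0",
    id: i + 1,
    method: "eth_call",
    params: [{ to: collection, data: encodeIsApprovedForAll(owner, operator) }, "latest"],
  }));
}

// Given the node's responses in request order, return the revoke transactions
// still needed: one setApprovalForAll(operator, false) per approved operator.
function planRevocations(collection, owner, responses, operators = AFFECTED_OPERATORS) {
  if (responses.length !== operators.length) throw new Error("response count mismatch");
  const revokes = [];
  responses.forEach((resp, i) => {
    if (decodeBool(resp.result)) {
      revokes.push({ from: owner, to: collection, data: encodeSetApprovalForAll(operators[i], false) });
    }
  });
  return revokes;
}

// Constructed sample: placeholder collection and holder, and node responses
// saying only the first operator is still approved.
const SAMPLE_COLLECTION = "0x1111111111111111111111111111111111111111"; // placeholder
const SAMPLE_OWNER = "0x2222222222222222222222222222222222222222"; // placeholder
const SAMPLE_RESPONSES = AFFECTED_OPERATORS.map((_, i) => ({
  jsonrpc: "2.0",
  id: i + 1,
  result: "0x" + (i === 0 ? "1" : "0").padStart(64, "0"),
}));

function demo() {
  const checks = buildApprovalChecks(SAMPLE_COLLECTION, SAMPLE_OWNER);
  const revokes = planRevocations(SAMPLE_COLLECTION, SAMPLE_OWNER, SAMPLE_RESPONSES);
  return { checks, revokes };
}

console.log(JSON.stringify(demo(), null, 2));
```

Two caveats when using this for real: the check has to be repeated per collection the holder owns, since approvals are stored on the NFT contract, not on the operator; and `isApprovedForAll` only covers blanket approvals, so a per-token `approve(operator, tokenId)` would have to be found through `getApproved(tokenId)` and cleared with `approve(0x0, tokenId)` separately.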
0xdeadf4ce @0xdface
@mbaril010 @Ledger @Trezor Could've just printed a crosshair on a shirt instead of having all those in one place. Too bad the opsec is the least of his concerns.

mbaril010.eth 🦇🔊 @mbaril010
No @Ledger, only @Trezor and YubiKey 😂 I'm glad he got arrested.

Quoting FBI Director Kash Patel @FBIDirectorKash:
Last night, John Daghita – a U.S. government contractor who allegedly stole more than $46 million in cryptocurrency from the U.S. Marshals Service – was arrested on the island of Saint Martin by the French Gendarmerie’s premier elite tactical unit in a joint operation with the @FBI.

Thanks to the International Cooperation Team Serious Crime Unit of the French Gendarmerie National in Saint Martin, and the Groupe d’intervention de la Gendarmerie nationale of Guadeloupe for the outstanding coordination.

FBI will continue working 24/7 with our international partners to track down, apprehend, and bring to justice those who attempt to defraud American taxpayers—no matter where they try to hide.