pessimist

651 posts

pessimist banner
pessimist

pessimist

@0xpessimist

21. Assumptions break under a pessimistic lens. Security Researcher @Hashlock_, My sensei @0xSorryNotSorry, prev Game Designer https://t.co/0ZHCkSxkRc

Beigetreten Mayıs 2023
802 Folgt1.2K Follower
0x9527🦀
0x9527🦀@coffiasse·
Submitted bug bounty report a week ago No response so far Maybe the real vulnerability is the communication layer
0x9527🦀 tweet media
English
8
0
65
3.1K
pessimist
pessimist@0xpessimist·
@asen_sec Not really imo, the PoC comes before "found a bug", otherwise it's in theory. The gap is if the project wants to actually pay you, as even platforms can't enforce it..
English
0
0
1
36
0xasen
0xasen@asen_sec·
The gap between "found a bug" and "got paid for a bug" is the PoC. This skill just filled it. Free and open source. 🔥
cholakov@cholakovvv

🚀 This month I got 3 bug bounties paid out and built an open-source Claude Code skill along the way. Finding the bug is the hard part, but what really determines the outcome is how well you demonstrate its impact. That's where the PoC matters most: if it's not a mainnet-fork end-to-end test on real deployed contracts at the current mainnet state, it doesn't really prove impact. I iterated a lot before figuring out what actually works. Now it's a skill anyone can install. Free & fully open source 👇 github.com/cholakovvv/fou…

English
4
1
50
4.6K
pessimist
pessimist@0xpessimist·
@HackenProof nk11: north korean team of 11 hackers!? jk, congratz :)
English
0
0
2
67
HackenProof
HackenProof@HackenProof·
A $75,000 win for nk11 💰 He’s done it again - another $75,000 earned, and it’s far from his first big win. HackenProof salutes you. Keep hunting 🔥
HackenProof tweet media
English
10
7
152
3.9K
pessimist retweetet
Peter Kacherginsky
Peter Kacherginsky@iphelix·
There is another way to look at this. The LayerZero/KelpDAO hack was caught in about an hour. Teams saved another $72M+ by reacting instantly. It took JPMorgan 20+ years of ignoring screaming red flags before Madoff’s $65B Ponzi finally collapsed. Market manipulations like the RAVE token pump-and-dump got uncovered and crushed in under 24 hours by on-chain sleuths and exchanges. JPM’s own LIBOR, FX, and precious-metals rigging cartels ran for 5+ years before anyone outside the chat rooms noticed. A $60B Enron-style rug pull would be damn near impossible to hide on-chain. JPM managed to keep that one going for years through offshore shells, fake trades, and straight-up hiding the debt from analysts and investors. Maybe they’re concerned they wouldn’t be able to peddle opaque financial instruments on-chain without anyone noticing? You know, like the mortgage-backed securities they sold in the 2000s that triggered the $15+ trillion market meltdown. Are they really “concerned about our industry”? Or are they just using the latest hack as perfect cover to push their “institutional” DeFi vision and JPM Coin while CLARITY Act negotiations are still live? DeFi is not "scaring institutions away", it is scaring JPM that they will have to work honestly and transparently.
Immunefi@immunefi

It's exactly what we've been saying, and now JPMorgan agrees. Security is the key blocker to institutions coming onchain. And whoever solves this problem is going to unlock tremendous growth. theblock.co/post/398611/jp…

English
4
7
49
5.7K
pessimist retweetet
Jeffrey Scholz
Jeffrey Scholz@Jeyffre·
Do all your coding inside a VM. Seriously. UTM for Mac is free, works fantastically, and lets you run Mac inside Mac. Get into the habit now before you get rekt by library supply chain issues you cannot control or anticipate. mac.getutm.app Or buy a second laptop. Not having separation nowadays is lunacy.
CoinDesk@CoinDesk

LATEST: A senior blockchain security researcher at CertiK told CoinDesk on Wednesday that North Korea’s Lazarus Group is running a new macOS-focused campaign dubbed “Mach-O Man” that targets executives at fintech, crypto and other high-value firms through routine business communications.

English
26
50
788
129K
pessimist
pessimist@0xpessimist·
926d3682958b6261192a6ee2c60051d985de7be81ea2ec096cf2b5624d205e35
Français
0
0
1
91
pessimist retweetet
LonelySloth
LonelySloth@lonelysloth_sec·
ok, so mythos was leaked apparently. did the world end and I didn't notice? what sort of apocalypse is going on right now?
English
3
1
20
1.9K
pessimist retweetet
asymmetric research
asymmetric research@asymmetric_re·
CU optimizations come with risks. @_fel1x discusses a critical bug we found in p-token before mainnet, subtle enough to survive in a heavily scrutinized codebase.
asymmetric research tweet media
English
4
20
119
34.9K
pessimist
pessimist@0xpessimist·
@0xfrsmln I thought the person referred to as "white hat" was someone else (MEV bot etc.). Are we sure they referred to the person who started the attack as white hat? If so, that's so dumb..
English
0
0
1
70
frs.eth 🦇🔊
frs.eth 🦇🔊@0xfrsmln·
Somehow this kind of PoC is: 1. You get to be called a white hat. 2. It solves the duplication problem. 3. It guarantees payout. Is this the norm now? Somehow if you do this, it is a white hat act. We skip the platform middleman and go straight to exploit? Seems so wrong for me tbh
dango🍡@dango

The white hat has returned the funds in full, and has been awarded a bug bounty. User funds are completely unaffected. Our appreciation to the white hat for identifying the bug, securing the vulnerable funds before further damage could happen, and assisting us in strengthening our system. Team is now working on deploying additional guardrails to prevent similar situations from happening again. We expect dango.exchange to resume operation within the day.

English
10
1
49
3.8K
pessimist retweetet
Rekt News
Rekt News@RektHQ·
"In security, 99.99% is still a failing grade. And right now we're not winning." Lazarus Group could already be running an AI hacking tool for months at a time targeting your protocol. You wouldn't know. @0xriptide (@therealgregoAI) · Lilian Cariou (@Certora) · @MitchellAmador (@immunefi) Mod: @PataoPT @ Rekt Security Summit
English
5
6
36
6.1K
pessimist
pessimist@0xpessimist·
I'd really like to write a write-up for this bug, but it's not currently possible due to their bbp rules. Maybe if I can't resist the urge, I'll just share the fix commit :)
English
0
0
3
122
pessimist
pessimist@0xpessimist·
If what they spent $20k on is just a null-pointer dereference bug, then they must have done something incredibly wrong -- because I found the exact same type of bug with around $7 of spending using Claude Opus 4.6. That $7 includes not only detection, but also creating a PoC draft and asking all the questions I needed. And the bug I found was in a real, widely used (kinda lol) cryptography library, affecting multiple companies' products. Unlike what Anthropic seems to have found, mine can provably crash the related session and create a repeatable DoS at zero cost. "Mine" might not be the most accurate wording actually, it’s more like Opus's, or our, you get what I mean :D If we're going to calculate the value created by correlating it with the results, then instead of throwing $20k at the machine, you could get the same, or possibly better, result by having me spend $7 with Opus. It shouldn't be that hard to see that it's mostly humans that scales LLMs capabilities.
Ananay@ananayarora

Marcus Hutchins, the guy famous for stopping the WannaCry Ransomware, probably has the best take on Mythos doing vulnerability research

English
1
1
11
1.3K
pessimist retweetet
Marco Hextor
Marco Hextor@marcohextor·
Nice marketing, but transparency and public scrutiny are essential to real security When will @hyperbridge join @immunefi and put their code to a real test like Axelar, Wormhole, and others? No system is invulnerable solely due to architecture choices
Marco Hextor tweet media
English
3
2
31
4.9K
pessimist
pessimist@0xpessimist·
They deleted the tweet, but the internet doesn't forget.
pessimist tweet media
English
0
0
2
34
pessimist
pessimist@0xpessimist·
Biggest laugh I've had in a while
English
1
0
4
77
pessimist retweetet
LonelySloth
LonelySloth@lonelysloth_sec·
People act as if LLMs were as good at scaling as normal software. They feel the LLM doing X is very exciting because now you can just pay for more compute and do it at any scale! Nothing could be further from reality. In many tasks LLMs scale worse than humans.
LonelySloth@lonelysloth_sec

The most fundamental limitation about LLMs which you can easily see in practice again and again: It doesn’t scale from demo to large scale. It can do X perfectly once in scenario Y, so impressively your sure it’s AGI. Then it never does it again in any other scenario — or worse it does X in scenario Y’ instead of doing X’ which is what you wanted. It’s not that it’s “intelligence” is brittle. It’s like trying to cover a surface completely with a sparse collections of points. If you have lots of points and you squint hard it might look right. But in the real world the area covered is still infinitesimal

English
3
1
13
1.7K
pessimist
pessimist@0xpessimist·
Before even getting into the topic of finding zero days with LLMs, there are still plenty of dead simple bugs like this (quoted) in crypto. There aren't many unique contracts that has significant amounts of money in them, either no company/individual that have a proper LLM tool has seriously checked Ethereum (or other chains) extensively, or LLMs don't perform that well when we try to scale the work they do.
pessimist tweet media
pashov@pashov

🚨~$130k exploited today from SubQuery Network. Vulnerable code was written >2yrs ago. Access control missing. Basically, anyone can call the method below and set their own contract as the withdraw target for Staking rewards. Would your auditors catch this one?

English
1
0
13
1.7K

Entdecken

@coffiasse @0xalpharush @Dooflin5 @asen_sec @HackenProof @okkothejawa @_fel1x @0xfrsmln