Tammy.eth

4.6K posts

@TammyBuilds

Smart contract dev → security researcher | Solidity • Foundry • EVM internals | Documenting my path into Web3 security

ON-CHAIN Joined June 2025
421 Following 341 Followers
Pinned Tweet
Tammy.eth@TammyBuilds·
someone with 6 months of experience just got paid $100,000 for a single bug bounty finding. i'm at roughly that same point in my journey and haven't found anything yet. no valid findings. no contest payouts. just months of studying, breaking things in practice environments, and slowly learning to read code the way an attacker would. on the days it feels pointless, a post like that is the thing that resets the perspective. because it proves the timeline isn't as long as it feels from inside the grind. 6 months is enough, if those months go into the right things. reading real code, not just tutorials. building the instinct, not just the knowledge. i don't know when my first finding comes. but i know it's closer than it was yesterday.
Tammy.eth@TammyBuilds·
@dethSCA the ones who can actually evaluate technical talent usually became technical themselves. founders who can't read the code can't vet the person writing it either
deth@dethSCA·
to all devs: an audit isn't a stamp. it's an argument that your code does what you think it does — and a list of every place it doesn't. clean PDF? no pushback? you didn't get an audit, you bought a badge for your landing page
Tammy.eth@TammyBuilds·
@pashov the ones who can actually evaluate technical talent usually became technical themselves. founders who can't read the code can't vet the person writing it either
pashov@pashov·
web3 founders truly don't know how to hire good devs lol
Tammy.eth@TammyBuilds·
@RealJohnnyTime most people read code to understand what it does. auditors read it to find where it stops doing what everyone assumed it would
JohnnyTime 🤓🔥@RealJohnnyTime·
Every exploit starts as a tiny inconsistency that everyone else scrolled past. The bug was always there. Someone just stopped to ask why.
Tammy.eth@TammyBuilds·
@panditdhamdhere @gakonst foundry changed how i write and test contracts entirely. the speed of having everything in solidity instead of switching contexts to javascript is something you don't appreciate until you've used both
Pandit | Ξ🦇🔊@panditdhamdhere·
In last 6 years as a developer, this is the greatest ever tool i used in my tech career. Massive Respect @gakonst & Rust 🦀 maxis team.
Tammy.eth@TammyBuilds·
@HildaGilbora spending time and spending time on the right things are two completely different things. took me longer than i'd like to admit to figure out the difference
Hilda@HildaGilbora·
@TammyBuilds Hmmmm, true. How you spend the time matters.
Tammy.eth@TammyBuilds·
@HakimChbn73510 this is exactly what i've been working on shifting less theory, more actual hunting. the discomfort of not knowing if you'll find anything is the part most people avoid. trying to sit in it anyway
Hakim CHBN@HakimChbn73510·
@TammyBuilds Just start real hunting, don't dive deeply into theory and courses only, start hunting, focus on one or two bugs that you really understand theoretically, and start real work, you will see the results bro
Tammy.eth@TammyBuilds·
@HildaGilbora best decision i made was finding a structured path there instead of jumping between random courses. the difference in progress is night and day
Hilda@HildaGilbora·
@TammyBuilds This is true. I am currently learning on Cyfrin Updraft.
Tammy.eth@TammyBuilds·
i spent 3 months "learning" smart contract security before i found a structured roadmap. i was watching random courses, jumping between topics, consuming content that felt productive but wasn't building anything real. after 3 months i couldn't tell you what i actually knew. then i found @CyfrinUpdraft and everything changed. suddenly there was a clear path, solidity foundations, then foundry, then advanced concepts, then security. each thing built on the last. i stopped feeling lost and started actually making progress i could measure. the difference wasn't effort. i was putting in effort the whole time. the difference was structure. if you're learning web3 security right now and feeling like you're going in circles — it's probably not you. it's the path. find a structured roadmap and follow it start to finish before jumping to anything else. the 3 months i spent lost were expensive. they didn't have to be.
Dex@DanielOlaw53386·
@TammyBuilds Tammy motion these days>>>
Tammy.eth@TammyBuilds·
@iamwehi yeah it is cyfrin changed how i approached learning this space entirely. went from feeling lost to actually having a path worth following
wehi@iamwehi·
@TammyBuilds cyfrin is really cool, highly recommend their signer courses
Tammy.eth@TammyBuilds·
@ControlZ_1337 open sourcing the actual workflow instead of just talking about AI in auditing is rare. most people keep the harness private. interested to see how it holds up on real codebases
AyaCommunity@theayacommunity·
Are you spotting any familiar faces? 👀 We’ve got some insane builders & minds speaking at the Ethereum Build camp… but the real question is, how many of them do YOU already know? If you see someone you’ve learned from or followed → tag them below 👇 More details here: buildcamp-nine.vercel.app
Tammy.eth@TammyBuilds·
@immunefi @__nnez would love to know how he decides a target is worth spending serious time on versus moving on. that filter seems like half the skill
Immunefi@immunefi·
This Security Researcher has earned $1,764,402 on Immunefi. $519,991 in 2026 alone (so far). Now @__nnez is coming on The Immunefi Show to break down his hunting process, how he chooses targets, and how to use AI to actually find bugs. What should we ask him?
Tammy.eth@TammyBuilds·
@immunefi $140M paid out means the protocols that didn't get hacked because of those findings saved multiples of that. bug bounties are still one of the highest ROI security investments in the space and most protocols still treat them as optional
Immunefi@immunefi·
We've just crossed $140,000,000 in payouts to security researchers on Immunefi. Huge shoutout to every single SR who's gotten a payment. Collectively, you've saved countless billions from being hacked. Imagine what crypto would've looked like without those contributions.
Tammy.eth@TammyBuilds·
@sherlockdefi the contracts passing audit while the signing flow or frontend introduces the real vulnerability is one of the most underreported attack surfaces in web3. the scope of "secure" has to expand beyond the solidity file
SHERLOCK@sherlockdefi·
More teams are coming to Sherlock to test the full system their contracts depend on. Signing flows, frontends, wallets, infra, access control, integrations: this is where clean code still turns into real risk. Quick writeup below.
x.com/i/article/2070…

Tammy.eth@TammyBuilds·
@FireFlySquid380 claude is useful for understanding code quickly and generating hypotheses but it hallucinates enough that every finding needs manual verification. treat it as a first pass, not a final answer
Tammy.eth@TammyBuilds·
survivorship bias point is fair. but "AI will fix all the bugs" misses the part where AI consistently misses business logic errors, cross-protocol assumptions, and anything that requires understanding what the protocol was supposed to do vs what it actually does. that gap is still entirely human
Mixas.eth@MihailVarich·
@TammyBuilds It's great if stories like these motivate you. But I always remember that it's survivorship bias. And what's worse, today you're not just competing with other people in finding bugs. Tomorrow, Anthropic will release a new model, and it will fix all the bugs without us…
Tammy.eth@TammyBuilds·
@eligibleumary same boat, still in uni, still in the courses, still showing up anyway. the ones who make it aren't the ones who had perfect conditions, they're the ones who didn't wait for them
Umary 🐺@eligibleumary·
@TammyBuilds I'm still stuck in my courses. Though it's because I am still in the Uni. But as long as one didn't stop it, he will reach it.
Tammy.eth@TammyBuilds·
@ar3za12 Real!! valid bugs with no payout still means the skill is there. the luck part is real but it finds the people who keep submitting, not the ones who stopped
AR@ar3za12·
@TammyBuilds For me it's already one year and still no bounty but valid bugs, so yes we can learn things from them but it may depend on consistency and luck