Pinned Tweet
Revofusion
327 posts

Revofusion
@revofusion
DLT & ZK Audits @MoonAISec | Building @luminexio | Rust+C+Solidity proofs with autoformalization
Joined August 2021
525 Following · 1.9K Followers

After doing extensive Bug Bounty and interacting with dozens of protocols, in the Infra Space among the major blockchains, I believe only these protocols (currently) actually care about security:
1. Solana
2. Ethereum
3. Monad
4. Sei
Most of the other blockchains don't care about either security or respecting whitehats.

Revofusion retweeted

Using Lean 4 to identify contradictions in laws.
Very exciting work by Pramaana Labs pramaanalabs.ai. They have built a DSL called LegalLean to formalise US tax codes.


Revofusion retweeted

Security researcher @revofusion just earned $50,000 for a High vulnerability.
Their highest win ever...so far.
Pledge $IMU to revo here - whoever does will be the first: immunefi.com/pledge/revofus…


@trentdotsol I think that's a fair position to take, at least you guys state it out of scope clearly!

@revofusion if we were competent to write and maintain that logic, we wouldn't be using a dependency in the first place. how are we fit to verify and mitigate the claims? we're more likely to make the problem worse

i don't think i've reviewed a single pr this week. instead massive influx of slop ghsas
trent.sol @trentdotsol
@deanmlittle you should open a bug bounty program if you want to really feel pain

@trentdotsol If it affects the execution of your program, does it matter if you wrote it? If you use a networking library and it has a bug that allows an attacker to take down every solana node, it just seems a little light to claim external

@revofusion why would we pay for bugs we did not write? how are we fit to triage the claims? report to upstream. let them do their job. we'll light them on fire if they fuck us with disclosure (has happened)

@TopengaNFT It was a High from EF (50K). Solana excludes dependencies under bug bounty (weird policy), and Sui was behind 150 points on HackenProof which my account didn’t have yet. For Polkadot, their bug bounty has been unresponsive, reported a month ago.

@revofusion and did they categorize as critical or medium? read the report and from my perspective the blast radius is high. also what stopped you from reporting to the others?

@TopengaNFT Just primary company, which was Ethereum Foundation in this case

@revofusion did you report as bugs to each or just to the dependency provider, my thought is most companies won't accept?

Revofusion retweeted

I Saved Injective's $500M. They Pay Me $50K.
I like hunting bugs on @immunefi . I'm decent at it.
- #1 — Attackathon | Stacks
- #2 — Attackathon | Stacks II
- #1 — Attackathon | XRPL Lending Protocol
- 1 Critical and 1 High from bug bounties (not counting this one)
Life was good. Then I found a Critical vulnerability in @injective .
This vulnerability allowed any user to directly drain any account on the chain. No special permissions needed. Over $500M in on-chain assets were at risk.
I reported it through Immunefi. The next day, a mainnet upgrade to fix the bug went to governance vote. The Injective team clearly understood the severity.
Then — silence. For 3 months. No follow up. No technical discussion. Nothing.
A few days ago, they notified me of their decision: $50K. The maximum payout for a Critical vulnerability in their bug bounty program is $500K. I disputed it. Silence again. No explanation for the reduced payout. No explanation for the 3 month ghost. No conversation at all. To be clear: the $50K has not been paid either.
I've seen others share bad experiences with bug bounty payouts recently. I never thought it would happen to me. I can't force them to do the right thing. But I won't let this be forgotten.
I will dedicate 10% of all my future bug bounty earnings to making sure this story stays visible — until Injective pays what I deserve.
Full Technical Report: github.com/injective-wall…

the sheer numbers of "is this update important?" this morning my god you people should just shut your fucking nodes down
trent.sol @trentdotsol
wake up your friends. wake up your enemies. get upgraded asap!

@revofusion Quite a coordinated strike across so many major protocols—hopefully this disclosure follows best practices for responsible security.

love that people are following our work on github
virtual addresses are one of the most obvious in hindsight features blockchains should've shipped to scale and save costs and headaches to users
reach out to us with feedback!
Harpalsinh Jadeja @harpaljadeja
👀 a very interesting TIP on Tempo - virtual addresses

@TTrevethan @januszg_ @sethforprivacy @bamskki This is not true, only 1 of the SOs has to delete the key. So you need all SOs to be malicious and a previous owner to be malicious.

@sethforprivacy @bamskki If a dishonest (i.e. didn't securely delete a key share) SO and a previous owner collude, they can spend the UTXO without restriction, and timelocks are irrelevant.

Spark might actually be worse than custodial services because users believe they have sovereignty they don’t have. This marketing reduces user vigilance. At least with Coinbase you know exactly what you’re signing up for.
Davi Strazza @davistrazza
self custody 🔐 on lightning ⚡️ at scale no trade-offs congrats on the amazing launch @cakewallet powered by @spark and @Breez_Tech

@bzogrammer at least my hardness assumption doesn’t get absolutely massacred every time someone finds a new factoring paper on eprint

Revofusion retweeted

Lighthouse v8.1.1 (Scary Terry) is out!
This is a mandatory upgrade for all users on prior versions due to a security fix. Please upgrade ASAP. Further details to follow.
Also fixes VC head monitor timeouts, DataColumnsByRange duplicate bug, and a slow memory leak.
github.com/sigp/lighthous…

@iruletheworldmo @adonis_singh But it’s not really, GPT 5.3 feels much smarter
Only Gemini feels comparable when it has its 5% consistently show of intelligence on deep think (rest of the time it hallucinates)

Revofusion retweeted

1/ Octane’s AI found a high-severity liveness bug in the @Nethermind execution client that could have stopped local block production for 38% of @ethereum mainnet validators.
This bug was patched via the @ethereumfndn bug bounty program, with no exploitation observed.




