ProofofBug
@ProofOfBug
68 posts
Joined February 2026
24 Following, 8 Followers

Pinned Tweet
ProofofBug @ProofOfBug
@immunefi I need immediate intervention. I submitted a valid bug (64228) to @FloeProtocol. They confirmed it, said they'd fix it "in the future," and closed without paying. Then my account was banned by your anti-spam filter. They then shipped my exact fix, and blocked me on X.
ProofofBug @ProofOfBug
@MitchellAmador @immunefi anything to say? I’d appreciate transparency.
Quoted tweet: ProofofBug @ProofOfBug

@immunefi I need immediate intervention. I submitted a valid bug (64228) to @FloeProtocol. They confirmed it, said they'd fix it "in the future," and closed without paying. Then my account was banned by your anti-spam filter. They then shipped my exact fix, and blocked me on X.
ProofofBug @ProofOfBug
@MaLucasBC @immunefi The project is a scammer. They blocked me on X and, as you can see, they literally referenced my fix in their on-chain code.
Lucas Ma @MaLucasBC
@ProofOfBug @immunefi Don't try to be torn anymore, look at their regulations, they have all the right to interpret. You should now look for the project party to see if they are willing to pay.
ProofofBug @ProofOfBug
@AlexQuellsIt I'd appreciate a fair resolution. In your tweets you often talk about security. If you are actually committed to security, please act in good faith.
Quoted tweet: ProofofBug @ProofOfBug

@immunefi I need immediate intervention. I submitted a valid bug (64228) to @FloeProtocol. They confirmed it, said they'd fix it "in the future," and closed without paying. Then my account was banned by your anti-spam filter. They then shipped my exact fix, and blocked me on X.
ProofofBug @ProofOfBug
@immunefi Your platform creates more blackhats than whitehats. Take action and fix this. All the protocols listed on your platform are at serious risk of exploitation.
ProofofBug @ProofOfBug
@immunefi That’s what we all want: report the bugs. However, you force us to exploit them and then act as grey hats. Your platforms’ processes are a failure. You are banning honest researchers. I’ve just found and received a 200k bounty on another web3 protocol on another platform.
Immunefi @immunefi
"I did a crypto heist … Crypto is all fake internet money anyway." That's what Jonathan Spalletta allegedly told an associate after draining over $50M from Uranium Finance in 2021, forcing the DeFi protocol to shut down. He then bought...pokemon cards with the funds. Now, he's surrendered to US authorities and is facing federal charges for computer fraud and money laundering. It doesn't matter that it was 5 years ago. It doesn't matter that he negotiated a "bug bounty" from the exploited gains. If you find a bug, report it. Don't wait for the feds to show up at your door.
ProofofBug @ProofOfBug
@254Oti_ @maleksharabi @al_f4lc0n @immunefi Same here. Immunefi is the biggest scam in the web3 space, and they put the protocols listed on it at serious risk of exploitation. Honest researchers can't submit to honest projects.
Thragg_Otieno @254Oti_
@ProofOfBug @maleksharabi @al_f4lc0n @immunefi I got banned for submitting a valid report, even Immunefi themselves said it was in scope, triager reviewed it and said they can’t “reward this”. I asked Immunefi for a mediation, manual review, they have banned me completely. I’m focused now on HackenProof moving forwards.
f4lc0n @al_f4lc0n
The figures referenced in the post are entirely misleading. There was no impact realized from this issue. Zero user funds were affected and zero addresses were compromised.

My response: Are you suggesting I should have actually exploited the bug and caused real damage before coming to talk to you?

For the stated vulnerability to work in practice, it would require execution of several suspicious transactions that would have an extraordinarily limited impact.

My response: You should know better than anyone that on a Cosmos-based chain, a single transaction can pack multiple messages. Just one transaction is more than enough to completely drain multiple whale accounts.

Injective has dynamic rate limiting functionalities which are applied automatically based on our live monitoring systems. This functionality has been live on mainnet since last year and is publicly available in our code base.

My response: First, this has nothing to do with the vulnerability itself. Rate limiting doesn't stop attackers from stealing funds. It only slows them down when they try to bridge those funds over to Ethereum. Second, when I submitted my report, the mainnet configuration for this feature was not set. In other words, this feature wasn't even turned on!

In addition to all of the above, this report was reviewed against the clearly defined terms of our Immunefi program. Based on those terms, issues such as those raised in this report that DO NOT impact block production or consensus are categorized outside of the Blockchain/DLT tier and carry a maximum payout of $50,000.

My response: First, Immunefi has always put the impact of direct fund theft at the very top of its priority list. This is a fact that everyone knows. Second, you changed your bug bounty page after I submitted my report. Here's the snapshot from November 8, 2025: web.archive.org/web/2025110816… .

And now, there's an extra line added to your bug bounty page: "IMPORTANT: Within the Assets in Scope table, the injective-core folder is listed for both Blockchain/DLT and Web/App due to overlap between the two within the same folder. However, for a report to be categorized as Blockchain/DLT, the resulting impact has to be directly involved with the block production process or with consensus failures. All reports not dealing directly with either of these are to be categorized as Web/App." I'd really like to know when this line was added, and do you really value chain consensus more than users' funds?

We remain committed to fair, transparent, and consistent handling of all reports, and to maintaining the highest standards of security for the ecosystem. Injective has done so since its mainnet inception in 2021 and will continue to do so in perpetuity, always putting builders and security first.

My response: You never even replied to my messages, and now you're blaming me for not requesting mediation? I can post the original report if you agree. I left many messages, but you haven't replied to a single one.

----------

Finally: Stop making excuses from every angle and trying to use technical jargon to confuse people who aren't developers. That doesn't work anymore these days. Anyone can just ask an AI to fact-check what both of us are saying. I have no ill intentions toward your project. All I'm asking is for you to be honest and handle this transparently.
Quoted tweet: Bojan Angjelkoski @bangjelkoski

Security is paramount at @injective and we take our bug bounty program very seriously. First and foremost, the figures referenced in the post are entirely misleading. There was no impact realized from this issue. Zero user funds were affected and zero addresses were compromised. For the stated vulnerability to work in practice, it would require execution of several suspicious transactions that would have an extraordinarily limited impact. Injective has dynamic rate limiting functionalities which are applied automatically based on our live monitoring systems. This functionality has been live on mainnet since last year and is publicly available in our code base. In addition to all of the above, this report was reviewed against the clearly defined terms of our Immunefi program. Based on those terms, issues such as those raised in this report that DO NOT impact block production or consensus are categorized outside of the Blockchain/DLT tier and carry a maximum payout of $50,000. If the poster had requested a mediation we would explain to him the dynamic rate limiters and monitoring systems we have in place and why his stated figures are misleading. However, he did not do so. We always follow the procedures set forth by the Immunefi program and expect the submitter to do so as well. We remain committed to fair, transparent, and consistent handling of all reports, and to maintaining the highest standards of security for the ecosystem. Injective has done so since its mainnet inception in 2021 and will continue to do so in perpetuity, always putting builders and security first.
ProofofBug @ProofOfBug
@immunefi Nobody would go public if you treated researchers fairly. You are used to scamming whitehats and you get surprised when they go public. Interesting 🤔
Immunefi @immunefi
We're aware of the public discussion regarding a recent bug bounty dispute. We understand the frustration that can come with these situations, for researchers and projects alike. But we don't believe public forums are the right place to evaluate vulnerability severity, debate payout amounts, or litigate the specifics of a report while a dispute is not concluded. That approach risks compromising the quality of discussion and the resolution process itself. Since mediation over payout amount was not requested, we have self-initiated mediation to examine the specifics of the report, which takes time because of the complexity involved, but we’ll take the appropriate actions after coming to a conclusion. In the meantime, we’ve paused the project to make sure that appropriate attention is given to any outstanding reports.