Zero Cipher

457 posts

@zerocipher002

Senior Blockchain Security Researcher. Move/EVM/Rust. #15 All time Cantina Leaderboard. Founder @VulsightSec

Joined December 2014
533 Following, 1.6K Followers

Pinned Tweet
Zero Cipher @zerocipher002
$300,000 from a single bounty. Also, yes, it was Move-related. Move helps, but it doesn't magically make protocols safe. The real bugs still live in assumptions, invariants, and integrations. Proud of what VulSight has been doing too. We've cleared over $500k in bounties in the last 2 months. If you're a founder and you want an audit team that consistently finds criticals, we're a DM away.
Immunefi @immunefi

Big congratulations to @VulsightSec for scoring their very first paid report on Immunefi. And it's a huge, huge payout. Well done! You can pledge behind them here to earn IMU when they find bugs: immunefi.com/pledge/vulsigh…

Zero Cipher @zerocipher002
@hwisesa23 @CentuariLabs Exactly. One way protocols sometimes tackle this is through protocol-operated liquidator bots. Not a fan of this mechanism. What solution did you guys use?

Zero Cipher @zerocipher002
The first place I look in any lending protocol isn't the interest rate model. It isn't the oracle. It's the liquidation logic.

Blacklisted collateral token. Transfer reverts. Liquidation blocked. Bad debt can accumulate silently.

Zero-amount interaction. Revert. Position can become stuck permanently.

Multi-asset basket where a partial liquidation removes the highest-LTV asset and the health score worsens instead of improving.

Three edge cases. Each one worth treating as high severity until proven otherwise.

One question decides everything: "Can this position ever reach a state where liquidation reverts or fails to improve solvency?" If yes, the protocol may have a trapped bad debt path. It just doesn't know it yet.

If your protocol has liquidations and you haven't tested what happens when they can't execute, that's one of the first places I'd look for a critical.

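The three edge cases in the post above, driven through a small Python model of a lending position. This is an added example written for this page, not the code of any protocol or of the author's audit team: the liquidation thresholds, bonus, close factor, dust limit, token names and addresses are all constructed. Amounts are integers in one unit of account and ratios are in basis points, as they would be on-chain, so the health-factor arithmetic is exact and the partial-liquidation condition derived in `seizure_improves_health` can be checked rather than eyeballed.

```python
"""Toy lending position and three liquidation edge cases (blacklisted
collateral, zero-amount interaction, partial liquidation that lowers health).
Added example, not any protocol's code; all parameters below are assumed."""
from dataclasses import dataclass, field
from fractions import Fraction

BPS = 10_000
BONUS_BPS = 1_000         # 10% liquidation bonus (assumed)
CLOSE_FACTOR_BPS = 2_000  # at most 20% of the debt per liquidation (assumed)
DUST = 10                 # debt at or below this may be closed in full (assumed)

class Revert(Exception):
    """Stands in for an EVM revert: a raise unwinds the whole call."""

@dataclass
class Token:
    """ERC-20 stand-in with a USDC-style blacklist and a revert on zero-amount transfers."""
    name: str
    balances: dict = field(default_factory=dict)
    blacklist: set = field(default_factory=set)

    def transfer(self, src, dst, amount):
        if amount == 0:
            raise Revert(f"{self.name}: zero-amount transfer")
        if src in self.blacklist or dst in self.blacklist:
            raise Revert(f"{self.name}: blacklisted address")
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount

@dataclass
class Position:
    collateral: dict  # token -> amount, already priced in the unit of account
    threshold: dict   # token -> liquidation threshold in bps
    debt: int

    def weighted_collateral(self):
        return sum(v * self.threshold[t] for t, v in self.collateral.items())

    def health_factor(self):  # below 1 means liquidatable
        return Fraction(self.weighted_collateral(), BPS * self.debt) if self.debt else Fraction(10**9)

def seizure_improves_health(pos, asset):
    """With W = weighted collateral, D = debt, r repaid, t = seized asset's threshold and
    s = r*(1+bonus) seized: (W - t*s)/(D - r) > W/D  <=>  W > D*t*(1+bonus), i.e. HF > t*(1+bonus).
    Seizing any asset whose threshold exceeds HF/(1+bonus) makes the position worse."""
    return pos.weighted_collateral() * BPS > pos.debt * pos.threshold[asset] * (BPS + BONUS_BPS)

def liquidate_naive(pos, tokens, asset, protocol, liquidator):
    """Common shape: repay close_factor*debt, seize repay*(1+bonus) and push it to the liquidator."""
    repay = pos.debt * CLOSE_FACTOR_BPS // BPS  # rounds to 0 on dust debt
    seized = repay * (BPS + BONUS_BPS) // BPS
    tokens[asset].transfer(protocol, liquidator, seized)  # blacklist or zero: whole call reverts
    pos.collateral[asset] -= seized
    pos.debt -= repay
    return pos.health_factor()

def liquidate_hardened(pos, tokens, asset, protocol, liquidator, claims):
    """Same economics, three guards: full close at or below DUST, refuse a partial seizure
    that would not raise HF, and credit seized collateral to a pull-based claim instead of
    pushing it, so a blacklisted recipient cannot block the solvency-restoring state change."""
    repay = pos.debt if pos.debt <= DUST else pos.debt * CLOSE_FACTOR_BPS // BPS
    if repay == 0:
        raise Revert("nothing to repay")
    if repay < pos.debt and not seizure_improves_health(pos, asset):
        raise Revert("seizing this asset would not improve health")
    seized = min(repay * (BPS + BONUS_BPS) // BPS, pos.collateral[asset])
    pos.collateral[asset] -= seized
    pos.debt -= repay
    claims[liquidator] = claims.get(liquidator, 0) + seized  # withdrawn by a separate call
    return pos.health_factor()

def fresh_scenario(blacklist=()):
    tokens = {"WETH": Token("WETH", {"protocol": 100}),
              "ALT": Token("ALT", {"protocol": 100}, set(blacklist))}
    return Position({"WETH": 100, "ALT": 100}, {"WETH": 9_000, "ALT": 5_000}, debt=150), tokens

def attempt(fn, *args):
    try:
        return fn(*args)
    except Revert as e:
        return str(e)

def run_cases():
    out = {}
    pos, tokens = fresh_scenario()
    out["hf_start"] = pos.health_factor()  # 14/15: under water
    # Case 3: partial liquidation seizing the highest-threshold asset lowers HF.
    out["hf_naive_weth"] = liquidate_naive(pos, tokens, "WETH", "protocol", "liq")  # 1103/1200
    pos, tokens = fresh_scenario()
    out["hardened_weth"] = attempt(liquidate_hardened, pos, tokens, "WETH", "protocol", "liq", {})
    out["hf_hardened_alt"] = liquidate_hardened(pos, tokens, "ALT", "protocol", "liq", {})  # 1235/1200
    # Case 1: the liquidator is blacklisted on the collateral token.
    pos, tokens = fresh_scenario(blacklist={"liq"})
    out["naive_blacklisted"] = attempt(liquidate_naive, pos, tokens, "ALT", "protocol", "liq")
    out["hf_after_blacklisted"] = pos.health_factor()  # unchanged: bad debt stays
    claims = {}
    liquidate_hardened(pos, tokens, "ALT", "protocol", "liq", claims)
    out["claim_credited"] = claims["liq"]  # 33, pulled by the liquidator later
    # Case 2: dust debt makes the close-factor repay amount round to zero.
    pos = Position({"WETH": 1}, {"WETH": 9_000}, debt=1)
    out["naive_dust"] = attempt(liquidate_naive, pos, tokens, "WETH", "protocol", "liq")
    liquidate_hardened(pos, tokens, "WETH", "protocol", "liq", claims)
    out["debt_after_hardened_dust"] = pos.debt  # 0
    return out
```

The naive path is the one to fuzz in a real audit: with the assumed numbers, seizing WETH pays the liquidator and still drops the health factor from 14/15 to 1103/1200, a blacklisted recipient turns the whole liquidation into a revert, and a 1-unit debt can never be reduced because 20% of it floors to zero. On a token that silently accepts zero-amount transfers the last case does not revert, it simply never changes state, which is the same trapped bad debt with less noise.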
Zero Cipher @zerocipher002
Personal security tip (that may or may not work): always keep a small amount, like 100 USDC, in your MetaMask wallet, so you would likely know if your PC is compromised. Likewise for a hardware wallet: store funds using a passphrase while keeping a small amount of funds in the default wallet.

Zero Cipher @zerocipher002
@androolloyd Sounds really amazing. Would love to try out the client you are working on. I felt like Hyperliquid was obfuscated enough to not be able to make sense of it all.

androolloyd.hl @androolloyd
In case you're wondering what I'm working on, I've built my own Hyperliquid client and am working on joining testnet as a validator on my client; it's looking like I'm pretty close too. So thanks to everyone who has delegated thus far on testnet. All the work has been done entirely by Claude Opus 4.6 and GPT 5.4; I have an automated reverse-engineering pipeline that has been running pretty much non-stop for a few days now, and waking up to exponential gains in understanding of Hyperliquid has made me so unbelievably bullish. I baked in a full anvil/foundry replacement, so all you EVM devs can simulate HyperCore and CoreWriter action txns all from Solidity! Full replay debug, chain/oracle data follow, gossip. Shout-out to the hlz dev; I also forked that and integrated support for local devnet chains. One way or another we're getting an open client. Hypurrliquid

Zero Cipher @zerocipher002
I need to acquire 20k test HYPE tokens on the Hyperliquid testnet @HyperliquidX. Would anyone be able to help with that? Would even be willing to buy them if anyone's selling.

Zero Cipher @zerocipher002
Thank you for your critical finding. We would like to reward you with a bounty of 12 Red Bulls.

Zero Cipher @zerocipher002
@0x158_ Their argument is that the bug is not live and it never would be live, as they would fix it now (after I told them about the bug).

Killua @0x158_
@zerocipher002 > deployment is 2 weeks away. So what? WTF 🤯 How is that even a reason not to pay?

Zero Cipher @zerocipher002
Response to a critical report in a bug bounty that would have caused losses of 8 figures, dependent on a feature that was to be activated in 2 weeks: "The finding, even though critical, is not valid for a payout as the deployment is 2 weeks away and we would fix the bug before deployment." MF, how would you even have fixed it in the first place if I didn't report it??

MayckO.On @CreatorsOfChaos
And it gets worse. They rejected my report as a 'duplicate,' only to drop a PR with my exact fix in under 30 minutes. If it was already known, why wait for my report to suddenly find the solution? Just a blatant, pathetic attempt to exploit free labor while protecting their 8-figure bags. The lack of ethics in these BB platforms is a joke.
Zero Cipher @zerocipher002
@TopengaNFT Not Polygon. But it's quite surprising that people have such an image of them now. They used to be one of the most generous programs in BBP.

Zero Cipher @zerocipher002
@0xriptide It sucks how such programs hide behind non-disclosure requirements and still screw over SRs.

Zero Cipher @zerocipher002
Your stack is split across Move, EVM, Rust, and ZK: 4 ecosystems. Each fails in very different ways.
1. EVM → reentrancy variants + accounting/invariant bugs
2. Move → resource lifecycle bugs + cross-module interaction failures
3. ZK → under-constrained circuits
4. Rust on Solana → PDA validation gaps + CPI guard bypasses
A generalist who's "pretty good" at four ecosystems misses the bugs specialists catch. One ecosystem specialist can't help you when your stack spans two. If your protocol spans more than one ecosystem and needs a team that can audit across the full stack, feel free to reach out to us.

Zero Cipher @zerocipher002
Audits happen. Reports get filed. Protocols still get drained. This is why I only work with teams that treat security as survival, not marketing. There are a lot of reasons this keeps happening:
• The team gets the audit report and fixes the Highs. Marks everything else as "acknowledged." Ships.
• "Acknowledged" means "we read it and accepted the risk" but actually means "we don't have time and the deadline is Friday."
• The patch for the critical finding introduces a new vulnerability in the fix. Nobody reviewed the remediation. They just assumed patching was safe.
• The audit covered commit abc123. The deployment was commit xyz789. Six new functions added after the audit completed. Nobody mentioned it.
• Six months after launch there's a new integration. No re-audit. The integration is 40% of the attack surface.
• The economic exploit that drained everything wasn't in the code. The code was correct. The math was wrong. The audit reviewed code, not economics.
• Leadership says "we can't afford a longer audit," then spends 20x the audit cost on the launch marketing campaign.
• The post-mortem after the hack says "we have now engaged additional security partners." The new partners review the same codebase. Nobody asks why the first audit missed it.
Every one of these is fixable. We don't sign off until the deployed commit matches the audited commit. And we treat "acknowledged" findings like ticking time bombs, because that's what they are. If you want an audit team that solves the problems above instead of contributing to them, DM us at @VulSightSec.

Zero Cipher @zerocipher002
For a protocol with a bug bounty on multiple platforms, which one would you use to submit your Crit/High? And why?

Zero Cipher @zerocipher002
Three years ago I submitted my first Web3 contest entry on Code4rena. Found one QA issue. Thought maybe I'd chosen the wrong career path. This year I collected $300,000 from a single critical bug report. This space rewards depth and patience in ways I didn't fully understand when I started.
Zero Cipher @zerocipher002
Everyone thinks they understand flash loan attacks. Most don't.

Most people think flash loans are about the money. Borrow millions. Manipulate a price. Return the loan. Pocket the difference. That's the surface.

What if the attack isn't related to the capital? What if it utilizes the state manipulation that the capital enables within a single transaction?

Beanstalk. April 2022. $182 million. The attacker didn't exploit a price oracle. They used the flash loan to temporarily acquire governance control. Passed a malicious proposal. Drained the treasury. In one transaction.

The vulnerability wasn't in the flash loan mechanics. It wasn't even in the price feed. It was in the assumption that governance proposals couldn't be executed within a borrowing window.

I found a similar governance timing assumption in a recent audit. The protocol had a 24-hour timelock on proposals. No protection against flash-loan-powered quorum acquisition. The team had reviewed every oracle interaction. They hadn't considered that an attacker could borrow their way into governance power.

Never audit flash loan surfaces by just looking at the surface. Audit what the loan temporarily makes possible.

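The governance timing assumption from the post above, as an added Python model written for this page; it is not Beanstalk's code nor that of the audited protocol, and the addresses, token supply, quorum, timelock and block numbers are constructed. The model runs the same attacker transaction (propose, vote with flash-borrowed tokens, queue) against two governors: one that weighs votes by the voter's live balance, and one that weighs them by a balance checkpoint taken at the block before the proposal, in the style of ERC20Votes / `getPriorVotes`. The timelock is present in both and changes nothing about whether quorum is reached; only the snapshot does.

```python
"""Flash-loan governance takeover, modelled in Python. Added example, not
Beanstalk's code nor that of any audited protocol; every number is assumed."""
from dataclasses import dataclass, field

class Revert(Exception):
    """EVM revert stand-in."""

@dataclass
class CheckpointToken:
    """ERC-20 stand-in keeping a per-address (block, balance) history, in the
    style of the checkpoints behind ERC20Votes / getPriorVotes."""
    block: int = 100                              # current block number
    history: dict = field(default_factory=dict)   # addr -> [(block, balance), ...]

    def balance_of(self, addr):
        hist = self.history.get(addr)
        return hist[-1][1] if hist else 0

    def balance_at(self, addr, block):
        """Balance at the end of `block`: the latest checkpoint not after it."""
        past = [v for b, v in self.history.get(addr, []) if b <= block]
        return past[-1] if past else 0

    def set_balance(self, addr, value):
        hist = self.history.setdefault(addr, [])
        if hist and hist[-1][0] == self.block:
            hist[-1] = (self.block, value)        # same block: overwrite the checkpoint
        else:
            hist.append((self.block, value))

    def transfer(self, src, dst, amount):
        if self.balance_of(src) < amount:
            raise Revert("insufficient balance")
        self.set_balance(src, self.balance_of(src) - amount)
        self.set_balance(dst, self.balance_of(dst) + amount)

@dataclass
class Proposal:
    snapshot_block: int
    votes_for: int = 0

@dataclass
class Governor:
    token: CheckpointToken
    quorum: int
    timelock_blocks: int
    snapshot_votes: bool  # False: weight = live balance; True: weight at the snapshot

    def propose(self):
        # Snapshot the block before the proposal: tokens obtained in the proposing
        # transaction, flash-loaned or not, carry no weight.
        return Proposal(snapshot_block=self.token.block - 1)

    def vote(self, p, voter):
        weight = (self.token.balance_at(voter, p.snapshot_block) if self.snapshot_votes
                  else self.token.balance_of(voter))
        p.votes_for += weight
        return weight

    def queue(self, p):
        """Returns the earliest execution block; the timelock only delays the drain."""
        if p.votes_for < self.quorum:
            raise Revert("quorum not reached")
        return self.token.block + self.timelock_blocks

def flash_loan(token, pool, borrower, amount, callback):
    """Lend for the duration of `callback`, inside one block, and revert unless
    repaid: the atomicity that makes the attack free of capital."""
    token.transfer(pool, borrower, amount)
    callback()
    if token.balance_of(borrower) < amount:
        raise Revert("flash loan not repaid")
    token.transfer(borrower, pool, amount)

def attack(snapshot_votes):
    """Propose, vote with borrowed tokens and queue, all in one transaction."""
    token = CheckpointToken(block=100)
    token.set_balance("pool", 1_000_000)    # liquidity a lending pool will flash-lend
    token.set_balance("holders", 200_000)   # honest holders, not voting in this transaction
    gov = Governor(token, quorum=500_000, timelock_blocks=7_200, snapshot_votes=snapshot_votes)
    token.block = 101                       # the attacker's transaction lands here
    out = {}

    def in_one_tx():
        p = out["proposal"] = gov.propose()
        out["attacker_weight"] = gov.vote(p, "attacker")
        try:
            out["eta"] = gov.queue(p)
        except Revert as e:
            out["eta"] = str(e)

    flash_loan(token, "pool", "attacker", 900_000, in_one_tx)
    out["attacker_balance_after"] = token.balance_of("attacker")  # loan gone, vote stays
    token.block = 102
    out["honest_weight"] = gov.vote(out.pop("proposal"), "holders")  # still counts under snapshot
    return out
```

With live-balance voting the attacker holds nothing before or after the transaction, yet the proposal is queued with 900,000 votes and an execution time a day out, so the timelock only tells the victims when the treasury will be drained. With the snapshot, the same transaction registers zero weight while honest holders keep theirs, which is the check to look for when a protocol's only stated defence is the delay.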
Zero Cipher @zerocipher002
Recently saw some chatter about how total payouts vary across web3 bug bounty platforms. So I compared the top 10 earners on each:
Immunefi: $55.3M
HackenProof: $6.3M
Cantina: $1.5M
Immunefi is ~8.8x HackenProof. HackenProof is ~4.2x Cantina. Curious how much of this is:
- platform maturity
- deal flow
- private vs public payouts
- where top researchers choose to spend time
(Note: some of these numbers could be inaccurate, as I calculated them from publicly available information in the leaderboards.)