Ijele
327 posts

Ijele retweetledi

We just published the fairest comparison of audits vs. audit competitions ever done.
Contests win hands down.
Help us make sure every founder reads it.
Contests will become the new standard.
Mitchell Amador@MitchellAmador
English
Ijele retweetledi

@mylifechangefa1 @adeolRxxxx @pelz @fromeo_016 @LASUOfficial @Bugcrowd @GoogleVRP @kuprumxyz Are you studying computer science?
English

life lately:
met @adeolRxxxx @pelz @fromeo_016
I'm in my final year @LASUOfficial
found 2 valid P4 at @Bugcrowd
still have pending @GoogleVRP
awaiting a contest result
I'm in my final year @LASUOfficial
can't wait to get back with @kuprumxyz from where we stopped.
e no easy

English
Ijele retweetledi

How do you know a protocol is worth spending time on? What are the key metrics you look out for?
Pls, ser @WhiteHatMage
English
Ijele retweetledi
Ijele retweetledi

If you're interested in catching chain halts, here are some ideas:
Consensus critical paths:
- Check consensus invariants and how to break them -> halt
- Check functions that should always succeed, but you find a way to make them fail or revert for everyone every time -> halt
- Check functions that should always return a response (success or failure), but you can make them panic -- unexpected side effect or missing recovery mechanism.
- Look for possible sources of non-determinism -- may lead to chain halt or fork
Risk profiles:
- Halt the production of blocks
- Halt the production of proposals
- Halt the processing of transactions
- Halt the p2p communications
- Halt the processing of txs
- Crash validators consistently
- Crash critical dependencies consistently
Attack Surface:
- Trace back the critical paths, and the components that could be broken
- It may be a malicious transaction by any user, or a malicious p2p message relayed to the nodes
- It could be a rogue validator with a malicious proposal
- The chain might read events from contracts. It could have a light client checking things happening on other chains.
- It could be time based, or something that happens on specific blocks, or during some special event.
- There might be issues in dependencies that aren't critical anywhere else, but they lead to a more severe impact in some specific flow
- The chain could have special roles that could be vulnerable to specific attacks
Resource exhaustion:
- CPU: make validators spend too much time computing transactions or blocks -- they won't make it in time for agreeing on the block
- Memory: crash validators with OOM errors
- Storage: bloat the disk space
- Invariants: bloat some resource invariant, like consistently surpassing the block size, or tx size, making proposals fail.
Caveats:
- Most bugs aren't vulnerabilities. Learn how to code an e2e PoC for a network.
- Not every panic leads to a crash. They're often gracefully caught.
- Not every crash leads to a chain halt. You may crash the RPC node, but not the validators
- A chain might have different clients, and the overall impact may not lead to a chain halt
- Permissionless attacks are more dangerous than ones that require a validator
- Panics in transactions are usually caught by the execution layer
- If the impact is that your tx reverts, there's no impact. If the impact is that your proposed block is rejected, there's no impact.
- Chains have different consensus mechanisms and caveats. The same vulnerability won't necessarily lead to the same impact.
There's a huge overlap with other impacts. The same core vulnerability could be exploited for a chain halt, or could be used to take down validators to gain consensus, or could be abused to lead to a chain fork, or other issues. It's also possible that it doesn't lead to any real impact too.
It's up to you to assess the most critical impact.
English
Ijele retweetledi

This Immunefi All Star just crossed $1 million in earnings, making them the newest crypto millionaire on Immunefi.
Meet @_blockian, the alter ego of @ControlZ_1337.
We asked him how he does it.
"What is one practical bug bounty strategy that has helped you find better bugs? "
Pre-AI era: Find the most complicated part of the project - the area I assume most researchers would avoid diving into - and then repeatedly chant to myself “there are always bugs” until I eventually break something.
Post-AI era: Same thing, but with AI.
Don't be scared of complexity - embrace it
"What habit, routine, or mindset has made you more consistent as a researcher? "
Balanced life.
Personally, I burn out pretty fast. Too much ADHD and not enough self-discipline 😅 So I compensate by cycling between periods of hard work and periods of rest.
I work hard until I start feeling the early signs of burnout, then I stop before I hit the point where I won’t want to work at all. I’ll start a new PS5 game, fly abroad, take a week (or a month) off, snowboard, recharge, and then come back feeling fresh and ready to go again.
Would I have found more bugs if I could work 24/7 like some other researchers? Probably.
But is that actually sustainable for me? Probably not.
"Can you share a memorable bug or win, and what helped you find it? "
I think it was my first bounty, this is what made me believe this was actually possible.
It was a pretty cool cache-poisoning issue that, to this day, I still consider one of my favorite bugs. I was determined to find something. The codebase was quite complex, so I was convinced there had to be an issue hiding somewhere.
At some point I got stuck and stepped away from the computer, but I couldn’t stop thinking about the codebase. Then suddenly it clicked. I realized how I could use the cache to my advantage, rushed back to my computer, and spent the entire night building a PoC out of pure excitement.
The report got confirmed and paid, and that was the moment that made me believe this was actually possible. It’s what kept me going.
"What is one piece of advice you would give to a researcher trying to level up or land their first bounty?"
Find what genuinely excites and interests you.
If you're doing it only for the money, you'll probably hit a wall sooner or later. If you want to rise above the competition, you need to be passionate about what you're doing - passion is what keeps you going when things get difficult, repetitive, or frustrating.

English

In case you missed it, here are five things Immunefi shipped this month:
1. IronScore
A free security score for any protocol, rated from 0 to 100 and ranked on a public leaderboard.
It also includes a wallet scanner that shows how much of your value is sitting in weakly secured protocols.
2. Immunefi Studio
A new toolkit built with and for top security researchers.
It includes Studio Reviews and Studio Signals.
3. Studio Reviews
Get structured feedback on your bug report before you submit it, so a real finding doesn’t get weakened by a weak writeup.
4. Studio Signals
Access real program data before committing your hours, including which programs pay and how fast they move.
5. Dark mode
Easier on the eyes. Finally.
Some of these shipped in limited release first, but we’ll be rolling them out to everyone soon.

English
Ijele retweetledi

Episode is now live!
Immunefi@immunefi
This Security Researcher has earned $1,073,742 on Immunefi in 2026. 2nd on the Whitehat Leaderboard. Now @0xvivekd is coming on The Immunefi Show to talk through how he hunts, how he thinks, and what separates a good report from a million-dollar year. What should we ask him?
English

This Security Researcher has earned $1,073,742 on Immunefi in 2026.
2nd on the Whitehat Leaderboard.
Now @0xvivekd is coming on The Immunefi Show to talk through how he hunts, how he thinks, and what separates a good report from a million-dollar year.
What should we ask him?

English
Ijele retweetledi

This Immunefi All-Star just made a Google Staff Software Engineer’s salary from one report.
Congrats @riproprip.

English










