Mx (beta)

1.1K posts

@0xMSF14

DeFi Security researcher

(e/acc) Joined July 2023
594 Following, 634 Followers

Mx (beta) @0xMSF14
@0x3b33 same old story, they probably refused to pay up

playboi.eth @adeolRxxxx
I took my mom on a date today, she was so happy. I also got to relax after some heated private audits back to back. Motion can't be stopped. Back to xrp.

LonelySloth @lonelysloth_sec
That's the whole point. Go "AI native". Be rug pulled by the duopoly (at best, if you can work with either). If the entire world changes processes to depend on them, their valuation skyrockets. Doesn't matter what value is delivered. They can charge whatever they want. They basically own all businesses.

Mx (beta) @0xMSF14
I don't know what happened to @immunefi but they are partly responsible for the surge in hacks in 2026. People may want to submit critical vulnerabilities and you are asking them to submit KYC information first? To limit "spam". What happens if they don't want to?

Mx (beta) @0xMSF14
web3 security is the only place where protocols and companies act like they are doing people protecting the industry a favor. The beatings will continue until morale improves.

Quoted post from Mx (beta) @0xMSF14:
What incentives do web3 researchers have to submit vulnerabilities? @immunefi: KYC, banning, deposit to submit, ghosting. @code4rena: KYC, submission limit. Protocols: fix and lowball. Protocols need researchers, real money is at stake, this industry is a joke. DeFi will die.

Mx (beta) @0xMSF14
What incentives do web3 researchers have to submit vulnerabilities? @immunefi: KYC, banning, deposit to submit, ghosting. @code4rena: KYC, submission limit. Protocols: fix and lowball. Protocols need researchers, real money is at stake, this industry is a joke. DeFi will die.

Mx (beta) @0xMSF14
Protocols are now building with AI and barely understand their product.

Mx (beta) @0xMSF14
*** Biggest Contest of all time *** $500,000,000 Conditional Pot: Unlock full payout by draining the entire protocol, its current blockchain infrastructure and finding the founder's long-lost nephew. Otherwise the pot is $6,300.

Mx (beta) retweeted
Jack Sanford 🛡️ @jack__sanford
If you're a security researcher or Solidity dev who: 1) has good product sense, 2) enjoys talking to customers, DM me. Hiring for a few different roles that could be a good fit.

Mx (beta) retweeted
f4lc0n @al_f4lc0n
"the figures referenced in the post are entirely misleading. There was no impact realized from this issue. Zero user funds were affected and zero addresses were compromised."

My response: Are you suggesting I should have actually exploited the bug and caused real damage before coming to talk to you?

"For the stated vulnerability to work in practice, it would require execution of several suspicious transactions that would have an extraordinarily limited impact."

My response: You should know better than anyone that on a Cosmos-based chain, a single transaction can pack multiple messages. Just one transaction is more than enough to completely drain multiple whale accounts.

"Injective has dynamic rate limiting functionalities which are applied automatically based on our live monitoring systems. This functionality has been live on mainnet since last year and is publicly available in our code base."

My response: First, this has nothing to do with the vulnerability itself. Rate limiting doesn't stop attackers from stealing funds. It only slows them down when they try to bridge those funds over to Ethereum. Second, when I submitted my report, the mainnet configuration for this feature was not set. In other words, this feature wasn't even turned on!

"In addition to all of the above, this report was reviewed against the clearly defined terms of our Immunefi program. Based on those terms, issues such as those raised in this report that DO NOT impact block production or consensus are categorized outside of the Blockchain/DLT tier and carry a maximum payout of $50,000."

My response: First, Immunefi has always put the impact of direct fund theft at the very top of its priority list. This is a fact that everyone knows. Second, you changed your bug bounty page after I submitted my report. Here's the snapshot from November 8, 2025: web.archive.org/web/2025110816…

And now, there's an extra line added to your bug bounty page: "IMPORTANT: Within the Assets in Scope table, the injective-core folder is listed for both Blockchain/DLT and Web/App due to overlap between the two within the same folder. However, for a report to be categorized as Blockchain/DLT, the resulting impact has to be directly involved with the block production process or with consensus failures. All reports not dealing directly with either of these are to be categorized as Web/App." I'd really like to know when this line was added. And do you really value chain consensus more than users' funds?

"We remain committed to fair, transparent, and consistent handling of all reports, and to maintaining the highest standards of security for the ecosystem. Injective has done so since its mainnet inception in 2021 and will continue to do so in perpetuity, always putting builders and security first."

My response: You never even replied to my messages, and now you're blaming me for not requesting mediation? I can post the original report if you agree. I left many messages, but you haven't replied to a single one.

----------

Finally: Stop making excuses from every angle and trying to use technical jargon to confuse people who aren't developers. That doesn't work anymore these days. Anyone can just ask an AI to fact-check what both of us are saying. I have no ill intentions toward your project. All I'm asking is for you to be honest and handle this transparently.

Quoted post from Bojan Angjelkoski @bangjelkoski:
Security is paramount at @injective and we take our bug bounty program very seriously. First and foremost, the figures referenced in the post are entirely misleading. There was no impact realized from this issue. Zero user funds were affected and zero addresses were compromised. For the stated vulnerability to work in practice, it would require execution of several suspicious transactions that would have an extraordinarily limited impact. Injective has dynamic rate limiting functionalities which are applied automatically based on our live monitoring systems. This functionality has been live on mainnet since last year and is publicly available in our code base. In addition to all of the above, this report was reviewed against the clearly defined terms of our Immunefi program. Based on those terms, issues such as those raised in this report that DO NOT impact block production or consensus are categorized outside of the Blockchain/DLT tier and carry a maximum payout of $50,000. If the poster had requested a mediation we would explain to him the dynamic rate limiters and monitoring systems we have in place and why his stated figures are misleading. However, he did not do so. We always follow the procedures set forth by the Immunefi program and expect the submitter to do so as well. We remain committed to fair, transparent, and consistent handling of all reports, and to maintaining the highest standards of security for the ecosystem. Injective has done so since its mainnet inception in 2021 and will continue to do so in perpetuity, always putting builders and security first.


Mx (beta) @0xMSF14
2026 has been mostly white hats disclosing critical-severity vulnerabilities for free.

Quoted post from playboi.eth @adeolRxxxx:
So basically, I have not been resting as I am currently competing in contests and also consistent in bug bounties.
So I think it would be nice to share my dups with the public for those who wanna learn.
But bug bounties have been a hellhole, or maybe let me say crazy. A bounty dropped last week in the heat of the day. I was asleep when I got pinged by my tool. I quickly woke up, checked, and saw it was in DLT. I have been preparing all my life for this. 4 hours just after this dropped on @HackenProof, I was able to find a critical that could allow an attacker to drain the entire pool in a single transaction by forging a block. I quickly wired an end-to-end POC to prove this issue, even estimating the time it would take the attacker. But unfortunately, I was met with "this issue has been found by another whitehat", bro, 4 hours?? Here, if you wanna learn: github.com/blessingblockc…


Mx (beta) retweeted
Pyro @0x3b33
The era of smart contract auditors is just beginning

Mx (beta) @0xMSF14
Human knowledge is the most precious thing we have. From childhood savants discovering numerical manipulations to the theoretical chemist who died in penury and obscurity. Training AI to paraphrase and regurgitate this information, then calling it intelligence, is a sin.

Mx (beta) @0xMSF14
"Pattern matching" is absolutely new in web3 security, right? Because that is all AI is capable of at the moment.

Mx (beta) @0xMSF14
So much deceit in LLM marketing, especially exaggerated as it is geared toward technical users that are lagging behind and very easy to impress.

Mx (beta) @0xMSF14
Nobody wants to tell the truth, but AI is terrible with reasoning.