AhmedSec

If LLMs finding bugs missed by multiple human auditors makes it super-human. When I find bugs missed by multiple humans and AI does it make me super-super-human? When then people catch bugs I missed do they become super-super-super-human? Congrats to teams finding bugs with whatever tools they use. But for the people making a living off bounties, finding stuff missed by dozens of the best auditors is just a Tuesday. Nothing super human about it.

Near the end of 2024, around November to December my entire life turned upside down. I never expected what happened next, and for more than a year I planned to never talk about it. But I think I need to, because it affected me deeply, both in life and as a hunter. 2024 was the best year of my life. It was the year I finally found myself. I discovered value in what I do. Being a security researcher and hunter in Web3 stopped feeling like “just a job”, it became something much bigger to me. People started recognizing my work. I met incredible researchers and hunters I genuinely respect and look up to. I built amazing friendships and connections. The feeling was indescribable. I was truly happy, and I enjoyed every single moment of it. At the beginning of 2024, I set a goal for myself: make $100k. People around me in real life laughed at that goal. They told me it was impossible. Some even said I should stop wasting time and look for a normal job that pays $150/month at mos. “Being rich is not for us,” they said. To them, $100k was something unreachable. So I distanced myself from those people, even though some were my friends. Not because they were bad people, but because we had completely different mindsets and goals. I had to choose myself. That same year, I seriously started hunting on @immunefi. I had a bad experience on another platform before, so I decided to give Immunefi a chance. I knew nobody there. No hunters, no team members. But the process felt professional from day one. Then I got my first $2k bounty. I was insanely happy 😂 I kept hunting, joined the Discord, and met amazing people from the Immunefi team and the community. I learned a lot, worked on many BBPs, and eventually Immunefi introduced Boosts (now contests) and Attackathons. That’s where my life completely changed. Then the Fuel Attackathon happened. I saw the $1M reward pool and a completely new language I had never touched before, and I told myself: “This is my chance.” I pushed hard. During that time I also landed another bounty. Eventually I made around $15k from bounties and around $86k from Fuel. I should’ve gotten second place, but some things happened and I secured fifth instead. And here’s the strange part… I felt nothing. No happiness. No excitement. No celebration. Just emptiness. I felt confused, mentally exhausted, almost like something inside me had shut down. I kept asking myself: “Why aren’t you happy? You achieved your goal. You proved everyone wrong. Why do you feel nothing?” Before I could answer that question, the second worst thing happened. My father had his first brain stroke. We rushed him to the hospital trying to save him. Then another stroke happened. Then another. I spent countless nights in hospitals, mentally destroyed. I became deeply depressed in a way I had never experienced before. At one point, I seriously thought about quitting Web3 and bug hunting entirely. I remember opening my phone late at night planning to delete everything I built. Then somehow I saw one of @lonelysloth_sec’s posts talking about patience, not giving up, and how hard this journey is. I don’t even remember the exact words anymore, but that post stopped me from making a huge mistake. Because people like him, @WhiteHatMage, and others became role models to me in this space. So I decided to wait instead of quitting. Meanwhile, my father’s condition kept getting worse. Eventually doctors told us there was nothing more they could do. We just had to fulfill his wishes and stay beside him until the end. And when he passed away in 2025… I felt nothing again. No tears. No breakdown. Just emptiness. The same emptiness I felt after reaching my biggest goal. That completely broke my understanding of myself. I forgot who zeroK really was. Months later, something incredible happened: @0xjonah1 messaged me saying I got accepted into All Stars. That gave me hope again. But even then, something still felt missing for almost a year and a half. I couldn’t figure it out. I tried convincing myself I was overthinking. year passed, Doing my best every day just to make sure I deserve my place at Immunefi and among the All Stars. Then, a few weeks ago, I got a clue about what was missing when I DM’d @WhiteHatMage asking for some advice related to working as hunter. While reading his messages, I felt like my brain was trying to reconnect with something I had lost for almost a year and a half... something that shaped who zeroK is both in real life and in the Web3 space. But at the time, I still couldn’t fully understand it, and I kept telling myself, “Maybe I’m just overthinking it.” Then Firedancer happened. I participated a bit, got overwhelmed, submitted only one bug, and honestly felt lost again. Then Infosec team reminded me that I should trust myself, that being part of All Stars already proved I belonged here. And suddenly it clicked. I finally realized what I had lost. It wasn’t motivation. It wasn’t discipline. It wasn’t skill. It was my ability to enjoy the journey. That was always the best part of me. Enjoying the process. Smiling during hard times. Helping people. Learning. Connecting with others. Being curious. Building something meaningful. I realized I never truly wanted $100k for the money itself. I wanted proof that I had value. Proof that I belonged somewhere. Proof that I could become the person I always wanted to be. And once I reached it, I didn’t know what came next. Now I finally understand it. Money matters for survival, yes. But chasing money alone made me miserable for an entire year. Now I’m chasing something different: my dreams, my growth, my journey, the people I meet, the things I build, the impact I leave behind. That’s what actually makes me happy. Being recognized for meaningful work. Protecting people. Saving users from exploits. Being good at what I do. Being kind while doing it. I’m glad I found myself again. And I’m deeply grateful to the people below who helped me rediscover that part of me, even without knowing what I was going through: @lonelysloth_sec @DecentralDisco @PappaPug @WhiteHatMage @minato7namikazi @0xMackenzieM @0xjonah1 @MartinMarchev @thisisgrey, who built my profile picture, the interview we did helped me remember part of who I really was. And many other amazing people too that I might not remember while writing this post. The only reasons I posted this are: 1. I want people to know that the joy of a goal you set for yourself ($100k, $500k, $1M, $10M, building something, buying something, achieving something) is not in the moment you finally reach it, it’s in the journey and the path you go through. 95% of the joy is in the process, not the destination. 2. I just wanted to talk a little bit lol.

@adeolRxxxx @sherlockdefi @Pelz_Dev we'll get here too, hopefully soon I sha Allah.

I am happy to say i topped 6 out of 500+ participants in the Move contest on @sherlockdefi > I didn’t touch the code once. > I built an algorithm from absolute scratch. > It found 4 out of the 6 issues that made the top 6. > I never opened the source > I and @Pelz_Dev only wrote the reports and submitted the findings. > I’ve been building this in silence. No clout. No noise. > Because I don’t talk about shit I can’t prove. > This isn’t here to replace auditors. > It’s here to show the beauty of hacking live contracts on-chain in real time. No lowballing. No shortcuts. Just straight, undeniable proof of work, exactly how black hats are already using AI. > I built this because I’ve been cheated on, played, and ignored too many times. It runs in 3 phases: 1. Contests: This was my backtesting ground. 2. Bug bounties: where I show real results. 3. Live chains: Instances deployed on mainnet, auto-targeting protocols that push unaudited commits straight to chain. Currently at 50% complete. still building and implementing. One of its features is that when it hits a protocol with closed-source code on-chain, it automatically decompiles the bytecode back into clean, human-readable source, then throws its entire knowledge graph and reasoning engine at it. It systematically breaks down every layer until the protocol is fully reverse-engineered and every vulnerability is exposed. This is just the beginning.

cybersecurity guy walking into another war room 4th time this week

@_kujen5 @immunefi @CyfrinUpdraft @PatrickAlphaC @cantinasecurity that is some determination you've got congrats on getting ahead of 90% of people, now aim for 9% more.

This is an insane moment for me. FIRST EVER WEB3 PAYOUT on @immunefi !!! I started learning about Web3 on December 2024 from @CyfrinUpdraft and @PatrickAlphaC Started my first contest on @cantinasecurity on June 2025. First payout on April 2026! NEVER STOP THE GRIND! Lessgerit!

@ValvesSec fucking love this, thanks

🚨Free for anyone who wants to get better at Web3 security!!! Most researchers struggle with: • Too much passive reading • Not enough real-world attacker pattern recognition That’s exactly what we’re fixing with the Valves Security Training Hub. 📚 Instead of just theory, you will train on how attackers actually think, so you can spot vulnerabilities faster and with confidence. If you’re serious about improving, this is for you. Start training 👇 training.valvessecurity.com

@Xy63ry0rx @adeolRxxxx don't worry he'll be right soon

@adeolRxxxx lol everything happening now is the humans written code not vibecoded he’s wrong

He actually said it:( Now hacks happen every day, hour

@adeolRxxxx The current major hacks are mostly opsec failures privKey compromise, vibe-hacking older protocols, the vibe-coded and vibe-audited protocols have not started getting hacked.

@adeolRxxxx what he said hasn't even started happening.

@WhiteHatMage do you think social engineering should be in scope for bounty programs

We have so many compromised key and infrastructure hacks because of how centralized web3 has become. But, we also have so few code hacks in comparison because of how centralized web3 has become.

@hamidonsolo you must have been reading about the brain alot recently or at some point in life, I not only study web3 bou nty hunting, I study the brain too, and I've come accross everything you said about the brain, especially how the dmn activates when you're not doing anything

@hamidonsolo that's the spirit

meanwhile your boy :) dont trust them we will still be there even in 2 years

@rRat1315 this is the abi Smuggling challenge, how did you configure your foundry to show opcode during execution?

Web3 low level is so fun

.

@cyfrin this will be like dvd challenge on mainnet.

BattleChain fixes this. Bug bounties: "find a vuln, write a report, we'll pay you (maybe)." BattleChain: "find a vuln, exploit it, keep 10%, return the rest." You stole the money. You sent it to the recovery address. You keep your cut. No politics. No discretionary payouts. On-chain Safe Harbor agreements make it legal.

As of today, BattleChain testnet is LIVE. The pre-mainnet, post-testnet blockchain, where whitehats legally attack your smart contracts before they reach production. Deploy. Get attacked. Ship stronger. Here's why we built it, what it is, and how you can get involved 🧵

@Al_Qa_qa wrong right?

@Al_Qa_qa omg, it's been staring at me all this while, call the emitting function directly and call delegatecallIt, the emitted msg.sender will be the eoa that made both calls.

We have a lot of whitehats, and many comments indicate that the sender should be `address_this`. But in the provided contract, this does not apply to calls to `callIt` or `delegateCallit`. But guess what! The situation can still be met. Can you find how?

@Al_Qa_qa @Al_Qa_qa correct?

@Al_Qa_qa the msg.sender will match iff the contract had a function x(), that calls both callIt() nd delegatecallIt() at once, so on calling x() the emitted msg.sender will be address(this) on both calls.

Do you know the situation where `call` behaves exactly like `delegateCall`? If the target is `address(this)`, they match the affected contract storage. Calling both in the contract below will increase `num` by 1. But do you know when the `msg.sender` will match?!

.