0xdeadbeef

160 posts

@0xdeadbeef____

Web3 security researcher. Finding bugs at Code4rena, Sherlock, Secure3, The Saloon and whitehat @Immunefi Open for private audits

Joined October 2022
605 Following 1.2K Followers
Giovanni Di Siena @giovannidisiena
Rediscovered this article while working through my backlog. It's a great read! Highly recommend for all security researchers.
0xdeadbeef @0xdeadbeef____

Solidity devs - are you using abi.decode to decode customer revert messages? Check out my latest blog that dives under the hood of abi.decode and reveals vulnerabilities that can be used against you. DM for audits. medium.com/@0xdeadbeef0x/the-double-edged-sword-of-abi-decode-f81529e62bcc

0xdeadbeef retweeted
Immunefi @immunefi
Calling Web3 Security Researchers 📢 We're doing an exclusive CTF challenge at the @SecureFi_io event in Brussels! Show your skills and win up to $5,000! 💸 Free Event Entry for CTF participants with the code: Immunefi_sr_securefi. Register now! tinyurl.com/SecureFi
0xdeadbeef @0xdeadbeef____
@milotruck Audits are time constrained while BB are not. From a researcher's POV it's just a transition from a fixed-pay service to a pay-per-vulnerability service. Regarding contests, it's the same as not allowing the auditor to perform a second round of audit if many bugs are found
MiloTruck @milotruck
If you just audited a protocol and they have a bug bounty/contest after, should you be allowed to participate? I realized people have differing views on this as it's a morally grey area. I'm leaning towards no
Ash Pinto @Ash_Immunefi
👋Hi, Twitter fam! I’m excited to join @immunefi as Hacker Success! 🚀I'm here to support our talented Security Researchers and make sure their skills shine. Let’s secure the future of Web3 together! 🛡️✨
0xdeadbeef retweeted
Immunefi @immunefi
Are you coming to @EthCC? We’re co-hosting a CTF challenge at @SecureFi_io with @dWalletLabs. $5000 rewards pool up for grabs sponsored by Immunefi 💰 100% Discount for our SR community with the code: Immunefi_sr_securefi 😎 Sign up at securefi.io
StErMi @StErMi
I remember that some weeks ago, someone posted a link with all the side events for @EthCC. Can someone share the link? I would like to schedule all the events in my calendar and book the flights.
0xdeadbeef retweeted
SHERLOCK @sherlockdefi
🏆 @fairside Audit Contest Results 🏆 Congrats to: 1. @0xdeadbeef____ - $10,672.17🥇 2. @giraffe0x - $8,333.28🥈 3. ck - $3,706.89🥉 @0xdeadbeef____ made $13,200.00 fixed pay + $10,672.17 from the contest pot! $42,000.00 rewards ➡️ $8.4M+ paid out in rewards.
SHERLOCK @sherlockdefi

🚨 New private contest: FairSide Network @fairside 🚨 Total Rewards: 40,000 USDC nSLOC: 2675 Lead Senior Watson: TBD Sign-up here: app.sherlock.xyz/audits/contest…  More details 🧵👇

0xdeadbeef @0xdeadbeef____
@giraffe0x Nice, I think I will give it a try! Especially with codebases which have poor documentation 🙃
giraffe @giraffe0x
Cursor ide has quite a sick AI chat >> than copilot's tbh. I use it during audits to quickly gain context of a complex function and to validate a possible bug. I found it most useful in these cases. Esp helpful for codebases which have poor documentation 😉 Sometimes I do ask it to just scan for obvious vulnerabilities but the hit rate is quite low
0xdeadbeef @0xdeadbeef____
@DevDacian Why not give the power of judging to the project? Like in BB where no-fix = no-pay. If the project decides to get it fixed then you get paid. The project pays for the contest anyway so there is no incentive for them to dispute without reason
Dacian @DevDacian
The downsides of the contest model no-one tells you about are:
* countless hours of back-and-forth arguing with strangers over the Internet trying to defend the uniqueness and validity of your findings, while also attacking the uniqueness and validity of others' findings since unique findings are what pays the big $
* your payout and rankings are completely in the hands of whichever judge gets assigned and many decisions can go either way which can drastically improve or decrease your results
* judging decisions can be highly partial to certain "big names" who dominate particular platforms. For example @trust__90 is a huge name on C4 while @IAm0x52 is a huge name on Sherlock; if this contest had been on C4 I'd wager Trust would have been successful in his appeals simply due to his name power there
* anonymous judging doesn't solve this issue as auditors are typically de-anonymized during the crucial appeal phase so the name power is still extremely important when arguing with strangers over the Internet
* at times there have been very clear agendas to discredit certain auditor's findings with the judges virtually cycling through reasons to invalidate particular auditors' findings
* there have been cases where a high profile name has found a finding in one contest on a platform, then on another contest on that same platform another lower-profile auditor found the exact same finding with even more impact and the high-profile name missed it, and immediately a campaign began to invalidate the finding of the lower-profile auditor
* when frustrated auditors have appealed the above behaviors and asked "what is the ultimate epistemological standard for truth? How can it be valid when high-profile auditor finds it in one contest but invalid when lower-profile auditor finds it in a different contest with even more impact?" the answer was SILENCE - if contest platforms and judges want to ignore you they can and there's nothing you can do about it unless you want to air the dirty laundry in public like Trust has chosen to do in this instance

When you see contest rankings understand that it is not just pure skills of the researchers finding vulns that got them there - it is literally hundreds of hours of arguing and debating with strangers on the Internet.

If you are the type of person who loves PvP, loves zero sum games, and loves arguing with strangers on the Internet, then you will absolutely LOVE audit contests! But if you find this whole process emotionally draining and not fun at all, then you will have a much more enjoyable life doing private audits.

It is no wonder that the vast majority of auditors grind out enough audit contests to build a reputation then transition to doing private audits and rarely go back to doing contests.
TrustSec @TrustSecAudits

Over the past week, @sherlockdefi and the @Optimism team made what I believe is an erroneous re-scoping of the security contest rules. The direct consequence is invalidation of ~90% of the unique bugs submitted and re-shaping the payout. Long-term, this threatens to be a precedent for resolving rules against the supermajority of honest competitors. Here's the in-depth take gist.github.com/trust1995/fd11… Contest link audits.sherlock.xyz/contests/205 Bugs link github.com/sherlock-audit…

0xdeadbeef @0xdeadbeef____
@pashov I don't think there is anything that irritates me more
pashov @pashov
- How did you make your money in web3? - I was a master negotiator in security contest vulnerability escalations, managed to get multiple solo findings through endless debates☠️
0xdeadbeef @0xdeadbeef____
@aviggiano Seems reasonable, or pay overtime if they want more senior researchers
Antonio Viggiano @aviggiano
@0xdeadbeef____ True. Nowadays I don't do it anymore. So maybe projects should expect more beginners on weekends?
0xdeadbeef @0xdeadbeef____
Why are security researchers expected to work on weekends? 🤔 Is this the same for devs? Audit quotes and contests are usually based on calendar rather than business days
0xdeadbeef @0xdeadbeef____
@aviggiano Makes sense, I guess when it starts to become a more permanent thing it backfires
Antonio Viggiano @aviggiano
@0xdeadbeef____ Because many auditors start doing this on their free time. That was my case, so I loved weekend contests.
0xdeadbeef @0xdeadbeef____
@bytes032 Yeah, it's because it's rebasing. It needs to rebase its balance to account for its underlying rebasing ETH balance
@bytes032.xyz @bytes032
TIL that the WETH implementation on Blast doesn't use the standard WETH9 contract. 🥶