TruthLover
709 posts

@0xtruthlover
In God we trust, all others must verify their code.
Joined July 2023
2.2K Following, 148 Followers

There’s quite a memorable story behind one of the vulnerabilities.
Almost three years ago, I first looked at this codebase. I still remember the strange gut feeling I had while trying to wrap my head around one particular component. I spent days looking for a flaw, some slight deviation from the intended behavior, but came up empty.
Still, I couldn’t quite let it go. Over the following years, I kept occasionally coming back to the same file, mostly during holidays: reading line after line, hand-crafting payloads, writing fuzzers, running automated scans, and later consulting my favorite AI agents, all of which tried to convince me the logic was bulletproof. Not only did I not find any vulnerability, I didn’t even find a non-security-relevant bug. But that feeling of suspicion never went away.
After getting home from a New Year’s party in the early hours of January 1, 2026, and not quite ready to call it a night, I decided to give it one more shot. For some reason, it finally clicked, and I spotted a very subtle interaction I had overlooked for years.
137 hours later, on very little sleep, I submitted the final piece of the working PoC. The hunt for the one that almost got away was over.
Interestingly, the bug made a brief reappearance when the same pattern turned up in a few other projects later. No big bounties, though.
P.S.: Don’t do this. Sunk cost fallacy is real.
Huge thanks to the teams of the affected project(s) for demonstrating their commitment to security with smooth and fair bounty payments.
I’m also very grateful to the entire @HackenProof team for their great work as always, and especially to @d0rsky and @Striukovskyi for their excellent support over the past years!
HackenProof@HackenProof
A $225K bounty win for @0zSchnack 🫡 Not one, not two, but three $75K payouts — an impressive streak. HackenProof salutes you. Keep hunting 🔥

@PashovAuditGrp Planning to join the team... Just need to finish some priority stuff first. I respect what you guys are doing 🫡

@only01Essential Submitted 3 critical reports in a row... all valid but dups 😭

I just found a confirmed bug on @immunefi #immunefitribe immunefi.com/s/ss/?severity…
I deposited $100 USDC to report this one, hope there aren't too many dups

He's back.
@GrumpyLord36678 just got a $50,000 payout.
Their total earnings are now $171,633.
At what threshold should they finally drop the Grumpy and become CheerfulLaurie?
Pledge $IMU on their profile: immunefi.com/pledge/GrumpyL…

@0xtruthlover @immunefi And I still have a dozen escalated reports, so we will see ig

@GrumpyLord36678 @immunefi Sorry to disappoint but seems like there are plenty of valid findings in the Audit 😭

waiting for another 20+ reports in review 👀
HackenProof@HackenProof
Meet our Bug Machine @dan_fronts - 20 paid reports in under 2 months 🔥 @dan_fronts joined HackenProof in February and didn't wait to warm up: he delivered 20 validated, paid reports. Thank you for your work - this is only the beginning. The community sees you. Keep going!

🚨🤯BIG NEWS - @asen_sec(the AI Security master) joins PAG🔥
Today, non-AI-native security is a guaranteed failure.
Asen had the most findings on the Monad public contest (>1600 participants, >160k lines of code), and has many bug bounties confirmed. Time to win, together🫡

Over half a year ago, I posted about using AI to win security contests, back when a lot of people were still skeptical.
Since then, a lot has changed. Autonomous AI auditing has become a much bigger part of the conversation, and its capabilities are getting harder to ignore.
After being away for a few months, I wanted to see if my old pipelines were still competitive. Grateful to have ranked 2nd in the latest @chainlink contest on @code4rena. 🥈
It’s still early, and there’s a lot to improve, but the direction feels clearer than ever.
Max@MaxZuvex
Moment of truth: every finding I submitted in @code4rena contests came from a method I built using AI. Over 7 contests my method earned 🥇🥈🥈🥈🥉 with a valid/invalid ratio >1 and multiple solo ands duo High/Medium findings.
English







