0Zeta

12 posts

@0zSchnack

Machine Learning and Blockchain Security Enjoyer | All-time top 10 on HackenProof

Germany · Joined July 2023
307 Following · 254 Followers

0Zeta (@0zSchnack)
@cityhikers Oh no, that’s bad luck. But it happens. You can’t catch every bug. And to be honest, my gut feeling has betrayed me plenty of times, costing me lots of time.

federicosan🐺🥷🏽
@0zSchnack Thanks for the story behind this, I really enjoyed it! I have a similar story, but I did not find the bug. I had the suspicion, but a blackhat found it before I could report it, all because I did not follow my gut feeling like you did!

0Zeta (@0zSchnack)
There’s quite a memorable story behind one of the vulnerabilities. Almost three years ago, I first looked at this codebase. I still remember the strange gut feeling I had while trying to wrap my head around one particular component. I spent days looking for a flaw, some slight deviation from the intended behavior, but came up empty. Still, I couldn’t quite let it go.

Over the following years, I kept occasionally coming back to the same file, mostly during holidays: reading line after line, hand-crafting payloads, writing fuzzers, running automated scans, and later consulting my favorite AI agents, all of which tried to convince me the logic was bulletproof. Not only did I not find any vulnerability, I didn’t even find a non-security-relevant bug. But that feeling of suspicion never went away.

After getting home from a New Year’s party in the early hours of January 1, 2026, and not quite ready to call it a night, I decided to give it one more shot. For some reason, it finally clicked, and I spotted a very subtle interaction I had overlooked for years. 137 hours later, on very little sleep, I submitted the final piece of the working PoC. The hunt for the one that almost got away was over.

Interestingly, the bug made a brief reappearance when the same pattern turned up in a few other projects later. No big bounties, though.

P.S.: Don’t do this. Sunk cost fallacy is real.

Huge thanks to the teams of the affected project(s) for demonstrating their commitment to security with smooth and fair bounty payments. I’m also very grateful to the entire @HackenProof team for their great work as always, and especially to @d0rsky and @Striukovskyi for their excellent support over the past years!

HackenProof (@HackenProof)

A $225K bounty win for @0zSchnack 🫡 Not one, not two, but three $75K payouts — an impressive streak. HackenProof salutes you. Keep hunting 🔥

0Zeta (@0zSchnack)
@DisturbedCoin In most cases, you have to get permission from the affected projects if you want to disclose any information about reported vulnerabilities. I’m currently working on some writeups about other vulns I have discovered a while ago, though. :)

Daniel ☂️ (@DisturbedCoin)
@0zSchnack I'm impressed with how you said a lot of things but not what you actually found as the exploit. I'm new to auditing, is that how it works? Are you forbidden from speaking about it?

0Zeta (@0zSchnack)
@DmytroMatviiv Thanks! Looking forward to many more reports through HackenProof! 🫡

NOVA (@BulusOlive3112)
@0zSchnack That’s a great example of cross-context thinking; that GitHub issue basically acted like a seed for the breakthrough. Would love to dig into how you connect patterns across repos like that. Mind if we continue this in DM?

0Zeta (@0zSchnack)
@d0rsky Thanks! Time to get back to hunting, I guess 🫡

0Zeta (@0zSchnack)
It was a lucky coincidence. A few days earlier, I had read an old, unresolved GitHub issue in a different repository. It reported a degraded user experience under certain circumstances, which intrigued me and led me to investigate the issue. As a result, I learned a few new things and got inspiration for new angles to explore and new failure modes to look for while hunting. When I went back to the web3 codebase that night, that new perspective made me look at a certain mechanism differently, which helped me finally crack the puzzle.

NOVA (@BulusOlive3112)
@0zSchnack Insane persistence, what finally made it click after all that time?

barry (@BPIV400)
I'm posting a response on behalf of Cosmos Labs.

This is not a security vulnerability. However, it is a bug that the team will address in due course. There’s no risk to consensus, liveness, or funds as a result of this bug. Furthermore, the reported behavior only shows up if a validator uses block sync with an untrusted peer. Once synced, the nodes will perform as expected, even with malicious peers.

When closing the report, we asked the submitter to open a public issue on GitHub, so it can be tracked properly. We'll fix it as part of our regular bug process.

Separately, the same researcher had another report that got flagged as spam by our spam filtration system. We’ve reopened the report, and it’s actively being reviewed.

More generally, AI is changing the way that bug bounty programs must operate. Researchers armed with AI tools are submitting massively more valid and invalid submissions to our program than ever before. Our program has seen a 900% increase in submission volume from last year, on the order of 20–50 a day.

As a result, we're working hard to adapt our approach in this new landscape in a number of ways:

1. Training agentic reviewers on real, verified reports and deploying them in production
2. Tightening how we score submissions
3. Prioritizing trusted researchers with proven track records
4. Working with other bug bounty providers that offer more advanced triaging and permissioning features than HackerOne

Since Cosmos Labs took over the program, response times and triage quality have improved significantly, showing an over 50% improvement in vulnerability resolution time in spite of the increased submission volume. We appreciate the reports and the patience as we keep tightening things up.

0Zeta (@0zSchnack)
Had a great time playing @Wonderland CTF at @EthCC. Finally got back into Solidity after a long break.

0Zeta (@0zSchnack)
@immunefi Any way to get a second report slot faster? I just tried to submit two bugs, but could only create one due to the limit for new accounts. 😔

0Zeta reposted
HackenProof (@HackenProof)
New Blog Alert! We've just posted a detailed review of the latest bug fixes on VirtuSwap! Discover how a hacker can steal funds using virtual pools with multicall and improve your bug hunting efficiency! Dive into the full analysis following the link in comments👇