Antics Decoded

975 posts

@AnticsDecoded

Security Researcher Rust, Solidity, C++, Go

Joined April 2024
5 Following · 381 Followers

0K (@ZeroK_____)
I built AI, and it passed a test I gave it, it found 3 out of 4 bugs that I already knew existed. Thinking a bit like a blackhat, it’s around 90% automated and 10% guided by me. No hype for now, it’s way too early to celebrate such a small success. But I genuinely hope I’m building something that can help prevent even 0.1% of the hacks happening today. If it works the way I want, I’ll share the full process and everything I learned along the way. If I win, all of you here should win too. We’re fighting blackhats, not each other. Don’t be too optimistic about this post (yet!) 😄 I just enjoy sharing small progress with the community.

Antics Decoded (@AnticsDecoded)
@dersonxyz But I think the max credits stated should be the exact amount used to run a scan

Jeff Security (@jeffsecurity)
If you're crossing from web2 sec into web3 (or vice versa), this repo is gold. Hundreds of bug bounty writeups grouped by class - IDOR, race conditions, RCE, SSRF, auth bypass. github.com/devanshbatham/…

Antics Decoded (@AnticsDecoded)
@DevDacian @cyfrin That’s great. Is Solace open source, and can it audit large, complex blockchain/DLT codebases?

Dacian (@DevDacian)
Beautiful composite exploit found by my AI Solace in @cyfrin private audit. Solace automagically chained together 3 individual component findings into a devastating critical drain attack 🚀 solodit.cyfrin.io/issues/onchain…

Antics Decoded (@AnticsDecoded)
@zooko Ok, thank you!! And please also, I’d like to confirm… are the rewards stated there the exact amount given to a researcher that gets a confirmed finding? For example, if I find and submit a critical vulnerability under the core nodes, do I receive $225,000 (Base payout & Bonus)?

Antics Decoded (@AnticsDecoded)
@zooko Yes, I have seen that already, but that is not the confusion I am talking about. The confusion actually comes between the security researcher and the project reviewers/triagers. Some of the assets stated there, like librustzcash, aren't even aware of this

Derson (@dersonxyz)
Using @hakiraio AI, I was able to earn $15,000 from multiple bug bounty programs. If you want to save time and discover real vulnerabilities in smart contracts and web applications, this tool is built for you.

Essential (@only01Essential)
Another project saved 🙌 A chain halt bug this time. $4,000 for the disclosure. Expected more, but we move

Antics Decoded (@AnticsDecoded)
It will eventually be crazily worth the sleepless nights, just keep at it... See you at the top :)))

Antics Decoded (@AnticsDecoded)
@arsen_bt This is more than gold, and I can even use it better in training my LLMs

Arsen (@arsen_bt)
4 questions I ask for every finding I miss. After every contest, I revisit what I missed.
• Why did I miss it?
• What thinking led me somewhere else?
• Was I too shallow, or looking at the wrong thing?
• What pattern am I now aware of?
Your findings library grows. Your miss library grows faster. A year of this and you see patterns nobody else does.

Antics Decoded (@AnticsDecoded)
@gosasu1 @Zcash Which LLM did you make use of, or which tools? We could talk via private DM. I also submitted vulnerabilities to Zebra

Revofusion (@revofusion)
@hrkrshnn Kind of funny that formal verification has become a magic tool. It only proves what you say it proves, it's not that far from invariant testing.

quasar (@quasar249)
Firedancer v1.0 audit contest, 3 days left. Several BHM issues, all turned out to be already patched in upstream - so ineligible as duplicates. Still fuzzing.

Antics Decoded (@AnticsDecoded)
@hrkrshnn --dangerously-skip-permissions let me see if I could be the next black hat 👿

Hari (@hrkrshnn)
If you believe human in the loop is the future of AI, what config do you run Claude?
1. It asks permissions for everything; I approve all runs
2. --dangerously-skip-permissions

Antics Decoded (@AnticsDecoded)
@pashov Yes, definitely a good thing. I would use it on new contracts and save more protocols from hacks

pashov (@pashov)
What if we open source pashov/skills solidity-auditor v3 that is better than most paid solutions and it can find Criticals left and right? Is this a good thing? What do you think?