HackenProof

@HackenProof

Expert web3 bug bounty and crowdsourced audit platform with 350 programs and over 22 million in bounty DS: https://t.co/yl9Srpv70J

Start bug bounty journey →
Joined May 2018
2.2K Following · 38.1K Followers
Pinned Tweet
HackenProof @HackenProof ·
Security is a public good — and now the community can help fund it. We’re proud that HackenProof is part of the Ethereum Security QF Round by @thedaofund, hosted on @Giveth — a 500 ETH matching pool supporting people and projects working to make Ethereum and its L2 ecosystem safer. Quadratic funding means it’s not only about how much is donated, but also how many people support a project. So even a $1 donation can help strengthen the signal behind HackenProof. By supporting HackenProof, you support bug bounty research, whitehat hackers, and continuous security work across Ethereum and L2s. Donate by May 14: qf.giveth.io/project/open-s… Repost to help more people support Ethereum security. #HackenProof #EthereumSecurity #BugBounty #QuadraticFunding #Web3Security

HackenProof @HackenProof ·
Spot the Bug 🧠 Merkle reward claiming Two bugs in this one. Can you find both?👇

HackenProof @HackenProof ·
The minimum share protection had one flaw. It blocked supply between 1 and MIN_SHARES. It didn't block supply dropping to exactly 0. Full breakdown on the HackenProof blog: hackenproof.com/blog/for-hacke…

HackenProof @HackenProof ·
The attack chain:
🔸 100 ETH sent → unvested, invisible to totalAssets()
🔸 Last user exits → totalSupply() drops to 0
🔸 Dust deposit → shares minted 1:1
🔸 Vesting completes → totalAssets() jumps
🔸 Attacker redeems → full yield stolen

HackenProof @HackenProof ·
Most pentesters overlook the gap between actual balance and accounting balance. In ERC4626 vaults with linear vesting, that gap can become an attack surface. A dust deposit → major reward capture. Here’s how 👇
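
An added example, not part of the HackenProof posts or of any audited vault's code: a toy Python model of the accounting described in the three ERC4626 vesting posts above, comparing the guard that only rejects a share supply between 1 and MIN_SHARES with one that also rejects zero. The class and function names, the `MIN_SHARES` value, the amounts and the use of the extended guard as a fix are assumptions made for illustration.

```python
ETH, DAY = 10**18, 86_400
MIN_SHARES = 1_000  # constructed value; the thread names the constant, not its size
class Revert(Exception): """Stand-in for an EVM revert."""

class VestingVault:  # toy ERC4626-style accounting with linearly vested rewards
    def __init__(self, guard_zero):
        self.guard_zero = guard_zero  # True = guard also rejects supply == 0 (assumed fix)
        self.balance = self.supply = self.reward = self.start = 0
        self.length, self.shares = 1, {}

    def total_assets(self, now):
        elapsed = min(max(now - self.start, 0), self.length)
        unvested = self.reward - self.reward * elapsed // self.length
        return self.balance - unvested  # accounting balance, below the actual balance

    def _guard(self, new_supply):
        floor = 0 if self.guard_zero else 1  # flawed guard covers 1..MIN_SHARES-1 only
        if floor <= new_supply < MIN_SHARES:
            raise Revert("share supply below MIN_SHARES")

    def add_reward(self, amount, now, length):
        self.balance += amount
        self.reward, self.start, self.length = amount, now, length

    def deposit(self, who, assets, now):
        minted = assets if self.supply == 0 else assets * self.supply // self.total_assets(now)
        self._guard(self.supply + minted)  # check before any state changes
        self.balance, self.supply = self.balance + assets, self.supply + minted
        self.shares[who] = self.shares.get(who, 0) + minted

    def redeem_all(self, who, now):
        held = self.shares[who]
        self._guard(self.supply - held)  # check before any state changes
        out = held * self.total_assets(now) // self.supply
        self.balance, self.supply = self.balance - out, self.supply - held
        self.shares[who] = 0
        return out

def late_depositor_gain(guard_zero):
    """Wei gained by a dust depositor who enters after the reward was sent."""
    v = VestingVault(guard_zero)
    v.deposit("first_user", 10 * ETH, now=0)
    v.add_reward(100 * ETH, now=0, length=7 * DAY)
    try:
        v.redeem_all("first_user", now=0)  # last holder exits while rewards are unvested
    except Revert:
        pass  # extended guard: the exit to zero supply is refused
    v.deposit("late", MIN_SHARES, now=1)  # dust-sized deposit
    return v.redeem_all("late", now=7 * DAY) - MIN_SHARES
```

With the original guard the late depositor's gain equals the full 100 ETH of vested yield; with the extended guard it is a few thousand wei, its pro-rata share.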

Sainath More @sainathm501 ·
Another one on the board $250 bounty this time. Small steps, but consistent progress in Web3 security. Same me. Just more learning, more patience, more consistency. This journey is just getting started. More coming..... @HackenProof

PERK @PERK_FUND ·
Our team needs to speak to somebody @HackenProof immediately. We found a vulnerability that puts millions of dollars of funds at risk. Time is of the essence!!!!

HackenProof @HackenProof ·
What is the best social media for bug bounty hunters community?

🧪 cryptoleks @durdom_evm ·
@HackenProof github, hackerone forums, and twitter are where the actual discussions happen. reddit's r/bugbounty is decent for beginners but the serious hunters coordinate elsewhere

0Zeta @0zSchnack ·
There’s quite a memorable story behind one of the vulnerabilities.

Almost three years ago, I first looked at this codebase. I still remember the strange gut feeling I had while trying to wrap my head around one particular component. I spent days looking for a flaw, some slight deviation from the intended behavior, but came up empty. Still, I couldn’t quite let it go.

Over the following years, I kept occasionally coming back to the same file, mostly during holidays: reading line after line, hand-crafting payloads, writing fuzzers, running automated scans, and later consulting my favorite AI agents, all of which tried to convince me the logic was bulletproof. Not only did I not find any vulnerability, I didn’t even find a non-security-relevant bug. But that feeling of suspicion never went away.

After getting home from a New Year’s party in the early hours of January 1, 2026, and not quite ready to call it a night, I decided to give it one more shot. For some reason, it finally clicked, and I spotted a very subtle interaction I had overlooked for years. 137 hours later, on very little sleep, I submitted the final piece of the working PoC. The hunt for the one that almost got away was over.

Interestingly, the bug made a brief reappearance when the same pattern turned up in a few other projects later. No big bounties, though.

P.S.: Don’t do this. Sunk cost fallacy is real.

Huge thanks to the teams of the affected project(s) for demonstrating their commitment to security with smooth and fair bounty payments. I’m also very grateful to the entire @HackenProof team for their great work as always, and especially to @d0rsky and @Striukovskyi for their excellent support over the past years!

HackenProof @HackenProof

A $225K bounty win for @0zSchnack 🫡 Not one, not two, but three $75K payouts — an impressive streak. HackenProof salutes you. Keep hunting 🔥


HackenProof @HackenProof ·
A $225K bounty win for @0zSchnack 🫡 Not one, not two, but three $75K payouts — an impressive streak. HackenProof salutes you. Keep hunting 🔥

Mr Owl @ziko29504803 ·
@HackenProof more reports more findings more triaged more bounties

HackenProof @HackenProof ·
| ̄ ̄ ̄ ̄ ̄ ̄ ̄ ̄ ̄ ̄ ̄ ̄ ̄ ̄| More bugs, more rewards |______________| \ (ᵔᴥᵔ) / \ / --- / \ _| |_

Zer0day Sec 🗡 @Zer0day_sec ·
@HackenProof | ̄ ̄ ̄ ̄ ̄ ̄ ̄ ̄ ̄ ̄ ̄ ̄ ̄ ̄| Less sleep, more bugs |______________| ᕙ(⇀‸↼‶)ᕗ \ / / \ | |