Hunter

@Huntoor

Hunting Bugs Everywhere | https://t.co/5Sj1CzQCoV for private audits

Web3 Joined June 2020
214 Following 1.4K Followers
Pinned Tweet
Hunter@Huntoor·
Alhamdulillah, I have won the @InfraredFinance contest. It's been a while since my last posted win😅. 2nd consecutive contest and win, is it the rise?

Some stats:
- Time spent: 7 days
- was the only one to find all high severity issues
- Found the only solo in the code

The main thing I am happy with in this contest is the amount of learning I got:
- read a lot of EIPs (some were unrelated to the code but was intuitive to read more through)
- read some geth code, and got a grasp of how consensus/execution layers work on the code level
- read one GEAS
- ran my first local node to build a POC

Downside for the above learnings is the % of coverage of those beautiful medium severity edge cases by those beautiful auditors.

This code has one of the longest call flows I have ever seen. I love staking more than DEXs auditing, had much fun auditing this one.

Also I may decrease my contests participation a lot (in general and not related to specific platform).

Plans?
- Leverage more time on niches I believe in and love
- Join firmsss
- Only participate in contests that add to my knowledge and have proper incentives
- Become a judge (judging protocols that I love auditing), meh least likely because of the big amount of spams currently in the space and how judging may make me a hated person from newbies.
Hunter@Huntoor·
@0xnirlin wdym, you didn't make your agent yet?
WhiteHatMage@WhiteHatMage·
If you’re just starting out with bug bounties, here’s a secret: finding the vulnerabilities is the fun part. Actually getting paid? That’s the real skill.
Hunter@Huntoor·
@0xCharlesWang In general, why speculate? If I have a clear attack path, then it's high and not low. If I don't have a clear attack path, then there are two options:
1. it's actually not exploitable
2. it's exploitable but I won't bother searching enough, let's just report rounding as low.
CharlesWang@0xCharlesWang·
This is usually the low severity finding everyone ignores because it’s „only dust“ …. Until it’s no longer „only dust“
Silo Intern@SiloIntern

Why permissionless DeFi is a double edged sword? dTRINITY got exploited for $257K today. here's what actually happened:

their dLEND pool (an Aave v3 fork) had a rounding flaw in the cbBTC aToken share math. mint and burn both used the same half-up rounding conversion. at a high liquidity index, withdrawals could exceed deposits.

attacker flash loaned, deposited ~$772 USDC valued as ~$4.8M collateral, borrowed 257K dUSD, then looped 127 deposit/withdraw cycles through a helper contract. each cycle extracted a bit more cbBTC than was put in. net profit after gas: ~$257K. pool TVL was only ~$435K.

on March 5, @HypurrFi publicly disclosed a structural rounding vulnerability in Aave v3 versions prior to 3.5 with the same exploit pattern. conditions: high per-unit token price, low decimals, low gas fees. cbBTC checks all three.

dLEND is an Aave v3 fork. unclear whether they were running a patched version, but the exploit matching a known vulnerability from 12 days earlier raises questions.

Hunter@Huntoor·
you are a good auditor when you submit smart bugs (logical). but what some miss is that you are a bad auditor when you submit invalid/info bugs. AI made it really easy to run and generate reports. please don't treat your private audit report bugs by kilo. VERIFY.
Hunter@Huntoor·
@adeolRxxxx I call this AI tools MEV. Good for others that goes one layer more deep.
playboi.eth@adeolRxxxx·
So basically, I have not been resting as I am currently competing in contests and also consistent in bug bounties. > So I think it would be nice to share my dups with the public for those who wanna learn. > But bug bounties have been a hell hole, or maybe let me say crazy. A bounty dropped last week in the heat of the day. I was asleep when I got pinged by my tool. I quickly woke up, checked, and saw it was in DLT. I have been preparing all my life for this. 4 hours just after this dropped on @HackenProof , I was able to find a critical that could allow an attacker to drain the entire pool in a single transaction by forging a block. I quickly wired an end-to-end POC to prove this issue, even estimating the time it would take the attacker. But unfortunately, I was met with "this issue has been found by another whitehat", bro, 4 hours?? Here, if you wanna learn: github.com/blessingblockc…
Hunter@Huntoor·
@Al_Qa_qa I disagree, audits are time bound, your best use of time would be to prevent hacks and dysfunctionalities of the SMART CONTRACT, you don't need to use that small bounded time to guard for those mistakes.
Al-Qa'qa'@Al_Qa_qa·
@Huntoor We should make sure the Web3 works safely, and don't get tied to a given niche
Al-Qa'qa'@Al_Qa_qa·
There is a difference between Protocol security and safety. We all remember the 50M $USDC trade that resulted in only 35k worth of $AAVE - Is the protocol secure? Yes, there was no technical exploit - Is the protocol safe? No, users can still lose everything. The problem is that DeFi protocols are built to work fine only when used correctly. They aren't designed to protect unaware users. We must ensure protocols work regardless of the input, handling user mistakes whenever possible.
Hunter@Huntoor·
sometimes I browse some finished contests randomly. it's insane how some valid bugs for 5 figures can never be valid in 1 million years in a contest and be marked as spam in another contest. insane how trivial bugs are considered smart here and unrealistic there. I'm confused.
Hunter@Huntoor·
@oot2k1 What you describe is understandable, the space evolves. But what i saw in the same timeframe is complete madness
oot2k@oot2k1·
changed a lot over the years as well. I will never forget the 25k safe transfer issues. A good example as well is sequencer downtime, today it is mostly considered invalid but at some point in time it was in almost every codebase and judged medium-high. (I think it's still ok to consider it a risk if the network is new and it would block liquidations or something)
Hunter@Huntoor·
@auditor_nate what is more problem is that discrepancy isn't small.
Auditor-Nate@auditor_nate·
@Huntoor It’s nuts mate, particularly the last 8 or so months. Just 0 consistency whatsoever on any platform
Martin Marchev@MartinMarchev·
Unpopular opinion: the biggest risk AI poses to security researchers is not replacing them. It's making them comfortable.
Hunter@Huntoor·
@0xKaden easy to say when you have financial stability. but when life gets tough?, your kids will only care about food, not your respect in the space
kaden.eth@0xKaden·
hot take: being a whitehat means that you should be willing to disclose bugs regardless of whether you will be rewarded sure, disclosure deserves a reward, but your priority should be doing the right thing rather than getting paid besides, i think this approach will always be rewarded in some way eventually
Hunter@Huntoor·
@asen_sec > The people who make it now are the ones who adapt fast. that does what?
0xasen@asen_sec·
It's not too late to start in web3 security. But the game you're entering isn't the game you've been reading about. Contests take months to judge. Platforms limiting submissions. AI finds the easy bugs before you do. The people who make it now are the ones who adapt fast.
Hunter@Huntoor·
@adeolRxxxx i'm not exhausted of working, i'm exhausted of twitter
playboi.eth@adeolRxxxx·
I don’t think I can continue this career path for long. - I’ve experienced exhaustion every day for the past week bro that I can’t even sleep at night. Bro I’m sad I’m mentally exhausted.
playboi.eth@adeolRxxxx·
Hi @sherlockdefi how do I log in to my old acct on Sherlock without needing to create a new one?
Hunter@Huntoor·
as we are speaking, some auditors are using claude code to perform parallel private audits. wdyt?, is this a productivity boost or illegitimate?
Hunter@Huntoor·
you didn't create your first claude skill yet?
oot2k@oot2k1·
Most profitable business right now in crypto: - validator + mev - market making - consultancy (audits, dev...) - ...? Right or wrong?