Mario Poneder
@MarioPoneder
407 posts

Ξ Smart contract security researcher @zenith256, @spearbit, @bailsecurity, @SecurityOak & @zerocool_ai | AI Red Teaming 🔄
Solidity, Rust & Cairo
Joined January 2022
597 Following · 1.4K Followers
Mario Poneder@MarioPoneder·
@muellerberndt The math is mathing. I mean you/we/others are trying hard to find a clear derivation error that is not resolvable. But that just hasn't been the case so far.
Mario Poneder@MarioPoneder·
@milotruck No need to apologize, your challenge was 🔥. It was definitely doable, we were just not good enough. Although I think it should have been worth 1000 points instead of 500. 😅
Zenith@zenith256·
49 Critical + High Vulnerabilities. 97 Medium. That's what Zenith Auditors have uncovered since January 2026 in just 38 audits. Whether it’s a last-minute upgrade or a new primitive, we’ve got you covered with the right auditors for your stack, your needs, and your budget.
Mario Poneder@MarioPoneder·
Totally agree — prompt injection feels like a natural extension of the smart contract security mindset. Personally, I’m too occupied with Web3 work to properly participate in AI red teaming competitions right now 😅 But definitely not wanting to gatekeep the opportunity: app.grayswan.ai/arena @GraySwanAI In case someone wants to test their prompt injection skills in a priced competition setting.
Sock@sockdrawermoney

if you squint this says to me smart contract security researchers are perfectly primed as adversarial thinkers for prompt injection security research

Mario Poneder@MarioPoneder·
@WhiteHatMage I've spent a lot of time with low level stuff (assembly and C) before Web3 ... I can assure you, you will :D
WhiteHatMage@WhiteHatMage·
I'll take a week to perform an interesting and probably stupid experiment: Hunting for live EVM bugs by checking the deployed bytecode. I'm allowing myself to cheat a little bit by checking the verified code to quickly understand what's going on. I'll also use a Yul decompiler for complex contracts and try a disassembler for simpler ones. There are critical contracts out there holding really big bags that are worth the effort. My main goal though is just to understand what's going on under the hood, and maybe get some inspiration for any potential unknown vectors. Also for understanding what's needed to get a clean input for any automated tools to perform further analysis. I don't expect to find any bugs honestly. It will be painful, but fun at the same time. I just love having the freedom to navigate any crazy paths I choose 🧙‍♂️
Mario Poneder@MarioPoneder·
Diving into AI red teaming: prompts are like comments — non-binding. Same lesson across stacks: security boundaries must be enforced, not “requested.” For agents, the real boundary is between the decision (LLM) layer and the execution layer.
Sock@sockdrawermoney

x.com/i/article/2027…

@bytes032.xyz@bytes032·
@mrjasonchoi for a moment this reminded me of the: "look at my horse, my horse is amazing" video
Jason Choi@mrjasonchoi·
“Then I told the horse, ‘cars won’t replace ya, but horses who drive cars will!’”
Bailsec@bailsecurity·
Our audit report for our partners @0xProject is ready. BailSec was tasked with an audit of the CrossChainReceiver (Update). BailSec - exposes risks that others overlook. Link to the report on Github👇: github.com/bailsec/BailSe…
Mario Poneder@MarioPoneder·
@lonelysloth_sec I am starting to feel cringe for liking most of your comments and posts shown in my feed during the last weeks, but damn ... they're on point.
LonelySloth@lonelysloth_sec·
Being a programmer in the early 90s was great. Then they invented help files which meant no more browsing manuals for hours. Can you imagine? Half of all coding jobs died right there. Then OO made code reuse too easy and you could write in a few weeks what used to take months. Then Java had strong typing and GC, it got rid of most bugs -- no more hours figuring out a segfault -- we didn't even need QA guys! It all just worked! Coding was too easy. Then they fucking invented Python and made it even easier! Even biologists started coding for fs sake. Biologists! Can you believe that!?! Who would hire a programmer when even a biologist can write scripts in minutes -- without spending years understanding microcode and nand gates!?! You could just go to this web thingy and read like a 10 page tutorial and start coding. It was too much, it wasn't coding. Not the way I learned to love coding. I quit. I'm glad I did. By the year 2005, 1,000% of programmers had been fired and that's why nobody makes money as a coder today. There's a lesson here. Let's all give up bc we know when knowledge work gets easier they always fire everyone. Always. Never fails. Not a single time. At least the government started giving everyone a hundred dollars a week in 1999 or we all would have starved to death.
Mario Poneder@MarioPoneder·
@bailsecurity I've checked some of their reports in the past against competitors and came to the conclusion that these claims are justified. (scope and commit were taken into account when comparing) Not going to call anyone out, therefore DYOR.
Bailsec@bailsecurity·
Catching up on the current discussion around the state of Web3 security: For Tier-1 audit firms, the conversation should be partly about cost - but primarily about AUDIT QUALITY. If a client chooses a Tier-1 firm for top-quality security and pays premium fees, they should receive premium security reviews. In practice, some established Tier-1 firms no longer consistently meet that standard, and many clients treat any audit report they receive as the top benchmark in the space — then present it publicly as such. We’ve documented results like the one shown in the graphic across multiple audits against multiple traditional Tier-1 firms, and our clients are aware of it. That’s how BailSec has won many engagements and that's why clients continue working with us: we consistently deliver deeper, higher-quality reviews.
Mario Poneder@MarioPoneder·
@bytes032 It's only about the feeling of relief that the post won't be lost forever if you continue scrolling.
@bytes032.xyz@bytes032·
My secret toxic trait is bookmarking posts that I do not even intend on reading later What am I doing lmao