Max Zuvex

Moment of truth: every finding I submitted in @code4rena contests came from a method I built using AI. Over 7 contests my method earned 🥇🥈🥈🥈🥉 with a valid/invalid ratio >1 and multiple solo ands duo High/Medium findings.

@ArnieSec @0xEV_om You’ll have to face it eventually :)

You claim all the findings were found strictly using your method. However in a previous tweet you say you appreciate the brain workout on the forte contest… x.com/maxzuvex/statu… You are not open sourcing the tool, or giving any information on how it works. In 6 months you only did 7 or so contests from a method which you claim can be fully automated, either you hate money or you are lying. What are your intentions, since you aren’t open sourcing I’m guessing you want to keep an edge. This suggests you want to keep an advantage that generates money. But this is contradictory since you are not maximizing profits by doing every single contest. You claim the tool can be fully automated but yet the amount of contests done suggests that it can’t be. If you truly have a method that works far beyond what anyone else has created then I apologize, but this just sounds like a lie to me.

Hot take: The ai hype in web 3 security is mostly misleading and a glorified fuzzing tool at its current state. Let’s stop the bs marketing and actually post in depth research for those of us who are actually interested. I’m tired of seeing crazy claims and then seeing the comments explain the bug found is actually useless and just a marketing ploy. Most of the time these tools are tested with the help of elite level security researchers which already have the ability to find the bugs themselves without the help of ai. I’ll be impressed when someone with no tech background places top 5 with the help of an AI tool. As of now I remain unconvinced.

@ArnieSec @0xEV_om 1. No comment. 2. Almost every month since I started, I’ve placed in the top 3 once. It didn’t happen suddenly after six months. 3. In my humble opinion, earning a PhD can actually be easier than what some expert SRs are doing.

1. He’s not sharing any info on the process, there’s no way to verify his claim 2. He spent 6 months developing the tool, there’s auditors I could name that had 0 prior background and after 6 months they were winning contests so no advantage there. 3. The guys a PHD, he could have gotten the same results if not better if he never built the tool and locked in learning manual auditing

@0xMackenzieM @code4rena I think there’s still room to improve the precision and recall quite a bit.

@MaxZuvex @code4rena That's huge. There might be a big opportunity for you to apply these to large old codebases with bug bounties to pickup bugs that weren't well known 2 years ago. 19/34 is a great hitrate. Most skilled whitehats are closer to ~30%

Moment of truth: every finding I submitted in @code4rena contests came from a method I built using AI. Over 7 contests my method earned 🥇🥈🥈🥈🥉 with a valid/invalid ratio >1 and multiple solo ands duo High/Medium findings.

@0xEV_om I'm not planning to

@MaxZuvex open source it?

@carlos__alegre @code4rena I wouldn’t say it’s an integrated workflow, since I’m not a security researcher myself. The AI handles the full detection and validation process independently.

@MaxZuvex @code4rena I see, thanks for the clarification. :) Could we say then that what you have done is to integrate AI into your workflow in a very efficient way? In such a way that AI does most of the stuff?

@Simo1028 @code4rena Basically, it could be similar to existing auditing tools. In addition, it could handle clustering and be optimized for detecting easy or obvious false positives. It could also provide a short one-line comment for each finding.

@MaxZuvex @code4rena Great job! Saw your comment about the heavy load that judge will have in the future and I'm thinking about building an AI tool that will help with that...Do you have any opinion/idea on this? Would love a feedback!

@carlos__alegre @code4rena x.com/MaxZuvex/statu…

@MaxZuvex @code4rena Was it only AI, or you + AI?

@pete_sim1 @code4rena Appreciate it! Not completely end-to-end automated (though it could be). I’ve found adding some guidance along the way gives better precision.

@MaxZuvex @code4rena This is awesome. Were you guiding it along the way? Or was it purely automated? Been deep down this rabbit hole myself.

@WhiteHatMage @code4rena From what I’ve seen, reaching high coverage is one of the hardest parts when using LLMs, especially when there are a large number of bugs. Thanks for the suggestion, I’ll keep it in mind :)

@muellerberndt @code4rena Thanks!

@MaxZuvex @code4rena Nice work 🚀

@coffiasse @code4rena Total expenses were under $1k

@MaxZuvex @code4rena How much did it cost to call the AI API?

@TrilochanDev Have you ever tested @octane_security in public contests? If not, would you be willing to?

We are talking about real Critical and High findings, not 1 or 2 wei, iykyk

@_0x5am @code4rena Haha true 😅 thanks man

@MaxZuvex @code4rena This is somehow more of a flex than finding the bugs manually😅. Incredible work Max, look forward to seeing where your next challenge takes you!

@p_tsanev @code4rena I agree, there are many marketing traps around AI. Claims should be backed with results in public contests, like mine. I’ve recently seen @AlmanaxAI competing too, and I hope more firms join. I’ll elaborate, but for several reasons not anytime soon.

@MaxZuvex @code4rena This deserves the most engagement, if true, instead of all other AI marketing traps. And of course, until you elaborate further in more posts, this will only remain a post, but you do have a great chance to showcase an impressive advancement in the space, hopefully you do so.

For me, it was an experiment in precision. For the industry, it might be a glimpse of what’s next. I’m stepping away for now to focus on my next challenge.

I don’t believe AI will replace top auditors anytime soon. Experts are still ahead. But my experiment convinced me that AI is already competitive with mid‑level auditors, similar to what we’ve seen in many other fields.