Undercover125
1K posts

Undercover125
@Ril11111
Write, code, lift, repeat | Data & Distributed Systems geek🧢
Singapore · Joined January 2019
636 Following · 144 Followers

Churned out this PoC w/ @claude_code, any feedback would be appreciated

5/ LayerZero 1-of-1 DVN OApps
The enabler of this attack was Kelp's 1-of-1 DVN config. There's plenty of LayerZero OFTs still running 1-of-1 DVN setups today. Pulled this list from @Dune


Built a dashboard to track the rsETH LayerZero OFT exploit
rseth-dashboard.vercel.app
Biggest DeFi hack in 2026: numerous DeFi protocols affected, plus LayerZero OFT tokens/adapters.
Data curated from various X threads, on-chain txns, official post-mortems, etc.
Shoutout to @banteg, his threads carried the early understanding of this exploit.
Since then, the key parties involved (@KelpDAO, @aave, @LayerZero_Core) have also released various post-mortems. I built this dashboard to pull it all into one place. Check it out👇
Undercover125 retweeted

@trq212 Hey I wanted to flag a change in behavior I've been experiencing.
I use cc regularly to craft PoCs for security vulnerability research, and it's worked well for this use case until recently.
Since yesterday, I've been consistently hitting a policy violation error when attempting similar tasks.
Has there been any update to Claude's usage policies or safety guidelines that might explain this change? Any context would be helpful, thanks.


I want to do a few more of these calls.
If your MAX 20x plan ran out of tokens unexpectedly early and you're willing to screenshare and run some prompts through Claude Code please comment.
Trying to figure out how we can improve /usage to give more info.
Kieran Klaassen @kieranklaassen
Resolved!! @trq212 helped me debug where the token usage came from and it was my fault 100%. Script to find token usage: gist.github.com/kieranklaassen… I had a recurring script that ran every 5 minutes that should not have run every 5. I hope we can make it easier to detect these within Claude and Claude Code soon too.

@chamath If there was a product that does this, would you use it?

This may be a dumb question but I'll ask it here anyways:
I can't find a good way for my various AI chats to automatically sync their conversation history into a structured knowledge base, so that as I update various chats from time to time and refine context, my knowledge base automatically grows with this new info.
Undercover125 retweeted

I beg everyone in crypto to read this in full.
I expected this to be another case of social engineering, likely some recruiter/job offer shit.
I was very wrong.
And the depth of the operation and personas makes me think they already have multiple other teams on lock.
😳
Drift @DriftProtocol
Undercover125 retweeted

Thank you to everyone who spent time sending us feedback and reports. We've investigated and we're sorry this has been a bad experience.
Here's what we found:
Lydia Hallie ✨ @lydiahallie
We're aware people are hitting usage limits in Claude Code way faster than expected. Actively investigating, will share more when we have an update!

Shoutout @bountyhunt3rz for keeping me company. Hearing the perspectives of other SRs was useful.
Undercover125 retweeted

I Saved Injective's $500M. They Pay Me $50K.
I like hunting bugs on @immunefi . I'm decent at it.
- #1 — Attackathon | Stacks
- #2 — Attackathon | Stacks II
- #1 — Attackathon | XRPL Lending Protocol
- 1 Critical and 1 High from bug bounties (not counting this one)
Life was good. Then I found a Critical vulnerability in @injective .
This vulnerability allowed any user to directly drain any account on the chain. No special permissions needed. Over $500M in on-chain assets were at risk.
I reported it through Immunefi. The next day, a mainnet upgrade to fix the bug went to governance vote. The Injective team clearly understood the severity.
Then — silence. For 3 months. No follow up. No technical discussion. Nothing.
A few days ago, they notified me of their decision: $50K. The maximum payout for a Critical vulnerability in their bug bounty program is $500K. I disputed it. Silence again. No explanation for the reduced payout. No explanation for the 3 month ghost. No conversation at all. To be clear: the $50K has not been paid either.
I've seen others share bad experiences with bug bounty payouts recently. I never thought it would happen to me. I can't force them to do the right thing. But I won't let this be forgotten.
I will dedicate 10% of all my future bug bounty earnings to making sure this story stays visible — until Injective pays what I deserve.
Full Technical Report: github.com/injective-wall…
Undercover125 retweeted

another "benchmark"
yet
live bugs confirmed in bug bounties
is the only
real
"benchmark"
@therealgregoAI

Hari @hrkrshnn
Ross benchmarked 28 (up from 21) different AI security tools. The results are pretty stark: most security tools are worse than ChatGPT.
Undercover125 retweeted

if you are looking at AI security to complement your existing security stack, consider the following before you let your traditional audit partners upsell you on an "AI audit":
most AI audits only give you a high level analysis, hence the low price point/quick turnaround
then they give you hundreds of false positives and hope something sticks or else charge you to manually triage through these by their own SRs
absolute waste of time
we are not competing in this area
we are competing against the top audit firms and security researchers to find the needle in the haystack
we designed our @therealgregoAI security engine to go as deep as possible and grind for hours and hours running through thousands of exploit scenarios while filtering out 95%+ of false positives (very difficult to do! IYKYK)
DM to enable the Grego AI Security Layer on your protocol and we will show you what everyone else missed

New on Sherlock: @scroll_ZKP Bug Bounty is LIVE!
Max rewards: up to 1,000,000 USDC
•Critical: $50,000–$1,000,000
•High: $10,000–$50,000
•Medium: $5,000 (flat)
Get started here:
audits.sherlock.xyz/bug-bounties/2…