0K

5.1K posts

@ZeroK_____

@immunefi All Stars | A carefree cyber sailor. Solves security challenges. Secures protocols.

Multiverse · Joined May 2022
513 Following · 2.2K Followers
Pinned Tweet
0K@ZeroK_____·
One universal truth: every codebase has Bugs waiting to be caught.
Keyword 💙🛠️@xKeywordx·
I always confuse these 2 guys because of their pfps. Anyone else?
0K@ZeroK_____·
@alpeh_v DECENTRALIZATION
ʕ •ᴥ•ʔ@alpeh_v·
I've invented a new type of permissionless blockchain where you need my approval to run the blockchain nodes but it's permissionless because anybody* can use it to pay me fees without permission. I'm this new revolution in computation a company *who passes stripe kyc and ofac
0K@ZeroK_____·
@chrisdior777 How do you manage to focus all this time and not get bored?
chrisdior.eth@chrisdior777·
Checked my screen time today (working hours only). 9-10h daily for the past few months. Thought I wasn't working enough. Turns out I was right. This space needs more high quality security and awareness - gotta push even harder.
0K retweeted
Plamen Tsanev@p_tsanev·
🚀Dear builders and auditors, your Claude Code sub just became a 100x audit team. Up to 95 specialized AI security agents running in one orchestrated autonomous pipeline. Fully open-source. "Plamen" is live 🔥🐉
LonelySloth@lonelysloth_sec·
@injective is a sad joke. How long can it survive without the **extremely underpaid** help of top white hats? **You should not submit bugs to them** unless you want to be equally mistreated. That sort of behaviour is damaging to all SRs and the entire industry, including all legitimate BBPs run by serious people who actually care about security. Let’s see: Ignored critical LOSS OF FUNDS for 3 months. Attempt to classify COSMOS bug as WEB. 😂 Claims impact is misleading but can't provide specifics of how much money could be stolen. Try to say bug not being exploited is a problem for the report 😂 The “head of engineering” @bangjelkoski is just throwing technical nonsense at the issue and pretending it sticks. Is he even technical at all? Does he know what a bug bounty is? Doesn’t sound like it. Sounds like Chat-GPT from ‘23 making excuses. How likely is it that this was the first critical Loss of Funds bug to go unnoticed? I'd say 0% likelihood. **I’d say extremely likely it wasn’t the last one either.** Again 0% likelihood it's the last protocol-ending level bug. But it will probably be the **last time they are helped by white hats.**
f4lc0n@al_f4lc0n

The figures referenced in the post are entirely misleading. There was no impact realized from this issue. Zero user funds were affected and zero addresses were compromised. My response: Are you suggesting I should have actually exploited the bug and caused real damage before coming to talk to you? For the stated vulnerability to work in practice, it would require execution of several suspicious transactions that would have an extraordinarily limited impact. My response: You should know better than anyone that on a Cosmos-based chain, a single transaction can pack multiple messages. Just one transaction is more than enough to completely drain multiple whale accounts. Injective has dynamic rate limiting functionalities which are applied automatically based on our live monitoring systems. This functionality has been live on mainnet since last year and is publicly available in our code base. My response: First, this has nothing to do with the vulnerability itself. Rate limiting doesn't stop attackers from stealing funds. It only slows them down when they try to bridge those funds over to Ethereum. Second, when I submitted my report, the mainnet configuration for this feature was not set. In other words, this feature wasn't even turned on! In addition to all of the above, this report was reviewed against the clearly defined terms of our Immunefi program. Based on those terms, issues such as those raised in this report that DO NOT impact block production or consensus are categorized outside of the Blockchain/DLT tier and carry a maximum payout of $50,000. My response: First, Immunefi has always put the impact of direct fund theft at the very top of its priority list. This is a fact that everyone knows. Second, you changed your bug bounty page after I submitted my report. Here’s the snapshot from November 8, 2025: web.archive.org/web/2025110816… .
And now, there’s an extra line added to your bug bounty page: “IMPORTANT: Within the Assets in Scope table, the injective-core folder is listed for both Blockchain/DLT and Web/App due to overlap between the two within the same folder. However, for a report to be categorized as Blockchain/DLT, the resulting impact has to be directly involved with the block production process or with consensus failures. All reports not dealing directly with either of these are to be categorized as Web/App.” I’d really like to know when this line was added. And do you really value chain consensus more than users' funds? We remain committed to fair, transparent, and consistent handling of all reports, and to maintaining the highest standards of security for the ecosystem. Injective has done so since its mainnet inception in 2021 and will continue to do so in perpetuity, always putting builders and security first. My response: You never even replied to my messages, and now you’re blaming me for not requesting mediation? I can post the original report if you agree. I left many messages, but you haven't replied to a single one. ---------- Finally: Stop making excuses from every angle and trying to use technical jargon to confuse people who aren't developers. That doesn’t work anymore these days. Anyone can just ask an AI to fact-check what both of us are saying. I have no ill intentions toward your project. All I'm asking is for you to be honest and handle this transparently.
Plamen Tsanev@p_tsanev·
Imagine charging 4 figures for an "AI audit" with a dashboard. Anthropic themselves price the compute like an expensive dinner, not like a used car. Here is what a 25M token audit should cost: - ~$123 - 52 agents - 1,593 lines, full analysis. The gap shall close 🔜🔜🔜
0K@ZeroK_____·
@danielvf @functi0nZer0 I just want EIPs to make sense at first reading. I guess I’m a simple man too :(
Daniel Von Fange@danielvf·
@functi0nZer0 I just want batch transactions, and someone else able to sign to pay a TX. And that could be in Hegota. So I'm almost a simple man.
laurence@functi0nZer0·
I genuinely couldn’t give a shit what the Ethereum Foundation puts out or prioritises so long as the contract code size limit is raised in Glamsterdam I am an incredibly simple man
0K@ZeroK_____·
@0xcastle_chain I read many unpopular opinions these days, and all of them are in fact correct and more accurate
0xFrankCastle🦀@0xcastle_chain·
unpopular opinion: the Moonwell $1.78M exploit last November wasn't really an AI problem. it was a testing problem. AI wrote the vulnerable code. But a human approved it. A human merged it. A human deployed it. we keep blaming the tool to avoid blaming the process.
0K@ZeroK_____·
@only01Essential A white hat, a real white hat, will never act like this; the idea of being a white hat depends on many things, and payment fairness is a small part of these things.
Essential@only01Essential·
The next wave of hacks will probably be done by researchers you know
0K@ZeroK_____·
@TopengaNFT @al_f4lc0n @immunefi @injective They always respond to mine and many other SRs honestly, but protocols like these should get removed and blacklisted if the story told is correct.
f4lc0n@al_f4lc0n·
I Saved Injective's $500M. They Pay Me $50K. I like hunting bugs on @immunefi . I'm decent at it. - #1 — Attackathon | Stacks - #2 — Attackathon | Stacks II - #1 — Attackathon | XRPL Lending Protocol - 1 Critical and 1 High from bug bounties (not counting this one) Life was good. Then I found a Critical vulnerability in @injective . This vulnerability allowed any user to directly drain any account on the chain. No special permissions needed. Over $500M in on-chain assets were at risk. I reported it through Immunefi. The next day, a mainnet upgrade to fix the bug went to governance vote. The Injective team clearly understood the severity. Then — silence. For 3 months. No follow up. No technical discussion. Nothing. A few days ago, they notified me of their decision: $50K. The maximum payout for a Critical vulnerability in their bug bounty program is $500K. I disputed it. Silence again. No explanation for the reduced payout. No explanation for the 3 month ghost. No conversation at all. To be clear: the $50K has not been paid either. I've seen others share bad experiences with bug bounty payouts recently. I never thought it would happen to me. I can't force them to do the right thing. But I won't let this be forgotten. I will dedicate 10% of all my future bug bounty earnings to making sure this story stays visible — until Injective pays what I deserve. Full Technical Report: github.com/injective-wall…
Martin Marchev@MartinMarchev·
Unpopular opinion: the biggest risk AI poses to security researchers is not replacing them. It's making them comfortable.
Haxatron@Haxatron1·
Who is going to be building the first AI contest platform exclusively for AI agents with judging done by another AI agent?
ross.wei@z0r0zzz

added @cantinaxyz scan + @certora formal verification + @joranhonig grimoire skill run making moloch/majeur the most AI audited code - ever.
0K@ZeroK_____·
@chrisdior777 4 days! Even 20 days is not enough for 4k lines imo
chrisdior.eth@chrisdior777·
PRO TIP for beginner protocol founders: If a Web3 security firm offers to audit 4,000 lines of smart contract code for $5k in 4 days, you better save your money. Cheap + fast audits usually mean one thing: nobody actually audited your code. Don't fall for this.
0K@ZeroK_____·
@chrisdior777 It happened to me a year ago. The protocol was removed, but nothing else changed. Recently, I heard that it collapsed and no longer exists.
0K@ZeroK_____·
@asen_sec Try to choose protocols that have a proven payment history and are well known in the space. This will filter out more than 70% of bug bounty programs that are most likely scams
0xasen@asen_sec·
It's surprising how many valid bug bounty reports you need to submit before you get paid on one
0K@ZeroK_____·
🙂
0K@ZeroK_____·
Skills and being in the right place at the right time are all I want. AI and other related tools are just resources on the table that I can use whenever I need.