Sam
557 posts

@_0x5am
dumb guy breaking smart contracts👨‍💻
England · Joined October 2016
1.8K Following · 341 Followers

Pinned Tweet
Sam
Sam@_0x5am·
I'm super proud of myself. One step closer to quitting my job and becoming a full-time auditor. Thank you to @cantinaxyz for the opportunity.
Sam
Sam@_0x5am·
@pashov Lambo owner AMA 🙏
winnie
winnie@xuwinniexu·
I've been designing a game recently and am now looking for some beta testers. If you're interested in simulation games, text games, LLM-native games, or simply something new, feel free to leave a comment or send me a DM.
pashov
pashov@pashov·
More than a year ago. Some killer security researchers came out of this internship. Many got hired in big companies with good salaries - very welcome. If another internship cohort sounds interesting, do comment below - let's see if there are people that would want this
pashov@pashov

Pashov Audit Group security researcher internship coming soon. Learn by doing, 100% practice. Real audits, real projects. Like/RT this post if you'd be interested in this. There will be lots of slots, I've thought of a scalable model to do this right, full announcement soon🫡

Sam
Sam@_0x5am·
@pashov This is what makes PAG chads🫡
pashov
pashov@pashov·
🧠AI security tools are booming. Still, many are slow, painful to set up or expensive to run. solidity-auditor v2 drops tomorrow. 1 command install. 8 parallel specialist agents. <10min on 5000 nSLOC. Runs locally on a cheap API plan. Free (even though it probably shouldn't be)
Sam reposted
f4lc0n
f4lc0n@al_f4lc0n·
the figures referenced in the post are entirely misleading. There was no impact realized from this issue. Zero user funds were affected and zero addresses were compromised.

My response: Are you suggesting I should have actually exploited the bug and caused real damage before coming to talk to you?

For the stated vulnerability to work in practice, it would require execution of several suspicious transactions that would have an extraordinarily limited impact.

My response: You should know better than anyone that on a Cosmos-based chain, a single transaction can pack multiple messages. Just one transaction is more than enough to completely drain multiple whale accounts.

Injective has dynamic rate limiting functionalities which are applied automatically based on our live monitoring systems. This functionality has been live on mainnet since last year and is publicly available in our code base.

My response: First, this has nothing to do with the vulnerability itself. Rate limiting doesn't stop attackers from stealing funds. It only slows them down when they try to bridge those funds over to Ethereum. Second, when I submitted my report, the mainnet configuration for this feature was not set. In other words, this feature wasn't even turned on!

In addition to all of the above, this report was reviewed against the clearly defined terms of our Immunefi program. Based on those terms, issues such as those raised in this report that DO NOT impact block production or consensus are categorized outside of the Blockchain/DLT tier and carry a maximum payout of $50,000.

My response: First, Immunefi has always put the impact of direct fund theft at the very top of its priority list. This is a fact that everyone knows. Second, you changed your bug bounty page after I submitted my report. Here's the snapshot from November 8, 2025: web.archive.org/web/2025110816…

And now, there's an extra line added to your bug bounty page: "IMPORTANT: Within the Assets in Scope table, the injective-core folder is listed for both Blockchain/DLT and Web/App due to overlap between the two within the same folder. However, for a report to be categorized as Blockchain/DLT, the resulting impact has to be directly involved with the block production process or with consensus failures. All reports not dealing directly with either of these are to be categorized as Web/App." I'd really like to know when this line was added. And do you really value chain consensus more than users' funds?

We remain committed to fair, transparent, and consistent handling of all reports, and to maintaining the highest standards of security for the ecosystem. Injective has done so since its mainnet inception in 2021 and will continue to do so in perpetuity, always putting builders and security first.

My response: You never even replied to my messages, and now you're blaming me for not requesting mediation? I can post the original report if you agree. I left many messages, but you haven't replied to a single one.

----------

Finally: Stop making excuses from every angle and trying to use technical jargon to confuse people who aren't developers. That doesn't work anymore these days. Anyone can just ask an AI to fact-check what both of us are saying. I have no ill intentions toward your project. All I'm asking is for you to be honest and handle this transparently.
Bojan Angjelkoski@bangjelkoski

Security is paramount at @injective and we take our bug bounty program very seriously. First and foremost, the figures referenced in the post are entirely misleading. There was no impact realized from this issue. Zero user funds were affected and zero addresses were compromised. For the stated vulnerability to work in practice, it would require execution of several suspicious transactions that would have an extraordinarily limited impact. Injective has dynamic rate limiting functionalities which are applied automatically based on our live monitoring systems. This functionality has been live on mainnet since last year and is publicly available in our code base. In addition to all of the above, this report was reviewed against the clearly defined terms of our Immunefi program. Based on those terms, issues such as those raised in this report that DO NOT impact block production or consensus are categorized outside of the Blockchain/DLT tier and carry a maximum payout of $50,000. If the poster had requested a mediation we would explain to him the dynamic rate limiters and monitoring systems we have in place and why his stated figures are misleading. However, he did not do so. We always follow the procedures set forth by the Immunefi program and expect the submitter to do so as well. We remain committed to fair, transparent, and consistent handling of all reports, and to maintaining the highest standards of security for the ecosystem. Injective has done so since its mainnet inception in 2021 and will continue to do so in perpetuity, always putting builders and security first.

Sam reposted
Immunefi
Immunefi@immunefi·
Security researcher ily2 has just earned a staggering $3,000,000 from submitting a critical smart contract bug via Immunefi. That's the largest single payout in web3 security in recent memory. In total, he's submitted 3 reports. All 3 were paid. 100% accuracy. His leaderboard update is coming soon, but you can pledge IMU to him now and earn when he finds the next one: immunefi.com/pledge/ily2
Sam reposted
Pashov Audit Group
Pashov Audit Group@PashovAuditGrp·
🚨JUST IN: Pashov Audit Group🤝Discord Welcome to our new community with technical topics around security, AI and dev. We live and breathe web3 technologies🫡 Join, RT and comment below for a chance to win 3x full-year Claude/GPT subscriptions👇 discord.gg/pashovauditgro…
Sam
Sam@_0x5am·
@legendydx Earning less than $10 in a contest is a rite of passage.
Sam
Sam@_0x5am·
@denicmarko Amazing! Cryptozombies is a tiny bit outdated now though, I'd recommend replacing it with @CyfrinUpdraft
Sam
Sam@_0x5am·
@infosec_us_team There's gotta be a word for when someone creates exactly what you've been dreaming of. Free and open-source too. Cannot wait to try this. We really don't deserve you guys♥️
kriko.eth
kriko.eth@krikoeth·
@0xmahdirostami tracking with toggle, no pomodoro, I just stare at screen for 8-12 hours 😄
kriko.eth
kriko.eth@krikoeth·
Had the best year again. Doubled my 2024 income over 1300 hours. 💰 Spent the last three months recharging - family time and a side project I've been building. No $$ goals for 2026. This year I want to double the HOURS. ⏰ Splitting my time: Bug bounties and the side project. Wanted to start in the new year but couldn't wait. Starting today. 🚀 Happy new year, may Devana guide you in your hunts! Time to work! 🎯
kriko.eth@krikoeth

Every year so far was my best year and I want to keep it that way. 2025 I'm gonna do more contests and less shit posting on twitter hehe. Happy new year everyone 🔥

Sam
Sam@_0x5am·
@Hcrlen I don't think I could find a bad one😅. It all depends where you're starting from and what you wanna learn.
0xch
0xch@Hcrlen·
@_0x5am brother can you list me some good rareskills blogs that I should read?
VERITAS PROTOCOL
VERITAS PROTOCOL@veritas_web3·
@_0x5am Chris is a legend and you’re a chad for being consistent. Great job!
Sam
Sam@_0x5am·
@solwrrr 🫡. Cyfrin is the best place to be + learning alongside school or work is not for the weak, I'm rooting for you bro!
Sam
Sam@_0x5am·
@ShieldRey 6 months is still infancy in this field (especially if you don't come from a relevant field). Don't be so hard on yourself and try not to restructure your path too much/often, or you will just feel like you're getting nowhere. Pick something and stay consistent.
၊|||!
၊|||!@ShieldRey·
@_0x5am I have done 6 months. I still feel underachieved or maybe restructure the learning path
chiboy
chiboy@chiboy0123·
@_0x5am Is that a roadmap