blchead | Felipe

6.5K posts

blchead | Felipe banner
blchead | Felipe

blchead | Felipe

@blchead

Founder @DefundsFinance | Member of @SuperteamBR | ex SorcererTrading | https://t.co/lj8qcMKNbb

Brazil Katılım Ocak 2019
643 Takip Edilen1.7K Takipçiler
Syfer
Syfer@0xSyfer·
@blchead How did you feel ? 🫶🏻
English
1
0
1
18
blchead | Felipe retweetledi
Jito
Jito@jito_sol·
JIP-38 is now live. Value should live with the Network. This proposal formally establishes Jito as a token-centric network, committing 100% of the Jito DAO's revenue share from @JTX_trade to programmatic buyback and burns of $JTO for at least 1 year from JTX launch.
English
28
38
219
98.3K
kaue
kaue@kauenet·
Pushed a few commits to @blchead's auditor-skill and released v7.0 with: - even more checks & attack vectors - @0xcastle_chain & @trailofbits skills integration - full audit firm lifecycle / methodology - rust pre-scanner + cross-audit memory - auto exploit poc/patch generator Can easily say this is the most comprehensive and capable security skill for Solana builders. If you're shipping, install it now at: github.com/solanabr/audit… @superteam is a cheatcode and @SuperteamBR keeps delivering, LFB 🦾
English
11
4
66
3.2K
blchead | Felipe
blchead | Felipe@blchead·
Auditor skill needs to be open source and if we work together in it as a community we will be always one step forward. @SuperteamBR is q cheat code. Lfg!
kaue@kauenet

Pushed a few commits to @blchead's auditor-skill and released v7.0 with: - even more checks & attack vectors - @0xcastle_chain & @trailofbits skills integration - full audit firm lifecycle / methodology - rust pre-scanner + cross-audit memory - auto exploit poc/patch generator Can easily say this is the most comprehensive and capable security skill for Solana builders. If you're shipping, install it now at: github.com/solanabr/audit… @superteam is a cheatcode and @SuperteamBR keeps delivering, LFB 🦾

English
0
1
13
626
kaue
kaue@kauenet·
Felipão raised this flag a couple weeks ago and I quickly & comprehensively verified - @MeteoraAG has vulnerable Mainnet code, even though no pools are currently hackable. I believe having users potentially exposed with vulnerable code on production makes this at the very least a HIGH severity. The bigger issue I see is platforms like @ooosec_com allowing such important concerns be flagged as DUPLICATE with no proof or transparency. ANY bounty creator can flag ANY submission as duplicate with no further proof, then fix the findings and leave security researchers with nothing. I'm not saying Meteora is doing so - I fully believe them that there was another bounty submission among these lines and it's a valid flag, the only thing I'm raising here is that more transparency is always welcome! And I trust @MeteoraAG community will compensate @blchead proportionally to the care and attention he has put in their protocol to protect users 😍
blchead | Felipe@blchead

I recently submitted a CVSS 7.7 (High) authorization vulnerability affecting @MeteoraAG Before sharing fully transparent (BUT removing critical info) I spoke with team and as I don't agree with that, I want to know CT opinion. The issue allows a configured shareholder to divert one side of dual-token fee claims, resulting in DIRECT THEFT of protocol/partner fee revenue. - A shareholder with even a 1-unit share can steal 100% of one token side. - The attack is repeatable on every fee accrual. - The theft is silent (the diverted fees never appear in the vault or events). It undermines the fundamental guarantee that fees are distributed according to shareholder allocations. The report was classified as DUPLICATE. After I followed up with additional evidence, including: - an end-to-end PoC reproduced on a local fork, transaction hashes, - proof that the issue remained exploitable on deployed binaries, - blast-radius analysis covering thousands of affected vaults, Meteora responded that: - the issue is still exploitable on the deployed DFS integration; - the duplicate status is only about bounty eligibility, not the validity of the finding; - that my PoC and exposure analysis are useful for prioritization. This raises a question I'd like to discuss with the bug bounty community. If the issue was already known, why does it remain exploitable on production? And more broadly: How is a researcher supposed to know whether a live vulnerability is already known internally? From the outside, there is no distinction between: - a brand-new vulnerability, - one that has already been privately reported, - one that is internally tracked, - one awaiting a future fix. Every one of those requires the same audit effort, reverse engineering, code review, exploit development, and responsible disclosure. I'm not questioning the duplicate policy itself bc most bug bounty programs have one. I'm questioning the lack of transparency around known-but-unpatched vulnerabilities. Should protocols provide more visibility when a CVSS 7.7 (High) issue capable of silently diverting protocol fees remains live? Or is it simply accepted that researchers may spend days producing original analysis and PoCs for vulnerabilities that have zero possibility of a reward because that information is impossible to know beforehand? I'd be interested in hearing how both protocol security teams and other researchers think this should be handled.

English
3
2
17
930
O³SEC
O³SEC@ooosec_com·
@kauenet @MeteoraAG thanks for the input, let us cook and get back to you with update.
English
2
0
2
12
blchead | Felipe
blchead | Felipe@blchead·
Hey @claudeai can you please turn off the auto scroll when claude asks for an approval? Like when I am reading the chat it literally goes all the way down to approve and i have to scroll up again to continue. Just show the approval without auto scroll? is that already possible and I am doing wrong?
English
0
0
1
101
blchead | Felipe
blchead | Felipe@blchead·
I recently submitted a CVSS 7.7 (High) authorization vulnerability affecting @MeteoraAG Before sharing fully transparent (BUT removing critical info) I spoke with team and as I don't agree with that, I want to know CT opinion. The issue allows a configured shareholder to divert one side of dual-token fee claims, resulting in DIRECT THEFT of protocol/partner fee revenue. - A shareholder with even a 1-unit share can steal 100% of one token side. - The attack is repeatable on every fee accrual. - The theft is silent (the diverted fees never appear in the vault or events). It undermines the fundamental guarantee that fees are distributed according to shareholder allocations. The report was classified as DUPLICATE. After I followed up with additional evidence, including: - an end-to-end PoC reproduced on a local fork, transaction hashes, - proof that the issue remained exploitable on deployed binaries, - blast-radius analysis covering thousands of affected vaults, Meteora responded that: - the issue is still exploitable on the deployed DFS integration; - the duplicate status is only about bounty eligibility, not the validity of the finding; - that my PoC and exposure analysis are useful for prioritization. This raises a question I'd like to discuss with the bug bounty community. If the issue was already known, why does it remain exploitable on production? And more broadly: How is a researcher supposed to know whether a live vulnerability is already known internally? From the outside, there is no distinction between: - a brand-new vulnerability, - one that has already been privately reported, - one that is internally tracked, - one awaiting a future fix. Every one of those requires the same audit effort, reverse engineering, code review, exploit development, and responsible disclosure. I'm not questioning the duplicate policy itself bc most bug bounty programs have one. I'm questioning the lack of transparency around known-but-unpatched vulnerabilities. Should protocols provide more visibility when a CVSS 7.7 (High) issue capable of silently diverting protocol fees remains live? Or is it simply accepted that researchers may spend days producing original analysis and PoCs for vulnerabilities that have zero possibility of a reward because that information is impossible to know beforehand? I'd be interested in hearing how both protocol security teams and other researchers think this should be handled.
blchead | Felipe tweet mediablchead | Felipe tweet mediablchead | Felipe tweet mediablchead | Felipe tweet media
English
15
0
35
4.7K