theBugLifestyle

1.2K posts

theBugLifestyle banner
theBugLifestyle

theBugLifestyle

@botdidy

LOVE, LAUGH & LEARN

Travellers Rest, Hadspen Katılım Haziran 2015
630 Takip Edilen351 Takipçiler
theBugLifestyle
theBugLifestyle@botdidy·
Running a bug bounty is so that you get more whitehats than black hats to look at your code regularly and submit issues that could be exploited. It’s not so you just gift random people money 😂 You can easily do a private audit/bug bounty for less than the 10% or 100% lost.
English
0
1
4
354
theBugLifestyle
theBugLifestyle@botdidy·
@LBacaj But then it leave some processes running on the back ground even though the output and task has gone way up
English
0
0
0
49
Louie Bacaj
Louie Bacaj@LBacaj·
Something I appreciate about Open AI & their usage limits: they dont kill a running autonomous codex session mid way. Anthropic kills everything mid session. Even a running workflow w/ millions of fable tokens in progress gets burned, need to start it over later. It's terrible.
English
39
29
1.3K
64K
0xFrankCastle🦀
0xFrankCastle🦀@0xcastle_chain·
Nobody inside the audit industry wants to say this, so I will: we are losing, and the data is not subtle. Three consecutive record years of theft is not bad luck. 2025 closed at $3.4B stolen. 2026 crossed $840M before June, with incident count up 70% year over year. Recovery rates collapsed from 21% to under 1% in twelve months. Whatever we're doing, the trend line has already graded it. And before anyone says "just get audited", Bunni was audited by Trail of Bits and Cyfrin. It died from a rounding error and shut down permanently. Balancer ran for years, heavily reviewed, and lost $128M to swap math. Cetus had multiple audits. $223M. None of these were exotic attacks. They were logic bugs, code doing exactly what it was written to do, where what it was written to do was wrong. The class of bug that pattern-matching scanners can't see and that a human with three weeks and a spec that exists only in the founder's head will statistically miss. After 100+ audits, here's the uncomfortable math of my own profession: a serious protocol ships changes continuously. An audit is a snapshot. The report expires the moment the next commit lands, and everyone in this industry knows it and prices it anyway. I'm not saying fire your auditors. I'm one. Manual review catches things nothing else can, and that stays true. I'm saying the model "two humans, a few weeks, a PDF, good luck" was built for 2024's codebases and 2024's attackers. Both have moved on. The data says the industry needs a layer that doesn't exist yet. I've spent the last months mapping exactly where that gap is, and testing what actually closes it. More on that soon.
English
13
3
122
5.3K
theBugLifestyle retweetledi
HackenProof
HackenProof@HackenProof·
HackenProof tweet media
ZXX
3
13
145
3.8K
theBugLifestyle retweetledi
Shrushti Raut
Shrushti Raut@codewithsushi·
Maybe we all should try NOT to use any sort of AI for a week and see if we still have any THINKING ABILITY left!
English
23
2
43
1.9K
Mustarzid
Mustarzid@M_Autos96·
@botdidy You just gain a new follower will love to watch and learn from you for long
English
1
0
1
5
Tucker
Tucker@CrucibleCrypto·
step 1: Make anonymous twitter Step 2: Collect the many other whitehat reports with a similar situation to maximize anonymity Step 3: Publish all vulnerabilities to inform users their money is not safe because a true white hats job is protecting the people who put their hard earned cash into this products Step 4: Watch how the space suddenly starts shifting because protocols can't hide anymore.
English
1
0
2
90
theBugLifestyle retweetledi
theBugLifestyle
theBugLifestyle@botdidy·
After 5months +, i got a reply under my tweet and now under the @dopplerprotocol report. TRIAGED->ACKNOWLEGED->REJECTED Like just forget bout it man… Also I wonder who budkayo is 😂. LESSON LEARNT! 😂 You shouldn’t have moved to another chain 😂
theBugLifestyle tweet mediatheBugLifestyle tweet media
theBugLifestyle@botdidy

I submitted a high severity vulnerability on @dopplerprotocol by Whetstone since February 2nd which was triaged by @cantinasecurity. Today is the 1st of July and I’ve not received a single response from the Team (Zero response). Guess what else?

English
2
2
10
2.3K
theBugLifestyle
theBugLifestyle@botdidy·
Well, well, well. We’ve seen what they do when they find you but Ever wondered how they find you - the protocol? There are many ways and different theories and one is to search X on “protocol” lol Are you safe?
Cos(余弦)😶‍🌫️@evilcos

@hedera 网络上的借贷协议 @bonzo_finance 由于预言机有关漏洞导致约 $9M 资产被盗(其中约 $1M 是白帽行为): bonzo.finance/blog/bonzo-len… 当黑客提交了一个完全是 0 的签名 ⁠[0,0]⁠,并指向一个同样为 0 的公钥时,底层的数学验证方程两边同时变成了 0,从而导致“等式成立”,通过验证,更新了个极其夸张的预言机价格。随后完成后续攻击利用…

English
0
1
5
794
theBugLifestyle retweetledi
theBugLifestyle
theBugLifestyle@botdidy·
The bugs exploited today are Bugs that couldnve been reported or have been reported or was not reported. You refuse to host a bounty, you refuse to pay bounty, yet you launch your program on a permissionless ecosystem. If this is isn’t suicide, I dunno what it is.
English
1
1
6
319
theBugLifestyle retweetledi
magnusweb3 | CertiK
magnusweb3 | CertiK@magnusweb3·
To the security researchers reading this: you deserve better than the spam queue. You know the cycle. You find a valid critical. The project disputes severity. The payout drags for months. Meanwhile open platforms bury real findings under thousands of junk submissions. That's the exact problem CertiK Hunt launched to kill. Invite-only, so signal beats volume. Programs and researchers both vetted. And the part that matters most: every program's scope and severity terms are defined up front — built on CertiK's industry-standard severity framework — so you know exactly how a finding gets classified before you commit a single hour. One week in: 300+ researcher applications, first program live, first reports already in triage. On July 15, the team behind Hunt presents at our Manhattan HQ — and takes questions face to face. So, researchers: what's the one policy that would make you commit your best hours to a platform? Drop it below. I'll put your answers in front of the team on the 15th — and tag you with what they say. Want to ask them yourself? RSVP: luma.com/n5zlmsjf
English
2
8
21
2.2K
theBugLifestyle retweetledi
theBugLifestyle
theBugLifestyle@botdidy·
I submitted a high severity vulnerability on @dopplerprotocol by Whetstone since February 2nd which was triaged by @cantinasecurity. Today is the 1st of July and I’ve not received a single response from the Team (Zero response). Guess what else?
theBugLifestyle tweet mediatheBugLifestyle tweet media
English
10
4
73
14.5K
theBugLifestyle retweetledi
theBugLifestyle
theBugLifestyle@botdidy·
The contract was smart, the dev wasn’t. I’ll explain. First you need to know that smart contracts can hold logic but EOA can’t because it has no code. So the dev is like okay, we’re not going to check if an account is an EOA using ‘account.code.length>0’ cause it’ll be weak.
beac@beacon302

🚨 ~$226k drained from BFB. Exploit Tx : app.blocksec.com/phalcon/explor… Root cause: a flaw in BFBToken price defense mechanism. Contract allowed _priceDeflPool() to be triggered through zero-value EOA→EOA transferFrom() calls. Every execution burned 5% of the BFB held by the PancakeSwap LP and immediately called sync(), progressively reducing the LP BFB reserve. Attacker repeatedly abused this behavior (~151 flashloan-backed iterations), pushing the reserve close to zero and severely distorting the AMM price.

English
6
4
32
5.7K