ken

1.1K posts

@dayOneStudent

Blockchain Security Researcher || Builder || Speaker || Global Talent

Alpha Centauri · Joined March 2024
583 Following · 271 Followers
brainiac
brainiac@shealtielanzz·
Day 18/1001 Daily Summary🌸💗🍃 ~ Tried some homework. ~ Played chess with a colleague. Daily Quote ~ It takes hard work to make something look simple.
ken
ken@dayOneStudent·
@MartinMarchev That's why they get missed. The devs are sure everything is fine, and the auditors believed it too.
ken reposted
Martin Marchev
Martin Marchev@MartinMarchev·
Lots of security researchers read code hoping something feels off. Sometimes it works. But the meaty bugs don't feel off. They look perfectly fine. The shift for me was simple. Stop just reading and start questioning. Every function. What is this doing and why. That extra layer of thinking while reading is the difference between finding lows and finding crits.
ken
ken@dayOneStudent·
I've been digging into @immunefi bounties recently and it feels totally different working on contracts that have money inside. I mean 'there is real money in this code 🤯🤯🤯'
Sev
Sev@00xSEV·
My notes from the @1_00_proof interview on @bountyhunt3rz (@0xriptide)

- About the guest
  - Sept 2022: found a Notional issue (probably blog.notional.finance/ntoken-redempt…)
  - Kyber bug (mid-2023): 100proof.org/kyberswap-post… ($1m reward)
  - immunefi.com/profile/IAm100… (~$300k: 2C, 1H, 1L)
- Background
  - Dev for many years
  - PhD in computer science, compilers
- Pros/cons of being anon
  - + Meritocracy
  - - Being non-anon can show you have nothing to hide
- Blogs > academic papers
  - Less dense, more analogies, easier to follow, less “trying to sound serious”
  - Write-ups can land anywhere on that spectrum
    - Boring, like mirror.xyz/0x2719F6Dfb850…
    - Honestly, most write-ups feel like this
    - Cool format idea: a user vs system chat, like kebabsec.xyz/posts/critical… @kebabsec
- 2024
  - Lacked focus
  - Did some private audits, but they distracted from BB even if they were scheduled 2 weeks out
- Bounty on Morpho for nested vaults
  - Late liquidation
  - Debt socialization
  - Vault shares can be lent out
  - Sell shares (e.g. $1.2/share) => liquidation (price drops to $1.1) => buy back at $1.1
  - Went deep, then got a sudden flash of insight, but only after fully understanding the system
  - Types scenarios into a text editor: “user borrows $X, LP stakes $Y, then price shock occurs”
  - Basically shorting things, and lending is a classic way to do it
  - My note: Btw, we found a similar bug on Euler contest, it was duped by me and by @AliX__40
- Similar bug from @0xriptide
  - Make a protocol incur bad debt via an ecrecover bug
- LLMs can help generate ideas on how to push further
- “The best time to plant a tree was 20 years ago. The second best time is now.” Web3 wasn’t around back then, so we work with what we’ve got rn
  - @0xriptide and @1_00_proof are around the same age
  - The field feels dominated by people in their 20s, but the pie keeps growing: more chains, more protocols, more surface area
- Contests are a different mindset, and a great BB researcher can still find 0 bugs (happened to @0xriptide)
- Things started centralizing really fast, like Deadwood (TV series): first, gold nuggets everywhere, then machines show up and eat everyone’s lunch
  - Platforms try to lock in talent with incentives
  - Harder to stay independent as an auditor now vs 2023
  - BB is nice because you’re not time-constrained, you’re your own boss, and there’s no pressure to ship results in a week
- Honing vs forging, 0 to 1
  - Honing = improving something that already exists
  - Forging = creating something new
  - Simplified example: US invented the car, Japan improved it
  - Forging new bug classes is the goal, vs becoming an expert at finding tons of known classes
  - That can mean more time between findings
  - You go deep, spend a ton of time, and most of it leads nowhere
- How to find a BB target
  - Look at Immunefi
  - Look at DeFi Llama
  - Jump into project Discords to see how much activity there is
    - Search for “bounty” (worked for Kyber)
    - Check the vibe and whether it feels alive
  - Etherscan
    - parsec.fi as an alternative
  - codeslaw.app (doesn’t index everything)
  - Glider by @hexensio for pattern searching is an alpha drop
- Plans to write memoirs, keeps a huge pile of .md notes
- Alpha drops
  - Look for DoS angles in traces, not just “steal funds”
  - For each long trace, ask: “can I break it?” or “can I call this directly with the same params?” or front-run it
  - Study software testing
    - People wrote about finding bugs 20+ years ago
    - Manual testing is closer to what we do than unit tests
    - James A. Whittaker books: goodreads.com/author/list/64…
  - Also his blog posts 100proof.org
- Negotiations
  - Don’t come off needy
  - Avoid fiery language
  - Pointing at technicalities like a lawyer often doesn’t work
  - People are people, talk to them like people
  - A college course on negotiation can help
  - Anchor price: the first number anchors the range (as long as it’s not absurdly low)
  - BATNA (best alternative to a negotiated agreement)
    - If they won’t pay, what’s your move? No disclosure?
  - For 1:1 outreach (not using a platform like @immunefi), don’t dump everything in a TG group until you have confidence they’ll reward you somehow
    - You have no obligation to disclose anything
    - If you spend weeks, disclose, and they pay nothing, you’re stuck
    - But in some places, “pay me or else” can cross into illegal/extortion territory
    - You can ask for non-monetary guarantees before disclosure: direct line, fast responses, etc
    - You lose all leverage the moment you fully disclose, and there’s nothing you can do if they lowball, ignore you, or drag payment for months
  - Altruism doesn’t scale, so good payouts matter if you want BB to scale
  - Maybe we need a wall of shame or sustained PR for projects that lowball or don’t pay
- youtube.com/watch?v=Kv45Fm…
ken reposted
f4lc0n
f4lc0n@al_f4lc0n·
I Saved Injective's $500M. They Pay Me $50K. I like hunting bugs on @immunefi . I'm decent at it. - #1 — Attackathon | Stacks - #2 — Attackathon | Stacks II - #1 — Attackathon | XRPL Lending Protocol - 1 Critical and 1 High from bug bounties (not counting this one) Life was good. Then I found a Critical vulnerability in @injective . This vulnerability allowed any user to directly drain any account on the chain. No special permissions needed. Over $500M in on-chain assets were at risk. I reported it through Immunefi. The next day, a mainnet upgrade to fix the bug went to governance vote. The Injective team clearly understood the severity. Then — silence. For 3 months. No follow up. No technical discussion. Nothing. A few days ago, they notified me of their decision: $50K. The maximum payout for a Critical vulnerability in their bug bounty program is $500K. I disputed it. Silence again. No explanation for the reduced payout. No explanation for the 3 month ghost. No conversation at all. To be clear: the $50K has not been paid either. I've seen others share bad experiences with bug bounty payouts recently. I never thought it would happen to me. I can't force them to do the right thing. But I won't let this be forgotten. I will dedicate 10% of all my future bug bounty earnings to making sure this story stays visible — until Injective pays what I deserve. Full Technical Report: github.com/injective-wall…
ken
ken@dayOneStudent·
This is the best time, perhaps the last window, to break into web3 security. AI will be soo good. Imagine having to fly at 85K ft above sea level (most commercial planes can attain 30k - 50k ft); only a few military/spy planes can do that. AI will create a similar effect.
ken
ken@dayOneStudent·
@blckhv Reality is merciless: the only people that determine whether whitehats will be valuable are the black hats. If you audit with AI and you get rekt, you come back to the white hats. Wisdom: don't be the textbook example.
Blckhv
Blckhv@blckhv·
3 months ago, I joked that in 2026, auditors would earn $$$ from bugs AI agents miss. The joke became the market. Junior-level mistakes get exploited every day. AI is worthless without the human behind it. There is a lot of $$$ to be made as a whitehat + AI. Go grab them.🫡
Naksh
Naksh@Naksh005·
just applied for growth lead at axiom heard they really value internal signals wish me luck guys
ken
ken@dayOneStudent·
@RaphByt3s 😂😂 they're not in a haste...
Donald Raph ☁️
Donald Raph ☁️@RaphByt3s·
@dayOneStudent The bad guys are always comfortable with any outcome 🤣 And once they hear u're releasing a new update, they become supercharged again. 😆
ken
ken@dayOneStudent·
Note to new auditors: Discomfort is easier to endure than uncertainty; in web3 security, you have extremes of both. Once an outcome is guaranteed, all discomforts become bearable. You can dig through thousands of loc and find nil. Black hats feel comfortable with both.
ken
ken@dayOneStudent·
@thepantherplus If black hats can't exploit code any more, then I agree, auditors won't be needed
ken
ken@dayOneStudent·
If you want to level up fast, understand the psychological dimension of web3 security. Pain threshold differs for everyone. Understand yours. The general bottom line is that tolerating more pain increases your threshold. Audit difficult code.
ken reposted
Immunefi
Immunefi@immunefi·
The @FolksFinance Audit Competition is live! 💸 A $25,000 reward pool is up for grabs for finding bugs in the project's Staking Contracts. 📅 Ends: March 17, 2026 💰 Reward pool: $25,000 ⌨️ Scope: 365 nSLOC of Solidity ✅ No KYC required Get hunting: immunefi.com/audit-competit…
ken
ken@dayOneStudent·
@RaphByt3s Black hats place the price on security. They keep everyone on their toes... in a way driving innovation. Are they net positive or negative 😂
Donald Raph ☁️
Donald Raph ☁️@RaphByt3s·
@dayOneStudent Think I like both groups in some ways 😀 The black hats, which we call the bad guys, always have this type of mentality I personally call attacker's mentality. U know what that type of mentality does to them? It pushes them a little step ahead; they question the unquestionable.
ken
ken@dayOneStudent·
If you are wondering if you should start web3 security this year, take note of this: there are still bugs out there yet to be exploited. There are two groups of people looking for them: the white and the black hats. The most hardworking group always gets ahead.
ken
ken@dayOneStudent·
@__katz__ @Jeyffre It is, but nobody cares about privacy and all whatnot; users want comfort, and crypto is the opposite of that, it's not easy to use. But suppose that mental block is overcome and consumer behaviour changes; all of a sudden it becomes a no-brainer to build such tools. Then it's too late.
Zach Katz
Zach Katz@__katz__·
I'm curious where you think the opportunities lie. My bet is boring old payments will be the only thing to write home about for the next 5 years, and then DeFi will gradually catch on. To most people building means launching a protocol, and some are excited about privacy. I'm not convinced these are really big opportunities yet.
Jeffrey Scholz
Jeffrey Scholz@Jeyffre·
If you've ever been thinking about starting a company in crypto, now is the time. Companies that start when the money is excessive tend not to build sustainable business models. If you can survive in this market, you know you have a real product. Validation in a down market is not the same as validation in an up market.
Abraham
Abraham@abrahamonchain·
@dayOneStudent AI will not replace Auditors buh Auditors who use AI will replace those who don't.
ken
ken@dayOneStudent·
50% of Security Researchers: Smart Contract auditing is over.
The other 50%: It's just getting started.
Advice to newbies: The only way to know if AI will replace you is to start using it.
ken
ken@dayOneStudent·
If you vibe-coded, don't vibe audit...
ken
ken@dayOneStudent·
The chat that must not be read by anyone is now with AI. It used to be that friend...