noct

160 posts


@mr__ow1

I find bugs for a living 👾 | most of my tweets are notes-to-self

Joined July 2024
395 Following · 16 Followers
noct retweeted
Mitchell Amador@MitchellAmador·
Big news from Immunefi: we just shipped Proof of Duplicate, and it's *the* feature I've been wanting to see for a long time. For years, one of the most frustrating experiences a whitehat could have was submitting a report, putting in the hours of research, the careful write-up, the working PoC… and getting back a one-line "duplicate, closing." No justification and no transparency. No way to push back. That era is over. Starting now, when a submission is closed as a duplicate, it points to the original report. The researcher can read the original. They can compare the reports for themselves... and if they believe the call was wrong, they get a formal dispute button. Verdict upheld means the report stays closed. If the verdict is overturned, the report gets reopened and goes back through triage like nothing happened, including reward eligibility. This matters beyond the feature itself. The whitehat community is the immune system of crypto. Every protocol secured, every exploit prevented, every billion in TVL that didn't get drained. For this immune system to keep working, things have to keep improving for whitehats. Proof of Duplicate is just one piece. There will be more. SR Summer 2026 is coming.
noct retweeted
Pyro@0x3b33·
If I was starting auditing right now here are the things I would do:
noct retweeted
Pyro@0x3b33·
I spent 10 hours writing down every weird vault bug I've found. 9 bugs in total: 5 for building a vault, 4 for integrating with one. Most of them sound obvious until you realize your project has them. paragraph.com/@0x3b/9-common-vault-bugs
noct retweeted
Jeff Security@jeffsecurity·
A skill that: - turns a smart contract vulnerability finding into a submission-ready Foundry PoC - forks mainnet - exercises real deployed contracts end-to-end. github.com/cholakovvv/fou… 🚀
noct retweeted
0xasen@asen_sec·
Don't optimize for being seen. Optimize for being undeniable. When the work is right, attention follows.
noct@mr__ow1·
@MitchellAmador Great!! Just continue listening to valid feedback from SRs and you guys will remain undefeated 🙌🏻
Mitchell Amador@MitchellAmador·
Real talk: we should have shipped this earlier. Starting now, duplicate submissions on Immunefi will no longer count against a security researcher's standing on our platform. If your report happens to be a dupe, it won't be held against you in the automated restriction system. Period. Dupes are a normal part of bug bounty work. Two researchers can independently find the same issue within hours of each other. Penalizing the second submitter discourages exactly the people we need most: the ones hunting hard, moving fast, and reporting in good faith. The researcher experience on Immunefi is the single most important lever we have for keeping crypto safe and secure. Every friction point we leave in place is a tax on the people protecting billions in user funds. We owe them better, and we're going to keep tightening this until the platform feels like it was built by researchers, for researchers. A whole lot more changes in this direction coming. Keep the feedback coming. SR Summer is coming on Immunefi.
noct retweeted
Dacian@DevDacian·
Q) How do you find bugs using AI, both manually and automated?

Prior to AI, finding bugs was about asking the code a lot of "what if" questions, then answering them yourself, plus also knowing what to look for (code smells, important protocol properties, heuristics etc.) while having an attacker mindset. This is still the same with AI; AI just makes it faster and more efficient to answer many of these questions. So when using it manually, basically just ask it lots of questions; the more focused the better. E.g. pick a part of the codebase and ask it lots of "what if" scenario questions like "what if this happens", "could this happen" etc. Focus on something important and try to think of all the ways it could break, then ask the AI a lot of specific questions about it, run through many different scenarios using the AI, explore the possibilities together.

When it comes to building automated AI vulnerability finders, that is a different ball game; now you'll need to engineer efficient multi-stage workflows that should model a realistic audit process. You'll need to:

1⃣ teach AIs how to think, what to look for, the questions it should be asking. This is the most important thing, as if you get this right it can find bugs in all future unseen codebases since it isn't pattern matching. You need to understand the mental processes an elite hacker would go through to find different types of bugs, then teach that to an AI.
2⃣ create an efficient workflow that models how an elite hacker would conduct a real audit while also leveraging the distributed power and scale of AI
3⃣ ensure the workload and required knowledge is efficiently distributed among a team of agents, such that each agent has a specific focus to avoid context bloat (remember the point I made about how, when using AI manually, it works much better if you ask specific questions regarding certain components; the same principle applies here)
4⃣ implement various workflows to deduplicate, merge and validate the potential findings, as well as provide every agent with the context and input it needs to do its job while avoiding providing it with a bunch of unnecessary information that bloats its context
5⃣ have an efficient process for continual improvement such that the AI can continue to improve itself to find an ever-increasing diverse range of bugs, ideally with minimal human input
noct retweeted
cholakov@cholakovvv·
🚀 This month I got 3 bug bounties paid out and built an open-source Claude Code skill along the way. Finding the bug is the hard part, but what really determines the outcome is how well you demonstrate its impact. That's where the PoC matters most: if it's not a mainnet-fork end-to-end test on real deployed contracts at the current mainnet state, it doesn't really prove impact. I iterated a lot before figuring out what actually works. Now it's a skill anyone can install. Free & fully open source 👇 github.com/cholakovvv/fou…
noct retweeted
0xasen@asen_sec·
The best people doing AI in web3 security aren't AI folks who learned security. They're security folks who learned AI. The security years do the work. AI is the easy part. Hacker mindset isn't a course.
noct retweeted
Arsen@arsen_bt·
How top auditors find deep bugs: they know code by heart. Your goal: walk every function in your head.
- Not "re-read."
- Not "double-check."
- Not "almost understand."
But actually audit from the head. Test yourself:
• Close the code
• Pick a function
• Explain it out loud, step by step
• Stuck? You're not ready for criticals yet
If you can't walk it blind, you aren't into code. If you aren't into code, you don't understand it.
noct retweeted
Patrick Collins@PatrickAlphaC·
We live in a time between times. The hackers have incredible technology to find bugs quicker than the defenses can put up. These are the biggest public hacks I think I’ve ever seen since getting into security. This has to change. We need to use the same tools as defense.
noct retweeted
pashov@pashov·
Elite level security researcher who's mediocre with AI can crush it in web3 security, unlike an elite AI guy who's mediocre with security research. All of the skills you were building during these years were well worth it. Sprinkle some of the new magic tech on top & crush it🫡
noct retweeted
Immunefi@immunefi·
Most security firms are quietly moving away from audit competitions. This is one of the biggest mistakes happening in crypto security right now. There is a simple way to think about audit value: what does it cost to find a critical vulnerability? We looked at the actual data on what it costs to find critical bugs in crypto, and the numbers are not surprising. Finding a critical vulnerability in an audit competition costs $6,548 on average. The exact same severity bug through a bug bounty program costs $114,000. That is 17x more expensive for the same result. Now look at the traditional audit model. Some top firms charge $100 per line of code. Others charge as high as $25,000 per auditor per week. A single engagement can easily run $200k to $500k+, and you are getting maybe 2 to 4 people looking at your code. But cost per critical is not even the most interesting part. The interesting part is the structure of who is looking at your code. When you hire a firm, you get 2 to 4 auditors. Maybe they are great. Maybe one of them is having a bad week. You are making a concentrated bet on a small number of people. An audit competition attracts hundreds of security researchers. These are some of the best hackers, people who have found real vulnerabilities in major protocols. These hundreds of researchers are now armed with AI tools. They understand codebases faster. They write PoCs faster. They find bugs that would have taken DAYS in just hours. Think about what that means. You are not just getting hundreds of humans. You are getting hundreds of AI-augmented humans, each running their own workflow, each with their own intuition about where bugs hide. The scaling dynamics are extraordinary. The firms moving away from competitions are optimizing for predictable revenue, not for their clients' best outcomes. That is understandable from a business perspective. But if you are a project choosing where to spend your security budget, you should optimize for bugs found per dollar spent. Audit competitions now also have scaling pots. The prize pool grows with the scope of the codebase. This aligns incentives in a way that fixed-fee engagements never can. But what about AI spam, low-quality submissions, and the time it takes to triage all of those submissions? Immunefi is addressing these with mechanisms like pay-to-submit, managed triage, and AI triaging agents, which are already showing very strong promise. The best security strategy is not either/or. But if you have a limited budget and you want the most eyes, the most diverse skill sets, and the best cost-per-finding ratio, audit competitions are still the obvious choice.
noct retweeted
0xasen@asen_sec·
If you're new to web3 security and feel like you showed up to a party that ended: You didn't. You showed up for the next one. See you at the front. 🫡
noct retweeted
Ehsan@Ehsan1579·
Just came across this, got tagged a while back but somehow only saw it now. Beautifully written man, and honestly it hit hard because it felt like I could’ve written half of it myself, especially the part about the beginning. Your journey mirrors mine in ways that are almost eerie. My first report was also a Low for $2,000, and I remember that exact feeling, staring at the “Confirmed” status like it wasn’t real. Looking back, I think that first payout is what flipped a switch in me. It stopped being about proving I could do it and became about maximizing every opportunity, squeezing every drop out of every target, refusing to leave anything on the table, finding new ways that others never thought of or considered to have a higher advantage to dominate. And yeah, you never really catch that first high again, you get way bigger bounties and still won’t feel it as much, but chasing it is half the fun. Congrats on everything you’ve built, and thanks for putting this into words. It’s great to see you at the top.
GrumpyLord@GrumpyLord36678·
Coming back to the "What's the biggest thing bug bounties gave you?" question: money aside, BB taught me the art of not giving up and the art of not giving a fuck. Hunting for bugs has been a spiritual journey more than anything else... If you are at the beginning of your journey, you probably see other people making it big. Making big dollars like @Ehsan1579. You sit there and ask yourself just "How". What do they have that I don't? As rejections roll out and your reports get closed one after the other, all you ever feel like doing is giving up. You might feel defeated, unsatisfied; all the small chatter in your head is telling you to give up… But your EGO won't let you. EGO isn't all bad, as society likes to condemn it. I'd go as far as to say that ego is the key ingredient in an industry as cut-throat as BB. In moments like these, your family, your friends and whoever you consider close will try to tell you that maybe it's just not for you. Solution? -> cut everyone. Don't let anyone get to you; put your head down, analyze what is going wrong, how to get better, and try new strategies. That's the only difference between the ones who make it and the ones who don't. Do not take "no" for an answer. If a project closes your report but you know you are right, make sure you are right and then ask for mediation with all the facts you have. You'd be surprised how many projects close valid in-scope issues. The same thing applies if they try to reduce the severity or pay you "peanuts" for what it's worth. I've been working in DeFi for years now, learning the ropes, building projects. All of them were a fluke until I tried Immunefi. I worked every waking minute for 8 months straight without any payout. Then… in September I got my first bug confirmed. A "Low" for $2000. I was ecstatic, I was excited. For literally 3 days, I was listening to music just staring at the "Confirmed" ticket.

You see, bug bounty is a bit like the casino; the difference is instead of betting money, you bet time (sometimes it does cost money too), and the payouts hit like a truck and you never quite expect it fully. It's like a drug. And like a drug, you want more of it and you soon become accustomed to a certain level ("the tolerance"). They say you always chase the first high, and it's very true for bug bounty as well. The months following, I was finally averaging at least 1 paid report per month. That was until January. I'll never forget it: I had 9 confirmed reports in a row. The "High" hit soooo strongly. But with every high comes a low. Doubts creep in, you start rationalizing it. You tell yourself "I just got lucky". The bug Immunefi posted on their page was from January. This cycle repeats endlessly. Turns out that February was an even better month for me. The thrill of the unknown and the unexpected is what makes it fun. I do not think I would be doing this if you took that out of the picture. It was a journey, a very difficult one I might add. But in the end, it was worth it. It built me into a stronger, more resilient person. It taught me patience. Reports being closed hurts. Probably one of the worst types of rejection out there. But at some point in time you get used to it and have to learn how to detach yourself from the emotions and trust the process. It's a numbers game after all. I am waiting for the leaderboard to update now (long due)! I'm curious to see if I finally made it into the top 100 whitehats of all time. (Currently sitting at $175k in earnings from 22 reports.) It's all just a matter of time after all (;
noct retweeted
Martin@ShieldifyMartin·
Starting as a new Web3 security researcher in 2026 is challenging. The market is tough for newcomers. Still, you can crush it. Your edge: obsession with delivering real results and value. If you use it right, you'll outgrow people with more experience. Here's what to do 👇
noct retweeted
Adrian ⛩️ Hetman 🐺 | 📓+🖋️+☕️
How to make the jump from Web2 hacking to Web3 hacking? This is the question I started getting over DMs, and I decided to answer all of them in the form of a Twitter thread so others can learn too. The knowledge will be compressed, so keep that in mind 🙃 Here we go! 🧵👇
noct retweeted
0xSlowbug 🥷@0xSlowbug·
Dear auditors, don't let the language scare you. It's the same logic. I've been working on different languages and they're very similar. Maybe it's time I try out Rust again, or maybe not.