eren
@notereneth

1.5K posts
21 • Main account: @0xpessimist • prev https://t.co/niEOwHFqbb • prev writer @CoinDeskTurkiye • helping builders on @build_chain

Joined August 2020
1.7K Following, 1.1K Followers
eren reposted
pessimist@0xpessimist·
We owe you a lot. If it weren't for Code4rena, I probably wouldn't have become interested in web3 security; might not even have realized such a field existed at all. Being such a great pioneer, thank you sincerely for the immeasurable contributions Code4rena has made to web3 and for all the people it has onboarded into the space over the years.
Code4rena@code4rena

After careful consideration, we’ve made the decision to wind down @code4rena. This community has meant a great deal to everyone who has been part of building it, and sharing this news is not easy.

eren reposted
pessimist@0xpessimist·
If what they spent $20k on is just a null-pointer dereference bug, then they must have done something incredibly wrong -- because I found the exact same type of bug with around $7 of spending using Claude Opus 4.6. That $7 includes not only detection, but also creating a PoC draft and asking all the questions I needed. And the bug I found was in a real, widely used (kinda lol) cryptography library, affecting multiple companies' products. Unlike what Anthropic seems to have found, mine can provably crash the related session and create a repeatable DoS at zero cost. "Mine" might not be the most accurate wording actually, it's more like Opus's, or ours, you get what I mean :D If we're going to calculate the value created by correlating it with the results, then instead of throwing $20k at the machine, you could get the same, or possibly better, result by having me spend $7 with Opus. It shouldn't be that hard to see that it's mostly humans that scale LLMs' capabilities.
Ananay@ananayarora

Marcus Hutchins, the guy famous for stopping the WannaCry Ransomware, probably has the best take on Mythos doing vulnerability research

eren reposted
Marco Hextor@marcohextor·
A little lesson they'd rather you never learn. If a project lowballs you on their bug bounty hard enough (say, offering you less for a Critical than what their own Medium tier pays) they may be in material breach of their own terms. And if they're in breach, your confidentiality obligations may no longer bind you. Before you publish: give them written notice, state the breach, and a reasonable deadline to fix it. That's not a courtesy, that's procedure. Don't accept being underpaid and gagged at the same time. Platforms can punish you in-platform, but that's your choice to make. Defend your honour.
Martin Marchev@MartinMarchev

It's the bug bounty lowball season again. You find a bug, they find a lunch coupon.

eren reposted
pessimist@0xpessimist·
If the process regarding my three pending bug reports ends badly, I may take a break from bug bounty work -- either until the bull market starts to come back or until the number of AI spammers decreases and project teams start to act more ok towards bug bounty hunters again. This is something I do in my spare time and the treatment I've recently experienced suggests it may not be worth it (at least around these times). I hope my unresolved reports are ultimately handled fairly so that I won't feel the need to take such a break. It's heartbreaking to see that every bug bounty hunter goes through this rn. I'd also like to thank the project teams who consistently remain professional, respect bug bounty hunters and their work, and care about timelines -- simply for doing what should be normal.
DadeKuma@DadeKuma

Inspired by ily2, I temporarily paused private audits to focus fully on bug bounties a month ago. My results so far: - Submitted 4 High + 1 Critical. All valid, 100% signal. - 2/5 were duplicates. Zero payout. - 2/5 were closed as "Informative". The reasons: - "We already know and are OK with it." No fix, no payment. - The other one was a straight-up scam lmao. Fixed with no pay; reasoning was "behavior is considered by design." I can't say much, but it would've resulted in a permanent protocol DoS and locked funds. - 1/5 Critical passed triage, pending review... I'm going to keep grinding for a while.

eren reposted
pessimist@0xpessimist·
As I observe the growing use of AI on both the development and security sides -- and therefore the increasing density of low-quality commits or updates -- I become more convinced that if we had liquidity that was truly decentralized at the level of DeFi Summer, we would all have gotten rekt. What's "protecting" things right now is the centralized and mutable nature of projects. But if you accept that this is how it should be, then you are part of the problem in this industry. Ever since we started treating centralization not as a risk but as a design choice, we've been on the wrong path.
eren reposted
pessimist@0xpessimist·
Since this rant is a roller-coaster of topics, I will divide it into four sections.

1-) How do the best bug bounty hunters deal with problematic project teams? Spoiler: they are mortals like us and can't magically fix anything. I think that by listening to/chatting with the best bug bounty hunters, I've understood their strategy: just keep hunting. From the start, they choose the target mindfully. Hunt on bigger targets (in terms of TVL and bounty size; read this amazing article by @WhiteHatMage on this: whitehatmage.github.io/posts/bug-hunt…), but even then they don't assume that the process will go smoothly, and they focus on finding new vulnerabilities on a different target while their existing reports are being (not) resolved. They try to create as many opportunities as possible so that some bad-faith actors won't totally stall them. However, this doesn't mean they don't care about unresolved reports. On the contrary, they behave very professionally in messaging channels and do not let go of a project that tries to avoid paying. This is their full-time job, and they want to get paid.

2-) Why does this suck? Unfortunately, the above situation shows how inclined we are to create more black hats than white hats, because there are only two scenarios that can create the incredible level of devotion I mentioned above:
* You received one large payout, and because of that, no matter how many bad experiences you have, your belief that another large payout will come never fades.
* You have an incredibly strong attraction to feeling like a hero and doing what is ethically right.
Note: Many people do bug hunting *occasionally* (like myself), and the situation is completely different in that case. These two scenarios are related to creating devoted full-time bug bounty hunters. If we don't have established standards and legal enforcement (aka incentives), we will remain limited to creating only a ridiculously small number of consistent elite bug bounty hunters. We shouldn't wait for every project to get hacked for them to get incentivized to allocate more resources to security.

3-) Market actual security, not your newest product. Products/services will change over time -- sometimes it will be AI, sometimes audit competitions -- but the need for security will never disappear. What we need to show project teams is not just which fancy tool to use to achieve security, but that they genuinely need a "security-first" mindset. Security is not achieved through a single best product, but rather by getting various services. Instead of only launching a large bug bounty or only paying for one expensive audit, distributing the budget across both will produce a much better outcome. It feels like, instead of sharing the pie wisely, we are allowing most of it to be captured by the newest trend. Nothing done with a "let's not miss the boat" mentality is truly innovation. There will be some successful products/services, but most of them will be forgotten, sunset, or forced to evolve.

4-) Not all founders have been reading @RektHQ for years like we have. Maybe you don't think much about it, but it is also important to realize that not all project teams have the same level of maturity. They just don't really think they need to allocate much to security. We need to teach some VCs that security is an actual thing and not a fucking marketing tool. You wouldn't believe how often I've heard bug bounty hunters say about major projects that "X project's codebase is terrible / is a mess." Do you think the developers, founders, and VCs of those projects are even aware that this is the case?
kaden.eth@0xKaden

seeing all the horror stories on here about bug bounties, and having lived some myself, i don't think i can see myself ever bounty hunting again. we desperately need to radically rethink the incentives here

eren@notereneth·
I'd appreciate it if you followed my main account: @0xpessimist. I've noticed that some people who know me from BuildChain (fka: scdevstr) think I still share my blockchain-related work here. 😁
eren reposted
SOCI4L@soci4lnet·
Meet SOCI4L. SOCI4L turns your wallet into a measurable public profile, showcasing your on-chain assets, adding your links, and tracking real engagement, all in one controlled public identity. A wallet shouldn’t be a black box.
eren reposted
pessimist@0xpessimist·
I don't care how many "crits" your AI tool found if you don't provide:
* how many dollars at risk were actually saved
* which chain(s) the affected contracts are deployed on
* whether those contracts are still active
* whether this resulted in a bounty or a white hat operation
Thank you.
eren@notereneth·
I once helped someone from the blockchain club who wanted to translate Vitalik's posts. No translation was published afterward.
eren@notereneth·
Those browsing old posts on Buildchain in particular may come across this link, so I'm sharing the updated URL: vitalik.eth.limo/categories/tra… Unfortunately, the Turkish translations there are only mine. I don't know whether there is a need for this, but previously a university's ++
eren@notereneth

Greetings, I translated @VitalikButerin's blog post "Bir Proof of Stake Tasarım Felsefesi" ("A Proof of Stake Design Philosophy"), an old one but one that I think reflects PoS quite well, into Turkish. Now that the Turkish category has been opened, I look forward to your translation contributions too! vitalik.ca/general/2016/1…

eren reposted
pessimist@0xpessimist·
I decided to change my Satoru Gojo profile picture that had been there for a long time. The reason is actually simple: JJK doesn't even make it into my top 10 favorite anime, so I didn't want it to keep being associated with my profile. It felt like a pfp I had put on randomly somehow got stuck to me. The designs made for my profile during Immunefi Island 2 were really nice, and I wanted to bring those memories back. Yes, there are two Gojos there - the blue one is @thel4stc0de, who is a much better bug hunter than me, and now (I hope) there's only one Gojo in the web3 security scene 😂. I now have a cute Pallas's cat (Manul) pfp. I'm bullish on whitehats with animal pfps. I don't think this will have any impact in terms of "my brand", because I've never really tried to use my profile as a brand. I already have three X accounts with a lot of followers; I'd probably use one of those if I tried to build a brand.
eren reposted
eren@notereneth·
A small reminder to follow my actively used account, @0xpessimist ✨☕️
eren@notereneth·
@0xerhant Congratulations! I wish you happiness :)
erhant@0xerhant·
it's mister and missus now :)
eren reposted
pessimist@0xpessimist·
Excited to share that I'm now part of @Hashlock_! I'll be spending more time on audits, so I might slow down a bit on bug bounties. Reaching my Immunefi All-Star goal could take a little longer - or maybe not. I'm still digging into a potential big finding. If it turns out to be valid, it's gonna be a story the whole space will want to hear :) I believe reviewing a wide range of codebases will definitely sharpen my bug hunting skills in the long run.
eren reposted
pessimist@0xpessimist·
We need to recognize that things like arbitration, a vault program, and an active support channel are not just features; they represent a stance. And I don’t know a single security researcher who doesn’t support that stance. We can debate how well these features are implemented and how effective they are, but I wish this was what we were discussing regarding all bounty platforms.
eren reposted
pessimist@0xpessimist·
Have you ever done any auditing on your phone before? (Ofc not a full audit 😂) OP: Yes, I even found multiple bugs!
eren reposted
pessimist@0xpessimist·
Do you think I should change my nickname / go through a rebranding? I've been considering it for a while because I'm concerned it might carry a negative connotation. The idea behind it actually comes from a mindset that's optimistic from a SR perspective but pessimistic from a dev or user point of view — the belief that "There's always one more bug". There's even an sc auditing company called Pessimistic Security (@pessimistic_io), as some of you may know, which I believe follows a conceptual approach similar to my nickname's.