Essential

1.2K posts

Essential

Essential

@only01Essential

Bug huntoor GoLang | Rust | Move | C++ | Solidity

analyzer Katılım Aralık 2022
96 Takip Edilen2.7K Takipçiler
quasar
quasar@quasar249·
finally top100 on immunefi
English
5
1
53
2.6K
Essential
Essential@only01Essential·
@LoopGhost007 @NibiruChain @alephium Crazy. @QuaiNetwork did the same to me lol. I found a bug were anyone could mint their native token, they fixed it then sent me $100 worth of their tokens. I was genuinely in shock. They've ignored all of my messages since then
English
1
0
5
468
LoopGhost
LoopGhost@LoopGhost007·
This is nothing compared to the way @-@alephium scammed me. They are world-class scammers. Never seen anything like this in my life. Reported a full permissionless bridge drain and they said it was low severity and paid 250$ and a chain halt bug that they fixed and then ignored my messages forever. Never replied back.
English
9
1
9
617
Essential
Essential@only01Essential·
Found a bug in @NibiruChain and they are posting me in a branch product. I found and reported a serious chain halt bug in nibiru, which they fixed, then they claimed it was a cosmos bug and thus not going to pay for it, I have never seen a more pathetic excuse than this: github.com/NibiruChain/ni…
Essential tweet media
Sai@SaiDotFun

Shoutout to @only01essential for being an active member in the Sai community. From finding bugs to helping strengthen the platform, your contributions don't go unnoticed!

English
9
3
65
10.3K
PseudoArtist
PseudoArtist@0xWeb3boy·
Yay 🙌 Another Medium Blockchain/DLT bug bounty got confirmed ✅ Onto the next one ✌🏻✌🏻
PseudoArtist tweet media
English
26
0
165
5.7K
Essential
Essential@only01Essential·
@NoahBiliamin @immunefi Reach out to immunefi support on zendesk or on discord and a team member will help you. And frankly speaking 9 days isn't a lot of time, depending on the severity of the bug, give the project more time, but alert immunefi
English
2
0
1
110
arkade ⚡
arkade ⚡@NoahBiliamin·
@only01Essential I don't know what to do. I submitted a big report on @immunefi about 9 days now it's been escalated but no response from the project as at 9 days now. Idk what to do. I'm kinda new to this 😭 Please help
English
1
0
4
102
dara
dara@dvrvsimi·
some context on why i asked this question, found a bug of high severity on @immunefi (around this time last month) that was closed because it was only in scope and not deployed, protocol was nice to demote to low and still reward cheers to more 🎉 (after my acc is unlocked 🥲🙏🏽)
dara tweet media
dara@dvrvsimi

question for my bosses @only01Essential @0x15_eth @lonelysloth_sec sometimes you find something tangible in the scoped assets but the bug doesn't exist on deployed source, how do you report such? 🙏🏽

English
5
0
41
3.3K
Essential
Essential@only01Essential·
I see. So you don't believe there was any time wasted there. Let me rephrase it this way then. Assuming you are contracted for a private audit were you are paid per unique confirmed valid bug. At the same time the client pays for security audits in other firms(unbeknownst to you). By the time you finished with your review all your bug report gets marked as already known and you are pointed to a report for an audit that just concluded. I guess you'll say thank you to the team after spending two weeks auditing their code?
English
3
0
5
124
Bluedragon 🇮🇳
Bluedragon 🇮🇳@shibi_kishore·
@only01Essential @adeolRxxxx @ProgrammerSmart @cantinasecurity Bruh i am a security researcher till now and participated in many contests and bug bounty before i know how SRs feel and experience. There is not an single point proving strong unfairness in this situation. Just telling time waste is not a strong point as i mentioned before.
English
2
0
0
104
Essential
Essential@only01Essential·
Given that you are on the other side of the fence it wouldn't make sense to you(or you'll just pretend it doesn't). Using your logic, as a project founder, I could start a conditional contest on sherlock then start another a week before the contest finalizes on cantina on the same commit. Then a week into the contest on cantina, mark all the findings from sherlock audit as out of scope. I guess this will make sense to you? Back then, maia dao, had a contest in sherlock and code4rena concurrently. This new rules are just here to frustrate security researchers, and you are here acting like it's a norm
English
1
0
4
118
Essential
Essential@only01Essential·
@dvrvsimi @0x15_eth @lonelysloth_sec When bug hunting, I will avoid any code that isn't live, since most projects value impact, if it isn't live yet, there's basically no impact
English
2
0
6
210
dara
dara@dvrvsimi·
question for my bosses @only01Essential @0x15_eth @lonelysloth_sec sometimes you find something tangible in the scoped assets but the bug doesn't exist on deployed source, how do you report such? 🙏🏽
English
4
0
14
5.5K
Essential
Essential@only01Essential·
@Qomolangma406 It seems you think it's all about the tool. I can list security researchers that have found a lot of live critical bugs with their own tools. The researcher mostly makes the model. A model could be garbage to one researcher and gold to another
English
1
0
5
314
Qomolangma
Qomolangma@Qomolangma406·
@only01Essential Only white hat security gurus have access to that AI tool used to find the bug. And it only became available May 28th.
English
1
0
0
359
Essential
Essential@only01Essential·
I wonder why people are posting so much about Claude finding the critical ZCash bug as if it’s a big deal. HyperBridge got hacked, then launched a program on HackenProof and paid out about $120k within its first week or two for a ton of critical and high-severity bugs. My point is, I don’t believe the bug was hidden in plain sight; security researchers simply weren’t incentivized. Notice that the bug only came out after they ran a bug bounty program, attracted a lot of talent, and then closed the program. I would wager that the bug would have been found on the very first day on @HackenProof or @immunefi if they had launched a program, especially during this AI-assisted audit period we’re in. If an AI model found it, anyone with a subscription could have found it too. A formal bug bounty program really helps, I hope projects learn from this and launch a bbp on any of this big platforms. And note, for web3, launching on bugcrowd if it isn't just the web2 aspect you are as good as not having a program(talking from experience)
English
8
1
114
4.4K
Essential
Essential@only01Essential·
@0x15_eth So true, same reason I do just dlt audits too. It's impossible for teams to rigorously audit every aspects during their normal audit runs
English
2
0
18
657
0x15.eth
0x15.eth@0x15_eth·
For those asking why I focus more on blockchain projects/DLT than smart contracts, it’s simply opportunity cost and attack surface. Blockchain projects are usually much larger and more complex than smart contracts. They have more moving parts, more interactions, and more room for mistakes as (particularly cos devs are constantly introducing new code changes) The probability of finding a critical bug in a complex blockchain codebase is often higher than in a typical smart contract. Many blockchain projects also don’t audit their entire stack. Audits may cover specific components, while large parts of the infrastructure remain less scrutinized. More complexity. More attack surface. More opportunities to find impactful bugs. It’s simply a strategy.
English
10
8
200
5.5K
Essential
Essential@only01Essential·
@mamunwhh @cantinasecurity In my case they reached out via a comment in the submission to send them an address so they can process my reward. I think you should wait. Give them more days or properly reach out to cantina for help. X isn't the right medium for this
English
0
0
0
100