Kit (@riproprip)
272 posts
Bio: I find bugs: Immunefi All-Time Top 30
Joined April 2015
1.6K Following, 727 Followers

Pinned Tweet
Kit (@riproprip):
Solana fixed the bug long ago ... The tech side went perfect:
- It was easy to get in touch
- 1 day to acknowledge the bug
- 3 days to fix in prod
Not so great:
- 5 weeks to get a payout number
- 12 months lockup
- no props
Overall: 7.5/10. I did disclose with them again.

Quoting Kit (@riproprip): Here goes nothing. Witness me fellow bountyhunt3rz :)

Kit (@riproprip):
Hashes for the Hashgod. Bounties for the brave. Fate pending. abcee4e2538c0cf76475b5e8b7c24963ce5ffdc18e88c123fa0f3aefe6e1620f

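The 64-hex-character value in the post above has the length of a SHA-256 digest. Publishing such a digest before a report is shared is a common way for a hunter to prove prior knowledge of a finding without revealing it: commit now, reveal the preimage once the bug is fixed or the bounty is settled. The block below is an added example of that commit-and-reveal scheme; it is not code from the post or from any project mentioned on this page. It assumes the posted value is such a commitment (the post does not say so), uses a constructed sample report, and the domain tag, nonce length prefix and function names are choices made here, not a standard.

```python
"""Hash commitment for a not-yet-public bug report (added example).

Commit: publish H(tag || len(nonce) || nonce || report) now.
Reveal: later disclose nonce + report; anyone can recompute the digest
and check it equals the value published earlier.
"""
import hashlib
import secrets
from typing import Optional, Tuple

# Domain tag (chosen here, not a standard) keeps these digests distinct
# from a plain sha256(report) of the same bytes, so a commitment cannot
# be mistaken for an ordinary file hash.
TAG = b"bugreport-commitment-v1"


def _digest(nonce: bytes, report: bytes) -> str:
    # Length-prefixing the nonce removes any ambiguity about where the
    # nonce ends and the report begins.
    h = hashlib.sha256()
    h.update(TAG)
    h.update(len(nonce).to_bytes(2, "big"))
    h.update(nonce)
    h.update(report)
    return h.hexdigest()


def commit(report: bytes, nonce: Optional[bytes] = None) -> Tuple[str, bytes]:
    """Return (commitment_hex, nonce).

    The random nonce is what makes the commitment hiding: without it, a
    short or guessable report could be brute-forced from the public hash.
    """
    if nonce is None:
        nonce = secrets.token_bytes(32)
    if not 1 <= len(nonce) <= 0xFFFF:
        raise ValueError("nonce length must fit in the 2-byte prefix")
    return _digest(nonce, report), nonce


def verify(commitment_hex: str, nonce: bytes, report: bytes) -> bool:
    """Recompute the digest from the revealed (nonce, report) pair and
    compare it in constant time against the published commitment."""
    try:
        expected = bytes.fromhex(commitment_hex)
    except ValueError:
        return False
    if len(expected) != hashlib.sha256().digest_size:
        return False
    actual = bytes.fromhex(_digest(nonce, report))
    return secrets.compare_digest(actual, expected)


# Constructed sample report; not a real finding or a real project.
SAMPLE_REPORT = (
    b"Project: example-dex (hypothetical)\n"
    b"Summary: withdraw() does not check the caller's share balance\n"
    b"Impact: drain of pool reserves\n"
)


def demo() -> dict:
    """Commit to SAMPLE_REPORT, then show an honest reveal and two bad ones."""
    commitment, nonce = commit(SAMPLE_REPORT)
    tampered = SAMPLE_REPORT.replace(b"drain", b"minor loss")
    return {
        "commitment": commitment,
        "nonce_hex": nonce.hex(),
        "honest_reveal_ok": verify(commitment, nonce, SAMPLE_REPORT),
        "tampered_reveal_ok": verify(commitment, nonce, tampered),
        "wrong_nonce_ok": verify(commitment, b"\x00" * 32, SAMPLE_REPORT),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The hash alone proves nothing about timing; it is the public, dated post carrying it that does. Keep the nonce with the report, since losing it makes the commitment impossible to open.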
Kit (@riproprip):
@WhiteHatMage Since you were being reasonable I had no choice but to follow …

Kit (@riproprip):
@WhiteHatMage Yes. Fun fact: Certain europoors get even less 😂

Kit (@riproprip):
@0xriptide @AngleProtocol Congratz on finding a bug! Also: I am sorry for your loss. Weird how they still advertise a bbp on their homepage ...

riptide (@0xriptide):
when you submit a bug so good the protocol cancels its bug bounty @AngleProtocol

Pierre (@pldespaigne):
Working on a small but super useful feature @immunefi

Kit (@riproprip):
@lonelysloth_sec @bytes032 Re the undercutting/not paying: Still think preventing this is the main feature hunters should care about when selecting a bbp platform. Whomever solves this wins.

Kit (@riproprip):
@lonelysloth_sec @bytes032 Agree: Alignment does not come for free! My claim is that bughunters are aligned with projects when they report. By starting a bbp a project gains an advantage. Keeping the advantage is another matter … but it's hard to value what you don't get. Hence me blabbing about it.

@bytes032.xyz (@bytes032):
What do you believe about web3 security that most would disagree with?

Kit (@riproprip):
@bytes032 @r0bre Imho the relationship between reputational damage and auditor income is not very direct. There is also a difference between being positively aligned by default vs being negatively aligned by choice: Why not team up with everybody vs picking just a few to maybe suffer with?

Kit (@riproprip):
@bytes032 We only get paid if and when we find a live actionable bug. Sometimes not even then. The input to payment relationship between projects and other security providers is a bit more lossy imho.

Kit (@riproprip):
@WhiteHatMage Not wise. You and others helped me! Thanks for opening my eyes to my unusual bug hunting history. Before chatting with you I just assumed everybody would deliver like @raydiumprotocol. Turns out they are what every bughunter should hope for. Absolute professionals.

Kit (@riproprip):
Here goes nothing. Witness me fellow bountyhunt3rz :)

Kit (@riproprip):
(image-only post, no text)

Kit (@riproprip):
5 weeks and 4 days to get a payout number. Meanwhile I had to do the trustfall and submit another POC to the same project. NGL to you. The wait wasn't easy. But hey: All is well that ends well. Thx to everyone that kept me from going insane due to heisenbergian payout angst!

Kit (@riproprip):
@LanceAddison17 @PatrickAlphaC Why am I rambling on this while the ecosystem at large has provided plenty for me? 1) Stayed too long in the sun 2) I worry that "assuming the people smart enough to find the bugs are also wise enough to choose cooperation" is not a sufficient survival strategy. I'm out. GL+HF

Kit (@riproprip):
@LanceAddison17 @PatrickAlphaC … the perfect last response that will finally convince them to kill the bug. I have no idea why I am doing this other than that my brain is irked by knowing that vuln is still live. Pretty sure I won't get paid even if they fix due to [redacted, maybe ok reasons].

Patrick Collins (@PatrickAlphaC):
I spoke to a Solana project (Cyfrin does Solana work now!) about their codebase, and we asked them why they kept a piece of their codebase out of scope for an audit. Their answer: "We plan to keep it closed sourced so the security needs are less."
1. Without a security review, you're just delaying the hackers to break down your project and find holes. Relying on obscurity should never be your entire security plan!
2. It seems this is a trend across Solana projects. This needs to change!
Also closed-source contracts have issues regardless, but that's for another day…