gh0xt
@Taridoku

258 posts

Web3 Security Researcher | Hacking solidity | Intern @burraSec GitHub: https://t.co/aLTo0sY3UD

Joined March 2024
267 Following, 270 Followers
frs.eth 🦇🔊 @0xfrsmln
Alhamdulillah, first time auditing Cosmos SDK and Go in general. Becoming more sure of the statement: security is a mindset, and language-agnostic. Thanks for the opportunity! @code4rena
[image]
Owen Lee 🦀 @0xenzo_eth
me 4 months ago: "i know web3 security" 🔐 me now: *stares at a smart contract like it's hieroglyphics* 👀 went MIA. forgot everything. embarrassed. back anyway. 😭🔥 comeback arc starts TODAY. 🧵⬇️ #Web3Security #BuildingInPublic
gh0xt @Taridoku
@shafu0x It’s sad, but defi WILL survive
shafu @shafu0x
defi gets hacked every single day and nobody even cares anymore
LonelySloth @lonelysloth_sec
@moo9000 Identified (by Claude?) on April 28th. Misattributed (by Claude?) on April 28th. Posted (by Claude?) on April 28th. Peak clown world. 🤡🤡🤡🤡🤡🤡🤡🤡🤡🤡
LonelySloth @lonelysloth_sec
"Coded" by Claude on Feb 1st. "Audited" by Claude on Feb 2nd. "Fixed" by Claude on Feb 3rd. Deployed to mainnet (by Claude?) on March 19th. Funded on April 24th. Rekt (by Claude?) on April 28th. Welcome to the future. 🤡🤡🤡🤡🤡🤡🤡
PeckShield Inc. @peckshield

It seems a @tradingprotocol vault, i.e. YieldCore-3rd-deal, was exploited with a $398k loss. There is a missing check on caller authorization, which was exploited to drain all funds from the vault. Here is the related tx: etherscan.io/tx/0x6b04344d5…

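The PeckShield summary quoted above names the bug class (a fund-moving vault function with no check on who is calling it) but shows no code. What follows is an added, generic illustration of that class, written for this page; it is not the @tradingprotocol contract, not PeckShield's code, and not a reconstruction of the actual exploit. The contract and function names (`DealVault`, `executeDeal`, `manager`, `setManager`) are hypothetical. The vulnerable version is placed beside a hardened one so the difference is a single missing condition on `msg.sender`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration of "missing caller authorization" in a vault. All names are
// hypothetical; this is NOT the exploited contract or the incident's code.

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function balanceOf(address who) external view returns (uint256);
}

/// Vulnerable: executeDeal is meant for the manager only, but nothing enforces it.
/// Any address can call it and send the vault's entire balance to itself.
contract VulnerableDealVault {
    IERC20 public immutable asset;
    address public manager;

    constructor(IERC20 _asset, address _manager) {
        asset = _asset;
        manager = _manager;
    }

    // BUG: msg.sender is never compared to manager. This is the whole vulnerability.
    function executeDeal(address counterparty, uint256 amount) external {
        require(asset.transfer(counterparty, amount), "transfer failed");
    }
}

/// Hardened: the same action gated on msg.sender, plus a gated manager handover.
contract HardenedDealVault {
    IERC20 public immutable asset;
    address public manager;

    event ManagerChanged(address indexed previous, address indexed current);
    event DealExecuted(address indexed counterparty, uint256 amount);

    error NotManager(address caller);

    modifier onlyManager() {
        // Compare msg.sender, not tx.origin: a tx.origin check can be bypassed by
        // tricking the manager EOA into calling an attacker-controlled contract.
        if (msg.sender != manager) revert NotManager(msg.sender);
        _;
    }

    constructor(IERC20 _asset, address _manager) {
        require(_manager != address(0), "zero manager");
        asset = _asset;
        manager = _manager;
    }

    // Only the manager can move funds out of the vault.
    function executeDeal(address counterparty, uint256 amount) external onlyManager {
        require(counterparty != address(0), "zero counterparty");
        require(asset.transfer(counterparty, amount), "transfer failed");
        emit DealExecuted(counterparty, amount);
    }

    // The privilege handover must itself be privileged, otherwise the check on
    // executeDeal is moot: an attacker would just make themselves manager first.
    function setManager(address newManager) external onlyManager {
        require(newManager != address(0), "zero manager");
        emit ManagerChanged(manager, newManager);
        manager = newManager;
    }
}
```

The review check this example encodes: list every `external`/`public` function that transfers assets or changes a privileged address, and confirm each one reverts for an arbitrary caller (in a Foundry test, `vm.prank(attacker)` followed by `vm.expectRevert`). A check that exists but is wrong belongs to the same class: `tx.origin` instead of `msg.sender`, a role that is checked but never assigned, or a setter for the privileged address that is itself unprotected.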
Keyword 💙🛠️ @xKeywordx
The conclusion is that DeFi was never truly secure; it was a matter of coverage. We (whitehats) didn't have the capacity to scan all the protocols. We merely look at public competitive audits and protocols that run BB programs, but we do not look at any other protocol. I think Agents are running around the chain 24/7 now, analyzing every smart contract. The Agent finds a potential vuln, validates it, and then probably does the exploit autonomously. I cannot recall any other time when we had 30 days straight with a new exploit every day, either due to smart contract bugs or private keys being compromised. This is crazy.
chrisdior @chrisdior777

One of the toughest months Web3 has faced. April 2026: • 30+ security incidents • ~$630m drained. This chart shows the hacked projects, estimated losses, and the cause behind each incident.

ParlayIt @ParlayItGG
BETA STARTING NOW! Reply to be among the first to get access
[image]
playboi.eth @adeolRxxxx
We just love to dish out excuses so we feel good about situations. The same AI slop we blame is the same these mfers use to do 3 fucking solid exploits in a day. Bro, it's a skill issue and would forever be. There is still one hacker there saying AI can't find bugs, but this same tool is used to speed up hacks every single day. We are still blinded by off-chain reports and contests. When we're ready for the real deal, we'd move onchain.
gh0xt @Taridoku

@adeolRxxxx @AftermathFi Secondly, even those that do have bounties, bad experiences on bounties keep screaming at everyone; plus, because of AI slop, the barrier to entry has been raised. So not a lot of people are looking.

gh0xt @Taridoku
@adeolRxxxx @AftermathFi Yeah, but it can reduce your chances though. I'm just saying it's not that straightforward; a lot of things to consider.
playboi.eth @adeolRxxxx
Another hack @AftermathFi. It's been raining. $1.4m gone. I think I have to finally say it: we white hats are not in a ready position to fight against blackhats on chain. We are so bound and limited to contests and bug bounties that our scope is dependent on these. Maybe when we see beyond ourselves, we'd be a ready match for blackhats. Those mfers are active on blocks; we are there fighting for a report to be escalated in our favor. This is becoming sad. WE CANNOT WIN, OUR TRAINING MODEL IS FLAWED.
[image]
gh0xt @Taridoku
@adeolRxxxx @AftermathFi I think it's more nuanced than that. Some of the guys getting hacked don't have bug bounties, so many SRs won't see them. Not faulting SRs, because under bug bounty programs you have to deal with not getting paid for your work; now imagine not having a mediator.
pashov @pashov
I'm a multi-millionaire (liquid) tech CEO, who has an exotic car collection (yes, Lambo included). I was in China earlier this month. Visited Hong Kong, Shenzhen, Guangzhou and Macau. AMA
Aztec @aztecnetwork
gAztec!
[GIF]
Abubakar Tanko @maigadohcrypto
Honestly, it's a very big mistake for a protocol not to do an audit competition. I will always advise competition over any private or co-audits. You can never compare the huge number of eyes, experts and beginners, AI and normal brains, and free lows you can get and patch before you move to the next phase. Audit competition (contest) is really underrated now.
Immunefi @immunefi

Most security firms are quietly moving away from audit competitions. This is one of the biggest mistakes happening in crypto security right now. There is a simple way to think about audit value: what does it cost to find a critical vulnerability? We looked at the actual data on what it costs to find critical bugs in crypto, and the numbers are not surprising. Finding a critical vulnerability in an audit competition costs $6,548 on average. The exact same severity bug through a bug bounty program costs $114,000. That is 17x more expensive for the same result. Now look at the traditional audit model. Some top firms charge $100 per line of code. Others charge as high as $25,000 per auditor per week. A single engagement can easily run $200k to $500k+, and you are getting maybe 2 to 4 people looking at your code. But cost per critical is not even the most interesting part. The interesting part is the structure of who is looking at your code. When you hire a firm, you get 2 to 4 auditors. Maybe they are great. Maybe one of them is having a bad week. You are making a concentrated bet on a small number of people. An audit competition attracts hundreds of security researchers. These are some of the best hackers, people who have found real vulnerabilities in major protocols. These hundreds of researchers are now armed with AI tools. They understand codebases faster. They write PoCs faster. They find bugs that would have taken DAYS in just hours. Think about what that means. You are not just getting hundreds of humans. You are getting hundreds of AI-augmented humans, each running their own workflow, each with their own intuition about where bugs hide. The scaling dynamics are extraordinary. The firms moving away from competitions are optimizing for predictable revenue, not for their clients’ best outcomes. That is understandable from a business perspective. 
But if you are a project choosing where to spend your security budget, you should optimize for bugs found per dollar spent. Audit competitions now also have scaling pots. The prize pool grows with the scope of the codebase. This aligns incentives in a way that fixed-fee engagements never can. But what about AI spam, low-quality submissions, and the time it takes to triage all of those submissions? Immunefi is addressing these with mechanisms like pay-to-submit, managed triage, and AI triaging agents, which are already showing very strong promise. The best security strategy is not either/or. But if you have a limited budget and you want the most eyes, the most diverse skill sets, and the best cost per finding ratio, audit competitions are still the obvious choice.

Pelz 🕵🏾‍♂️ @Pelz_Dev
Happy to announce that I came top 4 amongst 1000+ researchers. Can't lie, this was a tough contest on @sherlockdefi and a lot of battles had to be won, but above all I'm glad I came out on top. More wins incoming!!! Expect a lot more from me this year. I'm all in.
[image]
gh0xt @Taridoku
@cvetanovv0 Still, and I’ll keep being here!
Dimitar Tsvetanov @cvetanovv0
Although it’s a bit harder for beginners to break into Web3 security these days, I actually think it’s easier to learn now. When I started a few years ago, there wasn’t much information out there. Now, there’s a lot more, and it’s much better organized. It all depends on you and your desire to become a security researcher. If you work hard and keep going, you’ll make it as a security researcher.
Ciara Nightingale @CiaraNightingal
I’ve been off cooking something and it’s finally here: THE ULTIMATE AZTEC SMART CONTRACT COURSE 🩷🔐 Now live on YouTube (link at the end of the thread)👇
[image]
CharlesWang @0xCharlesWang
I will do everything in my power to make defi great by improving security on all different fronts (focused on smart contracts however)