usmann

1.5K posts

@usmannk

a bit confused | Head of Protocol @Plasma 🕊️

Joined November 2010
686 Following · 4K Followers
usmann
usmann@usmannk·
@DeepDishEnjoyer assume a wealth-insensitive buyer is selling front, buying back. presumably has to roll (selling enough to close the spread seems incompatible with delivering..). so next thing would be to sell 2nd month and buy 1st/3rd. why CLN though? july/4th month seems far here
English
0
0
0
210
usmann
usmann@usmannk·
@WhiteHatMage heimdall over dedaub for real? i haven't used heimdall since early days, so i'm very behind on it
English
1
0
1
293
WhiteHatMage
WhiteHatMage@WhiteHatMage·
Here are some thoughts after spending many long sessions reading bytecode, decompiled Yul, and decompiled Solidity:
- EVM programs are simple, and so is the generated bytecode. Security by obscurity doesn't really work.
- Current decompilers work quite well. I'd pick Heimdall for Solidity and sevm for Yul.
- Decompilers aren't perfect, though. I also ran into bugs that produced incorrect outputs.
- Reading decompiled code or raw bytecode takes far more effort than high-level source code, and it gets exhausting quickly.
- There are many unnecessary checks and conversions that could be stripped out to make the logic clearer when hunting for business logic bugs.
---
- Most serious projects verify their contracts. Still, I believe checking the deployed bytecode is worth the effort for contracts holding really big bags.
- Any bugs in verified contracts would most likely only come from compiler issues.
- Compilers keep evolving, and newer versions may fix previously unknown bugs. However, any vulnerable bytecode that's already deployed on the blockchain stays exactly the same.
- For older contracts, I'd cross-check their deployed bytecode against the verified source code.
---
- There are still plenty of unverified contracts out there.
- Some publish their code on GitHub. Others choose not to, like certain CEX-related contracts.
- The rest tend to be on small side-chains or from smaller projects. Most of them don't offer any bug bounties.
---
- Detecting flawed access control is trivial once you decompile the bytecode.
- I believe you could build a robust static analyzer on top of the decompiled code without much effort -- or even an AI-powered one.
- There are no strong incentives for good actors to do so, though. Projects with bounties mostly have verified code. Only blackhats would be motivated to build such tools.
- Building something like this could be a good candidate for a grant to secure a chain, although operating it might be complicated.
---
- Vyper produces much cleaner bytecode than Solidity.
---
Overall, I learned some tricks even though it wasn't the first time I've analyzed decompiled code, and I gained a deeper understanding of where certain specific bugs might appear. I'd recommend it to everyone interested in understanding EVM programs better. I'd also advise developers working on projects with millions at stake to do a manual review of their old deployed codebases. There's always more than meets the eye when checking the actual bytecode.
WhiteHatMage@WhiteHatMage

I'll take a week to perform an interesting and probably stupid experiment: Hunting for live EVM bugs by checking the deployed bytecode. I'm allowing myself to cheat a little bit by checking the verified code to quickly understand what's going on. I'll also use a Yul decompiler for complex contracts and try a disassembler for simpler ones. There are critical contracts out there holding really big bags that are worth the effort. My main goal though is just to understand what's going on under the hood, and maybe get some inspiration for any potential unknown vectors. Also for understanding what's needed to get a clean input for any automated tools to perform further analysis. I don't expect to find any bugs honestly. It will be painful, but fun at the same time. I just love having the freedom to navigate any crazy paths I choose 🧙‍♂️

English
7
6
94
9.2K
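The cross-check WhiteHatMage recommends (deployed bytecode versus the verified source) is complicated by the metadata trailer Solidity appends to runtime code: it carries a hash of the source metadata and changes whenever comments, file paths or compiler settings change, even when the executable code is identical. The Python below is an added example, not code from WhiteHatMage or from any decompiler or verification project. It strips that trailer (a CBOR map followed by a 2-byte big-endian length), decodes the solc version recorded in it, and classifies two runtime bytecodes as a full match, a partial match (same code, different metadata) or a mismatch of the executable code. The stub bytecode and IPFS digests are constructed for the example, and `split_metadata`, `decode_metadata` and `compare_runtime` are names of this example only.

```python
"""Added example: compare EVM runtime bytecode ignoring Solidity's metadata trailer."""
from __future__ import annotations


def split_metadata(runtime: bytes) -> tuple[bytes, bytes]:
    """Return (code, cbor_metadata).

    Solidity appends a CBOR-encoded map followed by a 2-byte big-endian length of
    that map. If the trailer does not parse (wrong length, not a CBOR map) the
    whole input is treated as code with no metadata, so nothing is silently lost.
    """
    if len(runtime) < 2:
        return runtime, b""
    n = int.from_bytes(runtime[-2:], "big")
    if n == 0 or n + 2 > len(runtime):
        return runtime, b""
    meta = runtime[-(n + 2):-2]
    if not meta or meta[0] >> 5 != 5:  # CBOR major type 5 == map
        return runtime, b""
    return runtime[:-(n + 2)], meta


def _cbor(buf: bytes, i: int):
    """Minimal CBOR decoder for what solc emits: byte strings, text strings,
    maps, and the true/false simple values (used by the 'experimental' flag)."""
    major, info = buf[i] >> 5, buf[i] & 0x1F
    i += 1
    if major == 7:
        if info in (20, 21):
            return info == 21, i
        raise ValueError("unsupported CBOR simple value")
    if info < 24:
        n = info
    elif info == 24:
        n, i = buf[i], i + 1
    elif info == 25:
        n, i = int.from_bytes(buf[i:i + 2], "big"), i + 2
    else:
        raise ValueError("unsupported CBOR length encoding")
    if major == 2:
        return bytes(buf[i:i + n]), i + n
    if major == 3:
        return buf[i:i + n].decode("utf-8"), i + n
    if major == 5:
        out = {}
        for _ in range(n):
            k, i = _cbor(buf, i)
            v, i = _cbor(buf, i)
            out[k] = v
        return out, i
    raise ValueError(f"unsupported CBOR major type {major}")


def decode_metadata(meta: bytes) -> dict:
    """Decode the metadata map; the 'solc' entry is 3 raw bytes major.minor.patch."""
    obj, end = _cbor(meta, 0)
    if end != len(meta) or not isinstance(obj, dict):
        raise ValueError("trailing bytes or non-map metadata")
    if isinstance(obj.get("solc"), bytes) and len(obj["solc"]) == 3:
        obj["solc"] = ".".join(str(b) for b in obj["solc"])
    return obj


def compare_runtime(deployed_hex: str, compiled_hex: str) -> str:
    """'full'     = byte-identical;
    'partial'  = identical once metadata is stripped (same executable code,
                 different source metadata hash, e.g. comments or paths changed);
    'mismatch' = the executable code itself differs and needs a closer look."""
    d = bytes.fromhex(deployed_hex.removeprefix("0x"))
    c = bytes.fromhex(compiled_hex.removeprefix("0x"))
    if d == c:
        return "full"
    return "partial" if split_metadata(d)[0] == split_metadata(c)[0] else "mismatch"


# ---- constructed sample input (not real deployed contracts) ----------------
def _sample_runtime(ipfs_digest: bytes, code: bytes) -> bytes:
    """Append a solc-style trailer: {"ipfs": <34-byte multihash>, "solc": 0.8.6}."""
    meta = (b"\xa2"                                   # map of 2 entries
            + b"\x64ipfs" + b"\x58\x22" + b"\x12\x20" + ipfs_digest
            + b"\x64solc" + b"\x43\x00\x08\x06")
    return code + meta + len(meta).to_bytes(2, "big")


CODE = bytes.fromhex("6080604052348015600f57600080fd5b50")        # stub prologue
DEPLOYED = _sample_runtime(bytes(range(32)), CODE).hex()
RECOMPILED = _sample_runtime(bytes(range(32, 64)), CODE).hex()    # only metadata differs
TAMPERED = _sample_runtime(bytes(range(32)), CODE[:-1] + b"\x00").hex()  # code differs

if __name__ == "__main__":
    print(compare_runtime(DEPLOYED, RECOMPILED))   # partial
    print(compare_runtime(DEPLOYED, TAMPERED))     # mismatch
    print(decode_metadata(split_metadata(bytes.fromhex(DEPLOYED))[1]))
```

In practice the compiled side comes from rebuilding the verified source with the solc version the metadata names and the same optimizer settings; immutable slots and linked library addresses also differ between raw compiler output and deployed code and have to be masked before the comparison means anything. A "partial" result is the normal outcome for an honest re-verification, while "mismatch" is the case worth spending decompiler time on.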
usmann
usmann@usmannk·
@noampomsky ty burger oracle icymi don't forget ABV
English
1
0
1
1.1K
Ava
Ava@noampomsky·
@usmannk I did, it’s not as good
English
1
0
22
8.2K
tincho 🪷
tincho 🪷@tinchoabbate·
@Zodomo yes of course, thanks! I should have mentioned I'm looking for sth web based. Like a quick and dirty version of Tenderly.
English
1
0
1
126
tincho 🪷
tincho 🪷@tinchoabbate·
any open source Ethereum transaction tracer?
English
4
0
16
3.1K
Smacaud
Smacaud@Smacaud1·
@storming0x Maybe the attacker was just lucky on this one; might have spent a lot on tokens on false positives
English
1
0
2
143
usmann
usmann@usmannk·
@storming0x completely vanilla amp also oneshotted it, prompt in img
usmann tweet mediausmann tweet media
English
1
0
5
851
usmann
usmann@usmannk·
@Andrew_Semenza @FangYi11101 i think you're right that it has become substantially more well known over this time period. in fact i bet we would both be surprised by how much stuff fits in this category. impression is lots happened since 2010 in this regard
English
0
0
1
23
Andy Semenza
Andy Semenza@Andrew_Semenza·
@usmannk @FangYi11101 yeah for sure; i was exaggerating. the more general question is whether "sophisticated patisserie" in general has become more ubiquitous/well-known or whether that impression is just a function of me being an adult now
English
1
0
1
41
Andy Semenza
Andy Semenza@Andrew_Semenza·
Did the median resident of, say, SF or NYC know what a kouign amann is circa 2010?
English
3
0
6
459
usmann
usmann@usmannk·
@Andrew_Semenza @FangYi11101 also i'm not sure the median resident of SF or NYC knows what a Kouign Amann is in 2026. and for London my money is solidly on no
English
1
0
1
34
usmann
usmann@usmannk·
@deadrosesxyz @saxenism agree, and will add these posts make it hard to understand what the reporter is even asking for. i am not sure these posts warranted being written. (myself as someone who has been stiffed of a 500k bounty in a very cut and dry case before)
English
2
0
1
531
deadrosesxyz
deadrosesxyz@deadrosesxyz·
@saxenism sorry to break it to you, but if the protocol doesn't have a public bbp with predefined terms, you cannot demand money from them (regardless of the severity of issues).
English
5
0
36
1.9K
Rahul Saxena
Rahul Saxena@saxenism·
Several public claims have been made about this disclosure. The factual record differs. Correcting once, with citations.

For context: findings were submitted on January 6. A bounty expectation was explicitly stated on Day 1. No discussion of bounty amount occurred until the team unilaterally posted a $2,500 Snapshot proposal on February 2. When we responded with our assessment of what the findings were worth and explicitly stated we were open to negotiation, the response from dStack's co-founder, verbatim: "Can I take it as a threatening to us? Sorry then we don't need to continue this conversation. Feel free to publish everything in this group."

------

Onto the public claims made:

"Dude ask us a bounty $100000"
The message sent to the dStack team contained a stated position referencing industry comparables, specifically Oasis Protocol's $100K Critical ceiling on Immunefi for equivalent TEE infrastructure. The $100K figure was a valuation for Findings #4 and #7, which together form the compound attestation bypass, reflecting their trust-root impact and platform-wide blast radius. For the remaining findings, the message stated: "For the remaining confirmed issues, including the two High findings and the two Medium findings, I am open to discussing a consolidated bounty." It closed with: "I would prefer to resolve this constructively and privately." That is a negotiation position with an explicit invitation to discuss. No counter-offer was made. No revised amount was proposed. No mention of what the protocol could and could not afford.

"He threaten us to make PR crisis"
The message explicitly separated publication from bounty: "Publication proceeds regardless of the bounty outcome. These are separate tracks." A disclosure timeline was provided. The message stated more than once a preference for private resolution, including closing with: "I would prefer to resolve this constructively and privately." The co-founder's response is quoted above. We mentioned our writeup would go out on Wednesday, and that is exactly when it was published.

"Fixed in a week"
Jan 6 to Feb 10. One month. Telegram group, shared Notion pages, multiple PDFs exchanged, severity rebuttals, fix reviews, and a second researcher added for validation. dstack's own blog post timeline reads "Jan–Feb 2026." A Critical vulnerability present since the library's first commit does not become less Critical because the patch was fast.

"Most of them are AI slops"
7 findings were submitted to the team, and 6 were accepted by them. Code fixes were committed for each one. CVE-2026-22696 was published as Critical by dStack's own lead developer on GitHub Security Advisories. The description reads: "bypasses the entire remote attestation security model." Either the findings were valid and required fixes, or they were not. The commit history, the CVE, and the GHSA reflect the former.

"We paid $100k to security researchers in 2025" and "We are not able to afford that"
Both statements were posted publicly within hours of each other.

------

What remains unaddressed:
1. Why do severity classifications differ across the Snapshot proposal, the GHSA, and the blog post?
2. Why was the shared Notion page that documented mutually agreed severity classifications cleared after Feb 8?
3. If the verifier omitted required verification steps since inception, and users relied on that verifier for hardware trust decisions, how is 'no action required' the correct conclusion in your blog?

------

Every factual claim in this thread and this response is supported by Telegram logs, shared documents, and screenshots. Private communications have not been published. That is a choice, not a limitation. We stand by the findings and the disclosure process. We will not be engaging further on characterisations. The technical record speaks for itself.
Rahul Saxena tweet mediaRahul Saxena tweet mediaRahul Saxena tweet media
Rahul Saxena@saxenism

Compromised and revoked TEE machines could pass dstack's attestation verification as perfectly valid, due to missing checks. What's more? This gap has existed since the library's first commit. @PhalaNetwork Cloud and every protocol built on it inherited this behaviour from day one. Their GHSA marks this as Critical and notes that it "bypasses entire remote attestation model". My team at @bluethroat_labs reported this and 5 other vulnerabilities, and this is the response we got:
+ $2,500 in bounty offered
+ disclosure timelines framed as "threat"
+ wiped shared Notion
+ severities downgraded in a public blog post
Here's the full story: 🧵👇🏻

English
8
3
43
7.1K
VibenBeach
VibenBeach@VibenBeach·
@drabdrab_ @AutismCapital Interesting! @rtwlz & @lukeigel lots of people are relying on Jmail for Epstein docs … what would be the reason for a slip like this where some people might think it’s someone else?
English
1
0
7
4.7K
Autism Capital 🧩
Autism Capital 🧩@AutismCapital·
Epstein does have the occasional rogue banger from time to time 💀💀💀
Autism Capital 🧩 tweet media
English
206
2.3K
64.8K
1.7M
Yassine
Yassine@yassine3eth·
Hey pledgers and hackers 👋 We're building the Hacker Pledging homepage. What would you like to see beyond this? 👇
Yassine tweet media
English
4
7
13
5.9K
usmann
usmann@usmannk·
@ControlZ_1337 @Montyly in this case you can tell that it was bullets -> paragraphs especially because the information density is low. as a reader, 10 times out of 10 i would prefer it just be written in any language and google translated to english rather than this process
English
1
0
3
236
ControlZ
ControlZ@ControlZ_1337·
This is how I use AI for writing:
1. I first write everything in a pretty sloppy way - just dumping my thoughts and intent onto the page.
2. I then feed that into AI to clean it up and make it sound better.
3. Finally, I review the result and fix any mistakes or inaccuracies the AI might have introduced.
The AI doesn't write entire passages.
English
1
0
1
257
usmann
usmann@usmannk·
the point of the post is ostensibly to convey information, if entire passages were generated by ChatGPT then I could have just asked it myself. also another good reason is it destroys credibility with the reader. In this case you can see there was much more done than just asking it to point out language errors
English
1
0
0
256
ControlZ
ControlZ@ControlZ_1337·
@usmannk @Montyly English isn’t my native language, so I use tools like ChatGPT to help me phrase things better and avoid grammar mistakes. I use AI to find bugs - why wouldn’t I use it to help with writing too? (This comment was written with the help of ChatGPT)
English
1
0
14
533
usmann
usmann@usmannk·
@hrkrshnn @Montyly excited to see what you guys have cooked up but it sounds like you meant this to show you heeded the feedback. i think this is actually doubling down on what he is criticizing.
English
0
0
2
63
Hari
Hari@hrkrshnn·
The AI takes here are so out of touch. There are models out there that have won gold medals in Math Olympiads, achieved superhuman performance in ICPC (beating all humans), solved unsolved math problems, and some people think web3 security is different?
English
12
1
50
11.1K