Web3 Security

110 posts


@venus30295

Joined September 2025
48 Following, 65 Followers
DefiLlama.com@DefiLlama·
Over the past 10 years, more than $17B has been lost from 518 crypto hacks.
Web3 Security@venus30295·
@frostyz I cannot share the protocol name because of ongoing legal proceedings.
Web3 Security@venus30295·
You have *no* idea how negligent and incompetent many protocol security teams are in this space. Here is how a protocol lost 9 figures to a hack by refusing to listen to me, denied a bug bounty payment, dared me to hack their protocol, and called me a liar.
Web3 Security@venus30295·
I gave this team the exploit path days in advance, offered to help them patch it, then fought the attacker in the midst of the exploit, buying the team 3 hours of time to stop the attack, frantically messaging them to pause borrowing, and they did nothing.
0xdeadf4ce@0xdface·
@venus30295 scope ain't worth anything once an attack vector is realized. do you have more details about what has been reported back then?
0xdeadf4ce@0xdface·
The only fault of Aave (although with immense consequences) is listing rsETH as collateral. LZ (by at least poor design) and Kelp (by their poor choices) are equally at fault if not more. I think Aave will be more or less fine but never the same again. 😓
RoboMcGobo@RoboMcGobo·
Nearly everyone working in interop knew about Layer Zero's 1/1 and 2/2 DVN configs and warned about them for years. But they got tired of being openly mocked and harassed by Bryan and the L0 army so they just.... stopped talking about it. Lots of people vindicated this weekend.
Web3 Security@venus30295·
The unfortunate state of crypto security: white hat bug bounty reporters would make more money disclosing their inside info on crypto hacks to Polymarket/Kalshi than directly to the teams managing customer funds.
Web3 Security@venus30295·
White hat bug bounties allow teams to essentially receive free security research from the best players in the world, and paying up only if a true vulnerability is found! It is much cheaper to pay a modest bounty than lose millions of customer funds!
Web3 Security@venus30295·
That's the state of play in crypto. Teams feel immunized because (1) they hide behind "this is failing in prod; you assume risk for using untested protocols"; (2) the reality of cross-border prosecution makes recovery for individuals very unlikely without law enforcement.
Web3 Security@venus30295·
I will eventually write on safe harbor provisions and structured bug bounty legislation for crypto hacks. Right now it’s a Wild West. I think it’s primarily a principal-agent problem.
Web3 Security@venus30295·
@zariat Indeed - white hat bug bounties allow teams to essentially receive free security research from the best players in the world, and paying up only if a true vulnerability is found! It is much cheaper to pay a modest bounty than lose millions of customer funds!
Web3 Security@venus30295·
3 years ago I wrote about @aave's incomplete bug bounty program and how it left depositors open to very common lanes of attack. governance.aave.com/t/the-aave-bug… These hacks will continue because teams are negligent and incompetent.
Web3 Security@venus30295·
@Marczeller 3 years ago I warned AAVE, and their top lawyer, about how their incompetent and negligent security team's approach towards bug bounties would lead to more depositor losses. Nothing has changed. x.com/venus30295/sta… governance.aave.com/t/the-aave-bug…
Marc Zeller@Marczeller·
All ETH that was staked via frontier will be available to the Aave DAO roughly a week from now. The clearer the situation gets the more optimistic I get about aave V3 wETH core depositors. Still a few moving parts but worst case seems behind us. I’ll let the ones currently in charge of Aave communicate as they see fit. We played our small part as we believed was best.
Web3 Security@venus30295·
@aave I even messaged AAVE's main lawyer about this at the time and urged them to take action to protect depositors. Nothing has changed.