Waydou

2.4K posts

@waydou9

Crypto enthusiast, Blockchain developer. Don’t hesitate to contact me for business opportunities.

Joined March 2020
1.3K Following · 164 Followers

ret2basic.eth (@ret2basic)
After ~3.5 years in web3 security, I finally achieved 300 crit/h/m count! 😂 Here is my updated portfolio: ret2basic.me/audits.html Any firm looking for a contract-based auditor with move/solana/cosmwasm/daml experience? Happy to chat 😁

Waydou reposted
Immunefi (@immunefi)
Most security firms are quietly moving away from audit competitions. This is one of the biggest mistakes happening in crypto security right now.

There is a simple way to think about audit value: what does it cost to find a critical vulnerability? We looked at the actual data on what it costs to find critical bugs in crypto, and the numbers are not surprising. Finding a critical vulnerability in an audit competition costs $6,548 on average. The exact same severity bug through a bug bounty program costs $114,000. That is 17x more expensive for the same result.

Now look at the traditional audit model. Some top firms charge $100 per line of code. Others charge as high as $25,000 per auditor per week. A single engagement can easily run $200k to $500k+, and you are getting maybe 2 to 4 people looking at your code.

But cost per critical is not even the most interesting part. The interesting part is the structure of who is looking at your code. When you hire a firm, you get 2 to 4 auditors. Maybe they are great. Maybe one of them is having a bad week. You are making a concentrated bet on a small number of people.

An audit competition attracts hundreds of security researchers. These are some of the best hackers, people who have found real vulnerabilities in major protocols. These hundreds of researchers are now armed with AI tools. They understand codebases faster. They write PoCs faster. They find bugs that would have taken DAYS in just hours.

Think about what that means. You are not just getting hundreds of humans. You are getting hundreds of AI-augmented humans, each running their own workflow, each with their own intuition about where bugs hide. The scaling dynamics are extraordinary.

The firms moving away from competitions are optimizing for predictable revenue, not for their clients’ best outcomes. That is understandable from a business perspective. But if you are a project choosing where to spend your security budget, you should optimize for bugs found per dollar spent.

Audit competitions now also have scaling pots. The prize pool grows with the scope of the codebase. This aligns incentives in a way that fixed-fee engagements never can.

But what about AI spam, low-quality submissions, and the time it takes to triage all of those submissions? Immunefi is addressing these with mechanisms like pay-to-submit, managed triage, and AI triaging agents, which are already showing very strong promise.

The best security strategy is not either or. But if you have a limited budget and you want the most eyes, the most diverse skill sets, and the best cost per finding ratio, audit competitions are still the obvious choice.

Waydou (@waydou9)
@hklst4r @KelpDAO That’s insane, can’t wait to read your bug analysis

Weilin (William) Li (@hklst4r)
It seems @KelpDAO $rsETH has been attacked for 292M worth of $rsETH (P1). Kelp DAO $rsETH was attacked, with losses of about 292M. All lending protocols with rsETH collateral may face losses, including AAVE, Compound, Euler, Fluid! The AAVE token price has already dropped 11%. There isn't any liquidity for selling rsETH now on Ethereum, which means any lending market with exposure to rsETH is at risk! (including AAVE, Compound, Euler, Fluid). Notably AAVE token price already dropped 11%.
- The attacker borrowed against these rsETH for at least 100M worth of ETH on @aave on multiple chains including Ethereum and Arbitrum.
- @compoundfinance suffered from a 56M collateral exposure in rsETH (P3).
- @eulerfinance, however, is still at risk with positive LTV. I have opened a ticket but have not yet got a reply. (P2)
- @0xfluid is also affected with 8M exposure in rseth-wsteth lp collateral. (P4)

R.I.P. Aave umbrella (261.63M total staked, umbrella WETH only has 56M liquidity). I think it might compensate for this bad debt

Waydou (@waydou9)
@immunefi @ZKPassport Identity verification via zkPassport is currently failing (app errors), preventing bug submissions. Support request already submitted, but no response yet. Several users are affected (per Discord). Could the team provide an update?

0xkryvon (@lyes_boudjabout)
@waydou9 Congrats 🎉 Keep going!

Waydou (@waydou9)
Results of @centrifuge on @sherlockdefi are out. Should’ve put more hours into this to grab all edge cases, still happy with finding the only high in the contest, especially since this is one of the largest code bases that I’ve had the chance to audit. Need to keep going. 🔥🔥🔥

Gowtham Naidu Ponnana🇮🇳 (@gowtham_ponnana)
Today, I'm officially announcing that I'll be joining @trailofbits in January 2026. It's one of the companies I've always wanted to work for since starting my cybersecurity journey. Huge thanks to @CarterToB for keeping me in the loop and for your support—you made the process much easier. I'll be working under @thebensams, and I'm excited to help secure top protocols. Special thanks for believing in me, Ben 🫂 By the way, Ben also approves that I'm 6'6", so no more doubts, anyone 😏 Thanks to @Montyly for all the tips and sharing your experience about ToB. When I applied, I wanted to work with you, but life had other plans. That's it, everyone! I'm now a new family member of Trail of Bits ❤️❤️ [So basically, I've engraved my age onto AirPods to remember when I made it into ToB] — Thanks for the home-setup, team 😅😘 While there's some time before I join, I'm gonna touch some grass 😉
Gowtham Naidu Ponnana🇮🇳 (@gowtham_ponnana)

Age 20 ended, and today I am officially retiring from @techfund_inc as Senior Security Researcher. The last few years there have been nothing short of brilliant. Had a chance to represent TECHFUND where I go. Along with it, concluded my final private audit with @Hashlock_!! Thank you for believing in me throughout and giving me the opportunities. Some unexplored road awaiting my arrival 😉 Guess where I'm going nexttt!!


Waydou reposted
0xSimao (@0xSimao)
1/ Introducing The Mentorship Series 0xsimao.com/blog/introduci… I’m personally mentoring a small, hand-picked group of auditors in 2026. 1st announced tmr. 3 months of 1-on-1 mentoring with me each. Targets: 0 → 4 figures 4 → 5 figures Step 1: Like and repost this post.

Waydou (@waydou9)
@0xSimao it goes to spam for some reason

Waydou (@waydou9)
@0xSimao this is amazing, can't wait

Waydou reposted
0xSimao (@0xSimao)
1/ Thinking of starting a series of deep dives in the best paying bugs in audit contests, no AI, no BS, just pure alpha, every day around this time, written by me. This would likely consume a lot of my time, so like and repost if you would be interested in this!

0xSimao (@0xSimao)
> Be an auditor > Found this cool musician randomly > It’s in another language so I can’t understand shit > Can stay focused with 0 distractions > ???? > Free crits > Lambo

Waydou (@waydou9)
@RareSkills_io is it possible to have the CTF they did in a repo?

RareSkills (@RareSkills_io)
The full recording of Ultimate Security Games Season 1 has been published. Here are some of the highlights. The full recording is linked in the reply. Congrats again to team Europe!

Jeffrey Scholz (@Jeyffre)
This was the last CTF that @Montyly from Team Europe cracked at the Ultimate Security Games (surprisingly fast I might add). I'll put the spoiler in the reply in case you want to have a crack at it yourself. The Ultimate Security Games was absolutely fire. Major shoutout to @guy_de, who was the brains behind the operation, and @shashanator89, who pulled her crazy operations magic to keep all the huge number of moving parts in sync. Also, shoutout to @LostIn_Web3 for persistently extracting shipments that got stuck in customs. Also, @NFTMerchant was the guy who thought of this and helped us iron out the details. I'll share it in a later thread, but we faced an incredible amount of bad luck with delayed shipments, lost luggage, bad weather, faulty audio equipment, and power outages, but Guy and Shash kept plowing through. I'm going to be taking it easy today -- you can catch me at the @proofofrakija event at 4 pm today.

Waydou (@waydou9)
@thepantherplus Protocols that don’t perform a second audit after a multi-vulnerability mitigation

Black Panther (@thepantherplus)
in web3 security who should be beaten with this?