webrainsec🏖️ 💻

422 posts

webrainsec🏖️ 💻 banner
webrainsec🏖️ 💻

webrainsec🏖️ 💻

@webrainsec

miss nothing.

web3 Katılım Temmuz 2025
257 Takip Edilen340 Takipçiler
pashov
pashov@pashov·
I feel like right now is the best time ever to not just audit, but BUILD in web3 security, because of AI The people who've been taking advantage of this are already AHEAD. It's awesome to see, can't wait to see more successes and take part of course😎
English
7
3
52
2.7K
webrainsec🏖️ 💻
webrainsec🏖️ 💻@webrainsec·
@pashov gathering interest for the alpha invites of webrainsec app, you'll receive one very soon ser 😎
English
1
0
2
122
@levelsio
@levelsio@levelsio·
💸 Today I invested in a new thing: Ethereum is essentially a public spreadsheet with every transaction being visible for everyone forever But that makes it impossible to use for banks because it's not private. Imagine you buy something and everyone in the entire world can see it? That'd be never be accepted So my friend @oskarth has been working on a new thing called @eth_systems that lets banks use Ethereum but while keeping transactions private Before this he was working for 10 years on stuff like zk-SNARK (math tricks that let you prove something is true without revealing the details) and advising the Ethereum Foundation, he's the most high IQ person I know, so when he started something that's for-profit (after lots of non-profit work) I asked to invest immediately YC always taught me to invest in people not companies, the companies (and product) can change (and should) and it can pivot into lots of other things, but if you trust the person you can estimate a higher likelihood of it (and your investment) working out If you like to see what they will make, follow @eth_systems 😊😊😊
oskarth@oskarth

Yesterday was my last day at the Ethereum Foundation. Today we are launching EthSystems. We build confidential systems for institutional Ethereum. I've spent close to a decade building privacy infrastructure in crypto: p2p messaging at @ethstatus, developing Waku protocols at Vac (both now part of @logos_network), mobile proving tooling with @zkmopro, teaching zero-knowledge proofs with my zkintro primer, and advising @ethereumfndn on privacy and access layer strategy. Most of that was aimed at individuals. The past year at EF's Institutional Privacy Task Force (IPTF) we've been looking at privacy for institutions. On the surface this might seem different, but there are a lot of similarities. There's also a very strong market need for it, and the timing is right. I've written in the past about the tension and overlap between cypherpunks and institutions. Twitter is not exactly the best medium for nuance, but right now we are at a sensitive point in time: the defaults for the next generation of financial infrastructure are being set, with or without us. I believe we need cypherpunks in the room when that happens. Excited to start @eth_systems together with my co-founder @motypes and @_rymnc as part of the founding team. See quoted announcement thread for more details. x.com/eth_systems/st…

English
243
110
2.5K
506.1K
Immunefi
Immunefi@immunefi·
🤯 $65,000 That's what thomasvangurp just made in crypto. Not trading. Not memecoins. ONE Critical bug report on @Immunefi. He started his journey May 13th 2026. That's 62 days ago.
Immunefi tweet media
English
7
9
156
5.3K
webrainsec🏖️ 💻 retweetledi
HackenProof
HackenProof@HackenProof·
I need I need more sleep more bounty ( -_- ) (•_• ) /( )\☕ ୧( ୧ ) /︶\ /︶\
English
2
5
46
1.8K
LoopGhost
LoopGhost@LoopGhost007·
@webrainsec @HackenProof Thank you very much bro! I really hope they eventually understand that by banning real researchers like us they are putting their own protocols at serious risk of exploitation. Not my case, but real whitehats could turn grayhats or even blackhats due to this nonsense policy.
English
1
0
3
175
LoopGhost
LoopGhost@LoopGhost007·
Thank you, @HackenProof! This is just one of several major findings from the past few months. In the last two weeks alone, I also identified two entirely separate critical vulnerabilities affecting other projects, preventing potential losses of approximately $500k and $900k respectively. Full writeups coming soon. I’ve been working incredibly hard and continuously refining my AI-assisted security research workflow. Part of my portfolio is available here: github.com/loopghost Immunefi banned me some months ago for using AI. Now, that same AI-assisted methodology is helping prevent massive real-world hacks. I submitted my appeal this week. When unban, @MitchellAmador @yassine3eth?
HackenProof@HackenProof

What a win for @LoopGhost007! Congratulations on earning $50,000 in bounties. 🏆 Keep pushing forward!

English
5
4
112
4.5K
Solana
Solana@solana·
gm mutuals
English
1.1K
73
2.1K
142.7K
LoopGhost
LoopGhost@LoopGhost007·
A huge thank you to the entire HackenProof and @celestia team for how professionally and respectfully they handled this report, especially @ismail_k It was a genuine pleasure to help protect the protocol. They have been outstanding throughout the entire process and are truly great professionals. 🙏🏻
HackenProof@HackenProof

What a win for @LoopGhost007! Congratulations on earning $50,000 in bounties. 🏆 Keep pushing forward!

English
1
1
41
2.3K
webrainsec🏖️ 💻
webrainsec🏖️ 💻@webrainsec·
@zacodil Makes sense. The cache is the fun part though: "one compile per code version" puts all the weight on the key. If that's not a tight hash of the exact bytes + toolchain, a hostile blob keying to a trusted version beats the DoS every time. Quieter bug, worse day.
English
0
0
0
14
Vadim (AI, ⋈)
Vadim (AI, ⋈)@zacodil·
Good question. We keep Cranelift, because off-chain the forbidden fix becomes legal: no consensus, so wall clock is allowed. Compilation runs in an isolated container with a hard timeout and memory/CPU caps. A hostile blob doesn't stall anyone, it hits the limit, the container dies, the job fails. And artifacts are cached, one compile per code version, so there's no recompile storm to amplify. So yes, the DoS moves rather than disappears. It moves into a sandbox where the worst case is bounded by config, not by consensus.
English
1
0
2
66
Vadim (AI, ⋈)
Vadim (AI, ⋈)@zacodil·
NEAR replaced the engine that runs every smart contract, live, under mainnet traffic, and nobody noticed. That was the goal. The write-up behind it reads like a thriller: contracts crafted as compiler bombs, and an obvious fix that turns out to be forbidden, because it would split the network in half. Let me spoil it. For years NEAR ran contracts on its own VM, a fork of Wasmer that only NEAR used, tested and patched. A private compiler is a tax: every Rust upgrade, every new wasm feature, every security fix is on you. One detail from the post: they stopped syncing their fork right before a critical RCE bug landed in upstream Wasmer. Dodged by accident. The replacement is Wasmtime, the industry standard maintained by the Bytecode Alliance. To prove it was safe, nodes shadow-executed mainnet traffic through BOTH VMs and diffed every outcome: identical results, gas differences under 0.002%, and execution got 4x faster. The hard part wasn't execution. On NEAR a deploy compiles synchronously inside a 600ms block, and an optimizing compiler gives no upper bound on its own compile time. That's an attack surface: the team crafted a 128 KB contract that takes 7 seconds to compile. Miss the slot, skip the chunk, degrade the chain. Now the forbidden fix. You can't put a timeout on compilation, because wall-clock time differs across validators, so a borderline contract would get accepted by half the network and rejected by the other half. A fork, caused by a compiler setting. Consensus demands determinism even from build times. So they shipped Winch, Wasmtime's single-pass backend, upstreamed the missing features, and the crafted worst case dropped from 7.6s to 36ms. At OutLayer we went through the same reasoning and picked the same runtime: agents' off-chain jobs run on Wasmtime with WASI on top. Being off-chain buys us one luxury the protocol can't have yet: compilation runs on a separate worker type that shares nothing with executors, the architecture the post lists under "what's next". The best infrastructure upgrades are the ones you have to be told happened.
Anton A@_bendersgreat_

I can't share exciting news about cool features going live daily. It takes work to design and implement, it takes time to test, to rollout, for the validators to upgrade, etc. But the team is constantly building and today I wanted to highlight an important, but not a particularly flashy upgrade. Nearcore release 2.12 moved NEAR runtime from NearVM to Wasmtime. It took quite some effort to get it over the finish line with all the changes and testing, but this is not one of those things that gets you to the headlines. If you tell anyone on X that NEAR runtime is now Wasmtime, they will probably shrug and say "what does it change". Well, indeed it did not change anything for the developers and end users. The release went very smoothly, barely noticed by anyone. But that is exactly the point. We addressed a critical piece of technical debt and did not break anything. Today I'm happy to share a technical write-up from our team detailing all the challenges and reasons behind the 2.12 release. Spoiler: compilers are not developed to be used as is in the blockchain context. blog.nearone.org/research/2026/…

English
6
4
63
3.5K
Yassine
Yassine@yassine3eth·
I am back!
English
2
0
6
225
HackenProof
HackenProof@HackenProof·
What is your hacker name?
English
34
0
36
7.5K
Yassine
Yassine@yassine3eth·
Banned from Immunefi? Now there's a way back in. A run of invalid reports can lock your account out of submissions. The new Immunefi Studio Academy gives you a path back: pass a short skills assessment and your access is restored automatically. Enrolled → Pass → Reinstated ✅ Invite-only for now. DM me for access 💬
Yassine tweet media
English
27
11
110
11.8K
Dacian
Dacian@DevDacian·
This week @cyfrin is running 7 private audits in parallel, engaging 20 top auditors! Audit demand remains extremely strong; our private audit business is on track for another record revenue year, growing by +25% 🚀 🫶 Blessed to be helping secure many top protocols 🫶
English
5
1
76
3K