Zero Cipher

480 posts

@zerocipher002

Senior Blockchain Security Researcher. Move/EVM/Rust. #15 All time Cantina Leaderboard. Founder @VulsightSec

Joined December 2014
543 Following · 1.7K Followers
Pinned Tweet
Zero Cipher@zerocipher002·
$300,000 from a single bounty. Also yes, it was Move related. Move helps, but it doesn’t magically make protocols safe. The real bugs still live in assumptions, invariants, and integrations. Proud of what VulSight has been doing too. We’ve cleared over $500k in bounties in the last 2 months. If you’re a founder and you want an audit team that consistently finds criticals, we’re a DM away.
Immunefi@immunefi

Big congratulations to @VulsightSec for scoring their very first paid report on Immunefi. And it's huge, huge payout. Well done! You can pledge behind them here to earn IMU when they find bugs: immunefi.com/pledge/vulsigh…

Zero Cipher@zerocipher002·
Applied to a relatively very small scale Blockchain Conference in the Middle East to speak on the topic of our reported High Severity bug in the Ethereum Geth Client. Got hit with: "Organic speaking slots are full. Though you can pay us if you would still like to speak."
Zero Cipher@zerocipher002·
@GalloDaSballo Quite interesting stuff. I am curious how likely you think it is that there are some extreme edge case critical vulnerabilities in smart contracts that neither manual auditing nor LLM-based auditing can find?
Alex the Entreprenerd@GalloDaSballo·
Contrary to what you may think:
- 5 people spent 2 years working on this
- It cost 6 figures to make this happen
- E2E fuzzing is still a specialised skill because wisdom is not cheap

We’ve open sourced everything we built for you to carry on the torch

I’m doing a full breakdown this Friday at EthPrague
Recon@getreconxyz

Did you know we open sourced a fuzzer, an AI Framework and a VS Code / Cursor Extension for Fuzzing Solidity?
- One click to scaffold
- One line command to have AI work for you
- One command to run a 10x fuzzer

All on our Github

Zero Cipher retweeted
VulSight@VulsightSec·
🌴 The @VulsightSec team has landed in Miami for @consensus2026!
May 5–7 | Miami Beach Convention Center
If you're building in Web3, let's talk:
🔐 Smart Contract Audits
🛡️ Protocol/Infra Security Audits
🤝 Security Partnerships
DM us to grab coffee or meet up on the beach. ☀️
#consensus2026 #Miami #web3 #Security
T1MOH🪐@0xT1MOH·
May 1st 2026. The day I've been AI-pilled. Thank you @DevDacian
Immunefi@immunefi·
Crypto's most controversial Security Researcher is coming on The Immunefi Show. Who do you think it is?
Zero Cipher@zerocipher002·
When you know that projects are scamming by self donations on giveth programs but can't prove it
Zero Cipher@zerocipher002·
@pashov If a person wants to do excellent Business Development, what tips do you have?
pashov@pashov·
I'm a multi-millionaire (liquid) tech CEO, who has an exotic car collection (yes, Lambo included). I was in China earlier this month. Visited Hong Kong, Shenzhen, Guangzhou and Macau. AMA
Zero Cipher@zerocipher002·
@0xriptide Protocols would use any way available to them to scam whitehats out of their hard earned rewards.
riptide@0xriptide·
After this LZ incident, do you think project teams will now consider more "theoretical" bug bounty submissions?
Zero Cipher@zerocipher002·
Name drop any protocol that, in your opinion, one should never hunt on its bug bounty 👀
Zero Cipher@zerocipher002·
Wild thought: When you train for lucid dreaming, you learn to check things like your hands or the time on a clock because dreams mess those up. AI image/video models make very similar mistakes (extra fingers, broken text, inconsistent details). Feels like AI is mimicking human consciousness on a level.
Gabriela Moreira@bugarela·
I'm happy to announce that @quint_lang is becoming its own company with me as its CEO. I have an incredible team joining me in this new journey as we spin out of @informalinc into Quint Co. Quint remains open source at its core, and I'm confident that the ecosystem we are building around it has the value needed to empower our amazing team to expand and maintain tools we'll all be using more and more. AI code generation has created the opportunity for Quint not only to become sustainable, but to scale at the level we always dreamt of. I've been working hard to decrease cost and increase value of formal specifications for about 8 years, and AI agents have impacted both these factors so incredibly much that I'm now reading about formal methods from new people on social media everyday. And as with every opportunity given to me and Quint this far: I will absolutely take it. Over the past years, Quint became not just a surface syntax for TLA+, but a tool for trust and understanding. Through Quint, I got insights about complex systems in a way I have never experienced before. AI is creating a big trust and understanding gap that I know Quint can fill, not by providing some checkmark, but by being the executable specification language that brings confidence holistically: from the design phase all the way through testing and production. So, CEO, I know. I've internally transitioned into this role a month ago, and I couldn't have predicted how natural it feels. I'm so used to thinking about what is best for Quint and have always taken decisions very seriously, even at times when I was a one-person team. In some ways, it feels like I'm just doing the same things but with a whole lot more help. My vision has been clearer than ever, and I'm getting to exercise it many times a day, every day, across business, marketing, management and technical decisions. 
By my side, I have people that complement my passion with respectable experience:
- @zarinjo, CTO, who provokes way more than I can, opening paths that I never regret pursuing.
- @josef_widder, Chief Scientist, the only person that was able to make me love Quint more than I already did, more than once.
- @ArianneFlemming, COO, which is one of those rare people that can understand banks, lawyers, technical people, and everything else as far as I'm concerned. She explains everything to us and barely needs any explanation herself.
- An extremely talented and fun technical team of real and amazing people.

I'm filled with gratitude, but we are far from done, of course. I'm confident and working hard. I'm taking this seriously while also enjoying my dream come true. I thank everyone of you who did anything for Quint in these past four years, and I promise my dedication and passion to everything that awaits us in the future.
Zero Cipher@zerocipher002·
After doing extensive Bug Bounty and interacting with dozens of protocols. In the Infra Space among the major blockchains, I believe only these protocols (currently) actually care about security:
1. Solana
2. Ethereum
3. Monad
4. Sei

Most of the other blockchains don't care about either security or respecting whitehats.
Zero Cipher@zerocipher002·
@_wdm33 Not really. The conclusion is based on how protocols react after someone reports a "problem"
wdm33@_wdm33·
@zerocipher002 Could it be they're just the ones with the most problems?
Kingdavid@BensonDynasty_·
@zerocipher002 Depends on the program rules, but typically:
First reporter gets bounty
Whitehat attacker might get discretionary reward
Execution without coordination can get messy, even if intent was good.
Zero Cipher@zerocipher002·
Suppose we have a critical drain vulnerability that two whitehats find at the same time. One reports it to the bbp. Meanwhile when the report is being reviewed, the other whitehat executes a whitehat attack to secure the funds. Who gets the bounty 👀
@0xSpider_Raphl🕸️🕷️@meshaqRapha0761·
@zerocipher002 I think both get paid. Whitehat A gets the full official bug bounty for the responsible disclosure while Whitehat B (who actually drained & controls the funds) gets the negotiated recovery reward directly by the project.