Zero Cipher

482 posts

Zero Cipher

Zero Cipher

@zerocipher002

Senior Blockchain Security Researcher. Move/EVM/Rust. #15 All time Cantina Leaderboard. Founder @VulsightSec

Katılım Aralık 2014
551 Takip Edilen1.7K Takipçiler
Sabitlenmiş Tweet
Zero Cipher
Zero Cipher@zerocipher002·
$300,000 from a single bounty. Also yes, it was Move related. Move helps, but it doesn’t magically make protocols safe. The real bugs still live in assumptions, invariants, and integrations. Proud of what VulSight has been doing too. We’ve cleared over $500k in bounties in the last 2 months. If you’re a founder and you want an audit team that consistently finds criticals, we’re a DM away.
Immunefi@immunefi

Big congratulations to @VulsightSec for scoring their very first paid report on Immunefi. And it's huge, huge payout. Well done! You can pledge behind them here to earn IMU when they find bugs: immunefi.com/pledge/vulsigh…

English
8
8
138
7.9K
Zero Cipher
Zero Cipher@zerocipher002·
@DevDacian @cyfrin Do you think this demand is highly driven by the educational resources that cyfrin has created through the years?
English
1
0
2
282
Dacian
Dacian@DevDacian·
This week @cyfrin is running 7 private audits in parallel, engaging 20 top auditors! Audit demand remains extremely strong; our private audit business is on track for another record revenue year, growing by +25% 🚀 🫶 Blessed to be helping secure many top protocols 🫶
English
5
1
76
3K
Zero Cipher
Zero Cipher@zerocipher002·
@Hexen1337 @saxenism @Hexen1337 And are you positive that it was your submission that led them to fix the finding or did they claim anyone else reported it to them or they found it during internal testing?
English
1
0
0
116
m4rio
m4rio@m4rio_eth·
i also disclosed a bug to Aptos back in January, which in my opinion was critical, basically could take ownership of every smart contract, my only problem was that i did not have time to construct the full PoC, aptos setup was not friendly enough, run in multiple bugs trying to set up nodes and everything, team ack the bug and fixed it but wanted the full PoC, i got no reward 😂 unfortunately the bug is still in review on @HackenProof
Mudit Gupta@Mudit__Gupta

An arbitrary state write bug in Aptos chain was disclosed by @hexens today. This is the worst kind of bug possible on a chain. Why? Not only everything on the affected chain can be stolen but also most assets across all chain can be stolen. Your stablecoins, LSTs, everything

English
7
10
120
18K
Zero Cipher retweetledi
venture anthropologist
venture anthropologist@0xBalloonLover·
anthropic won't let you use fable for biology, chemistry, ai research, or anything that accelerates human progress. that makes it the perfect tool for developing blockchains
English
153
551
12.3K
461.8K
nnez
nnez@__nnez·
@WhiteHatMage Theory tested yesterday exactly as you called it lol. Original sub had no E2E PoC, and the team evaluated it inaccurately as "not expolitable" and closed it as Informative. Mine proved the exploit E2E, but still got closed because the root cause was "already evaluated."
English
3
0
10
545
WhiteHatMage
WhiteHatMage@WhiteHatMage·
I also have another theory about duplicates: some projects and platforms abusing nonsense slop submissions. You disclose an e2e-proven exploit, but it gets marked as a duplicate because of the "root cause". The slop report contains the vulnerable lines but no actual proof or has invalid claims. With enough slop, you cover all the lines where a reasonable bug could exist. Then the project reopens the invalid slop submission, pays it as Low, and avoids paying the actual Critical. That’s my worst nightmare. That shouldn’t happen ever.
WhiteHatMage@WhiteHatMage

I’d say that getting too many duplicates in old bug bounty programs is a sign that your hunting strategy needs improvement. Duplicates should be rare.

English
21
9
113
10.5K
Zero Cipher
Zero Cipher@zerocipher002·
@secorizon Only if cantina had sway over the bug bounty amounts, I would have bribed cantina to award me more favourable ones.
English
0
0
0
484
Secorizon
Secorizon@secorizon·
No serious bug bounty company would award a 500k bounty to its lead researcher and employee (at least since 2024), and brag about it. This is the very definition of conflict of interest. You control the client, triage process and final decision...
Secorizon tweet media
Cantina 🪐@cantinasecurity

$500,000 to @rileyholterhus through Cantina Bounties. 🪐 The researchers who consistently find the bugs that matter don't chase volume. They follow programs where scope is tight, triage is fast, and rewards match actual impact. Well done, Riley!

English
12
0
67
20.8K
Zero Cipher
Zero Cipher@zerocipher002·
@GalloDaSballo Quite interesting stuff. I am curious on how likely do you think there are some extreme edge case critical vulnerabilities in smart contracts that neither manual auditing or LLM based auditing can find?
English
0
0
1
90
Alex the Entreprenerd
Alex the Entreprenerd@GalloDaSballo·
Contrary to what you may think: - 5 people spent 2 years working on this - It cost 6 figures to make this happen - E2E fuzzing is still a specialised skill because wisdom is not cheap We’ve open sourced everything we built for you to carry on the torch I’m doing a full breakdown this Friday at EthPrague
Recon@getreconxyz

Did you know we open sourced a fuzzer, an AI Framework and a VS Code / Cursor Extension for Fuzzing Solidity? - One click to scaffold - One line command to have AI work for you - One command to run a 10x fuzzer All on our Github

English
5
7
122
12.3K
Zero Cipher retweetledi
VulSight
VulSight@VulsightSec·
🌴 The @VulsightSec team has landed in Miami for @consensus2026! May 5–7 | Miami Beach Convention Center If you're building in Web3, let's talk: 🔐 Smart Contract Audits 🛡️ Protocol/Infra Security Audits 🤝 Security Partnerships DM us to grab coffee or meet up on the beach. ☀️ #consensus2026 #Miami #web3 #Security
VulSight tweet media
English
0
1
4
846
T1MOH🪐
T1MOH🪐@0xT1MOH·
May 1st 2026. The day I've been AI-pilled. Thank you @DevDacian
English
6
1
45
2.8K
Immunefi
Immunefi@immunefi·
Crypto's most controversial Security Researcher is coming on The Immunefi Show. Who do you think it is?
Immunefi tweet media
English
27
6
88
18K
Zero Cipher
Zero Cipher@zerocipher002·
@pashov If a person wants to do excellent Business Development, what tips do you have.
English
1
0
7
2.4K
pashov
pashov@pashov·
I'm a multi-millionaire (liquid) tech CEO, who has an exotic car collection (yes, Lambo included). I was in China earlier this month. Visited Hong Kong, Shenzhen, Guangzhou and Macau. AMA
English
72
5
263
30.9K
Zero Cipher
Zero Cipher@zerocipher002·
@0xriptide Protocols would use any way available to them to scam whitehats out of their hard earned rewards.
English
1
0
22
518
riptide (japan)
riptide (japan)@0xriptide·
After this LZ incident, do you think project teams will now consider more "theoretical" bug bounty submissions?
English
16
0
28
4.3K
Zero Cipher
Zero Cipher@zerocipher002·
Name drop any protocol that in your opinion that one should never hunt on its bug bounty 👀
English
9
1
25
2.8K
Gabriela Moreira
Gabriela Moreira@bugarela·
I'm happy to announce that @quint_lang is becoming its own company with me as its CEO. I have an incredible team joining me in this new journey as we spin out of @informalinc into Quint Co. Quint remains open source at its core, and I'm confident that the ecosystem we are building around it has the value needed to empower our amazing team to expand and maintain tools we'll all be using more and more. AI code generation has created the opportunity for Quint not only to become sustainable, but to scale at the level we always dreamt of. I've been working hard to decrease cost and increase value of formal specifications for about 8 years, and AI agents have impacted both these factors so incredibly much that I'm now reading about formal methods from new people on social media everyday. And as with every opportunity given to me and Quint this far: I will absolutely take it. Over the past years, Quint became not just a surface syntax for TLA+, but a tool for trust and understanding. Through Quint, I got insights about complex systems in a way I have never experienced before. AI is creating a big trust and understanding gap that I know Quint can fill, not by providing some checkmark, but by being the executable specification language that brings confidence holistically: from the design phase all the way through testing and production. So, CEO, I know. I've internally transitioned into this role a month ago, and I couldn't have predicted how natural it feels. I'm so used to thinking about what is best for Quint and have always taken decisions very seriously, even at times when I was a one-person team. In some ways, it feels like I'm just doing the same things but with a whole lot more help. My vision has been clearer than ever, and I'm getting to exercise it many times a day, every day, across business, marketing, management and technical decisions. By my side, I have people that complement my passion with respectable experience: - @zarinjo, CTO, who provokes way more than I can, opening paths that I never regret pursuing. - @josef_widder, Chief Scientist, the only person that was able to make me love Quint more than I already did, more than once. - @ArianneFlemming, COO, which is one of those rare people that can understand banks, lawyers, technical people, and everything else as far as I'm concerned. She explains everything to us and barely needs any explanation herself. - An extremely talented and fun technical team of real and amazing people. I'm filled with gratitude, but we are far from done, of course. I'm confident and working hard. I'm taking this seriously while also enjoying my dream come true. I thank everyone of you who did anything for Quint in these past four years, and I promise my dedication and passion to everything that awaits us in the future.
Gabriela Moreira tweet media
English
14
12
54
6.1K
Zero Cipher
Zero Cipher@zerocipher002·
After doing extensive Bug Bounty and interacting with dozens of protocols. In the Infra Space among the major blockchains, I believe only these protocols (currently) actually care about security: 1. Solana 2. Ethereum 3. Monad 4. Sei Most of the other blockchains don't care about either security or respecting whitehats.
English
11
1
77
3K
Zero Cipher
Zero Cipher@zerocipher002·
@_wdm33 Not really. The conclusion is based on how protocols react after someone reports a "problem"
English
0
0
0
80
wdm33
wdm33@_wdm33·
@zerocipher002 Could it be they're just the ones with the most problems?
English
1
0
0
324