pessimist (@0xpessimist)
651 posts

21. Assumptions break under a pessimistic lens. Security Researcher @Hashlock_, My sensei @0xSorryNotSorry, prev Game Designer https://t.co/0ZHCkSxkRc

Joined May 2023
802 Following · 1.2K Followers

0x9527🦀 (@coffiasse):
Submitted bug bounty report a week ago. No response so far. Maybe the real vulnerability is the communication layer.
[image attached]

pessimist (@0xpessimist):
@asen_sec Not really imo, the PoC comes before "found a bug", otherwise it's in theory. The gap is if the project wants to actually pay you, as even platforms can't enforce it.

pessimist (@0xpessimist):
@HackenProof nk11: north korean team of 11 hackers!? jk, congratz :)

HackenProof (@HackenProof):
A $75,000 win for nk11 💰 He’s done it again - another $75,000 earned, and it’s far from his first big win. HackenProof salutes you. Keep hunting 🔥
[image attached]

pessimist reposted
Peter Kacherginsky (@iphelix):
There is another way to look at this. The LayerZero/KelpDAO hack was caught in about an hour. Teams saved another $72M+ by reacting instantly. It took JPMorgan 20+ years of ignoring screaming red flags before Madoff’s $65B Ponzi finally collapsed. Market manipulations like the RAVE token pump-and-dump got uncovered and crushed in under 24 hours by on-chain sleuths and exchanges. JPM’s own LIBOR, FX, and precious-metals rigging cartels ran for 5+ years before anyone outside the chat rooms noticed. A $60B Enron-style rug pull would be damn near impossible to hide on-chain. JPM managed to keep that one going for years through offshore shells, fake trades, and straight-up hiding the debt from analysts and investors. Maybe they’re concerned they wouldn’t be able to peddle opaque financial instruments on-chain without anyone noticing? You know, like the mortgage-backed securities they sold in the 2000s that triggered the $15+ trillion market meltdown. Are they really “concerned about our industry”? Or are they just using the latest hack as perfect cover to push their “institutional” DeFi vision and JPM Coin while CLARITY Act negotiations are still live? DeFi is not "scaring institutions away", it is scaring JPM that they will have to work honestly and transparently.
Quoted post from Immunefi (@immunefi):
It's exactly what we've been saying, and now JPMorgan agrees. Security is the key blocker to institutions coming onchain. And whoever solves this problem is going to unlock tremendous growth. theblock.co/post/398611/jp…

pessimist reposted
Jeffrey Scholz (@Jeyffre):
Do all your coding inside a VM. Seriously. UTM for Mac is free, works fantastically, and lets you run Mac inside Mac. Get into the habit now before you get rekt by library supply chain issues you cannot control or anticipate. mac.getutm.app Or buy a second laptop. Not having separation nowadays is lunacy.
Quoted post from CoinDesk (@CoinDesk):
LATEST: A senior blockchain security researcher at CertiK told CoinDesk on Wednesday that North Korea’s Lazarus Group is running a new macOS-focused campaign dubbed “Mach-O Man” that targets executives at fintech, crypto and other high-value firms through routine business communications.

pessimist (@0xpessimist):
926d3682958b6261192a6ee2c60051d985de7be81ea2ec096cf2b5624d205e35

pessimist reposted
LonelySloth (@lonelysloth_sec):
ok, so mythos was leaked apparently. did the world end and I didn't notice? what sort of apocalypse is going on right now?

pessimist reposted
asymmetric research (@asymmetric_re):
CU optimizations come with risks. @_fel1x discusses a critical bug we found in p-token before mainnet, subtle enough to survive in a heavily scrutinized codebase.
[image attached]

pessimist (@0xpessimist):
@0xfrsmln I thought the person referred to as "white hat" was someone else (MEV bot etc.). Are we sure they referred to the person who started the attack as white hat? If so, that's so dumb.

frs.eth 🦇🔊 (@0xfrsmln):
Somehow this kind of PoC is: 1. You get to be called a white hat. 2. It solves the duplication problem. 3. It guarantees payout. Is this the norm now? Somehow if you do this, it is a white hat act. We skip the platform middleman and go straight to exploit? Seems so wrong to me tbh
Quoted post from dango🍡 (@dango):
The white hat has returned the funds in full, and has been awarded a bug bounty. User funds are completely unaffected. Our appreciation to the white hat for identifying the bug, securing the vulnerable funds before further damage could happen, and assisting us in strengthening our system. Team is now working on deploying additional guardrails to prevent similar situations from happening again. We expect dango.exchange to resume operation within the day.

pessimist reposted
Rekt News (@RektHQ):
"In security, 99.99% is still a failing grade. And right now we're not winning." Lazarus Group could already be running an AI hacking tool for months at a time targeting your protocol. You wouldn't know. @0xriptide (@therealgregoAI) · Lilian Cariou (@Certora) · @MitchellAmador (@immunefi) Mod: @PataoPT @ Rekt Security Summit

pessimist (@0xpessimist):
I'd really like to write a write-up for this bug, but it's not currently possible due to their bbp rules. Maybe if I can't resist the urge, I'll just share the fix commit :)

pessimist (@0xpessimist):
If what they spent $20k on is just a null-pointer dereference bug, then they must have done something incredibly wrong -- because I found the exact same type of bug with around $7 of spending using Claude Opus 4.6. That $7 includes not only detection, but also creating a PoC draft and asking all the questions I needed. And the bug I found was in a real, widely used (kinda lol) cryptography library, affecting multiple companies' products. Unlike what Anthropic seems to have found, mine can provably crash the related session and create a repeatable DoS at zero cost. "Mine" might not be the most accurate wording actually, it’s more like Opus's, or ours, you get what I mean :D If we're going to calculate the value created by correlating it with the results, then instead of throwing $20k at the machine, you could get the same, or possibly better, result by having me spend $7 with Opus. It shouldn't be that hard to see that it's mostly humans that scale LLMs' capabilities.
Quoted post from Ananay (@ananayarora):
Marcus Hutchins, the guy famous for stopping the WannaCry Ransomware, probably has the best take on Mythos doing vulnerability research

pessimist reposted
Marco Hextor (@marcohextor):
Nice marketing, but transparency and public scrutiny are essential to real security. When will @hyperbridge join @immunefi and put their code to a real test like Axelar, Wormhole, and others? No system is invulnerable solely due to architecture choices.
[image attached]

pessimist (@0xpessimist):
They deleted the tweet, but the internet doesn't forget.
[image attached]

pessimist (@0xpessimist):
Biggest laugh I've had in a while

pessimist reposted
pessimist (@0xpessimist):
Before even getting into the topic of finding zero days with LLMs, there are still plenty of dead simple bugs like this (quoted) in crypto. There aren't many unique contracts that have significant amounts of money in them; either no company/individual that has a proper LLM tool has seriously checked Ethereum (or other chains) extensively, or LLMs don't perform that well when we try to scale the work they do.
[image attached]
Quoted post from pashov (@pashov):
🚨~$130k exploited today from SubQuery Network. Vulnerable code was written >2yrs ago. Access control missing. Basically, anyone can call the method below and set their own contract as the withdraw target for Staking rewards. Would your auditors catch this one?