rust mafia

180 posts

@Rust_Mafia

thanks for playing

Oyo, Nigeria. Joined October 2024
6 Following, 8 Followers
rust mafia@Rust_Mafia·
@ceo_hyperfocus @0xsadikbaba Yes, but blackhats don't care. Bugs don't care. I think negotiating 10% with blackhats is a much better idea than upfront deposit of 500k for protocols managing millions or billions in tvl. Don't you think?
Artem Irgebaev | Founder @ Hyperfocus
@0xsadikbaba No project will be paying bounties this size upfront. Just due to the fact that this capital will be just lying dormant, without use. Like a security deposit in the bank, but without any yield. Cool agitation, but I suggest to be more realistic. Appeal would be cool, tho.
Sadik@0xsadikbaba·
I am not disgraceful to Immunefi, but this is the truth. Immunefi has far more complaints from whitehats about valid bugs being verified, then projects refusing to pay, lowballing massively, or ghosting completely. HackenProof? Almost zero public complaints on non-payment. Immunefi stays mostly quiet. They don’t respond, don’t escalate, don’t take real action. Reports get closed after 6+ months and you can’t even complain anymore. No appeal box. Whitehats are left hanging with zero leverage. I have seen critical bugs (reentrancy, fund theft) confirmed by triagers then projects offer $1k instead of $250k+ and Immunefi does nothing. Simple fix. Protocols that run bug bounties on Immunefi must deposit the full bounty funds upfront. If they refuse to pay a verified researcher, Immunefi can immediately release the money or mediate properly. No more “we changed our mind” games. Meanwhile HackenProof (platform with lower bounties) has clear SLAs: triage in 3 days, review in 7-14 days, payment in 3 days after fix. Auditors almost never publicly accuse them of non-payment or ghosting. Cleaner process, less drama. Immunefi pays the biggest bounties, that’s why we all hunt there. But the current system is pushing good whitehats toward frustration or worse. Add an appeal box. Enforce deposits. Stop staying quiet. Fix this and the whole Web3 security space wins. #BugBounty #Immunefi #HackenProof #WhiteHat #CryptoSecurity
rust mafia@Rust_Mafia·
@0x15_eth Guess who isn't ever exhausted and whose results cannot be invalidated? A blackhat. Do with this info what you may 🙏
0x15.eth@0x15_eth·
The level of mental exhaustion that comes with being a Web3 security researcher in this space is not for the weak fr. Most people who are new to this industry only see the big payout posts, but they have no idea... (and I mean no idea) what it actually takes to earn one. You spend countless hours hunting bugs, testing exploits, and writing reports, only for platforms to throw your work in the trash. They wrongly invalidate, downgrade severity, reduce payout amounts, ghost reports, take forever to respond, and take even longer to pay. You’re constantly fighting to eat. Man, it’s brutal. Yes, the payouts can be good if you manage to land one, but the process is so exhausting that it can leave you wondering whether it was even worth it. It’s mentally draining, and honestly, the protocols you spend so much time trying to protect often don’t really care about you. Whitehats are treated unfairly in this space, and at times it feels like some protocols don’t deserve the effort people put in to keep them safe. To anyone thinking about getting into Web3 security: think twice and really ask yourself if this is what you want. Please don’t get distracted by the payout posts. You have no idea what you may have to go through behind the scenes. You’re probably better off finding another space that gives you more peace of mind. I go soon japa too cos omo... 🤣
playboi.eth@adeolRxxxx

I don’t think I can continue this career path for long. - I’ve experienced exhaustion every day for the past week bro that I can’t even sleep at night. Bro I’m sad I’m mentally exhausted.

rust mafia@Rust_Mafia·
@adeolRxxxx Guess who doesn't have to submit 2 findings? A black hat.
dawgyg - WoH@thedawgyg·
@PeterSRWeb3 Started as a blackhat. Introduced to bounties 20 years later. And use same thought process now that I did then and it works. I've made quite a bit in my 10 years of bounties (tho I didn't hack from mid 2022 thru 2025 and just started again)
PeterSR@PeterSRWeb3·
So many people jumping into bug bounties right now... I'm genuinely curious—what's the actual success rate? Like, what % of hunters actually land their first payout? Or consistently make money? Feels like 95%+ quit early with zero $$$ 😅 Thoughts? Stats? Your experience? 👇
Jordy@developerjordy·
there is real talent on the platform already, solo researchers that have won public contests, but also security firms who helped secure Lido, Euler, Polygon and more. so, if you're in need for an audit, you can post your audit scope for free. Audit? Need4Audit.xyz
rust mafia@Rust_Mafia·
@ChaseTheLight99 I once got a dev gig in erlang for aelstrom chain, or somewhat, forgotten the name but it was crazy 🤣
ChaseTheLight@ChaseTheLight99·
It's surprising how many niches there are in Web3 security. Often I get DMs from frens in my network asking if I know an auditor for XYZ language. At times I have never even heard of the language. Some recent examples: Motoko, Clarity and Sway. There are so many ways to win
pashov@pashov·
How do you learn to find vulnerabilities in Rust code? Read audit reports. Here is a list of the usual go-to auditing company for Rust codebases - @osec_io. Even I myself once applied to join them as an auditor. A MUST read for future great security researchers👇
rust mafia@Rust_Mafia·
@HatsFinance That's really sad. Hope you guys find what would make you happy again and bring out the best of y'all
Hats.Finance 🦇🔊@HatsFinance·
🚨 Important announcement: Sadly, we’re announcing that Hats.finance is entering a final wind-down of its hosted operations. After a lot of reflection, we’ve reached the point where keeping a centralized UI and servers running is no longer sustainable, and there isn’t a new legal or operational wrapper planned to continue that hosted stack.
This is not easy to share. Hats have been a long, fascinating, sometimes brutal journey. Since 2021, we chased one belief: a decentralized market deserves decentralized security. Vitalik’s narrative about systems sharing Web3's DNA was a compass for us, and Hats was built in that spirit.
But reality didn’t match the original thesis. Smart contract security budgets did not scale to DeFi-level volumes as we expected, and rapid progress in AI security tools, along with the maturation of secure, reusable smart contract building blocks, reduced the need for a protocol like Hats to sustain meaningful long-term demand for the HATS token.
What happens now:
* The Hats.finance hosted frontend and backend (UI and servers) are expected to go offline on Dec 31, 2025. Most functionality that depends on that hosted stack will be phased out.
* The Hats protocol remains deployed on-chain and governed by the DAO. Core contracts are intended to continue functioning according to their code.
* An IPFS build of the frontend is available today and may remain accessible via public gateways as long as it is being served (e.g., by pinning providers or community nodes). As payments to our current pinning provider (e.g. Pinata) will stop, we cannot guarantee its continued availability or performance.
Action for users with deposits: If you want to withdraw via the hosted UI, we recommend starting a Withdraw Request by Dec 17, 2025 (7-day cooldown plus 7-day withdrawal window). If you miss the window, you can re-initiate a new request, or interact directly with the contracts at any time, subject to their logic and network conditions.
Thank you to everyone who believed in this experiment, used it, partnered with it, and pushed it forward. We’ll do our best as contributors to support the community through the wind-down. Shared in our capacity as individual contributors to the Hats protocol, for information purposes only.
rust mafia@Rust_Mafia·
@emeduduna Bro I legit thought you typed caprisun is the thief of joy 😭
Eme@emeduduna·
Comparison is the thief of joy. But you sef, stop moving too slowly. You can do better!
rust mafia retweeted
Push Chain (testnet arc)@PushChain·
0️⃣1️⃣ ChainCircle by @winsznx 💰 @chaincircle_ lets people create cross-chain savings circles where anyone can save together without bridging or switching networks. 🔗 chaincircle.org
Push Chain (testnet arc)@PushChain·
Project G.U.D. community voting goes live today at 2 PM UTC! 🗳️ Vote for your favourite projects by liking and replying to the tweets below to win $200. Top 3 most liked community projects win $1000. Voting window: 15 Nov – 22 Nov 2025 Here are the projects👇
Gowtham Naidu Ponnana🇮🇳@gowtham_ponnana·
I get a lot of DMs asking how I get private audits, how I achieved all this while I'm so young, or if I'm just lucky enough? Man, I believe in just two things: 1. I'm a hacker (or let's call it security researcher) and I'm doing my "duty"—to find bugs in a given codebase/target. That's it. Nothing more. All this money and fame were just by-products. I know that if I perform consistently and do well in my work, the rest follows. Same applies to you too. If you really love security, just do it without any expectations. Yes, it hurts when you see no results, but that's where you "shine". And yes, even if I lost my job, lost all my private audits, lost everything, I would still fucking do my freaking job—"To Find Vulnerabilities". No questions asked. 2. Again, I "work" because I'm addicted to the dopamine rush that I get after pwning something. There are plenty of occasions where I got a chance to hack into exchanges/protocols and steal all the money and run away (yep, I know how to make them vanish), but never did. Cuz, I believe that at the end, "It is someone's hard-earned money and I cannot justify the luxury of it". "And I'm not here to prove how good I am." - My work speaks for me. I will continue to do the same regardless of where I am, where I work, where I stay. At the end, simply "Have that hunger to grow". Works!!!
rust mafia retweeted
Cheatcode@Oxcheatcode·
After 50 long hours of debugging and tagging young toly on the @AckeeBlockchain discord channel for help, I finally did it!!! I completed task 3 of the @AckeeBlockchain security course on rust 🦀 with all 27 tests passing. Now I can breathe, thank you @andrej_xyz.
BengalCatBalu😽@BengalCatBalu·
Learning cryptography for Web3 Security turned out to be way easier than I expected. At first, I thought I had to understand every formula and proof. But like most things in crypto — you only need the core concepts that actually appear in real audits and protocols. This thread is my path to learning crypto for Web3 Security 🧵
rust mafia@Rust_Mafia·
@Goodylili Missed this one this time. Next time then
0x@0x_Money·
Starting #100daysofSR today. I'll be working on:
- understanding protocol design of defi mainstays (uniswap v2, v3, v4, aave v3 etc)
- reading @SoloditOfficial findings
- doing shadow audits
- doing actual contests
let's see where we are at the end of the year 🏌️‍♂️