pks_ รีทวีตแล้ว
pks_
615 posts
pks_
@pks_eth
Web3 SR, always make mistakes. @immunefi All Star.
เข้าร่วม Mayıs 2018
494 กำลังติดตาม368 ผู้ติดตาม
pks_ รีทวีตแล้ว
On Solana, events are often reconstructed from transaction traces, and failed transactions still emit data.
@Dooflin5 details a bug in Across that could have allowed attackers to spoof deposit events and trick relayers into filling orders with no real deposit behind them.
English
pks_ รีทวีตแล้ว
During the last week I executed very long autonomous sessions of Claude Code Opus 4.6 and Codex GPT 5.4 (both at max thinking budget), in cloned directories (refreshed every time one was behind). I burned a lot of (flat rate, my OSS free account + my PRO account) of tokens...
English
pks_ รีทวีตแล้ว
Interesting parts of this research
🌕 the appendix of the paper
🌗 GitHub repo
🌑 the undisclosed quantum algorithm
🔗 quantumai.google/static/site-as…
Craig Gidney@CraigGidney
This is from a paper that should have appeared on arXiv today but due to technical issues will only be there tomorrow; for the moment it's at quantumai.google/static/site-as… See also this blog post on the idea: research.google/blog/safeguard…
English
pks_ รีทวีตแล้ว
Cross-chain bridges remain critical infrastructure, proof verification is the core of their security model.
New disclosure on our research page: a vulnerability in the Polygon Plasma bridge that allowed transaction proofs to be forged.
At the time of discovery, $800M in POL was at risk, exploitable in a single transaction with no prerequisites.
The research covers how the proof verification breaks, how the exploit was built, and what it means for bridge security.
Full technical deep-dive: hexens.io/research/polyg…
English
pks_ รีทวีตแล้ว
If @ethereum continues with this nonsense of zkVM vibecoded we're gonna end with the L1 fully hacked.
We all make mistakes and I'm sure we will get hacked too. The difference is that we try to avoid it. Some irresponsible people have been proposing to vibecode cryptography like it has no cost.
Andrej Karpathy@karpathy
Software horror: litellm PyPI supply chain attack. Simple `pip install litellm` was enough to exfiltrate SSH keys, AWS/GCP/Azure creds, Kubernetes configs, git credentials, env vars (all your API keys), shell history, crypto wallets, SSL private keys, CI/CD secrets, database passwords. LiteLLM itself has 97 million downloads per month which is already terrible, but much worse, the contagion spreads to any project that depends on litellm. For example, if you did `pip install dspy` (which depended on litellm>=1.64.0), you'd also be pwnd. Same for any other large project that depended on litellm. Afaict the poisoned version was up for only less than ~1 hour. The attack had a bug which led to its discovery - Callum McMahon was using an MCP plugin inside Cursor that pulled in litellm as a transitive dependency. When litellm 1.82.8 installed, their machine ran out of RAM and crashed. So if the attacker didn't vibe code this attack it could have been undetected for many days or weeks. Supply chain attacks like this are basically the scariest thing imaginable in modern software. Every time you install any depedency you could be pulling in a poisoned package anywhere deep inside its entire depedency tree. This is especially risky with large projects that might have lots and lots of dependencies. The credentials that do get stolen in each attack can then be used to take over more accounts and compromise more packages. Classical software engineering would have you believe that dependencies are good (we're building pyramids from bricks), but imo this has to be re-evaluated, and it's why I've been so growingly averse to them, preferring to use LLMs to "yoink" functionality when it's simple enough and possible.
English
pks_ รีทวีตแล้ว
pks_ รีทวีตแล้ว
I Saved Injective's $500M. They Pay Me $50K.
I like hunting bugs on @immunefi . I'm decent at it.
- #1 — Attackathon | Stacks
- #2 — Attackathon | Stacks II
- #1 — Attackathon | XRPL Lending Protocol
- 1 Critical and 1 High from bug bounties (not counting this one)
Life was good. Then I found a Critical vulnerability in @injective .
This vulnerability allowed any user to directly drain any account on the chain. No special permissions needed. Over $500M in on-chain assets were at risk.
I reported it through Immunefi. The next day, a mainnet upgrade to fix the bug went to governance vote. The Injective team clearly understood the severity.
Then — silence. For 3 months. No follow up. No technical discussion. Nothing.
A few days ago, they notified me of their decision: $50K. The maximum payout for a Critical vulnerability in their bug bounty program is $500K. I disputed it. Silence again. No explanation for the reduced payout. No explanation for the 3 month ghost. No conversation at all. To be clear: the $50K has not been paid either.
I've seen others share bad experiences with bug bounty payouts recently. I never thought it would happen to me. I can't force them to do the right thing. But I won't let this be forgotten.
I will dedicate 10% of all my future bug bounty earnings to making sure this story stays visible — until Injective pays what I deserve.
Full Technical Report: github.com/injective-wall…
English
pks_ รีทวีตแล้ว
pks_ รีทวีตแล้ว
Two protocols. One skipped command. The first confirmed live exploits of ZK cryptography weren't sophisticated, they were a setup ceremony nobody finished. It turns out default settings ship faster than trust.
rekt.news/default-settin…
English
突然想到一个点,你在 telegram 跟 openclaw 对话,跟你在 terminal 跟 claude code 或者 codex 对话,除了后者少了一些集成之外,有什么区别?
中文
pks_ รีทวีตแล้ว
pks_ รีทวีตแล้ว
Running OpenClaw locally? Do it safely.
This walkthrough shows how to run it inside Docker Sandboxes with Docker Model Runner:
- Isolated microVM
- No exposed API keys
- Controlled network access
- Fully private, local AI setup
Secure agent workflows in ~2 commands.
Read → bit.ly/4sgSKAy
English
pks_ รีทวีตแล้ว
We shouldn’t lose context every time we switch AI tools.
Introducing SharedContext ✨
- End-to-end encrypted
- Portable across devices
- Persistent across Claude, Cursor, Codex
- Shareable by link - same exact context
- Synced on the Blockchain
Only you can decrypt it. Fully Open Source and free.
"npm i -g ai-singlecontext"
Give it a try.
English
pks_ รีทวีตแล้ว
Introducing Glint. A real-time intelligence terminal for prediction markets.
We are monitoring the situation. So you don't have to.
It tracks signals from X, Telegram, OSINT, military flights, and whale trades. Classifies each one and maps it to the market it affects, in seconds.
Live 3D signal globe. Intelligence feed. Military flight radar. Whale trade tracking. Global tension index.
Powered by @Polymarket
Now live for public beta: glint.trade/BETA
English
pks_ รีทวีตแล้ว
Name one underrated/generous free tier service.
I’ll start: @Tailscale
English
pks_ รีทวีตแล้ว
Made a new thing.
walkie.sh
AI Agents can now talk to each other.
No server. No setup. Just talk.
npm install -g walkie-sh
English
@S8Vb8 @AlchainHust 一般这种春秋笔法的都是割韭菜。批量产没盈利的电子垃圾+贩卖焦虑 + 割韭菜。别的不说,opus 推理能力被 codex 对标系列甩几条街
中文
Same point, smile&non-conflict culture can't really help Thailand people get rich&dignified life, they must change. Otherwise, they will be only continue to exist in an endless cycle as a tertiary industry&sexual services nation, also an endless disaster for ordinary people!
@levelsio@levelsio
I've always wondered why there's so may 🇻🇳 Vietnamese indie hacker and startup success stories like @tdinh_me and so few from 🇹🇭 Thailand It seems the Vietnamese have 2 important things the Thai don't: - a very strong STEM education pipeline - agressive founders that like to go global - a relatively open market with space for startups to operate Thai's education system is legendarily bad and its founder are scared of confrontation because its culture is scared of confrontation (always smile and be happy) Great if you want tourists, terrible if you want succesful startup founders Ironic because Thailand has been the #1 spot for nomads and indie hackers for a decade (along with Bali), the Thai could have easily gotten knowledge how to do it from all the foreigners there but they just really didn't at all? Thailand has startups but they're mostly domestic or are just subsidiaries of large Thai conglomerates, a real failure also considering how many programs the Thai governments has created to promote startups for the last decade and the result has been, well, literally nothing! I think it's because the Thai economy is ruled by a few rich families and private conglomerates (like chaebols) while in Vietnam these got wiped out by communism in the 1970s/1980s so they started from a clean slate with almost nobody being rich or powerful Which gives more space for people to do startups I love Thailand and it's one of my favorite countries and people but this is something to really consider: do you want to remain a country for tourists forever and keep lagging behind or become a place for startups, tech and innovation? Because you tried for the last 10 years and failed at it quite spectacularly
English