copper screw
@ScrewCopper
949 posts

White hat hacker - Crypto/Defi. “It's always You vs You!”

Joined January 2023
419 Following · 178 Followers

Pinned Tweet
copper screw @ScrewCopper
2026 The goal is >= 100k USD, just in this year 🫡
Replies: 1 · Reposts: 0 · Likes: 5 · Views: 378

copper screw @ScrewCopper
Think I’m leaving twitter for a while. Way too much FUD to be productive nowadays.
Replies: 0 · Reposts: 0 · Likes: 0 · Views: 22

playboi.eth @adeolRxxxx
I personally want to know the type of beasts incubated in @bailsecurity . Finding 20 crits/high after cantina audit is insane bro😭
Replies: 7 · Reposts: 1 · Likes: 72 · Views: 4.6K

0K @ZeroK_____
I’ve got 2.5k dollars and I’m planning to build a PC. Could you share some good ideas and tips before I dive into the research? I’m looking for something that works well for both gaming and hunting. Currently I have a Mac only.
Replies: 3 · Reposts: 0 · Likes: 4 · Views: 1.1K

copper screw @ScrewCopper
@0xCharlesWang This was 20th of Feb; on the internet it’s safe to assume someone has a copy of what you say even if you upload it only briefly :p
[tweet media: image not included]
Replies: 0 · Reposts: 0 · Likes: 4 · Views: 328

CharlesWang @0xCharlesWang
I have around 15-20 reports where we have audited the same commit / after another company has finalized an audit. In all examples we find many many critical/high/medium issues. For a long time, I didn’t want to share this information. But I think it’s time soon. The truth will be revealed and many companies will face consequences from providing insufficient audit quality that puts clients at risk.
Replies: 9 · Reposts: 2 · Likes: 67 · Views: 4.3K

copper screw @ScrewCopper
@p_tsanev Feel like the trend of old live contracts getting rekt by AI-skills script kiddies will continue.
Replies: 1 · Reposts: 0 · Likes: 1 · Views: 176

Plamen Tsanev @p_tsanev
🚀Dear builders and auditors, your Claude Code sub just became a 100x audit team. Up to 95 specialized AI security agents running in one orchestrated autonomous pipeline. Fully open-source. "Plamen" is live 🔥🐉
[tweet media: image not included]
Replies: 43 · Reposts: 32 · Likes: 329 · Views: 64.1K

Gray Rhino @gray_rhinos
@h4x0r_dz But but no funds were stolen through that bug.
Replies: 1 · Reposts: 0 · Likes: 0 · Views: 703

H4x0r.DZ 🇰🇵 @h4x0r_dz
Fun fact: 90% of the Web3 bug bounty programs are scams; they list huge reward amounts mainly as a marketing tactic.

Quoting f4lc0n @al_f4lc0n:
I Saved Injective's $500M. They Pay Me $50K.

I like hunting bugs on @immunefi. I'm decent at it.
- #1 — Attackathon | Stacks
- #2 — Attackathon | Stacks II
- #1 — Attackathon | XRPL Lending Protocol
- 1 Critical and 1 High from bug bounties (not counting this one)

Life was good. Then I found a Critical vulnerability in @injective. This vulnerability allowed any user to directly drain any account on the chain. No special permissions needed. Over $500M in on-chain assets were at risk.

I reported it through Immunefi. The next day, a mainnet upgrade to fix the bug went to governance vote. The Injective team clearly understood the severity.

Then — silence. For 3 months. No follow up. No technical discussion. Nothing.

A few days ago, they notified me of their decision: $50K. The maximum payout for a Critical vulnerability in their bug bounty program is $500K.

I disputed it. Silence again. No explanation for the reduced payout. No explanation for the 3 month ghost. No conversation at all. To be clear: the $50K has not been paid either.

I've seen others share bad experiences with bug bounty payouts recently. I never thought it would happen to me. I can't force them to do the right thing. But I won't let this be forgotten.

I will dedicate 10% of all my future bug bounty earnings to making sure this story stays visible — until Injective pays what I deserve.

Full Technical Report: github.com/injective-wall…

Replies: 14 · Reposts: 7 · Likes: 178 · Views: 18.8K

copper screw @ScrewCopper
There is a lesson here, if you’re submitting a bug. Make sure you archive the bounty web page, save the protocol configurations at the current time, and capture all fixes, commits and upgrades they do, by timestamp. Scary that even experienced hunters are treated like this; now imagine you!

Quoting f4lc0n @al_f4lc0n:
the figures referenced in the post are entirely misleading. There was no impact realized from this issue. Zero user funds were affected and zero addresses were compromised.

My response: Are you suggesting I should have actually exploited the bug and caused real damage before coming to talk to you?

For the stated vulnerability to work in practice, it would require execution of several suspicious transactions that would have an extraordinarily limited impact.

My response: You should know better than anyone that on a Cosmos-based chain, a single transaction can pack multiple messages. Just one transaction is more than enough to completely drain multiple whale accounts.

Injective has dynamic rate limiting functionalities which are applied automatically based on our live monitoring systems. This functionality has been live on mainnet since last year and is publicly available in our code base.

My response: First, this has nothing to do with the vulnerability itself. Rate limiting doesn't stop attackers from stealing funds. It only slows them down when they try to bridge those funds over to Ethereum. Second, when I submitted my report, the mainnet configuration for this feature was not set. In other words, this feature wasn't even turned on!

In addition to all of the above, this report was reviewed against the clearly defined terms of our Immunefi program. Based on those terms, issues such as those raised in this report that DO NOT impact block production or consensus are categorized outside of the Blockchain/DLT tier and carry a maximum payout of $50,000.

My response: First, Immunefi has always put the impact of direct fund theft at the very top of its priority list. This is a fact that everyone knows. Second, you changed your bug bounty page after I submitted my report. Here’s the snapshot from November 8, 2025: web.archive.org/web/2025110816… .
And now, there’s an extra line added to your bug bounty page: “IMPORTANT: Within the Assets in Scope table, the injective-core folder is listed for both Blockchain/DLT and Web/App due to overlap between the two within the same folder. However, for a report to be categorized as Blockchain/DLT, the resulting impact has to be directly involved with the block production process or with consensus failures. All reports not dealing directly with either of these are to be categorized as Web/App.” I’d really like to know when this line was added. And do you really value chain consensus more than users' funds?

We remain committed to fair, transparent, and consistent handling of all reports, and to maintaining the highest standards of security for the ecosystem. Injective has done so since its mainnet inception in 2021 and will continue to do so in perpetuity, always putting builders and security first.

My response: You never even replied to my messages, and now you’re blaming me for not requesting mediation? I can post the original report if you agree. I left many messages, but you haven't replied to a single one.

----------

Finally: Stop making excuses from every angle and trying to use technical jargon to confuse people who aren't developers. That doesn’t work anymore these days. Anyone can just ask an AI to fact-check what both of us are saying. I have no ill intentions toward your project. All I'm asking is for you to be honest and handle this transparently.

Replies: 0 · Reposts: 0 · Likes: 0 · Views: 145

copper screw @ScrewCopper
@bangjelkoski @injective Ik the very moment I read this it was going to be some bs. Stuff like this pushes people to be black hats. Imagine the next moment someone finds a critical in your protocol. Do you think they’ll report it? :)
Replies: 0 · Reposts: 0 · Likes: 1 · Views: 256

Bojan Angjelkoski @bangjelkoski
Security is paramount at @injective and we take our bug bounty program very seriously.

First and foremost, the figures referenced in the post are entirely misleading. There was no impact realized from this issue. Zero user funds were affected and zero addresses were compromised.

For the stated vulnerability to work in practice, it would require execution of several suspicious transactions that would have an extraordinarily limited impact.

Injective has dynamic rate limiting functionalities which are applied automatically based on our live monitoring systems. This functionality has been live on mainnet since last year and is publicly available in our code base.

In addition to all of the above, this report was reviewed against the clearly defined terms of our Immunefi program. Based on those terms, issues such as those raised in this report that DO NOT impact block production or consensus are categorized outside of the Blockchain/DLT tier and carry a maximum payout of $50,000.

If the poster had requested a mediation we would explain to him the dynamic rate limiters and monitoring systems we have in place and why his stated figures are misleading. However, he did not do so. We always follow the procedures set forth by the Immunefi program and expect the submitter to do so as well.

We remain committed to fair, transparent, and consistent handling of all reports, and to maintaining the highest standards of security for the ecosystem. Injective has done so since its mainnet inception in 2021 and will continue to do so in perpetuity, always putting builders and security first.

Quoting f4lc0n @al_f4lc0n: “I Saved Injective's $500M. They Pay Me $50K.” (full text quoted above)

Replies: 73 · Reposts: 38 · Likes: 188 · Views: 181.2K

copper screw retweeted
f4lc0n @al_f4lc0n
f4lc0n's point-by-point reply to Injective (identical to the text quoted above, beginning “the figures referenced in the post are entirely misleading.”)

Quoting Bojan Angjelkoski @bangjelkoski: “Security is paramount at @injective and we take our bug bounty program very seriously.” (full text quoted above)

Replies: 41 · Reposts: 35 · Likes: 476 · Views: 46.2K

riptide @0xriptide
13:51 ristretto 20 pull ups back to the blockchain
Replies: 4 · Reposts: 0 · Likes: 18 · Views: 1.1K

copper screw @ScrewCopper
@Al_Qa_qa U mean like ~ Call - delegate call - Call, both having the same sender? (Address_this) Like it needs another func that makes the contract call itself, which then delegate calls itself.
Replies: 0 · Reposts: 0 · Likes: 1 · Views: 60

Al-Qa'qa' @Al_Qa_qa
We have a lot of whitehats, and many comments indicate that the sender should be `address_this`. But in the provided contract, this does not apply to calls to `callIt` or `delegateCallit`. But guess what! The situation can still be met. Can you find how?

Quoting Al-Qa'qa' @Al_Qa_qa:
Do you know the situation where `call` behaves exactly like `delegateCall`? If the target is `address(this)`, they match the affected contract storage. Calling both in the contract below will increase `num` by 1. But do you know when the `msg.sender` will match?!

Replies: 2 · Reposts: 0 · Likes: 7 · Views: 2.6K

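As an added illustration of the puzzle above (my own code, not the contract from Al-Qa'qa's tweet, which is an image that does not appear on this page; the names SenderPuzzle, bump, callIt, delegateCallIt and both are mine): a `call` to `address(this)` opens a new frame whose `msg.sender` is the contract itself, a `delegatecall` keeps the outer frame's `msg.sender`, and the two only coincide when the `delegatecall` is itself executed inside an external self-call, which is the arrangement copper screw's reply describes.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the puzzle contract from the tweet. It records who msg.sender
// was inside `bump` for each of the two call kinds so the difference is observable.
contract SenderPuzzle {
    uint256 public num;
    address public lastSender;

    // Target of both the call and the delegatecall. Either way `num` lives in this
    // contract's storage, so both paths increase it by 1 (the first half of the puzzle).
    function bump() external {
        num += 1;
        lastSender = msg.sender;
    }

    // `call` to address(this) opens a new frame: inside `bump`, msg.sender is this
    // contract, regardless of who called `callIt`.
    function callIt() external returns (address) {
        (bool ok, ) = address(this).call(abi.encodeCall(this.bump, ()));
        require(ok, "call failed");
        return lastSender; // == address(this)
    }

    // `delegatecall` to address(this) keeps the current frame's msg.sender: inside
    // `bump` it is whoever called `delegateCallIt` (an EOA, another contract, ...).
    function delegateCallIt() external returns (address) {
        (bool ok, ) = address(this).delegatecall(abi.encodeCall(this.bump, ()));
        require(ok, "delegatecall failed");
        return lastSender; // == msg.sender of delegateCallIt, not address(this)
    }

    // The two senders coincide only when `delegateCallIt` itself runs inside an
    // external self-call: the frame it inherits then already has
    // msg.sender == address(this), and delegatecall carries that through to `bump`.
    //
    // Audit note: a guard such as `require(msg.sender == address(this))`, intended as
    // "only this contract may call", is therefore also satisfied in any delegatecall
    // frame reached through a self-call. Review every delegatecall path that can land
    // behind such a guard rather than trusting the guard alone.
    function both() external returns (address viaCall, address viaDelegate) {
        (bool ok1, ) = address(this).call(abi.encodeCall(this.bump, ()));
        require(ok1, "call failed");
        viaCall = lastSender; // address(this)

        (bool ok2, ) = address(this).call(abi.encodeCall(this.delegateCallIt, ()));
        require(ok2, "self-call failed");
        viaDelegate = lastSender; // now also address(this): the senders match
    }
}
```

Calling `delegateCallIt` directly from an EOA returns that EOA, while `both` returns `address(this)` twice; that is the "another func that makes the contract call itself, which then delegatecalls itself" shape from the reply.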
Piyush Shukla 🇮🇳 @PiyushShukla__
I noticed that many researchers have left Web3 security. There are several reasons for this. Some left because of market conditions: contests are almost dead and there isn’t much real hiring from companies. Others found Web3 security very difficult, and now there are also new risks and changes coming from AI. However, the same experienced security researchers are still here, as always, many of the same people from previous years. But junior auditors are already leaving, and new researchers are very unlikely to survive in the current environment.
Replies: 10 · Reposts: 2 · Likes: 69 · Views: 5.2K

copper screw @ScrewCopper
@pashov But technically, won’t the attackers who already use AI on on-chain contracts benefit more too?
Replies: 0 · Reposts: 0 · Likes: 0 · Views: 16

pashov @pashov
Right now is the best time to Open Source tools built with AI - Skills for security research for example. I see this from Trail of Bits, Cyfrin & many others already. This upgrades the baseline for the community - everyone benefits from this. Guys, let's lead this OSS effort🫡
Replies: 11 · Reposts: 4 · Likes: 108 · Views: 4.7K

copper screw @ScrewCopper
@Ehsan1579 If you aren't loud with your voices, some other whitehat will fall into the same things you did. Which did happen.
Replies: 0 · Reposts: 0 · Likes: 9 · Views: 388

Ehsan @Ehsan1579
Was going to write something like this post months ago. Injective was horrible during a crit I found in their protocol 3 months ago, which was approved to be at least High by Immunefi. But I don't like to publicly shame projects; I just see their slow, unresponsive and dismissive behaviour, especially with reasons that don't make sense, and move on and not even bother looking at their codebase.

Quoting f4lc0n @al_f4lc0n: “I Saved Injective's $500M. They Pay Me $50K.” (full text quoted above)

Replies: 7 · Reposts: 5 · Likes: 146 · Views: 14.3K

copper screw @ScrewCopper
@injective All this, but can't prioritize and pay out the whitehat who saved your entire protocol??? You people would be at literal 0 net worth, lose all your jobs and have lawsuits against you by users if that attack was executed!!!
Replies: 1 · Reposts: 0 · Likes: 3 · Views: 157

Injective 🥷 @injective
This past week Injective went all in on AI. A full developer toolkit and a mainnet upgrade to power it. The chain also had its largest Community BuyBack yet. Below are some of the top developments that happened on Injective from the past week 👇️

🟪 The new Injective Mainnet Upgrade is officially live, delivering speed and performance improvements across the network: x.com/injective/stat…
🟪 Injective's AI toolkit is here. Skills, MCP servers & AI agents that can trade, deploy contracts, and query data through natural language: x.com/injective/stat…
🟪 The March $INJ Community BuyBack is live. Over 61,000 $INJ ready to be removed from circulation forever while rewarding loyal ninjas: x.com/injective/stat…
🟪 Injective Summit attracts only the best, see the past companies that have participated: x.com/injective/stat…

👥 Ecosystem News
🟪 @CointelegraphAc's latest accelerator cohort is building on Injective, with @Kustodia_mx, @SvimFinance, @SuperApp_io, @azmth_ai, and @FalqExchange moving through the program: x.com/CointelegraphA…
🟪 @code4rena's Injective audit competition ends March 17. Still time to submit findings: x.com/code4rena/stat…
🟪 $USOIL is trading 24/7 on @HelixMarkets. Powered by Injective: x.com/injective/stat…

The AI stack is live. The tools are open. Now build ninjas.

Replies: 46 · Reposts: 68 · Likes: 357 · Views: 16.5K

copper screw @ScrewCopper
@pashov Code4rena got $3 for a full codebase; won’t most AI scans cost about the same? 🫠
Replies: 1 · Reposts: 0 · Likes: 1 · Views: 38

pashov @pashov
How much do you think an AI audit scan should cost? Only honest answers, comment below.
Replies: 54 · Reposts: 2 · Likes: 86 · Views: 13.7K

James Dawson @jamesdawsonx
@StaniKulechov $50 million to $35,912. That is so insane. Yeah, you need a more aggressive friction pattern than just a checkbox if they are about to lose over $100,000 in slippage. "Yo, bro. The fuck you doing?" Type "I will lose all my money" to proceed.
Replies: 67 · Reposts: 50 · Likes: 2.6K · Views: 132.8K

Stani.eth @StaniKulechov
Earlier today, a user attempted to buy AAVE using $50M USDT through the Aave interface. Given the unusually large size of the single order, the Aave interface, like most trading interfaces, warned the user about extraordinary slippage and required confirmation via a checkbox. The user confirmed the warning on their mobile device and proceeded with the swap, accepting the high slippage, which ultimately resulted in receiving only 324 AAVE in return. The transaction could not be moved forward without the user explicitly accepting the risk through the confirmation checkbox. The CoW Swap routers functioned as intended, and the integration followed standard industry practices. However, while the user was able to proceed with the swap, the final outcome was clearly far from optimal. Events like this do occur in DeFi, but the scale of this transaction was significantly larger than what is typically seen in the space. We sympathize with the user, will try to make contact with the user, and will return $600K in fees collected from the transaction. The key takeaway is that while DeFi should remain open and permissionless, allowing users to perform transactions freely, there are additional guardrails the industry can build to better protect users. Our team will be investigating ways to improve these safeguards going forward.
Replies: 2.9K · Reposts: 1K · Likes: 11.2K · Views: 6.5M

Teo Vanyo Adiputra @teostealth
@cgtwts The real win is not avoiding the work - it's getting your brain back for the stuff that actually matters.
Replies: 4 · Reposts: 6 · Likes: 171 · Views: 14.5K

Hari @hrkrshnn
@33audits Secondly, if you look at tech and infra, the price for the same thing always goes down.
Replies: 2 · Reposts: 0 · Likes: 0 · Views: 400

Lee | 33Audits @33audits
wait... what happens to our AI audit agents when claude raises the max price from $200/m to $1000/m? do we start shilling manual reviews again?
Replies: 10 · Reposts: 0 · Likes: 31 · Views: 3.7K

copper screw retweeted
LonelySloth @lonelysloth_sec
Even if you had it a little too permissive or too strict, it will be a hell of a signal filter. Highly doubt AI slop would be generated that passes the test. And if people break the proof system it is a valid submission too (just probably a way lower bounty). At this point there are usable EVM ZK provers, so it should be feasible.
Replies: 0 · Reposts: 1 · Likes: 1 · Views: 68