Cryptor

567 posts

@Cryptor256

Web3 Security Researcher ZK Student at @RareSkills_io Profile: https://t.co/EN2M4JSRyV

Joined May 2019
334 Following · 1.1K Followers
Pinned Tweet
Cryptor@Cryptor256·
Wow! I am speechless. Making the top 10 in the UniswapV4 competition was something that I never expected in my wildest dreams. Thanks @cantinaxyz and thanks to the sponsors at @Uniswap for hosting such a great competition!
Cryptor tweet media
Cryptor@Cryptor256·
@0xcastle_chain This is a problem created with public submissions, which would be a distraction, as SRs would be better off focusing on the contest instead of looking at other submissions. And SRs who started "late" will be discouraged by the volume of submissions and not compete
0xFrankCastle🦀@0xcastle_chain·
@Cryptor256 So what about duplication issue, SR can just open the issues section and resubmit all the Findings to get points
0xFrankCastle🦀@0xcastle_chain·
Announcing the Solana Audit Arena ⚔️ A free, weekly security competition for Solana security researchers. Every Monday I drop a new Anchor program, built using the safe-solana-builder tool and real-world DeFi implementation. Why? → Junior researchers have no clear path to prove themselves → No practice ground with realistic Solana programs → AI is raising the floor; you need to be above it github.com/Frankcastleaud…
0xFrankCastle🦀 tweet media
Cryptor@Cryptor256·
Let’s be real: this is embarrassing. Seeing this and recent Monad C4 drama makes me wonder why this space treats contest players and bug bounty hunters so poorly? They are the last line of defense. Keep this up, and they will either walk away or turn into blackhats.
Марія@Mar1015206

We should not allow this to become the new norm in security research. This must change. gist.github.com/marikravets/28… #BugBounty #CryptoSecurity #Web3 #SecurityResearch @cantinaxyz @MonadOfficvn @monad @bountywriteups @VitalikButerin

Cryptor@Cryptor256·
@WhiteHatMage Most of them have small scopes and only pay out criticals
Cryptor@Cryptor256·
@lonelysloth_sec Many of those AI companies do not practice what they preach. They’ll claim their models can replace jobs, and then you go to their careers page and see 50+ open roles across multiple industries
LonelySloth@lonelysloth_sec·
AI companies are doing their best to convince the world that: - they will take all jobs, so basically concentrate all economic activity. - be the main factor in global military power. Then — surprise! — the government wants to take over. They aren’t naive. Nationalization was always their exit strategy. How else could the founders make their billions before everyone realizes their sci-fi promises are impossible to deliver?
Cryptor@Cryptor256·
Great article for learning ZK security. On another note, how am I just now hearing about this $500k bug bounty? Clearly need to do a better job curating my feed. Recommendations for who to follow in the ZK/Audit space?
OtterSec@osec_io

We found the same Fiat-Shamir bug in six independent zkVMs. The result: an attacker can bypass the cryptography entirely and prove mathematically impossible statements (like minting $1M out of thin air). Full breakdown ↓

Cryptor@Cryptor256·
Added my portfolio to my profile. Some stuff is a work in progress but happy to see my latest result reflected and crossing the 50K mark
Cryptor@Cryptor256·
The C4 report for Succinct is out. This is a great resource for those learning ZK *Security*. I came in top 5 in this contest, finding the only high finding, but there are plenty of solid Medium finds that I unfortunately didn't catch. I think it will be good to go over each one of them in the future, since it wasn't that many code4rena.com/reports/2025-0…
Cryptor@Cryptor256·
@J4X_Security That isn't the problem IMO. The problem is that contests are dead so there are no opportunities for newbies to apply their AI skills. There are bug bounties but that is another can of worms
J4X@J4X_Security·
The craziest part is that this was in September 2025. So 3 iterations behind the current OpenAI line, for example. Makes you question how much the agent has improved in the 6 months, on top of the models getting a lot better. An AI agent winning a public contest with some really good auditors participating is definitely a special moment for auditing. There are definitely still limitations to agents; there are definitely still auditors that can outperform them, but we definitely have to stop the "All AI auditing is BS" thinking, bc it is definitely here to stay. Tbh, 80-90% of beginners/juniors can already be replaced by Cursor/Claude with enough tokens and good prompting. Back when I started doing contests in 2023, I remember my first bug was a simple ERC-4626 rounding issue in the wrong direction. Got about 1k for that. Next bug was a transfer restriction not being checked on transferFrom, got a few hundred bucks for that. None of these would pay you more than 1c in current contests, as every LLM would instantly find them. But exactly these small wins kept me going at the start, paid my rent, and helped me improve my skills. This isn’t really possible for newbies anymore. Does that mean we should all stop auditing, learn a trade, and let it be? Nah, but we should be aware that we need to either learn to augment these tools or be replaced. The tools are still bad at consulting and strategizing; they usually still need a human to sort out the false positives, and they def need humans to develop and improve them. But going through Cyfrin Updraft, then just casually doing a few contests, and becoming an SR at an agency is not gonna be possible anymore. Congrats to @octane_security for this 🫡
Code4rena@code4rena

🚨 Half a million dollars paid. 🚨 The largest-ever unconditional prize pool is officially settled — all $500,000 distributed to participants. 4 high & 7 medium severity findings rewarded. Shoutout to @Monad & @category_xyz for their unwavering commitment to security!

Cryptor@Cryptor256·
IMO the protocol already believes their code is secure. The contest is mainly a signal to users that due diligence was done, even if they know it won’t attract elite SRs. At this stage it’s more about optics and reassurance than security.
AlexSR@0xAlexSR

Why not a bug bounty after 7 audits for 6 months with conditional pot $0 if no H/M? "Live audit contest" H/M pool of $96,000 🤔 - Securing $1B TVL - Launched in September - $70k fees generated daily - 35% Solana marketshare (defillama.com/protocol/jupit…)

Cryptor@Cryptor256·
I know this is a joke, but contests/BBPs already function like unpaid internships—minus the mentorship, structure, or career path. When satire mirrors reality this closely, something’s broken.
ret2basic.eth@ret2basic

We are hiring SR interns who must have: 1. Under 25 years old with 26 years of web3 security research experience 2. Strong portfolio in EVM and Move and Solana and L1/L2 and ZK circuits This internship is 12-month unpaid, if you succeed you get fulltime unpaid position

Cryptor@Cryptor256·
@TheWavexyz What's going on with Cantina? They should be better than this
Dan@TheWavexyz·
"Competitions are not dead" Meanwhile the said competitions:
Dan tweet media
Cryptor@Cryptor256·
@windhustler It helps to follow the right people and curate your feed. A lot of web3 security folks have been pivoting to engagement bait instead of posting insightful content
GiuseppeDeLaZara@windhustler·
I miss the 2023/2024 web3 security vibe. There’s literally 0 substance on my feed rn and it’s getting worse by the day.
Cryptor@Cryptor256·
@0xapple_ @flyingtulip_ To my knowledge, @flyingtulip_ had a bigger pot size and offered a position at blackthorn for the winner so the incentives are there. This is just a small ~$25k contest. Auditors may end up waiting months for a 2 dollar payout
0xApple@0xapple_·
@Cryptor256 Try taking a look at the @flyingtulip_ contest on Sherlock, over 1,700 findings on only 1,648 nSLOC😂
Cryptor@Cryptor256·
+400 submissions 5 days into a ~$25K contest. I really don't know what to say at this point.
Cryptor tweet media
Cryptor@Cryptor256·
@mathrielx Submitted findings =/= Valid findings
Mathriel@mathrielx·
Another day in the Flying Tulip contest done. Honestly feeling so strangely funny right now sometimes I audit something, it clicks, I get excited… and then later I just unvalidate it again 😂 Meanwhile in Discord people are like: “I submitted 4 findings,” “5 findings,” “1 high, 1 medium”… and I’m sitting here like… am I really that bad? (Totally possible, rookie mistakes) or is something else going on? Because from where I stand… this codebase just feels really solid, and that’s both inspiring and intimidating. Anyway - tomorrow I’ll keep digging, learning, and hunting for leads! @0xSimao 🫡
Cryptor@Cryptor256·
Happy New Year everyone! To fellow security researchers feeling discouraged by the contest slowdown: this isn’t new, and it won’t last. Stay disciplined, keep studying, and you’ll come out ahead when the cycle turns.
Cryptor@Cryptor256·
@0xShaedyW @0x15_eth In Sherlock, if your account was bricked due to spam, you can simply create a new one.
Sir. M. Shade⒮🌴@0xShaedyW·
@0x15_eth It doesn't reduce spam, but aims to... It's like a cure for a headache, but doesn't prevent the initial feeling. Many SRs won't come back to Sherlock after finding their Monolith payout withheld.. But I totally understand your POV ser
0x15.eth@0x15_eth·
Sherlock… For others you can be sure that when you find a valid bug you will get paid But with Sherlock if you have a valid finding there’s no guarantee you will receive that payout
chrisdior.eth@chrisdior777

delete one forever

Cryptor@Cryptor256·
Can any experienced web3 bounty hunters tell me how long they spend on a codebase before they give up and move on, assuming no bugs were found?