Tammy.eth (@TammyBuilds)

4.6K posts

Smart contract dev → security researcher | Solidity • Foundry • EVM internals | Documenting my path into Web3 security

ON-CHAIN · Joined June 2025
425 Following · 348 Followers

Pinned Tweet
Tammy.eth (@TammyBuilds)
someone with 6 months of experience just got paid $100,000 for a single bug bounty finding. i'm at roughly that same point in my journey and haven't found anything yet. no valid findings. no contest payouts. just months of studying, breaking things in practice environments, and slowly learning to read code the way an attacker would. on the days it feels pointless, a post like that is the thing that resets the perspective. because it proves the timeline isn't as long as it feels from inside the grind. 6 months is enough, if those months go into the right things. reading real code, not just tutorials. building the instinct, not just the knowledge. i don't know when my first finding comes. but i know it's closer than it was yesterday.
Tammy.eth (@TammyBuilds)
i almost quit smart contract security in month 4 because someone i started with got their first finding before me. same start date. same resources. different result. and i took it personally. what i didn't see was that they were hunting 6 hours a day while i was still in tutorial mode. the timeline looked the same from the outside. the inputs were completely different. that realization is something i'm still actively working on: shifting from watching what everyone else is doing to just putting in the hours that aren't visible yet. you're not behind the people ahead of you. you're just not seeing what they're actually doing to be there.
Tammy.eth (@TammyBuilds)
@TheBlockChainer google didn't make bad developers good. it made good developers faster. AI is doing the exact same thing, and people are making the exact same mistake: thinking access to the tool is the skill.
Bloqarl | Zealynx (@TheBlockChainer)
I heard recently that AI has already replaced Auditors. Someone said: "There's no need to hire a web3 firm for smart contract audits, I think it's overkill, and AI does just as good a job nowadays." My way of explaining why that's not the case was like this: "Look at it also as, we all always had Google and Stack Overflow to search and solve our coding issues, but it made a difference who used them and how. So, AI is powerful, yet it makes a difference how it’s used in what context and who is using it." From my experience, it makes a huge difference for both development and auditing whether the person using AI is proficient.
Tammy.eth (@TammyBuilds)
@dethSCA the ones who can actually evaluate technical talent usually became technical themselves. founders who can't read the code can't vet the person writing it either
deth (@dethSCA)
to all devs: an audit isn't a stamp, it's an argument that your code does what you think it does — and a list of every place it doesn't. clean PDF? no pushback? you didn't get an audit, you bought a badge for your landing page.
Tammy.eth (@TammyBuilds)
@pashov the ones who can actually evaluate technical talent usually became technical themselves. founders who can't read the code can't vet the person writing it either
pashov (@pashov)
web3 founders truly don't know how to hire good devs lol
Tammy.eth (@TammyBuilds)
@RealJohnnyTime most people read code to understand what it does. auditors read it to find where it stops doing what everyone assumed it would
JohnnyTime 🤓🔥 (@RealJohnnyTime)
Every exploit starts as a tiny inconsistency that everyone else scrolled past. The bug was always there. Someone just stopped to ask why.
Tammy.eth (@TammyBuilds)
@panditdhamdhere @gakonst foundry changed how i write and test contracts entirely. the speed of having everything in solidity instead of switching contexts to javascript is something you don't appreciate until you've used both
Pandit | Ξ🦇🔊 (@panditdhamdhere)
In the last 6 years as a developer, this is the greatest tool I've ever used in my tech career. Massive respect @gakonst & Rust 🦀 maxis team.
Tammy.eth (@TammyBuilds)
@HildaGilbora spending time and spending time on the right things are two completely different things. took me longer than i'd like to admit to figure out the difference
Hilda (@HildaGilbora)
@TammyBuilds Hmmmm, true. How you spend the time matters.
Tammy.eth (@TammyBuilds)
@HakimChbn73510 this is exactly what i've been working on: shifting to less theory, more actual hunting. the discomfort of not knowing if you'll find anything is the part most people avoid. trying to sit in it anyway
Hakim CHBN (@HakimChbn73510)
@TammyBuilds Just start real hunting, don't dive deeply into theory and courses only. Start hunting, focus on one or two bugs that you really understand theoretically, and start real work. You will see the results, bro.
Tammy.eth (@TammyBuilds)
@HildaGilbora best decision i made was finding a structured path there instead of jumping between random courses. the difference in progress is night and day
Hilda (@HildaGilbora)
@TammyBuilds This is true. I am currently learning on Cyfrin Updraft.
Tammy.eth (@TammyBuilds)
i spent 3 months "learning" smart contract security before i found a structured roadmap. i was watching random courses, jumping between topics, consuming content that felt productive but wasn't building anything real. after 3 months i couldn't tell you what i actually knew. then i found @CyfrinUpdraft and everything changed. suddenly there was a clear path: solidity foundations, then foundry, then advanced concepts, then security. each thing built on the last. i stopped feeling lost and started actually making progress i could measure. the difference wasn't effort. i was putting in effort the whole time. the difference was structure. if you're learning web3 security right now and feeling like you're going in circles — it's probably not you. it's the path. find a structured roadmap and follow it start to finish before jumping to anything else. the 3 months i spent lost were expensive. they didn't have to be.
Dex (@DanielOlaw53386)
@TammyBuilds Tammy motion these days>>>
Tammy.eth (@TammyBuilds)
@iamwehi yeah it is. cyfrin changed how i approached learning this space entirely. went from feeling lost to actually having a path worth following
wehi.crops (@iamwehi)
@TammyBuilds cyfrin is really cool, highly recommend their signer courses
Tammy.eth (@TammyBuilds)
@ControlZ_1337 open sourcing the actual workflow instead of just talking about AI in auditing is rare. most people keep the harness private. interested to see how it holds up on real codebases
AyaCommunity (@theayacommunity)
Are you spotting any familiar faces? 👀 We’ve got some insane builders & minds speaking at the Ethereum Build camp… but the real question is, how many of them do YOU already know? If you see someone you’ve learned from or followed → tag them below 👇 More details here: buildcamp-nine.vercel.app
Tammy.eth (@TammyBuilds)
@immunefi @__nnez would love to know how he decides a target is worth spending serious time on versus moving on. that filter seems like half the skill
Immunefi (@immunefi)
This Security Researcher has earned $1,764,402 on Immunefi. $519,991 in 2026 alone (so far). Now @__nnez is coming on The Immunefi Show to break down his hunting process, how he chooses targets, and how to use AI to actually find bugs. What should we ask him?
Tammy.eth (@TammyBuilds)
@immunefi $140M paid out means the protocols that didn't get hacked because of those findings saved multiples of that. bug bounties are still one of the highest ROI security investments in the space and most protocols still treat them as optional
Immunefi (@immunefi)
We've just crossed $140,000,000 in payouts to security researchers on Immunefi. Huge shoutout to every single SR who's gotten a payment. Collectively, you've saved countless billions from being hacked. Imagine what crypto would've looked like without those contributions.
Tammy.eth (@TammyBuilds)
@sherlockdefi the contracts passing audit while the signing flow or frontend introduces the real vulnerability is one of the most underreported attack surfaces in web3. the scope of "secure" has to expand beyond the solidity file
SHERLOCK (@sherlockdefi)
More teams are coming to Sherlock to test the full system their contracts depend on. Signing flows, frontends, wallets, infra, access control, integrations: this is where clean code still turns into real risk. Quick writeup below.
Linked article by SHERLOCK (@sherlockdefi): x.com/i/article/2070…
Tammy.eth (@TammyBuilds)
@FireFlySquid380 claude is useful for understanding code quickly and generating hypotheses but it hallucinates enough that every finding needs manual verification. treat it as a first pass, not a final answer