Pavel Shabarkin

On Feb 17 2025 I reported a critical vulnerability to @Scroll_ZKP. $100m+ in TVL was at risk for more than 2 months. Anyone could force Scroll L2 into an indefinite re-org, halting the chain so that no user transactions would be included in blocks and the chain would not move forward. All funds on L2 would be frozen. @Scroll_ZKP downplayed the report. There was no meaningful communication about the issue—only continuous ghosting and silence. The @immunefi team mediated, yet did not correctly classify the vulnerability, which clearly falls under "Primacy of Impact." When I requested a re-evaluation, I received no response. As a result, I am disclosing this to the public to highlight Scroll's lack of security proficiency, their unfair resolution process, and their treatment of white-hats. You can find the link to the full report and complete timeline below. @redhairshanks86 @0xBalloonLover @Wublockchain @coindesk @cointelegraph @TheBlock__ @aave @EtherFi @ambient_finance @l2beat Full impact of the issue: - The Scroll chain can be halted deliberately at zero cost to the attacker. - Withdrawals remain blocked for the duration of the attack (potentially indefinitely, as it is free to sustain). - Halted block production prevents critical time-dependent DeFi actions (e.g., topping up positions to avoid liquidation, oracle price updates), putting user funds at risk. - The sequencer stops collecting transaction fees because no L2 user transactions can be included in blocks. - Anyone on the internet can trigger the attack, and Scroll has no preventative measures. --- Timeline - **Feb 17 2025** – Issue submitted on Immunefi. - **Feb 18 2025** – Scroll claims the issue was known from a Trail of Bits audit 14 months earlier and says it will be fixed in the Euclid upgrade (still 2+ months away). Scroll closes the report. - **Feb 18 2025** – I request Immunefi triage, providing code commits that show Scroll attempted—but failed—to fix the issue. I emphasize that, while the attack vector is similar, the impact and exploitation mechanism are different. - **Feb 24 2025** – Immunefi reopens the report for discussion with Scroll. - **Feb 27 2025** – Immunefi asks Scroll for an update. - **Mar 03 2025** – I contact Scroll to stress that the issue is public and exploitable on the live protocol. - **Mar 03 2025** – I DM @yezhang1998 on Twitter about the Immunefi report. - **Mar 04 2025** – Scroll says the issue is out of scope, labeling it "Throttling or suppression of operations without loss of user funds," and notes a similar report from Nov 06 2024. - **Mar 04 2025** – I request Immunefi mediation to confirm the submission's uniqueness and ensure a fair bounty. - **Mar 13 2025** – I ask Immunefi for an update. - **Mar 17 2025** – Immunefi classifies the issue as **High severity** ("causing network processing nodes to handle transactions from the mempool beyond set parameters"). They confirm the bug is unique, acknowledge Scroll's attempted fix was ineffective, and suggest a goodwill bounty because Euclid will deprecate the vulnerable functionality (in ~1.5 months). - **Mar 17 2025** – I reiterate that an attacker could freeze $100m+ on L2 and highlight Scroll's "Primacy of Impact" policy, which requires considering broader consequences. - **Mar 19 2025** – Scroll acknowledges receipt and promises to follow up shortly. - **Mar 27 2025** – I ask Scroll for an update. - **Apr 03 2025** – I ask Scroll for an update. - **Apr 03 2025** – Immunefi also asks Scroll for an update. - **Apr 09 2025** – Immunefi contacts Scroll directly. - **Apr 09 2025** – Scroll offers a payment of only **$1000**, stating the mechanism will be deprecated in the Euclid upgrade (3-4 weeks away). - **Apr 09 2025** – I reject the bounty, explaining the protocol is still vulnerable and detailing potential losses had the vulnerability been exploited on Feb 17 2025. - **Apr 15 2025** – I ask Immunefi to confirm "Primacy of Impact" applies and that the network remains vulnerable. - **Apr 22 2025** – Scroll responds with a single "." and closes the report. - **Apr 22 2025** – I ask Immunefi to explain Scroll's response and provide an update. - **Apr 29 2025** – I notify both Scroll and Immunefi that I will publicly disclose the vulnerability on Apr 30 2025 unless the report is treated and rewarded fairly. Here is the full audit report with a complete explanation of the issue, PoC scripts, a local network setup guide, and a PoC video. A full triage history (screenshots) is included at the end of the blog post—please review it! notion.so/shabarkin/Crit…

AI will be closing the gap of vulnerability spread humans were missing during previous cycles. Not saying it will be bullet proof but we can find more issues in old software. mtlynch.io/claude-code-fo…

@om_patel5 Why not using codex then? I like Claude’s default more for its open explanation of the topic otherwise I pick codex which does it naturally.

I taught Claude to talk like a caveman to use 75% less tokens. normal claude: ~180 tokens for a web search task caveman claude: ~45 tokens for the same task "I executed the web search tool" = 8 tokens caveman version: "Tool work" = 2 tokens every single grunt swap saves 6-10 tokens. across a FULL task that's 50-100 tokens saved why does it work? caveman claude doesn't explain itself. it does its task first. gives the result. then stops. no "I'd be happy to help you with that." no "Let me search the web for you" no more unnecessary filler words "result. done. me stop." 50-75% burn reduction with usage limits getting tighter every week this might be the most practical hack out there right now

if LLMs are the main threat for cyber attacks, then probably the best defense is just littering everything with tons of prompt injections. Hack the LLMs while they try to hack your system. Whenever they hit the wrong port, return a prompt injection. Whenever there's a JSON that accepts extra fields, add prompt injection there. Hidden prompt injection in every html tag. Smart contracts with utf encoded prompt injection in the bytecode. This is not advice -- just public brainstorming of research ideas.

CAREFUL: anthropic built a signature system into claude code. every API request gets signed with a cch= hash thats computed in compiled zig code if you recompile the client yourself it just sends zeros instead. they can instantly tell its not legit right now you literally can't use your anthropic sub on ANY third party tool. only official claude code or pay for api credits separately currently decompiling the official binary to reverse this - would be huge for all third party clients like opencode, openclaw etc to fully bypass anthropic enforcement and actually use the tokens you're already paying for

My startup was hacked! I launched my own travel eSIM service, eSIMPal It started making money, the users were happy, and all was good, but today I woke up to a hacked website Somebody managed to get three 50 (!) GB eSIMs for Kuwait and Saudi Arabia for free, and we started using them heavily I wired up Claude, and we discovered the issue: the user could pass a parameter from the client to the server and make the eSIM cost 0 dollars I fixed the issue and blocked this user, and he only managed to use 5 GB worth of data The internet is full of sharks, boys – triple test all the payment-related code, make sure different LLMs cross-check each other's work Now I'm writing code with GPT-5.4 and making Opus 4.6 review everything for vulnerabilities And my hacker bro, if you are reading this, I'll get you your Saudi eSIM, don't worry Use the promo code IHACKEDESIMPAL for 10% off and chill

Was going to write something like this post months ago, injective was horrible during a crit I found in their protocol 3 months ago and was approved to be at leat High by Immunefi. But I don't like to publicly shame projects, I just see their slow and unresponsive and dismissive behaviour especially with reasons that don't make sense and move on and not even bother looking at their codebase.

@al_f4lc0n @immunefi I understand the struggle! Thank you for sharing your story!

I Saved Injective's $500M. They Pay Me $50K. I like hunting bugs on @immunefi . I'm decent at it. - #1 — Attackathon | Stacks - #2 — Attackathon | Stacks II - #1 — Attackathon | XRPL Lending Protocol - 1 Critical and 1 High from bug bounties (not counting this one) Life was good. Then I found a Critical vulnerability in @injective . This vulnerability allowed any user to directly drain any account on the chain. No special permissions needed. Over $500M in on-chain assets were at risk. I reported it through Immunefi. The next day, a mainnet upgrade to fix the bug went to governance vote. The Injective team clearly understood the severity. Then — silence. For 3 months. No follow up. No technical discussion. Nothing. A few days ago, they notified me of their decision: $50K. The maximum payout for a Critical vulnerability in their bug bounty program is $500K. I disputed it. Silence again. No explanation for the reduced payout. No explanation for the 3 month ghost. No conversation at all. To be clear: the $50K has not been paid either. I've seen others share bad experiences with bug bounty payouts recently. I never thought it would happen to me. I can't force them to do the right thing. But I won't let this be forgotten. I will dedicate 10% of all my future bug bounty earnings to making sure this story stays visible — until Injective pays what I deserve. Full Technical Report: github.com/injective-wall…

1/ By now, anyone paying attention knows where AI cognition is landing. A 🧵on where this is all going.

6/ The AI auditor narrative isn't putting us out of business. It's shrinking the supply of who can do what matters and expanding the demand to pay for it.

sent this to the team today everything great comes from being able to delay gratification for as long as possible and it feels like we're collectively losing our ability to do that

@thdxr @kitlangton opencode generated those snapshots.

@shabarkin @kitlangton your disk is full?

@kitlangton @thdxr 691 | .run() SQLiteError: database or disk is full code: SQLITE_FULL at #run (bun:sqlite:185:20) at (src/session/index.ts:691:10) at run (node:async_hooks:62:22) at use (src/storage/db.ts:136:28) at (src/session/index.ts:682:14) (src/session/processor.ts:419:2

@thdxr @kitlangton you are right, somehow 800gb+ of ssd got filled. investigating...

we spoke to a company today who's security team is so concerned by ai code they're considering banning ai tools your first reaction might be "they're gonna get left behind" but if you are practical their concerns aren't invalid if you are a huge multi national org with tens of thousands of employees and they just got a button that appears to do their work, it's gonna get pushed a lot and the process around knowing what is making it to production is totally melting being honest we're all getting a bit lazier see that kiro related aws outage as a real life example so they're genuinely arguing over how much this is going to be allowed esp since the net productivity gains for the average dev seem to be pretty low

One underrated downside of LLMs getting better is that they're quietly killing team communication during audits. Before, you'd ask a teammate if they understood a specific mechanism, or bounce questions about the codebase off each other. Now, most of the time you're better off just asking your LLM directly. The set of questions still worth asking your teammates (or even the client) instead of your LLM is shrinking fast.

sharing one of our findings for @Uniswap V4 in total, we found 3 live bugs (2 in CCA and 1 in Core) with @therealgregoAI all reported, confirmed, and fixed humble shout out to the uniswap team as being great to work with

If you seriously think this is gonna find some live complex vulnerability, you’re tripping lmao.