Korok
@0xKorok
Followers: 339
Following: 462
Media: 11
Statuses: 136
Independent Security Researcher | DM for private audits
Bangkok, Thailand
Joined September 2023
Found an uninitialized implementation contract in a factory. Anyone can initialize it, which writes an arbitrary bytes32 to the protocol's shared storage. There is no impact on the overall system (trust me, I checked) but I was tempted to initialize it with “Korok was here” as such
Sometimes after finding a bug I’ll implement a fix myself. To test the dev skills! This backfired today when I forgot to revert my fix, then ran my PoC (one last time for good luck) before submission… suddenly the bug was gone. For 5 minutes I thought I’d lost my mind hahaha
The latest iteration of @cantinaxyz rep score makes it much harder for the average auditor to increase their score. I’m curious what others think of this change. I’ll share my thoughts below 👇 As a Cantina user who was, and continues to be, adversely impacted by this change I
I managed to get a high with only 1 duplicate in the Velvet contest. I’m happy with the result. Thanks @cantinaxyz for the opportunity. The grind continues!
Imagination is a great way to make auditing more fun. In games you often spawn as an insanely fit, perfectly aged, and untiring hero free of mundane concerns like food, money, or household chores. Not so with auditing. Every bit of an auditor's ability is earned.
I believe auditing is like beating a boss in a video game. The first time you fight it, you don't know anything about it, so you:
- study its patterns & behaviors
- identify ways to go around its defenses
- try different attack strategies
- keep going until you get that xp & loot
I’ll add that I obviously don’t think judges are doing this intentionally. They have so much on their plates that their default response to downgrade / invalidate is rational and likely even correct most of the time.
As an auditor, if you aren’t certain of a finding and ready to fight for it, judges will gaslight you into thinking valid findings are invalid or lower than they truly are. I love bug hunting, but it astounds me how many different skillsets and virtues are required to do well. ⚔️
I feel like auditors also need some strategic ignorance or delusion. Most would be highly demotivated by the reality of what it takes. Better to be irrationally optimistic and deal with it day by day. Every time I sit down I think to myself “I’m just here to learn”
I think the key with auditing is to imagine the worst possible outcome, then multiply it by 10 and prepare for that mentally. Contest? Worst case scenario I find nothing -> worst case scenario I spend 100 hours analyzing 10 leads only for them to turn out invalid. Bounty?
To be fair, the Thai does say “No food is allowed in the area. NO WEAPONS ALLOWED”. Maybe it’s just me, but the image/text mismatch just feels wrong 🥲
Always fun to find “bugs” in real life. What is the parallel in code, inaccurate validations? Good thing I’m only carrying this food 🔫 🤣
Earned 4th place in the Size contest (tied with others). It always blows my mind the difference an extra low dup count finding can make. In this case it was the difference between a $171 and $4500 reward. Congrats to the other competitors who found bugs. Back to the grind!
I switched from bounties to contests in Feb. It’s a different rhythm, but I’m getting into it. Happy with this performance: 7th place with 2 mediums and 1 low. This was my first @cantinaxyz competition, great platform. Judging is strict, but that’s better than the alternative.
I battled @Montyly in the DMs for HOURS yesterday on the topic of ethical disclosures. ⚔️ A great conversation that has honed my arguments. He suggested the @theTrustlessDAO process might resemble extortion or blackmail. I strongly disagree. My counterpoint: it’s not illegal
I’ve long believed that a well-developed imagination fuels creativity, and together, they create a massive advantage—not just in bounty hunting, but in life. At some point, imagination and creativity form a self-reinforcing loop: imagination sparks creativity, and creativity
Inspired by @WhiteHatMage's post, I might start calling disclosures made outside traditional BBPs “wilderness bounties.” After all, “hunter” has always sounded cooler than “security researcher,” and there’s something epic about the idea of hunting in the wilderness. Not everyone
5/5 I believe GitHub is robust enough to handle this use case, but a few rough edges like this may need smoothing. I’ve now updated TrustlessDAO's guides, website, and docs to explicitly note when protocol and researcher should pull to sync their local copy, ensuring they
4/5 Rational actors won’t attempt this since it’s easily detectable bad faith that immediately kills the deal and has reputational consequences. People generally only attempt dishonest actions when they think they can get away with it—few will take the risk knowing their bad
3/5 It’s not something that quietly happens—Git treats history modification as a serious action requiring explicit user intervention. If bad behavior occurs, the honest party has indisputable evidence via their local copy, which they can easily share.
2/5 Git’s design naturally protects against silent history tampering. Any rewrite requires an explicit force push from the attacker, creating divergent histories. When the honest party tries to interact with the modified repo, Git displays prominent warnings about the divergence