Mackenzie MacKenzie 🛠️️

@0xMackenzieM

Followers: 2,455
Following: 845
Media: 188
Statuses: 2,787

Hacker Success @immunefi , Helping whitehats get paid, DMs open.

Joined January 2023
Pinned Tweet
@0xMackenzieM
Mackenzie MacKenzie 🛠️️
1 year
Excited to be joining @immunefi serving as Hacker Success. Web3's in a huge spot to define its future for the better and it feels good to be part of that. Let's get whitehats recognized for their essential role, and treated and paid accordingly! Hoo-rah! 🫡💪
7
8
87
@0xMackenzieM
Mackenzie MacKenzie 🛠️️
1 year
Here's my top 5 resources to help you become a 10x web3 security researcher: 1. @pashovkrum 's auditing repo 2. Posts from @pashovkrum 3. Curated resources retweeted by @pashovkrum 4. @pashovkrum 's interviews with @andyfeili 5. My DMs with @pashovkrum
@chrisdior777
chrisdior.eth
1 year
Here are 5 resources that I use to improve my smart contract auditing skills daily: Retweet to spread the knowledge 🫡 1. Twitter posts by @pashovkrum and @bytes032 2. Code4rena past audit reports 3. Articles about every little problem that I am not aware of 4. @pashovkrum ' s
4
25
104
9
27
136
@0xMackenzieM
Mackenzie MacKenzie 🛠️️
3 months
Top contest auditors often DM me “I want to start doing bug bounties but idk where to start, what’s your advice?” Time for a short thread 🧵 1/4
3
13
89
@0xMackenzieM
Mackenzie MacKenzie 🛠️️
1 year
#MackenziesPicks Every week I'm going to put together a list of some of the most interesting Bug Bounties on @immunefi , with details about why they’re cool and worth you looking at. It'll have something for every skill level & tech stack. Read & Retweet if you like it: 🧵👇
5
18
77
@0xMackenzieM
Mackenzie MacKenzie 🛠️️
1 year
Do you want to see a feed of all bug reports submitted on @immunefi ? @BeanstalkFarms has this! You can check out all the bug reports they've received (Confirmed & Closed) right here:
6
15
72
@0xMackenzieM
Mackenzie MacKenzie 🛠️️
9 months
Another step for more transparent BBPs. Putting @h0wlu out of business 😉 Check out the updates that've already begun
@immunefi
Immunefi
9 months
Today, we're introducing transparency about project pauses and removals from Immunefi. All pauses and removals will be posted in the #bbp -updates channel on our Discord. For more information about how this works, see our Help Center article.
9
14
83
11
6
68
@0xMackenzieM
Mackenzie MacKenzie 🛠️️
1 year
#MackenziesPicks Bug Bounties on @immunefi with Recently Updated Assets. This means fresh code that other bughunters haven't seen yet! To follow updates closely you can follow the "bbp-updates" announcements channel on @immunefi 's Discord. Read & if you like it Retweet: 🧵👇
1
11
62
@0xMackenzieM
Mackenzie MacKenzie 🛠️️
1 year
This is what @immunefi 's leaderboard looks like now. What features would you want to add to it if you could have everything you want?
13
1
56
@0xMackenzieM
Mackenzie MacKenzie 🛠️️
1 year
Just listened to the interview of @0xmonsoon by @mis4nthr0pic . I was surprised by just how impressive Monsoon is! A few quick notes from the vid 🧵👇:
1
12
53
@0xMackenzieM
Mackenzie MacKenzie 🛠️️
1 year
I'm starting to think I need to make a list of all the rookie whitehats I'm meeting on here so I can @ you all whenever I see a bug bounty which would be good for a beginner to test their skills on 🤔
23
2
50
@0xMackenzieM
Mackenzie MacKenzie 🛠️️
5 months
2000 followers. Woah. The greatest privilege of doing Hacker Success at @immunefi has been getting to know so many amazing SRs and so many new faces to the web3sec scene Thanks guys and girl.
4
3
49
@0xMackenzieM
Mackenzie MacKenzie 🛠️️
1 year
#BugBountyUpdates I've compiled the most interesting bug bounty updates on @immunefi for you from the last week. This is a new thread I'll be doing weekly. It'll have new assets in-scope, updated code, increased bounties, and other goodies That said, Let's Begin 🧵👇:
1
6
40
@0xMackenzieM
Mackenzie MacKenzie 🛠️️
1 year
The #43 Whitehat on @immunefi explains his process for finding bugs.
@merkle_bonsai
merkle_bonsai
1 year
🧵How I personally make smart contracts easier for me to debug and how I increase my chances to spot vulnerabilities
8
32
139
0
4
40
@0xMackenzieM
Mackenzie MacKenzie 🛠️️
1 year
Sagely advice from #39 on the @immunefi leaderboard There's no secret sauce folks. Just read the code. ty @infosec_us_team
0
6
39
@0xMackenzieM
Mackenzie MacKenzie 🛠️️
1 year
Started @code4rena in Jan 2023, already in top 5 on contests and making $1000+. This is a major accomplishment. It's amazing just how quick people can get success in Web3 Sec! I've seen this story again & again. There's so much room to grow I love it
@peak_bolt
peakbolt
1 year
@0xnirlin Go through Secureum Epoch0 Bootcamp and Andy Li videos at
4
1
14
4
1
36
@0xMackenzieM
Mackenzie MacKenzie 🛠️️
1 year
Many top web3 whitehats are Dev leads/ CTOs/ Technical Founders In the coming years we'll see a lot of project founders coming from web3sec & leveraging their experience here. I can't imagine that @gogotheauditor @pashovkrum @bytes032 @0xOwenThurm won't rocket higher!
3
1
36
@0xMackenzieM
Mackenzie MacKenzie 🛠️️
1 year
Almost at 1k followers 🥳 and 50+ DMs with you guys. Absolutely wild how friendly this community is!
4
0
36
@0xMackenzieM
Mackenzie MacKenzie 🛠️️
10 months
It's a common fact that the "Project scammed me on @immunefi !" tweets spread a lot farther than the "Thanks @immunefi for getting me unscammed :)" that come afterwards. Mediation is here to help, even if it takes a while as was the case with
@GeorgeHNTR
George Hunter
10 months
@0xkazimm @immunefi The Immunefi team is beyond fantastic and I know they are working very hard to limit the number of unfair cases. I believe many of the cases shown on Twitter where a whitehat had a bad experience with a project on Immunefi were later resolved successfully. I would definitely
2
2
19
6
4
36
@0xMackenzieM
Mackenzie MacKenzie 🛠️️
2 months
SRs be DMing me "Please invite me to @immunefi 's invite-only programs" I like the hustle. Mini-thread on how to get invited 👇🧵 1/5
@0xTimofey
Tim
2 months
Btw, yesterday we launched Immunefi's first Invite Only Program with @hinkal_protocol which you can check out here: How do I get invited you might ask? Well, I certainly know that @0xMackenzieM wanted to write about this so won't steal it from him, but in
3
0
10
1
5
35
@0xMackenzieM
Mackenzie MacKenzie 🛠️️
1 year
Amazing Article by @joranhonig It's short, it will make you a better bughunter & auditor. Give it a read. Here's my key notes: 🧵👇👇👇
2
11
33
@0xMackenzieM
Mackenzie MacKenzie 🛠️️
17 days
@zachobront literally told me "I'm gonna win the Blast competition" Insane skill, confidence and follow through I fear for those who are competing against him on @eulerfinance 💀
@cantinaxyz
Cantina 🪐
17 days
It's official. 🚀🪐 The results are in for our massive $1.2M @Blast_l2 security competition: Here are your top 3 ranked researchers: 🥇 @zachobront : $201,484.57 🥈 @Guhu95 : $119,941.96 🥉 @tinchoabbate & @saucecri ( @theredguild ): $74,729.62 Amazing work. Leaderboard below:
7
10
106
2
1
33
@0xMackenzieM
Mackenzie MacKenzie 🛠️️
7 months
Boosts will make bughunting the best way to improve. Traditionally bug bounties have the slowest feedback loop to learning. Maybe 2nd to only solo audits 🤔 With 24h project response times and direct Q&A and reports being published after boosts will be the fastest way to learn
2
4
33
@0xMackenzieM
Mackenzie MacKenzie 🛠️️
1 year
#MackenziesPicks This week's list is Bug Bounties with the fastest bug report resolution time! That means the median time for a project to update a report from ‘Escalated’ to either ‘Closed’ or ‘Paid’. Read & Retweet: 🧵👇
4
10
29
@0xMackenzieM
Mackenzie MacKenzie 🛠️️
9 months
@deadrosesxyz This project just had some minor updates to make. They're back up now. Just bad timing 😓. We're changing how we announce these sorts of things to prevent this in the future. In the meantime feel free to DM/tag me or @Specivik for questions about projects that're paused/removed
2
1
32
@0xMackenzieM
Mackenzie MacKenzie 🛠️️
7 months
That's a wrap for the first Bounty Boost! Thanks to @DeGateDex and the nearly 100 security researchers who submitted bugs to the first-ever Bounty Boost. Soon we’ll send out the Rewards, and publish the Bug Reports, Leaderboard and stats from the Boost.
1
8
30
@0xMackenzieM
Mackenzie MacKenzie 🛠️️
1 year
It really do be like that. Courtesy to @infosec_us_team
2
1
32
@0xMackenzieM
Mackenzie MacKenzie 🛠️️
11 days
So many public wins lately on @immunefi Mini-compilation of live players to follow 👇
1
4
34
@0xMackenzieM
Mackenzie MacKenzie 🛠️️
1 year
I was just talking to @0xMacroDAO about the different skillsets of Audit Firms vs Contest Auditors vs Bughunters. The skillsets are incredibly different. Security Researchers who'd excel at one might suck at the other 1/4 Thread:
2
6
31
@0xMackenzieM
Mackenzie MacKenzie 🛠️️
7 months
Hey all, I'll be on vacation till after Christmas 🎄 and offline for most of that time. When you need any hacker support send a DM to @OddlySpecivik No big hacks while I'm out now ya hear
3
1
31
@0xMackenzieM
Mackenzie MacKenzie 🛠️️
1 year
Bug Report 101: If a project offers you a lower amount than their bug bounty program says do NOT accept it. “... projects are strictly prohibited from trying to negotiate with security researchers to lower the payout.” —  @immunefi
2
4
28
@0xMackenzieM
Mackenzie MacKenzie 🛠️️
1 year
My @immunefi -cation is complete. I feel blessed to meet so many extraordinary whitehats as part of my day-to-day. Routinely you guys impress me with how giga-brain AND good-hearted you are. That's how I know we're gonna do great things.
2
1
29
@0xMackenzieM
Mackenzie MacKenzie 🛠️️
1 year
I don't expect whitehats to want to read severity classification documents for fun. But those who do have a serious advantage imo in understanding what bugs projects care most about. Here's @immunefi 's in-depth encyclopedia on bug severity
@pashovkrum
pashov
1 year
Severity classification/categorisation processes of three leading smart contract security services providers that shape our ecosystem: Immunefi - Code4rena - Sherlock -
3
11
99
2
8
30
@0xMackenzieM
Mackenzie MacKenzie 🛠️️
2 months
Whatever happened with the @KyberNetwork attacker and what did Kyber do?
6
1
30
@0xMackenzieM
Mackenzie MacKenzie 🛠️️
1 year
I've never seen a critical bug with a poorly written report. I hypothesize this isn't because the best hackers are good writers. But because they're good thinkers. Then what to write is obvious, and only the most egregious projects dare deny them.
3
1
29
@0xMackenzieM
Mackenzie MacKenzie 🛠️️
16 days
@0xnirlin I have accidentally written you a short novel tl;dr Contests as an industry is immature and we're still solving the problem of contests ROI reliability. LSW is a great bandaid. But to scale to 20+ contests running simultaneously we need to innovate as an industry. Full
7
1
26
@0xMackenzieM
Mackenzie MacKenzie 🛠️️
1 year
There's a lot of great web3sec communities, new and old, but the real value is the 1-1 friends you make. Consider this your reminder to slide in someone's DMs today, just say hi and that you like their posts, and see where it leads
7
0
25
@0xMackenzieM
Mackenzie MacKenzie 🛠️️
7 months
If you're at the $10k/mo point you know what you need to do to reach the $50k 👀
@deadrosesxyz
deadrosesxyz
7 months
My experience as a security researcher: - Months 0-4: <$1,000/month - Months 5-7: $10,000/month - Months 8-9: $50,000+/month Success is not linear. Keep grinding ✌️
84
55
935
1
2
24
@0xMackenzieM
Mackenzie MacKenzie 🛠️️
1 year
Yo @PwningEth you mind finding a $20mil bug real quick? We gotta pump this up to $100mil.
@immunefi
Immunefi
1 year
We've done it. We've now facilitated $80m in payouts to whitehats. $100m soon! Congratulations, everyone.
7
15
105
1
1
24
@0xMackenzieM
Mackenzie MacKenzie 🛠️️
4 months
Heading out to Taiwan rn for my 2 week vacay 🎉 For help on Boosts or with all those big sexy bugs you're finding you can reach out to @OddlySpecivik & @0xjonah1 plz no big hacks while I'm out 👀 (it does feel like there's been less lately tbh)
6
0
23
@0xMackenzieM
Mackenzie MacKenzie 🛠️️
1 year
When a @zksync engineer shows up the web3 sec game and goes after the Kings @OpenZeppelin
@vladbochok1
Vlad B. (∎, ∆)
1 year
1/6 I'm truly inspired by security engineers who openly share their discoveries. While I've been relatively quiet on social media, I now realize the value of discussing my findings. So, here's the 1st of 3 vulnerabilities I've uncovered in the @OpenZeppelin library!
9
35
211
0
0
21
@0xMackenzieM
Mackenzie MacKenzie 🛠️️
2 months
@HatsFinance I'd guess the last minute nature of them. I really like how @cantinaxyz organized @eulerfinance months in advance. I know more than a few SRs avoiding private audits so that they can participate in it
3
1
22
@0xMackenzieM
Mackenzie MacKenzie 🛠️️
1 year
Seeing multiple Medium severity bugs linked together into a Critical is beautiful to see. Seeing a Medium severity bug be paid, and later another whitehat submit it showing how it could be Critical, is so painful.
@trust__90
Trust
1 year
A step-by-step guide to finding a critical issue in every private audit: 1. Choose a standard medium-severity issue. 2. Crank it up to critical severity. 3. Congratulations! You're up there with the greats. Feels good right?
5
8
106
3
0
21
@0xMackenzieM
Mackenzie MacKenzie 🛠️️
9 months
This thread isn't really about bot races. It's about a bigger question. How do we raise up rookie security researchers? The real solutions will be less kind than "let them farm dupes". Right now there's a chasm between CTFs and professional security work
@0kage_eth
0kage.eth
9 months
@code4rena : A humble suggestion to introspect on your internal data regarding bot races & decide whether to continue them in their present form or not. A 🧵⬇️ into the potential harm these races might cause to budding auditors.
11
3
28
2
2
21
@0xMackenzieM
Mackenzie MacKenzie 🛠️️
29 days
@0xArnie @immunefi We care mate. Checking into this to get it figured out <3
1
1
20
@0xMackenzieM
Mackenzie MacKenzie 🛠️️
1 year
If you want to share a write-up on your bug report please send it to @sayan_011 for him to add to his growing list! And here's the 3 most common rules on sharing your bug report (whether it was paid or not) 🧵:
2
6
18
@0xMackenzieM
Mackenzie MacKenzie 🛠️️
1 year
Here's a great writeup of a new whitehat's experience on @immunefi . I encourage all of you to do this and help increase transparency in bughunting (and build yourself a rep).
@Trad_Mod
ABDul Rehman 🇵🇸
1 year
My first @immunefi bug bounty Alhumdulilah 🤩❤️ First time reported a bug on Immunefi & it got accepted as a valid finding. I'm over the moon with happiness and gratefulness ❤️🙏 Here's a short bug finding writeup & my immunefi experience 🧵
30
10
184
1
4
19
@0xMackenzieM
Mackenzie MacKenzie 🛠️️
5 months
~20% of $1mil+ payouts on @immunefi are non-solidity. This means that non-solidity SRs have a great ROI for their skills since the vast majority of projects are in solidity. The hitrate for non-solidity bug reports is much higher too
@bytes032
@bytes032.xyz
5 months
Observation: 90%+ of the $1M+ payouts in Immunefi are non-solidity Lesson: If everyone else is doing it, don’t do it.
11
5
160
1
2
20
@0xMackenzieM
Mackenzie MacKenzie 🛠️️
8 months
The more I think about it, the more it makes sense to bughunt on projects with good rewards for Medium severity bugs. It's just a good safety net for your earnings
@immunefi
Immunefi
8 months
Guess how many $10,000+ bounties were paid out this week... 1? 2? Or maybe 3? The answer: 5 researchers have made at least 5 figures this week hunting on @immunefi . Not all of them were crits...
3
4
45
2
0
19
@0xMackenzieM
Mackenzie MacKenzie 🛠️️
1 year
Listening to the @gjaldon interview on @opensensepw It's full of good tips: on learning, on auditing, on twitter, on good work habits in our space. Most of all @gjaldon has a very relatable story. I recommend it
3
5
19
@0xMackenzieM
Mackenzie MacKenzie 🛠️️
4 months
Classic @deadrosesxyz answer 😂
@deadrosesxyz
deadrosesxyz
4 months
january was a sick month - managed to complete 5 private audits - sneaked in a few contests in between and became LSW on Sherlock
29
6
224
2
1
19
@0xMackenzieM
Mackenzie MacKenzie 🛠️️
1 year
50% of the support I give whitehats is reading the bug bounty terms for them. 40% is sharing info about basic rules. 5% is bug report coaching (pro-tip make your PoC prove your bug's impact) 5% is tricky nuanced cases Not sure how I should feel about this.
3
0
19
@0xMackenzieM
Mackenzie MacKenzie 🛠️️
3 months
I'm back from Taiwan y'all, my blood flows rich with bubble tea and stinky tofu, ready to get rich securing web3
3
0
18
@0xMackenzieM
Mackenzie MacKenzie 🛠️️
1 year
This is the dream story. @0xmonsoon has the attitude that will make it big. He's building cool projects, learning cool tech, doing cool work, and ofc making v cool friends. Even if he failed he'd still be winning!
@0xmonsoon
monsoon
1 year
✨✨✨CAREER UPDATE✨✨✨ I am joining @OpenZeppelin as a security researcher. It's an honor to get a chance to work with a team that I have admired and respected for long.
50
5
286
2
0
18
@0xMackenzieM
Mackenzie MacKenzie 🛠️️
1 year
Every. Single. Time 😂😂😂
1
1
18
@0xMackenzieM
Mackenzie MacKenzie 🛠️️
1 year
"Can projects pay their bug bounty in worthless tokens?" No! @immunefi 's policy is that if a token doesn't have good enough liquidity then you can have them pay you out in something that is liquid. No payouts in magic beans here.
1
1
16
@0xMackenzieM
Mackenzie MacKenzie 🛠️️
5 months
I got a refreshing message variant of the "How do I get started?" msg. Instead he told me all he's going to do and asked for feedback. I'm excited for you @thisvishalsingh
2
1
17
@0xMackenzieM
Mackenzie MacKenzie 🛠️️
1 year
A great read if you intend to submit a Crit on @immunefi .
@immunefi
Immunefi
1 year
Have you ever wondered how to calculate funds at risk for your bug report submission? Wonder no more. Check out our new guide, written by @omikomikomik
0
7
34
2
3
16
@0xMackenzieM
Mackenzie MacKenzie 🛠️️
1 year
The legendary Pwning.Eth @PwningEth ( #3 rank and $8 mil earned on Immunefi) is doing an AMA on OpenSense. The Q's asked & his Answers are great! Check it out Anyone who wants to do a public good should compile it into a twitter thread!
1
3
16
@0xMackenzieM
Mackenzie MacKenzie 🛠️️
1 year
For all the Security Researchers who don't know what to write/post on twitter take this lesson from the champs @SpearbitDAO Focus on high-quality & technically advanced content. imo even rookies benefit more from their challenging content vs. beginner materials.
@SpearbitDAO
Spearbit
1 year
@0xMackenzieM @pashovkrum We tend to stay away from beginner content you may see saturate the timeline (e.g roadmaps, top 10 vulns, etc.) and more towards material that is beneficial for security researchers with experienced backgrounds or those with less experience but wish to challenge themselves.
1
2
35
2
1
17
@0xMackenzieM
Mackenzie MacKenzie 🛠️️
4 months
Reminder for you to check out the Puffer Boost. $50k pool + $200k/50k/2k/1k per Crit/High/Med/Low
2
3
16
@0xMackenzieM
Mackenzie MacKenzie 🛠️️
3 months
@14si20 @immunefi On one hand, v impressive work. On the other hand,
@konata_eth
konata
3 months
0
9
34
4
0
17
@0xMackenzieM
Mackenzie MacKenzie 🛠️️
7 months
I could fill a book with all the times top whitehats have responded with this
@deadrosesxyz
deadrosesxyz
8 months
In just one month of bug hunting I managed to earn more money than in 6 months of auditing 🤯
19
10
217
0
2
15
@0xMackenzieM
Mackenzie MacKenzie 🛠️️
1 year
Ahaha too true
@asen_sec
0xasen.eth
1 year
Anyone else feeling the same? 😅
8
7
62
0
0
15
@0xMackenzieM
Mackenzie MacKenzie 🛠️️
7 months
I'm seeing a lot of successes lately. But especially a lot of appreciation for 1-1 help & encouragement that lead up to that success. It reminds me that nothing is as effective as 1-1 support, or scales as well as passing it on
0
1
16
@0xMackenzieM
Mackenzie MacKenzie 🛠️️
2 months
Discussing $100k payouts is always gonna be a sensitive discussion. @KrisApost1 handled it like a pro, I hope he shares some tips/thoughts on the process. And ofc always feel free to reach out for help 🫡
@KrisApost1
Kristian Apostolov
2 months
@bot226331491 @OddlySpecivik @0xMackenzieM Not at all. All sides were extremely professional. Navigating bounties for the first time is not an easy feat.
0
0
2
0
0
16
@0xMackenzieM
Mackenzie MacKenzie 🛠️️
1 year
Amazing writeup. "Cool, now we have a bug. What’s the maximum amount of damage we can cause by abusing it?" This is the attacker mindset you need when you bughunt.
@zzykxx
zzykxx
1 year
This is how I found my second high severity vuln on @immunefi , under @trust__90 mentorship:
12
18
199
1
3
13
@0xMackenzieM
Mackenzie MacKenzie 🛠️️
1 year
When you need to learn: ✅ Contest Audits When you want to make money: ✅ Bug Bounties When you want to make money while learning: ✅ Work on teams with your friends
@milotruck
MiloTruck
1 year
@peak_bolt @code4rena @sherlockdefi @immunefi I spent more time on C4, I think. The good thing about C4 is there's a feedback loop, so you know which issues you didn't spot. Whereas on Immunefi you don't know what you missed. My payouts on Immunefi are larger than C4 though, not sure if it's due to luck...
1
0
5
1
1
16
@0xMackenzieM
Mackenzie MacKenzie 🛠️️
10 months
@usmannk No matter what the project's terms, if they differ from our mediation then you're free to share a writeup. Especially if it's a multi-month ordeal where you get unpaid $500k! @immunefi has multiple projects in the works to stop this from happening anymore
0
2
17
@0xMackenzieM
Mackenzie MacKenzie 🛠️️
29 days
For those in the know, We're working with @0xArnie to work out his bug report issue We're getting all the details, triple-checking them, and then we'll fix any mistakes When in doubt that @immunefi made a mistake, plz DM for help, that's what we're here for 🫡
@0xMackenzieM
Mackenzie MacKenzie 🛠️️
29 days
@0xArnie @immunefi We care mate. Checking into this to get it figured out <3
1
1
20
0
1
16
@0xMackenzieM
Mackenzie MacKenzie 🛠️️
1 year
People of all skill levels ask "How do I get a mentor?" The essence is to do what @pashovkrum is saying. Put in the work, and show you're putting in the work. This makes people want to help you. ie. This is why @opensensepw is taking off, cause @mis4nthr0pic hustles!!!
@pashovkrum
pashov
1 year
Here is what's going down in my DMs: - How do I master web3 security? - Go through Secureum bootcamp - Link? Frens, if you can't find the link to the bootcamp how do you expect to find bugs later🤔 If you want to be a great researcher you'd have to research✌️Go find it yourself
23
13
261
4
0
15
@0xMackenzieM
Mackenzie MacKenzie 🛠️️
1 year
Dear Whitehats, how valuable would it be to have your bug report stress-tested before submission, so there's no room for project downplaying it? ie. Have all the weak spots and missing details brought up, and be given directions on how to make it rock solid.
3
1
16
@0xMackenzieM
Mackenzie MacKenzie 🛠️️
1 year
@sayan_011 Ahahahahaha. Highly suspicious. I'd want to see other audit reports by this team, and if they're often like this, I'd focus on bughunting on the projects they audited 😎😎
2
0
15
@0xMackenzieM
Mackenzie MacKenzie 🛠️️
1 year
This is a huge policy shift! It'll prevent so many in/out-of-scope disputes. Whenever you read a bug bounty program ctrl+f for 'Primacy of Impact' to see if they use it (ie. @zksync does). And please ask me any questions you have about what exactly this means!
@immunefi
Immunefi
1 year
Ever had a bug report with a real impact, but the asset was out of scope, so the bug report was closed? We're introducing a new best practice standard called Primacy of Impact to solve this problem. Read more:
8
17
65
0
2
15
@0xMackenzieM
Mackenzie MacKenzie 🛠️️
1 year
I love @bytes032 audit threads, why don't more of you write them? Surely it crystallizes your learnings to write it all out, plus the friends you make.
@bytes032
@bytes032.xyz
1 year
I explored the @compound protocol during the @rubicondefi contest at @code4rena . In this thread, I'll summarize what I've learned. 🧵
11
47
205
2
1
15
@0xMackenzieM
Mackenzie MacKenzie 🛠️️
1 year
Absolutely killing it! Of course, a single million dollar bug puts these to shame 😏
@pashovkrum
pashov
1 year
I made $46150 doing 4 solo smart contract security audits in April, finding various critical & High severity issues. I also missed 1 (that I know of) but that’s life as a security researcher. This makes it the 3rd consecutive month doing >$40k in solo smart contract audits
36
20
508
1
0
14
@0xMackenzieM
Mackenzie MacKenzie 🛠️️
1 year
@RobertMCForster That sounds absurd, if it's an @immunefi bounty and you'd appreciate some help send me a DM with the report # best of luck in any case
0
0
15
@0xMackenzieM
Mackenzie MacKenzie 🛠️️
4 months
Solo High + bug writeup = instant micro celeb Thus it has ever been
@sherlockdefi
SHERLOCK
4 months
1
3
33
0
0
15
@0xMackenzieM
Mackenzie MacKenzie 🛠️️
1 year
A perk of bug hunting is you get to deep dive the code to your own satisfaction. This is why the biggest bugs were on projects that the bug Hunter finds interesting. No time limit, no external pressure, just you and your curiosity.
@0xRajkumar
Rajkumar(0xrajkumar.eth)
1 year
If you are doing bug hunting on Immunefi, it's possible to not find anything in a codebase, but over time, you will learn exponentially.
3
1
34
2
3
15
@0xMackenzieM
Mackenzie MacKenzie 🛠️️
2 months
I'm not gonna say that following your interest and diving deep will lead to $250k bounties ... but I'm not NOT gonna say that
@malicator
Marco Croc
2 months
@0xMackenzieM @CurveFinance Studied Curve some time ago and this time, filtering Avalanche projects on ImmuneFi led me back to Curve. Because it was a fork of Curve 😉
1
1
10
1
0
15
@0xMackenzieM
Mackenzie MacKenzie 🛠️️
1 year
This is the most important tip for whitehats of all levels. It's the reason you should make PoCs for all your bugs. The practice sharpens your attacker mindset so you can find that 1 bug which is worth more than all your others combined.
@bytes032
@bytes032.xyz
1 year
Train your mind to see vulnerabilities, not features.
7
7
92
1
2
14
@0xMackenzieM
Mackenzie MacKenzie 🛠️️
11 months
$218k / 25 Medium bugs, that's ~$9k per Medium bug report!
@immunefi
Immunefi
11 months
#ImmunefiStats The July payout stats are in! Here's what whitehats made on Immunefi last month. Just beautiful to see.
2
6
40
2
1
14
@0xMackenzieM
Mackenzie MacKenzie 🛠️️
2 months
Stormy is a beast!
@HunterBlockSec
Hunter Security
2 months
Winning 1st place in the @eBTCprotocol competition at @code4rena last year with the only critical vulnerability found, and now winning their @immunefi boost... That's one web3 security beast! It's an honor to have Stormy as an Associate Auditor on the Hunter Security team. 🫡
2
5
56
0
1
14
@0xMackenzieM
Mackenzie MacKenzie 🛠️️
21 days
@immunefi @fuel_network This is gonna be a paradigm shift. Audit contests will move from one-and-done events to major education & ecosystem building events
0
0
14
@0xMackenzieM
Mackenzie MacKenzie 🛠️️
11 months
😂 Only one Crit duplicate will do that to a man @UnoHeuss
@HackenProof
HackenProof
11 months
2
17
158
1
1
14
@0xMackenzieM
Mackenzie MacKenzie 🛠️️
8 months
@cergyk1337 breaks the top 50 and onto the leaderboard! Congrats mate 🥳 And I see you @yttriumzz closing in also 👀
@immunefi
Immunefi
8 months
#LeaderboardWeeklyUpdate ! Here are some of the whitehats on fire this week: 👉 LonelySloth: moved to 6th from 7th! 👉 yttriumzz: moved to 62nd from 74th! 👉 cergyk: moved to 43rd from 55th! Congratulations to all!
2
1
17
2
0
14
@0xMackenzieM
Mackenzie MacKenzie 🛠️️
1 year
ITT @0xriptide says he has no secret to bughunting. Just follow your interests and read the contracts. I know big audit firms have all sorts of fancy tools. But the best bughunters keep saying what Riptide is. It's that simple.
@0xriptide
riptide
1 year
@ckksec usually just check out anything interesting my secret is just to read a bunch of contracts tbh
2
1
7
3
0
14
@0xMackenzieM
Mackenzie MacKenzie 🛠️️
11 months
Pro tip: You can just ask projects where they think their code is weak. Projects naturally have an intuition of their weak/confusing areas, they might not be able to explain it or fix it, but that's because they're devs, not security experts
@immunefi
Immunefi
11 months
Join us at our next Hacker Hangout on July 24 with a special guest - @staderlabs_eth 🙌 Prepare your questions and check out their bug bounty program: Link to the event:
1
4
19
2
3
14
@0xMackenzieM
Mackenzie MacKenzie 🛠️️
1 year
I second this! The non-stop interviews with top quality hackers, the fun chats, and cool side-projects @opensensepw is creating is like watching alchemy be done. He's singlehandedly disproving the myth that Security Researchers are anonymous anti-social weirdos
@realgmhacker
gmhacker.eth
1 year
Props to the @opensensepw gang, putting out great event lineups 🔥 Building out a great community, it's interesting to watch
1
4
13
1
4
14
@0xMackenzieM
Mackenzie MacKenzie 🛠️️
1 month
Too gud intern 😂
@Spearbit_Intern
Spearbit Intern
1 month
@mGrundig @Delvir0 @SpearbitDAO we do the poaching marcelo
0
0
12
1
0
13
@0xMackenzieM
Mackenzie MacKenzie 🛠️️
1 year
A reminder for whitehats that you do NOT need to include a fix in your bug reports. Sure, it might be nice, but don't sweat it, the bug you're bringing is what matters. Your job is to find the bugs, the project's job is to fix them.
@immunefi
Immunefi
1 year
Some web2 bug bounty platforms make you wait months and even years to get paid, because payment only happens after a fix. On Immunefi, hackers get paid after the bug is confirmed to be real. No more waiting, no more uncertainty. Don't settle for less.
5
4
65
0
3
13
@0xMackenzieM
Mackenzie MacKenzie 🛠️️
7 months
This is why Immunefi's principle when mediating bug reports is always to assume the blackhat is patient, intelligent, well-funded ... cause people will do wild things for $200 😂
@shoucccc
Chaofan Shou
7 months
A hacker prepared 74 days, launched multiple complex price manipulation attacks, and earned $200 🤡🤡
9
6
80
0
0
13
@0xMackenzieM
Mackenzie MacKenzie 🛠️️
4 months
You want to get some exp in bounty hunting but with less risk? Try it out with one of our Boosts - Duplicates get paid - Direct project support - 24h response times - guaranteed reward pool
@immunefi
Immunefi
4 months
@BadgerDAO 's @eBTCprotocol Boost starts Monday. $200k waiting to be earned.
4
5
28
1
2
13
@0xMackenzieM
Mackenzie MacKenzie 🛠️️
1 year
Whitehats tend to overexplain to a fault. Their strongest points get lost in all the caveats & maybes & many many minor points. When your bug has a real impact that is your strongest point. Prove that. No need to clutter.
@kankodu
Kankodu
1 year
Some bugs exist for which you cannot attach a specific number and say, "this is how much would have been at risk." Here's what I wish I had known before the discussion about such a bug concluded, with the project paying me approximately $300k. A short thread 🧵:
8
10
83
2
1
13
@0xMackenzieM
Mackenzie MacKenzie 🛠️️
1 year
@0xzaskoh @peak_bolt I'm excited to learn your results. One of my goals is to highlight that finding medium bugs is ROI worth it. @immunefi 's rep is crit or bust, but 47% of paid reports are medium or lower and those get paid out in the $1000's! The same mediums as found on @code4rena
4
1
11
@0xMackenzieM
Mackenzie MacKenzie 🛠️️
1 year
#MackenziesPicks Welcome to another Bug Bounty Program picks of the week! This time we have a little of everything; blockchain, wallet, DeFi, bridge. These projects are big & small. Easy & .... ok they're only hard. Read on for good projects to bughunt on: 🧵
4
8
13
@0xMackenzieM
Mackenzie MacKenzie 🛠️️
11 months
Phenomenal article. @realgmhacker has a historian's knowledge of all the best players in the space: @PatrickAlphaC , @zachobront , @trust__90 , @pashovkrum etc. and synthesizes a little behind the scenes of how much discipline they apply.
@realgmhacker
gmhacker.eth
11 months
🕵️ Why are you NOT an Elite Smart Contract Security Researcher? Here I try to tackle what makes one actually succeed in this space. Show some love pls, it's my first website article ☺️
24
43
244
0
2
13