
pessimist
@0xpessimist
Followers: 3K
Following: 3K
Media: 57
Statuses: 422
Blockchain Security Researcher. Proud member of @0xDup1337, Contributing @_pioneerlabs
Joined May 2023
Last month, I reported a critical severity vulnerability in a Cosmos SDK-based blockchain project and was awarded a $20,000 bounty. Thanks to @WhiteHatMage for the advice on handling communications in private bug bounties.
There’s a lot to say, but in the interest of keeping this criticism constructive, I won’t go over every single point. By posting this tweet, you’re damaging your own marketing, because any reasonable SR or project founder might stop taking you seriously after seeing it, and.
A lot of people probably wonder what my company, Pantheon Labs, actually is and what the goal is. Basically, in a couple months, once I build more of a name in the cybersecurity space, we’ll be offering full audits to blockchain companies directly. Each audit will guarantee that.
My notes are full of quirks I've come across in codebases and attack vectors that currently have no impact but could become critical as conditions evolve. I've seen this happen more often in Blockchain/DLT programs, but it applies to smart contracts as well, especially with the.
@0xpessimist don't report these. If I find bugs with no funds or DoS risk I just keep them. The tweet by storm above the QT is correct. Lows stack into a crit.
I second this. Projects that don't accept (reward) low severity reports usually don't take security seriously enough.
@storming0x @WhiteHatMage The best bounties don’t just have “Critical” only programs with a ton of restrictions. Security gets better with every valid report and our projects get this. What’s low today could be critical tomorrow.
RT @joranhonig: I like the shift that happens a couple of days into a complex codebase. You start out overwhelmed, having no clue how every….
RT @0xriptide: @WhiteHatMage disclose too early and you fuck yourself. disclose too late and everyone gets fucked.
Where I'm at currently: My goal remains the same, I haven't given up. However, there's been a small hiccup: like most of you, I tend to hunt based on projects I'm interested in rather than picking from platforms. Unfortunately, only one of them is currently listed on Immunefi.
The best whitehat, on the best Web3 security podcast.
BOUNTYHUNT3RZ Episode 17: w/ @lonelysloth_sec @0xriptide discuss how it feels hitting 7 figure bounty payouts, how to find obscure bugs that no one is looking for, why bounty hunters find bugs auditors miss, ZK bugs and things to look for, approach to learning new complex
We need more Cosmos-SDK blockchains on @immunefi. It's a huge ecosystem, but only a few projects have a BBP. Also, private BBPs drive away most white hats.
RT @0xpessimist: @cantinaxyz @ethereum @ethereumfndn @alexfilippov314 @zigtur These might be the world's most profitable medium severity fi….
Good blog post by @1_00_proof. Highlights a fact that has been known for years but still isn't given enough attention:
RT @immunefi: Immunefi All Star 100 day challenge to join the best hacker program in the world. Who's in? Post, tag us, grind on Immune….