Found a live bug in EigenLayer (this was a few days before the cantina contest). It was discovered during reviewing the offchain sidecar rewards calculation.

M4ML completed

interview invites will be going out soon, stay tuned!.

We have manually reviewed all the applications and will be sending out 20 interview invites soon. To give an idea of the quality, the people who have made the cut have had 50+ H/M bugs in audit contests, multiple top finishes, private audit portfolio.

270 applications so far, reviewing them this week.

We will be taking on 3-4 security interns this round. 6-8 weeks paid internship. I will be acting as one of the mentors . Apply here.

wrote a blog post for this.

planning out a more structured internship intake - security engineers and an internal LLM role, will post more details when it gets finalized.

Some sparring at the local dojo in Osaka 🇯🇵

Finished dm course, over 400 hours in total now

Just had a review with this number of findings. Ideally a second round of review should be done with different testers. There are certain biases that build up as you become more familiar with a code base that makes it harder to check all your assumptions the second time round.

The protocol could try to protect you by refusing to testify or give evidence on court? But it won't make a difference since there will be plenty of public blockchain data as evidence to make the conviction.

A negotiated white harbour agreement post hack, at best might serve some purpose of protecting you from a civil case, but the protocol has no power deciding whether you get charged criminally by the state, that agreement between you and the protocol have no sway here. It is the.

Hack a protocol, negotiate to return 90% of the funds and keep 10% as a "bug bounty". Same as hacking a database of PII and negotiating a "bug bounty" for the deletion of PII. It is literally demanding a ransom payment.

If going by case law, the current precedent is that you 100% can get prosecuted even if you return the funds under a negotiated safe harbour agreement post hack. Shakeeb Ahmed: 8.8 million stolen from Crema Finance, returned most funds with agreement protocol will not report.

This required a immediate patch to sidecar and is now also fixed onchain after the slashing update. Fortunately, this issue hadn't been exploited before detection.

The only validation onchain was:. 𝘳𝘦𝘲𝘶𝘪𝘳𝘦(𝘥𝘶𝘳𝘢𝘵𝘪𝘰𝘯 % 𝘊𝘈𝘓𝘊𝘜𝘓𝘈𝘛𝘐𝘖𝘕_𝘐𝘕𝘛𝘌𝘙𝘝𝘈𝘓_𝘚𝘌𝘊𝘖𝘕𝘋𝘚 == 0, 𝘐𝘯𝘷𝘢𝘭𝘪𝘥𝘋𝘶𝘳𝘢𝘵𝘪𝘰𝘯𝘙𝘦𝘮𝘢𝘪𝘯𝘥𝘦𝘳());. Which allowed zero duration.

The risk was that if any AVS submits any reward type with 0 duration, it can halt the rewards calculation in the sidecar and lead to a denial of service.

Growing up, when entering a new class environment she was always below average. When exiting, she was able to achieve above average or near the top. Though she was never a top student. Parents encouraged her to set goals, she incrementally did so building confidence in her.