WhiteHatMage (@whitehatmage) 's Twitter Profile
WhiteHatMage

@whitehatmage

Bug bounty huntoor. I cast Heal on protocols and Exorcise on bugs.
+$50M in assets at risk saved via bounty reports.

ID: 1672711592302067713

linkhttps://immunefi.com/profile/WhiteHatMage/ calendar_today24-06-2023 21:02:01

1,1K Tweet

1,1K Followers

298 Following

WhiteHatMage (@whitehatmage) 's Twitter Profile Photo

The key takeaway here (for any blockchain dev/SR) would be to: Create blocks/txs that that force the limits and capabilities of the chain and try to break it (locally obviously). It can be memory, CPU, or any system resource. It may break the block proposers, or the

Mitchell Amador (@mitchellamador) 's Twitter Profile Photo

This goes to show that there are usually vulnerabilities in old codebases, lying dormant awaiting the patient SR. And the more complex the codebase the greater the odds something is lurking there. GMX was diligent, had many audits, and still this happened.

usmann (@usmannk) 's Twitter Profile Photo

WhiteHatMage was not by any means the first time someone had the keeper put a contract as the refund recipient, but it was the first one with any sort of complexity. e.g. app.blocksec.com/explorer/tx/ar…

storm0x 🌩️ 💡 🗃️ (@storming0x) 's Twitter Profile Photo

When something critical happens is not uncommon to see it was a caused by a few issues considered lows stacking up into a critical Plenty of examples of hacks and bounties like this Devs should analyze all lows after audit with care, its value you paid for anyways

WhiteHatMage (@whitehatmage) 's Twitter Profile Photo

Will share the security advisory if the team creates one. For now the only public info for those who asked, is that it was on Cosmos

Will share the security advisory if the team creates one. For now the only public info for those who asked, is that it was on Cosmos
WhiteHatMage (@whitehatmage) 's Twitter Profile Photo

When doing bounty hunting don’t look for bugs, look for vulnerabilities. Bugs imply something is wrong, which won’t happen on a running system. Vulnerabilities imply there is some way of putting the system into an unexpected state. Check all possible inputs.

pessimist (@0xpessimist) 's Twitter Profile Photo

Last month, I reported a critical severity vulnerability in a Cosmos SDK-based blockchain project and was awarded a $20,000 bounty. Thanks to WhiteHatMage for the advice on handling communications in private bug bounties.

Last month, I reported a critical severity vulnerability in a Cosmos SDK-based blockchain project and was awarded a $20,000 bounty.

Thanks to <a href="/WhiteHatMage/">WhiteHatMage</a> for the advice on handling communications in private bug bounties.
LonelySloth (@lonelysloth_sec) 's Twitter Profile Photo

If you’re running a BBP Someone reports to you a bug that puts your entire TVL at immediate risk And your number one concern is “how can I pay less for the bounty? 0.05% of funds at risk is too much!” Why do you have a BBP? Why are you even in web3 actually?

WhiteHatMage (@whitehatmage) 's Twitter Profile Photo

Some great guys I talked to recently landed very good bounties. Nothing to do with me, but with them. They are outstanding hunters that are always looking for what’s next. Some just needed a little motivation. Truly beasts. I wish you all great success 🍀