🔥The 9th Round of Easy Loan, Earn $40 Reward is in progress❗️ ⏰ Promotion Period: January 15th - Feburary 15th, 2025 👉 Register now and check more details at gate.io/campaigns/358

The key takeaway here (for any blockchain dev/SR) would be to: Create blocks/txs that that force the limits and capabilities of the chain and try to break it (locally obviously). It can be memory, CPU, or any system resource. It may break the block proposers, or the

I love when serious protocols share the post mortem in a writeup. I appreciate the shoutout 🧙🏻‍♂️

This goes to show that there are usually vulnerabilities in old codebases, lying dormant awaiting the patient SR. And the more complex the codebase the greater the odds something is lurking there. GMX was diligent, had many audits, and still this happened.

Shoutout to Jiri123 for finding and preventing another serious vulnerability. Great job man

WhiteHatMage was not by any means the first time someone had the keeper put a contract as the refund recipient, but it was the first one with any sort of complexity. e.g. app.blocksec.com/explorer/tx/ar…

x.com/i/article/1943…

When something critical happens is not uncommon to see it was a caused by a few issues considered lows stacking up into a critical Plenty of examples of hacks and bounties like this Devs should analyze all lows after audit with care, its value you paid for anyways

Do you think there are more hunters/whitehats or blackhats looking at code actively as their main job?

Will share the security advisory if the team creates one. For now the only public info for those who asked, is that it was on Cosmos

When doing bounty hunting don’t look for bugs, look for vulnerabilities. Bugs imply something is wrong, which won’t happen on a running system. Vulnerabilities imply there is some way of putting the system into an unexpected state. Check all possible inputs.

Last month, I reported a critical severity vulnerability in a Cosmos SDK-based blockchain project and was awarded a $20,000 bounty. Thanks to WhiteHatMage for the advice on handling communications in private bug bounties.

If you’re running a BBP Someone reports to you a bug that puts your entire TVL at immediate risk And your number one concern is “how can I pay less for the bounty? 0.05% of funds at risk is too much!” Why do you have a BBP? Why are you even in web3 actually?

Some great guys I talked to recently landed very good bounties. Nothing to do with me, but with them. They are outstanding hunters that are always looking for what’s next. Some just needed a little motivation. Truly beasts. I wish you all great success 🍀

J4X nmirchev8 n4nika deth Kristian Apostolov bogo zanderbyte Martin Marchev Later that night after some rakia