21. Assumptions break under a pessimistic lens. Security Researcher @Hashlock_, My sensei @0xSorryNotSorry, prev Game Designer voodoo.io old acc: @notereneth

Joined May 2023
Pinned Tweet
18 Jul 2025
Last month, I reported a critical severity vulnerability in a Cosmos SDK-based blockchain project and was awarded a $20,000 bounty. Thanks to @WhiteHatMage for the advice on handling communications in private bug bounties.
pessimist retweeted
Replying to @windhustler
Platforms allowing it are as guilty or more, because they legitimise and enable the practice. Happened to me on Immunefi: project had "Up to $500k" for Critical and "Up to $100k" for High with a stated floor of $25k for High impacts concerning theft/permanent freezing of unclaimed yield. Confirmed my chain halt critical. Offered $20k. Mediation said they couldn't do anything because "muh Up to". So by their understanding, $1 would've been fine too. Naturally, as pro scammers, they never paid lol <3
pessimist retweeted
Jun 11
Replying to @lonelysloth_sec
Agents are RCE-as-a-service.
pessimist retweeted
You provide the data for the models to be trained. You didn't opt in, but they took it for free anyway. There's no attribution whatsoever. Then they sell it back to you. Then they tell you selling it back to you is too risky, so they keep the results of your work to themselves. Why would anyone ever publish anything again? We're headed to the new dark ages. Exponential Intelligence Implosion.
pessimist retweeted
Replying to @saxenism
Getting paid is the hard part
pessimist retweeted
Jun 5
AI discovers a bug that humans overlooked—> the entire X community discusses how AI will replace them and so on—> then forgets about it—> repeats the process with new models. Human whitehats find a bug—> there’s no hype (sometimes they don’t even pay them)—> and then forget about it. Why do you even make things look like a battle between AI and humans? It’s us against blackhats and hackers!
Listen, white hat. Hackers try to cheat systems through deep thinking, they find exploits, but they don’t try to cheat thinking itself. Many of you have had your brains hacked: your attention spans shortened, your thinking is outsourced. You’re left with nothing. But you're building an AI harness, and you want it to find every bug in the world. Turns out, to build a solid AI harness, you need weeks and months of deep thinking before even taking the first step. But some of you have already given up that capability.
pessimist retweeted
millions of dollars drained weekly
quantum doomsday scenarios becoming more real
defi OGs calling it a day...
I've been in crypto for almost 9 years
the darkest hour is always before the dawn
> Starting now, duplicate submissions on Immunefi will no longer count against a security researcher's standing on our platform. I have a humble suggestion. Imo, the main factor that should negatively affect SR is submitting Invalid reports. Many productive white hats submit out-of-scope findings, inevitably. In most cases, this is not because they failed to read the bug bounty page, but because the project was already aware of the issue internally, it had been mentioned in a comment or discussion somewhere, or sometimes due to technical reasons. Submitting an OOS report should have a lighter impact than submitting an Invalid report, with a lower penalty coefficient.
Real talk: we should have shipped this earlier. Starting now, duplicate submissions on Immunefi will no longer count against a security researcher's standing on our platform. If your report happens to be a dupe, it won't be held against you in the automated restriction system. Period. Dupes are a normal part of bug bounty work. Two researchers can independently find the same issue within hours of each other. Penalizing the second submitter discourages exactly the people we need most: the ones hunting hard, moving fast, and reporting in good faith. The researcher experience on Immunefi is the single most important lever we have for keeping crypto safe and secure. Every friction point we leave in place is a tax on the people protecting billions in user funds. We owe them better, and we're going to keep tightening this until the platform feels like it was built by researchers, for researchers. A whole lot more changes in this direction coming. Keep the feedback coming. SR Summer is coming on Immunefi.
“But what if it's OOS due to white hat's lack of attention (to known issues & rules)?” Exactly why I suggested a lower effect instead of no effect, unlike what happens with duplicates. Devoting manpower (or AI tokens) to check every single case just for this would be impractical and unnecessary at scale; no need to even consider that approach.
Never send a bug report to Injective. You probably remember what @al_f4lc0n went through, but even worse happened, you may hear the story soon. Do not do any business with them.
Today, we're launching the @Injective bug bounty program on Cantina. The scope covers the following: injective-core, Peggy bridge, swap, RFQ, and five web surfaces, including Helix, Mito, and Hub. Which bounty are you going after first? Program details: cantina.xyz/bounties/79042c5…
Even if you don't care about receiving a bounty, don't do it. I've also submitted bug reports multiple times in the past without expecting anything in return, simply because of my belief in and passion for crypto. But the fact that Injective can still be listed on any bug bounty platform, or even remain in the industry at all, is a clear negative. Don't care about what I say? From the GOAT himself: x.com/lonelysloth_sec/status…
@injective is a sad joke. How long can it survive without the **extremely underpaid** help of top white hats? **You should not submit bugs to them** unless you want to be equally mistreated. That sort of behaviour is damaging to all SRs and the entire industry, including all legitimate BBPs run by serious people who actually care about security. Let’s see: Ignored critical LOSS OF FUNDS for 3 months. Attempt to classify COSMOS bug as WEB. 😂 Claims impact is misleading but can't provide specifics of how much money could be stolen. Try to say bug not being exploited is a problem for the report 😂 The “head of engineering” @bangjelkoski is just throwing technical nonsense at the issue and pretending it sticks. Is he even technical at all? Does he know what a bug bounty is? Doesn’t sound like it. Sounds like Chat-GPT from ‘23 making excuses. How likely is it that this was the first critical Loss of Funds bug to go unnoticed? I'd say 0% likelihood. **I’d say extremely likely it wasn’t the last one either.** Again 0% likelihood it's the last protocol-ending level bug. But it will probably be the **last time they are helped by white hats.**
pessimist retweeted
The state of the use of LLMs for coding right now is: It's increasing everyone's productivity 100x -- for doing things we never got to do before **because they aren't valuable enough**. The actually valuable things are still hard, so we do less of them. ***The ROI isn't low -- it's negative. And it's not the LLMs' fault!*** That's what you get when you rush to adopt a tool with no understanding and no plan, and you measure people by how much they spend rather than by how much value they add. **It isn't even about how good or bad LLMs are.** If you don't know what's good for you, having a god that answers all your prayers is a curse.
pessimist retweeted
I hope this is a joke and that Cantina is not turning blackhat.
Reminder: using an autonomous tool to exploit a deployed codebase without prior consent is unethical, and the outcome is likely illegal.
We already know LLMs can find bugs. There is nothing useful to demonstrate here.
Even if this is only an advertising stunt, which I hope it is, it is bad messaging to send to the community.
May 13
We just gave Apex, our autonomous bug hunter, a real Ethereum wallet with money and let it loose on the internet. Will report back in 24 hours.
We owe you a lot. If it weren't for Code4rena, I probably wouldn't have become interested in web3 security; might not even have realized such a field existed at all. Being such a great pioneer, thank you sincerely for the immeasurable contributions Code4rena has made to web3 and for all the people it has onboarded into the space over the years.
Replying to @code4rena
After careful consideration, we’ve made the decision to wind down @code4rena. This community has meant a great deal to everyone who has been part of building it, and sharing this news is not easy.
pessimist retweeted
Why does Anthropic need a Bug Bounty? Why not just point Mythos at their own stuff?
pessimist retweeted
People who know nothing about AI or coding will instruct the AI how to code and then evaluate how well it did before making the company liable for what the AI coded. What could possibly go wrong.
This is an email I sent earlier today to all employees at Coinbase:

Team,

Today I’ve made the difficult decision to reduce the size of Coinbase by ~14%. I want to walk you through why we're doing this now, what it means for those affected, and how this positions us for the future.

Why now

Two forces are converging at the same time. We need to be front footed to respond to both.

First, the market. Coinbase is well-capitalized, has diversified revenue streams, and is well-positioned to weather any storm. Crypto is also on the verge of the next wave of adoption, with stablecoins, prediction markets, tokenization, and more taking off. However, our business is still volatile from quarter to quarter. While we've managed through that cyclicality many times before and come out stronger on the other side, we’re currently in a down market and need to adjust our cost structure now so that we emerge from this period leaner, faster, and more efficient for our next phase of growth.

Second, AI is changing how we work. Over the past year, I’ve watched engineers use AI to ship in days what used to take a team weeks. Non-technical teams are now shipping production code and many of our workflows are being automated. The pace of what's possible with a small, focused team has changed dramatically, and it's accelerating every day.

All of this has led us to an inflection point, not just for Coinbase, but for every company. The biggest risk now is not taking action. We are adjusting early and deliberately to rebuild Coinbase to be lean, fast, and AI-native. We need to return to the speed and focus of our startup founding, with AI at our core.

What this means

To get there, we are not just reducing headcount and cutting costs, we’re fundamentally changing how we operate: rebuilding Coinbase as an intelligence, with humans around the edge aligning it. What does this mean in practice?

- Fewer layers, faster decisions: We are flattening our org structure to 5 layers max below CEO/COO. Layers slow things down and create coordination tax. The future is small, high context teams that can move quickly. Leaders will own much more, with as many as 15 direct reports. Fewer layers also means a leaner cost structure that is built to perform through all market cycles.
- No pure managers: Every leader at Coinbase must also be a strong and active individual contributor. Managers should be like player-coaches, getting their hands dirty alongside their teams.
- AI-native pods: We’ll be concentrating around AI-native talent who can manage fleets of agents to drive outsized impact. We’ll also be experimenting with reduced pod sizes, including “one person teams” with engineers, designers, and product managers all in one role.

In short: AI is bringing a profound shift in how companies operate, and we’re reshaping Coinbase to lead in this new era. This is a new way of working, and we need to leverage AI across every facet of our jobs.

To those who are affected

I know there are real people behind these decisions — talented colleagues who have poured themselves into this company and our mission. To those of you who will be leaving: thank you. You’ve helped build Coinbase into what it is today, and I am sincerely grateful for everything you've done.

All impacted team members will receive an email to their personal account in the next hour with more information, and an invitation to meet with an HRBP and a senior leader in your organization. Coinbase system access has been removed today. I know this feels sudden and harsh, but it is the only responsible choice given our duty to protect customer information.

To those affected, we will be providing a comprehensive package to support you through this transition. US employees will receive a minimum of 16 weeks base pay (plus 2 weeks per year worked), their next equity vest, and 6 months of COBRA. Employees on a work visa will get extra transition support. Those outside of the US will receive similar support, based on local factors and subject to any consultation requirements.

Coinbase prides itself on talent density. Our employees are among the most talented people in the world, and I have no doubt that your skills and experience will be highly sought after as you pursue your next chapters.

How we move forward

To the team that is staying, I know this is a difficult day. We’re saying goodbye to colleagues and friends you've been in the trenches with. But here’s what I want you to know as we move forward together: Over the past 13 years, we have weathered four crypto winters, gone public, and built the most trusted platform in our industry. We’ve made it this far by making hard decisions and by always staying focused on our mission. This time will be no different – nothing has changed about the long term outlook of our company or industry.

And most importantly, our mission has never been more important for the world. Increasing economic freedom requires a new financial system, and we’re building it. The Coinbase that emerges from this will be more capable than ever to achieve our mission.

Brian
pessimist retweeted
May 2
Open for SR roles. A brief summary about me:
1. All-time Top 10 Immunefi whitehat
2. Found bugs enabling ~$51M / ~$1M withdrawals (Tokemak, Wormhole)
3. Recently: $1.2M impact via BugChainIndexer
4. More fund-extraction vulns (undisclosed)
Details: github.com/kismp123
After almost five years, I'm no longer at @immunefi. I built and led the Managed Triage Service from the ground up. Hired the team. Wrote the playbooks. Triaged thousands of vulnerability reports and helped mediate one of the largest payouts in the history of Web3 security, and plenty more behind closed doors. I'm proud of what we built and grateful to everyone I worked with. Now I'm looking for what's next. I'm looking for a leadership position in security. Joining an existing team, or building one from zero. Triage, bug bounties, Web3 security, or anything that helps secure a project or the wider org. I'm also open to consulting. Helping teams spin up an internal security function, or advising on what a project actually needs, especially on the internal side. I know how to run triage that's operationally efficient and doesn't miss the false negatives that matter. If you're hiring or know someone who is, I'd like to hear from you. My DMs are open.
pessimist retweeted
There is another way to look at this. The LayerZero/KelpDAO hack was caught in about an hour. Teams saved another $72M by reacting instantly. It took JPMorgan 20 years of ignoring screaming red flags before Madoff’s $65B Ponzi finally collapsed. Market manipulations like the RAVE token pump-and-dump got uncovered and crushed in under 24 hours by on-chain sleuths and exchanges. JPM’s own LIBOR, FX, and precious-metals rigging cartels ran for 5 years before anyone outside the chat rooms noticed. A $60B Enron-style rug pull would be damn near impossible to hide on-chain. JPM managed to keep that one going for years through offshore shells, fake trades, and straight-up hiding the debt from analysts and investors. Maybe they’re concerned they wouldn’t be able to peddle opaque financial instruments on-chain without anyone noticing? You know, like the mortgage-backed securities they sold in the 2000s that triggered the $15 trillion market meltdown. Are they really “concerned about our industry”? Or are they just using the latest hack as perfect cover to push their “institutional” DeFi vision and JPM Coin while CLARITY Act negotiations are still live? DeFi is not "scaring institutions away", it is scaring JPM that they will have to work honestly and transparently.
It's exactly what we've been saying, and now JPMorgan agrees. Security is the key blocker to institutions coming onchain. And whoever solves this problem is going to unlock tremendous growth. theblock.co/post/398611/jpmo…
pessimist retweeted
Do all your coding inside a VM. Seriously. UTM for Mac is free, works fantastically, and lets you run Mac inside Mac. Get into the habit now before you get rekt by library supply chain issues you cannot control or anticipate. mac.getutm.app Or buy a second laptop. Not having separation nowadays is lunacy.
LATEST: A senior blockchain security researcher at CertiK told CoinDesk on Wednesday that North Korea’s Lazarus Group is running a new macOS-focused campaign dubbed “Mach-O Man” that targets executives at fintech, crypto and other high-value firms through routine business communications.