Web3 Security Researcher

Joined November 2023
Pinned Tweet
12 Sep 2025
Thrilled to see the results from my very first contest ✅ I submitted just one finding… it got validated… and ended up being the only valid bug in the entire contest🤯 Guess that means 100% coverage on my first attempt 😅 Beginner’s luck? Sure, but I’ll take it 😏 Big thanks to @sherlockdefi for the fun experience. On to the next hunt 🕵️‍♂️
12 Sep 2025
🏆 @neutrl Audit Contest Results 🏆 Congrats to: $118,000 rewards ➡️ $16.4M paid out in rewards.
4nescient retweeted
This Security Researcher has earned $3,612,409 hunting bugs on Immunefi. 32 live critical vulnerabilities found, saving hundreds of millions of dollars from hacks. Meet @lonelysloth_sec, ranked Top 5 all-time on @Immunefi. We asked him how he does it. One practical bug bounty strategy that has helped him find better bugs: "Protocols share a lot of code. When you find a bug that isn't exploitable, take some time to check whether the same bug shows up in other protocols where it might be. Study families of protocols, compare their code. Things are getting more and more interconnected." The habit, routine, or mindset that has made him more consistent as a researcher: "Curiosity. I don't rest until I understand every part of the system. Even if I end up not finding a bug, I want to understand it." A memorable bug or win, and what helped him find it: "I have quite a few public disclosures, but for one project between '24 and '25 I got paid for 9 critical bugs. I spent months getting to know every last detail of their (very large) code base. More than a breakthrough it was about persistence in one target, learning everything about it, and using everything I knew on it. They weren't the highest paying bugs I found, but I'm very proud of that achievement. I still find bugs in that project." His advice to a researcher trying to level up or land their first bounty: "Find motivation in the journey, because it's a long one. Enjoy understanding something that previously was mysterious to you, the feeling of knowledge accumulating. It compounds and will eventually lead to your bounties. Keep trying -- you need to give luck a chance to find you."
Took my time with @0xFireFist's x-ray v2. Ran it on three different projects I'm auditing right now before posting anything. The auto-generated diagram is the standout. Saves real hours getting oriented in an unfamiliar codebase. And it's open source. Free. Zero excuses not to try it. Thanks for shipping this 🙏
Apr 22
🚨🤯Someone built an AI tool that one-shots the threat model & invariants of your Solidity codebase. Companies used to charge >$20k for this. It's called X-ray, free and fully open-source. My security team will be using this. Check it out below👇 github.com/pashov/skills/tre…
4nescient retweeted
One thing I kept noticing while learning ZKVMs is that there's a real gap between understanding SNARKs/STARKs at a theory level and understanding what a ZKVM is actually doing under the hood. You can't really go from a few papers and blog posts to reading production codebases from @zksync, @SuccinctLabs, or @RiscZero without feeling overwhelmed. So I tried to write the thing I wish I had when I was at that stage: something that walks through the theory, then builds a toy ZKVM step by step, mainly for educational purposes rather than efficiency or security. ubermensch.blog/articles/mak…

4nescient retweeted
⚔️ Solana Audit Arena — Week 2 Results MissionX has been dissected. 42 submissions. 11 researchers. 17 unique vulnerabilities. This week's top researchers: 🥇 @4nescient — 15 pts 🥈 @kyan_novoyd — 12 pts 🥉 @zuhaib44 — 6 pts 4️⃣ @0xSantii — 4 pts 5️⃣ @R4Y4N3___ — 6 pts (new entry) 🔥 Best finding: @4nescient — reserve1 underflow in buy() sells reserved payout tokens and bricks migration. 🚀 Rising researcher: @0xKarl98 — first week, strong methodology. Full breakdown in the thread 🧵👇 Repo: github.com/Frankcastleaudito…
4nescient retweeted
Why don’t Anthropic just use Claude Code 🤷🏻‍♂️
Appreciate it 🙏 that one was satisfying to find.
Replying to @die_kreatur_rs
Reading about others' findings was really inspiring. The coolest report was submitted by @4nescient. They figured out how to farm staking rewards out of thin air by exploiting integer division truncation in Rust. Link to the original report: github.com/Frankcastleaudito…
A useful reminder: no major findings is also information. Wrapped up @flyingtulip_ and @OpenCover on @sherlockdefi. No big findings here, just two clean and solid codebases. Sometimes the takeaway is simply that the team did a solid job. On to the next.
31 Jul 2025
Two months ago I joined the Cyfrin Updraft program to learn smart-contract auditing. Today I landed 3rd place in my first #FirstFlight contest on @codehawks_! 🚀 Huge thanks to @PatrickAlphaC and the Cyfrin fam for all the guidance. I’m off to hunt more bugs and grab that first unique high. 😅 The best is yet to come. Learn more on: 🔗 codehawks.cyfrin.io/c/2025-0… #SmartContractSecurity #Web3Security #Ethereum #Auditing
4nescient retweeted
When I first learned Solana, I was searching for a resource that explained how Solana programs work under the hood, beyond just Rust. I couldn’t find one I liked, so I wrote my own. Get nerdy: ubermensch.blog/under-the-ho…
