Found a Medium-severity vulnerability in Zebra, @zcash's Rust full-node implementation, and reported it through the Zcash Bounty Program for a $37,500 bounty. Already patched and shipped in v4.5.0 — disclosure below. github.com/ZcashFoundation/z… @ZcashCommGrants Had some duplicates too. Feels good 😁

Age is an Illusion 1

𝕋𝕙𝕖 𝔹𝕖𝕤𝕥 𝕊𝕥𝕣𝕒𝕥𝕖𝕘𝕪

Very true!! But now I find the concept of private bug bounties better as most times when protocols in general hosts bug bounty program on a web3 bug bounty platform, they end up not fully maximizing the use of it because of the number of spam submissions/AI slop that eventually end up getting the protocol team frustrated and then pausing their bounty program

Almost every bug I report is on a code base audited by "top firms". Some were math issues in code written and reviewed by BigTech alumni with PhDs in cryptography from Stanford/Ivy-League. Everyone misses bugs. I miss too. AI misses bugs. Let's stop talking about finding bugs missed by lots of experts as something new and unheard of. It's so common I've been making a living off of it for 5 years straight. I'm not the only one.

🤯An AI security tool has 1st-place performance on security contests from just 1yr ago. Solidity-auditor v3 is out, FREE & Open Source. Thousands of Solidity developers are using the tool already. Upgrade your security baseline, use the tool🫡 pashov.com/solidity-auditor-…

Large Language Models > Self training :))

Just keep auditing and verifying that AI slop till you get a response from your LLM saying: "If you don't believe me then forget"

Huge win for my bug hunting buddy There are not many opportunities in web3 that could currently earn you $37,500 This guy did it by submitting one bug via @Zcash $1M bounty program Big congratulations 👏

Congratulations brother 😁👏 We keep winning!!!

It will eventually be crazily worth the sleepless nights, just keep at it... See you at the top :)))

After almost five years, I'm no longer at @immunefi I built and led the Managed Triage Service from the ground up. Hired the team. Wrote the playbooks. Triaged thousands of vulnerability reports and helped mediate one of the largest payouts in the history of Web3 security, and plenty more behind closed doors. I'm proud of what we built and grateful to everyone I worked with. Now I'm looking for what's next. I'm looking for a leadership position in security. Joining an existing team, or building one from zero. Triage, bug bounties, Web3 security, or anything that helps secure a project or the wider org. I'm also open to consulting. Helping teams spin-up an internal security function, or advising on what a project actually needs, especially on the internal side. I know how to run triage that's operationally efficient and doesn't miss the false negatives that matter. If you're hiring or know someone who is, I'd like to hear from you. My DMs are open

Got a valid low in my first audit contest on Jupiter lend on c4arena. Quite proud despite the fact it was downgraded because I got this using my workflow. 😁 More to come. Inshallah 🙏🏽

A privacy meetup at the most corporate Bitcoin conference is exactly where it should be, just to remind people what actually matters. See you at Bar Luca.

IMPORTANT Watch this simple video guide on how to correctly deposit ZANO and fUSD into AEON Pay to avoid loss of funds. Access the AEON Pay Telegram bot here: t.me/AEON_Pay_bot?profile Credit @Lil__Kingg

Big upgrade. Making privacy easy to integrate is what actually moves adoption forward, not just stronger tech, but fewer barriers to using it.

Three types of crypto users think they're private. Only one actually is. Some think they are private because they hold crypto, not fiat. Others think they are private because their blockchain has a privacy mode they switch on. Both get it wrong. The first group gets it wrong because they hold crypto on transparent chains where every transaction, every move is visible to anyone. The second group gets it wrong because every activity before they flipped that switch is already visible on-chain. And the moment they forget to turn it on, that’s another data point added to their public history. The real private ones never had to think about any of this. They use Zano. Privacy here isn’t a mode you switch on, it’s how the chain works from the first block. And when it’s time to spend, they extend that same privacy into the real world through AEON Pay, Zebec Card, and other options like @shopinbit, @DFX_swiss, and @BitcoinCom. No exposure. Just private. End to end. $ZANO

Integrations like this don’t just extend functionality. They unlock possibility. Making it possible to move assets between ecosystems without exposing positions, strategies, or balances, while still accessing shared liquidity. I don’t have to choose between access and privacy.

Still chasing a repeatable AI auditing workflow that goes beyond “good prompts.” (Day 3) I’m trying to build something that actually holds up across codebases, not a setup that works once and falls apart the moment the repo gets weird. That means: -> better methodology -> better tooling -> deeper research -> tighter skills -> and agents that can challenge each other instead of blindly agreeing After a lot of hours training my agents and refining the workflow, I still haven’t landed a payout-grade submission yet. But one thing has clearly improved my results: running Claude Opus 4.7 Max side by side with Codex GPT-5.4 The difference has been real. Not just in raw findings, but in: - comparing outputs - stress-testing assumptions - making one model critique the other - catching weak reasoning before it turns into wasted time I’d genuinely recommend using both if you’re serious about AI auditing. Funny part is I almost accidentally exploited a protocol on mainnet before I snapped back into audit mode 😂 Still refining. Still learning. Still pushing for a workflow that is actually reliable. #Immunefi #AIAuditing

So still in the pursuit of getting a perfect automated Auditing workflow/methodology beyond just using prompts that works/does not work at times depending on the codebase but also leveraging on tools, intense research, and skills.... (Day 2) After scanning over 10 different program contracts with my current flow and not getting a single payout-grade submission candidate (found a ton of leads but later died in production/mainnet), I decided to use the whole day in feeding my AI with tons of research papers from arxiv.org and some articles too published by other AI Auditors to compare with my current workflow to see what i am doing wrong, what i might be missing, and so much more... Then make improved/better changes to my workflow and implement them. So i would try this for another 5 - 10 different program contracts, see how it goes and update you all in Day 3 (Tomorrow). Also now making use of Etherscan & Alchemy API Keys for a faster production reach/test. Thank you @unsafe_call for the tip ❤️ #Immunefi #AIAuditing