Hunting Bugs Everywhere | t.me/Huntoor for private audits

Joined June 2020
Pinned Tweet
12 Mar 2025
Alhamdulillah, I have won the @InfraredFinance contest. It's been a while since my last posted win 😅. 2nd consecutive contest and win, is it the rise?

Some stats:
- Time spent: 7 days
- Was the only one to find all high severity issues
- Found the only solo in the code

The main thing I am happy with in this contest is the amount of learning I got:
- Read a lot of EIPs (some were unrelated to the code, but it was intuitive to read more through)
- Read some geth code, and got a grasp of how consensus/execution layers work on the code level
- Read one GEAS
- Ran my first local node to build a POC

Downside of the above learnings is the % of coverage of those beautiful medium severity edge cases by those beautiful auditors. This code has one of the longest call flows I have ever seen. I love auditing staking more than DEXs; had much fun auditing this one.

Also I may decrease my contest participation a lot (in general and not related to a specific platform). Plans?
- Leverage more time on niches I believe in and love
- Join firmsss
- Only participate in contests that add to my knowledge and have proper incentives
- Become a judge (judging protocols that I love auditing); meh, least likely because of the big amount of spam currently in the space and how judging may make me a hated person among newbies.
An efficient AI would cost me 10$/day, but finds what an average auditor would find. I try to make it more deep; costs me 1K/day. It finds what an auditor with that "rate" would find too. There has to be a sweet spot between the two or I'm getting scammed.
At one point I'm gonna get my bounty my way. This is more than a human can tolerate. Zero-preconditions drain closed as out of scope. "Off-chain will protect against it." I have months of on-chain/off-chain behaviour that proves it won't protect against it. Ears are closed.
Hunter retweeted
As promised. Today, we have a big announcement. We're launching registration for SpecSiege. It's our double-check format for audits. First, an internal private audit went through the code with a full manual review. Then the community review follows. 10 days of open review on a fairly large codebase, we know, but the chance to work on an ERC-6909 European bond platform, an institutional project, doesn't come around every day.
- €15K total pot (€13K community pool, €2K fixed for the lead researcher).
- If only Lows are discovered, €5K is distributed instead.
Simply find bugs after us and get rewarded. We value your participation. We're not here just to squeeze you. Link below ⬇️
Hunter retweeted
If LLMs finding bugs missed by multiple human auditors makes them super-human, when I find bugs missed by multiple humans and AI, does it make me super-super-human? When people then catch bugs I missed, do they become super-super-super-human? Congrats to teams finding bugs with whatever tools they use. But for the people making a living off bounties, finding stuff missed by dozens of the best auditors is just a Tuesday. Nothing super-human about it.
Where are those "roadmap to success" posters? I miss you guys.
Hunter retweeted
It is happening! Week 4 is finally live. Join the Super League of Solana hackers, find vulnerabilities in the FrankSol protocol built with Anchor V2, and earn real money.
1st place: $500
2nd place: $300
3rd place: $200
Like and repost as a sign of participation — let's go!
The norm is to not follow the SLA.
Hunter retweeted
Replying to @oot2k1 @asen_sec
Thinking in systems, bug hunting intuition, AI => you can audit pretty much anything.
What does that even mean?
Hunter retweeted
Real question for auditors if you entered a contest at half capacity, submitted last minute, found valid bugs that got misduplicated, and missed the PJQA window to dispute them… is that a W or an L?
Not sure how to feel about this one tbh. Life got in the way halfway through. Wasn't fully focused, submitted stuff last minute, then results came out and… some of my findings got wrongly duplicated. Didn't even notice until PJQA ended, being too late to do anything about it.
Hype/FOMO comes from illiteracy. You really should learn how LLMs work under the hood and how their claimed THINKING works. It doesn't only protect you from fake hype, but it also makes you use AI in places where you know it would work.
One beast approach in bug bounty is to pick a constantly upgraded protocol, drink its code and stay dormant there. You may not ever find anything, but this is always a risk. Combine this approach for like 3 protocols and do some side plumbing KEK. Thank me later.
I think everyone knows this, but when you put the two statements together it feels intuitive. "If you are NOT using AI, you will be left behind." "If you are using AI A LOT, you will be left behind." There is a sweet spot in between to preserve your frontal cortex.
Constantly auditing top protocols and challenging yourself makes you smarter every day and makes auditing less complex code feel very much like a toy. Constantly auditing simple protocols in your comfort zone makes you dumber every day, and makes auditing complex protocols a nightmare.
Understanding the protocol and writing a very targeted prompt feels more fun, efficient and effective.
One of the worst things that can happen to you during an audit is to get into a tunnel vision state. You get sucked into a specific function with a specific flow. Stuck, ineffectively.
> the only winners are actual elite human auditors: black hats and bug bounty hunters.
You are a good auditor when you submit smart bugs (logical). But what some miss is that you are a bad auditor when you submit invalid/info bugs. AI made it really easy to run and generate reports. Please don't treat your private audit report bugs by the kilo. VERIFY.
Sometimes I browse some finished contests randomly. It's insane how some valid bugs worth 5 figures can never be valid in 1 million years in one contest and be marked as spam in another contest. Insane how trivial bugs are considered smart here and unrealistic there. I'm confused.
As we are speaking, some auditors are using Claude Code to perform parallel private audits. wdyt? Is this a productivity boost or illegitimate?