Got my first CVE: CVE-2026-48100 🎉 Over the last few months I’ve been heavily investing in AI-driven research workflows for Web3 security. It’s been exciting to see those workflows consistently translate into real-world findings. So far that journey has led to accepted High/Critical vulnerabilities across ecosystems including Polkadot, Celestia, Trezor, Chainflip, XRPL, Payy and others. This CVE comes from a critical soundness vulnerability in a ZK rollup that could have enabled the theft of roughly $3.5M USDC under the protocol’s intended prover model. Big thanks to the @payy_link team and specially for the smooth disclosure process. Advisory: github.com/polybase/payy/sec… Looking forward to the next one.

I also have another theory about duplicates: some projects and platforms abusing nonsense slop submissions. You disclose an e2e-proven exploit, but it gets marked as a duplicate because of the "root cause". The slop report contains the vulnerable lines but no actual proof or has invalid claims. With enough slop, you cover all the lines where a reasonable bug could exist. Then the project reopens the invalid slop submission, pays it as Low, and avoids paying the actual Critical. That’s my worst nightmare. That shouldn’t happen ever.

Louder for the people at the back 💯💯

Is it just me, or does Immunefi mediation often feel ineffective? I’ve never really had a good outcome from mediation. It feels like the process heavily favors the protocol, bending toward their demands while ignoring the researcher’s side. I guess it’s true that attention tends to go to the party paying the bill.

🚨 Cantina Apex is officially the top spammer in web3 security. 65 reports to MetaMask, 5 valid. 19 to Coinbase, 8 valid. 40 to Anthropic, 4 valid. 24 valid out of 167 closed: 14.37% accuracy. This is the future? A Spammertozoa?

By checking their findings, not pointing to anyone, but check what their ai found and then you know if they do what they claim, this if they even have any public proof. Ai agents like gregoAI and kritt ai is good example of how good ai agent should be.

Hello @MitchellAmador. I am currently involuntarily withholding a severe vulnerability affecting a protocol listed on Immunefi because my account is banned, and the project does not provide any alternative private disclosure channel. Please lift my ban. Funds are at risk.