The results of the $80,000 Initia Cosmos competitive audit are in! Congratulations to everyone who submitted valid findings, especially to @bernd_eth for securing over half of the total prize pool along with 7 solo high-risk findings submitted! Much respect to @initia for their unwavering commitment to the highest security outcomes. Full list of winners in thread 👇

The final 100 ETHSecurity Badge holders are in! That brings us to 200 security experts, guiding how TheDAO allocates its funds and also coordinating behind the scenes to make Ethereum safer. Big thanks to everyone who engaged with the process and helped shape it, and to @bonfiresai for building the tooling that made it possible.

1,206. That’s how many awards were distributed to C4 Wardens in 2025. Thank you to all of the Wardens who committed their time each day to making C4 the place where the best researchers compete. And a special shoutout to the Wardens who finished in the top 10 on the C4 Leaderboard over the past 365 days!

We’ve had a glowup! Since 2017, we have conducted over 600 audits. Today, we offer everything from protocol design to operational security, training, economic advisory, and pentesting. New look, new services. The same uncompromising quality! Book. Secure. Relax.

Welcome back to Sherlock's Vulnerability Spotlight, where we highlight an impactful vulnerability uncovered during a Sherlock audit. This week, we have Deposit Spoofing. It was uncovered by @0xalpharush & @bernd_eth on the @zetachain Cross-Chain Contest. 🧵

Let's go! Happy to have placed 2nd 🥈 in the recent @zetachain contest, hosted by @sherlockdefi Although my streak of 4 consecutive Cosmos SDK audit contest wins has ended, I'm still proud to help improve the security of this ecosystem. On to the next challenge!

🏆 @zetachain Audit Contest Results 🏆 Congrats to: 1. @gjaldon - $93,612 35,000 ZETA 🥇 2. @bernd_eth - $41,431 20,000 ZETA 🥈 3. @0xSimao - $9,440 10,000 ZETA 🥉 $200,000 rewards ➡️ $15.8M paid out in rewards.

SR-Boat Cannes edition A full day of touching water and finally getting some sun with @amyyy_g_ @heavyw8t_ @MartinMarchev @mattaereal @n4nika_ @bitbugshar @MarioPoneder @eugenioclrc @bernd_eth @p_misirov @BazziBazzani @HickupH @kamensec @rotcivegaf @gorgut_ @0xWeisss

🏆 @zetachain Audit Contest Results 🏆 Congrats to: 1. @gjaldon - $93,612 35,000 ZETA 🥇 2. @bernd_eth - $41,431 20,000 ZETA 🥈 3. @0xSimao - $9,440 10,000 ZETA 🥉 $200,000 rewards ➡️ $15.8M paid out in rewards.

hello world computer

2024 was another amazing year for TrustSec! Super proud of the impact the team has made year-round. We've done a bit of everything: - Solo audits - Team audits - Public contests - Bounties - Bounty coaching - Retainer services - Consultation - Mathematical modelling - Gas audit - Test audit - R&D outsourcing - Emergency services - Judging - In-house contests Total revenue for the year is $4,646,000, with ~$1,450,000 paid to other members for their exceptional work. This is a serious step up⬆️. We thank our clients for trusting us with their most sensitive assets in an increasingly competitive security landscape. We express our gratitude through the quality we bring to each and every engagement 🙏. Below are some of the projects that we directly impacted in 2024, we want to name them as they are now part of the TrustSec family tree, each in their own way. - @aave - Bounty - @zksync - Audit - @Uniswap - C4 Contest top #3, Bounty - @Optimism - Audit, Sherlock contest top #1, bounty - @reserveprotocol - Strategic retainer & audits - @Curvance - Strategic retainer, contest judging - @Juice_Finance - Strategic retainer, audits, R&D, in-house contest - @graphprotocol - Audit - @StoryProtocol - Strategic retainer & audits - @AbstractChain - Audits - @MIM_Spell - C4 Contest top #1 - @THORChain - Audit, contest judging - @withAUSD - Audit - @OlympusDAO - Audits - @0xSplits - Bounty - @StakeDAOHQ - Audits - @perpprotocol - Bounty - @AgoraGovernance - Audits - @linkpoolio - Audits - @HookProtocol - Audit - @zerolendxyz - Immunefi Contest top #1 - @heylunchbreak - Audit - @LairFinance - Audit - @CloberDEX - Audits - @dHedgeOrg - Audit - @BaselineMarkets - Audit - @3_finance_ - Audit - @sentimentxyz - Bounty - @hypercerts - Audit - @onchainheroes - Audit - @squeeze_dot_it - Audit - @sigmatrading - Audit - @Mozaic_Fi - Audits - @prtyDAO - Audit - @sommfinance - Bounty - @PhenomPokerApp - Audit - @KAYEN_Protocol - Audits - @xeal_ai - Audit - @tenderize_me - Audit - @y2kfinance - Bounty - @degenexpress69 - Audit - @CashmereLabs - Mathematical modelling - @UniversalSwaps - Audit Throughout the year, we've kept looking for ways to optimize our team's processes and hive mind strategy, as that is one of the defining factors of a team audit's success. We've also searched for industry-wide soft spots, going at times where no one has stepped before. With the high demand, we've also strengthened our lines with rising stars, who swiftly proved their great skills. In 2025, we aim to strengthen our existing bonds with clients while expanding our network through new partnerships. We'll also try to find more ways of sharing our expertise with the community, something we did not allocate sufficient time to this year. So here’s to a New Year filled with growth, collaboration, and success - together, let’s make 2025 the most secure year yet!

devcon may be over but these hackers are people of focus, commitment and sheer fucking will, they are just getting started. give them a follow 👇

Since YOU have shared attack specifics, it is within my rights to respond and refute your incorrect assessment. Your argument: "Max approval to a router contract is a user error." - The attack doesn't require max approval. It can steal any approved funds. - Interaction with routers is generally approve(), then someSwap(). Between the two calls there will by definition be a window where attack can sandwich and steal the approved funds before being swapped (unless it's only ever used by contracts who do these atomically, which absolutely can't be inferred here). - Even if that's not the case, anyone with remote understanding of DeFi protocols knows theft of max approval is in scope unless there is a specific warning against it in the docs. A user would not be making a mistake by doing max approve. It is quite embarrassing to even see this line of defense being made in public. - We demonstrated live money at risk, if all that is not enough. Security platform judges, please comment with how this would be judged in your feed.