@taichiaudit Founder | Web3 Security Researcher @yAuditDAO @zenith256 @fuzzland_ @plainshift | Core Member @DeFiHackLabs

Joined January 2018
Pinned Tweet
After ~3.5 years in web3 security, I finally achieved 300 crit/h/m count!😂Here is my updated portfolio: ret2basic.me/audits.html Any firm looking for contract-based auditor with move/solana/cosmwasm/daml experience? Happy to chat😁

codex, make me an ethernaut style backdoor
🚨SlowMist TI Alert🚨 💸 Loss: 14.411518807585587 ETH 🔍 Root Cause: Storage slot collision between `ATOHook.rewards` mapping slot and Solady `ReentrancyGuard` fixed slot (`0x02215292eb9609279094554c6e223f800950648ddfa3da30329838d6c170928d`). The `nonReentrant` modifier in `getReward()` writes sentinel value `0xffffffffffffff` to the guard slot, which is simultaneously read as `rewards[attackContract]` due to the collision. This inflated reward is paid as ETH each call, allowing 200 repeated claims. 📌 Attacker (EOA): 0x2d2aafc193c24e59bd16139056ac9b4df4d37ad0 📌 Victim Contract: 0xa10de71ddb4e0d51938ef6e0118822e157a62888 📌 Attack Contract: 0x2441e480f62bf609a08da09143e4baf8a817d757 Storage collision between reward accounting and reentrancy guard enables unlimited reward drainage. Powered by #SlowMist.AI etherscan.io/tx/0xe4e2cc3b06…
Me and my buddy @sin1st3r__ on tv! 😎 Thank you zenith!
100 private audits. 7 1st place contest finishes. Thousands of hours of experience. These three Zenith Security Researchers are among the industry’s best, but they didn’t start that way. Here's their advice for those of you who are starting out (or just looking to level up):
🍿🍿🍿
Jun 3
If you’re wrong, own it. If you mishandle a responsible disclosure, take your lumps.
@codephobic I followed USD8’s own security.md, privately submitted a Loss of Funds bug with a working PoC, then watched it get quietly patched with no credit and mocked as spam. This is exactly how you teach researchers that responsible disclosure is a sucker's game. I documented the case here: github.com/SuplabsYi/Crypto-… cc @openzeppelin @demibrener @holajotola
Only a few hours left to submit final findings for code4rena😜
rareskills.io/post/circom-ar… See the "The bug in the code" section by @RareSkills_io. In a usual programming language we would do `if (s == t) return;` to handle this special case, but we can't do that in circom since both `s` and `t` are signals, which are unknown during compilation.
A friendly reminder: when designing a circom circuit it is important to work through such edge cases carefully. If not properly handled, in a usual programming language it leads to redundant computation only, but in a zk DSL it can lead to an actual logic bug.
When learning circom, many people learn this rule: `<--` does not add constraints. `<==` adds constraints. True. But there is another question: if `<--` is not in the circuit, where does its computation actually happen? (Yes I am reviewing circom)
Useful mental model: `<--` computes a witness value. `===` adds a constraint. `<==` does both. So `y <== x * x;` is roughly `y <-- x * x; y === x * x;`.
Main lesson: `<--` tells the witness calculator how to compute. Constraints tell the proof system what must be true. If something only appears in `<--`, it is computed but not automatically proven.
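The three tweets above (witness hint vs. constraint) as an added worked example, written for this page and not code from the thread's author: a small Python model of circom's `<--` / `===` semantics over the BN254 scalar field, using circomlib's `IsZero` template as the case study. Function and constant names here (`witness_is_zero`, `verify`, `forge`, the constraint lists) are my own; the circom lines quoted in the comments are the standard circomlib template. It shows concretely that a signal which only appears on a `<--` line is computed but not proven: a prover who keeps the honest witness calculator output but rewrites `inv` and `out` is accepted by the unconstrained circuit, accepted by a circuit that only has the `<==` line, and rejected only once `in * out === 0` is present.

```python
# Added example: Python model of circom's `<--` vs `===`, not circom itself.
# BN254 scalar field, the default field circom compiles to.
P = 21888242871839275222246405745257275088548364400416034343698204186575808495617


def witness_is_zero(x):
    """The `<--` side: what the witness calculator computes for circomlib IsZero.

    circom:  inv <-- in != 0 ? 1 / in : 0;
             out <-- -in * inv + 1;   (a pure witness hint if written with <--)
    Division is not expressible as a constraint, so `inv` must be a hint.
    """
    x %= P
    inv = pow(x, P - 2, P) if x else 0   # field inverse via Fermat; 0 has none
    out = (1 - x * inv) % P
    return {"in": x, "inv": inv, "out": out}


# The `===` side: what the proof system actually enforces.
# An all-`<--` circuit enforces nothing, whatever the witness calculator did.
UNSAFE_CONSTRAINTS = []

# circomlib IsZero:
#   out <== -in * inv + 1;   -> the witness hint above plus constraint [0]
#   in * out === 0;          -> constraint [1]; without it inv=0,out=1 is valid
SAFE_CONSTRAINTS = [
    ("out === -in*inv + 1", lambda w: (w["out"] - (1 - w["in"] * w["inv"])) % P == 0),
    ("in*out === 0",        lambda w: (w["in"] * w["out"]) % P == 0),
]
# Circuit that keeps only the `<==` line: still underconstrained.
HALF_CONSTRAINTS = SAFE_CONSTRAINTS[:1]


def verify(constraints, w):
    """Names of violated constraints; an empty list means the witness is accepted."""
    return [name for name, ok in constraints if not ok(w)]


def forge(w, **overrides):
    """A malicious prover keeps the honest witness but rewrites chosen signals."""
    forged = dict(w)
    forged.update({k: v % P for k, v in overrides.items()})
    return forged


if __name__ == "__main__":
    honest = witness_is_zero(5)            # honest: inv = 5^-1, out = 0
    lie = forge(honest, inv=0, out=1)      # prover claims "5 is zero"
    print("honest under ===     :", verify(SAFE_CONSTRAINTS, honest))
    print("forged under <-- only:", verify(UNSAFE_CONSTRAINTS, lie))
    print("forged under <== only:", verify(HALF_CONSTRAINTS, lie))
    print("forged under full ===:", verify(SAFE_CONSTRAINTS, lie))
```

The point of the `HALF_CONSTRAINTS` case is the one the thread is making: `out <== -in*inv + 1` does add a constraint, but `inv` itself is only ever assigned with `<--`, so the constraint can be satisfied by a forged `inv`. The extra `in * out === 0` is what ties the hint to the statement being proven.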
😂Dario wasn't in Trump's delegation and got pissed off?
We've published a paper that explains our views on AI competition between the US and China. The US and democratic allies hold the lead in frontier AI today. Read more on what it’ll take to keep that lead: anthropic.com/research/2028-…
😂 A modern-day Naoe-jō (直江状)
I am not here to trash $Cantina outright, but this is the truth from multiple whitehats who’ve hunted there. Cantina positions itself as the premium Web3 bug bounty platform: AI spam filtering, expert triage, Spearbit backing, promising high-signal reports and fewer headaches than the big general platforms. They host massive programs ($Coinbase, dYdX $1M scopes, $Aave CTFs, etc.) and pay out real money. That is why top researchers still show up. But the complaints are piling up, and they’re not just “tough triage.” They’re systemic issues that leave whitehats burned, valid critical bugs rejected with gaslighting, and protocols getting away with it. Here is what researchers are actually experiencing:

> Triage that defaults to the client’s perspective. Cantina’s own docs admit they “default to client’s perspective” in disputes. Mediation often downgrades critical findings (e.g., monetary loss capped at Low severity even when the auditor showed clear fund loss risk). One firm documented ~104 judging errors in a single contest (wrong dupes, invalid rejections, severity drops) and still waited 8 months for resolution while token prices tanked and payouts shrank in value.

> Rejections that look like gaslighting. The now-public CVE-2026-4931 case is the clearest example. Researcher submitted a critical integer truncation bug in Marginal V1 with mainnet fork PoC, EVM traces, video walkthrough, and exact SafeCast fix. Protocol emergency paused four days later, stealth patched the exact issue, then Cantina rejected it claiming “impossible, uses Gnosis Safe” and misidentified bytecode. Even after CERT/CC assigned the CVE (CVSS 9.1 Critical), radio silence from Cantina/Spearbit. Researchers call it straight-up denial to avoid payout.

> Insane delays and ghosting on resolved findings. 8-month contest resolutions are not rare. Payouts drag even after mediation. One top auditor outperformed the leaderboard 3-7x in solo findings… then vowed never to return because the post-contest experience was “terrible.”

> Reputation/signal penalties that punish edge cases. Like other platforms, rejections tank your signal score. But Cantina’s strict filtering (meant to kill spam) combined with sponsor-favoring verdicts makes it feel like the house always wins on close calls.

> Fellowship exclusivity clauses that lock researchers in. Cantina Fellows can’t submit to other platforms or notify projects directly, even if millions are at risk. All intel funnels through Cantina first. Bow down or leave energy.

> Client scam allowance. Platforms like Immunefi will boot a sponsor after repeated non-payment. Cantina reportedly allows sponsors 5 bounty scams per year before any real consequences. That’s not researcher first.

Compare that to platforms with clearer SLAs (HackenProof-style fast triage and payment timelines) or stricter sponsor accountability. Cantina’s “high-signal” model is great for protocols (they get fewer noisy reports) but it’s extracting value from the whitehat side.

Simple fixes that would change everything:
• Enforce real mediation: one or two sponsor violations = removal. No more 5-scam allowance.
• Independent appeal board (not defaulting to client view).
• Require protocols to escrow full bounty pools upfront (like some competitions already do).
• Publish transparent triage reasoning and let researchers challenge false bytecode/“impossible” claims with evidence.
• Drop the aggressive exclusivity clauses and give Fellows actual freedom.
• Public SLAs: triage in X days, mediation in Y days, payment in Z days after fix. No more 8-month black holes.

Cantina pays some of the biggest Web3 bounties and has real expertise behind it. That is exactly why the space needs them to fix this. Right now the system is pushing good whitehats toward frustration, private disclosures, or worse, and that hurts everyone who cares about on-chain security.
Bye code4rena🥹 What’s next web3 SRs, what do you plan to do next? Any new field that has opportunities like code4rena back in 2021?