Web3 Security Researcher | Blockchain | Built @me0wverse | check the highlights

Joined January 2019
Pinned Tweet
28 Jul 2025
SECURITY WITH SISI
This week's topic: Telegram wallet drainers

If you keep up some of these habits, you'll be their next victim.
◈ Using your main wallet for every site and interaction
◈ "Connect wallet" requests from Telegram bots
◈ Never revoking access

There's an influx of Telegram-based drainer scams lately. Not the old, boring kind. These ones are slick, interactive and feel legit.

One major method I noticed is fake Telegram bots or accounts pretending to buy OG usernames. Let's say you're offered the chance to sell your OG username. You click the bot, connect your wallet, approve a "message signature"... and boom. Your wallet's empty.

The bot sends a malicious signature request disguised as a verification or payment step. You think it's harmless. "Just signing a message." Some signatures give access to session keys used in wallet drainers like Angel Drainer. These keys stay active and can drain assets over time, even days later.

Recently a user signed into a "username marketplace bot" on Telegram. They just clicked through. Didn't notice the bot used a fake domain and asked for a signature. 20 minutes later, all their ETH and USDC gone. The bot? Still running. New victims daily.

I have personally encountered a few scammers and entertained chats with them because I like learning their tactics that way.

Here's the plot twist: these drainers are sold as kits. Plug-and-play tools scammers rent for 30% of the stolen funds. They even offer customer support. Welcome to Drainer-as-a-Service. Popular ones are:
▪ Angel Drainer
▪ Inferno Drainer (now shut down, but clones exist)
▪ VenomKit
and many more.

Here's how to stay safe:
◈ Never connect your wallet to random Telegram bots or websites, especially those offering usernames, NFT or token claims.
◈ Use burner wallets.
◈ Stay updated; wallet drainers evolve monthly. Tools like Revoke.cash, Blowfish and Pocket Universe can alert you to shady approvals/signatures.
◈ Don't trust, verify. Always check the URL, the project and the community before you click.

Telegram, Discord, fake Twitter job offers… drainers are where you are. Keep your wallet cold and your security habits clean.

Thank you for reading, stay safu and don't get rekt.
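The "message signature" step the post describes is usually an EIP-712 typed-data request, and the difference between a harmless sign-in challenge and a standing token allowance is visible in the payload before anything is signed. The following is an added example (not from the original post, and not the code of any tool it names) of a wallet-side pre-signing check; the approval type names follow EIP-2612 and Permit2, while the allow-list, the one-week threshold and the sample payload are assumptions for illustration.

```javascript
// Added example (not from the original post): a defender-side pre-signing check
// for EIP-712 typed-data requests, the mechanism behind the "just sign a message"
// step the drainer bots rely on. It flags what turns a signature into a standing
// allowance: Permit/Permit2 approval types, unlimited amounts, long validity
// windows and spenders outside an allow-list. The allow-list, the one-week
// threshold and the sample payload below are assumptions for illustration.
const MAX_UINT256 = (1n << 256n) - 1n;
const MAX_UINT160 = (1n << 160n) - 1n; // Permit2 amounts are uint160
const ONE_WEEK = 7 * 24 * 3600;
const APPROVAL_TYPES = new Set(['Permit', 'PermitSingle', 'PermitTransferFrom']);

function assessTypedData(typedData, now, knownSpenders = []) {
  const warnings = [];
  const { primaryType, message = {}, domain = {} } = typedData;
  if (!APPROVAL_TYPES.has(primaryType)) {
    return { risky: false, warnings }; // e.g. a plain sign-in challenge
  }
  warnings.push(`${primaryType} grants token spending rights with no on-chain transaction`);
  const spender = String(message.spender || '').toLowerCase();
  if (!knownSpenders.map((s) => s.toLowerCase()).includes(spender)) {
    warnings.push(`spender ${spender || '<missing>'} is not on the allow-list`);
  }
  // EIP-2612 keeps value/deadline at top level; Permit2 nests the amount in
  // `details` (PermitSingle) or `permitted` (PermitTransferFrom).
  const details = message.details || message.permitted || message;
  const amount = BigInt(details.value ?? details.amount ?? 0);
  if (amount === MAX_UINT256 || amount === MAX_UINT160) warnings.push('unlimited allowance requested');
  const expiry = Number(details.deadline ?? details.expiration ?? message.deadline ?? message.sigDeadline ?? 0);
  if (expiry - now > ONE_WEEK) warnings.push('allowance stays valid for more than a week');
  if (!domain.verifyingContract) warnings.push('domain names no verifyingContract; unknown token');
  // The first entry is informational; any further finding makes the request risky.
  return { risky: warnings.length > 1, warnings };
}

// Constructed sample: an EIP-2612 Permit of the shape a fake "verification step" might show.
const SAMPLE_PERMIT = {
  domain: { name: 'Token', version: '2', chainId: 1, verifyingContract: '0x' + '11'.repeat(20) },
  primaryType: 'Permit',
  message: {
    owner: '0x' + '22'.repeat(20),
    spender: '0x' + 'ab'.repeat(20),
    value: MAX_UINT256.toString(),
    nonce: 0,
    deadline: MAX_UINT256.toString(), // effectively never expires
  },
};
```

Run against `SAMPLE_PERMIT`, the check reports an unlimited, never-expiring allowance to an unknown spender, which is exactly the shape of request the post says drains a wallet days after the click.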
Sisi retweeted
A moving babe will jam her MSc and PhD degrees someday ✨
Sisi retweeted
Me crying over every little thing even though I’m a very wicked person
Jun 15
Most of y'all already saw me on TikTok, sooo it's pointless now lol

Jun 15
Gm guys, missed me?
Jun 15
Abeg Abeg

Jun 15
gm gm This week is going to be a good and profitable one
Jun 13
This is what I was scared of, lol
Jun 13
Hi guys

May 30
I know my sage plant is straight up cursing me out rn cause it's about to rain again. Sorry sweedy, this ain't Italy.... it's Ibadan 🤧
Sisi retweeted
Meanwhile I saved an ecosystem from a massive $800m hack and the team is offering me $4k. Whitehats lose every time.
🚨 Breaking 🚨 ⚠️ The attacker behind the $11.58M Verus exploit has reportedly returned $8.6 million. The exploiter kept around $2.8M as a bounty reward.
Sisi retweeted
Transmission Found hermians.xyz/
Community note
Nous Research states they are not affiliated with this project, despite the bio claim. x.com/NousResearch/s…
Sisi retweeted
[Yuto Nagatomo: "We have a big dream"] news.yahoo.co.jp/pickup/6580…

Sisi retweeted
[Kanagawa Prefectural Board of Education: five teachers dismissed in disciplinary action] news.yahoo.co.jp/pickup/6580…

Sisi retweeted
I am not here to trash $Cantina outright, but this is the truth from multiple whitehats who've hunted there.

Cantina positions itself as the premium Web3 bug bounty platform: AI spam filtering, expert triage, Spearbit backing, promising high-signal reports and fewer headaches than the big general platforms. They host massive programs ($Coinbase, dYdX $1M scopes, $Aave CTFs, etc.) and pay out real money. That is why top researchers still show up.

But the complaints are piling up, and they're not just "tough triage." They're systemic issues that leave whitehats burned, valid critical bugs rejected with gaslighting, and protocols getting away with it.

Here is what researchers are actually experiencing:

> Triage that defaults to the client's perspective. Cantina's own docs admit they "default to client's perspective" in disputes. Mediation often downgrades critical findings (e.g., monetary loss capped at Low severity even when the auditor showed clear fund loss risk). One firm documented ~104 judging errors in a single contest (wrong dupes, invalid rejections, severity drops) and still waited 8 months for resolution while token prices tanked and payouts shrank in value.

> Rejections that look like gaslighting. The now-public CVE-2026-4931 case is the clearest example. Researcher submitted a critical integer truncation bug in Marginal V1 with mainnet fork PoC, EVM traces, video walkthrough, and exact SafeCast fix. Protocol emergency paused four days later, stealth patched the exact issue, then Cantina rejected it claiming "impossible, uses Gnosis Safe" and misidentified bytecode. Even after CERT/CC assigned the CVE (CVSS 9.1 Critical), radio silence from Cantina/Spearbit. Researchers call it straight-up denial to avoid payout.

> Insane delays and ghosting on resolved findings. 8-month contest resolutions are not rare. Payouts drag even after mediation. One top auditor outperformed the leaderboard 3-7x in solo findings… then vowed never to return because the post-contest experience was "terrible."

> Reputation/signal penalties that punish edge cases. Like other platforms, rejections tank your signal score. But Cantina's strict filtering (meant to kill spam) combined with sponsor-favoring verdicts makes it feel like the house always wins on close calls.

> Fellowship exclusivity clauses that lock researchers in. Cantina Fellows can't submit to other platforms or notify projects directly, even if millions are at risk. All intel funnels through Cantina first. "Bow down or leave" energy.

> Client scam allowance. Platforms like Immunefi will boot a sponsor after repeated non-payment. Cantina reportedly allows sponsors 5 bounty scams per year before any real consequences. That's not researcher-first.

Compare that to platforms with clearer SLAs (HackenProof-style fast triage/payment timelines) or stricter sponsor accountability. Cantina's "high-signal" model is great for protocols (they get fewer noisy reports), but it's extracting value from the whitehat side.

Simple fixes that would change everything:
• Enforce real mediation: one or two sponsor violations = removal. No more 5-scam allowance.
• Independent appeal board (not defaulting to client view).
• Require protocols to escrow full bounty pools upfront (like some competitions already do).
• Publish transparent triage reasoning and let researchers challenge false bytecode/"impossible" claims with evidence.
• Drop the aggressive exclusivity clauses and give Fellows actual freedom.
• Public SLAs: triage in X days, mediation in Y days, payment in Z days after fix. No more 8-month black holes.

Cantina pays some of the biggest Web3 bounties and has real expertise behind it. That is exactly why the space needs them to fix this. Right now the system is pushing good whitehats toward frustration, private disclosures, or worse, and that hurts everyone who cares about on-chain security.
May 13
With your ban policy?? Okayyyyy

Today, we're announcing that Immunefi is partnering with @code4rena to onboard their bug bounty customers to our platform following Code4rena's decision to wind down operations.

Code4rena played a huge role in shaping crypto security, and they deserve real recognition. As they wind down, our focus is to make sure every protocol continues to receive top-tier security. We're working hand-in-hand with the Code4rena team to make the transition as smooth as possible.

Protocol teams onboarding to Immunefi will get:
* Access to the largest and most elite whitehat community in crypto
* Professional triage and mediation, battle-tested across $135M in bounties paid
* Dedicated migration support to port over scope, rules, and reward structures

And to every C4 warden: we want you here. You've been the backbone of one of the most respected security communities in crypto, and your work has made this industry materially safer. Come join us in continuing that mission. We're committed to picking up the banner Code4rena raised around improving the whitehat experience.

A sincere thank you to the Code4rena team for trusting us to carry this forward, and for putting their customers' security first throughout this process. The industry is better for what they built. Onward.
Sisi retweeted
May 13
Contests are dead, cantina killed them
Sisi retweeted
An important update from the C4 team. 🧵
Sisi retweeted
May 13
🤯CODE4RENA SUNSETTING. THE END OF AN ERA Thank you for everything, code4rena, forever in our hearts <3