LSR @Spearbit - Triage @Hacker0x01 | ex-@Quantstamp | ex-@HalbornSecurity

Joined May 2024
strukt retweeted
Reminder: msg.sender.code.length == 0 is dead post-EIP-7702. An EOA can delegate to a contract for the duration of a tx - so it has code while still being controlled by a private key. Every contract still using codesize as an EOA check is now a bypass.
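Added example, not code from the post above. It puts the codesize gate the post calls dead next to a helper that recognises an EIP-7702 delegation designator (the account's code becomes exactly 23 bytes: 0xef0100 followed by the 20-byte delegate address), so a reviewer can see why `code.length` no longer separates key-controlled accounts from contracts in either direction. The Airdrop contract, its function names and the claim logic are made up for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Classify an account once EIP-7702 delegation designators exist.
library AccountKind {
    enum Kind { Codeless, Delegated, Contract }

    /// EIP-7702 sets the account's code to 0xef0100 || delegate (23 bytes).
    /// EXTCODESIZE/EXTCODECOPY return this designator, not the delegate's code.
    function isDelegatedEoa(address a) internal view returns (bool) {
        bytes memory code = a.code;
        return code.length == 23
            && code[0] == bytes1(0xef)
            && code[1] == bytes1(0x01)
            && code[2] == bytes1(0x00);
    }

    /// Delegate address embedded in the designator; zero if not delegated.
    function delegateOf(address a) internal view returns (address delegate) {
        if (!isDelegatedEoa(a)) return address(0);
        bytes memory code = a.code;
        assembly {
            // Data starts at code+32; bytes 3..22 hold the delegate.
            // Load 32 bytes from offset 3 and keep the top 20.
            delegate := shr(96, mload(add(code, 35)))
        }
    }

    function classify(address a) internal view returns (Kind) {
        if (a.code.length == 0) return Kind.Codeless;
        if (isDelegatedEoa(a)) return Kind.Delegated;
        return Kind.Contract;
    }
}

/// Hypothetical airdrop that wanted "humans only". Both gates are shown as
/// they are commonly written, with what each actually proves post-7702.
contract Airdrop {
    using AccountKind for address;

    mapping(address => bool) public claimed;

    /// The gate from the post. A delegated EOA has 23 bytes of code, so a
    /// key-controlled account is rejected here, and the inverse assumption
    /// ("code.length > 0, therefore a contract, not a private key") is what a
    /// delegated EOA bypasses. Neither direction identifies a key holder.
    function claim() external {
        require(msg.sender.code.length == 0, "contracts not allowed");
        _claim(msg.sender);
    }

    /// tx.origin == msg.sender does not help either: an EOA that sends a
    /// transaction to itself executes its delegate's code with
    /// msg.sender == tx.origin == the EOA, so arbitrary contract logic
    /// (batching, reentrancy, atomic flash-loan flows) passes this gate.
    function claimViaOriginCheck() external {
        require(tx.origin == msg.sender, "contracts not allowed");
        _claim(msg.sender);
    }

    /// What a contract can still learn about the caller: its shape, not who
    /// controls it.
    function kindOfCaller() external view returns (AccountKind.Kind) {
        return msg.sender.classify();
    }

    function _claim(address who) internal {
        require(!claimed[who], "already claimed");
        claimed[who] = true;
    }
}
```

The practical consequence is the same one auditors drew from the constructor-codesize trick years ago, now without the constructor caveat: gate on what the contract actually needs (a nonce, a signature from a specific key, a reentrancy lock), not on whether the caller has code.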
❗️🚨 BREAKING: Security researchers are now handing out Nightmare-Eclipse vulnerabilities for free, in what looks like both a show of support and a reaction to how Microsoft treats researchers. First up: "Bitskrieg," which violates Secure Boot trust and fully bypasses BitLocker. It seems aimed squarely at Microsoft's recent blog, where the company said its Digital Crimes Unit would bring cases against threat actors "and those that enable their criminal activity," language many researchers read as a threat pointed at them.
strukt retweeted
If you can't explain things well, people are just going to assume you are a slop cannon and you don't understand how your own projects work. If you can explain things "well," but you don't hold up under probing, people will assume you just memorized a script. The ability to learn well = the ability to explain what you are learning and to proactively challenge your own understanding.
strukt retweeted
🚨 Bitwarden CLI 2026.4.0 was compromised as part of the ongoing Checkmarx supply chain campaign after attackers abused a GitHub Action in Bitwarden’s CI/CD pipeline. We’ll continue updating our coverage as more details are confirmed. socket.dev/blog/bitwarden-cl…
strukt retweeted
Apr 22
We're looking to hire a Staff Security Product Engineer. You'll be working on frontier security products: Clarion (an autonomous security operations platform) and Apex (an autonomous bug hunter). Link below:
We're hiring a Staff Security Product Engineer. What we're looking for:
- Security engineering, AppSec, detection, or incident response background
- Ships code (TypeScript / Node.js)
- Reasons through ambiguity and surfaces risks early
Apply: jobs.ashbyhq.com/cantina.sec…
strukt retweeted
Announcing the Solana Audit Arena ⚔️ A free, weekly security competition for Solana security researchers. Every Monday I drop a new Anchor program, built using the safe-solana-builder tool and real-world DeFi implementation. Why?
→ Junior researchers have no clear path to prove themselves
→ No practice ground with realistic Solana programs
→ AI is raising the floor; you need to be above it
github.com/Frankcastleaudito…
strukt retweeted
I Saved Injective's $500M. They Pay Me $50K.
I like hunting bugs on @immunefi. I'm decent at it.
- #1 — Attackathon | Stacks
- #2 — Attackathon | Stacks II
- #1 — Attackathon | XRPL Lending Protocol
- 1 Critical and 1 High from bug bounties (not counting this one)
Life was good. Then I found a Critical vulnerability in @injective. This vulnerability allowed any user to directly drain any account on the chain. No special permissions needed. Over $500M in on-chain assets were at risk.
I reported it through Immunefi. The next day, a mainnet upgrade to fix the bug went to governance vote. The Injective team clearly understood the severity.
Then — silence. For 3 months. No follow up. No technical discussion. Nothing.
A few days ago, they notified me of their decision: $50K. The maximum payout for a Critical vulnerability in their bug bounty program is $500K.
I disputed it. Silence again. No explanation for the reduced payout. No explanation for the 3-month ghost. No conversation at all.
To be clear: the $50K has not been paid either.
I've seen others share bad experiences with bug bounty payouts recently. I never thought it would happen to me.
I can't force them to do the right thing. But I won't let this be forgotten. I will dedicate 10% of all my future bug bounty earnings to making sure this story stays visible — until Injective pays what I deserve.
Full Technical Report: github.com/injective-wall-of…
How is it possible that a call to address(1) returns data? Precompiles address(1) = call to ecrecover transaction tx-graph-eight.vercel.app/tx…
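Added example, not code from the post above. It calls the precompile at address(1) by hand, so the return data the post asks about is visible, and checks it against the `ecrecover` builtin. The contract and function names are made up; the precompile's input layout (hash, v padded to 32 bytes, r, s) and its behaviour on bad input (a successful call with empty return data, no revert) are part of the EVM.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Hypothetical helper that exposes both ways to reach the ecrecover precompile.
contract Precompile01 {
    address constant ECRECOVER = address(1);

    /// Raw STATICCALL to address(1). Input is 128 bytes: hash || v || r || s,
    /// each left-padded to 32 bytes (abi.encode of four 32-byte words gives
    /// exactly that). Output is 32 bytes with the recovered address
    /// left-padded, or empty when recovery fails (e.g. v not in {27, 28},
    /// r or s out of range). The call still reports success, so the return
    /// data length is the only signal.
    function recoverRaw(bytes32 hash, uint8 v, bytes32 r, bytes32 s)
        public
        view
        returns (bool ok, address signer)
    {
        bytes memory input = abi.encode(hash, uint256(v), r, s);
        (bool success, bytes memory out) = ECRECOVER.staticcall(input);
        if (!success || out.length != 32) return (false, address(0));
        signer = abi.decode(out, (address));
        ok = signer != address(0);
    }

    /// The builtin is the same call with the output slot zeroed first, which
    /// is why a failed recovery surfaces as address(0) rather than a revert,
    /// and why every caller must reject the zero address.
    function recoverBuiltin(bytes32 hash, uint8 v, bytes32 r, bytes32 s)
        public
        pure
        returns (address)
    {
        return ecrecover(hash, v, r, s);
    }

    /// Both paths agree: same signer on success, zero/empty on failure.
    function agree(bytes32 hash, uint8 v, bytes32 r, bytes32 s)
        external
        view
        returns (bool)
    {
        (bool ok, address raw) = recoverRaw(hash, v, r, s);
        address builtin = recoverBuiltin(hash, v, r, s);
        return ok ? raw == builtin : builtin == address(0);
    }
}
```

In a trace this is why a plain CALL to 0x000…001 carrying 128 bytes of input shows 32 bytes of return data: there is no contract code at that address, the client runs native code for it and hands back the recovered address.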
strukt retweeted
✨Introducing evmresearch✨✨ A knowledge graph of nearly everything I've learned about the EVM in the past six years The graph structure emulates the brain, exponentiating research speeds for both humans and agents evmresearch.io/
strukt retweeted
I audited an OTC escrow protocol on @solana
3 Criticals
4 Highs
Every single critical came from a different root cause. But they all shared the same origin: the program made assumptions about accounts it never actually enforced.
strukt retweeted
#PeckShieldAlert The IoTeX[.]io Bridge @iotex_io has been hacked for over $8M worth of crypto due to a compromised private key. The hacker has swapped the stolen funds to $ETH and has started bridging them to #BTC via #Thorchain.
strukt retweeted
Published a writeup about a password reset flow using HMAC. An attacker could create valid tokens for other accounts by manipulating the values around the boundaries when the values got concatenated. asdf.foo/2026/02/13/using-hm…
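Added example, not code from the post above or the linked writeup. The post describes an HMAC reset token over concatenated fields that an attacker could re-parse at a different field boundary. The same defect exists on the EVM whenever a digest is taken over `abi.encodePacked` with more than one variable-length field, so this shows it there, with `keccak256` over a hypothetical contract secret standing in for the HMAC (nothing stored on-chain is secret; the point is the encoding, not the key). Contract, function names and the sample user IDs are made up.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Hypothetical reset-token issuer/verifier.
contract ResetToken {
    bytes32 private immutable secret;   // illustrative stand-in for the HMAC key

    constructor(bytes32 s) { secret = s; }

    /// Vulnerable: userId and expiry are variable-length strings packed back
    /// to back with no length or separator, so the bytes of
    /// ("12", "345") and ("123", "45") are identical and hash identically.
    function tokenPacked(string memory userId, string memory expiry)
        public view returns (bytes32)
    {
        return keccak256(abi.encodePacked(secret, userId, expiry));
    }

    /// Fixed: abi.encode length-prefixes every dynamic field, so the boundary
    /// between userId and expiry is part of what is authenticated.
    function tokenEncoded(string memory userId, string memory expiry)
        public view returns (bytes32)
    {
        return keccak256(abi.encode(secret, userId, expiry));
    }

    function verifyPacked(string memory userId, string memory expiry, bytes32 token)
        external view returns (bool)
    {
        return token == tokenPacked(userId, expiry);
    }

    function verifyEncoded(string memory userId, string memory expiry, bytes32 token)
        external view returns (bool)
    {
        return token == tokenEncoded(userId, expiry);
    }

    /// The attack in one call: a token legitimately issued to user "12" with
    /// expiry "345" is accepted for user "123" with expiry "45" under the
    /// packed scheme (returns true) and rejected under the encoded scheme
    /// (returns false).
    function crossAccountReplay(bool packed) external view returns (bool) {
        bytes32 issuedToAttacker = packed
            ? tokenPacked("12", "345")
            : tokenEncoded("12", "345");
        bytes32 neededForVictim = packed
            ? tokenPacked("123", "45")
            : tokenEncoded("123", "45");
        return issuedToAttacker == neededForVictim;
    }
}
```

Off-chain the fix is the same idea: serialise each field with a fixed width or an explicit length prefix before MACing, and never rely on a separator character that a field could itself contain.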
strukt retweeted
One line of Move code that trips up every Solidity auditor:
let val = (amount as u64);
In Solidity, this silently truncates. In Move, this aborts the entire transaction. Same syntax. Opposite behaviour. Here's why it matters for audits:
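Added example, not code from the post above. A hypothetical vault keeps per-user balances in `uint64` to pack storage; the unlock path is written once with the silent Solidity downcast the post describes and once with a checked cast that re-creates Move's abort-on-overflow semantics by hand. In Solidity 0.8 only arithmetic is checked; an explicit conversion to a narrower type still keeps the low bits and drops the rest.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Hypothetical vault with uint64-packed balances.
contract PackedVault {
    mapping(address => uint64) public locked;
    uint256 public pool;   // total value held, in wei

    function lock() external payable {
        require(msg.value <= type(uint64).max, "too large");
        locked[msg.sender] += uint64(msg.value);   // checked add, cannot wrap
        pool += msg.value;
    }

    /// Vulnerable: uint64(amount) keeps only the low 64 bits.
    /// With amount = 2**64 + 1 the balance check sees 1, passes for anyone
    /// who locked at least 1 wei, and the payout uses the full 256-bit
    /// amount: roughly 18.4 ETH (2**64 wei) more than the caller locked,
    /// as long as the pool holds it.
    function unlockUnchecked(uint256 amount) external {
        uint64 amt = uint64(amount);
        require(locked[msg.sender] >= amt, "insufficient");
        locked[msg.sender] -= amt;
        pool -= amount;   // only reverts if the pool is smaller than amount
        payable(msg.sender).transfer(amount);
    }

    /// Move's `(amount as u64)` behaviour, written out: abort unless it fits.
    function toUint64(uint256 x) internal pure returns (uint64) {
        require(x <= type(uint64).max, "downcast overflow");
        return uint64(x);
    }

    /// Fixed: the oversized amount reverts before any balance logic runs.
    function unlockChecked(uint256 amount) external {
        uint64 amt = toUint64(amount);
        require(locked[msg.sender] >= amt, "insufficient");
        locked[msg.sender] -= amt;
        pool -= amount;
        payable(msg.sender).transfer(amount);
    }
}
```

When reviewing Solidity, every narrowing cast on a user-supplied value deserves the question the Move compiler answers for you: what happens to the high bits, and is the check performed on the same width as the value that is later spent?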
strukt retweeted
2026, the year of the AI-driven attacker that could do back flips, they said. Meanwhile, there's a magic number that allows Auth Bypass against Ivanti EPM (CVE-2026-1603) something about a pledge 🙄