Reviewing smart contracts and making Web3 safer one protocol at a time | SR @NethermindSec

Joined September 2021
Poor man
🚨BREAKING: Someone just put $1M on Spain to WIN their match vs Cape Verde today. This pays out $1,085,943.48 on Polymarket
I will not post a meme about the new Claude model I will not post a meme about the new Claude model I will not post a meme about the new Claude model I will not post a meme about the new Claude model I will not post a meme about the new Claude model I will not post a meme about the new Claude model I will not post a meme about the new Claude model I will not post a meme about the new Claude model I will not post a meme about the new Claude model I will not post a meme about the new Claude model I will not post a meme about the new Claude model I will not post a meme about the new Claude model
1:20 AM, grinding
Are there any resources with attack vectors/ bugs/ vulnerabilities specific for prediction markets? For example (something I thought of): - what if Yes No shares > 1$? What if Yes No, are below 1? I'd like to get more ideas. @deadrosesxyz I guess you know a lot since you probably tried to mitigate a lot of them as you built ParlayIt? Mind sharing some?
Yes, this is EXACTLY why you become a whitehat. Not everybody is/wants to be a criminal. There's still good and hope in the world.
so you're telling me the guy who patched the zcash exploit had the chance to mint a couple billion free zec right before the fix and we're just supposed to assume he didn't
I got a new job offer, they pay me 40.000$ USD per month, I just need to install their custom Zoom extension and I'm good to go.
I spent this week learning Soroban. I read all their docs so you don't have to :D Below is a list with some standout differences between EVM and Stellar and of course, Solidity vs Soroban that I hope you'll find valuable:

• An EOA (Classic Accounts) can bundle 100 Operations in a transaction, but a transaction executing a smart contract (InvokeHostFunctionOp) is strictly capped at exactly one operation. It's like having "multicall" implemented at the protocol level for classic accounts, but smart contract invocations lose this capability.
• Host vs. Guest: The "Host" is the underlying Rust-based validator managing hardware and consensus, while the "Guest" is the isolated WebAssembly sandbox where your contract runs.
• The smallest base unit of the network token (XLM) is called a stroop, which equals 0.0000001 XLM or 10^-7.
• Classic Accounts must maintain a minimum balance tied to a "base reserve" in order to exist. The current base reserve is (0.5 XLM), and each EOA must hold 2x base reserve (1 XLM). Dropping below 1 XLM results in account deletion.
• State Costs Native Tokens: Classic Accounts use "subentries" to store data. Every single subentry requires the user to lock 1x base reserve (0.5 XLM) of the user's funds permanently, up to a hard cap of 1,000 subentries. If Alice wants to own USDC, she must hold 1.5 XLM on her account instead of 1, in order for it not to be deleted.
• Stellar Asset Contracts (SAC) are built-in tokens at the protocol level. Think USDC, but natively supported.
• The DoS Protection (Trustlines): To prevent attackers from DoSing Classic wallets via worthless SAC token airdrops that spawn subentries and lock up XLM, Stellar Classic Assets require explicit opt-in "Trustlines". You can't simply transfer these assets to a user's EOA. They must "opt in".
• Wasm Token Contracts: Pure Soroban Wasm tokens abandon this lockup model. The transaction caller pays the storage rent, meaning a sender can force-feed tokens into a receiver's wallet without consent, exactly like the EVM. A bit confusing, I know. You have two types of tokens, basically.
• Smart Contract Existence: Soroban contracts (C... addresses) bypass classic minimum balance requirements and operate on a dynamically metered I/O rent model paid by the transaction caller.
• The Stellar ledger is a global key-value store where state is decoupled from the contract address.
• Isolated Data: Code, contract instance configuration, and persistent data are all stored as completely independent LedgerEntry records in the global database.
• No Guest Serialization: The Wasm environment contains no serialization code; the native Rust Host validates and serializes all XDR object types across the boundary.
• The Primary Gas Limit: the transaction constraint is Ledger I/O storage access fees.
• I/O Gas Exhaustion: Using unbounded Vec or Map containers for protocol data forces the Host to deserialize the entire structure on every call, leading to O(N) Gas Exhaustion and permanently bricking the contract.
• No Free Storage: Permanent free state does not exist. If you do not pay rent to extend the Time-To-Live (TTL), the contract's state is either permanently deleted (if storage was Temporary) or archived (if the storage type was either Persistent or Instance).
• If storage is archived, it can be restored, except for Temporary storage, which gets permanently deleted from the ledger.
• Anyone can extend the lifetime of the storage. Calling extend_ttl() can be done by anyone and operates on comparative thresholds with no access controls.
• The Wasm bytecode executable has an independent TTL from the contract instance data. If the code entry archives, the contract panics on invocation, even if the contract instance data remains valid. Calling env.storage().instance().extend_ttl() safely bumps both simultaneously, but only bumping persistent data will allow the Wasm code to silently expire.
• No msg.sender: Soroban replaces msg.sender with Call-Stack Adjacency Validation and decoupled Auth Trees. Too complex to explain in a bullet point.
• Implicit Trust Limits: If User -> Contract A -> Contract B, Contract B implicitly trusts Contract A because they are adjacent. The trust boundary terminates immediately at B; Contract C will reject Contract A.
• Auth Trees for Deep Calls: To execute non-adjacent cross-contract calls safely (see the above point), intermediate contracts must publish an InvokerContractAuthEntry tree via authorize_as_current_contract. A bit too complex for a bullet point to dive further.
• Invoking external contracts using standard invoke_contract will "hard" revert, while using the try_invoke_contract will handle the revert gracefully.
• Reentrancy is blocked: Standard single-contract reentrancy is impossible because the Host blocks it, but cross-contract reentrancy is possible.
• If a protocol manually locks state across contracts and fails to use Rust's Drop trait on an Err match, the protocol may remain permanently stuck. This is important in the context of implementing a ReentrancyGuard like functionality.
• Precision Loss and Overflows: Soroban panics on overflow by default, but is limited to 128-bit math. Protocols utilizing high-precision multipliers (like ray math) should cast i128 balances to u128 prior to scaling.
• No Contract checks. Because the Address type is cryptographically opaque to the Guest, tx.origin or is_contract() checks are impossible to implement.
• Flash Loans are Single-Op: Flash loans execute entirely within a single InvokeHostFunctionOp execution stack; they do not require multiple operations.
• Multi-sig Admin Freeze: The Host evaluates signatures against the account's "Medium" threshold. Altering that threshold to an unreachable value freezes the contract forever. Think of EOAs as having native Multisig capabilities built-in at the protocol layer. If you mess up your signing thresholds, your EOA will be locked forever, so don't be an idiot.
• "Storage Collisions" on Upgrade: When updating a contract's Wasm binary, redefining the data types bound to an existing DataKey enum variant will break Host deserialization, corrupting legacy data.
• Signature verifications: Granular authorization via require_auth_for_args() is dangerous if implemented lazily. Omitting safety checks allows attackers to intercept the payload and execute it with stolen parameters.
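
The independent-TTL point in the post above, as an added example that is not part of the original post and is not Soroban SDK code: a plain-Rust toy model of ledger entries with separate live-until values. The names `Ledger`, `Entry`, `run_keeper` and the TTL numbers (100/50) are constructed for illustration, and the model assumes an archived entry cannot be bumped without a restore.

```rust
use std::collections::HashMap;

// Toy model of the ledger (constructed for illustration, not the Soroban host).
// Each entry has its own live-until ledger sequence, as the post describes.
#[derive(Clone, Copy, PartialEq, Eq, Hash, Debug)]
pub enum Entry { Code, Instance, Persistent(u32) }
pub struct Ledger { pub seq: u32, live_until: HashMap<Entry, u32> }

impl Ledger {
    pub fn new(initial_ttl: u32) -> Self {
        let mut live_until = HashMap::new();
        for e in [Entry::Code, Entry::Instance, Entry::Persistent(0)] {
            live_until.insert(e, initial_ttl);
        }
        Ledger { seq: 0, live_until }
    }
    pub fn is_live(&self, e: Entry) -> bool { self.live_until[&e] >= self.seq }
    // Threshold semantics: bump only if the remaining TTL is below `threshold`.
    // No caller check (anyone may call); archived entries are left untouched.
    fn bump(&mut self, e: Entry, threshold: u32, extend_to: u32) {
        if !self.is_live(e) { return; }
        let remaining = self.live_until[&e] - self.seq;
        if remaining < threshold { self.live_until.insert(e, self.seq + extend_to); }
    }
    // Models extending one persistent key: touches that entry only.
    pub fn extend_persistent(&mut self, key: u32, threshold: u32, extend_to: u32) {
        self.bump(Entry::Persistent(key), threshold, extend_to);
    }
    // Models the instance-level extension: bumps instance and code together.
    pub fn extend_instance(&mut self, threshold: u32, extend_to: u32) {
        self.bump(Entry::Instance, threshold, extend_to);
        self.bump(Entry::Code, threshold, extend_to);
    }
    pub fn invoke(&self) -> Result<(), &'static str> {
        if !self.is_live(Entry::Code) { return Err("code entry archived"); }
        if !self.is_live(Entry::Instance) { return Err("instance entry archived"); }
        Ok(())
    }
}

// Advance `ledgers` ledgers with a keeper that always bumps the persistent key
// and bumps the instance (and code) only when `bump_instance` is set.
pub fn run_keeper(ledgers: u32, bump_instance: bool) -> Ledger {
    let mut l = Ledger::new(100);
    for _ in 0..ledgers {
        l.seq += 1;
        l.extend_persistent(0, 50, 100);
        if bump_instance { l.extend_instance(50, 100); }
    }
    l
}

fn main() {
    println!("persistent-only keeper: {:?}", run_keeper(150, false).invoke());
    println!("instance keeper: {:?}", run_keeper(150, true).invoke());
}
```

A monitoring check that follows from this model is to track the code and instance entries' remaining TTL separately from the data keys a keeper already bumps.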

We know how this one should be named.
May 28
Building a new security product: we collect the stem cells of top security researchers and grow their brains in a lab.
I listened to this, and I recommend it. What @Ehsan1579 is doing is crazy. I suspected he was doing it with AI since October last year, lol, but he just confirmed it. Also, I noticed how he kept saying "we, we, we" so he is not a "1 man army" hunting 24/7 like a madman. That's how he started, but nowadays, there seems to be a team involved. Either way, congrats on your achievements and gj Mitchell for the interview!
A very fun podcast with an amazing up-and-coming Security Researcher. Follow @Ehsan1579's journey, it's only going to get bigger from here.
This is worse than C4 shutting down, there, I said it.
> be Ferrari
> spend 8 decades selling cars based on the sound they make
> hire Jony Ive - the guy who killed the headphone jack and shipped the butterfly keyboard - to design your first EV
> wait 4 years. unveil the "Luce" in Rome
> charge $640,000 for 280 miles of range. a $50K Mustang Mach-E does 300
> 0-60 in 2.4 seconds. so does a used Tesla Plaid for a tenth of the price
> weigh 4,982 lbs - basically a Ford F-150
> 4 doors, 4 seats, a hatchback trunk Ferrari proudly calls "the largest luggage capacity we've ever offered"
> Ive at the launch: "it's not styled"
> actual designers call it "soulless," compare it to a Honda, a kit-car, and "a Lotus Elise for the EV era"
> because EVs are silent, you bolt an accelerometer to the motors and run an algorithm that filters "unpleasant frequencies" and amplifies "musical" ones
> US deliveries: Q2 2027

$640,000. for a 5,000-pound sedan with a synthesized soul. designed by the man who killed the headphone jack.
Any good resources for learning Soroban, apart from their own docs? (I already audited Soroban in the past, but wondering if there are resources out there focused on the security aspect or more "advanced" topics) @StellarOrg
For the sake of clarity, the reason why I got so triggered is that 6 days ago, I sent a report to a protocol's BB program. The protocol has 8 figs TVL. The report has not been acknowledged in 6 days, the term for full resolution according to the platform's SLAs is 14 days, including the payout term. Seeing the behavior, this is what's going through my mind right now:

> I'll be ghosted again.
> What if their dev is OOO?
> What if they are overwhelmed by reports?
> What if they simply didn't log in to see if they have new submissions?
> Will they treat me fairly or try to invent an excuse to not pay?
> Will they even reply, at all??
> Did the dev die? :))

I like to believe that I did my due diligence:

1. picked a protocol with 8 figs TVL to ensure that they are not too small, and they should theoretically be able to pay
2. they are active on socials every day. They post almost every day Monday - Friday, including 2 days after I sent my report.
3. they have active users interacting with the contracts on a daily basis (today included).

The report has a mainnet fork POC attached to it, proving the bug. I'm doing my best to provide as much value upfront as possible, make it as easy as possible for the person on the other end to see, and reproduce the bug and make the facts irrefutable. I can not do anything more than this, really.

This is not a protocol draining bug, but it causes direct loss of funds for the protocol and its users in another way and the impact is Critical based on the program's rules.

On one hand, I see other whitehats having their reports paid, but on the other, this is like the 6th or 7th protocol that I sent reports to, and it always feels off. I have yet to encounter a protocol that actually cares, is responsive, and treats me fairly.

This has nothing to do with the platform itself (Immunefi). This is not a critique against them. I start to believe that they genuinely do whatever they can to the best of their abilities. Is this sufficient? Well, not really, but at least they try. They can't force protocols to behave decently or enforce payments, so they have to rely on the protocol's "honor/ word/ decency", same as we (whitehats) do.

The problem is that some protocols don't honor their word and BB program rules. They simply take advantage of the information that whitehats submit through BB platforms, and then do whatever they can to not pay you or not pay you fairly. I start to think that the EXCEPTIONS are the ones that actually hold their word, while the RULE is that you'd get played one way or another. This is why, as a whitehat you have to go through this embarrassment. Protocols seem to pay only when they are cornered, and, unfortunately, that is, post an exploit .... that's why we see all these "return 75% of funds and keep the rest as whitehat bounty". That's when they are vulnerable, desperate, and they'd do "anything" to get "some" of the money back ...

This IS NOT ME SAYING GO BLACKHAT, NO. That's NEVER an option, but I just wish protocols would treat BB submissions with the same degree of respect and seriousness. You know, just have a bit of honor and hold your promise. This is why I got so triggered.

Thanks for coming to my TED Talk.
I struggle to find and send valid bugs on @immunefi , invest time and effort into finding and validating them, send them, just to be ghosted, lowballed, disrespected, while criminals just steal the money, and get paid > checks note ~$3M as "whitehat bounty" ... This triggers me, really. I still have an Immunefi mediation which was open back on Feb 10, where the protocol HAS NOT RESPONDED ANYTHING, although they FIXED the bug in January ... Literally, the protocol did not reply anything about the mediation, although it was open more than 3 months ago, and the bug was fixed more than 4 months ago. This is how whitehats get treated and below you can see how criminals are treated as "whitehats" 🤡🌎
This new @immunefi leaderboard widget looks dope.
I struggle to find and send valid bugs on @immunefi , invest time and effort into finding and validating them, send them, just to be ghosted, lowballed, disrespected, while criminals just steal the money, and get paid > checks note ~$3M as "whitehat bounty" ... This triggers me, really. I still have an Immunefi mediation which was open back on Feb 10, where the protocol HAS NOT RESPONDED ANYTHING, although they FIXED the bug in January ... Literally, the protocol did not reply anything about the mediation, although it was open more than 3 months ago, and the bug was fixed more than 4 months ago. This is how whitehats get treated and below you can see how criminals are treated as "whitehats" 🤡🌎
A two-part story (in images).
Keyword 💙🛠️ retweeted
There are around only 24 hours left to donate to the DAO security fund. I would like to ask you to please donate to Cyfrin Updraft & Tooling. If you know someone who learned security with us, please consider donating! We have been the #1 education platform for onboarding security researchers and developers to Web3 for 3 years straight, 100% for free. qf.giveth.io/project/cyfrin-…

Some stats:
- Averages 8k students a week
- Hundreds of thousands of hours of watchtime in aggregate
- Millions of views on YouTube (500k on foundry 1 year ago, 600k 2 years ago, ~200k on intro to security, ~25k on assembly and formal verification, etc)
- Thousands of stars on security education on GitHub

Not to mention @SoloditOfficial, Aderyn, LocalSafe, WiseSigner, ERC-8213, @CodeHawks first flights & AI first flights (competitive audit live trainings) and more. If you don't like our education, we have a tooling page too: qf.giveth.io/project/cyfrins… Thank you for your consideration!

Throwback. It was December 2024 and Nethermind was launching the first AI Agent for Web3 security (I don't think anyone else believed that this would have a PMF). Senior SRs are 💩 on AI, saying it's just a fad, it will pass, it will never reach the level of a human, etc, etc. Senior SR > AI is what they said ... I have receipts, but there's no reason to bring them forward; today, everyone sees that I was right and the best outcome comes from AI x Human auditor symbiosis.

---

Now, it's May 2026, and everyone and their mothers are using AI in the audit workflow. It is THE STANDARD. Everyone has multiple specialized Agents working for them. Almost all companies have their own internal AIs; some companies sell themselves as "AI-first" and "manual audits second".

---

I don't know what will come next, but at this point, I'm certain AI will not replace (all) auditors. The bar to break into the industry is way higher today, but the opportunity is still here. Protocols need security now more than ever. AI is great at catching bugs, but at the end of the day, human guidance is what defines the outcome of a security review. It's like a pilot driving a car. Put me in an F1 car, and I won't be able to use it at more than 30% of its capacity because I don't have the skills. But if you are a great driver, that's when you can get 100% out of the car. In my view, the same is true for AI security. You MUST know what you are looking for and guide the AI. That's when the greatest results are achieved.
Replying to @NethermindSec
This is a great tool that our AI Agent Engineers worked on this year.
End of an era
Big fumble. Seeing the hype I would've made these "Pops" like limited edition watches. Make a collection of 30.000, similar to NFTs and randomize their traits (dials, bezels, casebacks, second and hour hands, etc) Make 1% of them "grails" with very rare traits and all of a sudden it would've probably been the most sought after watches in the world. Guess they need to hire NFT degens in their marketing departments.
May 12
Aaaaaaaand CT was wrong about watches by falling for AI Surprising