Pinned Tweet
$300,000 from a single bounty. Also yes, it was Move related. Move helps, but it doesn’t magically make protocols safe. The real bugs still live in assumptions, invariants, and integrations. Proud of what VulSight has been doing too. We’ve cleared over $500k in bounties in the last 2 months. If you’re a founder and you want an audit team that consistently finds criticals, we’re a DM away.
Big congratulations to @VulsightSec for scoring their very first paid report on Immunefi. And it's a huge, huge payout. Well done! You can pledge behind them here to earn IMU when they find bugs: immunefi.com/pledge/vulsight…
Zero Cipher retweeted
anthropic won't let you use fable for biology, chemistry, ai research, or anything that accelerates human progress. that makes it the perfect tool for developing blockchains
Zero Cipher retweeted
🌴 The @VulsightSec team has landed in Miami for @consensus2026! May 5–7 | Miami Beach Convention Center If you're building in Web3, let's talk: 🔐 Smart Contract Audits 🛡️ Protocol/Infra Security Audits 🤝 Security Partnerships DM us to grab coffee or meet up on the beach. ☀️ #consensus2026 #Miami #web3 #Security
When you know that projects are scamming by self donations on giveth programs but can't prove it
Name drop any protocol on whose bug bounty, in your opinion, one should never hunt 👀
Wild thought: When you train for lucid dreaming, you learn to check things like your hands or the time on a clock because dreams mess those up. AI image/video models make very similar mistakes (extra fingers, broken text, inconsistent details). Feels like AI is mimicking human consciousness on a level.
After doing extensive Bug Bounty and interacting with dozens of protocols, in the Infra Space among the major blockchains, I believe only these protocols (currently) actually care about security:
1. Solana
2. Ethereum
3. Monad
4. Sei
Most of the other blockchains don't care about either security or respecting whitehats.
Suppose we have a critical drain vulnerability that two whitehats find at the same time. One reports it to the bbp. Meanwhile when the report is being reviewed, the other whitehat executes a whitehat attack to secure the funds. Who gets the bounty 👀
Personal security tip (that may or may not work): Always keep a small amount like 100 USDC in your MetaMask wallet, so you would likely know if your PC is compromised. Likewise for a hardware wallet, store funds using a passphrase, while keeping a small amount of funds in the default wallet.
The first place I look in any lending protocol isn’t the interest rate model. It isn’t the oracle. It’s the liquidation logic. Blacklisted collateral token. Transfer reverts. Liquidation blocked. Bad debt can accumulate silently. Zero-amount interaction. Revert. Position can become stuck permanently. Multi-asset basket where a partial liquidation removes the highest-LTV asset and the health score worsens instead of improving. Three edge cases. Each one worth treating as high severity until proven otherwise. One question decides everything: “Can this position ever reach a state where liquidation reverts or fails to improve solvency?” If yes, the protocol may have a trapped bad debt path. It just doesn’t know it yet. If your protocol has liquidations and you haven’t tested what happens when they can’t execute, that’s one of the first places I’d look for a critical.
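The three edge cases in the post above can be written as one invariant test over a simplified position model. This is an added example, not code from the post or from any protocol; the asset names, liquidation thresholds, the 10% liquidator bonus and the health formula (threshold-weighted collateral divided by debt) are all assumptions chosen for illustration.

```python
from dataclasses import dataclass

class Revert(Exception):
    """Stands in for an on-chain revert."""

@dataclass
class Position:
    collateral: dict   # asset -> USD value
    debt: float

# Constructed parameters (assumptions, not taken from any real protocol).
LIQ_THRESHOLD = {"STABLE": 0.90, "VOLATILE": 0.50, "FROZEN": 0.80}
BLACKLISTED = {"FROZEN"}   # token whose transfer reverts for this holder
BONUS = 0.10               # liquidator incentive

def health(p):
    weighted = sum(v * LIQ_THRESHOLD[a] for a, v in p.collateral.items())
    return weighted / p.debt if p.debt else float("inf")

def liquidate(p, asset, repay):
    """Repay `repay` of debt and seize repay * (1 + BONUS) of `asset`."""
    if repay <= 0:
        raise Revert("zero amount")
    if asset in BLACKLISTED:
        raise Revert("collateral transfer reverted")
    seized = repay * (1 + BONUS)
    if seized > p.collateral[asset] or repay > p.debt:
        raise Revert("exceeds position")
    remaining = dict(p.collateral)
    remaining[asset] -= seized
    return Position(remaining, p.debt - repay)

def audit_liquidation_paths(p, repay):
    """Classify each seizable asset as 'improves', 'worsens' or 'reverts'."""
    before, report = health(p), {}
    for asset in p.collateral:
        try:
            after = health(liquidate(p, asset, repay))
            report[asset] = "improves" if after > before else "worsens"
        except Revert:
            report[asset] = "reverts"
    return report

def sample_position():
    # Constructed unhealthy basket: health = 820 / 900, about 0.91.
    return Position({"STABLE": 600.0, "VOLATILE": 400.0, "FROZEN": 100.0}, 900.0)
```

In this model a seizure improves health only when the current health exceeds threshold × (1 + bonus) for the seized asset, which is why taking the 0.90-threshold asset from a position at 0.91 makes it worse.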
I need to acquire 20k Test Hype tokens on the HyperLiquid Testnet @HyperliquidX. Would anyone be able to help with that? Would be even willing to buy them if anyone's selling.
Thank you for your critical finding. We would like to reward you a bounty of 12 redbulls.
Response to a critical report in a bug bounty that would have caused losses of 8 figures dependent on a feature that was to be activated in 2 weeks. "The finding even though critical is not valid for a payout as the deployment is 2 weeks away and we would fix the bug before deployment" MF how would you even have fixed it in the first place if I didn't report it??
Your Stack Is Split Across Move, EVM, Rust, and ZK
4 ecosystems. Each fails in very different ways.
1. EVM → reentrancy variants, accounting/invariant bugs.
2. Move → resource lifecycle bugs, cross-module interaction failures.
3. ZK → under-constrained circuits.
4. Rust on Solana → PDA validation gaps, CPI guard bypasses.
A generalist who's "pretty good" at four ecosystems misses the bugs specialists catch. One ecosystem specialist can't help you when your stack spans two. If your protocol spans more than one ecosystem and needs a team that can audit across the full stack, feel free to reach out to us.
Audits happen. Reports get filed. Protocols still get drained. This is why I only work with teams that treat security as survival, not marketing. There are a lot of reasons this keeps happening:
• The team gets the audit report and fixes the Highs. Marks everything else as "acknowledged." Ships.
• "Acknowledged" means "we read it and accepted the risk" but actually means "we don't have time and the deadline is Friday".
• The patch for the critical finding introduces a new vulnerability in the fix. Nobody reviewed the remediation. They just assumed patching was safe.
• The audit covered commit abc123. The deployment was committed by xyz789. Six new functions added after the audit completed. Nobody mentioned it.
• Six months after launch there's a new integration. No re-audit. The integration is 40% of the attack surface.
• The economic exploit that drained everything wasn't in the code. The code was correct. The math was wrong. The audit reviewed code, not economics.
• Leadership says "we can't afford a longer audit" then spends 20x the audit cost on the launch marketing campaign.
• The post-mortem after the hack says "we have now engaged additional security partners." The new partners review the same codebase. Nobody asks why the first audit missed it.
Every one of these is fixable. We don't sign off until the deployed commit matches the audited commit. And we treat "acknowledged" findings like ticking time bombs, because that's what they are. If you want an audit team that solves the problems above instead of contributing to them, DM us at @VulSightSec.
For a protocol with a bug bounty on multiple platforms, which one would you use to submit your Crit/High? And why?
58% Immunefi
42% Hackenproof/Cantina
108 votes • Final results
Three years ago I submitted my first Web3 contest entry on Code4rena. Found one QA issue. Thought maybe I'd chosen the wrong career path. This year I collected $300,000 from a single critical bug report. This space rewards depth and patience in ways I didn't fully understand when I started.
Everyone thinks they understand flash loan attacks. Most don't. Most people think flash loans are about the money. Borrow millions. Manipulate a price. Return the loan. Pocket the difference. That's the surface. What if the attack isn't related to the capital. What if it utilizes the state manipulation that the capital enables within a single transaction. Beanstalk. April 2022. $182 million. The attacker didn't exploit a price oracle. They used the flash loan to temporarily acquire governance control. Passed a malicious proposal. Drained the treasury. In one transaction. The vulnerability wasn't in the flash loan mechanics. It wasn't even in the price feed. It was in the assumption that governance proposals couldn't be executed within a borrowing window. I found a similar governance timing assumption in a recent audit. The protocol had a 24-hour timelock on proposals. No protection against flash-loan-powered quorum acquisition. The team had reviewed every oracle interaction. They hadn't considered that an attacker could borrow their way into governance power. Never audit flash loan surfaces by just looking at the surface. Audit what the loan temporarily makes possible.
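The governance timing assumption described in the post above comes down to when vote weight is read. This added example (not from the post or the audited protocol) contrasts a live-balance quorum check with a common mitigation, reading weight from a checkpoint at a block that ended before voting opened; the token model, account names and quorum value are assumptions.

```python
from bisect import bisect_right

QUORUM = 400_000   # constructed threshold

class CheckpointedToken:
    """Vote token that records every balance change with its block number."""
    def __init__(self):
        self.block = 1
        self._history = {}   # holder -> list of (block, balance)

    def balance_of(self, holder):
        h = self._history.get(holder)
        return h[-1][1] if h else 0

    def past_votes(self, holder, block):
        """Balance at the end of `block`, which must already be finished."""
        if block >= self.block:
            raise ValueError("block not yet mined")
        h = self._history.get(holder, [])
        i = bisect_right(h, (block, float("inf")))
        return h[i - 1][1] if i else 0

    def credit(self, holder, delta):
        new_balance = self.balance_of(holder) + delta
        self._history.setdefault(holder, []).append((self.block, new_balance))

    def transfer(self, src, dst, amount):
        if self.balance_of(src) < amount:
            raise ValueError("insufficient balance")
        self.credit(src, -amount)
        self.credit(dst, amount)

def quorum_live(token, voter):
    # Weak: weight is whatever the voter holds at the moment of the call.
    return token.balance_of(voter) >= QUORUM

def quorum_snapshot(token, voter, snapshot_block):
    # Hardened: weight is fixed at a block that ended before voting opened.
    return token.past_votes(voter, snapshot_block) >= QUORUM

def same_block_loan_check():
    """Returns (live check, snapshot check, long-term holder snapshot check)."""
    token = CheckpointedToken()
    token.credit("pool", 1_000_000)
    token.credit("holder", 500_000)
    token.block = 10                              # snapshot was block 9
    token.transfer("pool", "borrower", 600_000)   # loan inside block 10
    result = (quorum_live(token, "borrower"),
              quorum_snapshot(token, "borrower", 9),
              quorum_snapshot(token, "holder", 9))
    token.transfer("borrower", "pool", 600_000)   # repaid in the same block
    return result
```

The live check counts tokens held only for the duration of one block, while the snapshot check gives the same account zero weight and still counts the long-term holder.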
Recently, saw some chatter about how total payouts vary across web3 bug bounty platforms. So I compared the top 10 earners on each:
Immunefi: $55.3M
HackenProof: $6.3M
Cantina: $1.5M
Immunefi is ~8.8x HackenProof. HackenProof is ~4.2x Cantina. Curious how much of this is:
- platform maturity
- deal flow
- private vs public payouts
- where top researchers choose to spend time
(Note some of these numbers could be inaccurate as I calculated these numbers on publicly available information in the leaderboards)