Update: Further investigation indicates the root cause is proof forgery due to missing input validation in the VerifyProof() function of @hyperbridge ’s HandlerV1 contract.
Specifically, the verifier does not enforce leaf_index < leafCount. If an attacker submits leafCount = 1 and leaf_index = 1, CalculateRoot() in the MMR path never incorporates the request commitment into root computation, so the proof can pass for arbitrary request content.
This fully decouples the proof from the message it is meant to authenticate, enabling attackers to forge seemingly valid cross-chain messages against any historical overlayRoot.
No jailbreak. No problem. 🔓
I built a tool that bypasses iOS SSL Pinning using OpenVPN + iptables — works with Burp Suite & mitmproxy out of the box.
👇 GitHub
https://t.co/N4QyCDaXvR
#CyberSecurity#BugBounty#iOS#Pentesting
I wish I knew this earlier.
There is a website that shows you what CSP bypasses are possible by pasting the CSP policy in it.
https://t.co/OtAxsKeFdo
Basically you can lookup vulnerable 3rd party JS libs and SDKs from the whitelisted CSP sources
#bugbountytips#bugbounty
This is what a $55,000 bug can look like, just add "/actuator/heapdump%23" and maybe it sticks.
Sometimes devs leave Spring Boot actuator wide open. All the secrets were redacted in /env, but heapdump sends ~100MB of live server-side memory with live auth tokens. The %23 was to bypass the WAF trying to block it, sigh. Start with "/actuator" or "/actuator/health" and if it hits, try all the other possible paths. #hacking #cybersecurity
$104K in 21 days from one mechanic on @Polymarket.
ExpressoMartini runs 15 min BTC windows with a straddle core but not the naive version: Up + Down only when combined cost dips below $1, then sizes asymmetrically toward the side already pulling orderflow.
BTC is the engine. When the book lags and contracts sit at 70-80c, he leans into the stretched side while keeping the hedge cheap, exits on compression, repeats. Alts are filler.
Most profit comes from timing the lag, not predicting direction. Liquidity decides size. Filters decide survival.
Live structure he’s using:
→ Up - BTC 15m
https://t.co/EhJCMSvSZB
Bot made $900 -> $208k in 3 months on polymarket
one of the most talked about bots on polymarket right now
farmed $208,521 pure profit in a quarter
focus exclusively on esports
mainly LoL and Dota 2
bot monitors live game
parses stream and official data faster than market reacts
when kill, objective, fight happens
polymarket price hasn't adjusted yet
bot enters, catches mispricing couple cents, exits
front-runs by seconds and farms spread
many now copying or building their own bots
competition growing but LoL/Dota live still has room
this is one of the most profitable bot directions on polymarket right now
his profile: https://t.co/d96yuCyK80
I just published a small blogpost , I found the CSP bypass a bit interesting so here you go
Bypassing CSP via URL Parser Confusions : XSS on Netlify’s Image CDN https://t.co/I1TgccURUO
New bypass drop 🔓 (no longer active)
We found a way to skip queue on a major cricket site by targeting specific file extensions — .json, .txt, .jsp, etc.
With this, @AkariCorp was able to monitor and buy almost every semi-final & final ticket.
Huge shoutout to @sleepy__dev for helping catch bypasses like these 🧠🔥
🟡 Bloom Extension on BSC 🟡
The Bloom Chrome Extension has enabled thousands of traders to enjoy top-notch performance right on their favorite platforms.
Now, we’ve enhanced it to unlock its full potential on BSC 🆕🟡
🤖 Supercharge your browser, download the BSC extension and get started! https://t.co/wnHUCUaoHt
If you’re in tech, get a LLC. There are no downsides besides the yearly fee.
1) Allows you to freelance and contract easier
2) Proof of work for Full time jobs
3) if you take a gap year you can use your LLC for your own startup
4) tax write offs
JUST DO IT