🚨 Blockaid detected an @Ostium Vault exploit on Arbitrum.
An attacker used a registered PriceUpKeep forwarder and future-dated authorized oracle reports to create artificial trade profit, triggering a ~$18M USDC payout from the vault.
More details in 🧵
recently noticed an interesting audit lesson from a bug that looked completely harmless.
a vault’s preview func promised 100 units.
but the real withdrawal path applied a 1% downstream fee, then its safety check still required the full 100 units.
actual output: 99 → trx reverted.
no funds were stolen...the withdrawal path simply stopped working wen idle liquidity was unavailable.
the bug was hiding between 2 innocent functions, one estimated a fee-free result, while the other executed a fee-bearing path.
as a security researcher always compare previews with real execution across fees, rounding & external calls.
Metric pools captured $6bn+ in volume last quarter.
Every pool deployed on Metric inherits routing across the best DEX aggregator network the moment it's deployed.
Your distribution shouldn't start from zero.
I Saved Injective's $500M. They Pay Me $50K.
I like hunting bugs on @immunefi . I'm decent at it.
- #1 — Attackathon | Stacks
- #2 — Attackathon | Stacks II
- #1 — Attackathon | XRPL Lending Protocol
- 1 Critical and 1 High from bug bounties (not counting this one)
Life was good. Then I found a Critical vulnerability in @injective .
This vulnerability allowed any user to directly drain any account on the chain. No special permissions needed. Over $500M in on-chain assets were at risk.
I reported it through Immunefi. The next day, a mainnet upgrade to fix the bug went to governance vote. The Injective team clearly understood the severity.
Then — silence. For 3 months. No follow up. No technical discussion. Nothing.
A few days ago, they notified me of their decision: $50K. The maximum payout for a Critical vulnerability in their bug bounty program is $500K. I disputed it. Silence again. No explanation for the reduced payout. No explanation for the 3 month ghost. No conversation at all. To be clear: the $50K has not been paid either.
I've seen others share bad experiences with bug bounty payouts recently. I never thought it would happen to me. I can't force them to do the right thing. But I won't let this be forgotten.
I will dedicate 10% of all my future bug bounty earnings to making sure this story stays visible — until Injective pays what I deserve.
Full Technical Report: https://t.co/lki2tL9bxw
The telegram group and discord will remain publicly open - that said the group is now over 75 strong, which is amazing, but also gives me some worry due to the confidential nature of bug bounty programs.
That said I am trying to figure out a verification process for access to private teams of established and verified bug hunters, while leaving the community free to start their own teams at will.
1 bad actor can just lead to so much trouble and considering I only had 30 followers when I started the community this was not the level of response I expected.
I appreciate all the people already in and those continuing to join, I will work hard to make it a community that provides immense value to all members and experience levels.
If you have ideas for a verification process please let me hear them, I'm open to community feed back and ideas from those with experience in managing bigger groups.
Calling all researchers!
@Trip is launching a limited-time campaign that will pay out 2x the usual reward for any High or Critical severity vulnerabilities in scope.
Severity will be confirmed by our triage team based on our published severity rubric and our standard bounty program rules apply.
Lasts from July 13 to July 29.
Visit the program page for more information and to see how to get started: https://t.co/Inld0K780h
Thanks for all the awesome work you do and happy hacking!
✅ [New DualDefense Contest]
A fresh challenge just dropped on HackenProof!
The DualDefense Contest with @PushChain is now live.
Reward pool: up to $70,000
End Date: August 2, 2026
Scope: Push Chain L1 codebase
Last Audit: by @hackenclub
Join the contest now!
Upside co-founder Alex Bauer just shared 5 plays from his agentic GTM playbook:
00:00 - Why AI gives confident wrong answers
08:30 - The military trick that fixes agent prompts
11:51 - Build agent memory with a radiant librarian
13:10 - Run multi-agent juries for attribution
15:15 - Why cheap AI tools fail at real work
These 17 minutes of agentic GTM tactics will replace 15 paid AI-for-revenue-teams courses.
Watch it, then read a relevant guide below:
Anthropic just released a 4-hour course to getting a $500k AI engineering job:
00:15 - The right way to prompt Claude
33:21 - What makes Claude act dumber on your code
01:33:39 - How Anthropic use Claude every day
02:50:56 - The fix that makes Claude way smarter
This 4-hour Anthropic free course replaces about 10 paid engineering courses.
Watch it today, then read the step-by-step guide on building loops below.
@codewithsushi a thinking man...the definition of a man is a thinking being. Thanks to AI now we sublet a few thinking to them so that we get time to think about other issues.
A Stanford mathematician who spent 10 years as a professional magician just described the market in one sentence:
"I've spent my life on two tricks: making a rigged deck look random, and making a random one look rigged. The market is the first trick, and almost nobody catches it."
That's Persi Diaconis. He has a free lecture that asks one question: does anything actually happen at random? The answer is: far less than you think.
The market is his first trick in the wild. It looks like pure chance. Buried inside is a faint rig, a 50.75% tilt no eye can see. Your gut reads a losing week as a broken system and a hot streak as skill. Wrong both times. The tilt is invisible to human intuition, which is exactly why funds hand the decision to the math.
None of it is hidden. Diaconis has taught it for decades. The probability goes back to 1713. The lecture is free.
Here's the trap: you feel every win and every loss, but you cannot feel the average. And the average is the only thing that pays. It takes thousands of trades for a 51% edge to separate from luck, and almost everyone quits long before then.
The math is free. The patience to trust it past your own eyes is the edge.
If you audit smart contracts, you already know @DeFiHackLabs. It's the most complete open library of exploit PoCs there is, and SunWeb3Sec has done the whole industry a service by maintaining it.
But a PoC is a starting point, not an explanation. To actually learn from one you have to:
➡ get the Foundry test compiling (solc version, EVM version, remappings)
➡ source an archive RPC for the correct chain and fork at the exact block
➡ reconstruct the attack from raw trace output
➡ cross-reference the trace against the test's Solidity
➡ pull the source of every downstream contract from Etherscan - the PoC ships the attacker's code, not the victim's.
We built https://t.co/vP9Yq3H6ca to collapse that into one page.
What you get per hack:
✅ Pre-written vulnerability analysis, with the root-cause line highlighted directly in the source.
✅ A live EVM playground (think in-browser debugger) that replays the exploit deterministically.
✅ Opcode-level stepping plus line-level Next / Prev / Step-in / Step-out; click an opcode to jump to its source line.
✅ Full call trace (execution tree) so you can see exactly what called what.
✅ EVM state at every step: memory, stack, and storage.
✅ Matched source for every executing contract in the call tree - fetched from Etherscan, compiled, and source-mapped, so you never leave the page.
✅ Any chain, no RPC needed - the execution is recorded, so there's nothing to set up and nothing to rot: no rate limits, no stale fork blocks, no version drift.
The analysis + build pipeline is fully open source: https://t.co/SrCRX81rNJ - issues and PRs welcome.
Explore 840+ hacks 👉 https://t.co/VeFfnrWdK7
#SmartContractAudit #Web3Security #DeFi #Solidity #EVM #Foundry #Blockchain
Metric @metricxyz is one of those teams that comes very rarely
In just their first 2 months, they went from $0 to a top 15 DEX (let alone propAMM) on DeFillama, all in stealth
Glad to have seen their early days, hustling to get integrations into every single aggregator possible, chatting to token and RWA issuers and whoever they could, and it's paid off immensely well and will continue to compound
They could have always stayed as a propAMM, but I'm quite excited by their bigger mission: to democratise the propAMM stack as infrastructure for LPs, MMs and issuers to utilise and scale with