This is exactly what I’m seeing with @CapyFi_Protocol right now. 🚩
A “Closed” report doesn’t always mean an “Invalid” bug.
I recently submitted a Critical finding to @CapyFi_Protocol via @Immunefi. The report was escalated then after a day it got closed as "invalid / intentional design", yet the team executed emergency on-chain mitigations within minutes of closing the report. Now, mediation is being blocked. 🛑
Immediately after my report got closed, a controlled address redeemed 5.5 Billion LAC from the caLAC pool—overnight reducing the borrowable reserves by 62%.
To comply with @Immunefi rules and remain professional, I am NOT disclosing any technical details or the vulnerability's nature today. However, when a protocol emergency-mitigates a report while denying the researcher a bounty—and the platform blocks the dispute—it’s a failure for the entire ecosystem. 🛡️🤝
Transparency is the backbone of DeFi.
I Saved Injective's $500M. They Pay Me $50K.
I like hunting bugs on @immunefi. I'm decent at it.
- #1 — Attackathon | Stacks
- #2 — Attackathon | Stacks II
- #1 — Attackathon | XRPL Lending Protocol
- 1 Critical and 1 High from bug bounties (not counting this one)
Life was good. Then I found a Critical vulnerability in @injective.
This vulnerability allowed any user to directly drain any account on the chain. No special permissions needed. Over $500M in on-chain assets were at risk.
I reported it through Immunefi. The next day, a mainnet upgrade to fix the bug went to governance vote. The Injective team clearly understood the severity.
Then — silence. For 3 months. No follow up. No technical discussion. Nothing.
A few days ago, they notified me of their decision: $50K. The maximum payout for a Critical vulnerability in their bug bounty program is $500K. I disputed it. Silence again. No explanation for the reduced payout. No explanation for the 3 month ghost. No conversation at all. To be clear: the $50K has not been paid either.
I've seen others share bad experiences with bug bounty payouts recently. I never thought it would happen to me. I can't force them to do the right thing. But I won't let this be forgotten.
I will dedicate 10% of all my future bug bounty earnings to making sure this story stays visible — until Injective pays what I deserve.
Full Technical Report: https://t.co/lki2tL9bxw
Anyone interested in indexed @traversymedia YouTube content?
I built a high-performance search engine to find exactly what you need in seconds.
Check it out here: https://t.co/67tdwBKPvW
Features:
⚡️ Full-text search with Postgres GIN indexes
📝 YouTube transcript integration
@yazins I am working on doing the same for Chaikh Saad Al Kamali, the problem is that most of the content is not transcribed and not indexed so kinda needs more effort.
Check it out here: https://t.co/KmlBxlsqdM