@Stake_Stone Hi, your bug bounty on immunefi is for an old version of the protocol, which seems to have had a bunch of updates. Are you going to update the bug bounty too? Thanks
Just sent a report to a bug bounty program that's self hosted by the protocol, feels like throwing a bottle to the sea. But again, on platforms it feels pretty much the same so we'll see
There’s a complexity level after which human experts outperform an LLM in accuracy, cost, and speed.
That level is pushed higher by new models (at exponential cost absorbed in training). It doesn’t go away.
The cheap chess analogies are completely backwards.
For bug finding, the idea there are bugs too deep for humans to find is the opposite of truth.
There are bugs so deep only humans can hope to find.
There’s a level after which not even having the human be assisted by an LLM makes a positive difference. It can degrade performance actually.
Classical computing can only work on fully formalized symbolic systems. Humans can do everything electronic computers can, with the same resource scaling laws, but at linearly trillions of times higher costs and time. The lower accuracy can be dealt with by added logarithmic factors. But we can’t escape the fact that we’re just slower.
Beyond that, humans can easily operate in not fully formalized systems too. Even completely informal systems. In fact that is easier for us than formal systems.
LLMs can bridge the gap and let computers operate with informal symbolic systems in natural language too.
The cost is making it a billion times more expensive than classical compute from the start. And adding an exponential component degrading accuracy, slowing down, and increasing costs.
You can move some of that exponential to training; you can use more tokens to compensate to some extent for accuracy issues.
But you can’t escape the exponential.
There’s no free lunch.
@arsen_bt @WhiteHatMage @renegade_fi Agree or not agree, I personally understand and have thought about it many times. Although personally I don't cross this line and never will, I completely understand where he comes from and wouldn't be surprised if this becomes the norm if platforms don't change soon.
I don't know who's handling the zendesk support at @immunefi, but they know nothing about customer support. Bring back Sandra; I feel she was the one carrying the whole company on her shoulders, and now it's pure downhill.
I complain that my report has been confirmed for 10 months and has not yet been paid. I request the opportunity to submit more reports and not be treated as a spammer, because all my reports were legit but never paid. Result: account closed.
Summary of my bug bounty journey: getting pissed on by projects and platforms alike for the last 18 months, but because everybody has the same experience, nobody says anything and it's absolutely normalized in the space.
Bifrost’s architecture is built to ensure all vTokens remain fully backed at all times.
We reinforce this with regular third-party security audits and an active bug bounty program open to anyone.
Explore our latest audits: https://t.co/pDLNKpktVf
After a while spent in the depths of hunting bounties in web3, I can affirm with certainty that bug bounty programs are the biggest supplier of black hat hackers in the space.
I Saved Injective's $500M. They Pay Me $50K.
I like hunting bugs on @immunefi. I'm decent at it.
- #1 — Attackathon | Stacks
- #2 — Attackathon | Stacks II
- #1 — Attackathon | XRPL Lending Protocol
- 1 Critical and 1 High from bug bounties (not counting this one)
Life was good. Then I found a Critical vulnerability in @injective.
This vulnerability allowed any user to directly drain any account on the chain. No special permissions needed. Over $500M in on-chain assets were at risk.
I reported it through Immunefi. The next day, a mainnet upgrade to fix the bug went to governance vote. The Injective team clearly understood the severity.
Then — silence. For 3 months. No follow up. No technical discussion. Nothing.
A few days ago, they notified me of their decision: $50K. The maximum payout for a Critical vulnerability in their bug bounty program is $500K. I disputed it. Silence again. No explanation for the reduced payout. No explanation for the 3 month ghost. No conversation at all. To be clear: the $50K has not been paid either.
I've seen others share bad experiences with bug bounty payouts recently. I never thought it would happen to me. I can't force them to do the right thing. But I won't let this be forgotten.
I will dedicate 10% of all my future bug bounty earnings to making sure this story stays visible — until Injective pays what I deserve.
Full Technical Report: https://t.co/lki2tL9bxw