@WhiteHatMage This has just happened to me on Hackenproof, and they marked it as a duplicate.
The fun fact is that they fixed the bug the slop report mentioned (its PoC no longer passes) but my report shows a complex attack chain that the original report was of course not covering.
I also have another theory about duplicates: some projects and platforms abuse nonsense slop submissions.
You disclose an e2e-proven exploit, but it gets marked as a duplicate because of the "root cause".
The slop report contains the vulnerable lines but no actual proof or has invalid claims.
With enough slop, you cover all the lines where a reasonable bug could exist. Then the project reopens the invalid slop submission, pays it as Low, and avoids paying the actual Critical.
That’s my worst nightmare. That shouldn’t happen ever.
@trdrmorz @wachmc I reported a critical fund drain vuln last week. It could’ve fully drained their bridge at any time. They said that a permissionless bridge full drain is low severity and paid 250 USD. They don’t care about security and their users.
@hrkrshnn This is what should be done. Projects who don’t care about their security don’t care about their users. They deserve this.
It’s the project that should be blamed, not the hacker.
@linuxcity And yet it is deplorable. They don’t care at all. I told them I had several critical vulnerabilities to disclose and they did not care.
They did not make any kind of effort to make me disclose them. They just didn’t care because they did not want to pay for it fairly.
🧵[1/6]
Last week I privately disclosed a valid vulnerability affecting Alephium’s Wormhole bridge integration.
The issue was confirmed by the team. It allowed a permissionless attacker to drain the entire balance of a live mainnet contract.
@BigPepGhost Your team totally lowballed me when disclosing a critical vuln draining your bridge with $250. I told Maud I had additional vulns to disclose, you guys did not care. Now I see you are offering a 10% bounty to the attacker. Do you really care about security? Why are you surprised?
@0x15_eth Here’s what I was referring to.
They fucking scammed me and paid a miserable 250 USDC for another full bridge drain vector. But they offer 80k to the attacker.
This is wild. The way I’ve been scammed is crazy. They clearly want me to attack them lol
💬 Onchain Message:
To the individual responsible for the Alephium bridge exploit:
We are prepared to treat this incident as a white hat disclosure under the following terms:
1. Return 90% of the drained assets to:
0x238640C0F74A95485e986Fa26D434fF7B216D058
within 72 hours of this message.
2. You may retain 10% of the returned assets as a white hat bounty.
Upon receipt of the 90%, Alephium will consider the matter resolved and will publicly acknowledge your cooperation.
Contact [email protected] with a message signed by one of the addresses involved in the exploit for further communication.
We would prefer to resolve this matter quickly and cooperatively for the benefit of affected users.
Alephium Team
https://t.co/neFjYBp0uQ
The cause of the exploit has been identified. The exploit was NOT caused by a compromise of the guardian keys, contrary to some early external reports.
The team is now fully focused on recovery and remediation efforts. We are working around the clock to address the impact of this incident and support affected users.
Our next update will be shared on Monday. Throughout next week, we will provide additional information regarding the recovery process for users with ALPH locked in the bridge, further details on the exploit and its cause, and a comprehensive postmortem.
We sincerely thank our community for its patience and support while we work through this situation.
🧵[5/6]
What I am saying is that security culture is revealed by actions, not marketing. If a project wants experienced researchers to spend weeks looking for severe vulnerabilities before attackers find them, it has to create incentives that make that work rational.
@ipwning The decision of shutting everything down just because of that doesn’t really make sense though. It’d probably be easier to host the BBP on Hackenproof or Immunefi and pay them to triage their reports. 🤔