Lots of people asking me how I did this. I want to summarize the whole process.
It’s called an independent audit or security research with no job, no invite, and no special access.
You do not need permission to audit because smart contracts are public code that holds money, and anyone can read them and report what is broken.
Here is the process.
→ Pick a relatively small, new project with a team you can actually message. New code has more bugs, and small teams reply faster. (EVM projects in most cases).
→ Get the verified source from the chain explorer. That is the real code and contract that is running.
→ Read it with a few questions in mind.
Who is allowed to move the money?
What happens at the risky moment when funds move between contracts?
Can a stranger trigger something only the team should?
You are hunting for just one wrong assumption at the moment, and you can as well use AI for faster reviews and code checks.
→ When you think you found it, prove it on a local copy of the chain, never on the real network.
A copy behaves like the real thing but touches no real funds. If you are right, it shows the money moving. If you are wrong, you find out before you embarrass anyone.
→ Write it short. What the bug is, what it costs, the exact code, and the exact command to reproduce it.
The best line you can give a team is "Do not trust me; run this yourself."
→ Send it privately. Don't post details while the bug is still open.
→ The team might bring you in to fix the bug with them, or rather, you submit your report and PoC (Proof of Concept).
Ask for their offer of a reward for the bug; criticals pay the highest.
→ Help them check the fix after the new changes.
The rule that matters most is to test on copies only.
Never inflate a medium bug into a critical.
Tools to learn. A chain explorer to read verified sources and Foundry to run a local copy of a chain and test against it.
The first bug is the hardest because you do not believe you can do it yet. But you can by finding the wrong assumption, proving it on a copy, reporting it with respect, and repeating it again.
🚨 Blockaid detected an @Ostium Vault exploit on Arbitrum.
An attacker used a registered PriceUpKeep forwarder and future-dated authorized oracle reports to create artificial trade profit, triggering a ~$18M USDC payout from the vault.
More details in 🧵
recently noticed an interesting audit lesson from a bug that looked completely harmless.
a vault’s preview func promised 100 units.
but the real withdrawal path applied a 1% downstream fee, then its safety check still required the full 100 units.
actual output: 99 → trx reverted.
no funds were stolen...the withdrawal path simply stopped working wen idle liquidity was unavailable.
the bug was hiding between 2 innocent functions, one estimated a fee-free result, while the other executed a fee-bearing path.
as a security researcher always compare previews with real execution across fees, rounding & external calls.
Metric pools captured $6bn+ in volume last quarter.
Every pool deployed on Metric inherits routing across the best DEX aggregator network the moment it's deployed.
Your distribution shouldn't start from zero.
I Saved Injective's $500M. They Pay Me $50K.
I like hunting bugs on @immunefi . I'm decent at it.
- #1 — Attackathon | Stacks
- #2 — Attackathon | Stacks II
- #1 — Attackathon | XRPL Lending Protocol
- 1 Critical and 1 High from bug bounties (not counting this one)
Life was good. Then I found a Critical vulnerability in @injective .
This vulnerability allowed any user to directly drain any account on the chain. No special permissions needed. Over $500M in on-chain assets were at risk.
I reported it through Immunefi. The next day, a mainnet upgrade to fix the bug went to governance vote. The Injective team clearly understood the severity.
Then — silence. For 3 months. No follow up. No technical discussion. Nothing.
A few days ago, they notified me of their decision: $50K. The maximum payout for a Critical vulnerability in their bug bounty program is $500K. I disputed it. Silence again. No explanation for the reduced payout. No explanation for the 3 month ghost. No conversation at all. To be clear: the $50K has not been paid either.
I've seen others share bad experiences with bug bounty payouts recently. I never thought it would happen to me. I can't force them to do the right thing. But I won't let this be forgotten.
I will dedicate 10% of all my future bug bounty earnings to making sure this story stays visible — until Injective pays what I deserve.
Full Technical Report: https://t.co/lki2tL9bxw
The telegram group and discord will remain publicly open - that said the group is now over 75 strong, which is amazing, but also gives me some worry due to the confidential nature of bug bounty programs.
That said I am trying to figure out a verification process for access to private teams of established and verified bug hunters, while leaving the community free to start their own teams at will.
1 bad actor can just lead to so much trouble and considering I only had 30 followers when I started the community this was not the level of response I expected.
I appreciate all the people already in and those continuing to join, I will work hard to make it a community that provides immense value to all members and experience levels.
If you have ideas for a verification process please let me hear them, I'm open to community feed back and ideas from those with experience in managing bigger groups.
Calling all researchers!
@Trip is launching a limited-time campaign that will pay out 2x the usual reward for any High or Critical severity vulnerabilities in scope.
Severity will be confirmed by our triage team based on our published severity rubric and our standard bounty program rules apply.
Lasts from July 13 to July 29.
Visit the program page for more information and to see how to get started: https://t.co/Inld0K780h
Thanks for all the awesome work you do and happy hacking!
✅ [New DualDefense Contest]
A fresh challenge just dropped on HackenProof!
The DualDefense Contest with @PushChain is now live.
Reward pool: up to $70,000
End Date: August 2, 2026
Scope: Push Chain L1 codebase
Last Audit: by @hackenclub
Join the contest now!
Upside co-founder Alex Bauer just shared 5 plays from his agentic GTM playbook:
00:00 - Why AI gives confident wrong answers
08:30 - The military trick that fixes agent prompts
11:51 - Build agent memory with a radiant librarian
13:10 - Run multi-agent juries for attribution
15:15 - Why cheap AI tools fail at real work
These 17 minutes of agentic GTM tactics will replace 15 paid AI-for-revenue-teams courses.
Watch it, then read a relevant guide below:
Anthropic just released a 4-hour course to getting a $500k AI engineering job:
00:15 - The right way to prompt Claude
33:21 - What makes Claude act dumber on your code
01:33:39 - How Anthropic use Claude every day
02:50:56 - The fix that makes Claude way smarter
This 4-hour Anthropic free course replaces about 10 paid engineering courses.
Watch it today, then read the step-by-step guide on building loops below.
@codewithsushi a thinking man...the definition of a man is a thinking being. Thanks to AI now we sublet a few thinking to them so that we get time to think about other issues.
A Stanford mathematician who spent 10 years as a professional magician just described the market in one sentence:
"I've spent my life on two tricks: making a rigged deck look random, and making a random one look rigged. The market is the first trick, and almost nobody catches it."
That's Persi Diaconis. He has a free lecture that asks one question: does anything actually happen at random? The answer is: far less than you think.
The market is his first trick in the wild. It looks like pure chance. Buried inside is a faint rig, a 50.75% tilt no eye can see. Your gut reads a losing week as a broken system and a hot streak as skill. Wrong both times. The tilt is invisible to human intuition, which is exactly why funds hand the decision to the math.
None of it is hidden. Diaconis has taught it for decades. The probability goes back to 1713. The lecture is free.
Here's the trap: you feel every win and every loss, but you cannot feel the average. And the average is the only thing that pays. It takes thousands of trades for a 51% edge to separate from luck, and almost everyone quits long before then.
The math is free. The patience to trust it past your own eyes is the edge.