My take on the Zcash bug.
I never worked on Zcash as a target because I didn’t didn’t even know they had a BBP.
It it were a 2M bounty on Immunefi I think I would have been very likely to find it back in 2023.
I found three similar ZK bugs that year, plus 3 others in verifiers. All loss of TVL.
I read every single line of circuit code (multiple times) that had a an Immunefi BBP with max bounty >= 1M between 2023 and early 2024 and earned more than 1M from that effort, in just one year. Made even more later.
During all that time I didn’t even know there was a Zcash bug bounty. (Or Solana for the matter!)
Im sure there were other people doing this that found ZK bugs too.
I dont think anyone ever spent that kind of effort on their code base.
Most of those code bases I found bugs in had been heavily audited (that’s true in general for most findings).
“AI found this bug humans missed for 4 years” is a catchy headline
The reality is for 4 years they really didn’t incentivize humans properly.
And there are likely many other ZK bugs out there not found yet by humans, AI-assisted or not.
I wonder if any LLM could have found it without training of my own disclosures from 2023, ToB’s articles, RareSkills content etc
You can hope you will find all the bugs with an AI trained on data from 6 months ago at best — and hope your code only has bugs similar to publicly disclosed ones.
Or you can “risk” having to pay something like 1M instead of insta-crashing down 50% of market cap — or worse.
If exploited those are protocol-ending bugs.
We are building a tool that autonomously, with the help of AI, can generate @Certora specs for your Solidity codebase.
It will be free and open source.
Early version drops tomorrow.
Tune in 👀
We’ve received a lot of messages asking us to increase the NSLOC limit, and honestly, we really appreciate all the interest and support.
Because of that, we’ve decided to increase the limit to 1500 NSLOC.
Only 2 days left to apply.
🚨🚨 Free Audit Alert 🚨🚨
We’re opening 1 free smart contract audit slot for a promising protocol.
Requirements:
• Solidity codebase
• Less than 1000 NSLOC
• Team with a history of shipping products
• Credible backing / ecosystem presence (good to have)
How to apply:
Visit https://t.co/hLne5dcTyl, message us on Telegram at @NoemaLabs, or DM us here.
Applications close in 3 days.
A lot of people in Web3 security are building genuinely useful tools to make the space safer.
There are already some great ones out there. A few we personally take inspiration from are Plamen by @p_tsanev, an Autonomous AI agent and Claudit by @MartinMarchev, an MCP server for searching solodit findings.
We also wanna contribute our part.
So to all the builders, researchers, and protocol teams here:
What’s something you wish existed today?
What part of security work feels unnecessarily painful or inefficient?
What tool would actually help you?
Drop ideas below. If something makes sense, we’ll try building it.
From winning audit contests to building NoemaLabs, a firm aim at preventing onchain exploits
3rd place in the EigenLayer contest wasn’t luck, but a proof of skill and methodology
If your protocol needs real security researchers and not checkbox audits, keep an eye on this team.
Our site is live and we’re opening early relationships through our referral program.
If you know teams building in DeFi/infrastructure that need security reviews, feel free to connect us and get paid for successful referrals.
More info available on the site.
Our site is live and we’re opening early relationships through our referral program.
If you know teams building in DeFi/infrastructure that need security reviews, feel free to connect us and get paid for successful referrals.
More info available on the site.
Today, I’ve joined forces with my brother @Aasif1552 to start @NoemaLabs
Over the past few months, Web3 has seen millions lost to exploits, with attacks becoming increasingly amplified by AI and advanced tooling.
https://t.co/OXNdx9C4cQ
@belizardd All those cb fired post the work they were doing at cb, pretending as if they hate their job but remember, they never leave, until were fired.
Now busy spreading FUD only Once they are no longer part of the party. But will definitely take whatever offer any company gives out
@hrkrshnn@0xDontonka It’s not about the $ v, his experience is telling us about a broken system , what happens to him could have lead to zero rewards as well. The fact he still comes out with 35k after that terrible experience shows how competent, resilient he is and shows that he’s claims are true