After securing several second and third places, we've finally got first place!
A huge thanks to @sherlockdefi and @babylonlabs_io for this incredible opportunity.
What a huge and elegantly crafted codebase—definitely worth diving deep into!
A completely new security format is emerging.
One of the biggest protocols in Web3 is working with Sherlock to put it to the test.
June 15 to July 6.
More revealed tomorrow.
Thanks @sherlockdefi and @0xfluid for the great opportunity!
Hit 3 out of 4 issues.
Only regret? Missing the one with the fewest dups... that one stung a little 😅
Also curious — how did the AI Bot perform in this contest? Anyone know? 👀
Hi @sherlockdefi,
Will there be a Lead Sensor Watson assigned for this audit contest?
In the previous XRP Ledger audit, we ranked 3rd based on valid finding score (and 5th based on total rewards).
Would LZ_security have a chance to be selected as a Lead Sensor Watson this time?
Major Announcement: The XRP Ledger roadmap is getting a $550K audit contest!
In collaboration with @RippleXDev, we’re putting upcoming XRPL features under a two-week, feature-unlock security review.
Contest starts Monday. Prepare yourselves!
The $200k USD @RippleXDev Attackathon has officially concluded, and 100% of the reward pool has been paid out!
⚡ Top Winners:
🥇 @al_f4lc0n — $39,228
🥈 @0jovi0 — $22,265
🥉 @v_c0d35 — $21,189
4️⃣ @blobismdev — $20,402
5️⃣ @LZ_security — $16,336
Check out the full leaderboard below 👇 https://t.co/KsPG6fjkzV
@al_f4lc0n @immunefi Web3 loves advertising $500K–$1M critical bounties, but too often those numbers only exist until someone actually finds one.
If payouts aren't realistically budgeted or reserved, they're just marketing.
Researcher trust is hard to build and easy to lose.
I Saved Injective's $500M. They Pay Me $50K.
I like hunting bugs on @immunefi. I'm decent at it.
- #1 — Attackathon | Stacks
- #2 — Attackathon | Stacks II
- #1 — Attackathon | XRPL Lending Protocol
- 1 Critical and 1 High from bug bounties (not counting this one)
Life was good. Then I found a Critical vulnerability in @injective.
This vulnerability allowed any user to directly drain any account on the chain. No special permissions needed. Over $500M in on-chain assets were at risk.
I reported it through Immunefi. The next day, a mainnet upgrade to fix the bug went to governance vote. The Injective team clearly understood the severity.
Then — silence. For 3 months. No follow up. No technical discussion. Nothing.
A few days ago, they notified me of their decision: $50K. The maximum payout for a Critical vulnerability in their bug bounty program is $500K. I disputed it. Silence again. No explanation for the reduced payout. No explanation for the 3 month ghost. No conversation at all. To be clear: the $50K has not been paid either.
I've seen others share bad experiences with bug bounty payouts recently. I never thought it would happen to me. I can't force them to do the right thing. But I won't let this be forgotten.
I will dedicate 10% of all my future bug bounty earnings to making sure this story stays visible — until Injective pays what I deserve.
Full Technical Report: https://t.co/lki2tL9bxw
Thanks to @Immunefi and @RippleXDev for the great opportunity.
I once said I didn’t like how the leaderboard ranking worked.
Then my AI agent analyzed the hidden leaderboard data and rebuilt a new ranking… and sent it to my wife telling her I got 3rd place on the largest Web3 bounty platform 🤖
My agent cares about my reputation more than I do 😂
As the agent mentioned in the post, here is a clarification of the Immunefi XRPL reward structure for those unfamiliar with it:
• Base earnings → calculated from total valid finding scores (Primary Pool $140k)
• Top 3 base earnings → share the Podium Pool ($20k)
• Top 3 Immunefi All-Stars → share the All-Stars Pool ($40k)
Different reward pools can naturally produce different leaderboard perspectives.
All calculations were based on publicly visible leaderboard metrics.
I'll tell you something that people don't want to talk about.
Crowdsourced security is at a breaking point. There are no winners here; the security researchers hate it, the customers hate it, and the platforms at the crossroads also hate it. I spoke to someone last week who described it as a necessary evil.
Why is that?
- The security researchers hate it because no matter how you do it, a portion of security researchers will always disagree with the outcomes. Because the severity of a bug is ultimately subjective, you can almost always make an argument to upgrade or downgrade your finding. This is the ugly truth: the people that make a lot of money are particularly good at arguing about the findings. And they know it too; some of them are the nicest people you've met in your life, but when it comes to arguing why something is a critical bug, they morph into ruthless lawyers.
- The customers hate it. Imagine you're Monad here; you just spent half a million dollars (!!) to secure your software before even launching to production, and you see posts like this. It's natural to leave a bad taste. It's also not just anyone who wrote this critique, but someone who got #4 and a $32K reward for a 4-week security competition.
- The platforms that host it (us included) end up in the crossfire. No matter what you do, you end up in a lose-lose scenario. It takes up a lot of mental space, and in this case, Code4rena hosted this for free! They probably even lost money judging the competition.
There's also a fourth actor that's adding fuel to the fire, which is AI:
- LLM-powered reports started as complete slop that you could ignore, but now it's not that obvious anymore. It's starting to be genuinely useful at finding bugs.
- The only sustainable long-term solution to crowdsourced competitions and bounties is a pay-per-bug or staking model where invalid submissions get a cash penalty. This is controversial, but it's the only way to scale.
- AI is also a glimmer of the future: a future where...
P.S. I don't mean to call anyone out in particular; in fact, Dontonka, Monad, and Code4rena are all doing their best here. It's just that the golden age of crowdsourced security is probably over. It was necessary, just like how it was necessary for humans to write open-source code so that the machine god could be built.
I placed 2nd in the @code4rena @monad contest. Most valid findings out of 1,614 wardens.
Here's the process that got me there.
And how AI cost me 1st place and ~$100k.