Existing crypto security work is overwhelmingly focused inside the perimeter. Smart contracts, on-chain logic, protocol-layer audits.
The validator daemon's network surface and RPC architecture are systematically under-examined.
NR-2026-001 is what that gap looks like in practice:
https://t.co/gfsI09ZgOY
Trace validation against production captures is the move I keep wanting to make for validator-infra attack-surface work. The gap rn is that the interesting traces aren't the cooperative ones. They're the ones from nodes under adversarial load. Is anyone running Quint against captures of that shape yet?
🚨 JUST IN:
@TransitFinance appears to have been hacked for ~$1.88M.
Stolen funds are sitting in DAI on Ethereum, with reports saying they originated from Tron.
Root cause is still unclear.
Transit sent an on-chain message offering a bounty if funds are returned within 48h.
I run a lot of attacks on my home located validators..... This is one of the funniest messages I've seen from Claude.
Yes please, you ease off, because that's exactly what an attacker would do.
Validator infrastructure attacks have no MITRE. No taxonomy. No shared training data. Until today.
We've just published the first piece on Hugging Face today: 31 bundles, 7 vulnerability families, #Sui and #Solana. Open format, CC-BY-4.0.
https://t.co/O8aY3e2Auh
@m4rio_eth Please call when you’ve all resolved this. I’ll take you out for a fish supper. Meanwhile, I’ll go back to my desk and have some ai tell me that I’m doing just fine today.
Not everyone does responsible disclosures because they want to profit from the bug bounty.
Some of us do them because we actually care about the decentralised world.
So many disclosures are dismissed these days for this reason. We need a new way to do this.
Cool but also.... the auditing-landscape conversation is missing a layer. Validator-daemon network surface and RPC architecture are systematically under-examined right now.
NR-2026-001 documents three architectural findings in Agave's RPC tier that fell through Anza's RPC DoS carve-outs for exactly this reason.
https://t.co/gfsI09ZgOY
Strong agreement on the coordinated-response work. The complementary gap is validator-daemon network surface and RPC architecture ---->
Systematically under-examined right now, and structurally outside incident-response frameworks.
NR-2026-001 documents three architectural findings in Agave's RPC tier that fell through Anza's RPC DoS carve-outs for exactly this reason.
https://t.co/gfsI09ZgOY
Strong agreement on the program-layer work - bugs surviving heavy scrutiny is exactly the pattern.
The complementary gap is one layer down: validator-daemon network surface and RPC architecture, systematically under-examined right now.
NR-2026-001 documents three architectural findings in Agave's RPC tier that fell through Anza's RPC DoS carve-outs for the same reason
https://t.co/gfsI09ZgOY
Existing crypto security work is overwhelmingly focused inside the perimeter. Smart contracts, on-chain logic, protocol-layer audits.
The validator daemon's network surface and RPC architecture are systematically under-examined.
NR-2026-001 is what that gap looks like in practice:
https://t.co/gfsI09ZgOY
Submitted three Agave RPC findings to Anza last week. Closed as out of scope under "RPC DoS" carve-outs.
Two of them aren't rate-limit DoS. They're architectural.
Operator advisory + reproducers:
https://t.co/nb3kXqFQ1T
#Solana#Agave
@mert Just the tip of the iceberg people. We need to prepare. In the last week alone we’ve sent one major chain four separate dos vulnerabilities. We reckon we have a solution for what’s coming. Let’s do it 💪
1/ Threat intelligence sharing for blockchain validator infrastructure is broken in a specific, boring way:there's no standard format for capturing what an attack against a validator actually looks like.
So we built one. 🧵 Look mum, I did something!
Your validator raised their commission from 5% to 10% last week.
Did they tell you? I'll bet you a pint of milk they didn't.
We now track every commission increase across Solana, in real time. 🧵
Bug bounty programs are often so restrictive, there's no point in doing them. Which is why "good people like us" end up flooding your emails with messages, which invariably end up in spam, or ignored.
The issue you should be more concerned about is "the bad people UNlike us".
These are the ones who aren't reporting but are silently waiting for "some event" that you'll likely not notice until it's too late.
And whilst we're building products to protect you, for the short-term, utilise this vibrant community of people who'll often help you for free.
@p6rkdoye0n Over six months ago we published a simulated attack on Sui. Having discovered that 40% of their validators were running with exploitable CVEs.
It was dismissed by their team.
Aka the tinkerbell effect. We believe it's fine because we don't understand.
https://t.co/MNlAwLALPu