Balancer Hack Part 4: Breaking the protocol was the easy part. Escaping with the money was the hard part.
Every successful exploit needs three things:
1. The right state.
2. The exploit.
3. A way to get out with the profit.
Most researchers focus on #1 and #2.
But #3 is often what determines whether a bug is actually exploitable.
In Part 4 of my Balancer hack series, I break down how the attacker escaped after manipulating the invariant.
They had to overcome two major obstacles:
• Internal defences: Balancer reverting with errors
• External defences: MEV bots waiting to steal the opportunity
The result is a practical playbook for turning a theoretical vulnerability into a feasible exploit.
If you've ever found a bug and wondered, "Could this actually be exploited?" this article will change how you think.
Read it here: https://t.co/nGkYoCz6Ln
Your next high-severity finding may not need a bigger bug.
It may just need a better escape route.
What if RISC-V had 1024 registers instead of 32? Can that solve register spilling & improve zkVMs? Claude and I implemented this experiment in LLVM's RV32 backend and integrated it with OpenVM for e2e proofs.
Full results and write-up link below
After months of work, I’ve published Part 1 of my Balancer Hack series.
This isn’t a post-mortem — it’s a guided walkthrough inside the attacker’s mind.
We follow the thinking: spotting a subtle bug, hitting dead ends, refining ideas… until it becomes a full exploit.
I wrote it to be experienced, not skimmed.
Would love your thoughts.
Huge thanks to @adeoluwami__ 🙏 for the review.
https://t.co/C4GifWZhlA
I've created a site to share some ideas.
My first post is about being a professional whitehat, and how I evaluate potential rewards to decide where to hunt.
https://t.co/XcGP8BkHn9
Your security goal as a project with live code is to get whitehats engaged with your code for the long run.
Incentivize hunters to check the code with a good bounty. Attract them with any other policies.
Make it easy for them to discover your assets, and to run experiments.
Results and lessons from ~1yr (2025) of full-time BB on @immunefi
- 3 bugs marked as Crits and paid
- 2 Crits confirmed but not paid for >5-6 months
- spent ~3 months on this project
- the project has been unresponsive for months now
- just recently the BBP was paused
- I’m hoping they’ll pay eventually; it would be my biggest payout so far, but the chances are pretty slim
- the project even paid me for a different bug and has paid other people before, but decided to ghost here
- TVL, max bounty, and fees (from DefiLlama) show the project is an active medium-sized one with solid fee income, not some abandoned thing
- you never know if you’ll get paid or not and you have zero leverage
- 0 dups, so that’s probably good
- My income was lower than from contests in 2024; those 2 unpaid Crits would make a big difference
- If you check the immunefi leaderboard for 2025, you can see the number of paid reports is usually not that big, most often single digits
- compared to contests where you can find 10s or 100s of bugs per year, the variance in payouts is much higher
- it often comes down to 1–2 bugs per year that pay >50%, so if you don’t get paid on those you take a big hit
- It was motivating in the first months when I got several Crits
- But later I had much less motivation because
  - long payment times
  - long reply times (SLA is almost never respected)
  - fewer bugs found, less feedback
  - zero communication with the project before you submit the bug
- Strong upward and downward spirals: good results => learn more => get better, and the opposite
- What I like about BB
  - you can go as deep as you want, as slow as you want, into so many projects and rabbit holes
  - full freedom, no deadlines, no responsibilities, no schedule
  - escalations on Immunefi work slowly (1–2 months+ usually) but they go deep into the issue
  - feeling appreciated, even a simple “good find” after a month+ on a project makes you feel it wasn’t in vain
- What I didn’t like
  - you are ignored all the time
  - you never know when the project will reply, sometimes it’s month+
  - you never know when Immunefi will reply on the issue, even if you ping in Discord you may just get something like “we are looking into it, will reply to your escalation asap” and then it can still take month+ to get a real answer
  - no communication with the project, you need to learn everything on your own
  - hard to navigate all the rules and define category and severity, and since you submit bugs so rarely the bureaucracy feels new every time
  - issues can be closed with no explanation, you work for months and just get “Closed, out of scope”, then you ask and it turns out to be more like “no fix no pay, if this loss happens we will just top up the contract from treasury”
  - you often feel low-balled, sometimes it might really not be a C but an M, but more often than not it feels like your effort is underappreciated
  - overall it feels more lonely than contests
  - you talk with the project or Immunefi maybe once a month or once every few months
  - most of the time it feels like talking to the enemy, me against them, the project wants to pay less and pay later, you want to get more and get it faster (at least respect the SLA)
  - it doesn’t feel like you are on the same side, more like you are in a fight
  - no shared chat or common context like in big contests when all of X/Twitter is talking about a single project (see Maker contest), here you are hunting on your own
- Some thoughts on why the results are worse than I expected (and worse than last year in contests)
  - Jump between platforms?
    - each platform has its own rules, what gets paid in contests and is appreciated in private audits can be closed with no explanation in BB
    - so it might be that I was looking in the wrong places and spent my time on leads that were never going to be paid anyway
  - Didn’t learn enough?
    - on BB you miss a lot of the learning aspects of contests, if you miss something in a contest you usually learn about it pretty soon, but in BB you don’t have that feedback loop
    - you don’t really see how you compare to others (did they just get lucky, was I just unlucky, did I just choose the wrong project), without competition there is less motivation to learn and improve
  - Bad pace?
    - when you have so much freedom and almost no feedback, motivation slowly goes down, and your speed goes down with it
  - No team? No social?
    - I know this is my biggest leak overall, but in BB it’s an even bigger problem than in contests
    - after a contest a lot of people want to discuss it, the issues, the mindset, the meta-game, etc
    - less motivation to do X/Twitter, because it feels like if I share what I’m working on it might attract others to the same projects and I’ll start getting dups. And overall it feels like it’s me against the world, so why share (not necessarily true)
  - Going too deep into things that are not fruitful?
    - with no deadlines and no pressure it’s very tempting to just explore how some tech works, just for fun
    - hard to say if that will eventually pay, and it’s harder to stay focused on the most dangerous places
    - I tend to spend months on one project, which is very risky if they don’t pay, and there are diminishing returns for most projects after 1–1.5 months
    - if I didn’t go that deep into every area I don’t fully understand, maybe it would be more like 2–4 weeks per project
    - I often feel like I need to check every idea I wrote down, but in reality the top ideas (marked as high probability by me) are the ones that pay, and 90% of other ideas are good for learning but probably not worth the time
  - Maybe no talent? No skills?
    - hard to judge myself
    - overall there are some signals that I’m not that bad, 6 confirmed Crits in a year is probably ok
  - Too inflexible?
    - when I first came to audits I followed a very checklist-heavy approach
    - now I’m more intuitive, I try to see what feels fishy, but I still rely on checklists and on going through the early ideas
    - I lean heavily on AI, it’s a new thing I picked up that changed my approach a lot
    - the projects I choose are mostly in my area of expertise and interest, maybe trying new languages or new types of protocols would help
  - Bad mindset?
    - many BB hunters jump quickly between projects, I still treat it more like a private audit and stay on one project until I feel there is nothing more I can do
    - many people do something like a 1 week intuitive scan and then move on
    - many work on several projects in parallel
I'm still thinking about what to focus on in 2026
Right now I'm pretty tired of BB, but that might change after a break
So probably some contests, maybe joining a team if I find one
I usually set my yearly goals in January, so there's still some time to think and decide on the direction
🚀 The $30K @FolksFinance Wormhole NTT on Algorand Audit Competition is officially a wrap! 🎉
🔥 100% of the reward pool has been paid out!💰
🏆 Top Winners:
🥇 @0x_DyDx – $10,980
🥈 @_uhudo – $9,415
🥉 @rhaydden – $8,460
4️⃣ @yashar0x – $573
5️⃣ @Afriauditor – $573
Huge congratulations to all the winners and a big shoutout to every researcher who participated! Onward to the next hunt! 🚀