I don’t think anyone conversant with FV claims the goal is to find all bugs.
To discredit it, you must show a bug that violates a formally specified and proven property.
Otherwise you’ve found a limitation of the spec, not a failure of the proof.
If you’ve “formally verified” a codebase in the last year, drop a link in the comments.
We will find bugs in it.
Do not believe the lies of the formal verification industrial complex.
We are building the next generation of Web3 security researchers.
300+ trained.
Real audits. Real impact.
Web3 doesn’t lack tools.
It lacks security talent (white hats hackers)
We’re fixing that.
Support Guild Academy 👇
https://t.co/u9S2a4od8X
Happy to announce that i came top 4 amongst 1000+ researchers. Can’t lie, this was a tough contest on @sherlockdefi and a lot of battles had to be won but above all i’m glad i came out on top.
More wins incoming!!!
Expect a lot more from me this year..i’m all in..
During our ongoing investigation into the April 13 Token Gateway exploit, we have identified that a number of regular Hyperbridge users, distinct from the original attacker, also withdrew funds from the DOT escrow during or shortly after the incident.
After the attacker drained the pools, the price of DOT in those pools became severely distorted relative to other assets. This meant that a small amount of another token could be swapped for a disproportionately large amount of DOT, which some users bridged back to Polkadot.
Whether or not this was done with full understanding of the circumstances, these funds belong to the affected liquidity providers whose pools were drained. We are offering a 14-day voluntary return window. Funds returned to the address below will be treated as good-faith acts.
Return address (Hyperbridge Sovereign Account): (https://t.co/PEcZ3y9OxT)
After this window closes, wallet addresses still holding unreturned funds will be referred to law enforcement alongside the on-chain evidence our forensics partners have compiled. These wallets have been identified and their full transaction histories are documented.
If you are unsure whether this applies to you, or if you need assistance with the return process, reach out [email protected].
What this exploit has made clear, expensively, is that verification logic needs more frequent audits and adversarial testing at every layer of the stack.
That is the standard Token Gateway will operate under going forward.
This one has a bit of story behind it.
Less than 12h after the report was submitted, it was confirmed by the team. The team didn’t even try to argue about how catastrophic the impact was. They were fast responsive and professional and transparent with their users, something I really admired. They simply straight told me because of a large hack last year that they suffered from they’re struggling financially and they’re letting a lot of their people go. The direct impact was around 7 million dollars. They were honest and I like honesty so instead of the normal 700k bounty, I accepted the 300k, I don’t regret my decision and I hope the project bounces back even stronger during these hard times, I admire them and their security standards and I wish them the best.
I Saved Injective's $500M. They Pay Me $50K.
I like hunting bugs on @immunefi . I'm decent at it.
- #1 — Attackathon | Stacks
- #2 — Attackathon | Stacks II
- #1 — Attackathon | XRPL Lending Protocol
- 1 Critical and 1 High from bug bounties (not counting this one)
Life was good. Then I found a Critical vulnerability in @injective .
This vulnerability allowed any user to directly drain any account on the chain. No special permissions needed. Over $500M in on-chain assets were at risk.
I reported it through Immunefi. The next day, a mainnet upgrade to fix the bug went to governance vote. The Injective team clearly understood the severity.
Then — silence. For 3 months. No follow up. No technical discussion. Nothing.
A few days ago, they notified me of their decision: $50K. The maximum payout for a Critical vulnerability in their bug bounty program is $500K. I disputed it. Silence again. No explanation for the reduced payout. No explanation for the 3 month ghost. No conversation at all. To be clear: the $50K has not been paid either.
I've seen others share bad experiences with bug bounty payouts recently. I never thought it would happen to me. I can't force them to do the right thing. But I won't let this be forgotten.
I will dedicate 10% of all my future bug bounty earnings to making sure this story stays visible — until Injective pays what I deserve.
Full Technical Report: https://t.co/lki2tL9bxw
I Saved Injective's $500M. They Pay Me $50K.
I like hunting bugs on @immunefi . I'm decent at it.
- #1 — Attackathon | Stacks
- #2 — Attackathon | Stacks II
- #1 — Attackathon | XRPL Lending Protocol
- 1 Critical and 1 High from bug bounties (not counting this one)
Life was good. Then I found a Critical vulnerability in @injective .
This vulnerability allowed any user to directly drain any account on the chain. No special permissions needed. Over $500M in on-chain assets were at risk.
I reported it through Immunefi. The next day, a mainnet upgrade to fix the bug went to governance vote. The Injective team clearly understood the severity.
Then — silence. For 3 months. No follow up. No technical discussion. Nothing.
A few days ago, they notified me of their decision: $50K. The maximum payout for a Critical vulnerability in their bug bounty program is $500K. I disputed it. Silence again. No explanation for the reduced payout. No explanation for the 3 month ghost. No conversation at all. To be clear: the $50K has not been paid either.
I've seen others share bad experiences with bug bounty payouts recently. I never thought it would happen to me. I can't force them to do the right thing. But I won't let this be forgotten.
I will dedicate 10% of all my future bug bounty earnings to making sure this story stays visible — until Injective pays what I deserve.
Full Technical Report: https://t.co/lki2tL9bxw
A CRITICISM WITHOUT AN ALTERNATIVE IS MERE NOISE
The educated approach to any disagreement at all is not noise - it is a better alternative. Not louder complaint or a more violent outrage - A better alternative. That is the standard by which serious people engage serious matters.
So let us, for the sake of argument, assume - without conceding - that this administration bears full responsibility for the fuel price crisis. Let us grant you that, fully and without debate.
Now answer the question: what will Peter do differently?
Can Peter stand at a podium in Abuja or on a X space, or on a church pulpit and command the global price of crude oil to descend? If the answer is no - and it is - then we are already dealing with forces no presidential will can bend by declaration or decree.
With revenue inherited in decline, will he restore the subsidy he swore, with equal passion, to abolish from his very first day in office? Where will the funds come from? From which federation account? From which economic miracle?
And the war - the grinding, grinding war that has unsettled energy markets and fractured global supply chains - will Peter summon Trump and Netanyahu to a meeting, look them in the eye, and instruct them to behave so that the world may return to what it was or he sends them to wash planes toilets and efritin?
I understand the temptation. Speaking ill of government is the shortest road to cheap engagements. Painting the nation in darkness is now the most convertible currency in the clout economy.
Uninformed criticism requires no research, no alternative, no intelligence - only volume and a willing audience.
But a critique without an alternative is not patriotism. It is performance.
Your job as pilot is to fix it.
If you need the passengers to tell you how to fly the plane before you'll acknowledge the fire, you're not a leader. You're a liability.
4/