Found a Critical zero-day in @cosmoslabs_io IBC Eureka: a live bridge drain bug, threatening tens of billions of $$ in TVL. Missed by two world-class audits. Fixed within days of my report (public).
The bounty? Still hasn't come. Who knows if it ever will. But I realized something: the bounty was never the real win. The fix was: Users protected. Cosmos' 5-year exploit-free bridge record protected. That's a win, that was my primary goal.
I'm taking that WIN!
Diary of a Whitehat #DOAW - Entry 002 is finally here!
Full report: "A Win for Responsible Disclosure: How a Single Line of Code Stood Between Cosmos IBC Eureka and Catastrophic Bridge Drain"
This special report recognizes the positive roles of every stakeholder in this responsible disclosure win:
@Hacker0x01 for providing the enabling platform, @cosmoslabs_io for the amazing #bugbounty program, Cosmos Labs leadership @BPIV400 and @0xMagmar for the unwavering commitment to user and ecosystem security, and the #Web3security community at large.
Read full article on Zer0day Research: https://t.co/LH8i9oZP2Q and X Articles.
🎩🔍 #DOAW #ResponsibleDisclosure #Web3Security #Cosmos
The bug bounty ecosystem genuinely needs researchers who hold the process accountable without burning it down.
Accountability will save the ecosystem from its own inherent threats.
- @Zer0day_sec
At https://t.co/LH8i9oZP2Q, we operate on a contingency model because we are CONFIDENT in our ability to find all & what others miss. If our research finds zero critical or high-severity vulnerabilities, you pay $0. DM open.
We find zero-days even after you think all angles are covered. We challenge every project today: request a free audit, and we will show you.
#freeaudit #adversarial #0dayHI #bugbounty #web3security #web2security #appsec
Sometimes you got to remind the triage team:
"Hey! We're on the same side. We're the good guys. Remember?"
Come on! Why the whole we-dont-negotiate-with-terr0r1st treatment? Hmm?
😃 #GoodGuys #WhiteHat #SecurityResearch #BugBounty
@BPIV400 Tnx for the clarification Barry.
Freeze and pause mechanisms failing to trigger is exactly what was documented in a Critical ICS07 freeze bypass I independently found and reported in IBC Eureka on April 1. Fixed April 9. Missed by 2 prior audits.
My report/research remains unacknowledged. The irony is not lost.