Trust
@trust__90
Head of Trust Security, DM for booking | Master of hand-to-hand audit combat | C4/Immunefi/Sherlock VIP | Hacked Embedded, IoT, iOS in past life
Check out our GOAT lineup at Trust Security's new roster page! trust-security.xyz/team Magical things happen when you bring the provably best auditors on the planet to collaborate rather than compete. Book your/our success story today.

Imagine a world where saying researchers should not be abused is a controversial take.. That's what happens when a firm with unlimited cash shows up and buys its way into market dominance. Dumping on researchers with extractive policies simply becomes the new Nash equilibrium
Hot takes that I think shouldn’t be hot, and should be “the default”:
1. The contest platform is ultimately responsible for the payout. It is the contest platform that promises payout, so if a platform doesn’t pay out, no matter the drama, it is the platform’s fault.
2. The…
- Keep state-changing LoC under 500
- use ++counter pattern for mapping keys
- don't support native tokens
- keep state machine in open view via state enums
- 1:1 test/LoC ratio
- format every line of code with a ruler
See, winning the game ain't that hard
"Well played", indeed Mr @trust__90
Exploit Bounty Opens We will allow the attacker a 12h grace period starting now to contact us, after which a bug bounty will be opened rewarding 10% of funds returned if the intel leads to a recovery. We already have several leads regarding the IP addresses and on-chain…
Why Low-Severity Findings Say More About Your Audit Than Critical Bugs Many audit firms focus their sales pitch on number of Highs found as if this number isn't just noise without plugging in context: prior audits, peer review, test coverage levels, code complexity, line count…
A critical in git released yesterday that can be triggered by git clone of untrusted repo. That's the dream vector to pwn auditors and steal their bounties / audit money. Patch your systems before quoting any new clients! And expect visitors in your inbox in coming weeks...

Turns out you can score 5-fig bounties in contests without actually discovering any issues, just a semi-functional brain needed. In the March 2024 OP Fault Proofs contest, devs fixed a critical issue a day before it started but didn't merge it in. 🔗 github.com/ethereum-optim……



Ok Zigtur, next time a high EV opportunity presents itself which fits my specializations, I will turn it down, or maybe stop half way when realizing it's too easy, because a rando on the internet does not approve of it.
For sure he is a beast. That is not even a question here. But I don't really understand why he spent so much time on a project that didn't even look at OP specs.
Decided to give Cantina a try last October, 8 months later results are finally out... Tens of solo findings in 1st Java audit and outperforming top Cantina leaderboard bros by 3-7x feels pretty good, not gonna lie. It's a shame the post-audit experience was so terrible I vowed…


Everything we've been told about "Code is Law" defense not standing a chance in court has been a lie. Mango Markets / Avi Eisenberg charges just been dropped by a federal charge. The same logic used to dismiss the case can be used for pretty much any permissionless DeFi…

As a veteran of the audit contest industry, I will tell you how deals like these are made.
> Be protocol with money and do 3+ collaborative audits
> Know that the codebase probably doesn't have significant bugs
> Want to signal to the community, investors and other stakeholders…
The @PumpDotFun $2,010,000 competition results are in. 🪐 Your top-ranked researchers: 🥇 @juaan & @0xSpearmint (team): $2,762.43 🥈 @KoolexC: $1,745.85 🥉 @_0xarno_, @0xhuy0512, lukaprini, @shaflow01, @zigtur: $1,000.00 each Thank you to everyone who participated. Full…
Doubling down on a factually incorrect take is hilarious. No, you should be the one checking facts before posting. Scroll labelled as known a novel attack path which exploits the code after they already fixed the original issue they referred to. It doesn't get any shadier and…
This is the response from the @immunefi team. The bugs in question were either out of scope (no impact) or already reported (duplicate) I suggest you check the facts before posting.
If facts are true, this is shameful and borderline criminal behavior by @Scroll_ZKP. Clear chain freeze PoC at near-zero cost and they close report, then offer $1k in a $1M bounty? How does deprecating the feature next month qualify for the "no-fix, no-pay" policy? Unfortunately…
On Feb 17 2025 I reported a critical vulnerability to @Scroll_ZKP. $100m+ in TVL was at risk for more than 2 months. Anyone could force Scroll L2 into an indefinite re-org, halting the chain so that no user transactions would be included in blocks and the chain would not move…
Warning ⚠️: Not a new bounty writeup We auditors all like to focus on the juicy crits and keep non-tech work to a minimum. Who cares about paperwork and meetings when you just found a novel way to drain a DeFi contract? But all things should be done in moderation, and too often…
In late 2024, TrustSec discovered a consensus bug in @OPLabsPBC Optimism client. In the worst case, op-node would have a wrong view of the L2 state, causing a chain split from other clients. For our research, OP Labs generously awarded us with a $7.5k bounty. Check out all the…
