
The answer to this question is out there, but the reports are not published yet.

I caution readers to not make rash judgements on their skill like this though. These bugs are really hard to find, and it was a minor miracle that I noticed these ones at all. I actually had a whole list of critical bugs in this codebase ready to report before the V2 upgrade was merged to master (which would put it in scope for a bounty). However the auditors managed to find every single bug on my list. I only noticed the ones that eventually made it here later, by a stroke of luck, and after I had already spent a ton of time looking at this codebase without noticing them.


congratulations ser

did you try other things, like trying to get employed by the team or submitting an altruistic pull request? or was the bug bounty the adequate incentive from the get-go?


Projects are free to change their terms and the page you link has been updated since I submitted my reports. The maximum was lowered to $1M and payment currency changed from USDC to SEI.


Right, yeah. I estimated that a savvy attacker might have been able to get out with 50 or even 100m from this, but they would also go to jail. So...


What sort of crime are you envisioning that exploiting this would fall under? It's not always fraud to satisfy a poorly written contract, although that is commonly the case.


Wire fraud, at minimum. This would constitute direct theft. Very similar cases have been tried and convicted several times now.


Everything is wire fraud / securities fraud


Someone has been reading Matt Levine


Despite what many programmers think, code is not law.

Just like a bug in a smart lock does not allow you to enter a house because "you were allowed in".


It was advertised in advance, but the real gamble is on whether they'll pay. If you go to my other blog post linked in OP, you can see a case where I was owed 500k and paid 60k.

You're right though that it's a lot of risk. It's not something that most of the leaderboard works full time on, though some of us do. The immunefi homepage has a list of all the bounties on offer.


Couldn’t there be a smart contract for this? I’ve no idea how.


It's up there but not singularly so. Twice there have been $10M! You can see the leaderboard where the majority of crypto bounties are represented here (https://immunefi.com/leaderboard/) but you have to search around for the actual reports.


Hey OP here, thanks for posting. Happy to answer any questions.


1. Roughly how many hours did you spend on the two bug reports (from recon to publication) that you have posted on your blog?

2. How extensive is your background in networking, blockchain programming and pen testing?

3. How many other bounties did you commit recon time to before the two successful disclosures?


1. This is really hard to enumerate. I basically am always doing recon and don't do it one target at a time either. I'd been looking at Sei's V2 upgrade code on and off for months, and made my report when they merged the v2 branch to master (this action put the code in scope for a bounty). I'd found a handful of other critical bugs on the way, but they were fixed eventually either in the course of normal development or audits. I definitely spent upwards of 40 very focused hours in total investigating this codebase along with its dependencies Cosmos/Tendermint. Probably much more time less focused. Cosmos & TM are quite big. But those dependencies are used in many other projects too, so it can't be purely accounted towards time on Sei.

2. I am a very experienced security researcher/pentester/whatever we want to call it, specifically in the blockchain niche. I'm OK at the other stuff (reversing, cryptography, web, mobile, etc). Networking probably alright? I'm comfortable saying I have a good mind for security and a wide knowledge of the basics in many fields, then a very deep knowledge of a select few areas.

3. Idk, a lot! Upwards of 20 for sure.


Congrats on your skills, enjoy not having to work on things you aren’t passionate about.


1. For the 2nd issue you found, was the amount you redeemed after being paid really up to $2m USD?

2. From your other comments elsewhere in this thread, it sounds like you are a full-time bounty hunter, correct?


1. Yes, they sent me 2,000,000 USDC.

2. Well, I'm currently not employed full time and I do spend a lot of time bounty hunting. But I mix it in with other things as well, like competitive security reviews on https://sherlock.xyz or https://cantina.xyz and private contracted security reviews.


> ... and private contracted security reviews.

How do you find those? Or does this type of work find you based on your activity on competitive security review sites?


Typically networking. I spent some time working at a reputable firm in this space as well.

One way to do this is to show some chops on the competition sites and then move to one of the organized freelance firms like Spearbit or yAudit. In doing all of these things you'll inevitably meet more people, build a specialty, get some reputation, etc.


What are you doing with all that dough?


Did you have to specify that it was a critical bug or haggle with them? On the immunefi site, their max bounty is set at $1M but you clearly got 2x that.


The project changed to a 1 million dollar bounty after usmannk's report on May 18th.

There's an unofficial project that tracks bounty programs, you can see the change here: https://github.com/infosec-us-team/Immunefi-Bug-Bounty-Progr...


This one was actually USDC! Regulated, unmagic, dollar-backed beans.


$8,333 monthly on a 5% return. Congrats!


congrats. take your mama out for a nice dinner. get some flowers as well you know she deserves it


this data would leave you thinking valencia st is worse off than soma


why does the hardware addressability reasoning hold for RAM but not SSDs?


NAND flash is... weird. The old generation of SLC and MLC flash actually had more than the binary size, with the extra being used for error correction and wear leveling information. Newer MLC has larger "spare area", but is sufficiently unreliable that SSDs tend to round down the binary size to a decimal number and use the difference for replacing bad blocks as they wear out and fail.

TLC flash has a capacity that's actually a multiple of 3 times a power of 2, with an additional spare area. I believe a "128GB" TLC SSD might have somewhere around 150GB of writable bits.


Your computer does not have a problem with non-existing LBAs. The SSD controller might not like missing raw flash addresses, but that's abstracted away from the user perspective anyway, even if for no other reason than the FTL.


But spinning hard drives and SSDs don't work at the byte level, but at a power-of-two block size, 512 B to 4 KiB usually.

You purchase a number of those blocks, and the total amount of bytes is a power of two.

The filesystem then stores everything in its own blocks, composed of one or more disk/SSD blocks.

Files on disk therefore consume a number of blocks, making their storage usage a power of two (the real size can be anything, of course).

And you might as well align blocks to memory pages when buffering/reading/writing the filesystem. Since you must align memory access for performance with the CPU cache, RAM is loaded/stored itself in blocks of 256 or 512 bits these days (yes, reading one byte from RAM will retrieve that much), etc.

That's a lot of powers of two (you could argue power of 12 [4 KiB]) designed in everywhere.


> Technologists describe their systems as having “uptime” and measure it in “nines”, such as “We have five nines of uptime”, which means that a system has 99.999% uptime or, equivalently, about five minutes of downtime per year. Five nines is admirable in many circumstances and would be considered _disastrously_ below expectations for e.g. Google Search.

This seems wrong? 5 9s is probably a reasonable benchmark or even unattained goal for Google Search, right?


Five nines is about six minutes of downtime a year.

Google search fails for me perhaps about that.

Now to get five nines for Google a bunch of parts below it have to be more redundant and reliable.


My favorite set of Google 9s is that Google Cloud Storage offers 11 9s (99.999999999%) of durability. The availability SLO is 99.95% though.

https://cloud.google.com/storage/docs/availability-durabilit...

https://cloud.google.com/storage/sla


Hmm that durability means that after some period of time, all your data is gone.

Could be once a year lol


You do realize that durability and availability are different properties of a system, right?


Isn’t that explicitly what they’re pointing out?
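An added worked example, written for this page and not taken from any commenter or from Google's documentation, that turns the thread's figures into arithmetic: the downtime budget behind "five nines", why the components under a five-nines service have to be more reliable than five nines themselves, and what an annual durability figure like 11 nines means for an object store. The 99.999%, 99.95% and 11-nines values are the ones quoted in the comments; the object counts and per-component availabilities are constructed inputs.

```python
"""Availability ("nines") versus durability, worked through in code.

Added example for this thread. The nines values are the ones the comments
quote; object counts and component availabilities below are constructed.
"""
from math import log10, prod

MINUTES_PER_YEAR = 365 * 24 * 60  # 525,600 minutes in a non-leap year


def nines_to_availability(nines: float) -> float:
    """Convert a count of nines to a fraction: 5 -> 0.99999, 3.5 -> 0.99968..."""
    return 1.0 - 10.0 ** (-nines)


def availability_to_nines(availability: float) -> float:
    """Inverse of nines_to_availability: 0.9995 -> ~3.3 nines."""
    return -log10(1.0 - availability)


def downtime_minutes_per_year(availability: float) -> float:
    """Downtime budget per year for a given availability fraction."""
    return (1.0 - availability) * MINUTES_PER_YEAR


def serial_availability(components) -> float:
    """System that is up only when every dependency is up (a chain of services)."""
    return prod(components)


def parallel_availability(replicas) -> float:
    """System that is up when at least one independent replica is up."""
    return 1.0 - prod(1.0 - a for a in replicas)


def required_component_availability(target: float, n_components: int) -> float:
    """Availability each of n serial dependencies needs so the chain meets target.

    This is the point in the thread that the parts below a five-nines service
    must be more reliable than five nines themselves.
    """
    return target ** (1.0 / n_components)


def expected_objects_lost_per_year(object_count: int, durability_nines: float) -> float:
    """Expected objects lost per year at an annual durability of the given nines.

    Durability is a per-object loss probability, so at 11 nines a store of a
    billion objects expects to lose 0.01 objects a year, not everything at once.
    """
    return object_count * 10.0 ** (-durability_nines)


if __name__ == "__main__":
    five_nines = nines_to_availability(5)
    print(f"five nines -> {downtime_minutes_per_year(five_nines):.2f} min/year downtime")

    # Ten serial dependencies each at five nines no longer give five nines.
    chain = serial_availability([five_nines] * 10)
    print(f"10 deps at 5 nines -> {availability_to_nines(chain):.2f} nines "
          f"({downtime_minutes_per_year(chain):.1f} min/year)")
    print(f"each of 10 deps must be at "
          f"{availability_to_nines(required_component_availability(five_nines, 10)):.1f} nines")

    # Two independent 99.9% replicas in parallel.
    pair = parallel_availability([0.999, 0.999])
    print(f"two 3-nines replicas in parallel -> {availability_to_nines(pair):.1f} nines")

    # GCS-style numbers from the thread: 99.95% availability SLO, 11 nines durability.
    print(f"99.95% SLO -> {downtime_minutes_per_year(0.9995):.0f} min/year downtime")
    print(f"1e9 objects at 11 nines -> "
          f"{expected_objects_lost_per_year(10**9, 11):.4f} objects lost/year (constructed count)")
```

The serial and parallel formulas assume independent failures, which is the optimistic case; correlated failures (a shared network, a shared deploy) make the chain worse than the product suggests.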

