Creating a Podcast for Bounty Hunters
Inspiring Beginnings in Bug Hunting
00:00:01
Justus Hanna
one thing I noticed about you is, I mean, obviously we met in person in Bulgaria based Bulgaria, which was awesome. Did, uh, that was great to meet all the, all the Bulgarian auditors, bug hunters. That was cool.
00:00:16
Justus Hanna
but you are not going to give away any personal info. You don't want me to, but you're much younger than me and you're already like dominating in this space, which is, which is awesome, dude. And I'd love to see it. And just like, you know, give me, give me a brief kind of like, why the hell did you start doing this? Did you have any
Transitioning from University to Full-Time Bug Hunting
00:00:36
Justus Hanna
info sec background or, you know, why, why'd you, what, what, what made you interested other than seeing big bounties posted?
00:00:43
jordan
yeah, sure. So it was pretty much, I was back in high school, like last year in high school, and like I had a friend of mine who started doing other things. And like, all of a sudden, like he was that guy who was just doing this weird thing. And all of a sudden he comes and he said, like, I just made 3k during the weekend. And I'm like, holy, that's an insane amount.
00:01:04
jordan
Like, mind you, we're back in high school, so like making $3,000 for the weekend in high school was absolutely insane.
00:01:13
jordan
And so I was like, okay, like if this guy really spent a few months and now he's making such money, maybe so how can I do it? And so the plan back then was that I was going to go to university like in the fall.
00:01:26
jordan
And the game plan was that I learned this to a very brief extent. I started doing contests maybe every now and then, a bug bounty, and just get a few hundred dollars a week, something like that. And so I started doing it. And I noticed all about just having like a side hustle while I'm in university.
00:01:46
jordan
But it like grew so fast. And like he started making this absurd money. And I was like, holy, just the ceiling is so high. And I had just made my first few hundred dollars, maybe like 1.5K or something like that.
00:02:00
jordan
And I was like, OK, screw university. I'm going to go all in. This is the thing I want to do. So I was already enrolled in university. Alex said, sure, I'm not going. I'm just going to stay home.
00:02:12
Justus Hanna
And what, what were you enrolled for?
00:02:14
Justus Hanna
What, what subject?
00:02:15
jordan
International business. It was basically like, this is the subject you choose when you don't know what to choose. It's like just the universe, I think everybody does. Like, yeah, no, no, no. I mean, I was just, I just graduated high school, so like, you know, I wasn't working anything, I was still living with my parents and like
00:02:24
Justus Hanna
Right. That's true. And what were you making? Like, like, did you have a part time job?
00:02:39
jordan
The moment I graduated, like the very next day, the first day I went full-time security researcher, I just, you know, decided this is the thing. This is
The Financial Landscape for Bug Hunters in Bulgaria
00:02:46
jordan
what I'm going to make my money from. Like, I had saved, I don't know, like $12K. Nothing significant. I just moved out and I was like, okay, and now I really have to do it. Like I was, you know, if I commit so much to it, it cannot just not to work out. Like it has to work out. And so eventually it did.
00:03:03
jordan
But, uh, yeah, this is very briefly the story. The good thing is that I kind of like gamified it. I just saw it as a game and I'm like a person who has played like many video games and I just, I was just like, okay, now I just have to do this and that.
00:03:15
jordan
And like, all of a sudden next month I'm doing 5k 10k and it's just like, it doesn't feel real. Like, because, uh, like, yeah, just to give like some background, like I'm from Bulgaria, like an average salary here would be less than $1k a month.
00:03:22
Justus Hanna
It doesn't, it doesn't.
00:03:32
Justus Hanna
It's amazing.
00:03:33
Justus Hanna
And what, what is, what is like your rent? Like what's a, what's a typical rent you'd pay at your age? Like your other, your buddies or something.
00:03:40
jordan
Yeah. I mean, my friends pay like three, $400 rent. Like, I mean, some of them might get an even better deal to pay like $250, but like that's the normal rent.
00:03:48
Justus Hanna
Oh my god, this is the biggest arbitrage ever. You live in Bulgaria and you make a million bucks a year. You can't not love that, man. Oh my god.
00:04:01
jordan
Yeah, Bulgaria is awesome, like seriously. The thing is, that like if you've been in Bulgaria and you've asked somebody about Bulgaria, everybody has been taught Bulgaria is a bad country, it's not good, stuff like that, but like you come to realize it's an amazing country.
Learning Programming and the Role of Solidity
00:04:19
jordan
You can live pretty cheaply, you can do any remote work, like the taxes are really low, we have 10% income tax, that's it.
00:04:26
jordan
Man, it's a miracle. So yeah, I mean, like when I started making like more than 5k a month I was literally like a king in Bulgaria. Like, that's a really high salary here.
00:04:38
Justus Hanna
Oh my God. And the G Wagon and the bald head and the women follow. I saw what happens. I love it, man. Dude, that's, that's cool. And so you had no like tech background at all. I mean, you know, I'm a different generation, but I mean, growing up, you know, were you like, I grew up building computers, no internet, you know, like deep into that kind of stuff. Did you.
00:05:01
Justus Hanna
Were you kind of hands on with tech, or like, like what was, you have to have some? Because an average user, I look at, I categorize people as users or power users, and users are everyone now. Everyone's swiping and they don't know how the machine works. But then you have power users who, you know, mostly men, when they dig in they're interested in, and they dive in and they know how the tech works.
00:05:23
Justus Hanna
You know, how did you kind of, cause you can't just pick up Solidity and say, oh, I'm just going to do it, because you have to know, you have to know how to open a command line, which 99% of the people who use computers don't.
00:05:34
Justus Hanna
So what was, what was, you had to have some like a Genesis of this whole, you know, some sort of tech background.
00:05:40
jordan
Yeah, yeah, yeah. So like two or three years prior to starting with Solidity, I had taken a Bulgarian course, which was like a year long, like learning JavaScript.
00:05:53
jordan
So like I have like really, really brief understanding of JavaScript and stuff like that.
00:05:58
Justus Hanna
That's a good Solidity background, JavaScript.
00:05:58
jordan
I mean, yeah, yeah. I mean, I used to have like, I tried writing something in JavaScript like recently and I've completely forgotten on it. And then like I can't realize that the thing that I have learned in a year was probably something you could learn in like maybe like a month and a half too, like with a good pace.
00:06:16
jordan
So yeah, it's a very, very brief understanding. And also, like we learned the basics in school. Like, it's just, I mean, you pretty much end up with knowing how to do for loops, and that's it.
00:06:31
jordan
But yeah, so this is the tech background I have. Like, obviously, nothing significant. I don't really count it. But in case somebody wants to count it, sure.
00:06:38
Justus Hanna
No, that's interesting. I mean, cause JavaScript, but like that, dude, that's the background for Solidity. If you had learned, I don't know. I mean, there's so many different languages, but, uh, I think JavaScript is like, like that was kind of my background too. And it just felt like,
Earning Recognition and the Mindset of Bounty Hunting
00:06:53
Justus Hanna
wow, this, you know, Solidity is not as hard as I, it's not like, you know, learning C or C++, which is, is a lot different. Uh, but yes, literally falls right in. So that's, that's interesting to hear.
00:07:05
Justus Hanna
So what, what about, like, all right. So I just looked at the Immunefi leaderboard, which, you know, a caveat here, this is not the greatest hacker ever. If you're on the leaderboard, like it's cool. Like you, you get notoriety just because of their reach. And, and, but as you've probably seen, just like I have, like there's a lot of bugs that get reported outside their platform, especially, you know, direct-to-project bugs or different platforms. But I kind of like it as a, as a marker, you know, just to look, just to look and see who's on top, whatever. And you're on there, obviously I'm on there. But what was like, like, remind me, what was your biggest bug? Like, what was the bug where everyone found out like, oh yeah, dead roses. Who is this guy?
00:07:54
jordan
I mean, honestly, I didn't have like a one bug too. So like everybody here, okay, this guy's this crazy new up and coming auditor, bug bounty hunter or whatever. It was pretty much just a very good streak of like finding 10 bugs in 10 weeks. So this is because this was a moment where I started like posting every bug bounty I got on Twitter.
00:08:17
jordan
And I posted one. And five days go by, I post another one. Then a week and a half later, I post two confirmed bugs in the same day. Everybody was like, OK, how does that guy keep on doing that? And just when we go back in time, before these bug bounties, I was pretty much no one in the space. So people didn't know about me. And yeah, just this consistency. I made around 100k in 2 and 1.5 months from Immunefi.
00:08:47
jordan
It was amazing. like Everybody was like, OK, these guys, the new best thought bug bounty hunter, I guess. Although there's many more better people than me who just don't post about it. But yeah, I was just being loud on Twitter.
00:09:02
Justus Hanna
But that, dude, that's a good strategy. Get a little following. You gotta get a little, a little volume out there. But what, like, what do you think? Cause you started doing the bounties, right? Or did you start doing contests?
00:09:13
jordan
I started contests.
00:09:16
Justus Hanna
So you said you wanted to make some serious cash and you saw these bounties and is that what pulled you away from the contests?
00:09:23
jordan
Oh no, actually like I had this idea in mind that bounties were just an expert level thing where you had to be like the best of the best. Like you have to be elite to do them. And so I was just sticking to contests and you go back in time like to September last year, I mean, 2023.
00:09:43
jordan
And there was no contest, zero contests for like two weeks. And I was like, okay, I need to do some work. What do I do? And so I decided to do Immunefi. And this was the best thing that came to mind, honestly. Like I had no expectations. I was like sure, because I was only hearing these stories from like 100proof and like other bounty hunters. And they were just all saying.
00:10:03
jordan
Oh yeah, the life of a bounty hunter, you find a bug once and then like six months, you don't find anything. It's very discouraging, but like, you know, you got to keep pushing through and stuff like that. And I was like, man, I'm going to look for a two months, probably find nothing.
00:10:14
jordan
Like I'm no, in no way I'm on their level. And so I started looking at these bounties and like two days go, two days go by and I found a medium, a very simple bug, but like it was a medium.
00:10:25
jordan
They paid out $3,000, which is absolutely insane to me.
00:10:30
jordan
And I was like, all right, you know what? If I find one bug I can't find more of them. So it was this mindset like I just gotta keep it rolling, I just have to keep pushing, and so I started doing like more bounties. And the funny thing is I found a project which was like, something like a project which I was very interested in, and I just opened it and I sent it to my friend George and, like, you know what? I'm going to dig in this bounty, and it has a max bounty of 100,000. I'm going to get it. You know what? And he's like, sure. And he just sends me that they're audited by Spearbit. And I don't tell him this, but like in my mind, I'm like, OK, I'm just going to ditch that program. There is no way I'm going to find a bug in it. And he just messages me. Don't tell me you're going to back out from this, huh?
00:11:20
jordan
Are you going to let some random firm's reputation just drive you away from the big bounty? I'm like, fuck, now I really got to do it.
00:11:29
Justus Hanna
That's, that's the, that's the attitude and the mindset. I love that. And so that, so you, so Spearbit, they took the L and you found a nice juicy bounty.
00:11:39
jordan
Yeah, a 40K bounty. That was a first like and like the moment they just marked it as confirmed.
00:11:45
jordan
Man, I was shaking. Like, you know, like the last months I had made like five 10k and all of a sudden I found a 40k bounty. It was mind-boggling.
00:11:56
Justus Hanna
Yeah, that, that hits different. That's, uh, it's just like, you know, you're waiting to, you get those Immunefi emails and you're like, whoa, but hold on. It confirmed it. And that's a big chunk of magical internet money, you know, just showing up like, like, yeah, that like tell me about that feeling.
00:12:14
Justus Hanna
You know, you, you get that, you get the email and you know, it's confirmed. Like, what do you, what do you feel at that moment?
00:12:21
jordan
Man, like I just really wanted to, like I was literally sort of just jumping around, I was going crazy, and I just wanted to tell everybody, but like I'm a guy like, I believe, like okay, let's wait for the actual payout to happen, um and I don't want to jinx it.
00:12:34
jordan
But I really wanted to tell everybody, and the thing is that, because it was an Immunefi program which was partially funded by Optimism, like they paid out half of the amount.
00:12:46
jordan
And so I actually had to undergo KYC for Optimism, which involved a lot of communication back and forth. There were errors on their side. So I was constantly getting emails for a new Immunefi message. And like every time I opened my email, I saw a message from this report. I was like, fuck, they're going downgraded. I was like,
00:13:05
jordan
very sure that the new messages were not going to pay you out. This is a lot of
Exploring Tools and Methods in Bug Hunting
00:13:08
jordan
very defining like stuff like that. and It's very, very stressful until the moment like I received an email with like, your payment has gone through. Congrats on that.
00:13:19
Justus Hanna
Oh, yeah. Yeah, it's hard to describe that feeling. And that's like one of the things with auditing versus bug hunting. It's like it's so cool. Like, yeah, I mean, you have, you're down in the depths in bug hunting, find nothing, you feel like pieces of shit. You see like Trail of Bits or Spearbit or.
00:13:38
Justus Hanna
OtterSec, what, and you're like, dude, I'm not finding anything. They must have looked three weeks for auditors. You know, oh, how am I going to find anything? But then like you get these highs, like these payouts and you're like, oh shit. Yeah. Yeah. What's up now? You didn't look at this. Yeah.
00:13:56
jordan
like to get it my bit back to this point. like The thing is that, honestly, that may sound a bit as alpha to him somebody. But it kind of works in reverse way from what I've seen. like Everybody just drives away from protocols, which are audited by the tier one famous firm system like that. But like the thing is that so many people are driven away that at the end of the day, so few people look at like like the actual code base post-deployment.
00:14:21
jordan
And so it's kind of like a very, very good EV to look at these code bases, especially because usually the protocols which can afford a Spearbit audit, they can afford a very good bug bounty, like amount. So not only like you get like a protocol which offers up to $200,000 bounty, but they also have like very few eyes who have looked to look at it. So like, sure, just go ahead and dive into it.
00:14:47
Justus Hanna
Yeah, I agree. And I posted that in the past where I say people say, where should I start? And I say, honestly, start with the most complex project that you could find that you don't understand because people shy away from it, just like the big name audits. And it's like, that's where no one's looking. And that's where you're going to find the most bugs usually. And the most complex, hard hitting bugs when you take the time and just, just know that you could do it like anyone else. You just need to put the time in.
00:15:17
jordan
Exactly man, exactly. like
00:15:19
Justus Hanna
Yeah. Yeah. That's trippy, man. Um, and so like, I want to, I want to, I want your, your take on something else because, uh, this has been a new, you know, a new, a new tool for me, um, on with the LLMs. So I'll use, I've integrated Claude into my workflow, as I'm sure a lot of other guys have.
00:15:40
Justus Hanna
And it's, you know, obviously everyone's got to find a different use for these things, but there's no, there's no shying away from the fact that like, these are here to stay and they're only going to improve, you know, quickly. My take on it is I use it for creating tests and it creates tests, uh, just so much faster. I can, I can run through ideas so much quicker and POC them so much quicker than I could in the past.
00:16:08
Justus Hanna
And, uh, obviously the problem is, as everyone's probably experienced, it's like, you have to double check everything that it grinds out because it could pass, but it's like, wait a minute. This is testing. This is missing something. And then, you know, this bug is not legit. Uh, but I'm curious, you know, about LLMs, how, how you're using them. Are they in your workflow and and kind of, you know, ups and downs to using them? What are your thoughts?
00:16:33
jordan
You know, now that you said all of that, I feel kind of stupid because like, I never even thought about using LLMs to write tests. And this does sound like a very good use case. But yeah, I'm honestly not too much using LLMs in any day-to-day activities.
00:16:48
jordan
Uh, like the last thing I used it for was like, I was trying to learn Cosmos SDK and like it very good explains Go stuff and like Cosmos stuff.
00:16:56
jordan
So that's a very good use case. I definitely say it's a good use case, but yeah, as I said, like you have to be very, very careful that the LLM is not hallucinating and just made up stuff. But yeah, as far as tooling, like I've said, I'm like, I don't like using candy tooling, man. I'm just like, it's kind of weird because like I'm the new generation, but I like to be an old school guy. So this is really weird.
00:17:20
Justus Hanna
Oh, I think, I think that's the right way to look at it because, you know, this, these can make you lazy too. Cause I, I fell victim to it when it first came out. I was like, uh, you know, a, a Claude find me the critical bugs in here. And it started, I was like, what can I use this thing? And it starts telling me all this shit. And I'm like, whoa, this is, this is fucking amazing. Right.
00:17:42
Justus Hanna
And then I wasted like a whole afternoon, you know, talking with it and all the leads end up being just bullshit. I'm like, okay, I see what's happening. Like this is like talking to that friend who just convinces you that he knows everything. And then in reality, you're like, oh shit, this is just a complete waste of my time.
00:18:04
Justus Hanna
And, uh, but you know, it's an eye opener and you have to suss out these tools to see like, well, how, how can I make this useful to me? And I think, you know, for all bounty hunters, like POCs just take a long fucking time.
00:18:18
Justus Hanna
especially like if you go Hardhat to Foundry, stuff like that.
00:18:21
Justus Hanna
And, and these just, uh, really the tests are, are just such a fucking time saver, man. That's big alpha drop on this podcast, but, uh, it's, you don't use them that much.
00:18:31
jordan
To be honest, it's still pretty good when you're a bounty hunter because like you can just fork stuff like from mainnet and just
00:18:32
Justus Hanna
That's interesting.
00:18:42
jordan
Directly called. I'm like, is it, it happens relatively quickly. Like, I don't know, like if you've just had a full Hardhat codebase and have to convert it into a Foundry code base, which is not deployed, like it's very, very, very weird though. So like this is one thing which is better when bounty hunting. Like legitimately, like in some contests I've done, when like the code base is just full Hardhat, I just want to tell them like, can you please just deploy it and test it so I can actually run this? Well, you do, oh shit.
00:19:07
Justus Hanna
I love Hardhat. I don't know what you're talking about. Yeah, I started on Hardhat. I started on Hardhat. It took me a while to learn Foundry, but now I know both. And yeah, I think it's good to know everything, to be honest.
00:19:19
jordan
Oh, yeah, yeah, sure. I mean, is it, for me, it's just like being like a bit stubborn, like it's irrational to just say like, I just like Hardhat, like, I don't know.
00:19:28
jordan
Like, it doesn't happen too often. So it's not that big of a problem. But but honestly, I have declined private audits and private engagements simply because they do not integrate with Foundry.
00:19:39
jordan
I'm like, okay, I'm not going to use that.
00:19:43
Justus Hanna
Yeah, I see some projects that actually have both, which is, which, you know, I'm not a dev man. So I just look at it and I'm like, okay, why, why do you have both? But sometimes that's out there too. So I just try to work with whatever, whatever, you know, sometimes I don't know if you've done this too is like,
00:19:59
Justus Hanna
I've, like, I really don't care where I POC, I'll take things and I'll load it up in Remix outside the project. I test on chain, off chain, just on a napkin one time I found a bug. I felt like, I don't care, I'll find the bugs.
00:20:18
Justus Hanna
Yeah, just, uh, so what about like, if, um, you know, if you want to share anything else, like your, like, what are you using for tools? platforms, anything like that, that, uh, like what's your, what's your auditing stack?
00:20:31
jordan
like This has been the funniest thing like which I told in a previous podcast. I just ought to think it helped. I'm used to it. like and know sabotmo and I but it's just like what I got used to the first time, and I just use only it.
00:20:49
jordan
You know, sometimes I'll have to write a POC. So that's when I actually do cloning, or if it's for a bug bounty, I just live fork. But yeah, I don't use too much tooling, honestly. Like, I see on the timeline, so many people just constantly being like, oh, how could they stop supporting evm.storage and stuff like that and stuff like this. And I'm like, why do you use that? Like, what use case do you have? Like, I'm pretty confident in saying that, like, you know, I've been in the space for, not too long, but I've been there for two years.
00:21:21
jordan
I believe I've seen a lot, and I've never had to use any of these tooling. Do you guys actually
Strategies and Challenges in Bug Hunting
00:21:27
jordan
need that, or is it just like you know you find it fun to do so, you find it like something satisfying so you do it, although it's not needed?
00:21:35
Justus Hanna
Are you talking about my tweet? I was actually one of the ones complaining about it.
00:21:39
Justus Hanna
I was like, hey, this EVM storage site is down. Sim.explore, something like that. Dude, it's useful. Like, before, so before these, and these just made it easier.
00:21:50
Justus Hanna
Right. So, you know, I started before there were any courses or any of these things, so I was using, I'd use Slither and just output a storage map. And just, that was the best case thing you could do. But sometimes that's, it's a pain in the ass to get it configured. And it just takes more time. So these online tools came out, like one of them was Sim Explorer, EVM storage. And it just makes it easy. So if you want to check, like say something is just not that clear on some of the storage patterns. And some of these contracts, like the way these guys structure their storage can be confusing.
00:22:27
Justus Hanna
And you may not know, you may want to know like, okay, like what is the value of this slot here? And it just provides a great interface to kind of pull everything all at once, because, you know, there's bugs that you hunt where they don't have a public GitHub and they just have a contract on a chain. And so, okay, well, I can't run tests. I'm not going to build all the tests out. I just want to check the storage on this because I'm curious if, you know, this is, you know, there's a collision here or whatever. And so that, I guess that's, that's the appeal to a lot of guys to use those kinds of tools.
00:23:02
jordan
Yeah, I guess I just haven't been in such a situation where I actually have to look for collisions. Yeah, they're just about what do you hunt on. So yeah, maybe it's, maybe just go to different types of projects.
00:23:15
Justus Hanna
Yeah. Like that's in my motto on my Twitter is deep in your storage slots because, because on, uh, I mean, that's how I found the arbitrary thing was like, it was, I checked the storage slot before anything else and it was uninitialized and that's what made me dig deeper.
00:23:30
Justus Hanna
So it's like, uh, I found one with Wormhole with that too. So I don't know. It's just, it's just like another angle, I guess, you know, you never know. That brings me to another topic, like when you're looking for bugs, are you just looking, do you just go on Immunefi or a platform and say okay, what are the bounties and then go from there?
00:23:51
jordan
I mean, I first started like just going to random projects on DefiLlama, and just going to random projects, choosing the enemy, and going for bugs. Like if you actually do that, especially for, let's say, protocols under a million TVL, which was the one I started with because there was still no voice, you would find an insane amount of bugs.
00:24:11
jordan
like Literally, yeah you can probably average out like five bugs a day, not even exaggerating.
00:24:19
Justus Hanna
Good luck getting paid.
00:24:20
jordan
Yeah. And then it's a fun moment comes. I'm like, you know, you actually, even most of these guys, they don't have like a bug bounty program. First of all, like, even if they do, it's probably just a discord support ticket and you have to open them.
00:24:34
jordan
And, uh, yeah, like, like probably the amount of, like, I probably just got paid for, let's say, three bounties out of 20. And like, I just got extremely lowballed, but like, there's nothing you can do about it.
00:24:48
Justus Hanna
three out of 20.
00:24:49
jordan
But I mean, yeah i'm like that
00:24:53
Justus Hanna
Yeah, that that sounds typical.
00:24:54
Justus Hanna
Chinese projects or you don't know where they're based.
00:24:57
Justus Hanna
Yeah, they don't care.
00:24:59
jordan
I mean, I'm even surprised I got the 3K because I went to that project and like, they had a bug bounty structure in their docs. And like it said something along the lines of 20K per high, 5K per medium, something like that. And I just found three highs and I went to submit them. And I was like, OK, it is too good to be sure. Like there is no way there is so easy highs. And I got paid 60K for that. Although that project was like,
00:25:27
jordan
probably at a million TVL or something like that. And yeah, I just submitted them and it was a lot of ghosting. Like they replied very, very slow, they didn't take it seriously. Obviously they were like, okay, you know, the contracts are running, it's all fine, there's no problem, you're just kind of making up stuff. Uh, but yeah, they went to confirm the bugs, a month went by and they were like, okay, it's payday, and they paid me like 5k for the 3 bugs, which is, you know, I mean, it's not that bad, but like when you set the expectations higher, when you know how much you've helped them, it kind of sucks. Yeah, yeah, exactly, they just don't want me to ping them more and more.
00:26:00
Justus Hanna
They gave you some money to go away. Stop bothering us.
00:26:07
Justus Hanna
Was that your your longest delay, like a month waiting to get paid?
00:26:11
jordan
Oh no, no, no, no, I've had longer. But I mean, I just had a pretty weird situation where I just reported a bug to a protocol which was shutting down. So, I mean, they were in the process of shutting down. They wanted to rebrand and start as a new protocol. In the last few days, I submitted that bug. And, you know, they had a lot of other stuff going on their mind, so that's completely understandable. But they still wanted to pay me out.
00:26:37
jordan
So I think it took them like a month and a half or two just to just start a payment and they and also wanted to make it vesting. So it also had to vest for like, I believe two months.
00:26:51
jordan
So, you know, that was a pretty long wait for the payday. But I mean, um was too surprised they paid out because like usually if the protocol is going to shut down, they're just not going to care about any stuff.
00:27:00
jordan
But they were acting in good faith. You know, the funny thing is that they rebranded the protocol and they went for an audit with the same bug not fixed and I reported it once again and got another 10k or 15k for it, which is absolutely ridiculous.
00:27:16
Justus Hanna
That's funny. I wonder, uh, that that's, that actually, you go ahead.
00:27:21
jordan
I think that's the bug you've actually read about, I believe. I mean, I have like only one bug write-up on my portfolio published. And I remember I had sent it to you like a year ago or something like that.
00:27:32
jordan
That's the bug. It was a like somewhat complex bug with like a voting escrow code base. We're headed to do some manipulation and stuff like that, but it was pretty interesting. I was pretty.
00:27:41
Justus Hanna
Yeah. Cause you, you did a tweet thread on that, on some of the VE stuff.
00:27:43
jordan
Yeah, yeah. Yeah, I really love them, man.
00:27:46
Justus Hanna
Yeah. I like that area, man, because that's, it's, it's such a used in copied contract that I don't think a lot of devs understand a lot of this stuff that's forked or deployed.
00:27:57
Justus Hanna
And, there's little nuance there that yeah, you could find, you could find things you just don't know.
00:28:04
jordan
Yeah, like it's a pretty good target, like for multiple reasons. You look at it and like the project, when it's going to launch, it's marketed as this novel thing and like it gets insane funding. So, okay, first things first, now this project has a lot of TVL and it's very well funded.
00:28:22
jordan
At the same time, the original code base, the Solidly fork, is very, very poorly written. Like, the original has so many bugs in it, and the devs don't know about it, so they just copy and paste the bugs.
00:28:34
jordan
Even the newer versions still introduce many, many bugs. You add on top of that, that it is fairly complex. And devs have no idea what they're doing. And it's just a very, very good target for bug bounties.
00:28:46
jordan
And that's, in fact, what I actually did when I started doing bug bounties.
00:28:52
jordan
After some time, I just realized, OK, I'm just going to hunt for such projects. And I have, like me, I think I believe I have six bounties or seven bounties from such projects. So yeah,
00:29:01
Justus Hanna
All from VE contracts.
00:29:04
jordan
from the contracts, yeah.
00:29:06
Justus Hanna
Yeah. So I've heard that some guys like to do this, where they find just one area and focus on that, and then try to scope that out through, you know, different ways of filtering and searching the chain.
00:29:22
Justus Hanna
And just looking only at those bugs. And I've heard some guys have had some really good success doing that. So has that been pretty much your whole approach? Once you found that kind of zone where you're like, hey, look, there are bugs here, this is all I'm going to focus on. Or do you also go outside of that?
00:29:40
jordan
I mean, that's what I started with. But the thing is that there are only so few projects which are like that, especially if you look at all the projects which have a bug bounty and a significant TVL. So it's a very good way to make some quick cash, but you can probably go over all of these projects in two or three weeks, and that's it. You just have to move to something new. You'd have to
00:30:04
jordan
go out of your comfort zone and just start looking at something else. And so that's what I did. Then I was immediately like, OK, sure, now I've got to find something else. But I didn't find anything interesting enough to stick to a certain category. And I was like, you know what? I want to be good. So I'm just going to look at anything and everything. And I was just going to Immunefi, random sorting, and just picking a random project, going through anything and everything I could get my hands on.
00:30:31
Justus Hanna
And now I know you're doing more contests, you're doing your own private audits, you're at Spearbit. Do you still do hunting on the side, or do you just not have time for it?
00:30:44
jordan
I usually don't have too much time for it. But now, recently, I started doing a bit of bug bounties. I mean, more or less I was just interested in a certain area, and I don't have any engagements for now, so I just felt like, sure, might as well explore that area, see how different protocols have integrated it. And yeah, managed to find a couple of bounties. Matter of fact, I still have to see what's going on with them.
00:31:11
Justus Hanna
And is that exploring on Immunefi?
00:31:14
Justus Hanna
Or you just came across some contracts?
00:31:16
jordan
Oh, no, no, no, I just opened DefiLlama once again. But this time it was not that much in terms of bug bounties, like just hunting for bounties. It was an area I'm interested in: how different protocols, what their different approaches are, how did they do it? Are they actually secure? You know, because
00:31:35
jordan
if you look at it from an auditing perspective, usually there are, you know, some variables which are out of scope for the audit. You don't look at what the admins are going to set these parameters to. So if you find a vulnerability based on certain parameters, it's not valid in audits. And so I've audited such protocols and I've skipped this part. And I was just wondering, OK, what if in these protocols these variables are set to some abnormal parameters, some bad values, I mean.
Focus on Vulnerability Reporting
00:32:05
jordan
I just want to see how the different protocols implemented it. And as a matter of fact, a lot of them are very vulnerable. And so now I have some work to do.
00:32:13
Justus Hanna
Surprise, surprise.
00:32:16
Justus Hanna
I actually like to do that, where I'll look at an audit report sometimes and just see what's out of scope, what's in scope, and then immediately go to what was out of scope.
00:32:25
Justus Hanna
Just see, like, okay, why is this out of scope? You know, did you not have the time or budget, or is it literally, you know, not important? And usually it's budget and time.
00:32:36
jordan
Oh, yeah, of course.
00:32:39
jordan
You have to understand that these protocols, they don't really care that much about being secure. They care about being secure enough. And so the thing is that even if they have a vulnerability in their code,
00:32:53
jordan
they care whether it's an exploit or whether it's just that the system doesn't work, because if the system doesn't work, that's a very, very big problem. But if there's an exploit which only a very sophisticated bad actor can, you know, pull off, they can pretty safely go to, I don't know, like eight-figure TVL without any worries, most of the time. So.
00:33:16
Justus Hanna
I agree with that. Yeah, that's kind of what I was selling on the side, like, you know, the "DM me for audits" meme, but I don't do audits on the side. I called them security reviews because I thought a lot of the stuff you see in audits was just,
00:33:32
Justus Hanna
a bit much. You know, if they can't find anything, they'll put some "here's some gas optimizations, here's some lows." It's like, okay, great. But mine was like, hey, here's the deal. Basically, I do a targeted bounty hunt on your protocol and I'm only going to find or say anything about highs and criticals. I want protocol-busting bugs. If a user loses funds, the protocol loses funds,
00:33:57
Justus Hanna
a counterparty loses funds, okay, that's an issue. Or if I could destroy it or something like that. Other than that, who cares, I can hit my eyes. And most devs are like, yeah, we want to get to market, we want to make sure this is secure enough, like you say, but it's like, to catch every single thing, lows... and I was like, okay, man. I thought this was kind of cool, and I've got good feedback on it. People like it. So, you know, you incentivize per critical that you find, and maybe a small base fee, but it's kind of different than the audit model, which I think is fun.
00:34:31
jordan
You know, I have pretty mixed feelings about this, just submitting highs and criticals and stuff like that. A little while back, I used to completely agree with you. It was like, sure, it only matters if the bug is important, if it can actually get user funds. But then I found a,
00:34:49
jordan
I'd say a very complex bug, which I was really proud of. It really made my day. And it was a very interesting bug, like reentrancy in a very, very specific way. And I was like, OK, nice, I found it. Absolutely insane bug. Drains the protocol. All good. And then it comes time that I should make a recommendation for how they fix it. And the fix is, they just add a nonReentrant modifier.
00:35:17
jordan
which, you know, is absolutely very, very, very simple. And any novice auditor who just went through the code base would have made that suggestion. They would just make a suggestion.
00:35:27
jordan
You know, a low-severity finding: just add nonReentrant guards on all your functions. And so, like, okay, sure, did I bring any more value than a novice auditor who would have just written that?
00:35:39
jordan
Yeah, sure. He wouldn't mark it as a critical. He would mark it as a low. But at the end of the day, the same impact is prevented.
00:35:45
jordan
So that's where it really made me wonder what side I'm on. And so, truthfully, I'm not too sure. I don't take any strong stance on either side.
00:35:57
Justus Hanna
That's a good point.
00:35:58
Justus Hanna
I didn't think about that. Um, they do do that a lot, just to cover your bases: hey, do this, do this, do this. But then, you know, you being able to dive deep and explain, like, legit why you need it is much more valuable.
00:36:13
Justus Hanna
And you need guys doing that, because what happens is, and I've seen this happen actually, you'll see an audit report that'll say, OK, add nonReentrant. The first audit, they add all that stuff. And then eventually the inner optimizer comes out in the dev, and he says, hey, why do we have this here? We could save some gas. And they go through it, and if they don't have justification, they'll just say, oh, looks safe, no reentrancy here. But if they don't have justification, I've seen bugs. So they open it back up, and then, OK, boom, now you've opened up a critical in your own code. And you have no clue why.
Navigating Payment Challenges in Bounty Hunting
00:36:50
Justus Hanna
Why it happened; you were just trying to save gas.
00:36:54
jordan
Yeah, but I mean, this would just be a situation where it's entirely the devs' fault, and it's not up to the auditor to inform the dev not to do it. It's just getting good devs; they should know when they should go for optimizations and when they should not. At the same time, optimizations are a very, very, very tricky situation, because you never really know how much more you should optimize. Like, you know, you kind of sacrifice security
00:37:23
jordan
and readability of your code, which basically is future security, for a few bucks. Actually, sometimes it's not just a few bucks, it's a lot of funds for some users, but, you know, it's a very, very hard trade-off to make. You just have to play God and be like, okay, sure, I'm just going to choose how much they value security and how much they value gas costs.
00:37:43
Justus Hanna
Yeah, yeah, exactly. And there's so much nuance to that too, because how many projects have you seen where they swap out the devs, or there are too many devs? And so you don't know who's doing what and why they're doing it, and you can get chaos inside. And then you see changes to the code base where you're like, what are you doing? And, uh, I don't think they know sometimes, because they don't know the full history, or...
00:38:09
Justus Hanna
Yeah, it's really important. Like you said, you really need good devs. And I think there are a lot of them out there. Me and you both know a lot of projects where you could just look at the code and you're like, oh yeah, these guys are legit, they know what's up. And then other projects completely stand out, like, oh my God, it's just a matter of time before they make a big mistake.
00:38:33
jordan
Yeah, like seeing those projects. I don't know if you've been in that situation, where you just go in and the whole code is a mess, and you're like, you know, I have to find a bug in it.
00:38:44
jordan
And like the most demoralizing thing is like when you've been looking so long at this code, which is so obviously written so poorly, but it ends up with no bugs.
00:38:53
jordan
You just kind of feel like, okay, am I actually good at this?
00:38:56
Justus Hanna
Yeah. It's like they entice you with, yeah, come on in, and then you look, and it's gotta be something, you know, spelling error, you name it, no matter what. And it's like, no, it's rock solid. Like, fuck.
00:39:10
Justus Hanna
Yeah. Uh, so let me ask you this too. What about, I dunno if you've had... you've obviously had projects that won't pay. This is always a great topic in our industry: okay, you found this mega critical and you end up getting paid, you know, a grand for, like, 10 million at risk or something like that. And not like an arguable bug, but like, hey, look, we can make this happen right here.
00:39:39
Justus Hanna
Uh, what are your thoughts on that? Like, where we're at? Do you think it's improved? Do you think the zero-knowledge bug reports will fix it? Like, you know, what do you think about bounty hunters getting paid?
00:39:52
jordan
I don't think we have that big of a problem. You know, I believe it's a pretty good situation. For example, if we leave out the default alumni guys and we just look at the Immunefi situation, I believe I've been paid out every time. Yeah, I've been lowballed a few times, but generally I've been paid out every time, which is really good.
00:40:14
jordan
I believe that too much noise gets made about the cases where somebody doesn't get paid out. If you just go look on Twitter, you have a very, very, very wrong expectation of what the reality is. I also very much see it as: we're getting paid really well, so this is just part of the game. When you sign up to do that, you know that, OK, you're going to get lowballed, you're sometimes going to not get paid. This is just part of the game.
00:40:41
jordan
That's life. Just continue doing it. In the long term, it's still a very good decision to be a bounty hunter. So, you know, try not to be too petty about it. There's going to be a case where maybe they deny you a 1 million bounty, and being angry would not just be petty, it would be understandable. But as I said, life goes on.
00:41:04
Justus Hanna
Yeah, that's a good point, man. I mean, yeah, you kind of win some, you lose some, and some you win where you didn't expect to win. So those might make up for some of the losses. Uh, I want to ask if you've ever had the experience, which I don't think they've solved, with something we could post on a platform.
00:41:22
Justus Hanna
Uh, this happened to me, I think twice now on Immunefi. You submit, you know, a high finding, whatever. And the project's like, okay, yeah, yeah, oh yeah. And they don't pay you for it. And then they just lengthen it out. So they'll post up and they get all these submissions, and then they fix all the bugs. And then it just goes to me and father goes to everyone. They fix all the submissions.
00:41:48
Justus Hanna
And then they just get kicked off the protocol. And then they're like, Hey, we just got a free bounty hunt on our project. Screw these guys.
00:41:56
jordan
I mean, I haven't been in such a situation, but yeah, that just does happen sometimes. It's good to remember that this is not the norm. This does not happen often. And this is also illegal. So it's a good thing to remember: this is not something to expect, usually.
00:42:14
jordan
But yeah, I mean, unfortunately, man, you're going to get screwed over. Whatever you do, sometimes you get screwed over. That's life. You do a private audit sometimes thinking the client is good, and there are no worries about them paying later, and they just don't pay. Stuff happens, man. As I said, we're all blessed in a pretty good situation. So the good thing that you can do, which depends entirely on you, is just keep your mental peace. Just keep going. Always do the right thing, like, you know, life's gonna be good. No need to worry about anything.
00:42:49
Justus Hanna
Well, here's the new thing. If you get screwed over by a protocol, you just, well, we'll send it to a North Korean contact and they'll target your shit and just try to hack you.
00:43:00
Justus Hanna
Yeah, you're right, man. It's just big ups and downs in this industry. So what about the mindset, you know? Tell me what you think the difference is between auditing and bounty hunting. If you're doing either one full time, do you think they complement each other? Do you think that some people are naturally drawn to one versus the other? And, uh, give me your thoughts around that.
00:43:27
jordan
Yeah, so for the most part the mindset is the same. You have to go in and break the code. There are some differences, which inevitably happen, but in contests, I mean in audits, it's a bit easier for bullshit issues to slip through and to make them seem very, very significant. But the good thing about bug bounties is that only the legit stuff gets paid out. You need to actually show them: this thing is exploitable, user funds get lost, here's a test case to show a million drained. This is what you have to prove to them. Otherwise, you're just not going to get paid. So yeah, in this aspect, bug bounties better represent reality.
00:44:16
jordan
The other good thing about bounties, which maybe can drive some people to it, is that they're actually big amounts. But, you know, naturally, as humans, we tend to prefer, let's say, getting one million once a year rather than getting 80K
00:44:34
jordan
every month. And I mean, we prefer it in the sense that we get more dopamine, it feels better, it's better. Obviously, when you get other factors in, such as, let's say, you have a family, you have somebody to look after, you have bills to pay, stuff like that, you'd prefer a stable income over that. But if you're
Targeting Protocols and Professionalism
00:44:50
jordan
just, you know, if you're good financially, you're going to get driven more to bounties for sure.
00:44:56
Justus Hanna
Yeah. Yeah. I agree with that. 'Cause, I mean, either one is hard work, but with one you could do 20K a week from audits if you're booked solid, and you can make, you know, seven figures a year, versus you find that one bug, you know, and it's like, oh yeah. But then that's the other thing. If you get screwed on that one bug, you know, you're rightly pissed off, 'cause that's all your eggs in that basket if you haven't diversified a bit.
00:45:26
jordan
Oh yeah, but I mean, there's a lot of game theory in choosing the right protocol.
00:45:30
jordan
You'd usually have a pretty good understanding of which protocols are acting in good faith and which are the ones, you know, lowballing, that can just disprove anything and stuff like that.
00:45:41
jordan
If you go through the past reports and the feedback, and you know the team, you could avoid most of these situations pretty well.
00:45:50
Justus Hanna
Yeah. I'd say for the most part, I think that's correct. I've dealt with some big protocols that, you know, weren't as receptive as I thought they'd be. And I've dealt with total anons that were gregarious. They were just so forward about the project and the safety of it, and, you know, I get paid a bounty in minutes and there's no bureaucracy, there's nothing, all over Telegram. I think those are the best ones to deal with. But unfortunately, with a new project, you don't even know sometimes. I don't know the guys that I'm dealing with, because, yeah, they talk about the Curve mafia or Llamas or, you know, all these different people, and I met some of them behind the scenes, where they're behind a lot of big projects and they'll just go under different aliases, and you don't know who you're dealing with.
00:46:43
Justus Hanna
But a lot of these guys are really good. They know the game, they have their principles, and they do pay out. The scammers are also there too, but the guys that I've dealt with have all been pretty solid, on the anonymous side. I mean, I've had some good deals with the big companies too, but I guess it's surprising, just human nature, dealing with totally anonymous pizza slices or whatever. They're just like, yeah, man, thanks. Here's the money. Let us know if you want to do a full review.
00:47:19
jordan
Yeah, I mean, maybe just a small clarification. A big protocol doesn't necessarily mean they're acting in good faith. Unfortunately, I can name a few of the really big names in the space who are just, you know, kind of bigheaded.
00:47:34
jordan
They just don't like paying it out. They just like to disprove anything. But I think it actually comes down a lot to the administration part in the protocol, you know, where you have the funding guys behind it, and, you know, they're really gonna get pissed if there is a critical in your code. Like, you know, I could see that.
00:47:54
jordan
It's a pretty shitty thing to think about, because, you know, if the guy is going to get fired if there's a high or a critical in the code base, I'd completely understand him if he tries to lowball me for the sake of his life.
00:48:09
jordan
So it's it's a game you can't win.
00:48:13
Justus Hanna
Yeah, the dev ego too, on the flip side of that. They just don't want to admit that they're wrong, which is fucking ridiculous. You should be humble about your code. We're all going to make mistakes, and you should really say, hey, thanks for finding it. Obviously, I mean, I know some bounty hunters, especially when you're new, can come off a bit rough, like, hey, look, man, I've, you know, just...
00:48:37
Justus Hanna
I think you should always come off very cordial, very professional, and say, hey, listen, you know, just keep it all professional. That way no
Contributions and Demographics in Web3 Security
00:48:46
Justus Hanna
egos get harmed, and hopefully you get a good outcome.
00:48:51
jordan
Oh yeah, for sure. Just being respectful will get you a long way. I've always tried not to push too much for hard payouts for this exact reason. You know, I know that these guys are good. I'm going to act in a good way, I expect them to be cooperative, and I'm going to help them more. They see this as a long-term game where it's not just one bug bounty and everybody goes their separate way. We're all in this for a longer time. It'll be good if we just cooperate with each other and help each other. Nobody gets his ego hurt and goes out of his way to brand the other guy as the bad guy.
00:49:31
Justus Hanna
Yeah, yeah. To be honest, a little story: the first bug that I got paid on, a now-defunct project, I got paid a thousand bucks, I think, on the first one. And my bug report, when I found it, I was like, oh yeah. I don't know what I said in this report, but I was like, oh, you know, it sure wouldn't be good if you got hacked with this. I was referencing some other security problem they had and just going way too in depth. And I think I had a bit of an ego on it, and man, they fired back and they were just pissed off.
00:50:06
Justus Hanna
And then I learned after that, I think, okay, this is stupid. Let's just keep the ego out of it. I'm just going to respond like a robot, whatever. Here's the facts. Totally objective. Rock and roll. That's it. And that has been a great approach going forward. And I wish I would have known that upfront.
00:50:24
jordan
Yeah, for sure. Everybody listening should just know that in advance. Don't be a pain in the ass; nobody likes that.
00:50:30
Justus Hanna
Yeah, yeah. Yeah, cool, man. Anything else you'd like to get off your chest about anything, dude? The ecosystem, fucking crypto Twitter, hacking the blockchain, Bulgarian mafia.
00:50:48
jordan
Yeah, the Bulgarian mafia is just growing larger and larger. Listen to me, you should all be scared. We're coming for you.
00:50:55
Justus Hanna
Oh, fuck. I knew it. Does Paschoff have a high-rise in Sofia right now with his head on the building?
00:51:01
jordan
Yeah, he's the king of the city, you know. Everywhere you go, you just see him. I can represent him.
00:51:09
Justus Hanna
I love it. So who's the youngest auditor or bug hunter that you know of? I met... I don't know who I met, I forgot his name, at the dinner. He was 16, right?
00:51:21
jordan
Yeah, yeah, Chris. I mean, 17, but yeah. I mean, man, he's doing a bit of everything. Literally, he just does private audits, he does it... he just, you know, really likes to do his own thing and do a lot of stuff and just print money, like...
00:51:24
Justus Hanna
Fucking this guy, man, just uses 100% of his brain, just dominating. And he's competing or what's he doing?
00:51:47
jordan
Like, imagine his situation: before he turns 18 and he's already very, very, very well off financially. And this is one of the really good guys. So yeah, and I think you're just going to see more and more. I believe it's a matter of time, you know, these clickbait YouTubers just switch from dropshipping to web3 security, and all of these 15-year-olds who have nothing to do but just do audits 10 hours a day,
00:52:14
jordan
oh, like, just downed
Impact of LLMs and Work Ethic in the Industry
00:52:15
jordan
three energy drinks on four hours of sleep. Like, it's all over for us.
00:52:18
Justus Hanna
Dude, oh, I know. I feel like that is dangerous, big time. I feel like there are kind of some things that'll be happening, though. You know, I read someone's tweet where he was talking to a younger guy, and, I don't know if this is real or not, but the guy said that he was pausing, like his brain was catching up, you know, mid-conversation. And he says, you know, you're right. He's like, yeah, I'm just so used to ChatGPT finishing my thoughts for me
00:52:46
Justus Hanna
that I have to kind of think about what I'm saying in real life. And so I'm thinking about the usage of LLMs and Claude and all these things, and how the new guys must be more reliant on these things in their everyday life. Like every new generation, they're deeper into the tech than the last one, and how that will present more opportunities and more bugs and stuff like that, because I know a lot of devs now are using LLMs for coding. And, you know, I've used a bunch of these LLMs for auditing, and it's like, man, they fuck up a lot. And so for the code, if you just say, hey, write me this function and make it secure, I think it's very easy to drop the ball and just think, we're good to go.
00:53:32
Justus Hanna
Or, you know, Claude said we have no bugs, we're good to go. And I think rather than securing everything, it's going to open up. Humans will just get complacent. That's how we are. And it'll open up more and more bugs and more opportunities for everyone. At the same time, they'll also get better on each side. So it's going to be interesting to kind of see how this space develops.
00:53:55
jordan
Yeah, for sure. It's a pretty weird combination, because at the same time the newer generation gets so much more technology and tools to use. But, I don't know, the way we grow up is like, we're not used to working. We're not used to doing anything. And so it's a very, very weird thing, because at the same time the next generation should be like 10 times better than you, but they're just lazy. And what happens is that you just get a very weird distribution, you know, where you have, on the two
00:54:30
jordan
sides, very, very different people. Like, you know, you have some who are a hundred times better than you, and at the same time, next to you, you have these people who are just lazy and don't know how to use the tooling, so they're not really competition. And so it's really interesting which side is going to consist of more people. Is everybody just going to go out of their way, like, actually, you know, not be lazy, work 10 hours a day, start using the tooling right, and just put us out of business? I don't know. Time will tell.
00:55:03
Justus Hanna
I think you get the same cream of the crop rising, because, you know, myself growing up pre-internet, and then dial-up, and then everything like that, it used to be really hard to do whatever. And you said, okay, man, I have to go find this book or source this out. I've got to put in the legwork.
00:55:23
Justus Hanna
And fast-forward to today, where you have Cursor and you have all these things that basically do it for you, but you still have to lift a finger to do it. And humans adapt to this laziness, kind of like what you're saying, and they just say, oh, well, you know, I have to use Cursor for like 30 minutes to make a full suite. It's like, dude, that would have taken ages. You wouldn't even have had the skill; you'd have had to outsource it, learn whatever new languages. And now it's incredibly easy, and yet still it's the same thing. If I put anything right on your plate, people will just get lazier and lazier, and they expect it to be easier and easier. And so I think, in our industry,
00:56:09
Justus Hanna
you'll have those... I mean, what did they do for the lows and infos on Code4rena and everything? Someone developed, what is it, LightChaser?
00:56:19
Justus Hanna
Where they find all these things automatically. And it's like, okay, if you're willing to put in no effort, look, you've already been automated. You know, you just can't find shit.
00:56:29
jordan
Yeah, so what you're saying is you believe that we're going to get forced to not be lazy?
00:56:33
Justus Hanna
That's right. That's right. Well, if you're lazy, you become mediocre and you become like everyone else. And I think there's no room for you, and you're not actually trying hard. If you work hard at anything, I think you'll become successful. It's just about putting the time into it.
00:56:50
Justus Hanna
You didn't get to where you're at... You know, let's congratulate you right now. A million bucks. You're fucking crazy, over a year, doing web3 security. I guarantee you didn't sit on your ass and they just paid you that for doing nothing. You worked your fucking ass off.
00:57:07
jordan
That's right, yeah.
00:57:08
Justus Hanna
Yeah. And the people that aren't getting paid aren't fucking working hard enough. They're not in there six, seven days a week going hard. And that is what it is. I mean, you know, I know you have two brain cells, I have one, we're far left of the curve, but we just show up every day.
00:57:27
Justus Hanna
I think, to be honest, man, that's the key differentiator: showing up every single day and just going at it and trying your best. And that beats any sort of natural gifts, in my mind. I don't know about you.
00:57:44
jordan
All right. So do you believe that anybody, like literally you could take any person, and as long as they're consistent, they could get to that level?
00:57:55
Justus Hanna
Not any person, no.
00:57:57
jordan
Oh, that's pretty interesting. Like, do you believe in talent?
00:57:59
Justus Hanna
Not anybody. I do believe in talent. I believe that, you know, there's one of you and there's one of me. And me and you both could talk to different friends and say, hey, you know, here's what you've got to do. And even if they had the drive to do it,
00:58:17
Justus Hanna
I think they just wouldn't get to the same level. So there is natural talent. But I'm just saying there's natural talent, and then there's the wherewithal to just see it through and get up there every day, because there are plenty of guys like you and me who might have the same talent level, IQ level, but they don't have the work ethic.
00:58:41
jordan
Yeah, I mean, I don't completely agree with everything, because I'm not a person who really believes in talent. Like for me, it's all hard work. Like you could have some sort of head start based on previous experiences you've had, but like I wouldn't consider that talent. Still, you've done some work in the past which has some impact on what you do now.
00:59:03
jordan
Because I look at it like, now I have quite a few people I know who have started doing this web3 security thing, and it's very, very, very clear who are the guys who actually have work ethic, who show up every day and who do this consistently, and you actually see their results. Like everybody's just doing absolutely insane, like compared to Bulgarian standards. Like the only people who have not done well are the ones who are lazy and have not put in the work. And all of these people come from very, very different backgrounds. Like, you know, some are older, younger, kind of like a bad school, good high school, stuff like that. Everybody has a different background and it all comes down to not what you've done before, but like, can you actually work eight hours a day, every day? And I don't know, it's pretty clear. Like you could take any person, like.
00:59:54
jordan
Maybe there's like very, very, very, very few exceptions who are like probably have like just some other problem. Like none of them talk about these people, but for any regular person, you take him, you show him the information. You let him work eight hours a day. Like if he can actually do that, I think not just be, I think in front of the computer, the guy's going to get a, going to become a beast. Like
Motivation and Cultural Differences in Work Ethic
01:00:14
jordan
that's what it takes now.
01:00:16
Justus Hanna
That's interesting. I like that take. If, if you said to your girlfriend, Hey, here's an auditing path. Here's the path, the web3 security. Could she do it?
01:00:27
jordan
1000%. Like if she wants to do it.
01:00:29
Justus Hanna
No shit. Bulgarian women are made differently.
01:00:34
jordan
If you ask her, like she's gonna be like, hell no, but I'm more than 1000% sure. Like you put your mind to it, you can do it. Like it's pretty weird because when I have this conversation with different people, like all of the people who agree with me are usually people who are fairly successful, and the only ones who disagree are ones who have not achieved anything.
01:00:56
jordan
Like that, like that successful. So it's a pretty good distinction: the ones who actually believe in themselves are the ones succeeding. The opposite is also true.
01:01:05
Justus Hanna
I would say that the hardest part of doing this and doing anything is just, I mean, I like doing this, but like for anybody who wants to do it is like first getting up the learning curve because you feel like an idiot initially, especially if you have limited background, like what the fuck is this? Like why, what are these errors? Like, how does this mean? Uh, but then, yeah, once, once you get going and just showing up every day is really tough for anybody, man. Like,
01:01:34
Justus Hanna
That's why employees are they stay employees because they're in the motion and they just keep working. They get paid versus more people owning businesses or entrepreneurs. You have to motivate yourself. Your boss isn't going to call you. And this is, this is very entrepreneurial.
01:01:52
Justus Hanna
especially bounty hunting versus auditing or anyone because you're not reporting to a project, you're not reporting to anybody. Your name's not on a contest, you don't have to show up. It's just like you just do it and look every day or or you kind of you won't succeed.
01:02:08
Justus Hanna
So I agree with you on that. Like it's definitely a huge part is just finding people that have the motivation to actually actually do something, which is hard to find. I think, I think the Bulgarians built differently, man. If you, if you took a sample from like, you know, where I'm at around me right now, which is in Florida. Uh, and I, I grabbed some people off the street. I just don't think they would, I don't know if they'd show up and say, yeah, I'm going to go hard every day on this. I just don't fucking think so.
01:02:37
jordan
Yeah, maybe it's like something in the mentality, like the difference, like, and oh yeah, no worries.
01:02:40
Justus Hanna
something in the water over there steroids
01:02:45
jordan
You know, like it's pretty, it's pretty funny. like in In the high school I graduated, we now have, I believe, six security researchers, auditors, who are making like really good money. And this is the sample size of like our high school. with like not It's not like American high schools. We have 500 students at at one time like across all grades.
01:03:08
jordan
And like we have like six or seven researchers from that same school who are doing this, and then you understand like how few people are there in the whole world, like what an anomaly this is. And then I talk with Zach, with obrond, and he says like, man, I can't even find a single person to do this in the state where I live. It's crazy.
01:03:29
Justus Hanna
Really? but And that's different, too, because here, like in America, everyone's focused on, I don't even know what, influencing or just stupid shit. Like, look at me, it's all image-based. Or else if they look at tech, they they talk about web2 for the most part I see. But I think with where your area is, it's like you've spread the word enough.
01:03:53
Justus Hanna
where it's like, Hey, look at this viable career option for you. You could be here. You don't have to move. Uh, you just need to sit in front of your computer and go hard. And God, that's, I mean, how appealing is that to a young kid? Like I would have been all over this in high school. Hell yeah. You
Concluding Insights on Web3 Security
01:04:11
Justus Hanna
offer me that kind of money and and I just have to be on my computer. Yes. Sign me up.
01:04:15
jordan
Yeah, I mean, I've also said this is so much about mentality, because like everybody is just like, oh, you heard about that fucktard? Like all of a sudden he starts making so much money. If he's thinking better than me, I can do better than him. And there's that mentality that's like nobody can be better and you just have to outperform everybody. Just like, you know, everybody here is like born with a bit of a God complex, and that's: if somebody else can do it, you can do it too. So I guess that's the difference in Bulgaria, man.
01:04:42
Justus Hanna
Yeah, that's the, but so all right. Let's, let's ask about how many it's all men, right?
01:04:50
Justus Hanna
Of course. How many women do you think are in the web three security space?
01:04:55
jordan
You know, it's a pretty tricky question. I believe that most of the women in the space are just going anon, like ah it's another ally. It's not just not like in reality, probably like five or six, something like that.
01:05:03
Justus Hanna
What percentage do you think though are actually women?
01:05:10
Justus Hanna
Get the fuck out.
01:05:12
Justus Hanna
I think less than one. I think there's men, the there's more men like pretending to be women than they're actually women.
01:05:23
Justus Hanna
I just think it's it's not a it's not an attractive thing for them. Maybe if they're really ugly, I don't know.
01:05:31
Justus Hanna
I don't, I don't know why a woman would do this.
01:05:34
jordan
I don't know. Like, maybe, I mean, you know, you're a woman, you want to get that new Chanel bag, and like what do you do? You got to make your money. Like, you know, you go to a man's place and like all of a sudden he talks about web3 security and how you should start doing it too. Like, might as well.
01:05:41
Justus Hanna
You're going to go, you're going to go talk to a Bulgarian auditor. That's what you're going to do.
01:05:55
Justus Hanna
Oh shit. Who knows? All right, man. Let's, that's an hour. Uh, that's pretty awesome, dude. This is the first podcast of bounty hunters life on the blockchain.
01:06:07
Justus Hanna
where we interview the top bounty hunters in crypto to discover their secrets, to finding live bugs and making money. How does that sound? Does that sound good?
01:06:16
jordan
Yeah, pretty good, yeah.
01:06:18
Justus Hanna
We'll see, man. Hey, if you have anyone who you want to refer for the podcast, like I just want to target, you know, guys that are doing primarily bounty hunting or have found some good bugs, like, you know, that are familiar with the industry, rather than guys that do just straight up audits. You know, judging from your pace, you're going to be disqualified for any future shows, man. You better get back in the contracts. But if you have anyone, man, just refer them over. I'd love to probably get them on.
01:06:50
jordan
Oh yeah, for sure. I have a few people in mind who you would definitely love to hear from.
01:06:54
Justus Hanna
Cool, cool. I can't just have all Bulgarians too. I'm going to have to diversify. But yeah, man, let me know. But hey, I appreciate you coming on, man, and taking the time. It was great to meet you in person and then have you on this podcast.
01:07:09
jordan
I mean, thank you so much for having me, man. It was an honor, a pleasure. Absolutely amazing, man. Thank you.
01:07:15
Justus Hanna
Yeah. All right, man. Take it easy. Thanks.
01:07:18
jordan
Thank you. Bye bye.