riptide & lonelysloth discuss how it feels hitting 7 figure bounty payouts, how to find obscure bugs that no one is looking for, why bounty hunters find bugs auditors miss, ZK bugs and things to look for, approach to learning new complex subjects, what motivates a lonelysloth, what planet he actually comes from, and much, much, more ...

Transcript

Introduction and Sponsor Shoutout

00:00:07
riptide
Welcome back to Bounty Hunters Life on the Blockchain because we live on the blockchain and my guest today I'll introduce shortly definitely lives on the blockchain and elsewhere.
00:00:20
riptide
But first let's give a shout out to Recon, getrecon.xyz/Riptide. I love dropping Recon. Recon is, they handle the invariant testing.
00:00:34
riptide
They are the kings of it. With Centrifuge, Liquity, and Badger, these guys, if you want to get fuzzing done on your project, you want some pros to do it,
00:00:46
riptide
reach out to Alex, getrecon.xyz/Riptide. They'll give you five grand off for a new customer on your invariant testing engagement.
00:00:56
riptide
You're not really serious about security unless you get some fuzzing done. You've got to fuzz. It's amazing what he'll post and just show you how you could break something that you thought was unbreakable when you fuzz it. So check it out.
00:01:13
riptide
Next up, if you want to get started or if you want to learn some new skills, go to rareskills.io/Riptide. Get 10% off one of their boot camps.
00:01:24
riptide
They do Solidity, ZK, Rust, Uniswap v3, all that stuff. So really good resource. I highly recommend it. Jeff knows what he's doing over there, runs a great project.
00:01:35
riptide
So if you're the kind of guy that doesn't learn on his own and you like just to be in that structured setup, sign up for a bootcamp and they take you A to Z through all these pieces of tech. So check it out.
00:01:49
riptide
Okay, so our

Guest Introduction - Lonely Sloth

00:01:51
riptide
guest today needs no introduction. Welcome, Mr. Lonely Sloth.
00:01:57
LonelySloth
Hello.
00:01:59
riptide
Humble Sloth. How you doing, man?
00:02:02
LonelySloth
I'm doing great, thank you.
00:02:05
riptide
Dude, who are you, man? I mean,

Journey into Bug Bounty Hunting

00:02:08
riptide
Like you came out of nowhere, but then I did some research on you and you've been in this game a long time, in the security game. Am I right?
00:02:16
LonelySloth
Yeah, yeah, quite a few years.
00:02:18
riptide
Quite a few.
00:02:19
LonelySloth
Since my first bounty was 2019. That was before Immunefi launched, all the other platforms, all the contests and stuff.
00:02:35
LonelySloth
It was actually through HackerOne. It was pretty much the only place. And
00:02:45
riptide
This is maker, right?
00:02:46
LonelySloth
Yeah, no, actually before that, there were a few other projects. It was smaller stuff. And the first bounty I got was, I think, I don't remember the exact number, but it was nice. It was like a few thousand, like 5,000, 3,000, something like that. And I thought I was really lucky getting that first one because that was my first submission.
00:03:16
LonelySloth
I was really, really lucky. And I thought, whoa, this works. And after that, even when I got multiple reports closed and stuff, I thought, look, I know this works.
00:03:29
LonelySloth
I know they pay eventually.
00:03:30
riptide
Mm-hmm.
00:03:31
LonelySloth
Someone pays. And later that same year, Maker did their bounty, which was kind of... Normally bug bounties are for mainnet stuff, production stuff.
00:03:48
LonelySloth
They did one before they launched the multi-collateral DAI. So this was very interesting, in a sense, a little bit like today's contests, but it was really bounties. It was a fixed amount per bug category.
00:04:06
riptide
And was this on a platform or was this independent?
00:04:06
LonelySloth
Yeah, HackerOne. 2019.
00:04:10
riptide
HackerOne, okay, so this was 2019. This is before Immunefi.
00:04:13
LonelySloth
Yeah, way before.
00:04:15
riptide
Yeah.
00:04:17
LonelySloth
And then I found one high, two criticals. The most important one got me fifty K, which was absolutely amazing.
00:04:31
riptide
That's huge. That's a huge amount.
00:04:32
LonelySloth
I mean... It's still a great amount today. At the time, I think it was like, I'm not even sure Web2 ever paid something like that.
00:04:43
LonelySloth
And I think at least publicly known, it was the largest bounty for Web3.
00:04:49
riptide
Mm-hmm.
00:04:49
LonelySloth
And I was covered by CoinDesk, I think. It was huge. And quite literally changed my life. It was a lot of money for me.
00:05:02
LonelySloth
And yeah, and then after that, I decided that I would not... This was not a one-off thing. Oh, this was a nice year.
00:05:13
LonelySloth
I had a good time.
00:05:14
riptide
So did that give you your exit from, like, normal life?
00:05:15
LonelySloth
and
00:05:19
LonelySloth
No, not yet.
00:05:21
riptide
Not yet. Not yet. Okay.
00:05:22
LonelySloth
Not yet.
00:05:23
riptide
That gave you the confidence.
00:05:23
LonelySloth
And then there was... It gave me the confidence. But at the same time, I was always kind of... Okay, but where's the next payout coming from? Because there weren't that many projects with bug bounties and there was not enough for a full-time job.
00:05:34
riptide
Okay.
00:05:45
LonelySloth
I did get a few others and then I started getting some private audits. I had no idea how to charge for it, so probably charged very low prices, a very low price tag for that.
00:06:00
riptide
Mm-hmm.
00:06:05
LonelySloth
And that was not enough for a full-time job. And then there was 2020, and I don't know, it all dried out.
00:06:15
LonelySloth
There weren't many, and I thought, maybe I'll go to Web2. I had some success. But I think the whole year of 2020, I got like 15K from

Turning Points and Full-Time Commitment

00:06:30
LonelySloth
Web2.
00:06:30
LonelySloth
It was good.
00:06:32
riptide
But you had quite a few bugs, Web2 bugs. I'm just looking at your HackerOne profile, but they just don't pay.
00:06:36
LonelySloth
Yeah, yeah, quite a few.
00:06:39
LonelySloth
They pay very low in general.
00:06:41
riptide
Yeah.
00:06:43
LonelySloth
And I also had some Web2 bugs in Web3 projects in 2020. But yeah, it was all like COVID and everything was weird.
00:07:01
LonelySloth
I was in no mood for a career change. I was just happy I was alive. I still had a job and stuff like that. And then January 2021, I think, I got an email from some people I had never heard of.
00:07:18
LonelySloth
And they said, oh, we're starting this new bug bounty platform. We found your name on a CoinDesk story about the Maker bug. What do you think?
00:07:31
LonelySloth
You just take a look at this list of projects, go to their GitHub, and then send us an email with your findings. And I was 100% sure they were scammers.
00:07:42
LonelySloth
But yeah, I was thinking, what the hell? Let me try it. And then I found a bug. I got my first payout from Immunefi in February, I think.
00:07:58
LonelySloth
I think I was the first. I think that was the first Immunefi bounty, if I'm not mistaken.
00:08:03
riptide
Was this Zapper?
00:08:06
LonelySloth
No, it was BadgerDAO.
00:08:08
riptide
Okay, Badger.
00:08:10
LonelySloth
And it was... a very nice one as well. At the time, it was classified as critical. If it were today, it would probably not even be a medium, but that was a different time.
00:08:23
riptide
Why is that?
00:08:26
LonelySloth
It was more like MEV stuff, miner extractable value, sandwich attacks.
00:08:32
riptide
Okay. Unheard of back then. Yeah.
00:08:36
LonelySloth
Yeah, it was very new stuff back then.
00:08:39
riptide
Like a contract not having slippage in there, something like that.
00:08:44
LonelySloth
Yeah, more like you could steal all the rewards for yourself by sandwiching the transaction, something like that.
00:08:52
riptide
Okay.
00:08:54
LonelySloth
But I think, I don't remember very well. It's been a long time. It's been five years, right? Four years. And then, yeah, and then I found another one.
00:09:09
LonelySloth
And then I looked at my bank account and most of my money was coming from Immunefi. And yeah.
00:09:15
riptide
like, what the fuck am I doing? This is it.
00:09:17
LonelySloth
Yeah.
00:09:18
riptide
Like, found the path.
00:09:19
LonelySloth
So what am I doing, 40 hours a week or more, more often more than that. Sometimes 1 a.m. fixing stuff in production.
00:09:32
LonelySloth
What am I doing? Let's just go for it. And now I have a little bit of savings from those few bucks. And if everything goes south, I just...
00:09:47
LonelySloth
come back and beg for a job. So,
00:09:51
riptide
And what kind of cushion did you have? Not in money terms, but runway. Did you have like 12 months?
00:09:55
LonelySloth
Ah, that, no, no, no, like three months.
00:09:59
riptide
Not even three months.
00:10:01
LonelySloth
Yeah.
00:10:01
riptide
Okay, shit.
00:10:02
LonelySloth
Yeah,
00:10:02
riptide
That's confidence.
00:10:05
LonelySloth
Yeah, but, but, you know, there was something else that was really good. At the time Immunefi had the White Hat scholarship and,
00:10:13
riptide
I did that too. Yeah.
00:10:15
LonelySloth
I'm not sure. Maybe I started that. Because back then, like, it was small. And I would sometimes just chat with Mitchell. And he was like, why do you still have a job? Why don't you quit and just work for me?
00:10:33
LonelySloth
I don't know, man. I don't want to go one day and not have enough to pay rent. But why do you need it? If you pay me a salary... maybe a little bit lower than what they pay me today.
00:10:48
LonelySloth
And then you can have it back on the bounties or something. Just guarantee me for a few months that I have a salary. And he said, well, we've got ourselves a deal. Yeah. And then I quit my job and started running full time. And of course, I made a lot more money than the salary I negotiated.
00:11:11
riptide
Did you pay Mitchell back?
00:11:12
LonelySloth
Sorry?
00:11:14
riptide
Did you pay Mitchell back?
00:11:16
LonelySloth
Yeah, yeah, yeah.
00:11:18
riptide
So you started the white hat scholarship program, which is a great program.
00:11:21
LonelySloth
I'm not entirely sure, maybe.
00:11:22
riptide
That's fantastic. Let's put it on you. I think you started it. Mitchell gave you a sales call.
00:11:26
LonelySloth
Okay, I started.
00:11:27
riptide
He gave you a sales call. That's how, this is how he started Immunefi, calling, Googling hackers and trying to find people.
00:11:33
LonelySloth
Exactly.
00:11:34
riptide
He found you and then you started the white hat program. That's pretty awesome, man.
00:11:40
LonelySloth
And then this, that 2021 was fantastic.
00:11:40
riptide
That's very cool.
00:11:43
LonelySloth
Like, it was... It was the golden age in some ways. I mean, I could find stuff that today would be caught by a first-time SR in a contest that pays a total of 5,000. And I could catch it. Like, contract was deployed.
00:12:08
LonelySloth
I got it. I submitted. I

Navigating Challenges and Industry Evolution

00:12:10
LonelySloth
got confirmation in two hours. And I was paid $20,000.
00:12:13
riptide
And at that time, Solidity was, was it at 0.7?
00:12:14
LonelySloth
That's amazing.
00:12:20
riptide
Do you remember?
00:12:23
LonelySloth
I
00:12:23
riptide
Do you remember?
00:12:25
LonelySloth
I think 0.8 had just come out.
00:12:28
riptide
Okay.
00:12:28
LonelySloth
Very few contracts were 0.8.
00:12:30
riptide
So, yeah, there were still the overflow bugs in the wild.
00:12:34
LonelySloth
Yeah, lots of overflow bugs.
00:12:34
riptide
Yeah.
00:12:37
LonelySloth
Lots of basic reentrancy stuff. Yeah, it was all Solidity. There was nothing else.
00:12:44
riptide
Mm-hmm.
00:12:45
LonelySloth
There were no blockchain bug bounties. Everything was so easy. And it was amazing. I had my first couple of six-figure bounties later that year.
00:12:59
riptide
Mm-hmm.
00:13:01
LonelySloth
Yeah, I felt so absurdly rich. And like it was kind of, no, at some point it was...
00:13:12
LonelySloth
Okay, now that's my life. It's going to be that easy. And I'm going to do that for the rest of my life. I'm going to get really, really rich. And 2022 was not like that.
00:13:25
riptide
You got brought down back to earth.
00:13:27
LonelySloth
Yeah, I mean, it was a great year. I mean, I got considerably more than what used to be my salary. But it was not that easy. I had to grind a lot and learn a lot of new stuff.
00:13:41
LonelySloth
And then started the blockchain projects. But the thing that really got me was the two 10 million bounties that weren't me.
00:13:58
riptide
Oh, yeah.
00:13:58
LonelySloth
And then there was this massive crypto crash.
00:13:59
riptide
That got everyone.
00:14:02
LonelySloth
And I thought, fuck. I just lost my chance. That's it. I missed it. Those 10 million bucks, that was it. I could have made retirement money, and I didn't.
00:14:17
LonelySloth
And I spent a lot of money. And now, yeah, now I'm screwed.
00:14:22
riptide
Hmm.
00:14:22
LonelySloth
No. But I kept going. I was not going back for a job. And I was still making more than at my previous job. And then 2023 was amazing.
00:14:34
LonelySloth
I found a bunch of ZK stuff. And 2024 was pretty good as well. And this year is going pretty good so far,
00:14:44
riptide
Just kind of good, yeah.
00:14:45
LonelySloth
especially this one bug. And yeah, I think. But every year is different. Every year is different. You have to learn new stuff.
00:14:57
LonelySloth
It's, yeah. You never know exactly how it's going to go. You find a six-figure bounty, and then you spend months not finding anything, and then you get a 20,000, and you think, oh, that's my life now?
00:15:12
riptide
Yeah.
00:15:14
LonelySloth
No, you don't know. And then you find a two-million. It's crazy. It's a crazy life.
00:15:22
riptide
It is crazy.
00:15:22
LonelySloth
Yeah.
00:15:23
riptide
There's so many ups and downs. So like, what was your biggest down? Like, how did you ever get that moment where you just said, that's it, man, I suck.
00:15:33
riptide
I can't find shit, like you're dead end after dead end for weeks.
00:15:38
LonelySloth
Oh, a few times, I spent like three months without a bug.
00:15:43
riptide
How'd you feel?
00:15:46
LonelySloth
I don't know, it depends a little bit. If my last payout before that was like multiple six figures, I usually feel pretty good. I'm like, okay. It's just, yeah, I could take some time off anyway, and stuff like that.
00:16:03
LonelySloth
But if I'd been just grinding and getting smaller payouts and then several months without a payout. And then, if you're like that, that's it.
00:16:15
LonelySloth
That was it. It was a nice run. But that's it.
00:16:20
riptide
That always comes back.
00:16:21
LonelySloth
I'm not going to find another one.
00:16:22
riptide
Yeah. I'm telling you, this happens to me. I think that it must happen to everyone, where you get on a streak, and I see it. And the guys I talk to on the podcast, and you see it on Twitter, people start, they hit something.
00:16:36
riptide
And then like, let's talk WhiteHat Mage, right? He was killing it. And maybe he had a great, you know, bug that he had found in multiple protocols, or else he just, he just was hitting. Sometimes you're just on fire and then he'll just universal rearrange.
00:16:50
LonelySloth
yeah
00:16:54
riptide
And then he'll just have a lull, a lull in hunting operations. And then the next guy's going to come up and then boom, he's going to be on fire. And it's like, it's just, are you ready to ride the rollercoaster?
00:17:08
LonelySloth
Exactly. It's a roller coaster, which is kind of crazy within years, because you have a life, right? You need to know... I mean, there are people who just, I don't know, like there's this meme, like people making six-figure bounties and still living with just a bottle of beer and some pizza in the fridge or something like that. And then they spend all the money. But no, I try actually to have a fairly normal life.
00:17:39
LonelySloth
And then how much can I spend a year? I don't know. And then I have to kind of guess. But I mean, I was used to having a salary. There's a bunch of professions that are like that.
00:17:50
LonelySloth
Like if you work in real estate, maybe there's a slow year. You make half.
00:17:57
LonelySloth
That's just part of this profession, right? It is what it is.
00:18:02
riptide
Yeah.
00:18:03
LonelySloth
But yeah, I think the worst is when you've been a long time without finding bugs. And then you find a bug. And then you don't get paid. That's like, I'd say, like kicking you when you're down.
00:18:13
riptide
Oh, that's bad.
00:18:19
LonelySloth
Like, and then it's like, fuck this shit. A few times I thought like, no, I'm not gonna do this again.
00:18:19
riptide
Yeah.
00:18:29
LonelySloth
This is too hard. I mean, emotionally, like you spend months, you find something, you know it's great. You know it's for you. And you think this is it. This is gonna be a million dollars.
00:18:43
LonelySloth
And then you don't get paid anything. You get better

Bug Identification Techniques

00:18:48
LonelySloth
at identifying what will actually get paid and managing your expectations.
00:18:56
LonelySloth
But yeah, it's still hard when it happens.
00:19:00
riptide
Where do you think that field is right now? Like, you're describing Solidity, you know, back then, where it's kind of easy pickings. I think because there weren't many of you, and like, you know, during that time, I'm just getting into it. I'm DeFi DJ.
00:19:17
riptide
So I don't even know how to read a contract. So now Solidity is more popular. You have so many more resources. You have LLMs. You have all these things. Where do you see that being now? Do you see that as like ZK, not as easy pickings, but the place where you're going to get the best kind of bang for your buck researching?
00:19:38
LonelySloth
It's hard. It's always changing, it's a moving target. So to be honest, ZK I think was a bit like that in 2023.
00:19:47
LonelySloth
when I had three really big bounties, six-figure bounties in ZK.
00:19:52
riptide
Mm-hmm. Mm-hmm.
00:19:55
LonelySloth
And then I had a few good bounties in 2024, but didn't have any ZK. I mean, I had all other bounties, not any ZK bounties. And then the Solana one that was huge, but quite an outlier.
00:20:12
LonelySloth
There aren't that many bug bounty programs for ZK that pay top money.
00:20:23
LonelySloth
One thing that happens is the rollups, most of them are actually permissioned. So you can basically never make the top bounty with a ZK bug because it would always require a malicious sequencer or something like that.
00:20:37
riptide
Yeah.
00:20:46
riptide
So they could wiggle out of it.
00:20:46
LonelySloth
and
00:20:47
riptide
Yeah. Cause we run the sequencer and yeah.
00:20:48
LonelySloth
Yeah. Yeah. So, and it's understandable. A lot of stuff, sometimes it's just bad faith actors, but often it's understandable. I mean, they're looking after their investors' interests, their community, right? They can't just hand out millions of dollars like that.
00:21:12
riptide
No one is going to just hand you that, no fucking way.
00:21:14
LonelySloth
Exactly.
00:21:15
riptide
The bounty that you got paid, these seven-figure bounties are tough to get, period.
00:21:21
LonelySloth
Yeah.
00:21:22
LonelySloth
And it's understandable because if there is a permissioned thing in the way, it reduces quite a lot the chance that this will get exploited.
00:21:35
LonelySloth
The one that wasn't permissioned at all was Aztec. And I did get a very high bounty from them. It was
00:21:46
LonelySloth
$450,000.
00:21:48
riptide
I think, yeah.
00:21:49
LonelySloth
But to be honest, if I had started six months earlier, one year earlier, maybe I'd have made another million dollars out of it.
00:21:49
riptide
Yeah.
00:22:04
riptide
Mm-hmm.
00:22:05
LonelySloth
Because, for example, Aztec was just like... TVL was just going down at this point. And then TVL was like... almost 5 million, they offered 450 and that's it.
00:22:19
LonelySloth
But if TVL was 10 million, maybe I'd make a million dollars. Maybe it would make more money with the other ones. So, but we'll never know.
00:22:30
LonelySloth
Maybe there will be...
00:22:32
riptide
Do you know what happened with Aztec?
00:22:32
LonelySloth
I...
00:22:35
riptide
Wasn't it suspicious? Like, they had some great tech, apparently, and then they just kind of shut down. And I heard it was because of some governmental factors or something like that.
00:22:42
LonelySloth
I
00:22:47
riptide
But they just said, you know what, we built all this and we're just shutting it down.
00:22:51
LonelySloth
Yeah, I don't know. I think I don't have any information on this. I only talked to them about getting paid.
00:23:03
LonelySloth
But I would guess it has something to do with all this Tornado Cash stuff. And later, yeah, Tornado Cash had a bug bounty, and I was...
00:23:11
riptide
flag.
00:23:17
LonelySloth
trying to find bugs in it at some point. And then I thought, oh, God. Thank God I didn't find the bounty. Thank God I didn't find the bug.
00:23:25
riptide
Your flag.
00:23:27
LonelySloth
And then I stopped. I deleted this from my computer and whatever. I don't want to touch the stuff. Right? Yeah,
00:23:34
riptide
Yeah.
00:23:36
riptide
But like your motivation on this, it's not, like, and this is my question to you, because I was browsing your GitHub and I saw you put this thing, breaking Nostr, and it was this censorship-resistant alternative to Twitter.
00:23:37
LonelySloth
Yeah, this is crazy.
00:23:49
LonelySloth
Yeah.
00:23:52
riptide
And I briefly heard about that and I'm looking at your write-up and it's really long and you took a lot of time to go into this. And I'm thinking, who does this? Who is this guy? You even put citations in here.
00:24:07
riptide
What were you aiming to do? Like, why did you do this? Just out of pure interest?
00:24:13
LonelySloth
Yeah, out of pure interest, I was... intrigued by Nostr. And I thought, yeah, we live in this world with lots of censorship and stuff.
00:24:25
LonelySloth
And maybe this is important. But then I started looking into it, and I realized this is not really censorship resistant, or at least not much more than other stuff that we already have.
00:24:38
riptide
Mm-hmm.
00:24:38
LonelySloth
Like, the internet is, in some sense, censorship resistant. Like, you can have your own computer and run stuff. And if people know your IP, they can go and find you, and you have Tor and stuff like that.
00:24:55
LonelySloth
But there was lots of hype around it, especially in the Bitcoiner community. I used to read a lot about Bitcoin. I actually got into crypto mostly through Bitcoin.
00:25:10
LonelySloth
And then I started looking at other stuff.
00:25:11
riptide
Let's just put out, you had a humble PR merged into Bitcoin.
00:25:12
LonelySloth
Ah.
00:25:17
LonelySloth
Yeah, I have a PR.
00:25:18
riptide
If you understand.
00:25:21
LonelySloth
Sorry?
00:25:22
riptide
And I say, if you understand, man, that's not an easy thing to get done.
00:25:27
LonelySloth
Yeah, it's...
00:25:27
riptide
Like this is when you have your morning coffee, you quickly submit a PR to Bitcoin, no big deal, it's accepted, $2 million bounty.
00:25:31
LonelySloth
Oh, no, no. It's not like that. It is actually a lot of work to get those. And I was...
00:25:40
riptide
Absolutely.
00:25:41
LonelySloth
But it was very interesting in terms of learning. I learned a lot. And it was actually around tests for vulnerabilities. So that was kind of my path of understanding those things and getting more into deep technical stuff.
00:26:03
LonelySloth
And to be honest, smart contracts were not the thing that attracted me most. I... What attracted me to smart contracts at first was really that, oh my God, it's so easy to get it wrong, right?
00:26:18
riptide
Right.
00:26:18
LonelySloth
Because when you look at Bitcoin Core, they did have some very serious bugs. They don't have a bounty, as far as I know.
00:26:29
riptide
Right.
00:26:29
LonelySloth
But it's another level, right? There's so many people reviewing it. And then months of discussions for every PR. And yeah, so, and even then you'll get bugs.
00:26:44
LonelySloth
And then Solidity, like someone just creates a wallet, lots of people start using it. And then there's just one function there that's missing a permission check or something.

Blockchain Security Intricacies

00:26:56
LonelySloth
And then someone goes in there and freezes hundreds of millions of dollars.
00:27:01
LonelySloth
That was crazy. And I thought, yeah, that's a good market to look for vulnerabilities. I was thinking Bitcoin Core is too hard. After getting those PRs merged, I started thinking, it's a lot of trouble. It's not going to get me money.
00:27:22
LonelySloth
Maybe one day I'll be a developer in some company or something. That was my original thought. But these smart contracts, I think they need people to look into that.
00:27:33
riptide
They need the sloth. They need the sloth over there.
00:27:35
LonelySloth
They need, yeah.
00:27:35
riptide
They do. Have you ever looked at some of the Bitcoin staking protocols? Like, was it Babylon?
00:27:41
LonelySloth
Yeah.
00:27:42
riptide
It's like 5 billion staked. I think it runs on, I think on Cosmos.
00:27:47
LonelySloth
It's Cosmos. And yeah, I did.
00:27:48
riptide
They have some contracts too.
00:27:50
LonelySloth
And I saw a recent bug and I was like, oh my God, I could easily have found that. Easily is an understatement, but I could have found that. I was looking at that. I didn't find it.
00:28:01
riptide
But what happened? Luck wasn't there that day.
00:28:03
LonelySloth
It was something. No, they were exploited. There was a bug bounty. I was just, oh, that was my bug. I feel like that sometimes, but at the same time, it's always interesting because then you get to learn something, right?
00:28:19
riptide
Yeah.
00:28:19
LonelySloth
And then maybe you find the next one.
00:28:22
riptide
Yeah.
00:28:22
LonelySloth
Many of my bugs were like that. I just, someone posted a write-up, I looked at the write-up, and then it was my entry point to some project or some technology. And then from that, I got digging, and eventually I find something different.
00:28:38
LonelySloth
But yeah, I took a look, and there is Stacks, right?
00:28:44
riptide
Stacks, yep.
00:28:44
LonelySloth
Ah.
00:28:45
riptide
I've heard from some people that there were quite a few bugs in there.
00:28:46
LonelySloth
and
00:28:51
LonelySloth
Yeah, well, I did some digging there. I'm not sure what I can talk about.
00:28:58
riptide
Whatever you want.
00:29:00
LonelySloth
But I mean, from my side. But so...
00:29:06
LonelySloth
Yeah, I do. I like that stuff. And I like Cosmos. These days, I think... The thing is, it's always changing.
00:29:19
LonelySloth
But at the same time, it's always getting more complex.
00:29:24
riptide
Yeah.
00:29:24
LonelySloth
Even smart contracts, that low-hanging fruit might be hard to find today. But then you have huge code bases interacting with huge code bases across chains, and just like a sea of complexity.
00:29:42
riptide
Yeah.
00:29:42
LonelySloth
And that's where stuff starts to happen, right? That's where you start to find bugs, because it's too complex for the developers looking, and often the developer is looking at one part.
00:30:00
LonelySloth
He's developing one part, right? Or they are developing one part. And
00:30:06
LonelySloth
even they don't see the whole sometimes. And if you just keep digging and trying different things and asking questions, sometimes you'll get
00:30:17
LonelySloth
you find some complexity that's not exactly how they assumed it to be. And then there's a bug.
00:30:25
riptide
That's a good viewpoint I didn't think about: if you have a very complex project and then you have, I didn't think about that, where you might have different development teams internally, and they might really not understand fully what they're interacting with.
00:30:34
LonelySloth
Yeah.
00:30:39
riptide
That is a very interesting angle.
00:30:42
LonelySloth
Usually there are some people that understand the whole of it, but they don't have infinite time or 100 eyes.
00:30:53
riptide
Yeah.
00:30:54
LonelySloth
They're just two eyes per person still.
00:30:54
riptide
Yeah. Yep.
00:30:57
LonelySloth
So they can't look at everything and they miss things. And everyone misses things. Like the $10 million Wormhole bug.
00:31:08
LonelySloth
Lots of people could have found that, right?
00:31:10
riptide
Yeah.
00:31:11
LonelySloth
It was just one person who was really fast and found it before everyone else, submitted, and got it fixed.
00:31:22
LonelySloth
Thankfully, it was not another hundreds of millions of dollars lost. It was just $10 million paid to someone. And yeah, so I think
00:31:31
riptide
Yeah, a lot of this is right place, right time, but with skill.
00:31:34
LonelySloth
Yeah, I think there are two kinds of... There is this, I'm going to find what everybody's looking for, but I am so good, or I am so lucky, or I am so fast that I'm going to find this before.
00:31:49
LonelySloth
Or I'm just going to look at so many different places that I'm going to find lots of this stuff. And the other is, you know what?
00:32:02
LonelySloth
Let's look for what nobody's looking for. And what's that? That changes all the time. Because then you have a write-up. And then everybody starts looking for that thing.
00:32:10
riptide
Mm-hmm. Mm-hmm.
00:32:12
LonelySloth
And so it's always a moving target. And that's kind of why you never know how it's going to be next year. These days, I don't hunt a lot in Solidity. I did have one Solidity bounty last year.
00:32:29
LonelySloth
I do some Solidity

Exploration Strategies in Bounty Hunting

00:32:32
LonelySloth
private audits. I still take a look. Every now and then I take a look at these multimillion-dollar bounty projects. But yeah, I haven't found multimillion-dollar Solidity bugs yet.
00:32:49
riptide
Yeah.
00:32:51
LonelySloth
But maybe you'll find one next week.
00:32:51
riptide
Ah.
00:32:52
LonelySloth
I don't know.
00:32:52
riptide
I wonder if there's like a chart, someone made a chart where it has like most popular bugs, you know, okay, this time it was reentrancy and something like that, and then that drops off.
00:33:03
riptide
And then, like you said, someone does a write-up, okay, this one, everyone chases this type of bug. I wonder if there's something that we could look at to see which bugs were popular at what part of the timeline there.
00:33:16
LonelySloth
I think someone does that. I think I saw an X post about that at some point.
00:33:24
riptide
Yeah, probably. But yeah, you have to be looking for what no one's looking for. And how do you do that? What's your secret, Mr. Sloth? How do you hunt, man? How do you say, hey, you know what? I'm going to ignore all these patterns. It's all memorized.
00:33:39
riptide
But what are you looking for that no one else is looking for? How do you kind of approach that?
00:33:42
LonelySloth
So I try to look for the stuff everybody's looking for too. But what I do is I try to follow my curiosity, because if it's something I don't understand... It's like, if I look at something and, well, when I'm first attacking a target, I look for something that has complexity, has potential for a good payout, and
00:34:14
LonelySloth
But especially it has complexity, even if the maximum payout isn't that huge, if it's 100K.
00:34:16
riptide
Mm-hmm.
00:34:23
LonelySloth
But six figures. But then I start looking. I don't understand this. Why don't I understand this? And it's like, I don't know, like an itch or something. I have to understand it.
00:34:40
LonelySloth
Why? No, I can't just accept that I don't understand this. I will understand this. And then I'll go and spend a lot of time. And often I'll see those ghost bugs.
00:34:54
LonelySloth
I don't fully understand this. And I look at this and I think, this is wrong. This is so wrong. This is a million-dollar bug. I'm just seeing it right now. And then I go understand it. And I say, no, that is perfectly correct.
00:35:07
riptide
You call them ghost bugs. Yeah, I like that.
00:35:11
LonelySloth
That was perfectly correct. But then I understand a bunch of stuff and that opens the doors to finding something that potentially is not a ghost. Everything kind of starts like this. You see something and, oh my God, this is so good.
00:35:27
riptide
Yeah.
00:35:27
LonelySloth
And I think this like faith and maybe even, I don't know, that crazy rational belief that you look at something, this is a bug. Those guys,
00:35:40
LonelySloth
Come on, guys, don't do that. You just missed here. You didn't check the sender or something. And then you go and find, no, they are checking this somewhere else, of course.
00:35:53
riptide
Yeah.
00:35:53
LonelySloth
They would not make something this stupid with a million dollar bounty.
00:35:58
riptide
Do you look at the code and then do you verify, do you go to the tests afterwards to say, hey, did they check for it there?
00:36:08
LonelySloth
Sometimes, yeah. Often, I mean, if I think there is something, I will go look for tests.
00:36:12
riptide
Right. Right.
00:36:17
LonelySloth
But I will mostly not even trust their tests, because what if they wrote their test wrong, right? And I'll just try to test myself, or at least understand better and see if there's a check somewhere else in the code.
00:36:25
riptide
right
00:36:32
LonelySloth
Yeah. And sometimes I will double check low-level stuff. And I will also get like, sometimes I don't remember stuff and I say, what if the EVM does this and that?
00:36:47
LonelySloth
And I just don't remember.
00:36:49
riptide
Yeah,
00:36:49
LonelySloth
What was that? And then I double check for the 10th time.
00:36:57
LonelySloth
But that's good because that makes you look at stuff, right?
00:36:59
riptide
yeah
00:37:00
LonelySloth
ah
00:37:00
riptide
yeah
00:37:01
LonelySloth
Sometimes I think you have to forget stuff to kind of look with fresh eyes. If you just keep looking at the same thing or keep doing it, you start to think you know stuff and your brain just skips over it, and then it's like, oh, this is just the normal stuff.
00:37:18
riptide
Mm-hmm. Mm-hmm. Mm-hmm.
00:37:22
LonelySloth
I know how this works. Which is what developers do, right? Because they have to write code and they are looking at the same code base all the time. And then they look at a function and they think they know how it works.
00:37:36
LonelySloth
Because they look at it so many times. And then your brain stops thinking critically. And you have to go for a long walk, maybe work on something else. And maybe give it a couple months, and then you come back.
00:37:49
LonelySloth
And you think, oh, my God, I forgot everything about this. It's such a waste of time. But then when you are relearning, you sometimes find stuff. Yeah.
00:38:00
riptide
You know what I'm not noticing that much anymore is the optimizer bugs. Like you were making me think, when the devs go in there and they refactor it to optimize it for gas. And there were some obvious bugs that people were introducing.
00:38:13
riptide
I think that class is gone now. Like people have wised up.
00:38:17
LonelySloth
I don't know. I think there might still be, because lots of stuff is... Well, there are entire projects that are basically optimizing for gas.
00:38:29
LonelySloth
In a sense, roll-ups are just that.
00:38:33
riptide
Mm-hmm. Mm-hmm.
00:38:34
LonelySloth
And yeah, there's lots of... There's a lot of development just for optimizing gas, and lots of optimizations.
00:38:46
LonelySloth
And when I was in Web 2, I was always told, like, there's a saying from some famous software engineer, I don't remember who: early optimization is the mother of all evils, or something like that.
00:39:05
LonelySloth
And yeah, there are just so many bugs, vulnerabilities in Web 2, Web 3, that are introduced because of optimizations. Because when you're optim...
00:39:16
riptide
Because you're making a trade-off.
00:39:18
LonelySloth
Yeah, and you are getting rid of... When you optimize stuff, you are using whatever assumptions to the most extreme level.
00:39:30
LonelySloth
Like, I know this is not zero, so I'm not going to check again.
00:39:31
riptide
and
00:39:36
riptide
Right.
00:39:37
LonelySloth
Stuff like that, right? And then maybe it was not necessarily checked elsewhere, or you think it's not zero, but maybe it is in some circumstances.
00:39:47
riptide
Or maybe you could flip it to zero through some sort of memory load or some strange case, yeah.
00:39:49
LonelySloth
And then...
00:39:53
LonelySloth
Exactly. And it goes in all kinds of stuff. For example, the Solana bug was actually an optimization bug.
00:40:04
riptide
Really.
00:40:05
LonelySloth
Technically, I said it was a Fiat-Shamir thing, and technically it's not, but I won't go into that level of detail.
00:40:16
LonelySloth
It's just the general cryptographic protocol was correctly implemented, but you had to do a bunch of calculations on elliptic curves, which are just expensive.
00:40:18
riptide
Mm-hmm.
00:40:28
LonelySloth
And then to simplify, you do something that lots of implementations do, which is batching those calculations. You try to check three, four equations.
00:40:42
LonelySloth
And then you just multiply each one by a random number and sum all of it. And if the result is zero, all of them are zero, because it's random. So that's the only way you can... You can only be sure the result is zero if all the components are zero, because it's random.
00:41:03
LonelySloth
But what if it's not really random? And that was the

Optimization and Security Vulnerabilities

00:41:09
LonelySloth
bug. It was not really random. The attacker could know it beforehand because it used a hash to calculate it.
00:41:17
LonelySloth
And the hash was not properly generated. And the attacker could know it before the attacker generated the proof. And then, even though the entire cryptographic protocol and, up to this point, this optimization, everything was perfect,
00:41:33
LonelySloth
the attacker could just fake a proof and do whatever they wanted.
00:41:39
riptide
But because they knew the hash was not properly generated, right?
00:41:42
riptide
Because it was missing, I forget, those two points, they omitted that.
00:41:42
LonelySloth
Yeah.
00:41:46
LonelySloth
Yeah.
00:41:48
LonelySloth
Because when you're doing this, like using a hash for generating a random for optimization, you have to include everything. Usually when you are generating a random for a proof,
00:42:03
LonelySloth
you can't include the very last part of the proof, because the prover has to use the random number in the proof. But when you're doing it to optimize calculations, everything the prover sends you must be in the generation of the random number, the hashing.
00:42:24
LonelySloth
Because otherwise... Because the whole point is they can't absolutely know what the random number is beforehand.
00:42:32
LonelySloth
And to be honest, that's common. That's actually my third bug. No, my second bug in that kind of optimization, which has a very devastating result, which is it will accept whatever proof.
00:42:52
LonelySloth
So you can do whatever you want, and the ZK system will verify and think it's all good.
00:43:01
riptide
I feel like there was a similar one that I saw with one of the JavaScript snark libraries that was, I have to look at it again, but it omitted one step from the hash, from the hashing process, and that exposed, yeah.
00:43:17
LonelySloth
Yeah.
00:43:19
riptide
I have to look at it again.
00:43:21
LonelySloth
That's actually a very large class of bugs, and it's well known, and it's been around. There are write-ups about that.
00:43:31
LonelySloth
There's a series, I think, by Trail of Bits explaining that sort of thing. The thing is, it's usually so mixed with math and lots of code.
00:43:47
LonelySloth
And the code for that kind of stuff usually isn't super clear.
00:43:49
riptide
Mm-hmm.
00:43:52
LonelySloth
And each project has its own. So, and different languages, completely different libraries. So it's not an easy read.
00:44:04
LonelySloth
You have to get acquainted with it for a bit before you find it. I mean, this one I identified and was able to test relatively quickly, because the second one was almost exactly like that, and the third one in this general category of not using all the values in the hash.
00:44:28
LonelySloth
So at this point, I was pretty good at spotting that. But yeah, I don't know.
00:44:36
riptide
Yeah, it's like a simple bug, relatively simple, but nested, but you have to understand the whole thing to really spot it.
00:44:42
LonelySloth
Yeah. Yeah. it's
00:44:45
riptide
Yeah.
00:44:46
LonelySloth
It's usually like that. The mistake itself is usually simple. I recently, in a private audit, I can't, I don't think I can say exact details of what it was, but there was critical code that was a variable. There were two constants defined with different capitalization and the wrong constant was used.
00:45:13
riptide
That's attention to detail right there to catch that.
00:45:13
LonelySloth
Yeah, but I didn't catch it by reading the code. I caught it because I was testing something else, and I only caught it in dynamic testing.
00:45:25
riptide
OK.
00:45:25
LonelySloth
And something went wrong. I didn't understand a lot. And then it took me a long time, hours. It was an audit where you can't spend like months looking for stuff.
00:45:36
LonelySloth
But then I realized, oh my God, there are two constants that are the same. And one was an old set of constants that was still there in the code base, was not used anymore,
00:45:50
LonelySloth
was just there to confuse the developers.
00:45:55
riptide
The deprecated variable.
00:45:55
LonelySloth
It was a malicious constant left there. Maybe it was a malicious actor that submitted a PR. I don't know.
00:46:04
riptide
Who knows? Who knows? There are so many things to trip you up, and to trip on these little trap doors.
00:46:06
LonelySloth
Who knows? Yeah.
00:46:10
LonelySloth
yeah
00:46:13
riptide
Hey, I wanted to ask you something that I saw you retweet, and I thought it was very kind of ambiguous. So Infosec US, that team.
00:46:24
riptide
And they tweeted this, that there's a type of critical bug that contests and private audits can't find, only black hats and bug bounty hunters.
00:46:25
LonelySloth
yeah
00:46:32
riptide
And they're talking about analyzing the live blockchain state and all that. And my first thought was like, you know, is this like dynamic arrays overflowing and overriding storage slots? Like, what are they looking at? And I was curious if you had a take on it.
00:46:49
LonelySloth
No, I didn't look exactly at this bug. I just, the general idea. Yeah, I think there's stuff because audits have a defined scope and a short time span.
00:47:07
LonelySloth
And you can't really look at everything. You try, depending on the scope and the time allocation, to look at the larger environment.
00:47:19
LonelySloth
But in real life, things just start getting used differently. And then you have tiny modifications deployed.
00:47:24
riptide
Mm-hmm.
00:47:28
LonelySloth
And even when the context is mutable, and then you have integration with something else that starts using it. So things have a life of their own. You can't predict exactly all the interactions and all the configurations and everything.
00:47:51
LonelySloth
So, yeah. So that's, for example, the very simple thing that's, it's not very common anymore, but the initialization bug where you just have some implementation code that's delegated from a proxy and then you don't initialize it, and then you can initialize it and self-destruct, and everything's frozen.
00:48:18
riptide
Yeah.
00:48:19
LonelySloth
It's a misconfiguration, right?
00:48:19
riptide
Yeah. Never see that anymore. Sadly.
00:48:23
LonelySloth
Yeah.
00:48:24
riptide
and Yeah.
00:48:25
LonelySloth
It's a misconfiguration that...
00:48:25
riptide
Right. In the audit, it would pass. You say, okay, no problem. This will be fine.
00:48:29
LonelySloth
Yeah. I mean, if you are auditing the deployment script, which sometimes happens, not always, maybe you would catch it, but...
00:48:42
LonelySloth
Assuming there is an actual deployment script, like a complete one for deploying the whole thing and checking, which is not always the case. And it wasn't always the case in the past.
00:48:56
LonelySloth
It was uncommon

Strategic Advice for Bounty Hunters

00:48:57
LonelySloth
to have a very structured deployment process.
00:49:01
riptide
Mm-hmm.
00:49:01
LonelySloth
But yeah, a lot of stuff is like that. And sometimes the bug's just there waiting for years.
00:49:12
riptide
Yeah, I would say a great tactic would be for an audit firm, because I don't see them auditing deployment scripts that often, to just do the audit and then say, hey, you know, do your soft launch or something. And then how about you look it over again a week after they've been deployed?
00:49:29
riptide
Just check everything out. Just double check that nothing's fucked up. They didn't grant roles to the wrong people. You never fucking know. I mean, I think I'd love to see that in the space.
00:49:41
LonelySloth
Yeah, I think so. And another thing that I think is interesting is the
00:49:49
LonelySloth
CTF sort of contest or bounty. It's live.
00:49:55
riptide
Mm-hmm.
00:49:55
LonelySloth
It has actual funds.
00:49:55
riptide
Mm-hmm.
00:49:57
LonelySloth
And you can just go there and get funds. If you report, then it's OK. You can keep the funds for a little while. Which kind of validates the deployment too.
00:50:12
LonelySloth
Right. But again, just the initial deployment. If there are any changing configurations or new integrations afterwards, then you can't do this sort of thing anymore. But there are always black hats to look for that.
00:50:29
riptide
Absolutely. Hey, I totally forgot, we should do an alpha drop and throw this in here. Did you prep any? I'm gonna have to think of one just off the wall.
00:50:40
LonelySloth
Oh my gosh.
00:50:42
riptide
I'll give you some leeway time. All right, so I'm gonna drop one, because I just thought of one, because I was having a conversation with my friends over at LayerZero. And I was digging, like, I don't know if you do this, but I go back into protocols.
00:50:55
riptide
Like once I pick up a code base, it just kind of sits there, and I have a cron job that git pulls, and I'll just keep going back every now and then just to see if I missed anything.
00:51:07
riptide
And if you're familiar with LayerZero, or any listener is, they have this security model and these DVNs. And anyone can run the DVNs, but mostly everyone chooses this security stack where you have, you know, one out of two DVNs. And they have a certain amount of signers. And they verify the transactions. An executor calls it, blah, blah, blah. And I noticed with the DVNs, I was poking around and looking on chain to see who the signers were.
00:51:33
riptide
And the security assumptions are not that clearly laid out to devs versus what LayerZero is. And I'm not dogging the guys. I think they made a great product.
00:51:45
riptide
But the security assumptions, most people who use a DVN, who use LayerZero, they plug it in and they're not checking the signers. I did a poll on X to find out. They're not checking the signers on the DVN to make sure they're not the same.
00:51:59
riptide
Because if they are the same, say you have three DVNs and two DVNs have to sign off. Well, if you have the same signer, there's no unique identifier between the two. They do it cross chain.
00:52:11
riptide
They use vid to check cross chain so you can't do cross chain replay stuff. But on the same chain, they just completely omitted that, and it never came up in any audit, any of these things. So if you have DVN1 sign, has signer A,
00:52:26
riptide
and they sign off, the executor could just replay that signer on DVN B if it has the same signer. And then, well, you've only really had one sign off on it, even though it's the same signer. You're supposed to have the actual DVN sign off. So if anyone could do anything with that bug, I have no idea. But that's something I noted in the past couple days. So I'll just share that to give you time for that alpha drop I know you're thinking about, Mr. Sloth.
00:52:52
LonelySloth
Yeah, so on that note, this is something that I do.
00:53:00
LonelySloth
I kind of write down. I have notes. It's just a text file I keep appending to. And I write on it like 100 times a day. Like I think of something, and I write it there.
00:53:15
LonelySloth
And I have those things that are almost bugs mapped in different places. And as long as it's not exploitable, sometimes I think maybe I should report it, because, you know what, this is kind of a bug, but it's not a vulnerability. And if I report, I will not get paid and they will not fix it.
00:53:39
LonelySloth
So what's the point? So I just collect that information, and sometimes, very rarely, but sometimes, I can find how to exploit it, or I see something very similar somewhere else.
00:53:55
LonelySloth
And of course, for some projects, for the projects I am paying most attention to, I watch their GitHub, and for some projects, I review every single PR.
00:54:00
riptide
Thank you.
00:54:09
LonelySloth
So I'm pretty much like a part of the dev team. The only thing is I only get paid when I find stuff. But for some projects, I review every single PR.
00:54:23
LonelySloth
Yeah, some projects I review every governance proposal and stuff like that. So I think
00:54:35
LonelySloth
I think the most important thing is, and maybe that's the alpha, is
00:54:42
riptide
That's a good technique.
00:54:42
LonelySloth
Like, try to fully understand the thing, like you're part of a project, and not just part of a project. Like you're responsible for it, right? You know, every change in the code, you look, you get to this point where you understand.
00:55:08
LonelySloth
And if someone is trying to change some part of a system, you can take a look and quickly realize the implications. And try to get to this point in one project, and then try to get to this point in another one.
00:55:25
LonelySloth
And then don't overburden yourself with being an unpaid developer for everyone, but
00:55:33
riptide
A dev on commission.
00:55:35
LonelySloth
Yeah. But try to put yourself in that position. So if there's anything you don't understand, understand it. And think of like, what if those were my funds, and stuff like that? Because then you start being paranoid with small changes, and you see what's wrong with them.
00:56:03
riptide
Mm-hmm.
00:56:03
LonelySloth
A funny story is recently, this has happened to me multiple times. I watch PRs, and then you watch the PR lifecycle, and then the dev uploads the first version of the code and you take a quick look and, oh, this is so vulnerable.
00:56:24
LonelySloth
This is stealing TVL. Oh my God, this is awesome. I'm rich. I'm going to make millions of dollars. And then the PR sits there for a long time.
00:56:39
LonelySloth
And then someone reviews it and they, oh, it looks good to me. And oh, I'm going to make a million dollars here.
00:56:45
riptide
Oh shit, yeah.
00:56:47
LonelySloth
And then another one, looks good to me. And then it sits there for a couple of weeks. And then suddenly they fix the bug and merge. And then, oh, crap.
00:56:58
LonelySloth
OK. But sometimes they don't. Sometimes they merge. And a few times I had the POC ready. When they clicked release on that vulnerable code, I had the POC ready. I copy-pasted and submitted the bug report within minutes, and I got paid.
00:57:20
LonelySloth
Most often, they will fix it before. Sometimes there are paid auditors looking at the PRs, so they will catch it.
00:57:30
riptide
So you didn't even wait until it went on chain. You just said, as soon as they put it on.
00:57:33
LonelySloth
No. Well, this will depend a little bit.
00:57:35
riptide
Okay.
00:57:39
LonelySloth
I think the most, sometimes this is like, I keep thinking, what should I do? Because if it is live on chain, then maybe your payout will be bigger.
00:57:51
LonelySloth
If you wait for it to have more TVL, maybe your payout will be bigger. On the other hand, maybe it will be exploited. Your payout will be zero and the project will tank.
00:58:01
riptide
Mm-hmm.
00:58:01
LonelySloth
And then all the stuff you learned in the project is worth nothing. So I think the most responsible thing is to report as soon as possible.
00:58:13
LonelySloth
However, if you have a good expectation of getting paid. I don't recommend working for free. I think eventually you'll have to report, but especially if you've been burned in the project, then why bother?
00:58:33
riptide
Mm-hmm.
00:58:33
LonelySloth
ah

Community and Personal Reflections

00:58:35
LonelySloth
But then in some cases, it doesn't matter, because it's not like stealing TVL. It's a lower impact bug. Maybe it's still a critical or something, but it's going to pay not 10% of funds at risk. It's going to pay something smaller, but it's still a nice payout. And then you can just submit it as soon as it's in scope.
00:58:57
LonelySloth
And then it depends on the scope rules. Sometimes whatever is in a release branch is in scope. Sometimes that's not clear. Yeah.
00:59:10
riptide
Yeah, I've seen, I posted a tweet on this, I think a year ago, about that. Should I wait, you know, to see if it gets deployed, or wait for TVL? And the response was half and half. People were like, no, wait; no, no, no, report immediately.
00:59:21
riptide
So I agree. A lot of it depends. And I've seen guys not get paid out on the GitHub ones, because the guy said, hey, no, no, no, we weren't going to deploy that. You know, they can make any excuse they want to just, you know, blow you off.
00:59:33
LonelySloth
Yeah.
00:59:34
riptide
But yeah, it's up to you.
00:59:35
LonelySloth
I mean, if it is in a released code, I mean, this one was blockchain. ah So typically you get a release and it's tagged as release.
00:59:46
LonelySloth
And then you start talking to the community and people upgrade and stuff like that. So there's a little bit of time, but it's clearly during deployment, right?
00:59:58
riptide
It's out there. Yeah.
00:59:59
LonelySloth
It's out there.
00:59:59
riptide
Yeah.
01:00:00
LonelySloth
It's really the production domain, I think.
01:00:04
riptide
And that's a big save.
01:00:04
LonelySloth
ah
01:00:05
riptide
Yeah. If you say, hey, this is going out to release. People are going to upgrade their nodes. And you're like, whoa, whoa, whoa. Hold on. You know, I got this ahead of time. I think that's totally valid.
01:00:15
LonelySloth
Yeah. But yeah, well, back in 2019, I watched one for a year.
01:00:25
riptide
LonelySloth watching from the tree.
01:00:27
LonelySloth
And then it got fixed the last minute. And I was so depressed because it was going to be like a huge payout.
01:00:30
riptide
ah
01:00:33
LonelySloth
And yeah.
01:00:35
riptide
ah The universe rugged you.
01:00:37
LonelySloth
Yeah. And that's.
01:00:38
riptide
Well, Mr. Sloth, let's do some questions, because I got a lot of feedback, if you're cool with that.
01:00:42
LonelySloth
Sure.
01:00:45
riptide
And I want to start with the funniest one. This guy from the Discord, New Op Dam, he says, why did you choose this planet? Because you see some potential in us and want to analyze our behavior.
01:00:59
riptide
And to not get bored, you decided to interact with our current technologies. And meanwhile, you made some millions of dollars.
01:01:07
riptide
You're viewed... Did you ever, you know, it's like you're a superstar. Like anyone who's on this Immunefi leaderboard, you know, shout out to Mitchell, it's a great idea. It's like you're a nerd superstar and guys see it. Guys are like, oh my God.
01:01:22
riptide
And guys like you, you're hitting million dollar bounties. They're like, what the fuck? Who is this guy? Like, what do you even say to this?
01:01:30
LonelySloth
This is kind of crazy. I mean, this whole kind of celebrity life.
01:01:37
riptide
It's crazy.
01:01:38
LonelySloth
It's crazy. It's kind of weird, because I know, in my life, in my real life, nobody knows shit about this. My friends, it's just, what do you do? I work with cybersecurity, and that's it.
01:01:49
LonelySloth
Oh, nice. Yeah. Good. Good for you.
01:01:54
riptide
Well, at some point you decided to up your profile, because you used to be Lou cash dev. And then you're like, you know what I need?
01:02:00
LonelySloth
Yeah, so,
01:02:02
riptide
What's this identity you came up with?
01:02:04
LonelySloth
Oh, this is basically, at some point Immunefi had an ID that was just my email, and then Immunefi at some point decided that people should get proper usernames, codenames, or whatever, and then they randomly generated one for everyone, and then you can change it.
01:02:25
LonelySloth
And mine was LonelySloth1234 something, some random number. And I thought, oh, this is funny. But this number looks weird. So I just removed the numbers, and that's it.
01:02:37
LonelySloth
And then I became LonelySloth. And after a while,
01:02:40
riptide
Your whole persona now is LonelySloth.
01:02:42
LonelySloth
yeah
01:02:43
riptide
Totally random.
01:02:45
LonelySloth
And after a while, they launched something in, I don't remember what. And they said, oh, please share on Twitter. And I said, I don't have a Twitter.
01:02:58
LonelySloth
Okay, then let's create a Twitter. And then I created the LonelySloth Twitter slash X persona. And that's it. And that's the start of LonelySloth. And then I went to some AI and generated some pictures, because, oh, I generated a picture of a hacker called LonelySloth.
01:03:16
LonelySloth
And then, of course, it's a sloth wearing a hoodie. Yeah.
01:03:22
riptide
I love it, man. I think the community loves it too. You've somehow created this.
01:03:26
LonelySloth
It's funny.
01:03:27
riptide
Yeah. It's fucking funny.
01:03:29
LonelySloth
And I have a collection of sloths now.
01:03:29
riptide
Uh,
01:03:32
LonelySloth
sloths now
01:03:33
riptide
Of course. All right. Next one here is from this guy called Chibum. He says, you're one of the few who found bugs in ZK. Do you specifically target such bugs? If so, how?
01:03:46
riptide
And how do you think the industry is getting better? And should those be harder to find in the future, regarding ZK bugs?
01:03:54
LonelySloth
So I do specifically target those. Maybe not as much right now as I used to back in 2023, early 2024.
01:04:04
riptide
Thank you.
01:04:04
LonelySloth
Just because, as I was explaining, there aren't that many bug bounty programs that would pay seven figures or whatever.
01:04:16
LonelySloth
So I do look for that, but not as much. I think it's not like the hottest thing right now, but maybe it will be again. I don't know.
01:04:29
LonelySloth
It's just, I think it's super interesting. And as a technology, I think it's going to find lots of use cases, even outside of DeFi or crypto.
01:04:41
riptide
Yeah.
01:04:46
LonelySloth
I think it's an amazing tech. So I think it's something very interesting to learn.
01:04:52
riptide
yeah
01:04:52
LonelySloth
And you should always try to learn things that you find interesting because you're going to be looking at that shit for hours and hours and hours.
01:05:00
riptide
Yeah, what once was theoretical and just on a white paper, I think back in the 70s, is now in practice being used.
01:05:01
LonelySloth
so
01:05:05
LonelySloth
Yeah.
01:05:09
riptide
And it is cool. You got to have that curiosity or else you just won't do it.
01:05:12
LonelySloth
Yeah.
01:05:15
riptide
All right, we got a question from AV. He says, how does Mr. Sloth approach learning a new topic, like ZK, Rust, etc.? Do you read the docs, experiment? How do you start searching for bugs with regard to a whole new subject matter that you're learning?
01:05:30
LonelySloth
So my, I first look, the code is the starting point and the end point, always. So sometimes I will start looking into a technology because of a write-up, and it gives just some level of explanation, and then I understand a little bit, and that's enough to start looking at the code and understanding something.
01:05:55
LonelySloth
And then I would just look at one piece of code and try to understand it. Then I'll have a bunch of questions, and I will Google around and look at more code and maybe look at documentation.
01:06:03
riptide
Thank you.
01:06:07
LonelySloth
For ZK, there weren't that many great resources back then, back in 2023. So I looked at lots of code. It probably took me like a couple months of full-time research into a single ZK code base before I could even feel like I could find something that classified as a bug.
01:06:35
LonelySloth
But these days, there are lots of resources. But my approach is basically I look at the code, because then you find stuff, you understand stuff that isn't even in documentation, or maybe it's wrong in documentation.
01:06:53
LonelySloth
So yeah, the source of truth is always the code, and that must be the starting and the end point. And you look at other stuff to help you understand the code, but that's how I approach it.
01:07:06
riptide
Do you have any favorite tools that you're using? Like, I think you mentioned you were using LLMs to kind of help you understand things, which I think a lot of people do now. Has that become part of your workflow?
01:07:16
LonelySloth
Yeah, it has become sort of part of it. Sometimes I get pissed at the LLM, and I don't know if I'm wasting my time with them, because the general ideas, it usually gets right.
01:07:31
LonelySloth
Simple POCs or simple scripts, it usually is good at generating. When you ask for very specific details, often it will just hallucinate whatever sounds more plausible.
01:07:45
riptide
um
01:07:46
LonelySloth
And just affirm that with 100% certainty: this is like that. And even argue with you if you try to convince it otherwise.
01:07:57
riptide
yeah
01:07:57
LonelySloth
So, and then there's this other thing that's, well, as a hacker sort of guy, I just end up spending a lot of time trying to break the LLM and trying to convince it of weird stuff. And it's, yeah, it's kind of a waste of time.
01:08:17
LonelySloth
Or just being amazed at what it's doing and trying to understand, right?
01:08:18
riptide
Yeah, definitely.
01:08:22
riptide
yeah
01:08:23
LonelySloth
But for general questions, writing simple scripts, simple POCs, getting started with something, it's really, really good. It really speeds things up.
01:08:37
LonelySloth
yeah
01:08:37
riptide
Yeah, definitely.
01:08:37
LonelySloth
Yesterday, I did several iterations of a script, and I could have written it myself. It would have taken me a couple hours, at least.
01:08:48
LonelySloth
And I probably would be too lazy to do that. I would just, oh, no, I would just check manually, whatever. And it generated several iterations for me in 15 minutes.
01:08:57
riptide
Yeah.
01:08:58
LonelySloth
So...
01:09:01
riptide
Yeah. Great tool to use. Great, definite tool to add to the workflow. Even if it pisses you off and it takes iterations, it's still a time saver for the most part.
01:09:07
LonelySloth
Yeah.
01:09:10
LonelySloth
But you can never completely trust it. That's the important thing.
01:09:13
riptide
No.
01:09:14
LonelySloth
Just like you can't trust the developers, you can't trust the documentation, you can't trust the LLM.
01:09:19
riptide
That's right. Or comments. Yeah.
01:09:21
LonelySloth
Yeah.
01:09:21
riptide
Don't listen to them. All right. We have another one. We have quite a few. I'll prune some of these. M5143R, he's got a bunch, so I'll just ask a few of these. So how do your big wins feel after you've had so many? Like, in bounty hunting, that's your highs and lows, and you just got a big high. How does it feel? Does it still hit the right receptors?
01:09:50
LonelySloth
It's weird. It's different throughout the years. The first six-figure bounty felt absolutely amazing. I felt like, yeah, that's it.
01:10:05
LonelySloth
I'm rich now. I have all the money I want. I will never spend that much money. And of course I spent it.
01:10:11
riptide
And then you hit the club and then it was gone.
01:10:14
LonelySloth
And you buy a ticket and you book a hotel and you go to a restaurant, and then you see the bill. And then it's actually very easy to spend money.
01:10:23
riptide
Mm-hmm. Mm-hmm.
01:10:23
LonelySloth
But, and then, more than that, you feel super validated, right? Because it's, well, that's for you.
01:10:34
LonelySloth
People don't give that sort of money for nothing. I did something important, valuable, hard to do, and that's why I got paid. And then you would go through a low, and then when you find another one, it's like, oh, okay.
01:10:52
LonelySloth
Yeah, I'm still the guy. I can do that. But this last one, I didn't feel as excited as I thought I would about the money.
01:11:04
LonelySloth
I... For starters, I am very, very skeptical at this point because I was burned so many times.
01:11:12
riptide
Yep. Yep.
01:11:13
LonelySloth
So I don't believe the money is there until I see it. They might say, I'm going to pay you a billion dollars. I don't believe it.
01:11:21
riptide
No, yeah.
01:11:21
LonelySloth
I got to say a thousand dollars, I don't believe it until I'm actually paid. And sometimes I kind of try to desensitize myself, not to get too excited, because shit happens.

Advice for Aspiring Bounty Hunters

01:11:37
LonelySloth
But what was more exciting and more interesting was just the technical achievement and the recognition, because this one got me a level of recognition, and lots of people asking questions and liking my posts and retweeting and stuff like that.
01:11:58
LonelySloth
And yeah, it felt different. And I wasn't very sociable, I mean online, for a long time, when I found other stuff. And this time, I actually now know a few SRs that I actually talked to.
01:12:15
LonelySloth
So they all went to congratulate me. It's a very nice sensation, right? It was a great feeling of like, I'm doing something important here. It's more than the money itself. Yeah.
01:12:30
riptide
Yeah, you're more public now. You're joining the SR community.
01:12:34
LonelySloth
Yeah.
01:12:36
riptide
Just waiting to see you in the Discord, by the way, where we all talk about you all the time.
01:12:43
riptide
But yeah, that's cool. It's good to see you out more public, man.
01:12:48
LonelySloth
Yeah, it's good to be there. I mean, I was very, like, shy and reluctant to start being more public. But yeah, I'm happy I'm doing this.
01:13:03
LonelySloth
It's like that. It feels like war. No, you feel less lonely.
01:13:09
riptide
Yeah, yeah.
01:13:09
LonelySloth
It's nice. It's nice getting this recognition.
01:13:15
riptide
Yeah, it feels good. It feels good.
01:13:17
LonelySloth
I love the big payout as well. I just want to be clear. I love money. And I think money is a great thing. And I think everybody should like money and work for it. But yeah.
01:13:29
riptide
And let me throw a quick analogy. So if anyone hasn't hit a big bug yet, what he's talking about, like, you got to just pretend the money's not there, just play it cool. This is like, because it's all guys listening, right? So this is when you go out with that hot chick and she's like a 10 out of 10, but you can't show your cards.
01:13:48
riptide
So you got to just play it cool. You can't think about what's going to happen later that night. You just play it cool. Don't think about the final event. Just play cool, play it cool until, you know, the clothes are off.
01:14:00
riptide
Then you can think about the same thing.
01:14:03
LonelySloth
Yeah, but it's hard. And I think it's harder because sometimes it's a very long time, right? Sometimes it's months.
01:14:11
riptide
Yeah.
01:14:13
LonelySloth
And it's her life. It's like a very hot chick, if you are completely in love with her, because it's something that's going to be...
01:14:24
riptide
You're obsessed.
01:14:25
LonelySloth
You're obsessed because it's going to be important in your life, right?
01:14:28
riptide
Yeah.
01:14:29
LonelySloth
Maybe today, if it's like 10K, I'm not obsessed with it. I will just forget about it, and then I get paid. If it's 100K, 500K, a million dollars, it's impossible. You keep thinking about that. You try to control yourself, but you think,
01:14:46
LonelySloth
And if it's paid in tokens, then you keep looking at the price of the token. And yeah, you can't ignore it.
01:14:52
riptide
You can't ignore it.
01:14:55
LonelySloth
You try to focus on other things in life, but it's hard. It's a good problem to have. But like,
01:15:02
riptide
That's a good prompt. You had this great quote on your HackerOne profile. It was a Latin phrase, and it translated to "stronger from wounds."
01:15:14
LonelySloth
Yeah, yeah, I use that.
01:15:14
riptide
I love that.
01:15:15
LonelySloth
I think I used that for my, like, I tried to use that for my username, I think. I thought of starting a company with the name.
01:15:25
LonelySloth
And then I...
01:15:27
riptide
After getting rugged so many times, wounding you, you're getting stronger.
01:15:28
LonelySloth
Then I completely forgot about it. I never used that phrase again. And my HackerOne profile was very inactive for a long time. And yeah, after Immunefi, I never looked back.
01:15:42
LonelySloth
And then only recently, I submitted a few there.
01:15:45
riptide
Yeah. All right. So, you know, a lot of these questions center around the same kind of topic, and it's the same thing that I get reached out to on and what's in the Discord.
01:15:57
riptide
It's new guys coming in and they're ambitious, and everyone kind of has the same thing. Like, they might listen to this podcast because they want to know, like, your secret and everyone's secret. Like, how the fuck is this guy dominating the space?
01:16:11
riptide
And everyone's got a different approach. And, you know, I don't think you have any big secret other than being curious and just being dedicated and sticking to it and reading the code.
01:16:25
riptide
But what do you think? Because these are all centering around, like, you know, what do you see as the potential for noobs to get up in here?
01:16:32
riptide
And, like, you know, how do you get after it? And, like, you know what I mean?
01:16:37
LonelySloth
I mean, yeah, I think a lot of that is like when you buy a book about, I don't know, Steve Jobs, Elon Musk, or Warren Buffett, and how do I get rich and successful and start a big company or do things like this guy?
01:16:52
riptide
Bye.
01:16:54
LonelySloth
And there are lessons there, but I'm not comparing myself to them. I'm not saying I'm on that level. I mean, you look at someone that's successful, and the reality is, if you try to copy that, it's not going to be exactly the same.
01:17:13
LonelySloth
You kind of have to find your way. But at the same time, I think the most important thing in whatever you're trying to do in your life, anything, is consistent effort.
01:17:24
LonelySloth
Just keep doing it and try very hard, and try again and again and again and again and again and again and again.
01:17:24
riptide
Mm-hmm. Mm-hmm.
01:17:30
LonelySloth
Again. I've been working in software for a couple of decades, and like, I didn't expect to have success like this, this late in my life. So it's not like... at the same time, there are people who just started and are doing amazing. So that's it. If it doesn't work the first time, try the second, try the third, the fourth. Try intentionally, try to learn what you did that...
01:18:05
LonelySloth
Not like kicking yourself, but like just learning stuff. Not, oh my God, I did it all wrong. No, just, what can I do differently?
01:18:14
riptide
Agreed. Agreed.
01:18:16
LonelySloth
Is there a different way I can try? But I think consistent effort is the key to pretty much everything, like any sort of success in any field.
01:18:25
riptide
Agreed.
01:18:27
riptide
Agreed.
01:18:28
LonelySloth
It's more important than natural-born talent or even luck. You always need a little bit of luck. But if you try enough times, luck becomes much easier.
01:18:42
riptide
Yeah. And in this day and age of five-second attention spans and swiping and everything's quick and fast money, I'll tell you this: nothing good comes easy.
01:18:53
riptide
Nothing worth doing is going to come easy.
01:18:54
LonelySloth
Yeah.
01:18:56
riptide
There's outliers, of course. However, just expect to put the work in. If you put the work in, I'm confident you'll see results. That's what I'm talking about.
01:19:09
LonelySloth
Yeah, that's pretty much it.
01:19:11
riptide
Yeah. Well, big Mr. Sloth, we are deep in an hour and 20 minutes. You're the longest guest so far.
01:19:20
LonelySloth
Oh my gosh.

Conclusion and Community Invitation

01:19:22
LonelySloth
Because I'm a sloth, I'm very sloth.
01:19:22
riptide
Let's...
01:19:24
riptide
Oh, it was a pleasure having you on, man.
01:19:25
LonelySloth
I need my time.
01:19:27
riptide
This is great. This is a very sought-after pod. So we'll see if you can beat the viewer metrics. My other top guy was my first guest, Dead Roses. And I think he got all the Bulgarians to watch the video all at once. So he pumped up the stats.
01:19:43
riptide
Who knows, man? But hey, thank you for coming on. It's been a pleasure.
01:19:46
LonelySloth
Thank you.
01:19:47
riptide
Everyone, check out the Linktree, Bounty Hunters Discord, all the deals. getrecon.xyz forward slash Riptide. RareSkills. Get some skills up in there.
01:19:58
riptide
And we will see you next time on the blockchain.