OPS· G7· 2026-06-10· NEW FINDING: COMPOSITE IDENTITY TOKEN THEFT VIA setup_script (CVSS 8.4 HIGH) · 6 GITLAB REPORTS TOTAL

58 campaigns hunting smart contract bugs. Here's what it actually paid.

I built a pipeline that audits DeFi protocols on its own, then ran it hard. 58 campaigns, 673K lines of code, $11B in total value across the targets. It works, and it finds real bugs. After all of that the realized smart contract payout sits at $0, with expected value across every open submission landing somewhere near $16K to $24K, none of it banked yet. The reason isn't the tech. Stable, audited code mostly hands you duplicates of bugs that paid researchers already filed, and by the time you show up the fix has shipped. This site is the open record of that grind. Every campaign, every cost, and the few findings still live. If you want the honest economics of systematic white hat work before you commit a year to it, start here.

Live Portfolio · 15 Active Submissions · 4 Channels · 6 GitLab Reports Total · NEW: setup_script Token Theft (CVSS 8.4)
Last update 2026-06-10 · G7: NEW FINDING (CVSS 8.4 setup_script token theft) · CI Expert Agent KILLED (chat-only) · 3 prior reports awaiting response
[x] REJECTED Submitted 2026-05-28 · Rejected 2026-05-29
yRoboTreasury · Factory.call()
Sherlock #30 · Privilege Escalation · High
Rejected: "All governance roles in Yearn code are trusted." Operator = trusted governance role despite being a separate 2-of-4 multisig with 0 signer overlap. The vulnerability was real (PoC: 100K DAI stolen) but excluded by policy. $250 USDC stake refunded.
Refunded $250 · EV $0 · P(accept) 0% · Rejected
● REPORT READY Found Jun 10 (G7) · Report written · Pending email to security@gitlab.com
GitLab · Composite Identity Token Theft via setup_script
Email to security@gitlab.com · High (8.4) · Maintainer steals victim's OAuth token via agent-config.yml
REPORT READY · PENDING EMAIL. 3-step exploit chain: (1) Attacker (Maintainer) adds a malicious setup_script to .gitlab/duo/agent-config.yml that exfiltrates $GITLAB_OAUTH_TOKEN via curl. (2) Victim triggers ANY Duo workflow (Fix Pipeline, Code Review, Developer, etc.). (3) setup_script executes OUTSIDE the SRT sandbox with access to the victim's composite identity token (1hr lifetime, instance-wide scope). Root causes: setup_script runs before the sandbox boundary in start_workflow_service.rb, tokens exposed as CI env vars (5 variable names), no content validation in the JSON schema or config parser. Affects ALL 8 foundational flows with pre_approved_agent_privileges. Deterministic exploit · no LLM behavior dependency.
CVSS High 8.4 · EV (50%) $3K–$7.5K · P(bounty) 50% · Email pending
SUBMITTED Emailed Jun 10 via Gmail · security@gitlab.com · Prior Jun 3 Mail.app attempt FAILED (SMTP auth:none)
GitLab · MCP OAuth Dynamic Registration + Scope Abuse
Email to security@gitlab.com · High (7.1) · Unauthenticated OAuth App → Confidential Issue + Pipeline Deletion
EMAILED VIA GMAIL (Jun 10). Prior Jun 3 attempt via Mail.app was NEVER DELIVERED (SMTP auth:none on smtp.gmail.com). Re-sent via Gmail web on Jun 10 · confirmed in Gmail Sent folder. H1 submission blocked by Signal Requirement. Full attack chain: (1) unauthenticated POST /oauth/register creates OAuth app (2) cloud metadata IP 169.254.169.254 accepted as redirect URI (3) PKCE flow completes to MCP-scoped token (4) token reads confidential issues with secrets from 2 projects (5) pipeline deletion HTTP 204 (6) issue creation HTTP 201. Note: unauthenticated registration is intended per RFC 7591; the bugs are: cloud metadata redirect acceptance, inadequate consent warnings, overly broad MCP scope for unverified dynamic apps.
CVSS High 7.1 · EV (45%) $2.5K–$5K · P(bounty) 45% · Gmail Jun 10
SUBMITTED Emailed Jun 10 via Gmail · security@gitlab.com · Confirmed in Sent
GitLab · MCP Server SSRF via OAuth token_endpoint + IDOR
Email to security@gitlab.com · Medium (5.4-6.9) · OAuth2 gem bypasses Gitlab::HTTP SSRF protections + cross-org access
EMAILED VIA GMAIL (Jun 10). Two bugs in MCP Server OAuth flow: (1) SSRF: CallbackService passes attacker-controlled token_endpoint from OAuth metadata to OAuth2::Client (Faraday), bypassing Gitlab::HTTP/UrlBlocker SSRF protections. Also confirmed in RefreshTokenService (same pattern). Requires admin/org_owner to create MCP server. (2) IDOR: McpServer.find(params[:id]) in mcp_connectors_auth_controller uses global find without org scoping · any org user can interact with other orgs' MCP servers. Awaiting response.
CVSS Med 5.4-6.9 · EV (50%) $750–$1.5K · P(bounty) 50% · Gmail Jun 10
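Added example, not GitLab's code and not the reporter's PoC: the host check that the MCP OAuth Dynamic Registration finding (cloud metadata IP accepted as redirect URI) and the MCP SSRF finding (token_endpoint handed straight to the OAuth2 gem) both say is missing. It applies the same rule to a client-supplied redirect_uri and to a token_endpoint read from fetched OAuth metadata, using Ruby stdlib only; the resolver is injectable, and the offline resolver table and its hostnames are constructed for the demo.

```ruby
require 'uri'
require 'ipaddr'
require 'resolv'

# Rejects any URL whose host is, or resolves to, a non-public address:
# loopback, link-local (169.254.0.0/16 covers the cloud metadata endpoint),
# RFC 1918 / fc00::/7 private ranges, or the unspecified address.
# Intended for both OAuth redirect_uri values and token_endpoint values
# taken from authorization-server metadata before any outbound request.
module OutboundUrlCheck
  ALLOWED_SCHEMES = %w[https http].freeze

  class Rejected < StandardError; end

  # Constructed offline resolver for the demo and test (hostnames are made up).
  OFFLINE_RESOLVER = lambda do |host|
    {
      'idp.example'       => ['203.0.113.10'],       # public documentation range
      'metadata.internal' => ['169.254.169.254'],    # resolves to the metadata IP
      'mapped.internal'   => ['::ffff:10.0.0.5']     # IPv4-mapped private address
    }.fetch(host, [])
  end

  # Returns the resolved IPAddr objects (all public) or raises Rejected.
  # Caveat: a real client must also connect to the address validated here
  # rather than re-resolving, or DNS rebinding can undo the check.
  def self.check!(url, resolver: ->(host) { Resolv.getaddresses(host) })
    uri = URI.parse(url.to_s)
    raise Rejected, "scheme not allowed: #{uri.scheme.inspect}" unless ALLOWED_SCHEMES.include?(uri.scheme)
    raise Rejected, 'missing host' if uri.hostname.nil? || uri.hostname.empty?
    raise Rejected, 'userinfo not allowed' if uri.userinfo

    host = uri.hostname # URI#hostname strips IPv6 brackets
    addresses = literal_ip?(host) ? [host] : resolver.call(host)
    raise Rejected, "unresolvable host: #{host}" if addresses.empty?

    addresses.map do |addr|
      ip = IPAddr.new(addr)
      ip = ip.native if ip.ipv4_mapped? # ::ffff:10.0.0.5 -> 10.0.0.5
      reason = non_public_reason(ip)
      raise Rejected, "#{host} resolves to #{ip} (#{reason})" if reason
      ip
    end
  end

  def self.literal_ip?(host)
    IPAddr.new(host)
    true
  rescue IPAddr::InvalidAddressError
    false
  end

  def self.non_public_reason(ip)
    return 'loopback'    if ip.loopback?
    return 'link-local'  if ip.link_local?
    return 'private'     if ip.private?
    return 'unspecified' if ip == IPAddr.new('0.0.0.0') || ip == IPAddr.new('::')
    nil
  end

  # Boolean convenience wrapper: true only when every resolved address is public.
  def self.safe?(url, **opts)
    check!(url, **opts)
    true
  rescue Rejected, URI::InvalidURIError
    false
  end
end

if __FILE__ == $PROGRAM_NAME
  [
    'https://idp.example/oauth/token',            # accepted
    'https://169.254.169.254/latest/meta-data/',  # rejected: link-local literal
    'https://metadata.internal/callback',         # rejected: resolves to metadata IP
    'https://mapped.internal/token',              # rejected: IPv4-mapped private
    'http://127.0.0.1:8080/'                      # rejected: loopback
  ].each do |u|
    puts "#{u} -> #{OutboundUrlCheck.safe?(u, resolver: OutboundUrlCheck::OFFLINE_RESOLVER)}"
  end
end
```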
● RESUBMITTED Closed N/A Jun 2 · Resubmitted Jun 2 · Follow-up posted Jun 10
GitLab #3755172 · Privilege Escalation via Custom AI Agent
HackerOne · High (8.8) · Unsanitized System Prompt + Auto-Approved Max Privileges
FOLLOW-UP POSTED (Jun 10). Report closed N/A by h1_analyst_vegeta (Jun 2) with boilerplate "missing PoC." Resubmitted same day with 32 screenshots + video + evidence report · 8 days no response. Follow-up comment posted Jun 10 emphasizing all requested artifacts were already provided, requesting reopen for GitLab technical review. 5-step attack chain proven on GitLab EE 19.0.1: (1) injected system prompt stored with zero sanitization, (2) agent enabled in UI, (3) all 6 agent privileges pre-approved (headless), (4) composite identity token issued with user:1 scope, (5) malicious OAuth app created with api+sudo+admin_mode scopes. CVE-verified NOVEL. Next: Request Mediation if no response by Jun 13.
CVSS High 8.8 · EV (40%) $5,790 · P(bounty) 40% · Review pending
● RESUBMITTED Closed N/A Jun 2 · Resubmitted Jun 2 · Follow-up posted Jun 10
GitLab #3755989 · Stored XSS via .html_safe
HackerOne · High (7.3) · AI-Generated Vulnerability Resolution MR
FOLLOW-UP POSTED (Jun 10). Report closed N/A by h1_analyst_vegeta (Jun 2) with identical boilerplate "missing PoC." Resubmitted same day with full evidence (screenshots 24-26 showing XSS payload in MR, raw API response confirming unsanitized storage) · 8 days no response. Follow-up comment posted Jun 10 emphasizing `.html_safe` on AI-generated content removes Rails primary XSS defense. CVE-verified NOVEL. Next: Request Mediation if no response by Jun 13.
CVSS High 7.3 · EV (30%) $1,974 · P(bounty) 30% · Review pending
● 9 SUBMISSIONS 2026-05-09 to 05-18 · user: theluckystrike
Huntr AI/ML Portfolio · 5 Bounty-Eligible
AI/ML Security · GGUF $4K + Keras $4K + ExecuTorch $1.5K + PMML $1.5K + Keras Lambda $1K
5 bounty-eligible: GGUF memory exhaustion ($4K), Keras safe_mode bypass ($4K), ExecuTorch integer overflow ($1.5K), PMML RCE via exec() ($1.5K), Keras Lambda RCE ($750-$1050). 4 at $0 bounty: LocalAI SSTI, NLTK SSRF, Aim RCE, KServe cmd injection.
Reports 9 · EV (5 bounty) $11.75K – $12K · Hist. Hit Rate 33% · Est. Timeline ~30d
◔ JUDGING 2026-05-13 · 19d ago
K2 TP-6 · claim_all_rewards
C4 Audit · Phantom Reward · Medium · $135K pool
balance_snapshot phantom reward extraction. Separate from V12 OOS finding. Contest ended May 27. C4 platform operational (NOT shut down). Awaiting judging.
Stake none · EV $250 – $500 · P(valid M) 35% · ~41d → Jul 12
✕ DEAD 2026-05-14 · Confirmed dead May 28
Renegade · Auth Bypass
C4 Bounty · DEAD · 79/79 rejected
C4 shut down May 13. 79/79 submissions ALL rejected as unsatisfactory/insufficient. Repo frozen 38 days since April 20. Our May 14 submission was never processed. $25 lost.
Lost $25 · EV $0 · P(accept) 0% · Dead
Portfolio EV $22.8K – $25.3K · Confirmed Earnings $0 · Capital At Risk $0 (refunded) · DeepSeek Balance $12.21
  • Active Submissions: 15
  • Confirmed Earnings: $0
  • Honest EV (4 channels): $16K–$24K
  • Channels Active (H1+Huntr+C4+Email): 4
  • Raw Findings Processed: 77K+
  • Campaigns Complete: 58
  • TVL Scanned (PM1 + SY Farm): $11B+
  • Protocols + Wrappers Killed: 56+18

01 Conversion Funnel · 77K Raw → 0 Escalated

  • 01 Raw Findings: 77,000+
  • 02 PM1 Candidates: 43+
  • 03 Gate-Checked: 10
  • 04 Submitted: 5
  • 05 Escalated: 0

CONVERSION 0.000% · 58 CAMPAIGNS · 77K+ FINDINGS · 5 SC SUBMITTED + 3 GitLab EMAILED · 0 PAID

02 Cumulative Spend vs. Confirmed Earnings · C7 → C58 · ALL CAMPAIGNS

[Chart: cumulative USD, DeepSeek + Opus model spend (excl. $490 compute), C10 through C54. Series: cumulative spend ($176) vs. confirmed earnings ($0). Annotations: C27–C28, 40 Opus agents, $70 spent, 0 payable findings; C35, final Opus push, $70, 0 payable, STOP OPUS SCANNING; C49–C54, sentinel + long tail, $0.50 spend, ALL TIERS EXHAUSTED.]

Model Spend $175.35 · Compute $490 · Confirmed Earnings $0.00 · Live EV Range $13K – $19K

03 Active Alerts · 2026-06-03

H1 signal block, MCP OAuth emailed directly (Jun 3). HackerOne blocked the submission on the Signal Requirement: "You have exhausted all your trial reports." The prior N/A closures (#3755172, #3755989) tanked the Signal score. The H1 form was 100% filled (title, body, CVSS 7.1, weakness CWE-862, 5 files uploaded to S3) but the modal rejected the submit. The workaround was to email the full report directly to security@gitlab.com; GitLab's security page explicitly accepts email reports. H1 Support was contacted in parallel for credit restoration. One catch: the trial license expires Jul 2, and H1 trial reports regenerate in 30 days, on Jul 3. One day too late. Email was the only viable path.
GitLab PoC complete (Jun 2). Both exploits ran end to end on GitLab EE 19.0.1 Docker. On #3755172, the full 5-step chain fired: injected system prompt → agent enabled → 6 privileges pre-approved → composite identity token (user:1 scope) → malicious OAuth app (api+sudo+admin_mode, trusted=true). On #3755989, merge request 1 was created with an XSS payload via .html_safe, and the raw API confirms <script> stored unsanitized. 32 screenshots, video, and Rails console output. Ready to resubmit.
H1 GitLab both resubmitted (Jun 3). Both reports (#3755172 + #3755989) went back with full local Docker PoC evidence, 36+ screenshots, a video recording, and an evidence report. GitLab EE 19.0.1 (Docker, self-managed) with Ultimate trial plus Duo Enterprise. The 5-step agent injection chain and the stored XSS via .html_safe both showed live. Awaiting H1 analyst re-review. Combined EV: $7,764.
Portfolio audit (Jun 1). Full submission inventory via AppleScript browser scrape turned up 12 active submissions across 3 platforms. HackerOne GitLab: 2 reports (#3755172 High 8.8 passed preliminary review, #3755989 High 7.3 awaiting triage). Huntr: 9 submissions, 5 bounty-eligible up to $12K (GGUF $4K, Keras safe_mode $4K, ExecuTorch $1.5K, PMML $1.5K, Keras Lambda $1K). K2 C4 is judging ($135K pool, C4 platform operational). Portfolio EV revised to $20K-$35.5K, up from $250-$500 when only K2 was tracked.
C54 all tiers exhausted (May 31). The long tail thesis is disproven. 278 Immunefi programs → 33 ($10K-$100K) → 1 survivor (MUX v3, $100K) → 2826 lines read closely → ALL fund-flow role-gated → 0 findings. Top tier (fortress, C46), mid tier (3-30 audits, C48-C51), long tail (stale/audited, C54), every targeting strategy is now exhausted. Only remaining vector: genuinely new 0-audit protocol launches. Pipeline status is complete. Sentinels run $0.50/week on autopilot.
C53 sentinel and API validation (May 31). 258 repos, 7 sol hits, all speed-killed. The "0 audit" hot targets were all fortress: LayerZero (15+), Spark (16+), Kamino (18+), Chainlink (50+). The Immunefi API audit field is 100% unreliable across 10+ protocols. Immunefi Q1 2026: $7.87M paid (228% up). Sherlock ARC-41 ($155K) was a 2024 contest, not 2026, so it got removed (C56).
C51 composability scan dead (May 30). The cross-protocol composability pivot ran Fluid ($500K, 15+ oracle files read, 7+ audits → KILL), 0x Settler ($1M, 9 audits, 5-6 firms → KILL), Gearbox ($200K, 30 audits = most audited in pipeline history → KILL). C50 sourcing agents underreported audit counts 100%: Fluid "1 audit" = 7+, 0x "no audits" = 9, Gearbox unreported = 30. The lesson stands. Composability is a valid attack angle but every top target is fortress-tier, and sourcing-agent audit-count claims are completely unreliable.
C49 PM1 kills (May 30). Hooker.vy (Curve burners): production deploy.py uses COMPLETE foreplay calldata and the EVM ignores appended data, so it's not exploitable. ConvexCore.sol: arbitrary .call() gated by onlyOperator, Cardinal Rule 9. Morpho Midnight: minimal scope, all known patterns. 3/3 killed.
C48 dead (May 30). 40 agents, 2 targets, 786 raw findings, 9/9 PM1 kills, $0.59 cost. Ostium Protocol ($200K, Arbitrum): 4/4 killed, it uses Chainlink Data Streams (not AggregatorV3) and all callbacks check price ≤ 0. Silo Finance v3 ($100K, Sonic): 5/5 killed, onFlashLoan has lender validation, certora/mutants/ contaminated 3 findings, GeneralSwapModule is stateless by design. FP Rules #33-34 added (CHAINLINK_DATA_STREAMS_NOT_AGGREGATOR + CERTORA_MUTANT_CONTAMINATION). certora/ and mutations/ added to skip_dirs. The methodology is conclusively disproven across 54 campaigns and 77K+ findings with zero payable results.
yRoboTreasury rejected (May 29). "All governance roles in Yearn code are trusted." The operator counted as a trusted governance role despite being a separate 2-of-4 multisig with 0 signer overlap. The vulnerability was real (PoC: 100K DAI) but excluded by policy. $250 USDC refunded. The lesson: the "trusted role" exclusion is universal across mature DeFi bounties. Cardinal Rule 5 is needed: a finding must not involve any named role acting maliciously.
C46 close read. Sky ($10M) and Stargate ($10M) are a permanent kill. $10M bounties are fortress-tier. Target queue empty.
K2 TP-6 C4 Medium submitted. claim_all_rewards balance_snapshot phantom reward extraction. Contest ended May 27. Awaiting judging. EV: $250-$500.
Renegade is dead. C4 shut down May 13. 79/79 submissions all rejected as unsatisfactory or insufficient quality. Repo frozen 38 days since April 20. Our May 14 submission was never processed. $25 lost.
C45 platform status. 0 new programs across all platforms (14+ day drought). Immunefi 279, Sherlock 31, Cantina 10. The C4-to-Immunefi migration is confirmed but there are 0 new 0-audit targets. Kelp DAO CCIP contracts aren't in bounty scope yet (post-$292M exploit, migrating to Chainlink CCIP).
C42: yRoboTreasury plus Veda deep analysis ($0). Factory.call() Critical found. Veda uint128 truncation killed (unreachable, vault-favorable). Phoenix permanent kill ($0 TVL). SmarDex kill (7 audits). 23 kills in C41-C42 combined.
Immunefi API audit count is useless. C40-C41 verified it: Ondo (API: 1, real: 21), Felix (API: 0, real: 17+), Gains (API: 0, real: 10+), Nucleus (API: 0, real: 18+). Always verify manually.

04 Submission Portfolio · 14 Active · 20 Dead

Target · Platform · Severity · Status · EV
yRoboTreasury Factory.call() Sherlock #30 High REJECTED ("all governance roles trusted", $250 refunded) $0
GitLab #3755172 · Priv Escalation via AI Agent HackerOne High (8.8) $5,790 (40%)
GitLab #3755989 · Stored XSS via .html_safe HackerOne High (7.3) $1,974 (30%)
GitLab MCP OAuth Dynamic Registration Email → security@gitlab.com High (7.1) $2.5K–$5K (45%)
GitLab MCP SSRF + IDOR Email → security@gitlab.com (Gmail) Medium (5.4-6.9) $750–$1.5K (50%)
GGUF Memory Exhaustion Huntr High up to $4,000
Keras safe_mode Bypass Huntr High up to $4,000
ExecuTorch Integer Overflow Huntr Medium up to $1,500
PMML RCE via exec() Huntr Critical up to $1,500
Keras Lambda RCE Huntr Critical $750–$1,050
LocalAI SSTI Huntr · $0 BOUNTY $0
NLTK SSRF Bypass Huntr · $0 BOUNTY $0
Aim RCE Huntr · $0 BOUNTY $0
KServe Command Injection Huntr · $0 BOUNTY $0
K2 TP-6 claim_all_rewards C4 Audit Medium $250–$500
Renegade Auth Bypass C4 Bounty · DEAD (79/79 rejected, C4 shut down, $25 lost) $0
TermMax UUPS Immunefi Critical (claimed) DEAD (~5%) ~$0
Moonwell CompositeOEV C4 → Immunefi Medium (x2) UNTRIGGERED $0
Midas RWA adapters Sherlock #122 · 114→0 FP $0
MachFi BandOracle Sherlock #43 High REJECTED (5 reasons, $250 refunded) $0
Inverse Combined · Med-High ON-CHAIN FIXED $0
USX rebalanceBySwapping Email High OOS (scope excl.) $0
Berachain tx.origin Immunefi Medium DUPLICATE $0
Enzyme Onyx (C27) Immunefi $200K · 20 agents → 0 $0
Yearn V3 (C28) Immunefi $200K · 20 agents → 0 $0
Ostium Protocol (C48) Immunefi $200K · 786→0 (Data Streams ≠ AggregatorV3, 9/9 PM1 killed) $0
Silo Finance v3 (C48) Immunefi $100K · 786→0 (certora mutant contamination, 9/9 PM1 killed) $0
Pinto Protocol (C29) Sherlock #221 · 70→0 FP $0
Yearn V3 Strategies (C31) Sherlock #30 · 32→0 FP $0

05 Mandatory 11-Point Submission Gate · C24 Final · zero exceptions

  1. All audit reports downloaded and opened
  2. Bug class keywords searched in every report
  3. Affected function name searched in every report
  4. Known issues list checked on bounty page
  5. PM2 prior-audit index cross-referenced
  6. Contract address confirmed in scope table
  7. Scope exclusions checked (no relevant exclusion)
  8. Prior submission count checked (if platform shows)
  9. On-chain verification completed (if applicable)
  10. Forge PoC passes (if applicable)
  11. ON-CHAIN BYTECODE matches source (C24, Inverse had stale GitHub)

ALL 11 boxes must pass. No exceptions. Berachain: checks 1-3 skipped. Inverse: check 11 would have caught stale repo. MachFi: TVL check needed.

06 Rule 9: Privileged Role Escalation = $0 · HARD KILL · Confirmed 4x

If the attack requires ANY named role, the finding pays $0. Always. Everywhere.

Named roles: operator, keeper, manager, guardian, strategist, relayer, bot, sequencer, facilitator, ward, planner, governance admin.

It does not matter that: roles have different trust levels, multisigs have different signer counts, the escalation was clearly unintended, or the code separates the roles explicitly. Bounty programs trust ALL privileged roles equally.

The only question: "Can a random EOA with zero protocol permissions steal funds in one transaction?"

If the answer starts with "first, the operator..." → $0.

Target | Role | Rejection Reason
yRoboTreasury | Operator | "All governance roles in Yearn code are trusted"
TermMax | Implementation owner | Ownership = no impact (design decision)
Berachain | Trusted roles | Design decision, trusted roles (5 prior duplicates)
MachFi | Oracle provider | Oracle provider is trusted

07 Financial Accounting · 58 campaigns · ongoing

Spend
  Model costs (DeepSeek + Opus): $176
  Compute (Claude Code): $490
  Deposits staked: $525
    Sherlock #30 yRobo: $250
    Sherlock #43 MachFi: $250
    C4 Renegade: $25
  Total invested: ~$791
Returns
  Confirmed payouts: $0
  Deposits refunded: $500
    yRobo $250 + MachFi $250
  Deposits lost: $25
    Renegade (C4 shut down)
  Pending EV (Huntr + K2 + GitLab): $13K–$19K
  Net loss (excl. refunds): -$291

Recent Events Timeline · 43 entries
2026-06-10 · G7: SETUP_SCRIPT TOKEN THEFT (CVSS 8.4 HIGH · NEW FINDING)
SESSION 4 BETA-ONLY CLOSE READ. 1 CONFIRMED FINDING. Priority 2 (Custom Flow cross-user execution) produced CVSS 8.4 High: Composite Identity Token Theft via agent-config.yml setup_script. Three root causes: (1) setup_script runs OUTSIDE SRT sandbox in start_workflow_service.rb commands() method. (2) Composite identity OAuth token exposed as CI env var ($GITLAB_OAUTH_TOKEN + 4 aliases). (3) No content validation in JSON schema or config.rb parser. Affects ALL 8 foundational flows (Code Review, Fix Pipeline, Developer, SAST FP, etc.). Token lifetime 1hr, instance-wide scope with user:{victim_id}. Deterministic · no LLM dependency. Priority 1 (CI Expert Agent prompt injection): KILLED · CI Expert is a chat-only agent (id:6, no CI workload), output sanitized by FinalAnswerParser, standard indirect prompt injection = not novel for bounty. Report: SETUP-SCRIPT-TOKEN-THEFT-REPORT.md. Pending email to security@gitlab.com.
2026-06-10 · G6/C58: GITLAB 19.0 CLOSE READ (0 new findings)
SYSTEMATIC AUDIT of 70 new EE features across GitLab 18.10/18.11/19.0. Seven leads investigated, all killed. (1) search_helper.rb XSS → CVE-2026-5297 (8.7), already patched. (2) Agent output XSS → CVE-2026-6073 (8.7), same class as our H1 #3755989. (3) PAT scope bypass → CVE-2026-1322 (6.8), already fixed. (4) Banzai sanitizer XSS → CVE-2026-6335 (5.4). (5) VR SSRF → CVE-2026-7471 (3.5). (6) Secrets Management → CLEAN (proper authorize directives + JWT). (7) Compliance External Controls → CLEAN (HMAC + secure_compare + nonce). Also audited: Orbit MCP (well-gated), VR upstreams/test (addressable_url validation), MCP Semantic Search (read-only). METHODOLOGY VALIDATED: 5/7 leads matched real CVEs, proving we're targeting the right code. Docker instance lost to daemon crash. 6 unaudited targets remain: CI Expert Agent prompt injection, Custom Flow cross-user exec, Fine-grained PAT 25% gap, GLQL injection, MCP header injection, email template XSS.
2026-06-10 · G5: GMAIL EMAIL FIX + H1 FOLLOW-UPS
CRITICAL DISCOVERY: Mail.app SMTP auth:none on smtp.gmail.com:465 · ALL prior emails to security@gitlab.com (Jun 3 MCP OAuth + Jun 10 SSRF+IDOR) were NEVER DELIVERED. AppleScript send returned true but messages silently dropped. Fixed: both reports re-sent via Gmail web interface, confirmed in Gmail Sent folder. H1 #3755172 + #3755989: both still closed N/A (8 days, no response to resubmission). Follow-up comments posted on both reports requesting reopen for technical review. Next: Request Mediation on H1 if no response by Jun 13.
2026-06-10 · G4/C58: SSRF+IDOR EMAILED + Sentinel ($0)
GitLab MCP SSRF+IDOR report emailed to security@gitlab.com (initially via Mail.app, later re-sent via Gmail). ALL 3 GitLab MCP findings now submitted. C58 sentinel: 0 new Immunefi programs (30-day drought since May 11, 270 active bounties down from 278). Sherlock ARC-41 $155K launched today but Leo/non-EVM (KILL). Cantina Morpho Midnight $400K ending in 2 days, KYC (KILL). Exploit intel: Humanity Protocol $36M (compromised laptop → 3/6 Gnosis Safe keys), Ambient Finance $110K (unknown), AFI $480K (vault drain). H1 GitLab reports: 8 days pending, no response to resubmission.
2026-06-04 · G3/C57: GraphQL Authorization Audit + Sentinel ($0)
SYSTEMATIC GRAPHQL AUDIT: 120+ EE mutations audited, 0 missing authorization. All use direct authorize directives, inherited base class auth, or service-layer Ability.allowed() checks. ai_workflows scope analysis: 30+ APIs accept tokens with write access to issues/MRs/branches/commits/vulnerability_flags · broad but each endpoint enforces own auth. RefreshTokenService confirmed same SSRF pattern as Finding 2 (additional evidence). IDOR in MCP controller re-confirmed. Live tests with Guest/Developer tokens: all access controls working. Key insight: core GitLab features = fortress, new MCP/Duo features = gaps exist. Report: GRAPHQL-AUTHZ-AUDIT.md. C57 sentinel: 0 new targets, Euler v2 $1.25M was 2024 (removed), EulerSwap CTF $500K fortress (6 audits).
2026-06-03 · G2/C56: MCP OAuth EMAILED + Sentinel ($0)
MCP OAuth Dynamic Registration report (High 7.1) emailed to security@gitlab.com. H1 submission BLOCKED by Signal Requirement · trial reports exhausted from N/A closures. H1 form was 100% filled (title, CVSS 7.1, CWE-862, 5 files uploaded to S3). H1 Support ticket filed for credit restoration. Trial license expires Jul 2, H1 credits regenerate Jul 3 · email was the only viable path. H1 #3755172 + #3755989 resubmitted with full evidence. C56 Quick Sentinel: commit monitor TIMEOUT, platform sweep (0 new contests, Euler v2 Cantina $1.25M active but fortress), 4 exploits ~$9M+ (Gnosis Pay, Gravity Bridge, Alephium, TesseraDAO), ARC-41 was 2024 (removed).
2026-06-03 · G1/C55: GitLab MCP OAuth Discovery + PoC ($0)
NEW FINDING: MCP OAuth Dynamic Client Registration (RFC 7591) · unauthenticated app registration + MCP scope grants 17 tools including confidential issue access + pipeline deletion. Full E2E PKCE flow verified: register → PKCE → authorize → exchange → exploit. Cloud metadata IPs (169.254.169.254) accepted as redirect URIs. 3 bugs: (1) redirect URI accepts internal IPs (2) MCP scope overly broad for unverified apps (3) consent screen lacks adequate warnings. Python PoC script + asciinema terminal recording captured. Also discovered: SSRF via OAuth2 gem (token_endpoint bypasses Gitlab::HTTP) + IDOR in MCP server lookup (global find without org scoping). GitLab EE 19.0.1 Docker.
2026-05-31 · C54: THE LONG TAIL ($0, manual close read)
LONG TAIL THESIS DISPROVEN. 278 Immunefi programs filtered to 33 ($10K-$100K, GitHub, no KYC). 12 non-EVM killed (StarkNet, Algorand, Fuel, Cosmos, etc.). 6 audit-comp killed. 5/11 EVM programs stale 2-4 years (DEAD). 5/11 over-audited (Synthetix 5+, Orderly 17, Harvest 4+, DODO 8+, Nexus 6+). 1 survivor: MUX v3 ($100K, 1 Guardian audit). 2826 lines across 8 files read closely: Swapper.sol no AC but zero balance between txs, SusdcOracleL2.sol staleness scope-excluded, Delegator.sol delegatecall safe, CollateralPool/FacetOpen/FacetClose all onlyCore/onlyOrderBook. ALL fund-flow paths role-gated. 0 findings. Small bounties ≠ less audited. ALL TIERS NOW EXHAUSTED.
2026-05-31 · C53: Sentinel Run #2 ($0, 258 repos)
258 repos (60 programs, 7d lookback, $50K+). 7 repos with .sol changes · ALL speed-killed (governance-gated, audit fixes, vendor refactor). "0 audit" hot target validation: ALL FALSE. LayerZero API:0 actual:15+ (8 firms), Spark API:0 actual:16+ (ChainSecurity x12), Kamino API:0 actual:18+ (AND Rust/Solana), Chainlink API:0 actual:50+, Enzyme API:0 actual:50+, Lombard API:0 actual:15. Morpho Midnight ($400K Cantina): 2 prior audits + Certora FV + 241 subs day 1 = fortress. Platform intel: Immunefi Q1 2026 $7.87M paid (228% up), C4 confirmed dead, Sherlock ARC-41 ($155K) was 2024 contest (removed C56).
2026-05-30 · C52: First Commit Sentinel Run ($0.50)
NEW METHODOLOGY DEPLOYED: commit monitoring. 202 repos (40 programs, 14d lookback). 9 repos with .sol changes. 2 read closely: Optimism (3 commits · governance-gated access control, not fund-flow), Lido CSM (4 commits · audit fix backports, no new attack surface). Sentinel validated as sourcing tool ($0.50/run vs $70 Opus scan). 0 exploitable findings, but the methodology is correct · infosec_us_team pattern confirmed. Pipeline enters SENTINEL MODE.
2026-05-30 · C51: Cross-Protocol Composability Scan ($0, manual PM1)
Fluid oracle deep read (15+ files): No Chainlink staleness check (design choice, 7+ prior audits). FluidCappedRate APR limiting blocks ERC4626 donation. DEX oracle reads from Liquidity layer (not manipulable). GenericOracle hop-chaining is correct. 0 exploitable findings. 0x Settler ($1M): 9 audits, 5-6 firms, Permit2 pattern · arbitrary calldata is BY DESIGN. Gearbox ($200K): 30 audits, $3M security spend · most audited target in pipeline history. ERC4626 adapter covered by 4 ChainSecurity audits. ALL KILLED. Sourcing agents underreported audit counts 100%.
2026-05-30 · C50: Daily Intel + Composability Angle ($0, 6 agents)
NEW METHODOLOGY: cross-protocol composability scan · bugs that exist BETWEEN protocols, not within them. 3 exploit classes confirmed: ERC4626 donation ($270M+), calldata injection in routers ($45M+), oracle cross-heartbeat ($17M+). 13 targets identified. Top 3 promoted: Fluid ($500K, "1 audit"), 0x Settler ($1M, "no audits"), Gearbox ($100K+). All 3 killed in C51 · sourcing agents completely wrong on audit counts. 51% of bounties include integration code in scope.
2026-05-30 · C49: Manual PM1 Kills ($0)
Hooker.vy (Curve burners): deploy.py line 86 shows foreplay = bridger.bridge.prepare_calldata(TARGET, FEE_DEST, 2**256-1, MIN_AMOUNT) · ALL 4 args hardcoded. Production uses EMPTY_HOOK_INPUT. EVM ignores extra bytes after valid ABI-encoded fixed-size params. NOT EXPLOITABLE. ConvexCore.sol: execute(address,bytes) gated by onlyOperator · Cardinal Rule 9 instant kill. Morpho Midnight: minimal scope, all known patterns. 3/3 killed.
2026-05-30 · C48: 40-Agent Parallel Scan ($0.59, 40 agents)
BOTH TARGETS DEAD. 9/9 PM1 KILLED. Ostium Protocol ($200K, Arbitrum, 0 audits): 20 agents, 43 files, $0.15. 409 raw findings, 365 post-triage. PM1: 4/4 killed · uses Chainlink Data Streams (IVerifierProxy.verify), NOT AggregatorV3. All 5 callbacks check price ≤ 0. "Staleness" handled by maxOrderAgeSeconds, not standard Chainlink patterns. Silo Finance v3 ($100K, Sonic, 1 audit): 20 agents, 200 files, $0.43. 377 raw findings, 283 post-triage. PM1: 5/5 killed · onFlashLoan has _txFlashloanTarget == msg.sender check (line 158), 3/5 findings were certora/mutants/ contamination (P1-P5 suffix files = intentional bugs for formal verification), GeneralSwapModule is stateless by design. FP Rule #33 (CHAINLINK_DATA_STREAMS_NOT_AGGREGATOR) + FP Rule #34 (CERTORA_MUTANT_CONTAMINATION) added. certora/ + mutations/ + deploy/ added to skip_dirs. Config v2.3.0. DeepSeek balance: $12.21. METHODOLOGY CONCLUSIVELY DISPROVEN: 48 campaigns, 77K+ findings, $0 paid on audited protocols.
2026-05-29 · yRoboTreasury REJECTED by Sherlock
"All governance roles in Yearn code are trusted." Operator = governance role. The vulnerability was real (PoC: 100K DAI stolen via Factory.call() raw_call escalation) but excluded by bounty policy. $250 USDC stake refunded to Polygon. This confirms Rule 9: privileged role escalation is always $0, regardless of trust level separation, multisig differences, or code intent. Same kill signal as Sky (C46), MachFi, TermMax, Berachain. Pipeline anchor submission dead. Only K2 TP-6 remains active ($250-$500 EV).
2026-05-28 · C46: Close read of Sky + Stargate (20 Opus agents, $0)
BOTH KILLED. Sky Protocol ($10M): PERMANENT KILL · Primacy of Rules excludes allocator contracts from 216 in-scope assets, ALL privileged roles trusted per bounty, no generic exec(address,bytes) pattern (typed interfaces only), 7 ChainSecurity audits in 2026, Swapper callee is by-design with rate limits. Stargate V2 ($10M): KILL · approve-then-revoke + nonReentrant blocks Aperture drain pattern, hash chain bus integrity, onlyPlanner credit messaging, no arbitrary call/exec, 2 audits. $10M bounties = fortress-tier defense-in-depth. Target queue EXHAUSTED.
2026-05-28 · C45: Edge-scan recon (4 parallel agents, $0)
2 TIER 1 LEADS IDENTIFIED via periphery trust-boundary methodology. Sky Protocol Launch Agents ($10M Immunefi) - Feb 2026 Allocator Vault deployments via governance postdate all ChainSecurity/Cantina audits, proxy spell call() forwarding = exact yRoboTreasury pattern. Stargate V2 OFTWrapper ($10M Immunefi) - updated May 28, OFTWrapper/CreditMessaging not in main 15-contract scope table, audit coverage unclear. TIER 2: Aave Migration Helper ($1M), Compound USDS Bulker ($1M). Kelp DAO CCIP MONITOR (post-$292M exploit, new contracts not in scope yet). 2026 exploit trend confirmed: $17M+ calldata injection in periphery routers. 0 new programs across all platforms (14+ day drought). Renegade confirmed DEAD (79/79 rejected on C4, $25 lost).
2026-05-28 · C44: Sentinel sweep (all 3 platforms, $0)
0 new programs. Immunefi 279 (down 3 from 282). Sherlock 31 bounties, 0 new. Cantina 10, all fortress. Market drought 14+ days since last new launch. yRobo confirmed JUDGING on Sherlock. Renegade investigated: 79/79 submissions rejected, repo frozen since April 20, C4 shut down May 13.
2026-05-28 · C43: yRoboTreasury SUBMITTED + K2 Medium SUBMITTED
FIRST SUBMISSION PASSING ALL 4 CARDINAL RULES. Factory.call() privilege escalation: operator (2-of-4, 0xABCDEF) gains full auction governance via unrestricted raw_call. Mainnet fork PoC: 100K DAI stolen in 3 TXs. $250 staked on Sherlock #30. K2 C4: claim_all_rewards phantom reward extraction. K2 flash helper KILLED (dust-level bad debt).
2026-05-27 · C42: Deep Code Analysis ($0, 15 agents)
yRoboTreasury Factory.call() CRITICAL FOUND. 0-audit Vyper contracts in Sherlock #30 scope. Operator raw_call collapses management/operator trust separation. USDT auction live at 0x861fE4... with Factory as governance (verified on-chain). Veda YieldStreaming: uint128 truncation KILLED (Certora FV already flagged, unreachable). Phoenix PERMANENT KILL ($0 TVL, 2yr dormant). SmarDex KILL (7 audits). Ern KILL (3 audits + dead bounty). Twyne KILL (12 audits). Enzyme Blue KILL (saturated).
2026-05-22 · C41: PM2 EXPLOIT-DRIVEN SCANNING ($3, 20 agents)
0 FINDINGS. BOTH EXPLOIT PATTERNS DEAD FOR EVM. Cetus $223M integer overflow: scanned 6 repos (Algebra/QuickSwap, Trader Joe V2, iZiSwap, Maverick V2, Aerodrome CL, Trader Joe pow()). All use 512-bit Remco Bloemen mulDiv or correct a*b/a==b overflow checks. Cetus bug was Move-specific (wrong bitmask in checked_shlw). EVM immune: Solidity 0.8+ checked arithmetic + 512-bit mulDiv + division guards. KelpDAO $290M DVN: NOT a code bug · infrastructure/OPSEC (1-of-1 DVN + compromised RPC). LayerZero BBP excludes OApp misconfiguration. Background agents swept all LZ-integrated bounties (70 files, 17 protocols). Best code-level target: Nucleus ($500K, already queued). Only Solana targets (Raydium $505K, Orca $500K) have Cetus-analog risk. FP Rule #35 added: CETUS_OVERFLOW_PATTERN.
2026-05-21 · C40: TIER 2 SPEED-KILL (20 agents, $0)
14/14 TARGETS KILLED. 7 tier 2 speed-kills: Ondo (21 audits, $3.7B TVL), Flux (4 audits, dead protocol NXDOMAIN), Fluid V2 (12+ audits, Certora FV), Lido V3 (120+ audits, most-audited in DeFi), NUVA (2 audits, below floor), Floe Labs (1 audit + known bug), EigenLayer (5+ audits, no AVS in scope). Then 3 more speed-kills: Felix (5 firms: Dedaub, Coinspect, ChainSecurity, Recon, Three Sigma), Gains Network (8 CertiK audits), Folks Finance (15 reports by 7 firms), Veda Ink (15+11 same BoringVault, KYC). Immunefi API "0 audits" wrong on 100% of checks. Platforms: 0 new Immunefi/Sherlock/Cantina programs. Exploit intel: Verus bridge May 18 (~5,400 ETH), Cetus $223M integer overflow. Kelp DAO CCIP not in scope yet. C4→Immunefi migration in progress. QUEUE EMPTY.
2026-05-20 · C39: FULL PLATFORM SWEEP (21 agents, $0)
16 PROTOCOLS KILLED, 7 NEW TARGETS DISCOVERED. Killed: Flying Tulip (6+ audits, on Sherlock not Cantina), Vesper (3 items all onlyKeeper OOS), Football.Fun (no permissionless exploit), Enzyme Onyx (CLOSED), Usual Labs (14 audits), Rocket Pool (15+ audits), Morpho (25-34 audits), Pendle (archived), Ethena (no new contracts), Axelar (saturated), Spark (21 audits on MainnetController). Discovered: Fira UZR ($7.5M Sherlock, killed next day · 6 audits), Hyperlane TRON ($2.5M, killed · not in scope), Nucleus ($500K, killed · 11 audits/Boring Vault). MachFi Sherlock rejection processed: 5 reasons, FP rules #33-34 added. $250 deposit refunded.
2026-05-23 · PM1 DAY 5: PENDLE ($250K Immunefi, $1.546B TVL)
0 FUND-IMPACT FINDINGS. First target with custom permissionless AMM math (not role-gated). Read 7 core contracts (1,673 LoC): MarketMathCore, PendleMarketV7, PendleYieldToken, InterestManagerYT, PYIndex, SYUtils, PMath. AMM rounding verified: favors pool (assetToSyUp for payments, assetToSy for receipts). Monotonic pyIndex ratchet (MAX with stored) prevents flash loan manipulation. Internal accounting (not balanceOf) + MINIMUM_LIQUIDITY + skim() prevents donation. Per-user interest index blocks retroactive YT yield claims. nonReentrant on ALL 6 market functions. 770 DeepSeek findings (prior scan) · ALL KILLED including wrong H (first depositor inflation). 6+ auditors + 87 Cantina submissions. Cost: $0.
2026-05-22 · PM1 DAY 4: ETHENA ($3M Immunefi, $5.38B TVL)
0 FUND-IMPACT FINDINGS. 5 contracts (1,170 LoC): EthenaMinting, StakedUSDe, StakedUSDeV2, USDeSilo, StakingRewardsDistributor. MINTER_ROLE gates all minting. MIN_SHARES=1e18 + 8hr vesting defends ERC4626. Cooldown only affects msg.sender. Domain separator includes chainId. 40 DeepSeek findings triaged · all killed. 12 prior audits. Cost: $0.
2026-05-21 · PM1 DAY 3: SPARKLEND ($5M Immunefi, $3B+ TVL)
0 FUND-IMPACT FINDINGS. 10 Spark-specific contracts (1,000 LoC): SSR oracles, SparkVault, rate sources. MakerDAO DSR pattern (chi-based share pricing) = donation-immune. SSRAuthOracle has 5 independent validation checks. CappedFallbackRateSource OOG protection (err.length > 0). May 14 scope update was administrative (Avalanche expansion). Cost: $0.
2026-05-20 · PM1 DAY 2: LOMBARD FINANCE ($250K Immunefi, $1B+ TVL)
0 FUND-IMPACT FINDINGS. 10 contracts (2,800 LoC): NativeLBTC, Consortium, AssetRouter, BasculeV3, StakedLBTC, StakedLBTCOracle, Mailbox, BridgeTokenAdapter, BridgeV2. Every fund flow consortium-gated (weighted multisig). Bascule drawbridge adds independent deposit verification. Simple 1:1 ERC20 (not vault). No permissionless attack path. Cost: $0.
2026-05-22 · DAY 5: DODO + RESONATE + ICHI FUND-FLOW REVIEWS
3 targets reviewed, 0 findings, all KILLED.
DODO ContractV2 ($100K, PMM AMM): 3,500 LoC. PMM math battle-tested 5yr, 1001 locked shares, OR flash loan guard. V3 bounty DEAD (404).
Resonate ($100K, yield-splitting FNFTs): 4,500 LoC. C13 S-01 (MasterChef harvest zero slippage) TRIPLE-KILLED: adapters OOS + BBP classifies MEV slippage as Low + 4 prior audits excluded. In-scope adapters are passive ERC4626 wrappers (no harvest functions). Core protocol well-guarded.
Ichi oneToken ($50K, NOT $150K): 1,500 LoC. Simple mint/redeem stablecoin. Governance-heavy (most actions onlyOwner). Oracle manipulation excluded per BBP. No reentrancy guard but no exploitable path. Payouts via 6-month Sablier.
PM1-SUBMISSION-GATE-V2 rules saved. 8 permanent rules from TermMax ($765+ cost). Cost: $0.
2026-05-21 · PM2 DAY 3: QUEUE OPTIMIZATION
7 KILLS, 3 PROMOTES, SPARKLEND DELTA. Killed: Threshold, Harvest, WePiggy, Orderly, Avail, ALEX (Clarity), Vesu (Cairo). Active queue: DODO ($500K PMM) → Resonate ($100K FNFTs) → Ichi ($150K vaults). Conditional: Rocket Pool, Spark (PM1). Spark delta: 40+ custom contracts (~5K LoC), PSM3 + ALM Controller + Vaults. Euler v2 Cantina: FALSE POSITIVE. CodeHawks: SKIP. Cost: $0.00.
2026-05-19 · FUND-IMPACT STRATEGY DEPLOYED
NEW STRATEGY: Daily manual fund-flow reviews. Inverted process: identify 3-5 fund-flow functions per protocol, read manually, targeted DeepSeek only if suspicious. Day 1: MUX mux3-protocol ($100K) · 2,000 LoC read, 0 fund-impact. Day 2: Lombard · multisig-gated KILL. Cost: $0.
2026-05-19 · PM1 HONEST ASSESSMENT
$0 CONFIRMED AFTER 38 CAMPAIGNS. Renegade EV corrected: $2K-$4K (was $15K-$50K). TermMax: effectively $0. Moonwell: untriggered $0. Honest combined EV: $2K-$4K. Total investment: $175 + $490 compute. See PIPELINE-NEXT-STEPS.md.
2026-05-19 (C36–C38 / PM2 Day 3 · 36 agents, 3 sprints, $0)
36 AGENTS, $0 COST, 3 SPRINTS. C36: Yearn V3 CLOSED (6/6 Mediums KILLED). C37: Gearbox Securitize KILL + Hyperbridge DEFERRED. C38: Pinto KILL (18 audits) + Silo Sonic KILL (24 audits, Certora FV). TIER 1 QUEUE EMPTY. 11 targets resolved. MONITOR MODE.
2026-05-18 (C34 / Full Pipeline Scan + PM1 Support)
19 AGENTS, 4 SCANS, 5 RECON · $0 COST. PM1: GammaSwap refType 3 = PERMANENT KILL (triple-gated owner-only). Gearbox = NOT DEPLOYED (monitor BCR). G-01 = KILL (spec documents as intentional). DeFi Saver ($350K): 65 files, 0 survivors · code quality too high (6 audits = institutional security culture). ZetaChain ($100K): F-05 ERC20Custody _disableInitializers + F-01 _resetApproval CONDITIONAL. Impermax ($100K): KILL (scope mismatch). Variational ($100K): KILL (off-chain derivatives). Recon: 0x KILL (9 audits), Veda KILL (14 audits), Enzyme CCIP RE-SCAN warranted. New queue: Enzyme CCIP #1, ZetaChain F-05 #2.
2026-05-18 (C33 / Gearbox + GammaSwap Scan)
PM1 MANUAL SCAN SESSION: Gearbox Securitize adapter (715 LoC, 6 contracts) · Finding G-01: liquidator overvalues redeemers via getCurrentRedemptionValue() vs getRedemptionAmount() mismatch when NAV increases. Low-Med, $400 EV. GammaSwap Vaults (14 vault contracts) · thin override layer on audited core. BLOCKED: refType 3 access control in v1-core determines if findings are Critical or KILL. DeFi Saver assessed: $271M TVL, $350K max, 4-year audit gap, assigned future Slot 3. Total cost: $0 (PM1 manual read only).
2026-05-18 (C35 / Maximum Throughput)
C35 DEAD · $70 OPUS, 0 PAYABLE: 20 Opus agents. ZetaChain F-05 on-chain verified (init slot=0x00 on 6 chains) BUT onlyProxy (OZ v5.0.2) blocks upgradeToAndCall · KILLED (same as TermMax). SPARK-01 code diff real BUT useAuction=true default · KILLED (swap loop unreachable). Enzyme CCIP 0 survivors (ChainSecurity). 6 Yearn Mediums unverified. FP Rule #32 (UUPS_ONLYPROXY_V5) added. Recon: Aave V4/Lido/dYdX/Cork/Spark all KILLED. C27+C28+C35 Opus total: $210, 0 payable. STOP OPUS SCANNING.
2026-05-18 (C32 / 20-Agent Full Recon)
10 NEW TARGETS ACQUIRED: 20 parallel recon agents swept Immunefi (284), Sherlock (32), Cantina (54), HackenProof, DeFiLlama, GitHub, Solodit. TOP: Gearbox Securitize adapter ($200K, 0-audit, proven vuln class), GammaSwap vaults ($40K, 11 new contracts, 0 audit), Veda BoringVault ($1M, $3.5B TVL), DeFi Saver ($350K, 0 listed), ZetaChain ($100K, post-exploit). Post-audit-delta: 0x Settler ($1M, 8 new adapters), Enzyme CCIP ($200K, 3 new contracts), Spark Oracle ($5M). Emerging chains: Monad Kuru DEX, Ink Nado ($500K). C4 migration wave: 9 programs in transit. 5 new FP rules from contest data.
2026-05-18 16:00 · MEDIATION FILED
TERMMAX #78216 MEDIATION SUBMITTED. Free standard tier (3+ week queue). 4/5 requests remaining. Arguments: CVE-2021-41264 + codebase inconsistency (6/8 have _disableInitializers) + irreversible on-chain state change. Conceded onlyProxy blocks upgrade path. Requested Medium re-evaluation. OZ forum posts weaken our case (staff say onlyProxy is primary fix). ~25% success probability.
2026-05-18 12:00 · ANCHOR REJECTED
TERMMAX #78216 CLOSED AS INVALID. EvanMusk (TermMax): "best-practice hardening item." onlyProxy blocks upgradeToAndCall on implementation (OZ v5). Our PoC Step 5 would revert. Steps 1-4 (init + ownership) valid but no direct fund impact.
2026-05-18 · FLYING TULIP KILLED
FLYING TULIP DEEP EVALUATION: DEFINITIVE KILL. Manual code read of all 7 contracts (PutManager, ftYieldWrapper, FlyingTulipOracle, pFT, ftACL, CircuitBreaker, 6 strategies). Sherlock #1223: 1,704 submissions by hundreds of wardens, ZERO valid M/H. Our C7 scan: 425 findings, 100% FP. Math.mulDiv everywhere, nonReentrant on all externals. 1,648 NSLOC. $250 deposit = negative EV. Score: -4 (threshold +3).
2026-05-18 (C31 / PM2 Day 2)
YEARN V3 STRATEGIES 32→0: Sherlock #30 ($200K). 9 strategy types (AaveV3, CompoundV3, Spark, Gearbox, Sturdy, Across, stETH, USDSFarmer, SkyCompounder). 5.2K LoC, 10 DeepSeek agents, $0.018. ZERO overlap with C28 Immunefi. Thin wrappers (5-15 lines custom). Bounty excludes zero-slippage MEV. Cantina: Cork SKIP (4+ audits), Kinetiq SKIP (8 audits). Flying Tulip CONDITIONAL ($1M, 1 audit, $250 deposit).
2026-05-17 (C30 / Platform Expansion)
CANTINA ADDED: 52 bounties, $49.6M rewards. Cork Protocol ($100K) + Kinetiq ($5M) actionable. AuditOne/HackerOne/Self-hosted all SKIP. Solodit: 8 prompt updates + 4 FP rules identified. Yearn V3 Sherlock strategy scope RE-IDENTIFIED as TOP PRIORITY.
2026-05-17 (C29 / PM2 Day 1)
PINTO 70→0: PM2 Day 1. Upgraded from KILL (volume 769x). 10 agents, 20 files, $0.049. Dual-lock reentrancy (nonReentrant + nonReentrantFarm + _beanstalkCall swap), EMA pump oracles, Diamond AC patterns. 0 survivors. HOLD.
2026-05-17 (C28)
YEARN V3 DEAD: $200K Immunefi. 20 Opus agents across 4 repos (21.6K LoC, 41 contracts). VaultV3.vy (Vyper) + TokenizedStrategy + periphery. All HIGH findings admin/keeper-gated (OOS). Auction partial-take + BaseConvertor shares/want = design choices. Post-audit diff v3.0.1→v3.0.4 (~5K lines) but core architecture sound. ~$35 cost.
2026-05-17 (C27)
ENZYME ONYX DEAD: $200K Immunefi. 20 Opus agents, Sulu V2 lending engine. ~60+ raw findings, 0 survivors. Solid onlyOwner/Comptroller access control. Well-architected protocol. ~$35 cost.
2026-05-17 (C26)
MIDAS RWA SCAN: $500K Sherlock #122. 10 DeepSeek agents, 25 files. 114 findings → 0 survivors. Adapters too thin (28-95 lines). $0.037 spent.
2026-05-17 (C26)
SENTINEL: 0 new programs, 0 active contests across all 7 platforms. Moonwell still on C4 (not Immunefi). KAST killed (Solana).
2026-05-16 (C25)
MOONWELL 2 NOVEL FINDINGS: ChainlinkCompositeOEVWrapper missing _resolveRawFeed() (C4 #130 class in different contract) + approve→forceApprove (HAL-05 not ported). Manual code review, $0 cost.
2026-05-16 (C24)
PORTFOLIO COLLAPSE: Inverse ON-CHAIN FIXED (stale repo). MachFi DEAD ($10K TVL). USX OOS (file-level scope). Queue: TermMax only.
2026-05-16 (C24)
MOONWELL ACQUIRED: TIER 1 target. 4x exploited ($4.8M), OEV wrappers, MIP-X56 fix May 15, $250K bounty (C4→Immunefi).
2026-05-16 18:18
Berachain #78377 CLOSED as duplicate (35 min). 5 prior reports. 23-hour slot wasted.
2026-05-15
TermMax UUPS #78216 ESCALATED. 6 subscribers. SLA May 29. ANCHOR.
2026-05-14
Renegade auth bypass submitted to C4 ($25 deposit).
2026-05-13
Code4rena announces shutdown (final July 12). Immunefi absorbing all programs.

08 · Expected Value · Honest Assessment · 2026-06-10 · Full Portfolio

| Submission | Platform | P(accept) | EV | Status |
|---|---|---|---|---|
| [*] GitLab MCP OAuth Dynamic Reg | Email → security@gitlab.com | 45% | $2.5K–$5K | EMAILED VIA GMAIL (Jun 10). Prior Jun 3 Mail.app attempt FAILED (SMTP auth:none). Re-sent via Gmail, confirmed in Sent. CVSS 7.1. Awaiting response. |
| [*] GitLab MCP SSRF + IDOR | Email → security@gitlab.com | 50% | $750–$1.5K | EMAILED VIA GMAIL (Jun 10). Confirmed in Gmail Sent. SSRF: OAuth2 gem bypasses Gitlab::HTTP. IDOR: global McpServer.find. Awaiting response. |
| GitLab #3755172 Priv Escalation | HackerOne | 40% | $5,790 | Closed N/A Jun 2. Resubmitted Jun 2 (32 screenshots + video). FOLLOW-UP POSTED Jun 10. Request Mediation Jun 13. |
| GitLab #3755989 Stored XSS | HackerOne | 30% | $1,974 | Closed N/A Jun 2. Resubmitted Jun 2. FOLLOW-UP POSTED Jun 10. Request Mediation Jun 13. |
| GGUF Memory Exhaustion | Huntr | 33% | up to $4K | PENDING. May 18. |
| Keras safe_mode Bypass | Huntr | 33% | up to $4K | PENDING. May 12. |
| ExecuTorch Integer Overflow | Huntr | 33% | up to $1.5K | PENDING. May 18. |
| PMML RCE via exec() | Huntr | 33% | up to $1.5K | PENDING. May 18. |
| Keras Lambda RCE | Huntr | 33% | $750–$1,050 | PENDING. May 11. |
| LocalAI SSTI | Huntr | – | $0 | $0 bounty program |
| NLTK SSRF | Huntr | – | $0 | $0 bounty program |
| Aim RCE | Huntr | – | $0 | $0 bounty program |
| KServe Cmd Injection | Huntr | – | $0 | $0 bounty program |
| K2 TP-6 claim_all_rewards | C4 | 35% M / 65% reject | $250–$500 | JUDGING. Contest ended May 27. $135K pool. C4 operational. |
| yRoboTreasury Factory.call() | Sherlock #30 | 0% (rejected) | $0 | REJECTED May 29: "All governance roles trusted." $250 refunded. |
| Renegade Auth | C4 | 0% | $0 | DEAD. 79/79 rejected. Repo frozen 38 days. $25 lost. |
| TermMax UUPS | Immunefi | ~5% | ~$0 | DEAD. Mediation rejected. onlyProxy blocks upgrade. |
| Moonwell CompositeOEV (x2) | C4 → Immunefi | 0% (untriggered) | $0 | NOT MIGRATED. C4 dead. Months away. |
| Midas RWA | Sherlock #122 | 0% | $0 | 114→0 FP |
| MachFi BandOracle | Sherlock | 0% | $0 | REJECTED: 5 reasons (OOS + Critical-only + stale-price invalid + trusted oracle + dead protocol). $250 refunded. |
| Inverse Combined | - | 0% | $0 | ON-CHAIN FIXED |
| USX | - | 0% | $0 | OOS |
| Berachain | - | 0% | $0 | DUPLICATE |
| Enzyme Onyx (C27) | Immunefi | 0% | $0 | 0 SURVIVORS |
| Yearn V3 (C28) | Immunefi | 0% | $0 | 0 SURVIVORS |
| Pinto (C29) | Sherlock #221 | 0% | $0 | 70→0 FP |
| Ostium Protocol (C48) | Immunefi $200K | 0% | $0 | 409→0 (Data Streams ≠ AggregatorV3, 4/4 PM1 killed) |
| Silo Finance v3 (C48) | Immunefi $100K | 0% | $0 | 377→0 (certora mutant contamination, 5/5 PM1 killed) |
| Fluid Oracle (C51) | Immunefi $500K | 0% | $0 | 15+ files read, 7+ audits, no Chainlink staleness = design choice, CappedRate blocks ERC4626 |
| 0x Settler (C51) | Immunefi $1M | 0% | $0 | 9 audit reports, 5-6 firms. Arbitrary calldata = BY DESIGN (Permit2). Fortress. |
| Gearbox ERC4626 (C51) | Immunefi $200K | 0% | $0 | 30 audits, $3M security spend. Most audited protocol in pipeline history. |
| Optimism (C52) | Immunefi $2M | 0% | $0 | Sentinel: 3 commits, all governance-gated. Fortress. |
| Lido CSM (C52) | Immunefi $250K | 0% | $0 | Sentinel: 4 commits, audit fixes only. No delta. |
| 7 Sentinel Hits (C53) | Various | 0% | $0 | 258 repos scanned, 7 sol hits. All governance-gated or audit fixes. API "0 audit" = ALL false. |
| MUX v3 (C54) | Immunefi $100K | 0% | $0 | Long tail sole survivor (278→33→1). 2826 lines read closely. All fund-flow role-gated. 0 findings. |
| Yearn V3 Strategies (C31) | Sherlock #30 | 0% | $0 | 32→0 FP (DeepSeek) |
| ZetaChain ERC20Custody (C35) | HackenProof | 0% | $0 | KILLED: onlyProxy (OZ v5.0.2) |
| Yearn SPARK-01 (C35) | Sherlock #30 | 0% | $0 | KILLED: useAuction=true default |
| Yearn CompV3/Gearbox/LST batch (C35→C36) | Sherlock #30 | 0% | $0 | C36: ALL 6 KILLED (fund-impact + Critical-only) |
| FULL PORTFOLIO (Jun 10) | 4 channels | – | $16K–$24K | 15 active submissions across 4 channels. GitLab ×6 reports (3 emailed, 2 H1, 1 pending email). NEW: setup_script token theft CVSS 8.4. Huntr AI/ML ($8K-$9K), GitLab ×6 ($8K-$15K), K2 C4 ($131). SC pipeline $0 paid across 58 campaigns. |
Critical Lessons & Post-Mortems · archive · C24 → G7
C24 failure modes (3):
1. Source ≠ Chain (Inverse): GitHub repo can be STALE. Team fixed on-chain March 2025, never pushed. On-chain bytecode is ground truth.
2. Dead protocol = dead bounty (MachFi): $10K TVL = functionally abandoned. Cannot pay bounties. TVL check mandatory.
3. File-level scope exclusions (USX): selected: false in Sherlock scope = explicitly OOS. Must check scope YAML, not just contract list.
C25 breakthrough:
4. Fix propagation gaps = gold mine: MIP-X56 fix applied to ChainlinkOEVWrapper but NOT propagated to ChainlinkCompositeOEVWrapper. Same class as C4 #130 (8 paid findings) in a different contract. Post-audit fix code is itself an attack surface.
5. Manual review > DeepSeek for novel bugs: Both Moonwell findings found via manual code diff, not pipeline. DeepSeek cannot detect "missing function call" patterns · it only flags what exists, not what's absent.
C26 efficiency lesson:
6. High file count ≠ high attack surface: Midas had 394 "unaudited" files but they were 28-95 line thin adapter wrappers. 114 DeepSeek findings, 0 survivors. Low complexity code = massive FP rate, zero real bugs.
7. Immunefi "0 audits" is unreliable: Starknet ($145K CodeHawks), Ostium (6-8), Lista (49 reports). Always verify manually.

Total pipeline failures: 5 · CapyFi (caught), Berachain (duplicate), Inverse (on-chain fixed), MachFi (dead TVL), USX (OOS). The 11-point gate covers all known modes.
C27–C28 target selection lesson:
8. $200K+ bounties are impenetrable fortresses: Both Enzyme Onyx (C27) and Yearn V3 (C28) deployed 20 Opus agents each (~$70 total), audited 30K+ LoC combined. Result: 0 submittable findings. High-bounty protocols have mature architectures, tight access control (onlyOwner/Comptroller/keeper patterns), and multiple prior audits. Admin-gated periphery findings are always OOS on Immunefi.
9. Vyper + Solidity mixed codebases (Yearn V3): VaultV3.vy has @nonreentrant("lock") on all 7 state-mutating functions + manual total_idle/total_debt tracking. Architecture prevents entire classes of attacks (donation, reentrancy, inflation).
10. ROI calculation: C27+C28 spent ~$70 on 2 dead targets. Need to route Opus-tier audits to higher-probability targets (0-1 audit protocols with custom DeFi logic, NOT battle-tested vaults).
C29 (PM2 Day 1) · Pinto insight:
11. Beanstalk-fork dual-lock reentrancy is FP-proof: nonReentrant + nonReentrantFarm + _beanstalkCall() swap pattern (temporarily clears reentrantStatus for Farm delegatecalls, facet re-locks immediately). DeepSeek cannot reason about this pattern at all.
12. EMA pump oracles defeat flash loan FPs: readInstantaneousReserves() reads from geometric-mean EMA, NOT raw spot reserves. DeepSeek confuses these every time.
13. Volume increase ≠ attack surface increase: Pinto volume 769x but codebase unchanged. High volume + inherited audits + mature architecture = still 0 survivors.
C30 (Platform Expansion) · Coverage lesson:
14. Cantina was a major blind spot: 52 bounties worth $49.6M that we weren't monitoring. Anti-spam deposits ($5-$100) are NOT slashable. Cork Protocol ($100K, no deposit) = immediately scannable.
15. Same bounty, different scope = different results: Yearn V3 on Immunefi (C28) = vault core. Yearn V3 on Sherlock #30 = strategy contracts "NOT externally audited". Must check all platforms per target.
16. Platform map is 3+2: Immunefi + Sherlock + Cantina for scanning. HackenProof + Solodit for monitoring. AuditOne/HackerOne/Self-hosted/C4/CodeHawks/Hats = all dead ends for pipeline.
C32 (2026-05-18) · TermMax REJECTION POST-MORTEM:
20. onlyProxy kills UUPS findings on OZ v5+: In OZ ≥4.3.2, upgradeToAndCall has onlyProxy modifier. Calling it directly on implementation ALWAYS reverts (address(this) == __self). Attacker can initialize impl + become owner but CANNOT upgrade the proxy. The "complete protocol takeover" claim was WRONG. PoC Step 5 was never actually compiled/run.
21. PoC must be executed, not just written: The Forge PoC existed only inline in the submission markdown. It was never saved as a test file, never compiled, never run. If we had run it, Step 5 would have reverted and we would have caught the onlyProxy issue BEFORE submission.
22. Defense-in-depth findings are near-zero EV on Immunefi: Immunefi severity system requires concrete impact (fund theft, freezing, governance manipulation). "Attacker owns implementation storage" has no downstream impact when onlyProxy prevents escalation. CVE + inconsistency arguments are strong in security research but weak on bounty platforms that pay for exploits, not patterns.
23. Add to Submission Gate: Check 12 = onlyProxy/notDelegated on upgradeToAndCall. For ANY UUPS finding, verify that the upgrade function can actually be called on the implementation. If onlyProxy is present, downgrade from Critical to Low/Informational.
C31 (PM2 Day 2) · Yearn V3 strategies + Cantina:
17. "0 audits" on strategy contracts is misleading: Strategies inherit ALL security from audited BaseStrategy/TokenizedStrategy v3.0.2 (ChainSecurity, Statemind, yAcademy). Custom code is 5-15 lines per strategy (_deployFunds, _freeFunds, _harvestAndReport). Not enough surface for complex bugs.
18. Bounty exclusions can kill entire finding categories: Sherlock Yearn excludes "MEV from sandwich attacks with zero minimum output" · this kills ALL swap-related findings across all 9 strategies. Must read exclusions BEFORE scanning.
19. Cantina is all blue-chip: Every Cantina bounty is a fortress-tier protocol with 4+ audits. Cork (4+ audits, $12M exploited, formal verification), Kinetiq (8 audits, 4 elite firms). Platform NOT suited for 0-2 audit targeting. Only Immunefi + Sherlock produce viable targets.
C32 (20-Agent Recon) · Strategy evolution:
24. Post-audit-delta is the new 0-audit: When the 0-audit pool is exhausted, target established protocols adding NEW unaudited code. Gearbox Securitize adapter (0-audit RWA code on audited base), 0x Settler (8 new DEX adapters post-Jan audit), Enzyme CCIP (3 new contracts May 15), Spark xchain Oracle (LayerZero forwarder May 13). The gap between audits is the attack surface.
25. Post-exploit targets have proven attack surfaces: ZetaChain ($334K exploit Apr 2026 + dismissed prior report), Impermax ($300K hack Apr 2025), Silo Finance ($545K exploit Jun 2025). Protocols that have been exploited once are more likely to have residual bugs in adjacent code.
26. Emerging EVM chains = less competition: Monad ($392M TVL), MegaETH ($708M TVL), Ink chain. Fewer auditors targeting newer chains means higher residual bug probability. But verify EVM compatibility and bounty maturity first.
C35 (Maximum Throughput) · COST LESSON:
30. UUPS onlyProxy (OZ v5+) kills ALL _disableInitializers findings. FP Rule #32. TermMax ($0) + ZetaChain ($0) = same pattern. Attacker initializes but CANNOT upgrade. Only pre-OZ-4.3.2 UUPS are exploitable.
31. "Code diff is real" ≠ "exploitable". SPARK-01 is a genuine divergence. But useAuction=true default = dead code. Check full execution path, not just diff.
32. STOP OPUS SCANNING. C27+C28+C35 = $210 Opus, 0 payable. DeepSeek C7-C34 = $32, also 0 payable but 6.5x cheaper. Manual reads ($0) found both Moonwell findings (only confirmed payable in pipeline). Opus for scanning is negative ROI.
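Gate check 12 from lessons 20-23 and FP Rule #32 from lesson 30, as an added Foundry test that is not code from the page or from TermMax/ZetaChain. The contracts (LeakyVault, HardenedVault, VaultV2) and addresses are hypothetical; it assumes OpenZeppelin v5 contracts-upgradeable and forge-std are installed. It shows what running the PoC would have shown: the bare implementation can be initialized (steps 1-4), but upgradeToAndCall on it reverts under onlyProxy (step 5), so the proxy is untouched; _disableInitializers() closes steps 1-4 as well.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example (hypothetical contracts). Assumes OZ v5 contracts-upgradeable + forge-std.
import {Test} from "forge-std/Test.sol";
import {Initializable} from "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";
import {UUPSUpgradeable} from "@openzeppelin/contracts-upgradeable/proxy/utils/UUPSUpgradeable.sol";
import {OwnableUpgradeable} from "@openzeppelin/contracts-upgradeable/access/OwnableUpgradeable.sol";
import {ERC1967Proxy} from "@openzeppelin/contracts/proxy/ERC1967/ERC1967Proxy.sol";

/// The pattern the rejected findings had: UUPS implementation with an initializer
/// but no _disableInitializers() in a constructor, so the bare implementation
/// contract's own storage can still be initialized by anyone.
contract LeakyVault is UUPSUpgradeable, OwnableUpgradeable {
    uint256 public version;

    function initialize(address owner_) public initializer {
        __Ownable_init(owner_);
        __UUPSUpgradeable_init();
        version = 1;
    }

    // Only the owner (of whichever storage context is executing) may upgrade.
    function _authorizeUpgrade(address) internal override onlyOwner {}
}

/// Same contract with the best-practice hardening (the "6/8 have it" inconsistency).
contract HardenedVault is LeakyVault {
    constructor() {
        _disableInitializers();
    }
}

/// A second implementation, used only as the target of an upgrade attempt.
contract VaultV2 is LeakyVault {}

contract OnlyProxyGateTest is Test {
    address constant DEPLOYER = address(0xD0); // hypothetical protocol deployer
    address constant OUTSIDER = address(0xBAD); // hypothetical unprivileged caller

    LeakyVault impl;
    LeakyVault proxied;

    function setUp() public {
        impl = new LeakyVault();
        bytes memory init = abi.encodeCall(LeakyVault.initialize, (DEPLOYER));
        // Proxy is initialized via delegatecall: impl's own storage stays at zero.
        proxied = LeakyVault(address(new ERC1967Proxy(address(impl), init)));
    }

    /// Steps 1-4 of the PoC hold: the implementation's storage is initializable.
    /// The proxy's storage, which is what actually governs funds, is unaffected.
    function test_bareImplementationIsInitializable() public {
        vm.prank(OUTSIDER);
        impl.initialize(OUTSIDER);
        assertEq(impl.owner(), OUTSIDER);
        assertEq(proxied.owner(), DEPLOYER);
    }

    /// Step 5, the one that was never run: onlyProxy reverts because
    /// address(this) == __self when called on the implementation directly.
    /// Owning the implementation's storage therefore never reaches the proxy.
    function test_step5RevertsUnderOnlyProxy() public {
        vm.prank(OUTSIDER);
        impl.initialize(OUTSIDER);
        VaultV2 v2 = new VaultV2();

        vm.prank(OUTSIDER);
        vm.expectRevert(UUPSUpgradeable.UUPSUnauthorizedCallContext.selector);
        impl.upgradeToAndCall(address(v2), "");

        // Proxy still points at v1 with the original owner: no fund impact.
        assertEq(proxied.version(), 1);
        assertEq(proxied.owner(), DEPLOYER);
    }

    /// With _disableInitializers() in the constructor even steps 1-4 fail.
    /// That is the defense-in-depth delta the mediation argued: no exploit either way.
    function test_hardenedImplementationRejectsInitialize() public {
        HardenedVault hard = new HardenedVault();
        vm.prank(OUTSIDER);
        vm.expectRevert(Initializable.InvalidInitialization.selector);
        hard.initialize(OUTSIDER);
    }
}
```

Run with `forge test --match-contract OnlyProxyGateTest`; if step 5 does not revert, the target is on a pre-4.3.2 UUPS and the finding deserves a real look, otherwise downgrade per check 12.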

C33 (Gearbox + GammaSwap Scan):
27. EV threshold post-TermMax: $1K minimum. A submission costs 3-5 hours (PoC + writeup + monitoring + potential mediation). At $400 EV ($1K * 40%), that's $80-130/hr opportunity cost. After TermMax ($0 on a genuinely novel finding with on-chain proof), Low findings on Immunefi are not worth the submission overhead. Only submit Medium+ with >$1K EV.
28. Thin wrapper code = audited base protection. Gearbox Securitize (715 LoC) and GammaSwap Vaults (14 contracts) are both thin layers on heavily-audited bases (30 audits and 8 audits respectively). The attack surface in override layers is inherently smaller. Prioritize code that implements novel logic, not code that delegates to audited infrastructure.
29. Dependency access control is the critical question for wrapper code. GammaSwap vaults' entire security model hinges on who can set refType 3 in v1-core. Always identify the single decision point that makes a wrapper finding Critical vs KILL before investing scan time.

C36 (Yearn Closure + Queue Triage):
33. Check payout tiers BEFORE triage. Sherlock #30 = Critical-only. All 6 Yearn Mediums were DOA regardless of code validity. Would have saved C35's $70 Opus if known earlier.
34. Fund-impact filter is lethal. "Can attacker steal with single unauthorized tx?" killed 6/6 findings in <2 hours. Admin-gated + keeper-gated + sub-dust = instant KILL.
35. Thin wrapper = auto-kill. Yearn strategies (C31 32→0) + 0x Settler adapters (C36 KILL) + Midas adapters (C26 114→0). Routing code around audited bases produces 0 survivors. Pattern confirmed across 3 independent tests.
36. C4 shutdown creates urgency. Code4rena closes July 12. Renegade ($2K-$4K honest) is the only live EV item and it's time-gated.

PM1 Final Assessment (C38 Post-Mortem):
37. Optimistic EV projections cause bad decisions. Renegade at "$15K-$50K" justified spending $70 on Opus scanning (C35). Honest EV is $2K-$4K. TermMax at "$0-$2K" should have been $0 after mediation rejection. Inflated portfolio EV = wasted budget.
38. Manual reads ($0) outperformed 20-agent Opus ($70). Both Moonwell findings came from manual code diff. DeepSeek ($32 total) found real bugs but 0 survived the submission gate. Opus ($140 total) found 0 anything. The tool that costs nothing works best.
39. The market is the bottleneck, not the scanner. Pipeline found 8+ real bugs across 8 protocols. But: audit count kills 95% of targets, fund-impact filter kills 80% of findings, duplicate/prior-audit kills the rest. The scanner works. The addressable market is near-zero for automated bounty hunting.
40. Confirmed payouts: $0. Honest remaining EV: $2K-$4K. Total spend: $665+. ROI: negative. The pipeline is a technical success and a financial failure. Pivot recommended.

C49-C51 (2026-05-30) · Composability Pivot:
45. Cross-protocol composability is a valid attack THEORY but all top targets are fortress-tier. C50 identified 3 confirmed exploit classes ($315M+ real losses): ERC4626 donation, calldata injection in routers, oracle cross-heartbeat. 13 targets scored. But C51 PM1 killed all top 3: Fluid (7+), 0x (9), Gearbox (30 audits).
46. Sourcing agents underreport audit counts 100% of the time. C50 composability scan reported: Fluid "1 audit" (actual: 7+ from 4 firms), 0x "no audits" (actual: 9 from 5-6 firms), Gearbox unreported (actual: 30, $3M security). Immunefi API AND agent-sourced data are BOTH unreliable. Manual GitHub /audits + Google verification is the ONLY reliable method.
47. Gearbox = most audited protocol in pipeline history (30 audits). ERC4626 adapter specifically covered by 4 ChainSecurity audits. Zero production exploits in 3+ years. That sets the ceiling of what "fortress-tier" means.
48. Manual code reads remain highest-value operation. Fluid oracle deep read (15+ files, 0 cost) definitively established: no Chainlink staleness = design choice (rely on UniV3 TWAP + CappedRate). DEX oracle reads Liquidity layer accounting, not raw balances. No automated scanner would have reached this conclusion.
49. Confirmed payouts: $0 across 51 campaigns. Total spend: $791. ROI: deeply negative. K2 TP-6 ($250-$500 EV) is the only remaining active submission. Composability pivot confirmed: valid angle, fortress targets.

C52-C54 (2026-05-30/31) · Sentinel + Long Tail:
50. Commit sentinel works as sourcing tool but produces 0 exploitable findings. C52: 202 repos, 9 hits, 2 read closely (Optimism, Lido CSM) · all commits were governance-gated or audit fixes. C53: 258 repos, 7 hits, all speed-killed. The methodology is valid (infosec_us_team pattern) but requires MANUAL code expertise, not automated scanning.
51. Immunefi API audit count is 100% unreliable · confirmed across 10+ protocols. LayerZero (API:0, real:15+), Spark (API:0, real:16+), Kamino (API:0, real:18+), Orderly (API:2, real:17), Enzyme (API:0, real:50+), Lombard (API:0, real:15). NEVER use API audit field for targeting decisions.
52. Long tail thesis ($10K-$100K programs) is DISPROVEN. 278 Immunefi programs filtered to 33 ($10K-$100K, GitHub, no KYC) → 12 non-EVM killed → 6 audit-comp killed → 5 stale DEAD → 5 over-audited KILL → 1 survivor (MUX v3, $100K). 2826 lines read closely across 8 files. ALL fund-flow paths role-gated. Small bounties do NOT mean less audited.
53. All three targeting strategies are now exhausted. Top tier (fortress · C46), mid tier (audited · C48-C51), long tail (stale/audited · C54). Only remaining vector: genuinely new 0-audit protocol launches.
54. Confirmed payouts: $0 across 54 campaigns. Total spend: $791. ROI: deeply negative. Portfolio (Jun 2): 10 active submissions across 2 platforms ($12K-$12.5K EV). HackerOne GitLab CLOSED N/A Jun 2 (resubmittable). SC is 2% of portfolio EV. Revenue is in AI/ML (Huntr), not SC bounties.
55. [warning] THE PIPELINE FINDS REAL BUGS. THE BOTTLENECK IS SPEED. C58 GitLab 19.0: 5/7 leads matched published CVEs (CVE-2026-5297 search XSS 8.7, CVE-2026-6073 agent XSS 8.7, CVE-2026-1322 PAT bypass 6.8, CVE-2026-6335 Banzai XSS 5.4, CVE-2026-7471 VR SSRF 3.5). We independently found the same bugs as GitLab's security team and paid researchers. We're just arriving after the fix ships. This changes everything: the methodology is CORRECT, but auditing stable features = guaranteed duplicates.
56. [warning] TARGET BETA/EXPERIMENT FEATURES ONLY. Published CVEs only exist for features that shipped in stable releases and were reported months ago. Beta features haven't gone through that cycle · ZERO CVE history = ZERO prior researchers = we CAN be first. CI Expert Agent (Beta), Custom Flows (agent-config.yml), Fine-grained PATs (Beta) · all under-reviewed, all have proven CVE patterns in adjacent stable code. Stop auditing stable features. Go where no researcher has been.
57. Prompt injection is our proven bug class. H1 #3755172 (MCP agent prompt injection) + CVE-2026-6073 (Duo Agent output XSS 8.7) confirm AI agent prompt injection is the highest-value attack surface in GitLab. CI Expert Agent (Beta) reads repo content and generates executable .gitlab-ci.yml · same pattern, same bug class, zero prior reports. Priority 1 for Session 4.
58. [warning] BETA-ONLY STRATEGY VALIDATED IN ONE SESSION. G7 Session 4: targeted ONLY beta features (CI Expert Agent + Custom Flows). Custom Flow close read found CVSS 8.4 setup_script token theft in ~2 hours of focused code review. CI Expert killed (chat-only, no execution path · standard indirect prompt injection). The key insight: DETERMINISTIC bugs (unsandboxed script + exposed tokens) are higher-value than LLM-dependent bugs (prompt injection). Always trace the execution boundary: where does untrusted input meet privileged context WITHOUT going through an LLM? That's where the real bugs live. Strategy: beta features + execution boundary analysis = confirmed high-severity findings.
C39-C40 (2026-05-20/21) · API Audit Count is Completely Useless:
41. Immunefi API "0 audits" is wrong 100% of the time on established protocols. C40 verified: Ondo (API: 1, real: 21), Lido (API: 1, real: 120+), Flux (API: 0, real: 4), Fluid (API: 0, real: 12+), Felix (API: 0, real: 5), Gains (API: 0, real: 8), Folks (API: 0, real: 15). C39: DeFi Saver (API: 0, real: 6). NEVER trust the API field. Always verify via GitHub /audit folder + Google "protocol audit report".
42. Speed-kill triage is the correct approach. 5 minutes per target via web search kills 100% of fortress protocols. 13/13 C40 targets died in triage. No scanning, no agents, no cost. The manual audit-count check is the single most valuable pipeline operation.
43. Protocol death = deposit refund opportunity. MachFi died and Sherlock refunded $250 anyway. Always ask for refunds on dead protocol submissions.
44. Exploit-driven scanning is dead for EVM. C41: Cetus $223M overflow pattern scanned across 6 CL DEX repos · ALL use the 512-bit Remco Bloemen mulDiv (battle-tested 3+ years). KelpDAO $290M = infrastructure/OPSEC, not code. Solidity 0.8+ checked arithmetic + 512-bit mulDiv + a*b/a==b guards = 3 independent defense layers; EVM AMMs built on them are not exposed to this exploit class. Only Solana/Move code carries Cetus-analog risk. $3 spent, 0 findings. FP Rule #35.
MachFi Sherlock Rejection · 5 Lessons (Each One Expensive)
Submitted: BandOracle staleness check missing. Rejected: 5 independent reasons. $250 deposit refunded (protocol died). May 2026.
Lesson 1: Check the scope FILE LIST, not just the protocol name.
BandOracle.sol was not in the scope table. The pipeline checked that MachFi had a bounty and that oracle contracts existed, but never verified that THIS SPECIFIC FILE was listed on the scope page. Gate check #6 (contract in scope table) would have caught this in 60 seconds.
Lesson 2: Read the bounty program's severity restrictions.
MachFi's program was Critical-only. The finding was Medium at best. Even if BandOracle had been in scope, a Medium finding on a Critical-only program pays $0. Check what severities are accepted before writing the submission.
Lesson 3: Read the PLATFORM's validity criteria, not just the program's.
Sherlock's judging guidelines explicitly say: "Stale prices and Chainlink round completeness recommendations are invalid." The finding was literally a stale price recommendation. A platform-level kill rule that applies to every Sherlock submission. The pipeline didn't know this rule existed.
Lesson 4: "Trusted oracle provider" kills the entire finding class.
The program description said price feed oracles are trusted to submit prices on time. If the oracle provider is trusted, any bug that requires the oracle to fail is out of scope. This kills staleness findings, freshness findings, and liveness findings on any program that trusts its oracle providers. Most programs do.
Lesson 5: Protocol death doesn't mean deposit death.
MachFi shut down. The $250 deposit looked lost. But Sherlock refunded it anyway because the protocol died, not because the submission was valid. That beats expectations. Always ask for the refund even when rejected.
THE META-LESSON:
The MachFi submission was the pipeline's second submission ever (after TermMax). It was filed before the 11-point gate existed. Every single rejection reason would have been caught by the gate. The $250 deposit was at risk for 6 days because 5 minutes of pre-submission checking wasn't done. The gate exists now specifically because of TermMax and MachFi. Don't skip it. Ever.
New FP Rules from MachFi:
FP #33: Oracle provider bugs = OOS universally. If program trusts oracle providers, all oracle-failure findings are dead.
FP #34: Stale price checks are INVALID per Sherlock judging guidelines. Platform-level kill · applies to ALL Sherlock submissions.

09 · Monitor Schedule · Effective 2026-05-31 · ALL TIERS EXHAUSTED

Daily (1.5-2 hours)
30 min: Sentinel check (responses, new programs)
1 hour: ONE protocol fund-flow review
30 min (if found): Targeted DeepSeek + forge PoC
Weekly (Monday, 10 min)
Immunefi API: new programs >$50K
Sherlock: new contests/bounties
HackenProof: post-exploit bounties
Review & reprioritize target queue
Target Queue (Post-C54 · ALL TIERS EXHAUSTED)
C54 KILL (Long Tail):
MUX v3 ($100K) · Sole survivor from 278→33→1 filter chain. 1 Guardian audit + ~700 lines post-audit delta. 2826 lines across 8 files read closely: Swapper.sol (no AC but zero balance between txs), SusdcOracleL2.sol (staleness, scope excluded), Delegator.sol (delegatecall safe), CollateralPool/FacetOpen/FacetClose (all onlyCore/onlyOrderBook). ALL fund-flow paths role-gated. 0 findings.

C53 KILLS (Sentinel Run):
258 repos (60 programs), 7 .sol hits · all governance-gated changes, audit fixes, or vendor refactor. "0 audit" hot targets ALL verified as fortress: LayerZero (15+), Spark (16+), Kamino (18+), Chainlink (50+), Enzyme (50+), Lombard (15).

C52 KILLS (First Sentinel):
Optimism · 3 commits, all governance-gated. Lido CSM · 4 commits, audit fixes only.

CONDITIONAL (MONITOR):
Kelp DAO CCIP (MONITOR) · post-$292M exploit, migrating to Chainlink CCIP, new contracts NOT in scope yet

C54 CONCLUSION · All Tiers Exhausted:
Top tier ($1M+): fortress defense-in-depth (C46 Sky+Stargate)
Mid tier ($100K-$1M): 3-30 audits per protocol (C48-C51)
Long tail ($10K-$100K): same audit coverage + stale code + illiquid token payouts (C54)
Only vector remaining: genuinely new 0-audit protocol launches on Immunefi/Sherlock.

60+ PROTOCOLS KILLED across 58 campaigns. ALL TIERS EXHAUSTED. Monitor mode active.
Monthly Triggers
  • JUNE 15: Hyperbridge · KILLED (14 vulns found/patched, $50K HackenProof, low EV)
  • yRoboTreasury Sherlock #30 · REJECTED May 29. "All governance roles trusted." $250 refunded.
  • [ok] EMAILED VIA GMAIL: GitLab MCP OAuth Dynamic Reg - CVSS 7.1 High. Sent Jun 10 via Gmail (prior Jun 3 Mail.app attempt FAILED · SMTP auth:none). Confirmed in Gmail Sent. AWAITING RESPONSE.
  • [ok] EMAILED VIA GMAIL: GitLab MCP SSRF + IDOR - CVSS 5.4-6.9 Medium. Sent Jun 10 via Gmail. Confirmed in Gmail Sent. AWAITING RESPONSE.
  • HACKERONE: GitLab #3755172 - Priv Escalation via AI Agent (High 8.8). Closed N/A Jun 2. Resubmitted Jun 2 (32 screenshots + video). FOLLOW-UP COMMENT POSTED Jun 10. Request Mediation if no response by Jun 13.
  • HACKERONE: GitLab #3755989 - Stored XSS via .html_safe (High 7.3). Closed N/A Jun 2. Resubmitted Jun 2. FOLLOW-UP COMMENT POSTED Jun 10. Request Mediation if no response by Jun 13.
  • HUNTR: 5 bounty-eligible - GGUF ($4K) + Keras safe_mode ($4K) + ExecuTorch ($1.5K) + PMML ($1.5K) + Keras Lambda ($1K). EV $8K-$9K. Payout Jun 25.
  • JUDGING: K2 TP-6 C4 - claim_all_rewards Medium. Contest ended May 27. $135K pool. EV $131.
  • [ok] NEW FINDING: setup_script Token Theft (CVSS 8.4 High) - G7 Session 4 close read. Maintainer steals composite identity token via unsandboxed setup_script. Report written. PENDING EMAIL to security@gitlab.com.
  • CI Expert Agent prompt injection · KILLED: chat-only agent, no execution path, standard indirect prompt injection
  • JULY 12: C4 final shutdown · Renegade DEAD (79/79 rejected, $25 lost)
  • JULY 17: TermMax mediation · effectively $0
  • Moonwell · KILLED (CompositeOEV exploited $1.78M Feb 2026, patched by Halborn)
  • Gearbox Securitize · KILLED (adapter doesn't exist)
  • New bounty monitoring · Immunefi/Sherlock weekly sweep for 0-audit launches (only remaining pipeline activity)
G7 COMPLETE (Jun 10). SESSION 4 BETA-ONLY CLOSE READ. 1 CONFIRMED FINDING. Composite Identity Token Theft via setup_script (CVSS 8.4 High). CI Expert Agent KILLED (chat-only, no execution path). Total GitLab reports: 6 (3 emailed, 2 H1, 1 pending email). G6: 70 features audited, 5/7 leads matched CVEs. Methodology pivot: BETA features only → immediate payoff in G7. 15 active submissions across 4 channels. SC pipeline MONITOR ($0 SC payouts, 58 campaigns). Full portfolio EV: $16K-$24K (Huntr $8K-$9K + GitLab ×6 $8K-$15K + K2 $131).
Campaign History · archive · C7 → C58 + G1-G7 · 59 rows
Campaign | Date | Targets | Findings | Cost | Promoted | Key Hits
C7 | 05-14 | 13 | 5,384 | $2.46 | 17 | -
C8 | 05-15 | 4 | 1,709 | $0.95 | 1 | -
C9 | 05-15 | 6 | 2,363 | $0.95 | 5 | USX 9/10, OKX 8/10, Midas 8/10
C10 | 05-15 | 7 | 1,528 | $0.61 | 1 | Inverse 7/10
C11 | 05-15 | 10 | 1,890 | $0.81 | 9 | Inverse 7x, Sector Finance 8/10
C12 | 05-15 | 10 | 3,201 | $1.56 | 8 | TermMax 10/10, GammaSwap 8/10, Twyne 7/10
C13 | 05-15 | 11 | 3,631 | $1.55 | 2 | Ostium 7/10, Resonate 7/10
C14 | 05-15 | 9 | 311 | $0.17 | 2 | Redstone pattern
C15 | 05-15 | 5 | 810 | $0.85 | 5 | Belong signature gaps
C16 | 05-15 | 4 | 65 | $0.00 | 7 | Berachain 3, Phoenix 4
C17 | 05-15 | - | - | $0.00 | 12 | Pattern exhaustion
C18 | 05-15 | 53 | 11,055 | $6.28 | 8 | Inverse || vs && CONFIRMED
C19 | 05-15 | 31 | 14,192 | $8.03 | 10 | Reserve $10M, Pendle $2M
C20 | 05-16 | 20 | 6,669 | $4.93 | 4 | Deep verify: Pendle, Reserve, Alchemix, Lista
C21 | 05-16 | 26 | 5,893 | $2.43 | 0 | Family scan, 0 new findings
C22 | 05-16 | 39 | 957 | $0.07 | 0 | Micro-blitz, pattern exhausted
C23 | 05-16 | - | - | - | - | Submission gate + verification session · Gate: 7/10 killed
C24 | 05-16 | 20 | - | $0.00 | 0 | Inverse/USX/MachFi KILLED. Moonwell acquired.
C25 | 05-16 | 1 | 2 | $0.00 | 2 | Moonwell CompositeOEV x2 NOVEL
C26 | 05-17 | 1 | 114 | $0.04 | 0 | Midas 114→0 FP. Sentinel: 0 new.
C27 | 05-17 | 1 | 60+ | ~$35 | 0 | Enzyme Onyx: 20 Opus agents, 0 survivors. Sulu V2 solid AC.
C28 | 05-17 | 1 | 80+ | ~$35 | 0 | Yearn V3: 20 Opus agents, 21.6K LoC, 4 repos. All HIGH admin-gated OOS.
C29 | 05-17 | 1 | 70 | $0.05 | 0 | PM2 Day 1: Pinto 70→0. Dual-lock reentrancy + EMA pump.
C30 | 05-17 | 10 platforms | - | $0.00 | 0 | Platform expansion: Cantina added (52 bounties). Cork/Kinetiq/Yearn V3 Sherlock targets. Solodit 12 improvements.
C31 | 05-18 | 1 | 32 | $0.02 | 0 | PM2 Day 2: Yearn V3 strategies 32→0. 9 types, 5.2K LoC. Cantina all SKIP. Flying Tulip CONDITIONAL.
C32 | 05-18 | 20 agents | - | $0.00 | 0 | 20-agent full recon: 10 new targets. Gearbox Securitize #1. Post-audit-delta validated. 5 new FP rules. Emerging chains intel.
C33 | 05-18 | PM1 Manual, 7 | 15+ (~1500) | $0.00 | 2 | Gearbox Securitize: G-01 liquidator NAV overvaluation (Low-Med, $400 EV). GammaSwap Vaults: blocked on v1-core refType 3 access control. DeFi Saver: scoped for future PM2. Manual code read, 0 DeepSeek spent.
C34 | 05-18 | 19 agents | 80+ | $0.00 | 0 | PM1: GammaSwap KILL (protocol-only), Gearbox NOT DEPLOYED, G-01 KILL (spec doc). DeFi Saver ($350K) 0 surv. ZetaChain ($100K) 2 CONDITIONAL. Impermax/Variational KILLED. Enzyme CCIP re-scan queued.
C35 | 05-18 | 20 agents | 80+ | ~$70 | 0 | ZetaChain KILLED (onlyProxy OZ v5.0.2). SPARK-01 KILLED (useAuction=true). Enzyme CCIP 0 surv. 6 Yearn Mediums unverified. $70 Opus, 0 payable. STOP OPUS SCANNING.
C36 | 05-19 | 19 agents | - | $0.00 | 0 | PM2 Day 3: Yearn V3 CLOSED (6/6 Mediums KILLED · fund-impact + Sherlock Critical-only). C32 queue: 3 KILLED (GammaSwap, DeFi Saver, 0x Settler), 2 CONDITIONAL (Silo, Variational). New: Hyperbridge #1. C4 closes June 30 → Renegade TIME-GATED.
C37 | 05-19 | 10 agents | - | $0.00 | 0 | Gearbox Securitize: NOT DEPLOYED + 20 hypotheses tested, 0 fund-impact survivors. PERMANENT KILL. Hyperbridge: strong signal but GATE FAIL (14 prior audit findings, reports not public). DEFERRED TO JULY. Renegade deadline corrected: July 12 (not June 30). C4→Immunefi migration confirmed.
C38 | 05-19 | 7 agents | - | $0.00 | 0 | Pinto: KILL (phantom Sherlock #221, 18 audits, C29 70→0). Silo Sonic: KILL (24 audit engagements, 0 fund-impact across leveraged + core, Certora FV, 36 known-issues). TIER 1 QUEUE EMPTY. MONITOR MODE.
C39 | 05-20 | 21 agents | - | $0.00 | 0 | Full platform sweep: 16 protocols killed (Flying Tulip, Vesper, Football.Fun, Enzyme Onyx, Usual Labs, Rocket Pool, Morpho, Pendle, Ethena, Axelar, Spark + 5 more). 7 new targets discovered. MachFi rejection processed (5 reasons, FP #33-34). Fira/Hyperlane/Nucleus speed-killed next day.
C40 | 05-21 | 20 agents | - | $0.00 | 0 | Tier 2 speed-kill: 14/14 KILLED. Ondo (21), Flux (dead+4), Fluid (12+), Lido (120+), NUVA (2), Floe (1+known bug), EigenLayer (5+), Felix (5 firms), Gains (8 CertiK), Folks (15), Veda Ink (15+11 same BoringVault). API "0 audits" wrong 100%. QUEUE EMPTY.
C41 | 05-22 | 20 agents | 0 | ~$3.00 | 0 | PM2 Exploit-Driven Scanning: Cetus $223M overflow pattern → 6 repos scanned, ALL SAFE (512-bit mulDiv). KelpDAO $290M DVN → infrastructure not code, LZ BBP excludes OApp misconfig. Both exploit classes dead for EVM. FP Rule #35: CETUS_OVERFLOW_PATTERN.
C42 | 05-27 | 15 agents | - | $0.00 | 1 | Deep code analysis: yRoboTreasury Factory.call() CRITICAL privilege escalation FOUND (raw_call gives operator full auction governance). Veda uint128 truncation KILLED (unreachable). Phoenix KILL ($0 TVL). SmarDex KILL (7 audits). 23 kills in C41-C42.
C43 | 05-28 | Manual + K2 | - | $0.00 | 1 | yRoboTreasury SUBMITTED (Sherlock #30, $250 staked). First submission passing all 4 Cardinal Rules. K2 TP-6 submitted.
C44 | 05-28 | Sentinel | - | $0.00 | 0 | Sentinel sweep: Immunefi 279 (down 3), Sherlock 31, Cantina 10. 0 new programs (14+ day drought). Renegade confirmed DEAD (79/79 rejected). yRobo JUDGING confirmed.
C45 | 05-28 | 4 agents | - | $0.00 | 2 TIER 1 leads | Edge-scan recon via periphery trust-boundary methodology: Sky Protocol Launch Agents ($10M, proxy spell call() forwarding, Feb 2026 deployments postdate audits). Stargate V2 OFTWrapper ($10M, not in main scope table, audit gap). Kelp DAO CCIP MONITOR. 2026 exploit trend: $17M+ calldata injection in periphery routers. Renegade confirmed DEAD.
C46 | 05-28 | 20 Opus | - | $0.00 | 0 | Close read: Sky PERMANENT KILL (Primacy of Rules, all roles trusted, no exec pattern, 7 CS audits 2026). Stargate KILL (approve-revoke+nonReentrant, hash chain, onlyPlanner, 2 audits). $10M bounties = fortress-tier. Queue EMPTY.
C48 | 05-30 | 40 agents | 786 | $0.59 | 0 | Ostium ($200K): 4/4 PM1 killed · Data Streams ≠ AggregatorV3. Silo v3 ($100K): 5/5 killed · certora mutant contamination. 9/9 total kills. FP Rules #33-34.
C49 | 05-30 | Manual PM1 | - | $0.00 | 0 | Hooker.vy KILL (production foreplay = complete calldata, EVM ignores appended data). ConvexCore KILL (onlyOperator, Rule 9). Morpho Midnight KILL (minimal scope). 3/3 manual code reads.
C50 | 05-30 | 6 agents | - | $0.00 | 3 leads | NEW: cross-protocol composability scan. 3 exploit classes ($315M+ real exploits): ERC4626 donation, calldata injection, oracle cross-heartbeat. 13 targets identified. Top 3: Fluid ($500K), 0x Settler ($1M), Gearbox ($200K). Sourcing agents claimed low audit counts · ALL WRONG.
C51 | 05-30 | Manual PM1 | - | $0.00 | 0 | Fluid: 15+ oracle files read, 7+ audits (PeckShield, Statemind x3, MixBytes x3, Cantina) → KILL. 0x Settler: 9 audits, Permit2 arbitrary calldata BY DESIGN → KILL. Gearbox: 30 audits, $3M security = most audited ever → KILL. Sourcing agents 100% wrong on audit counts.
C52 | 05-30 | Sentinel | - | $0.50 | 0 | FIRST SENTINEL RUN. 202 repos (40 programs, 14d lookback). 9 .sol hits. 2 read closely: Optimism (3 commits, governance-gated), Lido CSM (4 commits, audit fixes). Methodology validated as sourcing tool.
C53 | 05-31 | Sentinel | - | $0.00 | 0 | 258 repos (60 programs, 7d lookback). 7 sol hits, ALL speed-killed. "0 audit" hot targets ALL verified fortress: LayerZero (15+), Spark (16+), Kamino (18+), Chainlink (50+). Immunefi API 100% unreliable. Platform intel: Morpho Midnight fortress (2 audits + Certora + 241 subs day 1).
C54 | 05-31 | Long Tail | - | $0.00 | 0 | LONG TAIL DISPROVEN. 278 Immunefi → 33 ($10K-$100K, GitHub, no KYC) → 12 non-EVM killed → 6 audit-comp killed → 5 stale DEAD → 1 survivor: MUX v3 ($100K). 2826 lines across 8 files read closely. ALL fund-flow role-gated (onlyOwner/onlyCore/onlyOrderBook). 0 findings. ALL TIERS EXHAUSTED.
C55 | 06-03 | 4 agents | 202 | $0.12 | 0 | FULL SWEEP: Sentinel (202 repos, 8 hot, ALL killed · fortress/role-gated/non-runtime). Platform sweep (0 new programs). Exploit intel (4 new patterns, TrustedVolumes P1). C4 migration (0 migrated). Morpho Midnight marginal. STRATEGIC PIVOT TO GITLAB.
G1 | 06-03 | 6 agents | - | ~$0.30 | 3 | GitLab security research session 1. The attack surface was the MCP feature area (19.x). 3 agents (GraphQL auth, html_safe XSS, CI/CD secrets) + 2 agents (SSRF, new features) + manual verification. Three new findings landed. (1) MCP OAuth Dynamic Reg: unauth app creation + cloud metadata redirect + confidential issue access + pipeline deletion, CVSS 7.1 HIGH, full E2E PKCE PoC verified. (2) SSRF via MCP Server OAuth token_endpoint: OAuth2 gem bypasses Gitlab::HTTP, CVSS 6.9. (3) IDOR in MCP OAuth Controller: global McpServer.find without org scoping, CVSS 5.4. Automated Python PoC + asciinema recording. FIRST GITLAB FINDING WITH END-TO-END EXPLOIT COMPLETION.
Totals: 55 SC campaigns + 1 GitLab session • 930+ SC targets • 77,000+ SC findings • $32.52 DeepSeek + ~$140 Opus • 5 SC submitted • 1 escalated • $0 confirmed SC payouts. Full portfolio (Jun 3): GitLab H1 ×5 reports ($10K-$14K EV), Huntr 5 pending ($8K-$9K EV), K2 judging ($131 EV). Total invested: $795. SC pipeline: AUTOPILOT. PRIMARY FOCUS: GITLAB SECURITY RESEARCH. 3 NEW FINDINGS READY TO SUBMIT.

10 · Platform Status · May 31, 2026

Platform | Programs | Status | Notes
Immunefi | 279 | DOMINANT | Q1 2026: $7.87M paid (228% up). API "0 audit" field 100% unreliable (verified 10+ protocols). C54: long tail ($10K-$100K) mapped · 33 programs, all exhausted. 0 new launches (18+ day drought).
Sherlock | 31 bounties | ACTIVE | yRobo REJECTED on #30 ($250 refunded). ARC-41 ($155K) was 2024 contest (removed C56). NOW accepts High (not just Critical).
Cantina | 10 bounties | ALL FORTRESS | Euler v2 Code Audit ($1.25M, May 20–Jun 17) ACTIVE but fortress. Morpho Midnight ($400K): 2 prior audits + Certora FV + 241 subs day 1. All fortress-tier. 0 actionable.
HackenProof | 200+ | SATURATED | 0 new. High submission counts (355-519). Skip.
Solodit | 50K+ findings | REFERENCE | Pattern database. 8 prompt updates + 4 FP rules identified (C30).
Code4rena | - | DEAD (Jul 12) | Shutdown May 13. Migration to Immunefi confirmed. 79/79 submissions on Renegade ALL rejected.
CodeHawks | - | DORMANT | No new contests since Q1 2026.
Hats Finance | - | DEAD | Ceased Dec 31, 2025.
DeepSeek False Positive Taxonomy · archive · 21 confirmed FP patterns
# | Pattern | Example Kill
1 | Hallucinated functions | 0x Settler cleanup() doesn't exist
2 | Hallucinated missing modifiers | Ethena, Avail, Fluid · all have AC
3 | Test vs production confusion | Morpho Certora test rig
4 | Inverts correct math | Lombard PMM decimals
5 | Proxy confusion | PancakeSwap not upgradeable
6 | Design-as-bug | StakeStone stablecoin deviation
7 | Cross-contract blindness | Doesn't trace validation across contracts
8 | OZ ReentrancyGuard misunderstanding | Per-function vs global
9 | Oracle confusion (Pyth vs Chainlink) | Confuses price feed types
10 | delegatecall context blindness | DeFi Saver, Orderly
11 | Internal functions flagged as missing AC | MUX: 6 kills
12 | Inheritance chain blindness | Royco _disableInitializers in base
13 | OZ AccessManaged not recognized | restricted modifier
14 | L2 sequencer hallucination (#1 FP) | Confuses ERC4626 with Chainlink
15 | Quotes modifier while reporting it missing | Aspida: 13/15 FPs
16 | Can't trace library functions | Pendle PMath.Uint() has require
17 | Misreads role-gated functions | Lista BOT-role + lender validation
18 | UUPS onlyProxy blindness | TermMax: claimed impl takeover but onlyProxy blocks upgradeToAndCall
32 | UUPS_ONLYPROXY_V5 (CRITICAL) | TermMax + ZetaChain: OZ v5+ onlyProxy blocks ALL impl upgrades. Init-only = $0.
33 | Oracle provider bugs = OOS | MachFi: if program trusts oracle providers, ALL oracle-failure findings are dead (staleness, freshness, liveness).
34 | Stale price checks INVALID (Sherlock) | MachFi: Sherlock judging guidelines explicitly say stale prices + round completeness = invalid. Platform-level kill on ALL Sherlock subs.
35 | CETUS_OVERFLOW_PATTERN (EVM) | C41: Custom CL math overflow findings on EVM protocols using FullMath.mulDiv or 512-bit Remco Bloemen = FALSE POSITIVE. Cetus bug was Move-specific (wrong bitmask in checked_shlw). EVM has 3 defense layers: Solidity 0.8+ checked arithmetic + 512-bit mulDiv + a*b/a==b guards. All 6 scanned repos SAFE.

Lessons & Pipeline Ideas

PM1 Fund-Impact Reviews (Days 1-5) • 28 Protocols • $11B+ TVL • 0 Findings

Defense taxonomy, what kills each attack class

Every protocol reviewed has ONE OR MORE of these. If a target has 3+, it's a near-certain KILL.

Defense Pattern | Kills These Attacks | Protocols Using It | Detection Time
Role-Gated Fund Flows | All permissionless attacks (mint, redeem, bridge) | Lombard (consortium), Ethena (MINTER_ROLE), MUX | 5 min · check if mint/redeem has onlyRole
Monotonic Index Ratchet | Flash loan manipulation, oracle sandwiching | Pendle (pyIndex MAX), Spark (chi only increases) | 10 min · check if exchange rate can decrease
Internal Accounting | Donation attacks, direct transfer manipulation | Pendle (_storage.totalPt/Sy), Ethena (unvested tracking) | 5 min · check if totalAssets uses balanceOf vs internal var
Time-Based Rate Accumulator (DSR) | ERC4626 inflation, share manipulation | Spark (chi/rho/vsr), MakerDAO DSR | 5 min · check if share price derives from time vs balanceOf
MIN_SHARES / MINIMUM_LIQUIDITY | First depositor inflation, share rounding | Ethena (1e18), Pendle (1000), Uniswap V2 pattern | 2 min · check constructor or first-deposit logic
Vesting Period | Flash-loan reward extraction, frontrunning | Ethena (8hr linear vesting), Pendle (per-user index) | 5 min · check if rewards are instantly claimable
nonReentrant on ALL externals | Reentrancy, flash swap exploitation | Pendle (6/6 functions), Ethena, Yearn V3 (@nonreentrant) | 2 min · grep for nonReentrant coverage
Post-Callback Balance Checks | Flash swap underpayment | Pendle (PT balance after callback), Uniswap V3 pattern | 5 min · check what happens after callback
Cooldown / Timelock | Instant withdrawal MEV, governance flash loans | Ethena (7-90 day cooldown), Spark (delay patterns) | 2 min · check if withdrawal is instant
Per-User Interest Index | Retroactive yield claims, double-claiming | Pendle (userInterest[user].index), Ethena (cooldown mapping) | 5 min · check what happens on first interaction
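The Internal Accounting and MIN_SHARES rows above are the two defenses the 5-minute check looks for against the first-depositor inflation (donation) attack. The following is an added example, not pipeline code from this page: an integer-math model of an ERC4626-style vault run through the attack three times, once with a balanceOf-based totalAssets(), once with internal accounting, and once with a Uniswap-V2-style dead-share lock. The vault, the dead address constant, and all amounts are constructed for the example.

```python
"""Added worked example (not the page's pipeline code): an integer-math model of
an ERC4626-style vault that shows why two rows of the defense taxonomy,
Internal Accounting and MIN_SHARES / MINIMUM_LIQUIDITY, kill the first-depositor
inflation (donation) attack. Contract, dead address and amounts are constructed."""

WAD = 10**18
DEAD = "0x000000000000000000000000000000000000dEaD"  # hypothetical burn address


class Vault:
    """Share accounting only; token transfers are modelled as integer balances."""

    def __init__(self, internal_accounting: bool, min_shares: int = 0):
        self.internal_accounting = internal_accounting
        self.min_shares = min_shares
        self.balance = 0       # what asset.balanceOf(address(vault)) would return
        self.tracked = 0       # internal accounting variable: deposits minus withdrawals
        self.total_supply = 0
        self.shares: dict = {}

    def total_assets(self) -> int:
        # The taxonomy check: does totalAssets() read balanceOf or an internal variable?
        return self.tracked if self.internal_accounting else self.balance

    def _mint(self, who: str, amount: int) -> None:
        self.shares[who] = self.shares.get(who, 0) + amount
        self.total_supply += amount

    def deposit(self, who: str, assets: int) -> int:
        if self.total_supply == 0:
            # First deposit: Uniswap-V2 style, MIN_SHARES are locked to a dead address
            if assets <= self.min_shares:
                raise ValueError("first deposit must exceed MIN_SHARES")
            if self.min_shares:
                self._mint(DEAD, self.min_shares)
            minted = assets - self.min_shares
        else:
            # Standard convertToShares, rounding down: the attack relies on this floor
            minted = assets * self.total_supply // self.total_assets()
        self.balance += assets
        self.tracked += assets
        self._mint(who, minted)
        return minted

    def donate(self, assets: int) -> None:
        # A raw ERC20 transfer to the vault: no shares minted, internal variable untouched
        self.balance += assets

    def redeem(self, who: str, shares: int) -> int:
        if shares > self.shares.get(who, 0):
            raise ValueError("insufficient shares")
        assets = shares * self.total_assets() // self.total_supply
        self.shares[who] -= shares
        self.total_supply -= shares
        self.balance -= assets
        self.tracked = max(0, self.tracked - assets)
        return assets


def first_depositor_attack(vault: Vault, seed: int, donation: int = 1000 * WAD,
                           victim_deposit: int = 500 * WAD) -> dict:
    """Attacker seeds the empty vault, donates to inflate the share price, the victim
    deposits, the attacker exits. Returns what each side ends up with."""
    attacker_shares = vault.deposit("attacker", seed)
    vault.donate(donation)
    victim_shares = vault.deposit("victim", victim_deposit)
    attacker_out = vault.redeem("attacker", attacker_shares)
    victim_out = vault.redeem("victim", victim_shares) if victim_shares else 0
    return {
        "victim_shares": victim_shares,
        "victim_out": victim_out,
        "attacker_net": attacker_out - seed - donation,
    }


if __name__ == "__main__":
    runs = (
        ("balanceOf totalAssets", first_depositor_attack(Vault(internal_accounting=False), seed=1)),
        ("internal accounting", first_depositor_attack(Vault(internal_accounting=True), seed=1)),
        ("MIN_SHARES=1000", first_depositor_attack(Vault(internal_accounting=False, min_shares=1000), seed=1001)),
    )
    for name, r in runs:
        print(f"{name:22} victim shares={r['victim_shares']:>4} "
              f"victim out={r['victim_out'] / WAD:8.3f} attacker net={r['attacker_net'] / WAD:+10.3f}")
```

With balanceOf-based accounting the victim's 500e18 deposit rounds to 0 shares and the attacker walks away with it. Internal accounting makes the donation invisible to share math, so the attacker simply burns the donated 1000e18 (it is stranded in the vault's balance). The dead-share lock alone still leaves the victim a fraction of a percent short, but the attacker loses almost the whole donation, which is why the page treats either defense as a kill signal for this finding class.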

PM1 Fund-Impact Review Results (Days 1-5)

Day | Target | Max Bounty | TVL | LoC Read | Contracts | Findings | Kill Reason | Cost
Sprint | Pinto | $100K | $0 | 0 | 0 | 0 | $0 TVL, dead protocol | $0
Sprint | Silo Finance | $100K | $6M | 0 | 0 | 0 | 16 audits + formal verification | $0
Day 2 | Lombard Finance | $250K | $1B+ | 2,800 | 10 | 0 | Consortium multisig gates everything | $0
Day 3 | Sparklend | $5M | $3B+ | 1,000 | 10 | 0 | DSR chi-pattern, admin-only delta | $0
Day 4 | Ethena | $3M | $5.38B | 1,170 | 5 | 0 | Gated mint, MIN_SHARES, 8hr vesting | $0
Day 5 | Pendle | $250K | $1.546B | 1,673 | 7 | 0 | Correct AMM math, monotonic index | $0
SY Farm | Pendle SY Wrappers (18) | $250K | - | ~2,500 | 18 | 0 | 80% oracle rates, pyIndex ratchet | $0
TOTAL | | $8.95M | $11B+ | ~9,143 | 50 | 0 | | $0 cost

8 Cardinal Rules (Post-TermMax, Permanent)

R1: PoC must complete full attack on unmodified mainnet fork. Modified contracts or custom mocks = KILL.
R2: Immunefi pays for fund impact ONLY. "They should fix this" = $0. Needs: theft, permanent freeze, or protocol insolvency.
R3: Escalation is NOT validation. Immunefi escalation = triager asking project, NOT confirming severity.
R4: "They'll fix it" is worth $0. Design improvements, best practices, theoretical risks with no exploit path = unpaid.
R5: Codebase inconsistency is NOT impact. Source vs deployed mismatch, unused code, naming errors = $0 unless enables theft.
R6: Submit at severity PoC demonstrates. Don't claim Critical if PoC shows Medium.
R7: Check onlyProxy before any UUPS finding. FP Rule #32: _disableInitializers() + onlyProxy = no uninitialized impl exploit.
R8: Mediation is negative EV on best-practice findings. Don't waste 23hr slot on findings that are "correct but not impactful."

Q1-Q4 Pre-Submission Checklist

Q1: Permissionless Single-TX Theft?
Can an unauthorized user steal funds or break protocol state with a single transaction?
NO = KILL
Q2: Unmodified Mainnet Fork PoC?
Does the PoC complete on an unmodified mainnet fork with real deployed contracts?
NO = KILL
Q3: Known Issue?
Is this in any prior audit, contest, or submission?
YES = KILL
Q4: Minimum EV?
Minimum realistic payout x probability ≥ $1K?
BELOW = KILL
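The MachFi lessons and the Q1-Q4 checklist are the same gate seen from two sides: program/platform policy on one, the finding's own properties on the other. The following is an added example, not the pipeline's gate implementation: both sets of checks as one function that returns every failed gate with its reason, run against a constructed Sherlock Critical-only program that trusts its oracle providers and two constructed findings (a BandOracle-style staleness report and a permissionless theft). The program data, platform regexes, finding fields and payout numbers are assumptions for the example; FP numbers refer to this page's taxonomy.

```python
"""Added worked example (not the page's gate implementation): the MachFi lessons
and the Q1-Q4 checklist as one pre-submission gate. Program and platform policy
are plain data, the candidate finding is a dict, and every failed gate comes
back with its reason. The program, platform rules and both findings are constructed."""

import re

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# Platform-level kill rules (Lesson 3): regex over the finding title.
PLATFORM_RULES = {
    "sherlock": [
        (re.compile(r"stale (price|oracle)|round completeness|latestRoundData", re.I),
         "Sherlock judging guidelines: stale prices / round completeness are invalid (FP #34)"),
    ],
    "immunefi": [
        (re.compile(r"best practice|should (also )?validate|recommend", re.I),
         "Immunefi pays for fund impact only; best-practice findings are $0 (R4)"),
    ],
}


def gate(program: dict, finding: dict) -> list:
    """Return the list of failed gates; an empty list means the finding may be submitted."""
    failures = []

    # Lesson 1: the exact file must be in the scope table, not just the protocol.
    if finding["file"] not in program["scope_files"]:
        failures.append(f"{finding['file']} is not in the scope file list")

    # Lesson 2: severity must be one the program accepts.
    if SEVERITY_RANK[finding["severity"]] < SEVERITY_RANK[program["min_severity"]]:
        failures.append(f"{finding['severity']} finding on a {program['min_severity']}-only program")

    # Lesson 3: platform validity criteria apply to every submission on that platform.
    for pattern, reason in PLATFORM_RULES.get(program["platform"], []):
        if pattern.search(finding["title"]):
            failures.append(reason)

    # Lesson 4 / FP #33: a bug that needs a trusted role to misbehave is out of scope.
    trusted = set(program["trusted_roles"]) & set(finding["requires_misbehaviour_of"])
    if trusted:
        failures.append(f"requires trusted role(s) to fail: {', '.join(sorted(trusted))}")

    # Q1-Q3: permissionless single-tx impact, unmodified fork PoC, not a known issue.
    if not finding["permissionless_single_tx"]:
        failures.append("Q1: not a permissionless single-transaction theft/freeze")
    if not finding["unmodified_fork_poc"]:
        failures.append("Q2: PoC does not complete on an unmodified mainnet fork")
    if finding["known_issue"]:
        failures.append("Q3: already in a prior audit, contest or submission")

    # Q4: minimum realistic payout x probability of acceptance must clear $1K.
    ev = finding["min_payout_usd"] * finding["p_accept"]
    if ev < 1_000:
        failures.append(f"Q4: EV ${ev:,.0f} below $1K floor")
    return failures


# Constructed MachFi-like program: Sherlock, Critical-only, oracle providers trusted.
MACHFI_LIKE = {
    "platform": "sherlock",
    "scope_files": ["src/Lending.sol", "src/Liquidator.sol"],
    "min_severity": "critical",
    "trusted_roles": ["oracle provider", "governance"],
}

STALENESS_FINDING = {
    "file": "src/BandOracle.sol",
    "title": "Missing stale price check on BandOracle feed",
    "severity": "medium",
    "requires_misbehaviour_of": ["oracle provider"],
    "permissionless_single_tx": False,
    "unmodified_fork_poc": True,
    "known_issue": False,
    "min_payout_usd": 5_000,
    "p_accept": 0.1,
}

THEFT_FINDING = {
    "file": "src/Liquidator.sol",
    "title": "Liquidator seizes collateral without repaying debt",
    "severity": "critical",
    "requires_misbehaviour_of": [],
    "permissionless_single_tx": True,
    "unmodified_fork_poc": True,
    "known_issue": False,
    "min_payout_usd": 50_000,
    "p_accept": 0.3,
}

if __name__ == "__main__":
    for name, f in (("staleness", STALENESS_FINDING), ("theft", THEFT_FINDING)):
        failed = gate(MACHFI_LIKE, f)
        print(f"{name}: {'SUBMIT' if not failed else 'KILL'}")
        for reason in failed:
            print("  -", reason)
```

The staleness finding fails six gates (scope file, severity, the Sherlock platform rule, the trusted-oracle rule, Q1 and Q4); the theft finding passes all of them. The point of returning every failure rather than the first is the meta-lesson above: each rejection reason is cheap to check before a deposit is staked.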

Pipeline Iteration Ideas

IDEA 1: Invert Target Selection
Stop scanning top-10 DeFi protocols ($250K-$5M bounties). They're top-10 BECAUSE their code is fortress-grade. Instead target:
• Fresh Immunefi listings <30 days old with <2 audits and >$10M TVL
• Post-exploit protocols that added new code to fix the exploit (adjacent bugs likely)
• Protocols with recent major version upgrades (V2→V3, V3→V4) where new math is untested
• Cross-chain deployments where mainnet code was ported to L2 with different assumptions
IDEA 2: Speed-Kill Protocol
Days 1-5 showed that 80% of the review time is CONFIRMING defenses, not finding bugs. Build a 5-minute triage checklist:
1. grep -rE "onlyRole|onlyOwner|onlyAdmin" --include='*.sol' . · if mint/redeem are gated: INSTANT KILL
2. grep -rE "balanceOf.*totalSupply|totalAssets.*balanceOf" --include='*.sol' . · if totalAssets uses balanceOf: INVESTIGATE
3. grep -rE "exchangeRate|getRate|convertToAssets" --include='*.sol' . · if rate can decrease: INVESTIGATE
4. grep -rE "nonReentrant" --include='*.sol' . | wc -l vs the count of external/public functions · gaps = INVESTIGATE
Kill in 5 min instead of 60 min. Only read closely the 10% that pass the speed filter.
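The four grep lines answer their questions file-wide, so a gated mint() and an ungated deposit() in the same contract look identical. The following is an added example, not tooling from this page: the same checklist as a script that evaluates each function declaration separately, counts the defenses it finds, and applies the page's two kill rules (gated fund flows = instant kill, 3+ defenses = kill). The two contract sources, the fund-flow function names and the modifier list are constructed for the example.

```python
"""Added worked example (not the page's own tooling): the 5-minute speed-kill
checklist as a script. It looks for the same signals the grep lines look for,
but per function, so a gated mint() and an ungated deposit() in the same file
are told apart. The two contract sources are constructed for the example."""

import re

FUND_FLOW = {"mint", "burn", "redeem", "deposit", "withdraw", "bridge", "borrow", "flashLoan"}
AC_MODIFIER = re.compile(r"\b(onlyRole|onlyOwner|onlyAdmin|onlyGovernance|onlyCore|"
                         r"onlyOrderBook|onlyOperator|restricted)\b")
# function <name>(<params>) <visibility and modifiers> followed by { or ;
FUNC = re.compile(r"function\s+(\w+)\s*\(([^)]*)\)\s*([^{;]*?)\s*[{;]", re.S)
MIN_SHARES = re.compile(r"\b(MIN_SHARES|MINIMUM_LIQUIDITY|MINIMUM_SHARES|_decimalsOffset)\b")


def total_assets_uses_balance_of(source: str) -> bool:
    """True when totalAssets() reads asset.balanceOf(...) rather than an internal variable."""
    parts = source.split("function totalAssets", 1)
    if len(parts) < 2:
        return False
    body = parts[1].split("function ", 1)[0]   # up to the next function declaration
    return "balanceOf(" in body


def triage(source: str) -> dict:
    funcs = [(m.group(1), m.group(3)) for m in FUNC.finditer(source)]
    fund_flows = [(n, mods) for n, mods in funcs if n in FUND_FLOW]
    open_fund_flows = [n for n, mods in fund_flows if not AC_MODIFIER.search(mods)]
    externals = [(n, mods) for n, mods in fund_flows if re.search(r"\b(external|public)\b", mods)]
    missing_nonreentrant = [n for n, mods in externals if "nonReentrant" not in mods]
    balance_of = total_assets_uses_balance_of(source)

    defenses = []
    if fund_flows and not open_fund_flows:
        defenses.append("role-gated fund flows")
    if "function totalAssets" in source and not balance_of:
        defenses.append("internal accounting")
    if externals and not missing_nonreentrant:
        defenses.append("nonReentrant on all fund-flow externals")
    if MIN_SHARES.search(source):
        defenses.append("MIN_SHARES / MINIMUM_LIQUIDITY")

    # Checklist rule 1: gated mint/redeem is an instant kill. Heat-map rule: 3+ defenses is a kill.
    if (fund_flows and not open_fund_flows) or len(defenses) >= 3:
        verdict = "KILL"
    else:
        verdict = "INVESTIGATE"
    return {
        "verdict": verdict,
        "defenses": defenses,
        "open_fund_flows": open_fund_flows,
        "missing_nonreentrant": missing_nonreentrant,
        "balanceof_total_assets": balance_of,
    }


# Constructed samples: an Ethena-style gated vault and a naive ERC4626-style vault.
GATED = """
contract GatedVault {
    uint256 private _totalAssets;
    function mint(uint256 amount) external onlyRole(MINTER_ROLE) nonReentrant { }
    function redeem(uint256 shares) external onlyRole(REDEEMER_ROLE) nonReentrant { }
    function totalAssets() public view returns (uint256) { return _totalAssets; }
}
"""

OPEN = """
contract OpenVault {
    function deposit(uint256 assets) external returns (uint256) { }
    function withdraw(uint256 shares) external nonReentrant { }
    function totalAssets() public view returns (uint256) { return asset.balanceOf(address(this)); }
}
"""

if __name__ == "__main__":
    for name, src in (("GatedVault", GATED), ("OpenVault", OPEN)):
        r = triage(src)
        print(f"{name}: {r['verdict']} · defenses={r['defenses']} · open={r['open_fund_flows']} "
              f"· no nonReentrant={r['missing_nonreentrant']} "
              f"· balanceOf totalAssets={r['balanceof_total_assets']}")
```

GatedVault comes back KILL with three defenses; OpenVault comes back INVESTIGATE with both fund flows open, deposit() lacking nonReentrant and a balanceOf-based totalAssets(). The regex is deliberately shallow (it does not follow inheritance or libraries, the blind spots in FP rows 12 and 16), so a KILL here is reliable but an INVESTIGATE still needs the close read.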
IDEA 3: SY Wrapper Farm · TESTED & DISPROVEN
Day 1 results: 18/230 wrappers reviewed. 0 findings. Thesis disproven.
• 80% of wrappers use oracle/admin rates · NOT manipulable by flash loan
• pyIndex monotonic ratchet + doCacheIndexSameBlock provides core-level defense for ALL wrappers
• Only 2 wrappers use custom vault share pricing (InfraredBGT, sAPE) · both have MINIMUM_LIQUIDITY
• Curve virtual price reentrancy is KNOWN and DOCUMENTED by Pendle team
• Actual probability: ~0.1%/wrapper (not 1-2%). Expected findings in 230: ~0.2
Verdict: Pendle team reviews all wrapper PRs. Consistent template adherence. Not worth continuing.
STATUS: KILLED. Do not revisit.
IDEA 4: Novel Protocol Categories
Every protocol reviewed uses patterns from Aave/MakerDAO/Uniswap. These are battle-tested. Target protocols doing genuinely NEW things:
• Intent-based protocols (UniswapX, CoW Protocol forks) · novel order execution
• Restaking (EigenLayer network) · novel slashing conditions
• Points/airdrop protocols · novel tokenomics with economic attacks
• RWA bridges (Centrifuge, Backed) · novel collateral types with oracle edge cases
• AI agent protocols (Autonolas, Morpheus) · novel execution models
The key: if you can't map the protocol to an existing DeFi pattern, the math is more likely to have bugs.
IDEA 5: DeepSeek Finding Priority Ranker
770 DeepSeek findings on Pendle, 40 on Ethena · ALL killed. The bottleneck is triage. Build a priority ranker:
• Score based on: (1) does it touch fund-flow functions? (2) does it survive known FP patterns? (3) is it about math/accounting vs admin/governance?
• Auto-kill: access control on admin functions, fee-on-transfer on whitelisted assets, first-depositor with MIN_SHARES, UUPS with onlyProxy
• Promote: rounding that favors user in swap math, exchange rate readable in same block, missing balance check after external call
• Target: reduce 770 findings → 5 candidates in <10 min (currently takes 30+ min manual triage)
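The ranker sketched above is two stages: auto-kill against the FP taxonomy, then a score for what survives. The following is an added example, not the pipeline's ranker: the auto-kill rules are drawn from the FP table and rules #32/#34 on this page, the scoring follows the three criteria listed (fund-flow function, math/accounting vs admin path, promote patterns), and the seven sample findings are constructed. The regexes, weights and the fund-flow name set are assumptions for the example.

```python
"""Added worked example (not the page's ranker): the DeepSeek priority ranker
sketched above. Each raw finding is first run through auto-kill rules drawn from
the FP taxonomy on this page, then the survivors are scored by whether they touch
fund flow, concern math/accounting rather than admin paths, and match the promote
patterns. The seven sample findings are constructed."""

import re

FUND_FLOW = {"mint", "burn", "redeem", "deposit", "withdraw", "swap", "borrow", "repay", "flashLoan"}
AC_MODIFIER = re.compile(r"^(onlyRole|onlyOwner|onlyAdmin|onlyGovernance|onlyOperator|restricted)")

# (rule name, predicate over the finding). Any match kills the finding outright.
AUTO_KILL = [
    ("admin/role-gated function",
     lambda f: any(AC_MODIFIER.match(m) for m in f["modifiers"])),
    ("certora mutant / test contamination",
     lambda f: re.search(r"certora/mutants/|/test/", f["file"])),
    ("first depositor with MIN_SHARES defense",
     lambda f: re.search(r"first depositor|inflation", f["text"], re.I)
               and re.search(r"MIN_SHARES|MINIMUM_LIQUIDITY|_decimalsOffset", f["text"])),
    ("UUPS onlyProxy (FP #32)",
     lambda f: re.search(r"uninitiali[sz]ed implementation|upgradeToAndCall", f["text"], re.I)
               and re.search(r"onlyProxy|_disableInitializers", f["text"])),
    ("slippage/sandwich on standard ERC4626 (known issue)",
     lambda f: re.search(r"sandwich|slippage", f["text"], re.I) and "ERC4626" in f["text"]),
    ("dust rounding that favors the protocol",
     lambda f: re.search(r"\bdust\b|1 wei", f["text"], re.I)
               and re.search(r"favou?rs the protocol", f["text"], re.I)),
    ("fee-on-transfer on admin-controlled whitelist",
     lambda f: re.search(r"fee-on-transfer", f["text"], re.I)
               and re.search(r"admin|owner", f["text"], re.I) and "whitelist" in f["text"].lower()),
]

PROMOTE = re.compile(r"favou?rs the (user|caller)|same block|after (the )?external call", re.I)
MATH = re.compile(r"round|precision|exchange rate|accounting|index", re.I)
ADMIN_PATH = re.compile(r"governance|admin|owner|timelock", re.I)


def score(f: dict) -> tuple:
    """Priority score for a finding that survived auto-kill, with the reasons."""
    points, why = 0, []
    if f["function"] in FUND_FLOW:
        points += 3; why.append("touches fund-flow function")
    if MATH.search(f["text"]):
        points += 2; why.append("math/accounting")
    if ADMIN_PATH.search(f["text"]):
        points -= 2; why.append("admin/governance path")
    if PROMOTE.search(f["text"]):
        points += 2; why.append("promote pattern")
    return points, why


def rank(findings: list) -> tuple:
    """Split findings into (ranked survivors, killed). Survivors carry score and reasons."""
    survivors, killed = [], []
    for f in findings:
        hit = next((name for name, pred in AUTO_KILL if pred(f)), None)
        if hit:
            killed.append({**f, "killed_by": hit})
            continue
        points, why = score(f)
        survivors.append({**f, "score": points, "why": why})
    survivors.sort(key=lambda f: (-f["score"], f["id"]))
    return survivors, killed


SAMPLE = [  # constructed scanner output
    {"id": "F1", "file": "src/Vault.sol", "function": "setFee", "modifiers": ["onlyOwner"],
     "text": "setFee accepts any value; no upper bound on the fee"},
    {"id": "F2", "file": "certora/mutants/Vault_m3.sol", "function": "withdraw", "modifiers": [],
     "text": "withdraw skips the balance check and sends more than owed"},
    {"id": "F3", "file": "src/Vault.sol", "function": "deposit", "modifiers": [],
     "text": "first depositor inflation attack via donation; contract locks MIN_SHARES = 1e18"},
    {"id": "F4", "file": "src/Pool.sol", "function": "swap", "modifiers": ["nonReentrant"],
     "text": "rounding in swap output favors the caller by one unit per call; repeatable"},
    {"id": "F5", "file": "src/Vault.sol", "function": "convertToAssets", "modifiers": [],
     "text": "exchange rate readable in the same block before the index update"},
    {"id": "F6", "file": "src/Vault.sol", "function": "initialize", "modifiers": ["initializer"],
     "text": "uninitialized implementation takeover via upgradeToAndCall; "
             "implementation has _disableInitializers and onlyProxy"},
    {"id": "F7", "file": "src/Vault.sol", "function": "withdraw", "modifiers": [],
     "text": "dust rounding of 1 wei per 1e18 favors the protocol"},
]

if __name__ == "__main__":
    ranked, killed = rank(SAMPLE)
    for f in ranked:
        print(f"{f['id']} score={f['score']} {f['function']}: {', '.join(f['why'])}")
    for f in killed:
        print(f"{f['id']} KILLED: {f['killed_by']}")
```

Five of the seven samples die in stage one and only F4 (swap rounding that favors the caller) and F5 (same-block exchange rate) reach the manual queue, F4 first. Weights are arbitrary; what matters is that the auto-kill stage encodes defenses the triager has already confirmed, so it only ever removes findings that would have died in the close read anyway.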
THE UNCOMFORTABLE TRUTH (CONFIRMED C54 · FINAL)
54 campaigns, 180+ protocols, $11B+ TVL, 77K+ findings, $176 model spend. Result: $0 confirmed SC earnings.

Every targeting strategy has been tested and exhausted:
• Automated DeepSeek scanning: 48 campaigns, 77K+ findings, 0 payable (C7-C48)
• Manual Opus close reads: $140 Opus, 0 payable (C27-C28, C35, C46)
• Composability pivot: valid theory, all targets fortress-tier (C49-C51)
• Commit sentinel: 460+ repos, 16 hits, 0 exploitable (C52-C53)
• Long tail ($10K-$100K): 278 programs → 33 filtered → 1 survivor → 0 findings (C54)

The pipeline is COMPLETE, not failed. It built: 34 FP rules, 9 cardinal rules, defense taxonomy, 2 automated sentinels ($0.50/week), and definitively mapped the entire Immunefi/Sherlock/Cantina market. The correct next step is monitor mode, sentinels run weekly, activate ONLY on genuinely new 0-audit launches.

What actually makes money (UPDATED Jun 1 · full portfolio audit):
1. HackerOne GitLab (2 reports): CLOSED N/A (Jun 2). Both rejected by h1_analyst_vegeta · template rejection, no local PoC. Resubmittable with GDK/Docker instance. Current EV: $0.
2. Huntr AI/ML (9 submissions): $11.75K-$12K EV. 5 bounty-eligible (GGUF $4K, Keras $4K, ExecuTorch $1.5K, PMML $1.5K, Keras $1K). 33% historical hit rate. 40x better EV/effort than SC bounties.
3. BLN: confirmed $160/month recurring revenue
4. K2 C4: $250-$500 EV. JUDGING. $135K pool. C4 operational.

Combined portfolio: $12K-$12.5K EV across 10 active submissions. SC is 2% of portfolio EV. H1 GitLab CLOSED N/A (resubmittable).

Protocol Defense Heat Map (PM1 Days 1-5)

Defense | Lombard | Spark | Ethena | Pendle
Role-Gated Mint/Redeem | YES | N/A | YES | NO
Monotonic Index/Rate | N/A | YES (chi) | N/A | YES (pyIndex)
Internal Accounting | YES | YES | balance-vest | YES
MIN_SHARES/LIQUIDITY | N/A (no vault) | N/A (DSR) | 1e18 | 1000
Vesting/Cooldown | N/A | N/A | 8hr vest + 7-90d cool | per-user index
nonReentrant Coverage | N/A | N/A | YES | 6/6
Multi-Sig/Consortium | YES (weighted) | N/A | N/A | N/A
Prior Audit Count | 12+ | 10+ | 12 | 6+
Defenses Active | 4/7 | 3/7 | 5/7 | 6/7

Every protocol has 3+ defenses active. If speed-kill triage shows 3+ defenses in first 5 minutes: KILL immediately. Only investigate protocols with ≤2 defenses.

DeepSeek Kill Statistics (PM1 Days 1-5)

77K+ · Total DeepSeek Findings Triaged
0 · Survived Fund-Impact Filter
100% · Kill Rate (54 campaigns)
$36 · DeepSeek Cost (Total)
Top FP Categories (auto-kill candidates)
FP Pattern | Count | Auto-Kill Rule
Admin/role-gated function flagged as vulnerable | ~200 | If function has onlyRole/onlyOwner: auto-kill
Fee-on-transfer on admin-controlled asset list | ~50 | If asset whitelist is admin-only: auto-kill
First depositor with MIN_SHARES defense | ~30 | If MIN_SHARES ≥ 1e15: auto-kill
Flash loan on gated function | ~40 | If target function requires role: auto-kill
Slippage/sandwich on standard ERC4626 | ~30 | Known issue on all bounty programs: auto-kill
External integration concern (Balancer rate, etc.) | ~25 | If affects external protocol, not in-scope: auto-kill
UUPS with onlyProxy (OZ v5+) | ~15 | FP Rule #32: auto-kill
Donation to balanceOf-based totalAssets | ~20 | If internal accounting or MIN_SHARES: auto-kill
Cross-chain replay without checking chainId | ~10 | Verify domain separator includes chainId: the finding is usually wrong
Dust-level rounding (1 wei per 1e18) | ~50 | If rounding favors protocol: auto-kill
Chainlink Data Streams ≠ AggregatorV3 (C48) | 11 | FP #33: IVerifierProxy.verify is NOT latestRoundData. Auto-kill staleness checks.
Certora mutant contamination (C48) | 74 | FP #34: certora/mutants/ = intentional bugs. Skip dirs added.

Strategic intelligence and leaderboard analysis

Immunefi Top 20 • Sherlock Top 10 • Bug Taxonomy • Market Restructuring • 2026-05-24
PIVOT: Contest Farming + Sentinel Monitoring
THE PIPELINE HAS BEEN HUNTING IN THE WRONG TERRITORY. Top earners don't audit fortress protocols. They either find infrastructure bugs in L1/L2 chains ($1M-$10M payouts) or grind volume on fresh/updated programs ($17K-$60K avg per report). Contest specialists earn $35K/contest with 62% win rates. Our 51-campaign, $0-finding streak confirms: DeepSeek scanning on audited protocols is conclusively disproven. C51 composability pivot: valid theory but ALL top targets fortress-tier (Gearbox = 30 audits).
94% · Programs with 1+ Critical (5yr+)
$135M · C4→Immunefi Migration
536 · Immunefi Programs Tracked
$1.25M · Next Contest (Euler v2 Cantina)
62% · 0x52 Win Rate (39 contests)
3 · Replicable Strategy Paths

Immunefi leaderboard, two archetypes

Archetype 1: Whale Hunters (NOT Our Market)
Rank | Handle | Reports | Earnings | Avg/Report
1 | Barracuda3172 | 7 | $14.4M | $2,063K
2 | RetailDdene2946 | 2 | $10.0M | $5,010K
3 | PwningEth | 8 | $8.0M | $1,000K
8 | ily2 | 3 | $3.0M | $1,010K
13 | saurik | 1 | $2.0M | $2,000K
14 | thec00n | 1 | $2.0M | $2,000K
19 | x6051 | 2 | $1.5M | $750K
20 | notdeghost | 2 | $1.5M | $750K
Profile: 1-8 reports, $750K-$5M avg. L1/L2 chains, bridges, consensus.
Known bugs: Wormhole uninitialized proxy ($10M), Aurora infinite spend ($6M), Optimism money duplication ($2M), Moonbeam AC bypass ($1M)
Requires deep L1/EVM/Rust/Go expertise. NOT our current capability.
Archetype 2: Volume Grinders (OUR Market)
Rank | Handle | Reports | Earnings | Avg/Report
5 | LonelySloth | 60 | $3.6M | $60K
4 | GothicShanon89238 | 16 | $4.2M | $261K
9 | MajorExcitement | 17 | $2.7M | $158K
12 | nnez | 64 | $1.7M | $27K
15 | infosec_us_team | 70 | $1.2M | $18K
16 | WhiteHatMage | 16 | $1.6M | $103K
17 | k13 | 19 | $1.6M | $82K
18 | bpop23293 | 44 | $1.4M | $33K
Profile: 16-70 reports, $17K-$60K avg. Monitor scope changes. Target fresh programs.
infosec_us_team's edge: Maintains GitHub tracker monitoring ALL Immunefi program changes. Scope change → immediate attack. REPLICABLE.
THIS is our addressable market.

Sherlock leaderboard, contest specialists

0x52: The Model (Rank #1 Sherlock)
$1.35M · Total Earnings
62% · Win Rate
39+ · Contests
$35K · Avg/Contest
Contest | Findings | Earnings | Rank
Centrifuge V3.1 | 6 High | $148,517 | 1st
Index | 2H, 2M | $78,464 | 1st
KyberSwap | 2M | $60,684 | 1st
Arcadia | 2H | $42,400 | 1st
UXD Protocol | 6H, 4M | $42,720 | 1st
MakerDAO Endgame | - | $40,627 | 8th
Hubble Exchange | 3H, 4M | $32,401 | 1st
Strategy: Participates in EVERY contest. DeFi lending/vaults/yield specialist. Finds MULTIPLE bugs per contest. Volume + consistency + quality.
Other Top Sherlock Earners
Handle | Earnings | $/Day
0x52 | $1.15M | $2,537
xiaoming90 | $961K | $2,497
panprog | $556K | $2,612
0x73696d616f | $510K | $1,892
IllIllI | $468K | $2,945
Key insight: Top 5 Sherlock earners average $2,497/active day. 0x52's 62% first-place rate across 39 contests proves consistency beats luck.

What Bugs Actually Get Paid

Critical ($100K-$10M) · Infrastructure
1. Uninitialized/misconfigured proxies · $10M
2. Chain-level money duplication · $2M
3. Bridge message spoofing · $1M
4. Consensus bypasses · $2M
5. Access control on chain infra · $1M
High ($25K-$500K) · DeFi Logic
1. Rounding/precision in complex math · $250K
2. Collateral/debt accounting errors · $1M
3. Insufficient input validation · $1.1M
4. Logic errors in new features · $25K-$100K
5. Cross-contract interaction bugs · $25K-$100K
Medium ($5K-$25K) · Edge Cases
1. Fee-on-transfer handling gaps
2. Liquidation edge cases
3. Oracle staleness/manipulation
4. Reentrancy in reward distribution
5. Edge cases at protocol boundaries
KEY PATTERN: Bugs are found in NEW or UPDATED code (new features, scope updates, integrations, fresh deployments), not in battle-tested core contracts and not in fortress protocols with 6+ audits.

Market restructuring after Code4rena shut down

C4 · SHUTTING DOWN · May 13, 2026 · Zellic acquisition → wind-down
$135M · Bounties Migrating to Immunefi
Implications for our pipeline:
• Immunefi becomes even more dominant · single platform to monitor
• Fresh program migrations = fresh scope = opportunity · sentinel trigger
• Contest model may be adopted by Immunefi · watch for announcements
• Competition increases on Sherlock/Cantina · wardens consolidating
The 94% Stat (Immunefi's own data):
“Among bug bounty programs active for 5+ years, 93.9% have received at least one confirmed critical.”
“Roughly half of all active programs surface at least one critical per year.”

The bugs ARE there. We've been looking in the wrong place (fortress protocols) instead of the right place (fresh code, scope updates, contests).

Active Opportunities (as of 2026-06-10)

Active Submissions (14 total)
Platform | Reports | EV | Status
HackerOne | 2 (resubmitted) | $7,764 | RESUBMITTED Jun 3 (H1 blocked by Signal for new reports)
Email → GitLab | 2 (emailed) | $3.25K–$6.5K | MCP OAuth (High 7.1) emailed Jun 3 + SSRF+IDOR (Med 5.4-6.9) emailed Jun 10
Huntr | 9 (5 bounty) | $8K–$9K | All pending (85-day avg triage)
C4 | 1 | $131 | K2 judging (EV: 35% × $375)
Sherlock | · | $0 | ARC-41 was 2024 (removed). yRobo rejected.
User: theluckystrike on HackerOne + Huntr. AI/ML + AppSec = 40x better EV than SC.
Fresh Immunefi Programs (Sentinel)
Program | Max Bounty | Status
Aster | $200K | NEW
Onre | $100K | NEW
Nuva | - | NEW
KAST | $50K | NEW
EdgeX | $10K | NEW
Enzyme-Onyx | $200K | ·
Alchemix-1 | - | ·
Source: infosec-us-team/Immunefi-Bug-Bounty-Programs-Unofficial (cloned to data/immunefi-tracker/)
Top Immunefi Programs by Max Bounty (Scope-Change Monitoring)
LayerZero ($15M) • Stargate ($10M) • Sky ($10M) • Reserve ($10M) • USDT0 ($6M) • Sparklend ($5M) • GMX ($5M) • Ethena ($3M) • Chainlink ($3M) • Morpho ($2.5M) • Aster ($200K, FRESH)
536 programs tracked. 40+ at $100K+. Alert on: new programs, scope updates, unpaused programs.

Strategic recommendations across three paths

Highest EV · Immediate
Path 1: Contest Farming
Model: 0x52
• Participate in EVERY Sherlock/Cantina contest
• Target DeFi lending/vault/yield contests
• Goal: 2-5 real bugs per contest
• Expected: $10K-$50K/contest, 2-4/month
Aleo ARC-41 ($155K) was 2024 contest · REMOVED (C56)
Why us: 100% FP kill rate = fewer but better submissions. Fresh unaudited code. Guaranteed prize pool. Structured judging.
Background · Ongoing
Path 2: Sentinel Monitor
Model: infosec_us_team
• Monitor Immunefi tracker (cloned)
• Alert: new programs, scope updates, unpaused
• Trigger: immediate review of NEW code only
• Target: <2 audits AND >$10M TVL
• Expected: $17K-$60K/accepted report
Why us: Automated monitoring. Only reviews changed code. C4 migration influx. 5-min speed-kill triage.
Long-term · Highest Ceiling
Path 3: Chain Infrastructure
Model: PwningEth
• Study L1/L2 consensus, EVM internals, bridges
• Target: newer L1s, L2s, bridge implementations
• Expected: $100K-$10M per critical
• Requires: Rust, Go, consensus expertise ramp
Priority: Path 1 > Path 2 > Path 3. Chain infra is the long game after contest/sentinel skills are proven.

Immediate Actions

  • Clone infosec_us_team's Immunefi tracker · data/immunefi-tracker/ (536 programs)
  • Analyze Immunefi + Sherlock leaderboards · two archetypes + contest model identified
  • Identify fresh Immunefi listings · Aster ($200K), Onre ($100K), KAST ($50K)
  • Confirm C4 shutdown · May 13, 2026. $135M migrating. July 12 final deadline.
  • Register for Aleo ARC-41 Sherlock contest · was 2024 contest, NOT 2026 (C56 verified)
  • Set up automated sentinel monitoring on tracker repo
  • Review Aster ($200K fresh listing) · immediate candidate
  • Monitor C4→Immunefi migration for fresh scopes
SENTINEL · C52–C54 · 2026-05-31

Commit Sentinel · Monitor the Diff

The diff between last-audit-commit and HEAD is the attack surface. Top earner infosec_us_team ($1.24M, 70 reports) monitors COMMITS, not programs. This tab tracks the methodology, tooling, and results of continuous commit monitoring across high-bounty Immunefi programs.
The pivot: 54 campaigns scanning whole codebases produced $0. Top earners don't scan, they watch for changes. New commits = unaudited code = attack surface. Every line added after the last audit report is a line no auditor has reviewed. That's the one edge that holds up against fortress-tier programs with 5+ audits.
258+ · Repos Monitored (C52–C53)
16 · Repos with Sol Changes
3 · Read closely (Optimism, Lido, MUX)
$0.50 · Total Cost
60 · Programs Tracked (≥$50K)
7d · Lookback Window

How The Sentinel Works

Phase 1 · Scan
github-commit-monitor.py fetches top N Immunefi programs (≥$100K bounty) via public API. Extracts GitHub repo URLs from assets + programOverview. Uses gh api (authenticated, 5000 req/hr) to check each repo for commits in the last 14 days. Filters for .sol / .vy file changes, excludes test/mock/script/deploy dirs.
~10 min per run • ~$0 cost • Weekly cadence
Phase 2 · Triage
Speed-kill each repo with sol changes:
• How many lines changed?
• Are changes in fund-flow functions?
• Do changes touch math, access control, or external calls?
• Is the changed file in bounty scope?
• Was change made AFTER last known audit?
Kill: config, deploy scripts, test-only, audit fixes with full coverage.
~5 min per repo • Agent-assisted • Parallel
Phase 3 · Verify
For surviving diffs, apply Cardinal Rules:
1. Permissionless theft by EOA?
2. Mainnet fork PoC possible?
3. Not a known/audited issue?
4. EV > $1K?
5. No trusted-role requirement?
If all 5 pass → clone, read, PoC, submit.
Deep read • Full submission gate • PM1 standard

C52 results, first sentinel run (2026-05-30)

# | Program | Bounty | Repo | Sol Commits | Files Changed | Verdict
1 | Optimism | $2,000,000 | ethereum-optimism/optimism | 3 | SuperPermissionedDisputeGame, initializer fix | KILL · governance-gated
2 | Lido CSM | $2,000,000 | lidofinance/community-staking-module | 4 | FeeSplits, BondLock, MetaRegistry, Allocator | KILL · 3x independent kill
3 | Compound | $1,000,000 | compound-finance/* | 1 | Config/deploy | SKIP
4 | MakerDAO | $1,000,000 | makerdao/* | 2 | Interface refactor | SKIP
5 | Aave | $1,000,000 | aave/* | 1 | Test updates | SKIP
6-9 | 4 additional repos | · | · | · | minor test/config/deploy changes only | SKIP

Optimism close read ($2M), 3 commits

fa9974a2
OZ v5 Initializer Detection Fix
Defensive hardening for OpenZeppelin v5 initializer detection. Not exploitable by external EOA. Already protected by governance deployment flow.
bd4e855e
SuperPermissionedDisputeGame Rewrite
Complete architectural change from interactive dispute to "proposer-asserts, guardian-blacklists" model. Uses tx.origin for auth. All roles = designated/governance. No permissionless vector.
c8a40770
Concrete to Interface Refactor
Type-system refactor replacing concrete imports with interfaces. Zero behavioral change. Zero security impact.
VERDICT: All changes gated by governance/designated roles. No permissionless attack surface. PERMANENT KILL.

Lido CSM close read ($2M), 4 commits, 19 files

Lead: FeeSplits _unsafeDecreasePendingSharesToSplit
Removed safety clamp (shares > current ? current : shares) from subtraction. LIDO.transferShares() calls happen BEFORE the decrease in a loop · classic CEI violation pattern. Initial hypothesis: reentrancy via stETH callback could corrupt pendingSharesToSplit.
Kill, 3x independent:
1. stETH transferShares() = pure storage writes, NO callbacks, NO ERC777 hooks
2. FeeSplits is v3, NOT deployed on mainnet (bounty: "only deployed contracts")
3. The rename was Statemind auditor's recommendation (PR #797 = "Audit fixes")
Other Commits
BondLock isLockExpired: Real audit bug · until==0 (no lock) returned true (expired). Now fixed. Confirmed Statemind finding.

MetaRegistry: unchecked arithmetic in weight sum + storage migration (array→mapping). Audit fix.

DepositAllocatorGreedy: Quantization fix for deposit allocation. Audit fix.
VERDICT: stETH has zero callback mechanism. Code not deployed. Already audited (9 CSM audits, 4 firms). PERMANENT KILL.

Why commit monitoring still wins

C52 produced 0 findings, but the methodology is validated:

1. Sourcing works. The sentinel correctly identified the 2 most interesting repos (Optimism and Lido CSM) out of 202. Both had real code changes in security-critical contracts. The triage pipeline correctly filtered 193 repos with no sol changes and speed-killed 7 with trivial changes.

2. The kill reasons are structural, not methodological. Optimism diffs were governance-gated (Cardinal Rule 5). Lido diffs were undeployed v3 code (scope exclusion). These kills apply to any researcher, not just this pipeline.

3. The edge compounds over time. One run = one snapshot. Weekly runs accumulate coverage. The profitable scenario: a $500K+ bounty program ships a new feature (not audit fixes) that touches fund-flow math. This WILL happen · the question is when. The sentinel catches it on day 1, before competing researchers notice.

4. Cost is near-zero. $0.50 per run vs $70 for a 20-agent Opus scan. The sentinel is 140x more capital-efficient. It can run weekly indefinitely at negligible cost.

Tooling

github-commit-monitor.py
Location: data/github-commit-monitor.py
Dependencies: gh CLI (authenticated)
Immunefi API: public bounties endpoint
Rate limit: 1.2s between GitHub API calls
Output: COMMIT-MONITOR-RESULTS.json

Usage:
python3 github-commit-monitor.py \
  --days 14 --min-bounty 100000 --top 40
Sentinel Schedule
Weekly (Sundays): Full scan, 40 programs, 14d lookback
On new bounty: First commit scan within 24h
On hit: Deep diff triage within 1h

Trigger phrase:
"run sentinel" → execute monitor + triage

Cost per year: ~$26 (52 weeks × $0.50)

What Would Trigger a Real Find

Signal | Example | Why It Matters
New contract file added | vault/NewStrategy.sol, adapters/GearboxV4.sol | Entirely unaudited code. Highest signal.
Math function modified | calculateRewards(), computeShares(), getRate() | Arithmetic bugs = direct fund impact. DeepSeek's sweet spot.
New external call added | address(newProtocol).call(...) | Cross-protocol composability = integration bugs. Under-audited.
Access control change | Modifier removed, new role added, onlyOwner → public | Permission changes = escalation surface.
Audit fix commits | "fix: audit findings", "fix: statemind batch 1" | Low signal · code reviewed by auditors. But watch for incomplete fixes.
Test/deploy/config only | hardhat.config.js, test/Mock.sol, scripts/deploy.ts | Zero signal. Instant skip.
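The three sentinel phases (Phase 1 file filter, Phase 2 speed-kill) and the signal table above, as an added Python example that is not the page's github-commit-monitor.py: it filters a commit's changed files, labels the commit with the table's signals, and returns the speed-kill verdict. The commit dict shape, the regexes and the four sample commits are my assumptions, constructed here rather than pulled from any repository.

```python
"""Commit-sentinel triage (added example, not the page's github-commit-monitor.py).
A commit is {"message", "files": [(path, status)], "patch"}; samples are constructed."""
import re

CODE_EXT = (".sol", ".vy")
EXCLUDED_DIRS = {"test", "tests", "mock", "mocks", "script", "scripts", "deploy"}
# Signal patterns lifted from the "What Would Trigger a Real Find" table.
MATH_FN = re.compile(r"\bfunction\s+(?:calculate|compute|get)\w*\s*\(", re.I)
EXTERNAL_CALL = re.compile(r"\.(?:call|delegatecall|staticcall)\s*[({]")
ACCESS_CONTROL = re.compile(r"\b(?:modifier\s+\w+|only[A-Z]\w*|grantRole)\b")
AUDIT_FIX_MSG = re.compile(r"\b(?:audit|statemind|spearbit|findings)\b", re.I)
HIGH_SIGNALS = {"new contract file added", "math function modified", "new external call added", "access control change"}

def in_scope(path):
    """Phase 1 filter: .sol/.vy only, and not under a test/mock/script/deploy dir."""
    low = path.lower()
    return low.endswith(CODE_EXT) and not (set(low.split("/")[:-1]) & EXCLUDED_DIRS)

def diff_lines(patch, marker):
    """Lines a unified diff adds ('+') or removes ('-'), without the marker."""
    return [l[1:] for l in patch.splitlines()
            if l.startswith(marker) and not l.startswith(marker * 3)]

def signals(commit):
    """Phase 2 speed-kill: which table signals does this commit carry?"""
    files = [(p, s) for p, s in commit["files"] if in_scope(p)]
    if not files:
        return ["test/deploy/config only"]
    added = diff_lines(commit["patch"], "+")
    removed = diff_lines(commit["patch"], "-")
    found = []
    if any(s == "added" for _, s in files):
        found.append("new contract file added")
    if any(MATH_FN.search(l) for l in added + removed):
        found.append("math function modified")
    if any(EXTERNAL_CALL.search(l) for l in added):
        found.append("new external call added")
    if any(ACCESS_CONTROL.search(l) for l in added + removed):
        found.append("access control change")
    if AUDIT_FIX_MSG.search(commit["message"]):
        found.append("audit fix commit")
    return found

def verdict(commit):
    """SKIP (no signal), LOW (audit fix: auditors saw it), CLOSE READ (unaudited change)."""
    found = signals(commit)
    if "audit fix commit" in found:
        return "LOW"
    return "CLOSE READ" if HIGH_SIGNALS & set(found) else "SKIP"

# Constructed sample commits modelled on the C52 cases above (not real repo data).
SAMPLE_COMMITS = {
    "new_adapter": {  # new file + math change + external call -> CLOSE READ
        "message": "feat: Gearbox v4 adapter + reward math",
        "files": [("adapters/GearboxV4.sol", "added"), ("vault/Vault.sol", "modified")],
        "patch": ("--- a/vault/Vault.sol\n+++ b/vault/Vault.sol\n"
                  "-    function calculateRewards(uint256 s) public view returns (uint256) {\n"
                  "+    function calculateRewards(uint256 s) external returns (uint256) {\n"
                  "+        (bool ok, ) = address(adapter).call(\"\");\n"),
    },
    "audit_fix": {  # BondLock-style fix under an audit-batch message -> LOW
        "message": "fix: statemind batch 1",
        "files": [("src/BondLock.sol", "modified")],
        "patch": ("--- a/src/BondLock.sol\n+++ b/src/BondLock.sol\n"
                  "-        return until == 0 || until < block.timestamp;\n"
                  "+        return until != 0 && until < block.timestamp;\n"),
    },
    "config_only": {  # hardhat config + mock -> SKIP before any diff is read
        "message": "chore: bump hardhat",
        "files": [("hardhat.config.js", "modified"), ("test/Mock.sol", "modified")],
        "patch": "--- a/test/Mock.sol\n+++ b/test/Mock.sol\n+    uint256 public x;\n",
    },
    "iface_refactor": {  # concrete -> interface refactor, no behaviour change -> SKIP
        "message": "refactor: concrete imports to interfaces",
        "files": [("src/Game.sol", "modified")],
        "patch": ("--- a/src/Game.sol\n+++ b/src/Game.sol\n"
                  "-import { Oracle } from \"./Oracle.sol\";\n"
                  "+import { IOracle } from \"./interfaces/IOracle.sol\";\n"),
    },
}

def triage(commits=SAMPLE_COMMITS):
    return {name: (verdict(c), signals(c)) for name, c in commits.items()}
```

Anything that comes back CLOSE READ still has to pass the five Cardinal Rules from Phase 3 by hand; the classifier only decides what is worth a human's time.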

Sentinel Run Log

Run | Date | Programs | Repos | Sol Hits | Close Read | Findings | Cost
C52 | 2026-05-30 | 40 | 202 | 9 | 2 (Optimism, Lido CSM) | 0 | $0.50
C53 | 2026-05-31 | 60 | 258 | 7 | 0 (all speed-killed) | 0 | $0.00
C54 | 2026-05-31 | 33 (long tail) | · | · | 1 (MUX v3, 2826 lines) | 0 | $0.00
Table updates with each sentinel run. First profitable find expected within 3-6 months of weekly monitoring.
GITLAB · RESUBMISSION · 2026-06-02

GitLab H1 Resubmission

Both HackerOne GitLab reports (#3755172 + #3755989) were closed N/A on Jun 2 by h1_analyst_vegeta · format rejection only, not technical merit. Patch verification confirmed both findings are NOVEL (not covered by existing CVE patches). Local Docker instance deployed, SaaS trial active, PoC scripts prepared. Combined resubmission EV: $7,764 weighted. Marginal EV/hr: $923–$1,385 (highest-value task available).
$7,764 · Combined Resub EV (weighted)
$14,470 · #3755172 Bounty (CVSS 8.8)
$6,580 · #3755989 Bounty (CVSS 7.3)
NOVEL · Patch Verification (both)
19.0.1-ee · Docker Instance Version
Jul 2 · Trial Expiry

01 · Rejection Analysis · FORMAT, NOT MERIT

REJECTION TEMPLATE (both reports identical):
"We were unable to validate this vulnerability. In order to effectively validate this vulnerability, we ask that you provide supporting materials, such as a working Proof of Concept (PoC), screenshots, video, or detailed reproduction steps. For this program’s scope, please make sure to provide these artifacts from a local GitLab installation."

Key insight: h1_analyst_vegeta used a TEMPLATE response, with zero engagement with the technical content. That's a triage-level format gate, not a security assessment. Both reports had detailed writeups with code references, CWE mappings, and impact analysis, but no screenshot or video from a running instance.
Aspect | #3755172 (Agent Injection) | #3755989 (SAST XSS)
Report ID | H1 #3755172 | H1 #3755989
CVSS | 8.8 (High) | 7.3 (High)
Bounty Range | $5,000–$15,000 | $5,000–$15,000
Calculated Bounty | $14,470 (linear interp) | $6,580 (linear interp)
CWE | CWE-1426 (Prompt Injection) | CWE-79 (Stored XSS)
Attack Vector | Custom Agent → System Prompt Injection → Headless Auto-Approve → skip_authorization OAuth → Composite Identity Escalation | SAST Finding → AI Vulnerability Resolution → .html_safe Rendering → Stored XSS in MR
Rejection Reason | No local PoC artifacts | No local PoC artifacts
Technical Merit | Not challenged | Not challenged
CVE Overlap | NOVEL · CVE-2026-1868 is AI Gateway Python SSTI (different service, different CWE) | LIKELY NOVEL · CVE-2026-6073 is chat output XSS (different rendering pipeline)
P(accept) | 40% | 30%
Weighted EV | $5,790 | $1,974

02 · CVE Patch Verification · ALL PATCHES ANALYZED

CVE | CVSS | What It Patches | Overlap with Our Findings? | Verdict
CVE-2026-1868 | 9.9 | Jinja2 SSTI in AI Gateway Python service (ai_gateway/prompts/base.py). Template injection in Flow definitions. | NO · Python AI Gateway, not Rails monolith. CWE-1336 (SSTI) vs our CWE-1426 (Prompt Injection). Different service, different language, different code paths. | CLEAR
CVE-2026-4868 | 8.2 | Identity resolution first_human_owner fallback in vulnerability workflow workers. Changed 7 Rails files. | PARTIAL · Same domain (Duo identity) but different attack: they fixed user resolution, we target OAuth skip_authorization + composite identity token creation. Different functions, different code paths. | PARTIAL
CVE-2026-6073 | 8.7 | Duo Agent chat output rendering XSS. Fixed in chat UI rendering. | MAYBE · Same bug class (XSS) but different rendering pipeline. Our finding targets vulnerability resolution MR content via .html_safe, not chat output. Risk of being grouped together. | RISK
CVE-2026-5296 | 4.3 | Developer-role API authorization bypass for Duo Workflows. | NO · Access control bypass, not headless mode auto-approval. Headless auto-approval is documented as expected behavior (BY DESIGN). Different mechanism entirely. | CLEAR
Bottom line: #3755172 is NOVEL with HIGH confidence (different service + different CWE + different language). #3755989 is LIKELY NOVEL with MEDIUM-HIGH confidence (same bug class but different rendering pipeline; risk of being grouped with CVE-2026-6073).

03 · Infrastructure Status · LIVE

Component | Status | Details
Docker GitLab | · | EE v19.0.1-ee at localhost:8929 · Puma, Sidekiq, PostgreSQL, Redis, Gitaly, Nginx all UP
CI Runner | · | Docker executor, registered and picking up jobs
SAST Pipeline | · | semgrep-sast: success. Vulnerable test code scanned. Pipeline #1 passed.
Test Project | · | Project #1 (security-test-repo) with Python command injection + path traversal test code
SaaS Ultimate Trial | · | lipmichal-group on gitlab.com · Ultimate trial expires Jul 2, 2026. Duo Agent Platform visible.
Self-Managed License | MISSING | Customers Portal shows “no purchases.” SaaS trial does not include self-managed activation code. Need separate self-managed trial registration.
Duo Features | BLOCKED | Settings show duo_features_enabled=true but no license = features non-functional. Vulnerability API returns 403.
PoC Scripts | · | poc-3755172-agent-injection.sh + poc-3755989-sast-xss.sh + setup-gitlab.sh ready at ~/gitlab-security-test/

04 · Resubmission Plan · TWO-TRACK

Track A · SaaS (Ready Now)
Use gitlab.com SaaS trial (lipmichal-group) to demo both exploit chains directly on production.

Pros: Everything works now. Duo Agent Platform visible. More impactful: it proves the vuln exists on production.
Cons: H1 specifically asked for “local GitLab installation” artifacts.
Status: READY • Est: 2–4 hours
Track B · Self-Managed Docker
Get self-managed trial activation code and demo on Docker instance at localhost:8929.

Pros: Exactly what H1 requested. Full control. Reproducible.
Cons: Blocked on self-managed license. Need to register separately at about.gitlab.com/free-trial/?hosted=self-managed.
Status: BLOCKED on license • Est: 4–6 hours once unblocked
Recommended: Do BOTH. SaaS PoC first (ready now, proves production impact), then self-managed PoC when the license arrives (satisfies H1’s “local installation” requirement). Submit with both sets of evidence.

05 · Bounty Calculation · GITLAB PAY STRUCTURE

Severity | CVSS Range | Bounty Range | Our CVSS | Calculated Bounty
Critical | 9.0–10.0 | $15,000–$35,000 | · | ·
High | 7.0–8.9 | $5,000–$15,000 | 8.8 (#3755172) | $14,470
High | 7.0–8.9 | $5,000–$15,000 | 7.3 (#3755989) | $6,580
Medium | 4.0–6.9 | $1,000–$5,000 | · | ·
Low | 0.1–3.9 | $100–$1,000 | · | ·
Formula: linear interpolation within CVSS range. CVSS 8.8: $5K + (8.8-7.0)/(8.9-7.0) × ($15K-$5K) = $14,470. CVSS 7.3: $5K + (7.3-7.0)/(8.9-7.0) × ($15K-$5K) = $6,580.
Combined raw: $21,050. Weighted EV (40% + 30%): $7,764. GitLab paid $1.72M on H1 in 2024 (440 reports, avg $3,900).
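The interpolation and weighted-EV arithmetic above as a small added Python example (not the page's own tooling): the tier table and the formula are the page's, the function names and the rounding-to-$10 step are mine.

```python
"""GitLab bounty interpolation by CVSS and weighted EV (added example; tier table and
formula are the page's, function names and rounding are mine)."""

# (severity, cvss_low, cvss_high, bounty_low, bounty_high) from the table above.
GITLAB_TIERS = [
    ("Critical", 9.0, 10.0, 15_000, 35_000),
    ("High", 7.0, 8.9, 5_000, 15_000),
    ("Medium", 4.0, 6.9, 1_000, 5_000),
    ("Low", 0.1, 3.9, 100, 1_000),
]


def bounty_for_cvss(score, tiers=GITLAB_TIERS):
    """Linear interpolation inside the tier containing `score`, rounded to $10.

    CVSS scores carry one decimal, so rounding first means a value like 8.95
    cannot fall into the gap between the 8.9 and 9.0 tier edges.
    """
    score = round(score, 1)
    for name, lo, hi, b_lo, b_hi in tiers:
        if lo <= score <= hi:
            raw = b_lo + (score - lo) / (hi - lo) * (b_hi - b_lo)
            return name, int(round(raw / 10) * 10)
    raise ValueError(f"CVSS {score} is outside every bounty tier")


def weighted_ev(submissions):
    """Sum of P(accept) x bounty over (cvss, p_accept) pairs, e.g. the two H1 resubs."""
    return sum(p * bounty_for_cvss(cvss)[1] for cvss, p in submissions)
```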

06 · Timeline · JUN 2 → JUN 9

Date | Event | Status
May 22 | #3755172 submitted to HackerOne | CLOSED N/A Jun 2
May 23 | #3755989 submitted to HackerOne | CLOSED N/A Jun 2
Jun 2-3 | Local Docker PoC built (GitLab EE 19.0.1, Ultimate trial, Duo Enterprise) | COMPLETE
Jun 3 | #3755172 resubmitted with 36 screenshots + video + evidence report | PENDING REVIEW
Jun 3 | #3755989 resubmitted with 40 evidence files | PENDING REVIEW
Jun 2 AM | Both reports closed by h1_analyst_vegeta | FORMAT REJECTION
Jun 2 PM | CVE patch verification (5 agents) | BOTH NOVEL ✓
Jun 2 PM | Docker GitLab 19.0.1-ee deployed | RUNNING ✓
Jun 2 PM | CI Runner + SAST pipeline | COMPLETED ✓
Jun 2 PM | SaaS Ultimate trial activated | ACTIVE (Jul 2 expiry) ✓
Jun 2 PM | Self-managed license | MISSING · customers portal empty
Jun 2–3 | Record SaaS PoCs (Track A) | NEXT
Jun 3–5 | Get self-managed license + Docker PoCs (Track B) | PENDING
Jun 5–9 | Resubmit both reports with dual evidence | PLANNED

07 · PM1 Submission Playbook · PERMANENT SoP • NO EXCEPTIONS

THE LESSON THAT COST 12+ HOURS: Two submissions. Both technically sound. Both closed N/A. Not because the findings were wrong · because the EVIDENCE didn’t show what the maintainer cares about. We submitted source code analysis + DB storage proof. They wanted video of the exploit FIRING with IMPACT visible in the browser. These are completely different things. “This code could be exploited” ≠ “I just exploited it. Watch.”
THE 10/10 PoC STANDARD
A PoC is 10/10 when the maintainer can watch a 2-minute video and see the FULL chain from start to finish, ending with DEMONSTRATED IMPACT.
BAD ENDINGS → N/A
  • “Payload stored in database” · so what?
  • “Vulnerable code path is reachable” · prove it fires
  • “AI unreachable but code is confirmed” · not my problem
  • “Source code shows .html_safe” · show me the XSS
GOOD ENDINGS → TRIAGED
  • Alert box fires in victim’s browser
  • Attacker’s token has admin scope
  • Victim’s cookies sent to attacker.example.com
  • Attacker can read private repo via stolen token
  • Attacker has shell access on CI runner
The LAST FRAME of your video must show the impact. If you can’t produce that frame, the PoC is incomplete and submission will be closed.
THE CHECKLIST · Execute in order, every time
PHASE 1: BEFORE WRITING A SINGLE WORD (2–4 hours)
1. Set up local instance of the target product. GitLab: Docker EE + Ultimate trial + Duo trial. NEVER submit based on source code reading alone.
2. Get ALL required features working locally. Enable every feature flag. Verify API endpoints respond (not 401/403). Verify AI/ML/backend connects. If a feature doesn’t work: FIX IT or STOP. Do not submit with “this feature was unreachable.”
3. Execute the FULL exploit chain end-to-end. Every step must complete without errors. The final step must produce visible impact. If any step fails: debug until it works or KILL. Record terminal, browser, AND network tab.
4. Capture the impact artifact. XSS: alert() or cookie exfil. RCE: command output. Priv esc: admin panel. Auth bypass: protected data. SSRF: internal response. This artifact IS the entire submission. Everything else is context.
PHASE 2: RECORDING THE PoC (1–2 hours)
5. Clean environment reset. Start from fresh state (new project, new user). Reviewer must see setup is not pre-rigged.
6. Record continuous video (OBS or QuickTime). 1080p minimum, 30fps. Show browser URL bar at all times. Show terminal commands being typed. No cuts. No edits. Continuous recording. Maintainers distrust edited videos.
7. Record EACH step with a visible pause. Type command / click button. Wait 2–3 seconds showing result. Move to next step. Reviewer scrubs quickly · give them time to see each state change.
8. End on the impact. Last 10 seconds: the exploit result. Hold for 5 seconds minimum. The maintainer scrubs to this frame FIRST.
9. Take individual screenshots of each step. One per step, clearly labeled: step-01-create-user.png, step-02-inject-payload.png, step-03-trigger-execution.png, step-04-impact-visible.png.
PHASE 3: WRITING THE REPORT (1 hour)
10. Structure for a 30-second scan. Maintainers read in this order: (a) Title · state the IMPACT not mechanism. (b) Impact section · what can attacker DO? (c) Video link · they click immediately. (d) Steps to reproduce · numbered, one action each. (e) Root cause · supporting evidence, not main argument.
11. Differentiate from known CVEs. List every related CVE. “CVE-XXXX-YYYY fixes [X]. Our finding targets [Y]. Different file, different CWE, different mechanism.” Include file-by-file comparison table.
12. State severity with evidence. Don’t just claim CVSS 8.8. Show calculator inputs: AV:N, AC:L, Impact:H. Let them verify.
PHASE 4: PRE-SUBMISSION GATE (15 minutes) · HARD STOP
13. Watch your own video with fresh eyes. Does it make sense without reading the report? Can you see impact in last 10 seconds? Is URL bar visible throughout? Any errors or failures visible?
14. Answer these 5 questions. ALL must be YES.
Q1: Does the video show the exploit completing?
Q2: Does the final frame show demonstrated impact?
Q3: Is every step reproducible from the written steps?
Q4: Is this finding distinct from all published CVEs?
Q5: Would a maintainer who watches only the video understand what’s wrong and why it matters?
If ANY answer is NO: do not submit. Fix it first.
15. Platform-specific requirements. GitLab: local GDK or Docker REQUIRED. HackerOne: video upload directly (not YouTube). Evidence < 250MB total. Screenshots: PNG, clearly labeled.
PHASE 5: POST-SUBMISSION (ongoing)
16. Track response timeline. GitLab avg: 1hr initial, 2–4 weeks validation. If “needs more info”: respond within 48 hours. If N/A: read reason carefully · is it fixable?
17. Never follow up unprompted. Don’t add comments asking for status. Don’t ping analysts. Wait for their response.
18. If closed N/A, assess resubmission value. Format rejection: fix format, resubmit. Technical rejection: finding is dead. Duplicate: finding is dead. “Intended behavior”: probably dead · argue only if the CHAIN of intended behaviors creates unintended impact.
THE TITLE FORMULA
[Impact verb] + [what’s affected] + via [mechanism]
BAD: “Missing sanitization in system_prompt field”
GOOD: “Account takeover via OAuth token theft through custom AI agent prompt injection”
BAD: “Unsafe .html_safe usage in ERB template”
GOOD: “Stored XSS in merge request description via unsanitized AI vulnerability resolution output”
Never lead with the mechanism. Lead with what the attacker achieves. Impact first, mechanism second.
WHAT EACH PLATFORM’S MAINTAINER CARES ABOUT
GitLab (HackerOne)
  • Local instance reproduction (Docker/GDK)
  • Video showing complete chain
  • CVE differentiation
  • They downgrade aggressively. Over-document impact.
Immunefi
  • Mainnet fork PoC (forge test passing)
  • Fund impact in dollars
  • The project decides, not Immunefi
  • Escalation means nothing
Sherlock
  • Scope table compliance (exact file listed)
  • Severity restrictions (Critical-only programs)
  • Platform validity criteria (stale price = invalid)
  • $250 deposit at risk
Huntr
  • Reproduction steps that work
  • Clear vulnerability class (RCE > DoS > Info leak)
  • 85-day average triage. Patience required.
  • Palo Alto backing = payments reliable
COST OF GETTING IT WRONG
TermMax, right finding, incomplete PoC. $0.
MachFi, right finding, wrong scope. $0.
Berachain, right finding, duplicate. $0.
yRoboTreasury, right finding, right PoC, trusted role. $0.
GitLab ×2, right findings, wrong evidence format. $0 (so far).
Every $0 came from the same root cause: the submission didn’t meet the PLATFORM’S requirements, even though the FINDING was technically valid.

The finding is 50% of the work. The submission is the other 50%. Skip either half and you earn $0.
SAVE THIS. EXECUTE IT EVERY TIME. NO SHORTCUTS.