Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

What Is Primacy Of Impact? - 1146

Immunefi - Posted 2 Years Ago
  • In some way, shape or form, a bug bounty program needs a documented scope. On Immunefi, this typically lists the contracts or websites in scope and the assets at risk. So, what happens when the company writes a new contract but it is not put on the scope list? Well, the contract is no longer in scope!
  • To me, this is really dumb. Obviously, you want to define what you pay out for. At the same time, shouldn't it just be that there are customer funds at risk? Funds at risk is funds at risk. If whitehats find a bug and don't feel they can get paid out, they may cross over to the dark side.
  • This new Primacy of Impact rule is meant to get rid of this. We didn't mention that contract in scope, yet you can steal millions' worth of assets? Yep, we'll pay out for that! This rule is trying to prevent programs from declining to pay out for a bug while still feeling the bug is bad enough to warrant a fix. If there are funds at risk, then a payout should occur.
  • In the DeFi space, where million-dollar hacks happen regularly, it makes sense to have this rule. I think it's a good step forward for security.