It's about a compiler bug in C++ that had downstream effects in the compiler for Solidity, which is a language for developing smart contracts. Yes, every compiler can have bugs, even ones not relating to smart contracts, but that doesn't seem like a very convincing argument that we should be using compilers for more things rather than boring regular code that isn't considered to be contractual.
Segfaults are the lucky case when you run into undefined behavior. The unlucky case is that you just get a program doing something different than what you intended without any clear indication that something went wrong.
Don't you find all the string parsing and manipulation to be quite painful in Swift? I tried to do AoC in Swift before and that put me off a lot. I liked doing little functional one-liners but a week from now the parsing burden will be too high.
I program every day in Swift. I attempted AoC for the first time in Swift last year and gave up after about a week or so for this exact reason and switched to Python for the remainder. I don't want to struggle with the awkward string API to do things other languages can do in a line.
The answer to this question is out there, but the reports are not published yet.
I caution readers to not make rash judgements on their skill like this though. These bugs are really hard to find, and it was a minor miracle that I noticed these ones at all. I actually had a whole list of critical bugs in this codebase ready to report before the V2 upgrade was merged to master (which would put it in scope for a bounty). However, the auditors managed to find every single bug on my list. I only noticed the ones that eventually made it here later, by a stroke of luck, and after I had already spent a ton of time looking at this codebase without noticing them.
Did you try other things, like trying to get employed by the team, or consider submitting an altruistic pull request? Or was the bug bounty the adequate incentive from the get-go?
Projects are free to change their terms and the page you link has been updated since I submitted my reports. The maximum was lowered to $1M and payment currency changed from USDC to SEI.
What sort of crime are you envisioning that exploiting this would fall under? It's not always fraud to satisfy a poorly written contract, although that is commonly the case.
It was advertised in advance, but the real gamble is on if they'll pay. If you go to my other blogpost linked in OP, you can see a case where I was owed 500k and paid 60k.
You're right though that it's a lot of risk. It's not something that most of the leaderboard works full time on, though some of us do. The Immunefi homepage has a list of all the bounties on offer.
It's up there but not singularly so. Twice there have been $10M! You can see the leaderboard where the majority of crypto bounties are represented here (https://immunefi.com/leaderboard/) but you have to search around for the actual reports.