03:27:13 <usagirabbit> hello! i was wondering what the hackerone bounties are, the reporting document links to a old page thats now a dead link which has the bounty pool amount (1500 xmr in apr 2025 was the last snapshot, wow) and i was wondering if there was like a new forum or anything for it
03:27:39 <usagirabbit> https://github.com/monero-project/meta/blob/master/VULNERABILITY_RESPONSE_PROCESS.md
03:28:19 <usagirabbit> luigi1111 i'd figure you'd know as your one of the security contacts :)
04:07:54 <usagirabbit> anyone here?
04:11:53 <br-m> <rottenwheel:unredacted.org> usagirabbit yeah, apparently...
04:14:49 <luigi1111> The hackerone fund is more or less just case by case. A few xmr up to like 100+ depending on severity
04:16:43 <usagirabbit> i see thanks for letting me know
04:16:49 <usagirabbit> i reported a high severity :)
04:27:22 <BoBeR182> usagirabbit: what did you find?
04:27:26 <BoBeR182> high level?
04:27:33 <BoBeR182> RCE? or protocol issue
04:30:45 <usagirabbit> BoBeR182 im not too sure im supposed to disclose it, but its not a rce which would be critical :)
04:31:22 <BoBeR182> is it remotely exploitable
04:31:25 <usagirabbit> wdym
04:31:30 <BoBeR182> I'll shutdown my node until a patch comes out
04:31:35 <usagirabbit> oh noo
04:31:37 <usagirabbit> its not that scary
04:31:39 <usagirabbit> well
04:31:43 <usagirabbit> it involves nodes yes
04:31:44 <usagirabbit> but
04:31:45 <usagirabbit> yeah
04:31:50 <usagirabbit> im not gonna disclose more than that
04:31:55 <BoBeR182> so shutdown my node or not?
04:32:00 <usagirabbit> dont
04:32:05 <usagirabbit> it took me a while to discover it lmao
04:32:07 <usagirabbit> u should be sage
04:32:09 <usagirabbit> safe*
04:32:11 <BoBeR182> sounds like something an attacker would say
04:32:16 <usagirabbit> LOL
04:32:23 <usagirabbit> dont worry
04:32:26 <BoBeR182> there's agencies working 24/8 to compromise xmr
04:32:32 <usagirabbit> Im Totally Not State SponsoredTM
04:32:33 <BoBeR182> if you as a single user figured it out...
04:32:51 <usagirabbit> i submitted it to hackerone responsibly
04:32:59 <usagirabbit> im not a threat actor i swear!1!!!!!11
04:33:14 <usagirabbit> however i did use ai to look for potential weaknesses
04:33:21 <usagirabbit> (disclosed on the report, dont worry!)
04:33:26 <usagirabbit> so yeah
04:33:41 <usagirabbit> i just got like gpt 5.4 to scrape the entire codebase and look for stuff that could be high/critical
04:33:51 <usagirabbit> so far i havent found a critical yet, but only time will tell
04:33:55 <BoBeR182> were you able to reproduce it independently
04:34:00 <BoBeR182> or is it just theoretical
04:34:04 <BoBeR182> and a hallucination?
04:34:09 <usagirabbit> yes
04:34:14 <usagirabbit> i reproduced it independently
04:34:16 <BoBeR182> GPTslop has ruined many bug bounty programs
04:34:20 <usagirabbit> LOL
04:34:38 <usagirabbit> welp
04:34:41 <BoBeR182> did you offer a patch to fix it+?
04:34:43 <usagirabbit> yes
04:34:49 <BoBeR182> that is awesome!
04:34:59 <usagirabbit> well not really a patch
04:35:07 <BoBeR182> well go make one
04:35:08 <usagirabbit> i just told them what they could do to patch it
04:35:11 <BoBeR182> that would actually help
04:35:14 <BoBeR182> you should open the PR
04:35:16 <usagirabbit> it has a PoC and everything too
04:35:19 <usagirabbit> im not gonna open the pr cuz
04:35:24 <usagirabbit> i dont want it exposed
04:35:24 <usagirabbit> YET
04:35:27 <usagirabbit> it could take down uh
04:35:31 <usagirabbit> some nodes
04:35:34 <usagirabbit> forcefully
04:35:39 <BoBeR182> you can mark sensitive PRs
04:35:42 <BoBeR182> those exist in github
04:35:44 <usagirabbit> does it private it?
04:35:45 <usagirabbit> ahh
04:35:45 <BoBeR182> sounds like DoS
04:35:50 <usagirabbit> dang it!
04:35:52 <usagirabbit> ya figured it out LOL
04:36:06 <BoBeR182> that could be used to deanonymize certain actors
04:36:16 <BoBeR182> is it a memory corruption that can be DoS leading to RCE
04:36:26 <usagirabbit> uuhhhh
04:36:27 <usagirabbit> no
04:36:30 <usagirabbit> no code injection
04:37:01 <usagirabbit> the closest thing i can get into about it thats somewhat nontechnical is a ram leak
04:37:07 <usagirabbit> a threat actor can crash likee
04:37:09 <usagirabbit> a shit ton of nodes
04:37:13 <usagirabbit> esp if they are state sponsored
04:37:48 <usagirabbit> i think gpt 5.4 found another high/critical
04:38:20 <usagirabbit> but its kinda weird
04:38:38 <usagirabbit> its related to multisig
04:40:08 <usagirabbit> the first bug i found on monero is exactly CVSS 3 score 7.5!
04:53:25 <br-m> <ufo808:matrix.org> There was multisig issue before
04:53:44 <br-m> <ufo808:matrix.org> It was fixed
04:54:06 <usagirabbit> ahh
04:54:08 <usagirabbit> when?
04:54:14 <usagirabbit> yesterday?
04:54:20 <br-m> <ufo808:matrix.org> And I think I already saw some monero DoS on hackerone before, like multiple of them
04:54:28 <br-m> <ufo808:matrix.org> usagirabbit: Years ago
04:54:33 <usagirabbit> oh
04:54:36 <usagirabbit> years ago?
04:54:40 <usagirabbit> no these are recent
04:54:41 <usagirabbit> unpatched
04:54:44 <usagirabbit> ive tested them
04:54:49 <br-m> <ufo808:matrix.org> @ufo808:matrix.org: But maybe I’m trippin balls
04:54:55 <usagirabbit> no ur right
04:55:03 <usagirabbit> i have the latest repo
04:55:06 <usagirabbit> for monero
04:55:07 <usagirabbit> from the github
04:55:09 <usagirabbit> it works
04:55:40 <br-m> <ufo808:matrix.org> Interesting
04:55:51 <usagirabbit> a state actor can like
04:55:58 <usagirabbit> nuke a shit ton of nodes
04:56:03 <usagirabbit> if they are in the right place
04:56:08 <usagirabbit> so if they do a sustained attack of this
04:56:12 <usagirabbit> it can be basically wraps
04:56:13 <usagirabbit> soo
04:56:56 <usagirabbit> and i found another dos
04:56:57 <usagirabbit> omfl
04:57:41 <br-m> <ufo808:matrix.org> Can you nuke spy nodes then? Thanks
04:57:48 <usagirabbit> i cant uhh
04:57:50 <usagirabbit> select them
04:57:53 <usagirabbit> its kinda indiscriminate
04:57:54 <usagirabbit> LOL
05:01:27 <usagirabbit> uhm
05:01:30 <usagirabbit> i think i found another one
05:01:32 <usagirabbit> Rough CVSS: 8.6 High
05:01:36 <usagirabbit> ih wait
05:01:43 <usagirabbit> i found the one i already reported
05:01:44 <usagirabbit> LOOOOOOOOL
05:01:49 <usagirabbit> profound stupidity
05:01:53 <plowsof> the good thing about spamming this chat is that you would have disclosed the vuln already and not eligible for reward
05:01:58 <usagirabbit> ?
05:01:59 <usagirabbit> wat
05:02:13 <usagirabbit> ohh
05:02:17 <usagirabbit> about the one im looking for
05:02:18 <usagirabbit> LOL
05:02:19 <usagirabbit> nah
05:02:21 <usagirabbit> if i found one
05:02:25 <usagirabbit> ill just say ill found one
05:02:34 <usagirabbit> i wont go into detail abt it if its that bad
05:02:40 <plowsof> your report is "gpt 5.4 to scrape the entire codebase and look for stuff that could be high/critical" 
05:02:45 <plowsof> lol
05:02:53 <usagirabbit> 😭😭
05:02:55 <usagirabbit> i mean
05:02:57 <usagirabbit> ur not wrong
05:05:19 <plowsof> you're welcome 
05:07:59 <usagirabbit> broo
05:08:02 <usagirabbit> im using copilot write
05:08:10 <usagirabbit> dude
05:08:13 <usagirabbit> im genuinely fried
05:08:17 <usagirabbit> i just wrote right as write
05:08:23 <plowsof> yeah stop spamming 
05:08:26 <usagirabbit> its 12 am😭💔
05:08:50 <usagirabbit> gpt 5.4 keeps stopping
05:08:58 <usagirabbit> #OPENAIISLYINGABOUTMULTIHOURCODEXRUNS
05:19:10 <usagirabbit> hes back
05:19:19 <usagirabbit> the nsa killed him and he ressurected
05:20:46 <BoBeR182> did you DoS me
05:21:00 <usagirabbit> yes i did bober
05:21:04 <usagirabbit> i work for the nsa
05:21:11 <usagirabbit> #rced #itswrapsforyou
05:21:24 <usagirabbit> (joke obviously)
05:42:36 <Guest17> hello
05:57:58 <br-m> <kiersten5821:matrix.org> dos is high?
06:01:17 <br-m> <ravfx:xmr.mx> dos=high,umb
06:04:44 <br-m> <kiersten5821:matrix.org> umb meaning?
06:05:42 <br-m> <ravfx:xmr.mx> Upper High Memory
06:05:51 <br-m> <ravfx:xmr.mx> oh non, Upper Memory Block... I think
06:08:12 <br-m> <kiersten5821:matrix.org> and what does that mean
06:08:46 <br-m> <ravfx:xmr.mx> You too young
06:08:47 <br-m> <kiersten5821:matrix.org> feel like you're trolling me
06:08:50 <br-m> <kiersten5821:matrix.org> but i dont get it
06:09:10 <br-m> <kiersten5821:matrix.org> 😔
06:11:39 <br-m> <ravfx:xmr.mx> Back in the days, one would ideally want to load dos in HIGH and the left over in the UMB, that and as much drivers as possible.
06:11:39 <br-m> <ravfx:xmr.mx> The UMB where block of memory that could be freed Between A0000-FFFFF, usually between C8000-EFFFF.
06:11:39 <br-m> <ravfx:xmr.mx> Doing so would free conventional memory (the first 640K). So DOS games that need a lot of it would have enough memory
06:12:43 <br-m> <ravfx:xmr.mx> Things like QEMM would allow remapping the BIOS out of F0000-FFFFF, adding an extra 64KB
18:01:24 <waks> On my node I'm getting error "Transaction not found in pool" every minute or so. Is that cause for concern?
19:03:52 <br-m> <ofrnxmr:xmr.mx> Are you mining?
19:21:06 <waks> Yeah, with p2pool connected to my node
19:28:56 <br-m> <ofrnxmr:xmr.mx> Other p2pool peers are mining blocks that have txs that youe node doesnt have
19:29:34 <br-m> <ofrnxmr:xmr.mx> Your node tries to broadcast them hut shows that error because your node is missing txs that are in the submitted block
19:37:42 <waks> What would cause that happen? Is that normal? Am I not syncing fast enough or something?
19:44:56 <br-m> <ofrnxmr:xmr.mx> Selfish mining of txs
20:06:07 <waks> So it's other nodes that are causing that to appear?
20:30:56 <br-m> <omurad:matrix.org> Yes
20:58:57 <br-m> <ofrnxmr:xmr.mx> Its p2pool peer's node that are causing it to appear*
20:59:17 <br-m> <ofrnxmr:xmr.mx> Not nodes that your node is directly connected to