원클릭으로
bounty-loop
Autonomous Immunefi + Cantina hunt loop until a novel finding hits submit_now. Human gate for external post.
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
메뉴
Autonomous Immunefi + Cantina hunt loop until a novel finding hits submit_now. Human gate for external post.
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
SOC 직업 분류 기준
Practitioner-elevated asset tracing patterns from SlowMist Crypto-Asset-Tracing-Handbook. Provides canonical property tables for obfuscation patterns (peel chains, mixers, bridge hops), address behavior clustering/risk profiling, cross-chain reconstruction workflows. Hard-first on behavioral + flow invariants. Integrates with codegraph-x-ray, deep-dive-handoff, and bounty forensics. Includes reference implementation for mixer deposit/withdrawal clustering. Trigger: alpha-miner on tracing handbook or similar.
Drop-in skill adapted from Glider query engine for static analysis, taint tracking, CFG/DFG traversal in bug bounty. Supports lazy reference loading, creativity layer for audited targets, integrates with bounty-loop. EVM priority with Solana compatibility.
Use for mining validator/runtime/cache/storage-key coherence bugs in blockchain clients, VMs, program loaders, bridge runtimes, and execution harnesses. Hard-first on stale cache, recycled identifier, partial flush, epoch/generation drift, mempool/order-dependent runtime state, and storage-key confusion. Trigger on runtime cache invariant, stale cache bug, VM storage confusion, client cache coherence, Aptos-style hijack, validator-local state, epoch-boundary bug, or when alpha-miner extracts runtime/client exploit engineering.
Cross-references a graphified target codebase (codegraph-x-ray output) against the local AuditVault corpus to surface structurally analogous historical vulnerabilities. Run after codegraph-x-ray has completed and produced invariants.md and property_candidates.md. Produces ranked pattern-match hits with per-finding graph anchor evidence. Pattern matches are advisory signals only — never evidence of exploitability and never a substitute for live reproduction or submission-gate validation.
Combines structured codegraph intelligence with rigorous invariant synthesis. Enforces high-quality usage of codegraph to identify the Primary Target Subsystem, then applies ordered structural invariant discovery with strict verification gates. Produces categorized invariants and high-quality property candidates ready for ultrafuzz-discovery. Trigger on codegraph-x-ray, x-ray with codegraph, invariant synthesis, primary subsystem invariants.
Optional accelerator and scaffolder for ultrafuzz-discovery. Brings parallel specialized invariant discovery agents, automated harness/handler scaffolding, coverage-driven refinement loops, property tagging, and reproducible test generation helpers from high-quality EVM fuzz patterns. Designed to speed up property fan-in and executable attempts phases while preserving NSS rigor, fresh-context pass@k, adjudication, and Crucible usage. Trigger on fuzz-scaffolder, accelerate invariant discovery, generate fuzz harness, scaffold handlers.
| name | bounty-loop |
| description | Autonomous Immunefi + Cantina hunt loop until a novel finding hits submit_now. Human gate for external post. |
Sub-skill of HIPIF (hipif skill) — used in chain steps depth_wormhole, depth_kamino, and hunt_rotation. Daily cron runs the full HIPIF chain, not this skill alone.
Closed outer loop: unified scan → pick uninvestigated target → full pipeline → score → repeat until submit_now qualifies or queue exhausts.
Orchestrates NSS CLI only. Never bypass validation gates or post to Immunefi/Cantina without human approval.
submit_now)All must be true (engine + compute_bounty_score):
submission_recommendation == submit_nowevidence_grade >= 4reproduction_tier in fork_reproduced | solana_validatorcatalog_analogue == falsedeployed_viable == truefork_evidence.balance_verified == true (novel findings; catalogue anchors exempt)candidate_schema_version >= 4, target_pinned, source_ref.commit, entrypoint selector/discriminator, candidate-specific reproduction artifact, measured non-fee impactsolana_evidence.harness_mode == live_executed with probe_executed + measured balance delta — fixture/deploy-only blocked (klend_require_live in kamino_klend.json). Validator clones mainnet lending market + USDC/SOL reserves/vaults (sources/kamino/klend_accounts.json; marker CLONED_DATA_ACCOUNTS). Fee-only CPI (live_deploy_verified, MEASURED_DELTA_LAMPORTS:0) is not submittable.wormhole_triage.json with live fork targets and semantic bridge candidates. Governance/pause smoke or triage_surface_verified without token/native delta, bridge accounting violation, or bounded TVS is not submittable.On qualify: writes data/security_results/loop/submission_alert.json (schema v2), sets human_gate_pending in state, stops the loop. Export lands in bounty/submittable/ only when qualifies_for_submission() passes. Alert Kate — follow skill operator-submit; do not post externally without approval.
cd /home/kt/projects/rtp/night-shift-security
git pull --ff-only
# .env: ALCHEMY_API_KEY, ETHEREUM_RPC_URL, SOLANA_MAINNET_RPC_URL (validator clone depth)
hermes/scripts/nss-bounty-loop.sh --iterations 1 --refresh-scan
Or with Hermes proposals for the picked target:
# After hypothesis-expansion for loop target slug:
.venv/bin/python -m night_shift_security.cli.main \
--proposals data/security_results/hermes_proposals/latest.json \
bounty loop --target <slug> --iterations 1
hermes/scripts/nss-bounty-loop.sh --trials 30 --iterations 1 --refresh-scan
Runs 30 independent attempts on the same picked slug before advancing queue. Not for daily cron (cost).
hermes/scripts/nss-bounty-loop.sh --iterations 3 --min-bounty 250000
State: data/security_results/loop/state.json (saturated slugs, run history, submission queue).
cat data/security_results/loop/submission_alert.json
ls data/security_results/bounty/submittable/
.venv/bin/python -m night_shift_security.cli.main platform diff
If submit_ready: hard stop — human gate for Immunefi/Cantina post (skill operator-submit). Research-only findings stay in bounty/research/.
Each tick runs deterministic recursive self-improvement inline:
knowledge/improvement_ledger.jsonl — append-only action logloop/refinement_hints.json — top refinement target for parametric proposalscooldown_overrides, scan_boost_slugs, refinement_queueStandalone analysis: skill recursive-improvement or improve CLI.
Required after every loop invocation. Follow lab-notebook skill:
best_recommendation, saturated slugs updated?CLONED_DATA_ACCOUNTS, PROBE_ACCOUNTS, HARNESS_MODE, MEASURED_DELTA_LAMPORTSBRIDGE_PAUSE_AUTH in forge logsPrograms where all findings are catalog_analogue with no submit candidates get added to saturated_slugs and skipped. Seed list includes kamino, raydium, orca, marinade, wormhole, euler.
operator-checkpoint before context rollover if mid-investigation.DELTA_WEI in forge output for task verifier (threshold 0.1 ETH default).--refresh-scan runs full scan --platform all (slow); cron uses it daily; ad-hoc can omit if bounty_scan/latest.json is fresh.ETHEREUM_RPC_URL (or FOUNDRY_FORK_URL) for fork configs; without RPC, loop falls back to shoestring base.--proposals is a global CLI flag (before bounty loop).--target <slug> with any forced proposal file; target/config mismatch fails before validation.shoestring_only / polish_validator — not submit_now. Loop keeps hunting novel surface.pauser() getter bubbling — pauser roles read from ERC-7201 storage in triage tests; mainnet roles may be unassigned (0x0).investigate subcommand remains Immunefi-only; bounty loop uses program_registry for Cantina + Immunefi.nss-hipif-chain daily 04:00 runs this skill inside the HIPIF subgoal chain (agent + OAuth). Emergency no-agent fallback: nss-bounty-loop-cron.sh.legacy.