| ID | Title | Severity | Rating | Confidence | Verification | Status |
|---|---|---|---|---|---|---|
| S-02 | HyperliquidUsdcOracle ETH_INDEX=4 is DYDX, not ETH | CRITICAL | 10/10 | 99% | Mainnet API, precompile, docs | DISCLOSING |
| S-04 | RedstoneOracle ms/s staleness check bypass | HIGH | 9/10 | 95% | Redstone source code confirmed | DISCLOSING |
| S-01 | AggV3Oracle missing non-positive price check | MEDIUM | 8/10 | 99% | Forge PoC 6/6 PASS | DISCLOSING |
| S-03 | Hyperliquid oracles zero price DoS | MEDIUM | 7/10 | 90% | Code review | HELD |
| S-05 | SuperPool paused pool removal | MEDIUM | 6/10 | 80% | Code review | HELD |
20 agents audited 22 contracts (~5,135 LoC). 250+ raw findings narrowed to 5 submittable. 3 verification agents upgraded S-02 to Critical and S-04 to High.
The S-01 Forge PoC passes 6 of 6 tests: silent acceptance of a zero price and a panic on a negative price are both confirmed, and the pattern gap between AggV3Oracle and its sister contracts is proven.
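As an added illustration of the S-01 class (non-positive `answer` accepted from a Chainlink-style `latestRoundData()`) and the S-04 unit mismatch (millisecond timestamps compared against `block.timestamp` in seconds), here is an unchecked adapter beside a hardened one. This is example code, not Sentiment's contracts and not the Forge PoC referenced above; the contract names, the `stalePriceThreshold` parameter, the custom errors and the trimmed `AggregatorV3Interface` are assumptions for the illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Staleness helpers with explicit units. Chainlink reports updatedAt in
// seconds; Redstone payload timestamps are milliseconds, so a caller holding a
// ms value must run it through msToSec first, otherwise the comparison against
// block.timestamp (seconds) is meaningless.
function msToSec(uint256 timestampMs) pure returns (uint256) {
    return timestampMs / 1000;
}

function isFresh(uint256 updatedAtSec, uint256 nowSec, uint256 thresholdSec) pure returns (bool) {
    if (updatedAtSec > nowSec) return false; // future-dated round: treat as invalid
    return nowSec - updatedAtSec <= thresholdSec;
}

// Minimal Chainlink AggregatorV3 surface (assumed subset of the real interface).
interface AggregatorV3Interface {
    function decimals() external view returns (uint8);
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

// Illustrative unchecked adapter (assumed shape, not the audited contract):
// the signed answer is cast straight to uint256 with no sign or zero check.
contract UncheckedAggV3Oracle {
    AggregatorV3Interface public immutable feed;
    uint256 public immutable stalePriceThreshold; // seconds

    constructor(AggregatorV3Interface feed_, uint256 stalePriceThreshold_) {
        feed = feed_;
        stalePriceThreshold = stalePriceThreshold_;
    }

    function getPrice() external view returns (uint256) {
        (, int256 answer, , uint256 updatedAt, ) = feed.latestRoundData();
        require(block.timestamp - updatedAt <= stalePriceThreshold, "stale price");
        // answer == 0 passes through as a zero price; answer < 0 wraps to a
        // huge uint256 here (a SafeCast-style conversion would revert instead).
        return uint256(answer);
    }
}

// Hardened adapter: rejects non-positive answers and incomplete or stale
// rounds before the value is ever used.
contract CheckedAggV3Oracle {
    AggregatorV3Interface public immutable feed;
    uint256 public immutable stalePriceThreshold; // seconds

    error NonPositivePrice(int256 answer);
    error StalePrice(uint256 updatedAt, uint256 nowSec);

    constructor(AggregatorV3Interface feed_, uint256 stalePriceThreshold_) {
        feed = feed_;
        stalePriceThreshold = stalePriceThreshold_;
    }

    function getPrice() external view returns (uint256) {
        (, int256 answer, , uint256 updatedAt, ) = feed.latestRoundData();
        if (answer <= 0) revert NonPositivePrice(answer);
        if (updatedAt == 0) revert StalePrice(updatedAt, block.timestamp); // round never completed
        if (!isFresh(updatedAt, block.timestamp, stalePriceThreshold)) {
            revert StalePrice(updatedAt, block.timestamp);
        }
        return uint256(answer);
    }
}
```

The `msToSec` step is what the S-04 class is about: a millisecond timestamp is roughly a thousand times larger than any plausible seconds value, so a freshness comparison that never normalises it does not measure staleness at all; whether it reads as always fresh or reverts depends on how the expression is written, and the page reports the bypass variant. The order of checks in `CheckedAggV3Oracle` also matters: validating `answer` first means a zero or negative feed reading surfaces as a clear oracle failure rather than as a zero-valued or wrapped price downstream.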
Hyperliquid mainnet API shows index 4 = DYDX ($0.15), index 1 = ETH ($2,269). That's a 15,127x overvaluation. Rating moved from 7/10 to 10/10.
4 SC-prefixed submission files created, with AppleScript automation for Chrome. The call was to submit 3 and hold 2.
Sherlock #37 returns null on every field. We scanned 310 IDs and found zero Sentiment matches. The bounty was removed sometime between March and May 2026.
Five-channel outreach to the Sentiment team: email, GitHub Security Advisory, Discord, Telegram, and Twitter. No finding details shared yet; we're asking for a secure channel first.
| # | Lesson |
|---|---|
| 1. | Verify the bounty is live before doing verification work. We spent $3-5 on verification agents for a bounty that was already dead. Check API status first. |
| 2. | Verification agents still earn their keep. S-02 went from 7/10 to 10/10 Critical. S-04 went from 50% to 95% confidence. Cost was $3-4. Always deploy for findings rated 6 or higher. |
| 3. | Post-audit oracle contracts stay prime targets. 4 of 5 findings came from 6 contracts (~558 LoC) added after all audits. |
| 4. | Always keep a disclosure fallback. Bounty platforms can pull programs at any time. Direct team contact preserves the finding value. |
| 5. | Fix DeepSeek routing before Campaign 7. 1.67M tokens on Opus ran ~$35 against ~$2 on DeepSeek Flash. That's 17.5x cost overhead. |
| Dimension | Score | Notes |
|---|---|---|
| Finding quality | 9.5/10 | Best of all 6 campaigns. S-02 is the single best finding so far. |
| Verification rigor | 9/10 | Mainnet API, forge PoC, source code analysis |
| Target selection | 7/10 | Right protocol, wrong timing |
| Bounty verification | 1/10 | Didn't check before spending. One API call costs $0 and 30 seconds. |
| Cost efficiency | 3/10 | $35 on Opus, should be $2 on DeepSeek Flash |
| Monetization outcome | 3/10 | $0 confirmed, $1.5K-$4K hoped |
| Disclosure execution | 7/10 | 8 messages across 4 channels, all automated |
| Pipeline learning | 8/10 | CHECK 0, verification protocol, DeepSeek routing fix |
| OVERALL | 6/10 | Elite findings, broken process |
| Item | Value |
|---|---|
| Confirmed earnings to date | $0 |
| Submissions awaiting judgment | 2 (K2 + Renegade) |
| Findings in disclosure limbo | 3 (Sentiment) |
| Targets correctly killed | 2 (GMTrade + CapyFi) |
| Total compute spent | ~$95 (should be ~$15 with DeepSeek routing) |
| Total deposits at risk | $25 (Renegade USDC) |
| DeepSeek budget wasted | $29.95 of $34.97 |
| Best realistic outcome | $15K-$25K |
| Expected outcome (0.3x) | $4K-$8K |
| Worst realistic outcome | -$120 |
Where it stands. The pipeline produces genuine security findings, and that part is proven. Whether those findings turn into money is still unproven. Everything rides on the Renegade and Sentiment responses over the next 2 to 4 weeks.