EOSE LABS · WHITEHAT SECURITY METHODOLOGY GUIDE · V12 · DAY 91
EOSE WHITEHAT USER GUIDE
γ₁ = 14.134725141734693 · The methodology that built 19 findings · No mock PoCs · Tardigrade doctrine
DOCTRINE FIRST
The Tardigrade Doctrine
Build sovereign knowledge first. Bounty is a byproduct, not the goal. Prove patterns on your own system before approaching external contracts. We built SERLFVault.sol, found 6 bugs, proved 13/13 N6, then carried the patterns to the real protocols.
Reference: TRB-TARDIGRADE-CHAIN-UNIVERSE-001 · TRB-SERLF-BOUNTY-PROTOCOL-001
Result: 19 findings, 0 mock PoCs, $511k–$2.4M addressable bounty.
⚠ RED LINE — NEVER FILE WITH MOCK PoC
Always clone the real repo. Read the real function. Fork mainnet. Run Foundry against the real contract.
TRB-BOUNTY-VERIFY-FIRST-001 filed after SUB-001 was closed for using SimpleDVN (written by us). That lesson cost nothing but time. Never again.
THE SSAF 8-WAVE METHODOLOGY
1. RECON: Scan H1/Immunefi/C4/Sherlock. 585 programmes. $18M+ surface. Select 16 protocols by TVL × pattern density.
2. CLONE: Clone target repos. Tag all sol files by protocol. Build local index. 1,074 sol files from 6 protocols in S1.
3. SCAN: Run 32 attack patterns × all files. Flag matches by class: FL/RE/OR/AC/MA/BR/V4/GV. Log everything.
4. MATCH: Classify matches: CRIT/HIGH/MED/LOW. Confirm kill chain exists. Discard if no chain. 69 matches → 27 findings.
5. POC FORGE: Fork mainnet. Write Foundry test. Prove drain. Real numbers. No mock contracts. SERLF N6 protocol.
6. VALIDATE: GREYBACK rerun. Independent pass. All 6 N6 gates must pass. Zero tolerance for shortcuts.
7. CLO GATE: msclo yLAW AND gate. msi01 builds → msclo reviews + signs → submit. No exceptions, not even LOW.
8. SUBMIT: File via platform. Include PoC, fix, N6 verdicts. Follow up on triage. Track in SUBMISSION-MASTER.
THE N6 GATE PROTOCOL
All 6 Gates Must Pass Before CLO Review
G1 — ORIGIN: Finding traceable to a specific line of code in the real contract.
G2 — KILL CHAIN: Full attack path documented. Entry → exploit → drain/impact → exit.
G3 — POC FORGE: Foundry test passes on mainnet fork. Real contract, real state, real drain.
G4 — N6 VALIDATE: GREYBACK independent rerun. Same result. No cherry-picking.
G5 — CLO GATE: msclo yLAW signs off. No submission without CLO.
G6 — DOCTRINE: Aligns with Tardigrade doctrine. No mock PoCs. No speculative findings.
THE CLO AND GATE
msi01 builds + proves → msclo reviews + signs → submit
msclo is yLAW — the Admiral Law silo. Nothing leaves EOSE without legal/IP review. The AND gate is not optional. Not for LOW severity. Not for "obvious" findings. Not for anything.
Why: We are a company (EOSE Labs Inc., incorporated 2026-03-29). Every submission is a legal document asserting a security finding against another company's code. The CLO gate protects EOSE.
How: Send draft to msclo. msclo reviews: (1) finding is accurate, (2) no IP issues, (3) submission text is professional, (4) EOSE is correctly represented. Signs off. Then file.
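The MATCH discard rule, the six N6 gates and the CLO AND gate above are all yes/no checks on a finding record, so they can be encoded as a small evaluator that reports exactly which gate blocks a submission. The script below is an added example, not EOSE tooling or part of this guide; the Finding fields, the gate names and the sample findings are constructed assumptions for illustration, and the gate rules follow G1 to G6 as the guide states them.

```python
# Added example (not EOSE's own tooling): an N6 gate + CLO AND-gate evaluator
# for candidate findings. The Finding record, its field names and the sample
# data are assumptions constructed for this illustration; the gate rules mirror
# the G1-G6 list and the MATCH / CLO GATE waves of the guide.
import re
from dataclasses import dataclass, field
from typing import Optional

SEVERITIES = ("CRIT", "HIGH", "MED", "LOW")
KILL_CHAIN_STEPS = ("entry", "exploit", "impact", "exit")  # G2: entry -> exploit -> drain/impact -> exit
ORIGIN_RE = re.compile(r"^[\w./-]+\.sol:\d+$")             # G1: file.sol:line in the real contract


@dataclass
class Finding:
    finding_id: str
    severity: str
    origin: str                                   # e.g. "src/Vault.sol:142", "" if not traceable
    kill_chain: dict = field(default_factory=dict)  # step -> one-line description
    poc_passes_on_fork: bool = False              # Foundry test green on a mainnet fork
    poc_uses_mock_contracts: bool = False         # the red line: mock PoC
    greyback_result_matches: Optional[bool] = None  # None = no independent rerun yet
    clo_signed: bool = False                      # msclo sign-off


def has_kill_chain(f: Finding) -> bool:
    """MATCH wave: every step of the chain must be documented, or the match is discarded."""
    return all(f.kill_chain.get(step, "").strip() for step in KILL_CHAIN_STEPS)


def n6_gates(f: Finding) -> dict:
    """Evaluate G1..G6 independently so the reviewer sees which gate failed, not just that one did."""
    return {
        "G1_ORIGIN": bool(ORIGIN_RE.match(f.origin)),
        "G2_KILL_CHAIN": has_kill_chain(f),
        "G3_POC_FORGE": f.poc_passes_on_fork and not f.poc_uses_mock_contracts,
        "G4_N6_VALIDATE": f.greyback_result_matches is True,
        "G5_CLO_GATE": f.clo_signed,
        "G6_DOCTRINE": (not f.poc_uses_mock_contracts) and f.severity in SEVERITIES,
    }


def failed_gates(f: Finding) -> list:
    return [gate for gate, ok in n6_gates(f).items() if not ok]


def can_submit(f: Finding) -> bool:
    """AND gate: all six must pass; LOW severity gets no exemption."""
    return not failed_gates(f)


def run_funnel(matches: list) -> dict:
    """MATCH -> VALIDATE -> CLO GATE counts, the same funnel as '69 matches -> 27 findings'."""
    findings = [m for m in matches if has_kill_chain(m)]
    submittable = [m for m in findings if can_submit(m)]
    return {
        "matches": len(matches),
        "findings": len(findings),
        "submittable": len(submittable),
        "blocked": {m.finding_id: failed_gates(m) for m in findings if not can_submit(m)},
    }


# Constructed sample data (not real findings, not real contracts).
CHAIN = {
    "entry": "caller reaches the public entry point",
    "exploit": "accounting step misbehaves on the forked state",
    "impact": "measurable balance change asserted by the Foundry test",
    "exit": "funds leave the contract to the caller",
}

SAMPLE_MATCHES = [
    Finding("EX-001", "HIGH", "src/Vault.sol:142", dict(CHAIN), True, False, True, True),
    # SUB-001 style: PoC exercised a mock written in-house instead of the real contract
    Finding("EX-002", "CRIT", "src/Bridge.sol:88", dict(CHAIN), True, True, True, True),
    # pattern hit with no documented exit step -> discarded at MATCH
    Finding("EX-003", "MED", "src/Auction.sol:31", {k: v for k, v in CHAIN.items() if k != "exit"}),
    # fully proven, but msclo has not signed -> blocked at the CLO AND gate
    Finding("EX-004", "LOW", "src/Token.sol:210", dict(CHAIN), True, False, True, False),
]

if __name__ == "__main__":
    print(run_funnel(SAMPLE_MATCHES))
```

Running it on the constructed samples yields four matches, three with a kill chain, and one that clears every gate; the mock-PoC finding is blocked at G3 and G6 together, and the unsigned LOW finding is blocked at G5 only, which is the "not even LOW" rule made mechanical.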
PLATFORM GUIDE
Where to File What
Immunefi: Primary. DeFi protocols. $1k–$10M pools. Account + wallet required. @serlf handle. 0x22377D69...3349A20.
Code4rena: Competitive audits. Timed contests. Fixed pool split among valid findings. Best for known protocols with active contests.
Sherlock: DeFi-focused competitive audits. Watson system. High quality signal. Register + stake.
Cantina: Newer, invitation-based. Higher signal-to-noise. Apply with portfolio (use ssaf-bonsai pages).
HackerOne: Web2 + some DeFi (Coinbase MPC active). Wider scope. cb-mpc folder exists.
FOUNDRY WORKFLOW
## 1. Install Foundry (done — v1.7.0)

```shell
~/.foundry/bin/forge --version
```

## 2. Clone target repo

```shell
git clone https://github.com/[protocol]/[repo]
cd [repo]
```

## 3. Init test file

```shell
cat > test/[ID]_[Finding].t.sol << 'EOF'
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

import "forge-std/Test.sol";
import "../src/[Contract].sol";

contract [ID]Test is Test {
    [Contract] target;

    function setUp() public {
        // "mainnet" is resolved as an alias from [rpc_endpoints] in foundry.toml;
        // a full RPC URL string also works here
        vm.createSelectFork("mainnet"); // fork mainnet
        target = [Contract](0x[address]);
    }

    function test_[finding]() public {
        // 1. Setup state
        // 2. Execute attack
        // 3. Assert drain / impact
        uint256 before = address(this).balance;
        // ... exploit ...
        uint256 after_ = address(this).balance; // `after` is a reserved word in Solidity
        assertGt(after_, before, "[ID]: drain confirmed");
    }
}
EOF
```

## 4. Run with mainnet fork

```shell
FOUNDRY_ETH_RPC_URL=https://[rpc] forge test -vvvv --match-test test_[finding]
```

## 5. All assertions pass → N6 G3 unlocked
SEASON ROADMAP
S1 — SERLFVault ✅
6 bugs · 13/13 N6 · Tardigrade proven · Internal sealed
S2 — SERLFBridge ⚡
Bridge finality · replay · ordering · LayerZero · Wormhole
S3 — SERLFGovernance
Flash loan gov · timelock · front-run · EigenLayer CRIT
S4 — SERLFToken
ERC-4626 share inflation · donation · sig replay
S5 — SERLFAuction
TWAP manipulation · sandwich · MEV · GMX spread
S6 — Anchor/Solana
Rust · BPF · PDA bypass · Wormhole guardian · signer checks
TRB-SEC-DOMAIN-TEST-SUITE-V12-001 · TRB-SERLF-BOUNTY-PROTOCOL-001
No mock PoCs. CLO AND gate. Tardigrade doctrine. Sovereign first.