bob started at the narrowest human boundary: a first-party wallet app where a URL can open an announcement over the real product.
open first-party wallet app
→ { "urlData": "announcement", "origin": "trusted", "wallet": "present" }
single-page app · modal path · wallet provider in a real browser
the frontier was not everything bob found. it was the one lead where UI plumbing crossed wallet trust.
surface ledger
API map -> supporting context
other real leads -> separate reports
scanner edge -> parked until client proof
wallet app bundle -> live enough to read
announcement modal -> crosses user trust
The workflow keeps adjacent findings separate, then follows the lead whose impact survives verification.
the claim froze when one entry path reached two separate interactive links. one patch would not close both.
entry data -> two renderers
entry: URL-carried announcement
sink A: rich-text link accepts unsafe scheme
sink B: action link accepts unsafe scheme
shared entry, separate renderers
fix A does not fix B
That distinction is the claim: not duplicate bugs, and not one vague injection.
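As an added illustration of the two-sink point (not code from the report or the wallet app): one scheme allowlist that both renderers call, so a fix applied only to the rich-text link cannot leave the action link open. The origin, field names and sample announcement are constructed.

```javascript
// Added example, not code from the report or the wallet app: one scheme
// allowlist applied at both sinks, so fixing the rich-text link alone
// cannot leave the action link open. Names and origin are hypothetical.
const ALLOWED_SCHEMES = new Set(["https:", "http:", "mailto:"]);
const APP_ORIGIN = "https://wallet.example"; // constructed base for relative links

function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Resolve the candidate href and keep it only if its scheme is allowlisted.
// javascript:, data:, blob:, vbscript: and unparseable input all come back null.
function safeHref(raw) {
  if (typeof raw !== "string") return null;
  let url;
  try { url = new URL(raw, APP_ORIGIN); } catch { return null; }
  return ALLOWED_SCHEMES.has(url.protocol) ? url.href : null;
}

// Sink A: a link inside the announcement's rich-text body.
// Falls back to plain text when the href is rejected, instead of dropping the gate.
function renderRichTextLink(link) {
  const href = safeHref(link.href);
  const text = escapeHtml(link.text);
  return href ? `<a href="${escapeHtml(href)}">${text}</a>` : text;
}

// Sink B: the modal's action button. Separate renderer, same gate.
function renderActionLink(action) {
  const href = safeHref(action.href);
  const label = escapeHtml(action.label);
  return href
    ? `<a class="action" href="${escapeHtml(href)}">${label}</a>`
    : `<span class="action disabled">${label}</span>`;
}

// The URL-carried announcement reaches both renderers from one entry point.
function renderAnnouncement(announcement) {
  return {
    body: announcement.links.map(renderRichTextLink).join(" "),
    action: renderActionLink(announcement.action),
  };
}
// Constructed sample: both sinks receive a non-allowlisted scheme.
const SAMPLE = {
  links: [{ href: "javascript:void(0)", text: "Read more" }, { href: "/faq", text: "FAQ" }],
  action: { href: "data:text/html,x", label: "Claim" },
};
```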
verification stayed concrete: live bundle, disposable browser, trusted-origin prompt, no signature needed.
- bundle: live
- modal: opens
- prompt: trusted
the proof stops at the prompt: trusted origin visible, user can reject, no funds moved.
bob put the grade in the language a triager reads: the class the bug belongs to, and the score that sizes it.
CWE-79: improper neutralization of input
untrusted text rendered as live code — cross-site scripting
CWE-116: improper output encoding
the escape step that should have neutered it never ran
CVSS 3.1: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
- AV:N over the network
- AC:L no special setup
- PR:N no account
- UI:R victim must act
- S:C escapes the component
- C:H full read
- I:H full tamper
- A:N stays up
8.2 high
bob’s own score — a private engagement, no public advisory. Scope is Changed because the injection runs in a wallet-trusted origin: it reaches the wallet, not just the page.
filed as one chain: same entry, two independent fixes, trusted-origin wallet prompt.
85 / 100
high · client-side injection · wallet-trusted origin · two independent sinks
anonymized: exact brand, origin, entry parameter, and payload withheld.