Foundry has recently released a new tool, and it's a lifesaver 🚀🛠️
`forge clone <address>`
This will download all the code and dependencies you need to run a live contract of your choice!
One great method that can improve your learning is a feedback form 📝.
It helped me WIN my first @code4rena contest back in November 🏆
And it helped me get a chance to work with @GuardianAudits, auditing some of the biggest names in crypto 💼.
This isn't a technique to do
I wish someone had told me this back when I was starting:
❗️ Good auditors work 5x, if not 10x, harder than you
❗️ You can be either good at Twitter or good at auditing
❗️ It takes more time than you expect
❗️ Learn as much as you can from each audit
❗️ Posting proof of
Here is a great article, not for auditing, but about focus and learning faster.
"Give me six hours to chop down a tree and I will spend the first four sharpening the axe" - Lincoln
What I've learned from doing a million-dollar contest
🥳 The @cantinaxyz results for @Blast_L2 are out! 🥳
From doing the contest and analyzing the findings, I can help you make a lot of 💰 money 💰 by sharing the lessons I've learned. Feel free to use these tips for
How did I end my year?
My 9 months of full-time web3 security earned me:
- ~20k
- ~25 H
- ~20 M
The stats are not amazing. I am in the lower half of the competitive space, however, progress is still progress, no matter how small😉.
Yesterday I talked with my grandpa, his eyes were full of disappointment.
I don't have a job.
I don't make money.
I don't study at a college.
I don't have a girlfriend.
Yet I had nothing to say, he was right and I need to prove myself.
Motivation is not always nice talks.
If it's hard for you, it's hard for everybody.
Don't quit. The closer you get to the end, the less competition there is.
This is advice that I learned in c4, that applies to everything.
How to Reflect on Your Mistakes
Even though I got 6th place 😕 in the recent Teller contest on @sherlockdefi (which is quite good, considering I spent < 20 hours 😄)
I still reviewed the full report and everything I missed. This review led me to find one critical thing about
My friend was here yesterday watching me audit for an hour and a half. His reaction was, "Man, I thought hackers are cool, you just sit here looking at the screen😕".
How Merkle trees work🧐?
Seemingly complex, but they are quite easy to understand🕵️♂️!
Below you can see a simple pattern resembling a tree. The "root" of this tree is 5xd3, and everything else is called a "leaf."
Every leaf is computed with a keccak256 hash (here I use smaller
Best thing I found out that helped me get multiple mediums🕵️♂️:
I have a notebook with "1 sentence exploits" where I just describe each exploit briefly.
Every audit I read it once or twice. Every time I find something I put it inside✏️.
Don't trust your brain to remember
You know the basic ERC20 bugs, but do you know the rare ones too?
❗️ MKR name and symbol are in bytes - most developers call .name and assign it to a string.
❗️ Some ERC20s have 2 addresses (like TUSD) - be creative, this opens many doors.
❗️ C tokens (e.g., cUSDC, cUSDT) have
How Bridges Bridge:
Part 1 - Lock and Mint
Most likely you know that bridges transfer assets cross chain, but did you know how this happens🤔?
Lock and mint bridges, as the name suggests, firstly lock the original asset in a "bank" contract on the first chain and mint the
Yesterday, I was out with my friends and some girls. As always, the girls asked me what I do for work. I told them, "I hack big internet banks, before there is money in them."
The chicks didn't even know what crypto was. What should I have said? 😆
The hard easy bugs and how YOU can spot them
Let me tell you, there are some "hard" bugs that YOU miss audit after audit that are actually really easy to find.
Here are 2 easy-to-spot mathematical bugs 🤓 that were rare in my last @sherlockdefi contest.
Why are they rare?
If a smart contract can make approvals but is not able to remove them, this is a major vulnerability, even if the approved contracts are big, trusted ones. Look what happened to SushiSwap😱.
Next time you audit, look at how the contract handles approvals👀
A really good way to break bridges🕵️♂️ is to look for inconsistencies between sides. This can be:
1⃣ One side can be paused while the other not.
2⃣ One side accepts only EOA transactions while the other accepts both contracts and EOAs.
3⃣ One side has slippage protection and the other
Survivorship bias is what brings so many people into web3 and what makes them quit so fast.
We only hear about the people that made it big (rightfully so), as no one knows or cares about the ones that worked hard but didn't make it.
If you are thinking about quitting...
Improve your sleep, or lose to those who do
For as long as I can remember, I’ve had sleeping problems, and I bet many of you struggle with them too.
I’m writing this tweet to save you months, if not years, of suffering from the terrible mental state caused by lack of sleep.
Another vulnerability by the legend @IAm0x52:
64-byte Merkle tree leaves cause a storage collision with the internal nodes😱.
Merkle trees should only be used to store 32-byte leaves and no more.
This is a sure high for you, well, if you find it next time😉
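The Merkle tree explanation above and the 64-byte-leaf issue are two sides of the same construction, so here is one added Solidity example (written for this page, not code from the thread or from @IAm0x52) that builds a small tree, verifies a proof, and contrasts an unsafe leaf encoding with a double-hashed one. Contract and function names are hypothetical; the pair-hashing convention (sorted children, `keccak256` over the 64-byte concatenation) is the one OpenZeppelin's `MerkleProof` uses.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not from the original thread. Builds a four-leaf Merkle tree, verifies a
// proof, and shows why a leaf whose preimage is 64 bytes is indistinguishable from an
// internal node. Any concrete leaf values a reader plugs in are their own constructed input.
contract MerkleDemo {
    // Internal node: keccak256 over the two sorted 32-byte children, i.e. a 64-byte input.
    function hashPair(bytes32 a, bytes32 b) public pure returns (bytes32) {
        return a < b ? keccak256(abi.encodePacked(a, b)) : keccak256(abi.encodePacked(b, a));
    }

    // Root of a four-leaf tree; each input is already a 32-byte leaf digest.
    function root4(bytes32 l0, bytes32 l1, bytes32 l2, bytes32 l3) public pure returns (bytes32) {
        return hashPair(hashPair(l0, l1), hashPair(l2, l3));
    }

    // Standard proof check: hash the leaf up the path of siblings and compare with the root.
    function verify(bytes32[] memory proof, bytes32 root, bytes32 leaf) public pure returns (bool) {
        bytes32 node = leaf;
        for (uint256 i = 0; i < proof.length; i++) {
            node = hashPair(node, proof[i]);
        }
        return node == root;
    }

    // UNSAFE leaf: abi.encode(uint256, uint256) is exactly 64 bytes, the same shape as the
    // input to hashPair, so an internal node is also a valid "leaf" for some (id, amount).
    function unsafeLeaf(uint256 id, uint256 amount) public pure returns (bytes32) {
        return keccak256(abi.encode(id, amount));
    }

    // SAFE leaf: hashing the 32-byte digest again gives a 32-byte preimage, so no internal
    // node (64-byte preimage) can ever equal a leaf. This is the double-hashed leaf encoding
    // OpenZeppelin recommends: keccak256(bytes.concat(keccak256(abi.encode(...)))).
    function safeLeaf(uint256 id, uint256 amount) public pure returns (bytes32) {
        return keccak256(bytes.concat(keccak256(abi.encode(id, amount))));
    }

    // Review check: does the internal node over (a, b) equal the unsafe leaf for the word
    // pair (lo, hi)? For any two distinct words this returns true, which is the collision
    // the thread warns about; with safeLeaf the same comparison is always false.
    function internalNodeEqualsUnsafeLeaf(bytes32 a, bytes32 b) public pure returns (bool) {
        bytes32 lo = a < b ? a : b;
        bytes32 hi = a < b ? b : a;
        return hashPair(a, b) == unsafeLeaf(uint256(lo), uint256(hi));
    }
}
```

When reviewing an airdrop or allowlist contract, look at how the leaf is produced off-chain and on-chain: if the bytes fed into `keccak256` for a leaf are 64 bytes long (two words), the tree has this weakness regardless of which proof library verifies it.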
Careful with enums🕵️♂️!
If an enum variable is not set, it defaults to the first value declared in the enum😱. This is a potential vulnerability: if we read it for an entry that was never set, it will return "ACTIVE," although the entry does not exist.
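As an added illustration of the enum default (example code written for this page, not from the thread), the vulnerable layout is shown next to a hardened one that reserves the zero member for "does not exist". The contract and function names and the `orderId` key are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not from the original thread. Storage that was never written reads as the
// enum member with index 0, so whatever is declared first becomes the implicit default.

// Vulnerable layout: ACTIVE is member 0, so every order id that was never created reports
// as active.
contract OrdersVulnerable {
    enum Status { ACTIVE, FILLED, CANCELLED }
    mapping(uint256 => Status) public status;

    function isActive(uint256 orderId) external view returns (bool) {
        // Unset slot == Status.ACTIVE (index 0): a non-existent order passes this check.
        return status[orderId] == Status.ACTIVE;
    }
}

// Hardened layout: member 0 means "not set" and is rejected explicitly before any other
// state is interpreted.
contract OrdersHardened {
    enum Status { NONE, ACTIVE, FILLED, CANCELLED }
    mapping(uint256 => Status) public status;

    error OrderDoesNotExist(uint256 orderId);
    error OrderAlreadyExists(uint256 orderId);

    function create(uint256 orderId) external {
        if (status[orderId] != Status.NONE) revert OrderAlreadyExists(orderId);
        status[orderId] = Status.ACTIVE;
    }

    function isActive(uint256 orderId) external view returns (bool) {
        Status s = status[orderId];
        if (s == Status.NONE) revert OrderDoesNotExist(orderId);
        return s == Status.ACTIVE;
    }
}
```

The same default applies to structs containing an enum and to enums stored in arrays, so during an audit it is worth listing every enum whose first member carries a "permissive" meaning (active, approved, open) and checking whether any read path can hit an entry that was never initialized.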
If the protocol you are auditing🕵️♂️ is interacting with AAVE V3, then check this:
One critical vulnerability detail that most projects miss😱 is related to different types of collateral and borrowing assets. It is an easy HIGH, especially when these types of assets are mixed together.
Sandwiching oracle updates🕵️♂️
Hard to prevent and you can report it on almost every contest that uses Chainlink.
Below you can see how that's done😉!
How Bridges Bridge 🚧🤔💭?
Most likely you know that bridges transfer assets cross-chain, but do you know how this happens? 🤔💭
Bridges generally 🔒 lock the original asset in a "bank" 🏦 contract on the first chain and mint the asset (more precisely, a copy of it) on the
What to check for when working with ERC20s🕵️?
1. Fee on transfer / rebase
2. Callbacks
3. Returning false
4. Revert on address(0) / amount of 0
5. No return values
8. Blacklists
7. Subsequent non-zero approvals
8. Multiple addresses
9. Upgradeable
10. Flash mintable
11.
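The checklist above is what an auditor looks for; as an added example (written for this page, not the thread's code), here is a vault deposit written to survive several of the listed quirks at once: fee-on-transfer (1), callbacks (2), returning false or nothing (3, 5), revert on zero amount (4) and tokens that reject a non-zero approval on top of a non-zero allowance (7). It assumes OpenZeppelin Contracts v5 import paths (`SafeERC20.forceApprove` and `utils/ReentrancyGuard.sol`); contract and function names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
import {ReentrancyGuard} from "@openzeppelin/contracts/utils/ReentrancyGuard.sol";

// Added example, not from the original thread. Numbers in comments refer to the checklist
// items in the thread.
contract QuirkAwareVault is ReentrancyGuard {
    using SafeERC20 for IERC20;

    IERC20 public immutable token;
    address public immutable owner;
    mapping(address => uint256) public shares; // credited by amount actually received

    constructor(IERC20 token_) {
        token = token_;
        owner = msg.sender;
    }

    // (2) nonReentrant: tokens with transfer hooks (ERC777-style callbacks) can re-enter
    // deposit() between the balance snapshot and the credit below.
    function deposit(uint256 amount) external nonReentrant returns (uint256 received) {
        require(amount > 0, "zero amount"); // (4) some tokens revert on 0; fail early and clearly

        // (3)(5) safeTransferFrom reverts when the token returns false and tolerates tokens
        // that return no data at all.
        uint256 before = token.balanceOf(address(this));
        token.safeTransferFrom(msg.sender, address(this), amount);

        // (1) credit what arrived, not what was requested, so fee-on-transfer tokens cannot
        // mint shares the vault never received.
        received = token.balanceOf(address(this)) - before;
        require(received > 0, "nothing received");
        shares[msg.sender] += received;
    }

    // (7) forceApprove resets the allowance to zero first for tokens (e.g. USDT) that reject
    // a non-zero approval while a non-zero allowance already exists.
    function approveSpender(address spender, uint256 amount) external {
        require(msg.sender == owner, "not owner");
        token.forceApprove(spender, amount);
    }
}
```

Items 6, 8, 9 and 10 (rebase, blacklists, upgradeability, flash-mintable supply) cannot be handled by a transfer wrapper; they are design questions (who can be frozen, what the token can become after an upgrade, whether supply can be inflated inside one transaction), so they belong in the threat model rather than in the deposit path.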
How an underflow lost Velocore 6.8 million
This technical explanation is simplified and short, so even non-technical people can understand it.
📌 The System
During withdrawals, Velocore charges a fee. Withdrawals are marked as ":" and deposits as "?".
Notice how for
To those who hunt on @immunefi:
> What are some important lessons that you've learned?
> Any tips and tricks?
> Anything you want to share with people who want to start?
Let's make this tweet useful so everyone else who wants to start can learn the lessons without the pain.
> find a bug
> start PoC
> 30 min in, almost done, but it's reverting
> spend 3h trying to debug it
> no success
> take a 10 min break
> come back refreshed
> realize that for your user to withdraw, you need to put `vm.prank(user)`, or else the test contract will withdraw🤦
When you work with @GuardianAudits, you slowly realize that Owen's videos, although sounding simple, are what is needed to become an excellent auditor.
It's that simple, just stick to the basics and you will be in the top 10%.
Everyone is hyping solo findings, and they are good when competing on open platforms; however, nobody is giving credit to the guys who find 80% of the bugs.
They will be great as solo auditors or working in firms, as it's better to find 8/10 than 2/10 with one solo.
Did you know that Chainlink ETH-denominated feeds have 18 decimals (stETH/ETH, AAVE/ETH...) while USD feeds have 8 decimals (ETH/USD, DAI/USD...)?
Might be useful in an audit🕵️♂️!
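The safe way to consume feeds with different decimals is to read `decimals()` from the aggregator instead of hardcoding `1e8` or `1e18`. The contract below is an added example for this page (not code from the thread or from Chainlink); it scales any answer to 18 decimals and rejects stale rounds. The `maxAge` window is a caller-supplied assumption, not a Chainlink constant, and the import path assumes the `@chainlink/contracts` package layout that ships `AggregatorV3Interface` under `src/v0.8/interfaces`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {AggregatorV3Interface} from "@chainlink/contracts/src/v0.8/interfaces/AggregatorV3Interface.sol";

// Added example, not from the original thread. The same code handles an 8-decimal USD feed
// and an 18-decimal ETH-denominated feed because the scale factor comes from the feed itself.
contract FeedReader {
    uint8 public constant TARGET_DECIMALS = 18;

    // Scale a raw feed answer to 18 decimals. Negative or zero answers are rejected because
    // a price feed should never legitimately report them.
    function scaleTo18(int256 answer, uint8 feedDecimals) public pure returns (uint256) {
        require(answer > 0, "invalid answer");
        uint256 a = uint256(answer);
        if (feedDecimals < TARGET_DECIMALS) {
            return a * 10 ** (TARGET_DECIMALS - feedDecimals); // e.g. 8-decimal USD feed: x1e10
        }
        if (feedDecimals > TARGET_DECIMALS) {
            return a / 10 ** (feedDecimals - TARGET_DECIMALS);
        }
        return a; // 18-decimal ETH-denominated feed: unchanged
    }

    // Read the latest round, reject answers older than maxAge seconds, and normalize.
    function price18(AggregatorV3Interface feed, uint256 maxAge) external view returns (uint256) {
        (, int256 answer, , uint256 updatedAt, ) = feed.latestRoundData();
        require(updatedAt != 0 && block.timestamp - updatedAt <= maxAge, "stale price");
        return scaleTo18(answer, feed.decimals());
    }
}
```

A protocol that reads one feed at 8 decimals and another at 18 and then multiplies or divides them without normalizing is off by a factor of 1e10, which is the class of mistake this check is meant to surface during review.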
Here's a really common 🐛 bug🐛 in projects that integrate with AAVE V3:
Mixing collateral and borrowing assets together, even if these assets are from siloed borrowing or in isolation mode.
If you're doing only contests and can't find other work, whether solo or in a team for audits, there are two possibilities:
1. You are a hidden gem.
2. You need to improve.
In either case, you should participate in more competitions and connect with people who can help you grow.
2nd 🏆WIN🏆 in a ROW
If an oracle (a real one 😅) had shown me this in his 🔮, it's up for debate whether I would have believed it.
But then, there are facts👀
Stats:
🧨solo and the only HIGH
🧨4 Mediums - 2 selected for report
🧨Found 4 of the 5 newly introduced vulnerabilities
A lot of people share resources for learning on Twitter, but have they actually used them 🤔?
Or did they simply find them and decide to tweet about it 🧐?
OZ Bug That You Probably Don't Know About 😱
GovernorVotesQuorumFraction, a name so long you can barely read it, is the governor contract for the voting scheme standardized by OZ.
The bug lies in the fact that if the percentage of needed votes is lowered (e.g., from 50% to 40%), old
Did you know that UNI V3 has a feature that enables you to trade without paying a fee?🧐
You can even earn some yourself!
It's not the most convenient way, but due to the new system that UNI V3 uses, which resembles limit orders, you're able to place a trade just below the
How can you spot🕵️♂️ an infinite loop in smart contracts?
Below is a short piece of code that you can look into. Try to discover the vulnerability on your own. The headline should give you enough of a hint to make it easier.
Did you find it? If not, the solution is here.👇
Here's how to break deposit/borrow limits
PLAN 📝
1 Look at where the limit is implemented and what values it restricts.
2 Understand how it restricts them:
- Fixed max limit on deposits (e.g., 200k max deposits) 💰🚫
- Fixed max percentage of borrows on deposited
Sleep and how to be better at it!
Everything in this life is a skill, even sleep! So here are some good concepts that can improve your sleep.
(1) Go to bed and wake up at the same time every day. It takes 3-7 days for your body to adjust when you change the schedule. So go to
How to make sure you never succeed🤔?
1⃣ You are not good.
> don't review any of your work
> don't learn anything new
> don't practice
> don't take feedback
2⃣ No one knows you.
> don't post on twitter
> don't connect with other members
> don't show your work
> be rude
Only auditing won't make you better.
It's like going to work in your car every day won't make you an F1 racer.
What you need is to focus on deliberate skill improvement. Solve puzzles, review your past audits, talk to other auditors and try to see their viewpoints.
Many people recommend the ZK book by @RareSkills_io, but has anyone actually read it? 🤔
I just finished it, and it helped me gain a basic understanding of how ZK works. Would recommend it. However, note that it took me about a month while spending 1-2 hours a day on it.
Poor People's Mindset 🤦...
Yesterday, my friend was surprised to find out that I don't wake up at 11 AM, but at 6, and that I work more than just 3-4 hours a day.
They mentioned that, without a boss to dictate my schedule, if they were in my shoes, they would wake up at noon,
Auditors what do you do to improve focus?
I personally feel more focused after a hard gym session and a hard pre-workout, although more often I take it post-workout 😅
If a protocol gets hacked, is the hacker the bad guy?
> No
99% of the time, if a protocol gets hacked, it's their fault, as they made inadequate choices regarding development and security.
Is the hacker the one stealing - yes
Does this make him "bad" - yes
However, placing
Recently, I've been tracking my time and I've found out that I am not as productive as I thought I was.
I take too many breaks and have too little focused time. No matter how good an auditor you are, if you spend more time on non-work-related activities, you won't accomplish
Do you ever feel like you don't want to work right now🤔?
Recently I had the all too common feeling of "I don't wanna work now🥺".
Most of you probably have experienced it already. It's like an invincible wall preventing you from doing the work🚧. You sit and try to work, but
Why I stopped tracking time, and never will again.
When I first started auditing I liked the idea of tracking time (I used Toggl), so for about 3-4 months I tracked, measured, compared and improved on it.
Got average of 40-45 productive hours a week!
But I found something
Have you experienced burnout before 🤔?
I know a way to control it that will get you working the same day👇
Sit or lie on your bed, look at the ceiling, and let your mind wander for 2-4 hours.
Make sure you don't fall asleep, or else you would be taking a nap and not thinking.
Do flash loan attacks exist?
Because to me, it seems like there is a bug, and the attacker uses the flash loan just to extend his leverage. Correct me if I'm wrong.
2 years ago people told me to hold crypto, from there on I've been holding something called USDC.
Its value has not increased since then.
Crypto is a scam!
Front-running liquidations with the help of @cvetanovv0 🕵️♂️
PS. I have expanded a little bit on the concept😉.
Do you see anything strange with the code below?
If not, let me show you👇!
If the provided amount (that you want to repay) is greater than the actual balance of the
Passion always beats pay!
When you've worked all month with passion and receive no payment, you don't care.
However, when working solely for pay and you don't get paid, doubts start creeping in, and you begin to question yourself.
Was this the right move?
Is this really
How to Make Your Own Roadmap 🗺️
This tweet is for new security researchers, so if you are one, 🚨 make sure you read it all 🚨
Back when I was starting, there were very few resources to help me get up to speed 🐢 .
Now we have the opposite problem - there are too many
Nothing major is bothering you, however you still feel unproductive🤔?
Death by a thousand cuts
This is why most people fail. Simple distractions can cause a massive drop in your productivity. This is when:
- A family member enters your room to tell you something useless.
-
I am amazed at how fast judging is done at @cantinaxyz.
SuperForm is not over, and they have already judged some issues. With this strategy, they will be able to significantly reduce judging times.