HollaDieWaldfee
@HollaWaldfee100
Followers
3,747
Following
186
Media
106
Statuses
3,232
Web3 Security @RenascenceLabs || Lead Senior Watson @sherlockdefi || Lead Auditor for 🎯 Get your code secured 🛡️ 👉🏽 DM for quotes
Joined February 2023
Don't wanna be here?
Send us removal request.
Explore trending content on Musk Viewer
#FayeBDPartyInNanning
• 99748 Tweets
Release Now
• 49533 Tweets
メジャー
• 35920 Tweets
鶴丸国永
• 25468 Tweets
#キントレ
• 22388 Tweets
#HaryanaElections
• 17585 Tweets
TANATAT STAGE BIRTHDAY
• 17570 Tweets
CWR x CeraVe Cleanser
• 17203 Tweets
オースティン
• 13486 Tweets
TREASURE AT MANDIRI KARNAVAL
• 12913 Tweets
UNLV
• 11942 Tweets
Syracuse
• 11458 Tweets
花火大会
• 10907 Tweets
BINI WITH PENSHOPPE
• 10710 Tweets
#私の生活に欠かせないもの
• 10223 Tweets
How I made >$100k in less than 6 months transitioning from Bug Bounties
@Hacker0x01
to Smart Contract Auditing
@code4rena
@sherlockdefi
@immunefi
My story 👇 🧵(1/7)
42
69
455
This year I have earned ~$250k from audits so far:
- Contests: ~$185k
- Private audits: ~$60k
- Immunefi: $6k
Looking back, there were a few key insights that helped me achieve this:
1) Keep pushing when you're on a streak
2) There are no secrets. All the top auditors rely on
38
46
438
Here's the story of my first bug on
@immunefi
🐛😱
The timeline from choosing the program to getting paid was ~7 days 🔥
- payout: $1k
- severity: Low
- program: IPOR
The full story 👇 🧵 (1/9)
21
37
245
Another day, another Win 🏅🏆
Had a lot of fun auditing
@prtyDAO
@code4rena
And got a nice payout of $18k!
Can't wait to share my findings with you once the report is out🔥
41
9
242
Solidity Math is one of the basics you need to know.
Can't recommend this resource enough to get the basics right.
First part of the 5-part series 👇
8
64
243
Here are my actual resources I used to learn auditing 😎
(This is a screenshot from my notes, I did not look into the things with the red lines)
18
38
239
I'm incredibly proud to announce that I got promoted to Lead Auditor at Trust Security 🎉
Didn't have the time to post anything for the last few weeks since I was busy working towards the promotion 😅
38
5
225
Recently I found my first bug on
@immunefi
which earned me 1k.
Currently ranked 491st.
No new bugs have been fixed since then in the protocol...maybe I'm not so bad after all 🤣🤣
Who wants to see a writeup? 🧐
27
9
165
Are any beginner auditors interested in seeing my notes for a contest that I placed 1st in? 🤔
Similar to what
@IAm0x52
did for one of his contests.
44
4
164
I realized there were some distinct phases in my auditing journey:
1) Month 0-1:
Learned basics, started doing contests but desperately failed
2) Month 2-3:
Good contest results coming in but still lacking a lot of Web3 specific knowledge
3) Month 4-6:
Learned specifically
14
18
165
People ask me for the first step in my auditing journey.
Within 3 days I devoured this book 😋
It contains all the Basics of Ethereum, provides accurate information and lays the groundwork for diving deeper.
16
20
151
I'm proud to announce that I am now working with Trust Security 🔥
Thanks
@trust__90
for reaching out to me.
Happy to put my skills to work, providing exceptional audits for our clients 🤝
26
5
150
Auditing income: imagination vs reality ⚔️
The reality is that most barely earn anything when they start.
BUT: Once you reach a certain threshold, progress accelerates 🚀
10
15
152
This is my favorite resource on Invariant Testing.
It goes a step beyond the baby examples that you see elsewhere and leaves you in a position to setup your own Invariant Test infrastructure.
3
19
151
Making $100k from auditing is not as hard as it sounds if you have a plan:
> 5 Top 3 finishes: 5*$5k = $25k
> Win 2 audit contests: 2*$15k = $30k
> 1-2 Immunefi bounties: $10k
> Private audits (leverage contest wins to get clients): $20k
> Judging, Lookout, bad contest payouts,
11
15
147
Now making it official 🌌✨
I'm the mysterious "roguereddwarf" on
@sherlockdefi
Currently ranked 7th on the Sherlock Leaderboard 🚀
21
10
149
If you start auditing today, do this:
1) Learn EVM + Solidity basics
2) Do a few audits to get a feel for how it works
3) Specialize in one area
11
21
131
This just paid $26k 🤯
I guess we'll never forget checking OZ versions now 😂
12
8
133
Here's how I got paid twice for a bug I found on
@immunefi
and
@sherlockdefi
🐛
- payout: 2 * $5000 = $10000 🤯
- program: Perennial
- severity: Medium
The full story 👇 🧵 (1/10)
11
19
131
I often read this advice ❌
"Work through all findings of a certain contest" or "audit the code yourself and see what you missed".
Try this instead ✅
-> Pick 1-3 top auditors you admire and only care about their findings
-> This teaches you a WINNING MINDSET instead of winning
12
12
133
How to earn more without finding more bugs? 🤑
Answer: Write better reports ✏️
In
@code4rena
the best report receives a 30% bonus but I still don't see many people optimizing for it.
🧵👇(1/2)
7
12
131
- I don't read many reports
- I don't follow up with news
- I haven't "learned" anything
But I find bugs nonetheless
14
5
117
Writeup of a C4 SOLO finding 🔥
- Contest: Mute
- Severity: Medium
- Categories: Math (incorrect reward calculation) 🧮
The writeup 👇🧵(1/7)
8
16
114
I'm proud to be a part of the first ever
@code4rena
Blue Team for the Dinero Pirex-ETH protocol.
This new format provides the quality of C4 audit contests for bug bounties to ensure the sustained security of live contracts.
4
3
75
Instead of asking: "What do I need to learn to become an auditor", ask yourself the following question:
"Based on the bugs that were found in this audit, what do I need to know and do in order to uncover the same or similar bugs?"
You don't need to understand Solidity and Web3
8
13
107
Talented auditors are still in short supply.
The fastest way to make money for a technical person is not to grow a following or "personal brand" but to compete in audit contests / bounties.
Once you've got the auditing skills, there are endless possibilities, including growing
5
6
105
Three mistakes to avoid to become an auditor:
1) Getting stuck in learning 📚
2) Not setting up a quick feedback loop 🔁
3) Not connecting with fellow auditors 🧑🤝🧑
What are some other mistakes?🤔
14
17
101
Why is everyone posting their progress today 😂
Here's mine for April:
- 2 code4rena Versus contests
- first bug on Immunefi
- 1 private audit
- started Twitter 🔥
10
3
97
Here's a finding that really shocked me and showed me I need to think outside the box 🤯
I was trying to find minor inconsistencies in calculations while all along the whole system could be taken over by a single transaction 😅
3
6
101
I keep my auditing notes in multiple places:
> Notion (high level overview of the audit progress)
> Notes within the codebase (my main place for notes)
> Paper (see below. helps me think through ideas)
> Notes app on my phone (whenever I get a random idea I put it there to
15
3
101
Tools I use for auditing:
- VSCode (+ audit plugins)
- Hardhat / Foundry
- Notion / Notes App for things to remember
- Custom shortcuts for "audit-info", "audit-issue"
- 🧠 🧠 🧠
Am I missing something? 🤔
19
13
101
I haven't seen a single auditor that has worked consistently for 6 months and is not on track to get 4 digit payouts regularly.
12
5
96
My biggest realization this year is that auditing is a self-fulfilling prophecy:
You think there aren't any severe issues
-> You find only Low / QA
You think there are severe issues
-> You drain 100% of the pool
6
6
98
A beginner auditor asked me yesterday how long it will take until he can start winning contests...
It took me 4 months to win the first audit contest which was in February this year.
However I didn't have the goal of winning a contest.
My goal was to make some money on the side
8
3
94
Here are some tips to choose the best audit contest:
Goal: optimizing for $$$:
-> longer contests > shorter contests
-> stay away from the obvious (big protocol name, biggest pot, first to start)
-> the least obvious can become the most obvious if many people think like you
->
4
6
91
When I started auditing I was concerned that I was too late to the game.
Looking back, this feels stupid.
You could probably wait for another year and still be early.
Having audited some of the base layer protocols must feel like a cheat code in a few years.
4
6
90
I'm better at finding Highs than at finding Mediums!? 🤔
53% Highs found vs. 34% Mediums found
What you can learn from this 👇🧵 (1/5)
7
9
93
How to generate ideas during an audit and find bugs 🐛
1) Look up similar protocols and see what bugs plagued them
2) Go for a walk, think and take notes when you have an idea
3) Think about the protocol when you are about to fall asleep
More about the tips 👇 🧵(1/4)
6
20
90
Is all this talk that 18 year olds can make $50k on Immunefi just a psyop? 🧐
I remember last year the talk was just the opposite. People were complaining about bug bounties. In the last few months it has completely reversed.
And if it's so damn easy to make money there, how
14
2
89
Just received this message from
@0xEV_om
One of my posts motivated him to keep grinding and win the Olas contest on
@code4rena
🔥
He earned $29k from it. Truly impressive 🙏
5
2
89
Unpopular opinion:
The Blast contest won't be the best opportunity since everyone is hyped up from the zkSync contest and wants to be the one making $500k.
The real alpha is the HydraDX contest on
@code4rena
.
20
4
86
Audits is the only job where you have to be ashamed if you're only making $100k a year.
The reality is: Barely anyone earns $100k a year in most countries.
8
3
86
On Jan 10th, there will be 8 audit contests in parallel.
And the bull run hasn't even started yet.
> My prediction for 2024:
There will be at least 1 day with 20 audit contests in parallel.
13
3
87
My auditing schedule ⏰
~ 9 am: wake up
9 - 11 am: finish easy tasks (email, discord messages) and start focused work
11 am - 1 pm: workout
1 - 5 pm: focused work
I thought auditing would save me from a 9-5 job😅
12
3
88
My auditing stats for August 📊
- 2 private audits
- earned ~$22k
Had quite a chill month ☀️⛱️
I'll work harder in September, I promise 🙏
15
1
86
Recently I found a bug that was undiscovered over the course of multiple audits.
I simply went one step further than the other auditors, checking the code that they assumed was secure by default.
Ask more questions and you'll get more answers 💡
6
2
86
I have changed my mind on team audits the last 2 months.
Going forward, I want to do more of them. Also because it keeps me more excited for auditing.
Anyone here interested in auditing with me at some point in the next 1-2 months?
Please only DM if the experience gap isn't
20
3
85
The truth is I have never completed the Solidity course 🙃
I got to Lesson 7 but then jumped into contests because I was too excited.
If you do the course now, don't do the Python & Brownie one.
Do the Foundry one instead:
9
2
83
Best way to earn money from competitive audits?
Play on your strengths 💪
Do what nobody else can
Skip what everyone can do
11
3
86
1 year ago I used to say people are lying when they claimed they make $20k a month.
This is the wrong mindset.
If you think it's not possible you will never reach it.
If you realize it's possible you can make $20k your new baseline.
6
6
87
My goals for the remainder of 2023 🎯
1) Do private audits
2) Win competitive audits
3) Share progress on Twitter & connect with others
I'm intentionally not attaching any exact numbers.
Will end up completely different anyway 😅
What are your goals? ✏️
20
2
84
Auditing is a very technical subject.
But the biggest challenges are non-technical and relate more to time-management, motivation and so on.
4
2
82
1 year ago from today I started the
@reserveprotocol
audit contest.
This turned out to be my first audit contest win and it got my auditing career started.
It gave me the confidence needed to achieve 6 more wins and a lot of opportunities opened up as a result of it.
8
2
85
This is easily my favorite video about the EVM.
It helps with understanding the big picture and gives some guidance on tackling the Geth implementation as well.
6
12
84
Twitter is full of secret auditing knowledge? - Wrong
Only 26% of the Top 10 Auditors on
@code4rena
and
@sherlockdefi
are active on Twitter (i.e. post regularly) 🧐
👇🧵(1/3)
16
8
84
This is what got me started on my Security journey.
It's literally the best course I've ever done.
You start building simple circuits from NAND gates and continue through multiple layers of abstraction until you end up with a game of Tetris.
It helped me build the fundamentals
2
8
80
I'm excited to announce that
@code4rena
has invited me to their Twitter space with
@reserveprotocol
on Wednesday 11am PDT 🎤
We're going to discuss Reserve's contest, and I'm going to share my experience finding 1 High and 6 Mediums making $26k along the way.
8
3
76
If you're auditing a protocol and you don't find a way to steal all funds or lock all funds forever, you're probably missing something 😅
3
1
77
Today I had my first university exam in months.
I had to memorize the most basic formulas for data mining algorithms (k-Means, k-NN, linear regression, ...).
That's exactly what's wrong with traditional education.
You learn to apply known solutions to the most basic examples.
17
4
78
In 2024 one of my goals is to find at least one High in Immunefi.
I only spent like 5-6 days on Immunefi total this year and made $6k. Considering this, it wasn't too hard to find bugs.
I really want to know how long it takes me to get a High or Critical.
5
2
81
How I started winning audit contests:
-> Audited 24/7 for 3 months
How I keep winning audit contests:
-> take breaks
-> do things besides auditing
I was quite burnt out in July. Taking it slower has allowed me to still be in the game ✌️
5
2
76
I wish someone had told me that going from $0 -> $1000 is just as hard as going from $10,000 -> $20,000.
All the months grinding my way to $1000 would have been much easier.
7
4
76
The best auditors in audit contests earn roughly
$1k - $3k per day
This is based on historic C4 and Sherlock data and assuming that they work on all contest days which they probably don't.
On the other hand they may not get a top placing in every competition.
So I think the
10
3
80
Highly recommended read 👇
When I committed to following these principles, I was finally able to get out of the learning trap and make meaningful progress.
That was ~3 years ago. Looking back I can say it has significantly impacted my thinking.
5
6
79
@bytes032
* difficult contests pay better
* longer contests pay better
* higher SLOC/day pays better
* don't jump into the first contest when there's been a period of few contests (FOMO)
4
9
79
Audit contests are the best way to level-up as an auditor.
When you're surrounded by unique findings every single day then you'd have to try very hard not to become a better auditor.
Look at all the people on
@code4rena
,
@sherlockdefi
and
@CodeHawks
that have started their
4
3
73
Can we please slow down?? 👀
Every time I check there are more contests and some aren't even listed yet 😅
12
5
76
Ready to climb the
@code4rena
leaderboard? 🪜🏆
The steps:
1) managing resources pre-contest
2) managing resources in the contest
3) mindset
Let's dive in 👇🧵(1/8)
7
14
75
Here's my repository for the DODO Margin Trading contest where I placed 1st.
I know it's just a small contest, but I will probably publish more repositories in the future.
2
6
74
Alpha for auditing a hardened codebase 🛡️️🧠
Analyze the test cases and identify:
1) devs' assumptions
2) untested scenarios
Don't assume tested scenarios are secure, but they're more secure than untested ones 🧐
4
8
71
It's insane how many bugs you can find if you have a team where everyone understands the code deeply and you're just throwing around ideas how you could break things.
You end up with more leads than you can even follow up on and a lot of them will lead to bugs.
3
3
74
One of the reasons why many people don't see consistent results from audit contests is that they can't put all their effort and focus into it.
They may have a life going on outside of auditing and need to take care of their family.
You can't compete with someone that can spend
7
5
72
I'm more motivated by finding cool bugs than by making marginally more $$$.
Chasing the money is just so mentally draining and boring.
5
4
71
Honest breakdown of what I've earned from building a presence on X:
-> 2 solo audit clients: ~$25k
-> Consulting: a couple hundred $
I think there will be more benefits in the future but for now I'm not even sure this has covered the opportunity cost.
10
0
69
I sometimes wonder how many auditors are actually living the auditor lifestyle of working at the beach, travelling around the world and how many are just sitting at their desk all day like me😅
18
2
65
Tips for finding a SOLO:
- Stop being on social media so much 😂
- Stop pattern matching old reports ⛔
Its about what not to do instead of what to do 💪
6
3
70
I improved my auditing skills a lot by writing high quality reports. And I had multiple benefits from this👇
1) learning much faster by challenging myself and not going down the easy path
2) getting recognized as a serious auditor
3) higher payout for selected report
4) being
6
6
68
That's what I enjoy about a deep-dive resource.
Walking through the codebase with examples so you can continue exploring on your own.
3
12
71
I was just asked what a talented and hard-working beginner auditor can expect to earn from auditing.
I gave him a roadmap as response 🗺️
1. $1k a month. This probably means you understand the basics and can find some good bugs. Attainable in 0-2 months.
2. $1k -$10k a month.
16
5
73
In 2023 I have done 20 audits so far:
- 13 contests
- 7 solo audits
This results in ~14 days per audit or only 2 audits per month.
Quality findings > audit quantity
7
0
69
A lot of insight and growth comes from participating in audit contests and seeing what's NOT an issue.
For example:
> It's not possible to manipulate rewards
> This piece of assembly was correct
> There was no reentrancy
Arguably, I have learnt much more from the bugs I have
5
3
68
Improve your auditing skills every day:
→ set up a feedback loop
→ do more of what works
→ do less of what doesn't work
→ challenge yourself each day
The feedback loop can be learning from the findings that you missed but it also includes improving your own findings:
→ are
1
6
70
When everyone is busy at Devconnect is the best time to go hard on audit contests.
Thank me later 😎
5
1
64
There's one big realization I take away from my current team audit.
I have underestimated the power of seeing what I've missed in almost real time.
In a contest you only see what you've missed at the end of the contest.
In a team audit you see it much sooner and there's a much
7
1
68
The solo High I found in the Aloe contest was my first solo High ever 😱
Can't believe I was Senior Watson without any solo High 😅
10
1
68
Tip for auditing 💡
Block all appointments possible during the audit.
-> Think about the audit as much as possible and get immersed in the protocol 🧠
4
4
67
The kind of understanding that you need to have in order to audit a codebase is not the same that you need to have to use it or take part in developing it.
There is some overlap but it's less overlap than you might think.
Especially in contests and bug bounties you only need to
18
1
67
I'm starting a big new audit today.
The first few days are the hardest. When you can push through them, it gets easier.
At least until you need to write the report 😅
11
0
67
Here's what I would do differently if I started auditing today:
1) look immediately for high value H/M bugs
2) build a presence & document my journey earlier
3) connt with other auditors moreec
Nowadays there's a much higher barrier to get into auditing. The easy bugs from back
6
3
66
Just finished my 30day meal prep with the pomodoro technique 😎
Ready to make $200k this month 🚀🚀🚀
10
1
65
When I started auditing on
@code4rena
, one of the common pieces of advice you would get was "Read ALL past reports".
This has become impossible by now.
There's now an unlimited number of findings to learn from.
@SoloditOfficial
alone has indexed over 8000 findings.
The
10
4
65
You can earn $1k or you can earn $10k with the same effort.
It all depends on the right choice of the contest.
Most of the money is made before you start auditing.
4
3
66
@PatrickAlphaC
Seems like half of my DMs will soon look like this:
1. Do Patrick's Solidity development course
2. Do Patrick's Smart Contract Auditing course
6
3
65
A big part of becoming a successful auditor is to build upon previous successes.
In a sense it is a self-fulfilling prophecy.
When you know from previous experience that THERE ARE BUGS and that YOU CAN FIND THEM, it becomes a lot easier.
2
1
63
Yes, you're still early if you start auditing today.
But at the same time it's probably a good time to have some FOMO if you want to fully catch the next bull run 🧐
7
1
65
Stages of an audit 🧐
1. Code doesn't make sense
2. Code looks fine, pretty good actually
3. Code doesn't make sense. The bugs are everywhere 🐛
6
8
64
The code of the upcoming audit on
@code4rena
has been audited by GPT.
This could be the hardest audit ever 😅
11
1
64