This year I have earned ~$250k from audits so far:
- Contests: ~$185k
- Private audits: ~$60k
- Immunefi: $6k
Looking back, there were a few key insights that helped me achieve this:
1) Keep pushing when you're on a streak
2) There are no secrets. All the top auditors rely on
Here's the story of my first bug on @immunefi 🐛😱
The timeline from choosing the program to getting paid was ~7 days 🔥
- payout: $1k
- severity: Low
- program: IPOR
The full story 👇 🧵 (1/9)
Another day, another Win 🏅🏆
Had a lot of fun auditing @prtyDAO @code4rena
And got a nice payout of $18k!
Can't wait to share my findings with you once the report is out🔥
I'm incredibly proud to announce that I got promoted to Lead Auditor at Trust Security 🎉
Didn't have the time to post anything for the last few weeks since I was busy working towards the promotion 😅
Recently I found my first bug on @immunefi which earned me 1k.
Currently ranked 491st.
No new bugs have been fixed since then in the protocol...maybe I'm not so bad after all 🤣🤣
Who wants to see a writeup? 🧐
I realized there were some distinct phases in my auditing journey:
1) Month 0-1:
Learned basics, started doing contests but desperately failed
2) Month 2-3:
Good contest results coming in but still lacking a lot of Web3 specific knowledge
3) Month 4-6:
Learned specifically
People ask me for the first step in my auditing journey.
Within 3 days I devoured this book 😋
It contains all the basics of Ethereum, provides accurate information and lays the groundwork for diving deeper.
I'm proud to announce that I am now working with Trust Security 🔥
Thanks @trust__90 for reaching out to me.
Happy to put my skills to work, providing exceptional audits for our clients 🤝
Auditing income: imagination vs reality ⚔️
The reality is that most barely earn anything when they start.
BUT: Once you reach a certain threshold, progress accelerates 🚀
This is my favorite resource on Invariant Testing.
It goes a step beyond the baby examples that you see elsewhere and leaves you in a position to set up your own Invariant Test infrastructure.
Making $100k from auditing is not as hard as it sounds if you have a plan:
> 5 Top 3 finishes: 5*$5k = $25k
> Win 2 audit contests: 2*$15k = $30k
> 1-2 Immunefi bounties: $10k
> Private audits (leverage contest wins to get clients): $20k
> Judging, Lookout, bad contest payouts,
Here's how I got paid twice for a bug I found on @immunefi and @sherlockdefi 🐛
- payout: 2 * $5000 = $10000 🤯
- program: Perennial
- severity: Medium
The full story 👇 🧵 (1/10)
I often read this advice ❌
"Work through all findings of a certain contest" or "audit the code yourself and see what you missed".
Try this instead ✅
-> Pick 1-3 top auditors you admire and only care about their findings
-> This teaches you a WINNING MINDSET instead of winning
How to earn more without finding more bugs? 🤑
Answer: Write better reports ✏️
In @code4rena the best report receives a 30% bonus but I still don't see many people optimizing for it.
🧵👇(1/2)
I'm proud to be a part of the first ever @code4rena Blue Team for the Dinero Pirex-ETH protocol.
This new format provides the quality of C4 audit contests for bug bounties to ensure the sustained security of live contracts.
Instead of asking: "What do I need to learn to become an auditor", ask yourself the following question:
"Based on the bugs that were found in this audit, what do I need to know and do in order to uncover the same or similar bugs?"
You don't need to understand Solidity and Web3
Talented auditors are still in short supply.
The fastest way to make money for a technical person is not to grow a following or "personal brand" but to compete in audit contests / bounties.
Once you've got the auditing skills, there are endless possibilities, including growing
Three mistakes to avoid to become an auditor:
1) Getting stuck in learning 📚
2) Not setting up a quick feedback loop 🔁
3) Not connecting with fellow auditors 🧑‍🤝‍🧑
What are some other mistakes?🤔
Why is everyone posting their progress today 😂
Here's mine for April:
- 2 code4rena Versus contests
- first bug on Immunefi
- 1 private audit
- started Twitter 🔥
Here's a finding that really shocked me and showed me I need to think outside the box 🤯
I was trying to find minor inconsistencies in calculations while all along the whole system could be taken over by a single transaction 😅
I keep my auditing notes in multiple places:
> Notion (high level overview of the audit progress)
> Notes within the codebase (my main place for notes)
> Paper (see below. helps me think through ideas)
> Notes app on my phone (whenever I get a random idea I put it there to
Tools I use for auditing:
- VSCode (+ audit plugins)
- Hardhat / Foundry
- Notion / Notes App for things to remember
- Custom shortcuts for "audit-info", "audit-issue"
- 🧠 🧠 🧠
Am I missing something? 🤔
My biggest realization this year is that auditing is a self-fulfilling prophecy:
You think there aren't any severe issues
-> You find only Low / QA
You think there are severe issues
-> You drain 100% of the pool
A beginner auditor asked me yesterday how long it will take until he can start winning contests...
It took me 4 months to win the first audit contest which was in February this year.
However I didn't have the goal of winning a contest.
My goal was to make some money on the side
Here are some tips to choose the best audit contest:
Goal: optimizing for $$$:
-> longer contests > shorter contests
-> stay away from the obvious (big protocol name, biggest pot, first to start)
-> the least obvious can become the most obvious if many people think like you
->
When I started auditing I was concerned that I was too late to the game.
Looking back, this feels stupid.
You could probably wait for another year and still be early.
Having audited some of the base layer protocols must feel like a cheat code in a few years.
How to generate ideas during an audit and find bugs 🐛
1) Look up similar protocols and see what bugs plagued them
2) Go for a walk, think and take notes when you have an idea
3) Think about the protocol when you are about to fall asleep
More about the tips 👇 🧵(1/4)
Is all this talk that 18 year olds can make $50k on Immunefi just a psyop? 🧐
I remember last year the talk was just the opposite. People were complaining about bug bounties. In the last few months it has completely reversed.
And if it's so damn easy to make money there, how
Just received this message from @0xEV_om
One of my posts motivated him to keep grinding and win the Olas contest on @code4rena 🔥
He earned $29k from it. Truly impressive 🙏
Unpopular opinion:
The Blast contest won't be the best opportunity since everyone is hyped up from the zkSync contest and wants to be the one making $500k.
The real alpha is the HydraDX contest on @code4rena.
Auditing is the only job where you have to be ashamed if you're only making $100k a year.
The reality is: Barely anyone earns $100k a year in most countries.
On Jan 10th, there will be 8 audit contests in parallel.
And the bull run hasn't even started yet.
> My prediction for 2024:
There will be at least 1 day with 20 audit contests in parallel.
My auditing schedule ⏰
~ 9 am: wake up
9 - 11 am: finish easy tasks (email, discord messages) and start focused work
11 am - 1 pm: workout
1 - 5 pm: focused work
I thought auditing would save me from a 9-5 job😅
Recently I found a bug that was undiscovered over the course of multiple audits.
I simply went one step further than the other auditors, checking the code that they assumed was secure by default.
Ask more questions and you'll get more answers 💡
I have changed my mind on team audits in the last 2 months.
Going forward, I want to do more of them. Also because it keeps me more excited for auditing.
Anyone here interested in auditing with me at some point in the next 1-2 months?
Please only DM if the experience gap isn't
The truth is I have never completed the Solidity course 🙃
I got to Lesson 7 but then jumped into contests because I was too excited.
If you do the course now, don't do the Python & Brownie one.
Do the Foundry one instead:
1 year ago I used to say people are lying when they claimed they make $20k a month.
This is the wrong mindset.
If you think it's not possible you will never reach it.
If you realize it's possible you can make $20k your new baseline.
My goals for the remainder of 2023 🎯
1) Do private audits
2) Win competitive audits
3) Share progress on Twitter & connect with others
I'm intentionally not attaching any exact numbers.
Will end up completely different anyway 😅
What are your goals? ✏️
1 year ago from today I started the @reserveprotocol audit contest.
This turned out to be my first audit contest win and it got my auditing career started.
It gave me the confidence needed to achieve 6 more wins and a lot of opportunities opened up as a result of it.
This is easily my favorite video about the EVM.
It helps with understanding the big picture and gives some guidance on tackling the Geth implementation as well.
Twitter is full of secret auditing knowledge? - Wrong
Only 26% of the Top 10 Auditors on @code4rena and @sherlockdefi are active on Twitter (i.e. post regularly) 🧐
👇🧵(1/3)
This is what got me started on my Security journey.
It's literally the best course I've ever done.
You start building simple circuits from NAND gates and continue through multiple layers of abstraction until you end up with a game of Tetris.
It helped me build the fundamentals
I'm excited to announce that @code4rena has invited me to their Twitter space with @reserveprotocol on Wednesday 11am PDT 🎤
We're going to discuss Reserve's contest, and I'm going to share my experience finding 1 High and 6 Mediums making $26k along the way.
Today I had my first university exam in months.
I had to memorize the most basic formulas for data mining algorithms (k-Means, k-NN, linear regression, ...).
That's exactly what's wrong with traditional education.
You learn to apply known solutions to the most basic examples.
In 2024 one of my goals is to find at least one High in Immunefi.
I only spent like 5-6 days on Immunefi total this year and made $6k. Considering this, it wasn't too hard to find bugs.
I really want to know how long it takes me to get a High or Critical.
How I started winning audit contests:
-> Audited 24/7 for 3 months
How I keep winning audit contests:
-> take breaks
-> do things besides auditing
I was quite burnt out in July. Taking it slower has allowed me to still be in the game ✌️
I wish someone had told me that going from $0 -> $1000 is just as hard as going from $10,000 -> $20,000.
All the months grinding my way to $1000 would have been much easier.
The best auditors in audit contests earn roughly
$1k - $3k per day
This is based on historic C4 and Sherlock data and assuming that they work on all contest days which they probably don't.
On the other hand they may not get a top placing in every competition.
So I think the
Highly recommended read 👇
When I committed to following these principles, I was finally able to get out of the learning trap and make meaningful progress.
That was ~3 years ago. Looking back I can say it has significantly impacted my thinking.
@bytes032
* difficult contests pay better
* longer contests pay better
* higher SLOC/day pays better
* don't jump into the first contest when there's been a period of few contests (FOMO)
Audit contests are the best way to level-up as an auditor.
When you're surrounded by unique findings every single day then you'd have to try very hard not to become a better auditor.
Look at all the people on @code4rena, @sherlockdefi and @CodeHawks that have started their
Ready to climb the @code4rena leaderboard? 🪜🏆
The steps:
1) managing resources pre-contest
2) managing resources in the contest
3) mindset
Let's dive in 👇🧵(1/8)
Here's my repository for the DODO Margin Trading contest where I placed 1st.
I know it's just a small contest, but I will probably publish more repositories in the future.
Alpha for auditing a hardened codebase 🛡️🧠
Analyze the test cases and identify:
1) devs' assumptions
2) untested scenarios
Don't assume tested scenarios are secure, but they're more secure than untested ones 🧐
It's insane how many bugs you can find if you have a team where everyone understands the code deeply and you're just throwing around ideas how you could break things.
You end up with more leads than you can even follow up on and a lot of them will lead to bugs.
One of the reasons why many people don't see consistent results from audit contests is that they can't put all their effort and focus into it.
They may have a life going on outside of auditing and need to take care of their family.
You can't compete with someone that can spend
Honest breakdown of what I've earned from building a presence on X:
-> 2 solo audit clients: ~$25k
-> Consulting: a couple hundred $
I think there will be more benefits in the future but for now I'm not even sure this has covered the opportunity cost.
I sometimes wonder how many auditors are actually living the auditor lifestyle of working at the beach, travelling around the world and how many are just sitting at their desk all day like me😅
I improved my auditing skills a lot by writing high quality reports. And I had multiple benefits from this👇
1) learning much faster by challenging myself and not going down the easy path
2) getting recognized as a serious auditor
3) higher payout for selected report
4) being
I was just asked what a talented and hard-working beginner auditor can expect to earn from auditing.
I gave him a roadmap as response 🗺️
1. $1k a month. This probably means you understand the basics and can find some good bugs. Attainable in 0-2 months.
2. $1k -$10k a month.
In 2023 I have done 20 audits so far:
- 13 contests
- 7 solo audits
This results in ~14 days per audit or only 2 audits per month.
Quality findings > audit quantity
A lot of insight and growth comes from participating in audit contests and seeing what's NOT an issue.
For example:
> It's not possible to manipulate rewards
> This piece of assembly was correct
> There was no reentrancy
Arguably, I have learnt much more from the bugs I have
Improve your auditing skills every day:
→ set up a feedback loop
→ do more of what works
→ do less of what doesn't work
→ challenge yourself each day
The feedback loop can be learning from the findings that you missed but it also includes improving your own findings:
→ are
There's one big realization I take away from my current team audit.
I have underestimated the power of seeing what I've missed in almost real time.
In a contest you only see what you've missed at the end of the contest.
In a team audit you see it much sooner and there's a much
The kind of understanding that you need to have in order to audit a codebase is not the same that you need to have to use it or take part in developing it.
There is some overlap but it's less overlap than you might think.
Especially in contests and bug bounties you only need to
I'm starting a big new audit today.
The first few days are the hardest. When you can push through them, it gets easier.
At least until you need to write the report 😅
Here's what I would do differently if I started auditing today:
1) look immediately for high value H/M bugs
2) build a presence & document my journey earlier
3) connect with other auditors more
Nowadays there's a much higher barrier to get into auditing. The easy bugs from back
When I started auditing on @code4rena, one of the common pieces of advice you would get was "Read ALL past reports".
This has become impossible by now.
There's now an unlimited number of findings to learn from.
@SoloditOfficial alone has indexed over 8000 findings.
The
You can earn $1k or you can earn $10k with the same effort.
It all depends on the right choice of the contest.
Most of the money is made before you start auditing.
@PatrickAlphaC
Seems like half of my DMs will soon look like this:
1. Do Patrick's Solidity development course
2. Do Patrick's Smart Contract Auditing course
A big part of becoming a successful auditor is to build upon previous successes.
In a sense it is a self-fulfilling prophecy.
When you know from previous experience that THERE ARE BUGS and that YOU CAN FIND THEM, it becomes a lot easier.
Yes, you're still early if you start auditing today.
But at the same time it's probably a good time to have some FOMO if you want to fully catch the next bull run 🧐