22500 USDC. My second highest payout (the first one is on @immunefi)
Reward payout 1 / 3 in USDC, 2 / 3 in OP token. @sherlockdefi @optimismFND
Starting today, let me use Twitter to trace and record my bug-bounty-hunting journey.
I recently got promoted to senior watson under my handle ctf_sec at @sherlockdefi. The 10K per week payout sounds alluring, but it is not quick money. This thread is about the role of senior watson.
Doing a smart contract audit and don't know where to start reading the code after reading the docs? I find a feature of this VSCode extension very useful!
Back in mid-April, I submitted a bug report on Immunefi. The project was unresponsive; after 4 months, the project confirmed the report and just paid me 15K. I don't think this could have happened without the help from @immunefi and @0xMackenzieM!!!!!! They helped follow up! ❤
Making this repo for collecting a list of independently hosted web3 bug bounties. For example, Stargate is independently hosting a bug bounty of up to 15M and Frax is independently hosting a bug bounty of up to 10M. Feel free to make a pull request and expand the list!
Thanks @trust__90 for the offer! I am glad to have the opportunity to team up with the best top-tier auditor in this space. Also, by reading the portfolio, I noticed c3phas's skill set is special. I would love to @ him but I cannot find his Twitter.
My thoughts on #Code4Rena after diving in: Inspired by @andyfeili's video & @PwningEth's incredible $8M earnings in 6 months through bug hunting, I decided to become a blockchain security researcher. Here's what I discovered about the evolving landscape of this competitive space.
First year stats:
Made ~$680k
Audited 115 codebases
Found ~140 high risk vulnerabilities and ~250 medium
Spent ~1300 hours reviewing code
Created 267 files in remix
Drank ~90 gallons of pre-workout (my caffeinated beverage of choice)
There are currently 17 senior watsons in Sherlock. To earn a 20K-per-week audit in the 25th percentile, you need to be better than IIIIII, watchpug, thec00n and xiaoming90 🥲🫡😲🫠
For the contests that are not listed and that I participated in, I got my ass kicked, but I consistently learn from failure and apply my learning to new audits. I really enjoy that!
@code4rena
@sherlockdefi
@immunefi
1/ I wanted to take a moment to share some exciting updates on my recent journey. It's been an incredible experience for me as I started my own company and embarked on the path of building a business. I'm humbled by the opportunities that have come my way. #Entrepreneur
Sherlock recently hid the preliminary reward and instead displays the number of valid issues. In the beginning, it looks confusing, but after thinking about it, it is a great move to not fuel the anxiety of seeing drastic payment changes after escalation.
1/ 🚨 PSA: Are you a protocol developer in need of comprehensive QA testing? Look no further than @code4rena's QA testing service! I recently tried it out and was blown away by the results. 2000 USD hourly rate with 8500 USD total rewards 💯
🚨 Attention all crypto enthusiasts! 🚨
Have you heard of the Sherlock Judging Contest? This is a great way to earn while learning and improving your auditing skills. Let me tell you more about it! @sherlockdefi
The recent adoption of AI by ChatGPT has quite unsettled my heart regarding blockchain security. If AI can audit smart contracts, does this eliminate the need for security auditors? This thread introduces the C4 AI bot race to embrace the technology!
Looking forward to the zkSync contest. Solely web3 auditing is too hard these days, so I am trying to change my approach and accumulate more knowledge: web2 + web3 security :) We will see.
Let’s take a look at the 90-day C4 leaderboard. A huge shoutout to all the Wardens who continue to help secure the web3 ecosystem 🫡
Top 5:
🥇 @milotruck - $89,689.53
🥈 @xuwinniexu - $54,458.81
🥉 @Xc1008Cui - $42,912.08
🏅 @0ximmeas - $38,106.34
🏅 @iamdirky - $34,844.52
🥇IllIllI just made $121547.02‼️
Congrats to:
🥈float-audits - $13831.38
🥉stopthecap - $12341.18
and everyone in the @GMX_IO audit.
IllIllI made $60000.00 fixed pay + $61547.02 from the contest pot!
$225000.00 rewards ➡️ $3.1M+ paid out in rewards.
Draining $32M in 5 Minutes.
On October 3rd, 2022, we discovered and reported a critical bug in @perpprotocol that could have drained $32M, the entire deposited USDC in the pool.
The critical bug was discovered in the "AccountBalance" contract, which serves as the protocol's
Just to take notes for myself, will raise a PR later. There are other independent bug bounty programs: Aptos, PoolTogether, Ethereum Foundation, Convex Finance... anyone is welcome to help expand the list!
Impressive stats. Doing an audit contest in @code4rena and @sherlockdefi requires the auditor to be creative, finding unique high-severity bugs to get a good payout, while doing a private audit requires the auditor to find "all bugs". Both secure the codebase in different manners.
Personal smart contract auditing stats for March:
- 3 private audits
- 9 Critical, 4 High, 9 Medium severity issues found
- 54 hours of focused work
- $46500 earned in total
Doing security-related stuff outside of solo audits, updating you soon 🫡
@immunefi I am sharing the 5 recent Immunefi projects which paid and acted in good faith for my submissions.
If others can also share, we can have a list of many good-faith projects.
1. Radiant
2. Push Protocol
3. Stader for BNB
4. Oasys
5. Eco
@Blast_L2 audit contest just ended. Thanks @cantinaxyz for hosting such a great competition. Blast adds a native yield feature on top of the OP stack. Currently the ETH yield comes from Lido stETH and the USD yield comes from MakerDAO. The gas yield comes from users' gas spent in contracts.
Web3 security is very new. Code4rena is about 2 years old while Sherlock's audit platform is barely 1 year old. This basically means that starting one year earlier is like leading the industry by 10 years. If we start auditing now, we are 10 years ahead of others!
@trust__90 I never paid attention to this. Someone can be consistently ranking at the top in gas optimization. Consistently ranking at the top in anything is a skill and not easy. A lot of respect, because gas optimization does require a deep understanding of the protocol and even low-level EVM code.
This project hosted an audit competition with @sherlockdefi but then terminated the competition and launched in a rush without reviewing / mitigating the bug submissions.
⚠️ Seneca exploited ⚠️
@SenecaUSD was exploited earlier today, with approved user funds at risk. Millions were stolen from users of the protocol.
If you've used Seneca in the past, we recommend checking if you're at risk using our Exploit Checker 👇
🚨🔒👀 Stay ahead of the game in the world of cryptocurrencies with ! This platform is a crypto exploit aggregator that collects and shares information about the latest security breaches and risks in the blockchain industry 🛡️💰💻
Prospective bounty hunters, you're gonna have to get used to getting no return on work that deserves it.
I say this as if it doesn't hurt. It does.
This year I successfully landed one bounty out of many attempts.
That said, the ROI is worth it. Stay the path.
This thread is valuable. I love the charge-per-vulnerability-found model. That sounds fair to the protocol and also makes sure the auditor's findings are fairly compensated!
1/43
How I went from charging just $50 down to $50,000+ per Smart Contract audit.
The ultimate guide to "making it" as a Smart Contract auditor so you can do it too.👇 🧵
Introducing Code4rena Test Coverage: a scalable approach to ensuring comprehensive test coverage for web3 projects 🤝
Read more about implementing Test Coverage as part of your security approach here:
Visit the webpage here:
@code4rena
@sherlockdefi
@immunefi
🧵6/6 If you're considering a career in #BlockchainAuditing or #BugHunting, take the leap! The opportunities to learn, grow, and contribute to the security and innovation of the DeFi space are endless. I hope my experiences inspire you to embark on your own journey. 🌟 Good luck!
Emm, I just realized 1 unique = 5 mediums in Sherlock, while 1 high = 3.3 mediums in Code4rena / Cantina, because 1 high = 4.5K and 1 medium = 900 in this contest.
@BlockSecTeam @ParaSpace_NFT 🧵7/7 The story of BlockSec's successful whitehat rescue is a shining example of how the right tools, knowledge, and dedication can make a huge difference in the fight against cyber threats. This is a glorious tale that should inspire and encourage us all. 🌟🎉 #crypto #security
If you are doing or planning to do @immunefi, you should check out the following repo from @sayan_011, which includes write-ups from past researchers. Great resource!
People are saying all kinds of terrible things while being uninformed, so allow me to share more details.
I initiated coordination privately with Immunefi officials 3 hours before the white-hack. 90 minutes later, I realized the asset is currently used by the frontend and
🥇ctf_sec just made $10,198.67‼️
Congrats to:
🥈 @berndartmueller - $2,421.17
🥉 @bin2chen - $1,940.46
and everyone in the @Bond_Protocol audit.
ctf_sec made $6,000.00 fixed pay + $4,198.67 from the contest pot!
$23,600.00 rewards ➡️ $4.8M+ paid out in rewards.
@merkle_bonsai 31. But most of them are low / informational, haha. I am not sure I got a high, but I wish someone could bump the reward pot to 1.2 million using a high severity finding, and then the people that found mediums could get a large share as well!!!!!
🥇 @iamdirky just made $2,095.38‼️
Congrats to:
🥈ctf_sec - $6,034.10
🥉ast3ros - $1,928.82
and everyone in the @DinariGlobal audit.
ctf_sec made $4,000.00 fixed pay + $2,034.10 from the contest pot!
$16,000.00 rewards ➡️ $4.6M+ paid out in rewards.
Frankly, I joined web3 security because it paid higher than web2 sec. Last year I was telling everyone to switch due to the opportunities and growth in this industry.
However, with the job market tight and competition fierce in audit contests, it is no longer the case for the