Always exciting to audit NFT protocols, kudos to @pow_vt for the quick response time
@Arcade_xyz is now hosting a competition with a $60k pot up for grabs, gl sers🤸
(hint: a few notable refactorings were done during the mitigation round, worth a shot to focus there 👀)
It has become customary to get an audit from Renascence before holding a contest.
Collaborating with the @Arcade_xyz team has been a truly enjoyable experience.
Be sure to read the report here: 👇
A year ago I discovered competitive audits ...
‣ Didn't know Solidity
‣ Didn't know what a vulnerability is
‣ Thought hacking is for wizards
I only knew that @code4rena was permissionless, no bs interviews, pure skill. That was enough to get me interested.
A year later,
First place in the Maia Dao omnichain contest 🏆🎉
This is my second win for the year so pretty stoked about it 😁
Congrats to everyone and thanks @code4rena for the opportunity 🍾
3 firm Audits, Sherlock Audit, Critical bb report from an elite white hat, live on Immunefi and still …
Really devastating news, I hope a solution is reached, it seems the Kyber team did everything they can to protect their users, so unfortunate 😕😕
Trying to wrap your head around the ENS contest @code4rena?
I'll try to give you a quick visual idea of the Multi Delegate contract's purpose.
Let's explore 🧵👇
Unique Critical issue worth thousands of $$
What can you learn from the report
‣ Identifying separate small inconsistencies
‣ Chaining together the found weak points
‣ Constructing a critical severity attack vector
Submitted by me & @deadrosesxyz
I have this theory that @PatrickAlphaC & @ProgrammerSmart are the same person
Both have:
‣ Frog as a profile picture
‣ Excellent Solidity tutorials
If you are a beginner eager to learn Solidity and dive into blockchain development / auditing that's all you need to start👇
Almost 1k lines in writing all sorts of experiments and PoCs in Chainlink Staking v0.2 contest 😤
By far my favorite way to understand complex code - read - write a short scenario - examine state - repeat🤯
Add @deadrosesxyz on a killing spree and the audit just can’t go wrong
A skill in auditing that isn't much talked about is Decision Making. Selecting which parts of the code to deeply focus on is vital to utilize the allocated time to the maximum👨💻.
Some of what I prioritize:
‣ Complex functions
‣ Novel functionality
‣ 3rd Party Integrations
2/3 High issues and bunch of mediums got us 6th place in @caviarAMM audit contest, just saw the main protocol has over 1 million in TVL 😳
Thanks @code4rena for the opportunity
RESULTS ARE OUT 😇🤑
Huge 3rd place with @deadrosesxyz as part of @voyvodaxyz
We made an all-out effort for this contest and I am happy it paid off.
So much knowledge and new skills unlocked throughout the review on top of the generous reward.
As always thanks @code4rena 🤝🤝
Just finished the epic Maia Dao contest, teaming up once again with @deadrosesxyz, let’s hope for some good results 😁😁🔥
Thanks @code4rena for the opportunity
GG @MaiaDAOEco
I joined forces last weekend with @gogotheauditor and @deadrosesxyz to take down an audit contest @code4rena - tons of fun, high pressure and a great learning experience - Here are some key takeaways from hacking in a team 🧵🧵
I thought I wouldn't participate in audit contests anymore due to some other opportunities in this space, but last weekend I decided to try something new and team up with @deadrosesxyz and @__alexxander_ as team @VoyvodaSec for the @caviarAMM contest at @code4rena 👀
I think we
Starting to wrap up the Maia audit @code4rena
This time it was a lot tougher to find vulnerabilities but I think I managed to squeeze out a few interesting findings
Good luck to everyone participating 🍀
Should auditors include coded POCs in their reviews / competition submissions?
I see how for top-tier researchers this might be unnecessary time spent, however, I think for the majority of auditors there is high ROI in writing one.
Here are 3 reasons to include a coded POC 🧵👇
Excellent resource by @LayerZero_Labs & @SpearbitDAO about Cross-Chain Security
Mainly
‣ The need for node software diversity
‣ How to mitigate inherent risks with service contracts upgrades
‣ Pre-Crime & how it can prevent getting hacked
Thread🧵👇
In-between audits, I've decided to explore the Curta CTF challenges. They are a great opportunity to improve at low-level Solidity (not only) & overall EVM understanding. Nevertheless, the puzzles are engaging and fun to try and solve.
Curta CTF Puzzle #2
A Write-Up 🧵
The participants in the audit included at least 5 of the most skilled auditors out there, 20+ high issues and 30+ mediums with judging standard that is by no means superficial, the other audits by Spearbit and Sherlock bring the total amount of H/M findings to 200+
An attack which happened yesterday to a codebase that was audited in Code4Rena
Btw we have a very similar attack vector exercise in the smart contract hacking course 🤫
In audit contests the codebase can be too vast to cover it fully in the allotted time
Consider focusing on some of the following aspects to optimize your time⚡️
‣ Long and complex functions
‣ Gas calculations & accountancy
‣ Forked code that can be diffed to see new changes
A good amount of audit contests are commencing this week… My general advice would be
‣ Pick a project that seems interesting
‣ Don't multitask, explore the codebase thoroughly & stick to it till the end
‣ Leave some extra time to polish vulnerability reports
‣ Have fun ✌️
November will be swarmed with opportunities in the web3 security space.
It's always a decent plan to pick 1-2 contests and focus deeply on them but can't deny it's also alluring to go all out and play for more than that.
What's your game plan for the upcoming month, anon ?
I often don't find much ROI in using a tool to visualize components / user flows in simpler projects
However, there are cases where visualization really helps, especially when a user flow can branch out into multiple possible execution paths
Example from a recent contest 👀
Had to deploy a system locally from scratch to write some forge tests, this can be quite insightful about the architecture and details of a smart contract protocol.
Try and look upon roadblocks as learning opportunities😁
Plans for August are to compete in
@goodentrylabs audit 01.08 - 07.08
@chainlink audit 11.08 - 28.08
both audits hosted by @code4rena + finish some side studies around uniswapV3
Let’s go 😁😁
Just wrote my first programme in Rust and wow it seems like such a cool language.
(Not in connection with the Zk audit)
(A cool post inbound tomorrow… ✌️)
ERC20 Votes is an extension of ERC20 that allows users to utilize their tokens as voting power. The main restriction, however, is that you must delegate your full voting power to only 1 address.
ENS Multi Delegate contract solves that by using ERC1155 & Proxy contracts.
The past 4 weeks I didn’t have a proper day off - was in almost constant auditing / learning 😤
I got the whole Sunday off and really feel recharged and ready to go again👾
Time to finish @gitcoin allo v2 contest on @sherlockdefi and see what’s next🔥🔥
Multi Delegate creates Proxy contracts that receive the user's tokens and delegate them to the target addresses. In return, the user receives ERC1155 tokens that track his ownership of the ERC20 Vote Tokens inside the Proxy. Further token managing is done through multiDelegate().
We're excited to release our seminar with @agfviggiano on:
Complex Fuzzing Techniques with a practical case study example on the eBTC protocol.
Dive into some deep fuzzing alpha (link below)👇
High-five to @code4rena for providing immense value. I believe no private auditor would be able to unveil that many findings. As for the protocol itself - no audit would fix profound design flaws, they should have reimplemented from scratch.
I still think Ethernaut is a great resource if you’re just starting out and need some hands on around security concepts / vulnerabilities, I solved it when I was starting out and defo was a boost. For foundry solutions 👇👇
And this is going to be the repo with all the challenges and solutions:
Make sure to add it to your bookmarks, clone it, and leave a star so you're ready once the tutorials are out! 😉
After several successful audit contests, I want to share some of the findings 🎉 What's your preference - detailed write ups (Github reports/articles) or engaging video content (YouTube videos)? Vote and comment below! 😁🙏
A day off from auditing… I’m compiling some reports from past audits - it’s a cumbersome task but at the same time you see how many vulnerabilities you’ve found and how much you have improved 🙌
Keep pushing 🔥
Time to start the second round of @MaiaDAOEco audit contest hosted by @code4rena 👀
Last time results were pretty good but this time I feel the competition will be insane, let’s see how it goes 😁😁
Also can’t wait to dive into Layer Zero, very much enjoy learning new protocols
Once again doing an audit in a team with @__alexxander_
I just remembered how nice auditing with a friend is. Especially considering how our skillsets combine so perfectly.
I have extremely high expectations for this one 👀
@GalloDaSballo Generate higher level diagrams of the contracts, each diagram with name of contract + what inherits, state/immut/const vars, list of external / public functions. Function call chains + internal functions though get complicated fast but the above is enough for a general grasp.
Recently finished the ToB Fuzzing workshop. The best episode imo is the one on AMMs and probably enough to get you started + it contains some tips on setting up external testing with Echidna
Do you prefer Echidna or Foundry for property tests & what’s your favorite feature 🤔
2) High pressure. Knowing that your teammates are putting in hard graft means you have to perform at the top of your abilities as well. Even though you are a team there is a healthy amount of natural competitiveness that ultimately drives the whole team to be better.
@gogotheauditor It's also black and white classifying if an issue is high, but mediums fall on a much larger spectrum - some mediums are borderline highs others are borderline QAs yet the same points, splitting the medium category in 2 (according to impact) could be a solution but introduces
@KrisApost1
‣ Finds bug (hype)
‣ Writes PoC & passes (more hype)
‣ Protocol is Rekt (even more hype)
‣ Few minutes go by …
‣ Protocol is Rekt (void, stares at screen / wall, realizes this could have been prod, questions the meaning of life & universe)
Going through a known codebase where the developers have made a great effort to mitigate the vulnerabilities you’ve disclosed is very satisfying
That’s when you really feel like you’ve contributed & created meaningful value
@milotruck I was thinking the same a few days ago. You need to have an insane edge to do multiple audits in few days i.e be one of the top 0.1% auditors, incredible speed, know some obscure solidity technicality or some other integration details that can land you unique findings.
Their understanding put against yours either confirms what you believe is true and increases confidence or in the case of disagreement - a meaningful discussion can arise that takes all of you in a deeper dive in the issue at hand.
My life cycle 🔄
- Finish audit: confidence soars, feeling invincible
- Start new audit: grappling with complexity, questioning life choices 😅
- Humbling phase: struggle is part of the game
- Bug found: I'm back!
- Repeat: Cycle continues, knowledge compounds
3) It’s great fun. Chatting with like-minded people, having a laugh and the occasional inspirational talk on how you are going to come out victorious with 1st place 😤🏆Definitely recommend.
@GiuseppeDeLaZa @code4rena I think you might be reading only the comment. If you open the QA report where the dup is from I believe there is sufficient proof.
So many people decided they wanted to become ZK security researchers yesterday, just by learning the basics in 1 week and entering a contest next month.
My opinion is that unless you have longer term plans to do ZK stuff, you should focus on what you're already trying to succeed
@sockdrawermoney I almost fit description #1 - dog name is Ares, after the Greek god of war (mostly in combat with stray cats that dare to jump in the backyard) only thing is I'm short of 23 million but am sure c4 will take care of that 😂😂
@PaladinCharles It's true complexity is increasing, but there is still NO entry barrier in terms of doing real work on real protocols asap, in traditional sd you have to spend months in tutorial hell, interviews, eventually to get hired and meet prod code, in auditing you just hop on a contest 😇
@14si20 @0xT1MOH My first Chainlink contest (CCIP) I didn’t find anything but I left the audit feeling much improved, it felt that after such a good cb whatever I audit next will have so many issues. I’ve done audits where there were so many issues that it felt depressing the project is doomed
1) Full and correct comprehension of the codebase is achieved much faster - throughout the process of creating issues you are constantly able to see how a different person rationalizes about different mechanics/relationships of the system components (…)
1) A coded POC is the most supreme evidence you can provide that a certain vulnerability exists, especially for findings that are not straightforward and trace among multiple functions / contracts. Moreover, it's a great way to filter out false positives & boosts report quality.
@MidvelCorp Here is also @merkle_bonsai way of doing things - absolutely tearing through the contracts + also a good point that following dev's thoughts too closely can introduce bias
Ultimately everyone adopts a different approach & should adapt to the project.
@0xTendency Maybe 1-2 weeks. Submitted it during the short period where C4 had a change in duplicates formula. Ended up valid but with 30 dupes, didn’t receive award 🥲🥲
Solidity and debugging got the best of me today. Spent 6-7 hours solving one of the Ethernaut challenges and couldn’t quite reach a final solution. Battle resumes tomorrow 😴🫡
@merkle_bonsai @shealtielanz I recently found that being meticulous about the coded PoC and report writing improves your context understanding, I want to try drafting reports a bit earlier during audit comps, by far when I finish with report writing at the end I have even more ideas to test out but no time
@ShieldifySec @jeffsecurity Decision making. We usually have X amount of time for an audit, identifying which parts of the code are critical and with what tools to verify their correctness is paramount to be as effective as possible 😯 What do you think?
The rules are fairly simple - the `generate(…)` function generates a unique starting position from a seed & you have to make the `verify(…)` function return true by supplying a valid solution.
The following challenge is all about CREATE2 in Solidity.
The `verify(...)` function accepts the unique `_start` & the `_solution`. It left shifts the constant 0xF1A9 by 16 bits therefore producing a 32 bit number that is then exclusive “OR”d with `start`. This result is stored in `prefix` & the winning conditions are checked.
@hake_stake Depends really how dense the complexity is sometimes I go over the same 50-100 sloc multiple times, sometimes I blast through way more than that 😅
Dabbling with OpenZeppelin’s Ethernaut challenge - currently completed 1/3 of it and finding it very insightful. Let’s see how long it will take to finish all levels 👀 @OpenZeppelin
After that, all that was left to do was deploy the Solution contract with the now known salt and call `verify(...)` with the start position and the address of the newly CREATE2 deployed contract.
Puzzle Solved 🔥
@0xT1MOH @MaiaDAOEco @code4rena Not necessarily low, but it was a vast & fresh codebase with much opportunity to find unique vulns. The code now looks a lot cleaner & with the reduced scope it should be harder, but who doesn't like new challenges 👀👀
Although I didn’t participate in the contest, still listened to the talk - very interesting info about the protocol development timeline and decisions, also great insight into what goes behind the curtains of judging and sorting submissions
I decided to implement a miner to brute force the target address in Rust (no prior experience lol😅). After 2-3 hours a multi-thread miner was done and… it was painfully slow (would take a day to finish).