I just got 1st place in a
@code4rena
competition! 🥇
🏆 This got me to 28th place on the 90-day leaderboard
Extremely happy with the result! More is coming very soon 💯
Thank you
@THORChain
for the opportunity to secure your protocol 🫡
A month ago I quit my job as a blockchain dev to become a security researcher full time 🥷
Today I managed to get 10th place in the DittoETH contest and get my first 4-figure reward!
I would like to thank
@pashovkrum
for his great initiative of supporting the community by
Managed to secure 9th place in the
@RenzoProtocol
@code4rena
contest with 4 highs and 4 mediums!🥷
This catapulted me up the 90-day leaderboard to
#81
place! 🏆
Auditing Renzo was very pleasant and exciting for me as it was my first time exploring an
@eigenlayer
integration 🫡
Web3 security contests ALPHA 🚨
If you want to have fewer duplicates of your issues, just don't share them in the Discord channel of the competition where all wardens can see them 🤯
Follow me for more web3 security advice 😂
July 2024 - $5,000,000 in contests
If you want to:
🤑 make serious cash
🔨 build your reputation
🥷 start a career in web3 security
make sure you give your all during the following 30 days!
That's your shot, it is time to double down!
Future looks bright 🤩
Currently, I have a free time slot between contests and I would like to provide a security review to one protocol free of charge.
If you need a security service or know somebody that needs one DM.
I would be happy to give as much value as possible 🫡
Doing a competitive audit and you don't know where to start? Make sure you do these:
- Join the contest Discord channel. There you can ask questions regarding the codebase and see the questions and answers other people are discussing.
- Run Solidity Metrics in VScode on
Improve your auditing by analysing your results from contests 📊
Write down the titles and the duplicate count of the issues you found and separately do the same for the issues you missed ✍️
What does the data show you? Do you submit mainly highly duplicated findings? Or do
Worked hard on an audit...
my head was about to explode...
went on a walk for 30 min...
found 2 issues while walking and playing the code inside my head 🤓
Note to self: take breaks
Some auditors have very deep niche knowledge and outperform hundreds of auditors in contests.
Protocols could make a pretty sweet deal if they manage to secure a private engagement with them. Quality over quantity.
I don't have anyone in particular in mind 🤫
@EgisSec
👀
Mentality is everything.
How you look at things can alter your performance so much.
Coming from a place of curiosity, abundance and competing with yourself instead of with others can make your journey so much more enjoyable and efficient.
Always write down your attack ideas during an audit and go through them.
Otherwise you risk ending up like me, sitting on a bench in the park 2 days after the contest's end and remembering an issue with the codebase
🧑💻 Here is the progress I made on my web3 journey so far:
• managed to secure a position as a web3 developer ✅
• went through a ton of materials such as the book Mastering Ethereum, multiple smart contract programmer's playlists, the inner workings of the EVM, multiple
If you do contests make sure to read the Q&A section very carefully.
You can come up with some unique findings based on the info there, or improve your valid findings ratio by not submitting that many invalid issues.
If you hit a plateau in the thing you do, it might be time to change things up. Experiment with new approaches, explore new ideas and talk to more people.
You can't expect to get a different result if you do what you have always done✌️
Team audits provide a ton of value 💯 More experts looking at your code is always better than one expert
BUT
Solo auditors have their place and are a perfect fit for:
👉 protocols with little to no external funding
👉 small codebases
👉 in-house security
👉 niche expertise
Integrating
@Uniswap
swaps in smart contracts during the day at my dev job and going through the Tswap section of the
@CyfrinUpdraft
course at night 😈
This is going to be a good combo 😏
Rebasing token issues are simple and yet not reported that often in the competitive audits I participated in.
If the protocol says that they are included, it is worth checking whether they are handled correctly.
Just finished Part 1 from
@CyfrinUpdraft
!🥳
I must say that
@PatrickAlphaC
and his team do an amazing job leveling up the skills of the web3 security community!🫡
All concepts were clearly explained, up to the point, with practical tips regarding audit processes, common attacks
Looks like negotiation skills apart from the technical ones are very valuable in web3 security.
A unique high-severity vulnerability that paid 17k was first considered out of scope, only to be considered valid after numerous discussions.
Whether it is bug bounties, private
One of the smartest things you can do as a dev is to go through the parts of the
@SoloditOfficial
checklist that are relevant to you.
This will save you from many hacks (yes, really) and prevent low-hanging fruit findings.
Consistently putting highly focused hours of work is what everybody who wants to master a craft must strive for.
FOMO, dopamine spikes, bursts of outrageously focused hours followed by lack of sleep and a drop in performance and consistency, lack of confidence, focusing on others
🚨🚨🚨
Just so you guys know, some people are sending DMs looking for consultations or offering gigs for their project, but then they want you to download their application, install it on your machine, and you will be prompted to input your password to make a “system update”.
Visited Defillama's hacks section expecting novel bugs, but found protocols losing millions due to basic mistakes.
Teams are overwriting storage variables with contract upgrades or failing to batch multi-sig transactions, leading to "known compound v2 donation attacks".
Why?
In the context of EIP712 do you know:
- When to use encode vs encodePacked?
- How to handle arrays or nested structs?
- Which types are atomic / dynamic / reference and how each type must be properly handled?
Recently discovered such issues in contests so I decided to drop the
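The three questions above have precise answers in the EIP-712 spec, and the cleanest way to see them is to hash a typed message by hand. The block below is an added example, not code from the original post or from any project it mentions: a small EIP-712 encoder that applies one rule per type class (atomic values become a full 32-byte word, `bytes`/`string` become the keccak256 of their contents, arrays and nested structs become the keccak256 of their encoded elements / `hashStruct`), and it shows why `encodeData` is `abi.encode`-style fixed words and never `encodePacked`. Keccak-256 is implemented inline as an assumption for offline running (Ethereum's Keccak padding is not `hashlib.sha3_256`); the helper names (`encode_type`, `encode_value`, `hash_struct`, `eip712_digest`) are this example's own. The sample input is the "Ether Mail" example published in the EIP-712 text, so the resulting domain separator and digest can be compared against the spec's own vectors.

```python
import re

# Added example, not code from the original post. Keccak-256 is implemented inline so it
# runs offline (Ethereum uses the original Keccak padding, which hashlib.sha3_256 does not).
_RC = [0x1, 0x8082, 0x800000000000808A, 0x8000000080008000, 0x808B, 0x80000001,
       0x8000000080008081, 0x8000000000008009, 0x8A, 0x88, 0x80008009, 0x8000000A,
       0x8000808B, 0x800000000000008B, 0x8000000000008089, 0x8000000000008003,
       0x8000000000008002, 0x8000000000000080, 0x800A, 0x800000008000000A,
       0x8000000080008081, 0x8000000000008080, 0x80000001, 0x8000000080008008]
_ROT = [[0, 36, 3, 41, 18], [1, 44, 10, 45, 2], [62, 6, 43, 15, 61],
        [28, 55, 25, 21, 56], [27, 20, 39, 8, 14]]
_rol = lambda v, n: ((v << n) | (v >> (64 - n))) & ((1 << 64) - 1)

def _keccak_f(a):
    for rc in _RC:
        c = [a[x][0] ^ a[x][1] ^ a[x][2] ^ a[x][3] ^ a[x][4] for x in range(5)]
        d = [c[(x - 1) % 5] ^ _rol(c[(x + 1) % 5], 1) for x in range(5)]
        a = [[a[x][y] ^ d[x] for y in range(5)] for x in range(5)]
        b = [[0] * 5 for _ in range(5)]
        for x in range(5):
            for y in range(5):
                b[y][(2 * x + 3 * y) % 5] = _rol(a[x][y], _ROT[x][y])
        a = [[b[x][y] ^ (~b[(x + 1) % 5][y] & b[(x + 2) % 5][y]) for y in range(5)] for x in range(5)]
        a[0][0] ^= rc
    return a

def keccak256(data: bytes) -> bytes:
    q = 136 - len(data) % 136  # rate is 136 bytes; pad10*1 with Keccak's 0x01 domain byte
    padded = data + (b"\x81" if q == 1 else b"\x01" + b"\x00" * (q - 2) + b"\x80")
    a = [[0] * 5 for _ in range(5)]
    for off in range(0, len(padded), 136):
        for i in range(17):
            a[i % 5][i // 5] ^= int.from_bytes(padded[off + 8 * i:off + 8 * i + 8], "little")
        a = _keccak_f(a)
    return b"".join(a[i % 5][i // 5].to_bytes(8, "little") for i in range(4))

_ARRAY = re.compile(r"^(.*)\[\d*\]$")            # one array level: "T[]" or "T[N]"
_strip = lambda t: re.sub(r"(\[\d*\])+$", "", t)  # "Person[][3]" -> "Person"

def encode_type(primary, types):
    """Primary struct first, then every struct it references (transitively), sorted by name."""
    seen, stack = set(), [primary]
    while stack:
        t = stack.pop()
        if t not in seen:
            seen.add(t)
            stack += [_strip(f["type"]) for f in types[t] if _strip(f["type"]) in types]
    order = [primary] + sorted(seen - {primary})
    return "".join(t + "(" + ",".join(f["type"] + " " + f["name"] for f in types[t]) + ")" for t in order)

def encode_value(typ, value, types):
    """One 32-byte word per field; the rule depends on the type class."""
    m = _ARRAY.match(typ)
    if m:  # reference type, array: keccak256 of the concatenated element words
        return keccak256(b"".join(encode_value(m.group(1), v, types) for v in value))
    if typ in types:  # reference type, struct: hashStruct, recursively
        return hash_struct(typ, value, types)
    if typ in ("bytes", "string"):  # dynamic type: keccak256 of the raw contents
        return keccak256(value.encode() if isinstance(value, str) else value)
    if typ == "address":  # atomic types: the value itself as a full abi.encode word
        return int(value, 16).to_bytes(32, "big")
    if typ == "bool" or typ.startswith("uint"):
        return int(value).to_bytes(32, "big")
    if typ.startswith("int"):
        return int(value).to_bytes(32, "big", signed=True)
    if typ.startswith("bytes"):  # bytesN: left-aligned, zero-padded on the right
        return bytes(value).ljust(32, b"\x00")
    raise ValueError("unsupported type " + typ)

def hash_struct(primary, value, types):
    """keccak256(typeHash || encodeData): fixed 32-byte words, i.e. abi.encode, never encodePacked."""
    words = b"".join(encode_value(f["type"], value[f["name"]], types) for f in types[primary])
    return keccak256(keccak256(encode_type(primary, types).encode()) + words)

def eip712_digest(domain, primary, message, types):
    return keccak256(b"\x19\x01" + hash_struct("EIP712Domain", domain, types)
                     + hash_struct(primary, message, types))

# Sample input: the "Ether Mail" example from the EIP-712 specification (its published vectors).
TYPES = {"EIP712Domain": [{"name": "name", "type": "string"}, {"name": "version", "type": "string"},
                          {"name": "chainId", "type": "uint256"}, {"name": "verifyingContract", "type": "address"}],
         "Person": [{"name": "name", "type": "string"}, {"name": "wallet", "type": "address"}],
         "Mail": [{"name": "from", "type": "Person"}, {"name": "to", "type": "Person"},
                  {"name": "contents", "type": "string"}]}
DOMAIN = {"name": "Ether Mail", "version": "1", "chainId": 1,
          "verifyingContract": "0xCcCCccccCCCCcCCCCCCcCcCccCcCCCcCcccccccC"}
MAIL = {"from": {"name": "Cow", "wallet": "0xCD2a3d9F938E13CD947Ec05AbC7FE734Df8DD826"},
        "to": {"name": "Bob", "wallet": "0xbBbBBBBbbBBBbbbBbbBbbbbBBbBbbbbBbBbbBBbB"}, "contents": "Hello, Bob!"}

def spec_vectors():
    return {"encode_type": encode_type("Mail", TYPES),
            "domain_separator": hash_struct("EIP712Domain", DOMAIN, TYPES).hex(),
            "struct_hash": hash_struct("Mail", MAIL, TYPES).hex(),
            "digest": eip712_digest(DOMAIN, "Mail", MAIL, TYPES).hex()}

def array_rule_holds():
    """Array of structs: keccak256(hashStruct(e0) || hashStruct(e1) || ...), not a hash of a hash."""
    people = [MAIL["from"], MAIL["to"]]
    return encode_value("Person[]", people, TYPES) == keccak256(
        b"".join(hash_struct("Person", p, TYPES) for p in people))
```

What to look for when auditing a contract's own `hashStruct`: every word fed to `keccak256` must be a full 32 bytes (so `abi.encode(TYPEHASH, ...)`, since `abi.encodePacked` shrinks `bytesN`/small ints and makes adjacent fields ambiguous), `string`/`bytes` fields must be pre-hashed rather than passed raw, arrays must hash the concatenation of their elements' encodings (for struct elements, each element's `hashStruct`), and the type string must list referenced structs after the primary type in sorted order, or the off-chain signer and the contract will never agree on a digest.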
Why did protocols lose $70M in the last 30 days, and what can you do about it?
The reasons for this include:
- trusted role making a mistake during deployment
- 3x: a trusted role's private keys got compromised
- contract updates - introducing a new storage variable that overwrote an
Just wanted to share that going to the gym frequently 💪 + running for 15-20 minutes after the workout 🏃♂️ while listening to web3 security interviews 🎧 with different people in the security space was and continues to be extremely beneficial to me.
Fits perfectly into the
I’ve been studying the whole weekend, preparing to join my 3rd contest for the month. There are so many opportunities in this space, I love it!
I feel January is going to be a very successful month for many people in the space 🚀
I have been auditing more and more cross-chain protocols lately.
Looks like this is one of the main directions where innovation is happening in the industry and investing some time exploring recent innovations could be a good ROI.
Honestly, the kindest, super dapper Dino familia goes to
@DapperDinoNFT
!
Big things happening right now! Check them out!
$WTF, it is about to explode 🚀🧑🚀🚀
@pashovkrum
The industry has improved since then by orders of magnitude. The quality of audits and security researcher expertise has skyrocketed. Still, it was a great financial opportunity for wardens back then. Feeling bad that I missed this money-printing period 😂
@The_Meta_Portal
Roadmap! 2 days until mint 🔥 Dropping a mini game with extra hardcore levels tomorrow on the website.
The first person to complete it gets free NFT and the first 50 will get WL spot! 🚀
Wait for the announcement in discord 👀
Immunefi is excited to announce that we've joined forces with
@fuel_network
to launch the $1.3M Attackathon - the largest competition series in history!
🎯 The Fuel Attackathon Education Period Starts on June 3rd
🎯 The Fuel Attackathon Hunting Period Starts on June 17th
Learn
If you are not sure how lending & borrowing protocols work, I recommend the beginner-friendly video made by
@eattheblocks
to get your foot in the door.
@0x_jp_86
If we have contract A that accepts deposits and Alice wants to transfer her 100 USDC, she will approve contract A for 100 USDC before making the deposit.
After that, an attacker could make a deposit (before her) using Alice's tokens if contract A allows the use of arbitrary
I followed the advice from
@ilchovski98
to ask myself as many questions as possible and realized that the protocol interacts with Uniswap V3 on a low level.
And guess what? I haven't dived deep into Uniswap V3.
So, I started watching
@ProgrammerSmart
's playlist and coding along
@preslavsec
Go through all the findings you have missed in a contest you participated in. For each create your summary of the finding and write the reason why you missed it. This way you will learn a ton and you will be building intuition for next time.
@MartinMarchev
@code4rena
@THORChain
Thank you Martin, just learning from the best 🫵!
It is definitely a breath of fresh air since I started doing it full time.
This month will be very busy for sure and I can’t wait to post the results from it!
2/18 Ethereum's Proof of Stake algorithm requires each validator to lock 32 ETH to be able to participate in securing the network.
By validating the network the validator earns rewards. If it acts maliciously, the validator is penalized and risks losing all his deposited ETH.
Does anybody know an NFT project where people can group up as in a guild and compete against other guilds within their community? Wondering if
@The_Meta_Portal
is the only one with that idea...
By participating in contests you can easily identify where you have gaps in knowledge, take a step back, do your research and move forward.
This way learning is not passive and you retain information a lot better when you put into practice the new concept you just grasped.
When you get an audit pay attention to the incentives!
❓Are auditors well incentivized to find as many bugs as possible?
❓Is the audit paid per vulnerability?
❓Are auditors competing with each other?
❓Is the security company new and the founders are hungry to prove themselves?
6/18 Ethereum security is unmatched.
This is good until you have a brilliant new idea/service that has a decentralization aspect and you need to create a brand new network of validators, incentives, and capital to secure it.
@sirajraval
Siraj, I like you but very often you do things like these. Be real, it’s ok to be you and take your time. It is a marathon not a sprint. I believe in you and you should too!
Pretty good advice for dealing with codebases.
I think that it would be very beneficial for junior auditors to hear what senior ones have to say.
Personally I am curious to know what are
@zachobront
and
@0xDjangoOnChain
2 cents on this 👀
I realized there were some distinct phases in my auditing journey:
1) Month 0-1:
Learned basics, started doing contests but desperately failed
2) Month 2-3:
Good contest results coming in but still lacking a lot of Web3 specific knowledge
3) Month 4-6:
Learned specifically
9/18 Developers with brilliant ideas💡 that need validators to secure their system go to Eigen Layer and say (proposing AVS - Actively Validated Services):
Dear Validators,
Secure my network by running my software on your machine.
Act according to these rules and you will
@santipu_
On the other hand, I was amazed at what findings got validated (unique) by just having a 3rd party admin of a protocol the code integrates with marked as Restricted.
3/18 Many users do not want the overhead of running a validator node or do not have 32 ETH to participate.
Liquid Staking comes to the rescue.
Protocols like Lido and Rocket Pool run their own validator nodes and allow users to deposit small amounts of ETH for a proportional
7/18 It is very difficult to pull this off because you need to convince people to run your client software and move their capital from mainstream methods such as Ethereum POS to your system for higher rewards.
Effectively competing with Ethereum for security.