kuprum
@kuprumxyz
Followers: 182 | Following: 60 | Statuses: 22
I am a security and formal methods researcher with expertise in security audits, protocol and architecture analysis, testing and verification. Get in touch!

Joined July 2024
@kuprumxyz
kuprum
3 days
@flack00n @agfviggiano a really nice writeup (and a CTF of course:) ; thanks for sharing!
@kuprumxyz
kuprum
9 days
@0xSimao @sherlockdefi Congrats! 6 Sherlock contest wins in a row: that's really hard work that paid off🚀
@kuprumxyz
kuprum
15 days
@gjaldon @zzykxx @sherlockdefi It would be only logical, isn't it? You don't climb the mountain without assessing the route first;)
@kuprumxyz
kuprum
15 days
@zzykxx @sherlockdefi Too bad... Committing to smth you can't assess sucks
@kuprumxyz
kuprum
15 days
@zzykxx @sherlockdefi Do you (as LSW) actually see the codebase before locking in into being an LSW?
@kuprumxyz
kuprum
16 days
@00xSEV @immunefi Congrats; that's the start!
@kuprumxyz
kuprum
1 month
@uaarrr @gjaldon Nope; I use Parallels, it works great.
@kuprumxyz
kuprum
1 month
@gjaldon You can run under Linux whatever is compiled for the ARM arch. These binaries are provided quite often, but not always; so there are some restrictions. But if it runs, then no problems, smoothly
@kuprumxyz
kuprum
2 months
@00xSEV a bit provocative, but: because people following the first strategy don't do the second, so the non-stoppers compete only with themselves;)
@kuprumxyz
kuprum
2 months
Got a pretty good start at Cantina: 2 findings submitted, 2 accepted. 1 unique: this becomes a good tradition:) Congrats to everyone; @Haxatron1 is a beast with his unique High! Thank you @cantinaxyz and @OmniFDN; happy to help making Web3 a secure place.
@kuprumxyz
kuprum
3 months
> start by understanding the full concept and architecture before diving deep into analysis. That's the way
@vtikhomirov75
Vladimir T I Algebra
3 months
At Algebra, we tried six audit companies over the past three years and finally found exactly what we needed. Many auditors focus only on standard patterns or weaknesses (like min/max or overflow), which doesn’t suit Algebra, as we manage the liquidity infrastructure for many DEXes running on our CLAMM model. @bailsecurity works differently — they start by understanding the full concept and architecture before diving deep into analysis. We’re happy to recommend them to all DeFi projects, especially DEXes!
@kuprumxyz
kuprum
3 months
@milotruck @SorellaLabs @cantinaxyz Amazing notes! Thank you so much for sharing the knowledge and the insights
@kuprumxyz
kuprum
3 months
Have you wondered how @sherlockdefi leaderboard points are calculated? So did I... I thought I understood; then I realized I don't. So I've created this Sherlock points calculator: Feel free to copy it and use it to track your Sherlock performance; enjoy!
@kuprumxyz
kuprum
4 months
I am 2nd at @predictdotfun lending market audit contest by @sherlockdefi with a solo Medium🎉 Congrats to @PUSH0audits who nailed the other solo Med🔥 I almost got this one as well, but failed to dig the last mile to the true impact. Next time will dig deeper; lesson learned😁
@kuprumxyz
kuprum
4 months
What can be better than after you win a contest to receive from the LSW the comment in dm "congrats, deserved win!" Thanks @zzykxx, it is a pleasure to compete, discuss, and chat with you on @sherlockdefi
@kuprumxyz
kuprum
4 months
Extremely proud to share that I came 1st in Sherlock's Flayer audit contest! It was tough: lots of great researchers, lots of findings; only my solo High helped to achieve that ranking. Congrats to all fellow SRs who participated! My next personal goal: Senior Watson at Sherlock.
@kuprumxyz
kuprum
4 months
A great retrospective into the address collision finding from the MakerDAO contest at Sherlock. I've also dived a bit into this topic. Good self-analysis on how to "learn to learn", as well as on the escalation process. I am sure @00xSEV will achieve a lot 🚀
@00xSEV
Sev
5 months
This is a lengthy reflection on my experiences and lessons learned during the 15-day active escalation of my issue during the Maker DAO (now Sky) contest.

## Most valuable

- Found 1 of 2 findings that were rewarded, so my input was valuable even after so many audits by big names.
- Calculations about the ASIC/GPU cost + electricity
  - Data sources:
    - Spreadsheet (note the 2nd list):
    - Birthday paradox probability calculator (also 2 lists):
  - We discovered that the collision was cheaper than initially thought (many escalations initially said trillions), but it's actually in the millions-billions range depending on time constraints, not trillions. With ASICs/GPUs available for retail consumers.
  - This also led to an update for the paper that formed the basis for [EIP-3607](
    - Confirmed by EIP and the paper author [here](
- How many votes are required for a governance attack, ~8%
- Unwritten rules of Sherlock's (now old) judging
  - > this is always the standard to let Watsons defend themselves and only resolve the escalation and there are no comments in 1+ day
  - > it's some kind of unwritten rule to give time to defend yourself, which I believe is quite fair. But, in some cases, to not further extend the escalation period, I say in how many hours I'm planning to resolve the escalation
- Difference in judging:
  - Cantina
    - Does not allow escalations and comments from others in your issue, which is a plus
    - But also doesn't give you a chance to reply to the judge, which is not perfect. Basically, escalation is one message from you, then the final decision. Sometimes with less than perfect feedback or no feedback at all
  - Sherlock (old judging system)
    - Escalation wars that last for weeks, and being 1 vs. 10 is not easy
    - You have time to see the judge's motivation and add more context when you think the judge is missing something

## Learned

- _“We cannot choose our external circumstances, but we can always choose how we respond to them.”_ — Epictetus
- I think it was a great opportunity to learn and practice some skills.

### Technical

- Got a better intuition about big numbers and possible collisions
- Learned about the high cost of creating an address collision due to large numbers and currently available technology.
- Some good points about renting GPUs on the retail market or hash power on Nicehash not being ideal for the attack.
- How to better understand big probabilities, trade-offs between memory, CPU, and time (see my spreadsheet at the beginning).

### General

- It gave me a giant motivation to learn.
- “Truth is found neither in the thesis nor the antithesis, but in an emergent synthesis which reconciles the two.” — Hegel
- "The growth of knowledge depends entirely upon disagreement." — Popper
- You can often DM people and ask for reasonable help; many are open to it. Maybe having an active Twitter where you also share knowledge can help.
  - I worked on it a little. It's not always easy. I usually don't want to bother anyone with my questions.
- Learned how to focus on one thing and postpone everything else for some time.
- Do all calculations in spreadsheets or code, not by hand.
  - Recheck them in the morning after resting.
- Learn to balance on the edge of burnout after a working weekend.
  - My energy was close to zero after the work, so I learned how to function in daily life on intuition, without too much thinking, with an empty head. I stopped trying to optimize simple routines.
- I should have focused only on one issue from the start.
- ChatGPT can be good for fact-checking and finding weak spots in your arguments—or others' arguments. I think it can become a really powerful tool in escalations when you provide it with all the rules, all the code, and ask it to invalidate/prove the validity of the issue.
  - I have not used GPT here for this, only to criticize my points, just some ideas for the future, to have even worse escalations
- To pace myself. There are so many papers to research, so many possible ASIC optimizations, and really limited time. After working another weekend, you feel almost burned out. So you need to prioritize and limit what you can do.
- Overall, it was an interesting self-exploration.

#### Team

- It would be great to have a team to research the findings from different angles.
- Also, teams are better at absorbing big spikes of mental activity, as during escalation.
- Next time, I'll try to make allies with duplicate authors if possible. This time it was tricky because my impact was the biggest. It could lead to a disagreement further down the road.

### Judging

- Due to the complexity of the case, it can be difficult to gauge how much detail is necessary, what points the judge has understood or retained, and which aspects are most important to them.
- It seemed like the judge might not have fully grasped some of my arguments, especially regarding the math, or perhaps didn’t account for all my points and leaned on others' interpretations. However, I recognize this could be my own bias, as it's easy to feel this way in such situations.
- It's better to add all the possible variations of the attack in the issue, otherwise some judges may nitpick your attack path, when a minor change (e.g. attacker is a contract instead of EOA) would keep it valid.
- It was interesting to observe how the judge's opinion shifted significantly between issues—valid to invalid, and back (not in my issues, other escalations). In many ways, it's a positive trait to be open to revisiting decisions, though it did make me wonder how likely it is for opinions to change once the issue is thoroughly understood.
  - After @cantinaxyz, I thought it's not usually the case, maybe because they have several judges and are in constant contact with the sponsor, and it's harder to change their minds.
- Experience in escalations can play a big role in the payouts you get, as well as the number of experienced participants in the contest. It's not only about finding bugs.
- Maybe it's best to ask the judge what they want to know to deem the issue valid. You can waste a lot of time on different calculations the judge won't even look at.
- It was interesting how my issue was based on another issue, which was based on another issue, based on an EIP. Several layers.
- HoJ
  - The judge doesn't get as deep into the issue as we want them to (at least initially and in smaller contests). They have to believe some of the facts without checking them (they can't be an expert and spend weeks reading all the papers).
  - I thought the judge would remember every fact I gave. But HoJ is human, lacking context (they didn't audit the contest), often lacking niche skills required to understand the issue (which is true with real-world judges who rely on expert opinions too). You may need to summarize, repeat your points, especially when there is a constant rain of another person's objections.
- The additional contest rules are really important:
  - It was considered invalid in part due to the new rules, which the HoJ interpreted differently than I had initially expected.
  - Most of the escalations I noticed from others were about new rules Maker added. It really feels like you need to be a lawyer, reading all the rules and understanding how to apply them to the context. Ignore the real-world impact and apply only artificial boundaries.
  - If the limits locked on contracts were even 2 times higher, I would have had a much easier time defending my issue, with much less expectation.
- The HoJ's approach matters too:
  - They opted to focus solely on currently available technology, rather than considering theoretical estimations, which had been taken into account in previous issues. I would have spent less time on some arguments if I had known that from the start.
  - While Sherlock rules state that "Any request to resolve issues outside of the escalation period is not guaranteed to be addressed," in practice, these requests are often still considered. Comments and new arguments can be added during and after escalation from any account, and the HoJ generally takes them into account.
  - Next time, I think I'll ask the judge directly, "What information would help in determining this as valid?" to ensure I focus on the most relevant points.
- It often matters who your opponents are.
  - Strong opponents can be tough to compete against, as they often know the small details in the rules and use them to challenge the validity of your issues.
    - Even if the issue had been deemed valid multiple times before.
  - This highlights a potential downside of big contests where anyone can escalate issues (unlike @cantinaxyz, where you can only escalate and comment on your own issue, which feels much more manageable).
  - The contest created a strong incentive for others to escalate every issue.
  - Being one person up against 10 more experienced escalators isn't ideal.
  - When I submitted the issue, I hoped I could relax since @IAm0x52 had submitted the same issue before, and I expected he would handle most of the escalations.
    - But that wasn’t the case—he didn’t submit it, and none of the bigger names did either.
  - @panprog is a very skilled escalator, and I would much prefer to have him on my side. He has a sharp eye for details and can use even the smallest rule to invalidate an issue.
    - I wonder if the result would have been different had he and others found the same issue and been on my side. It might have been judged valid (though, of course, I'm biased).
- Another reminder that I'm not very good at escalations—I haven't won a single one yet.
  - In one issue that was escalated, I left a comment explaining why it was invalid.
    - The HoJ was not convinced by my argument,
    - But after someone else added further arguments,
    - The HoJ concluded that the escalation was indeed invalid,
    - And the issue was ruled invalid.
  - I have a lot to learn in this area, though I'm not sure if I want to.
- Good escalation lessons, how to argue, from the best. It was a little bit too expensive regarding time.
- Don't give up too early, or at least give some time before you do it. You can get a new idea, sometimes from an unexpected place.
- The HoJ decision can be just the start of the discussion, often not a final saying.

## Achieved

- Grateful for the support I got and how others valued my input.
  - > My heart goes out to participants like 00xSEV, who tried their best in both the contest and the subsequent escalation war.
    - @haxatron1
  - > I want to express my sincere gratitude to 00xSEV specifically, as well as to other Watsons participating in the hash collision discussion: together we've shed a lot of light on this issue, which will make future discussion much easier. Especially 00xSEV's intellectual honesty is exemplary, as his great time/cost analysis brought previously unseen precision into this issue, to the degree that undermined his own positions. This is in general the degree of objectivity we should strive for in any discussion.
    - @kuprumxyz
- I got as much as I could except for the money.
- I also see that escalation is getting easier—I don't get as stressed.
- I believe my issue (link at the start of the post) has the biggest (critical) impact and is probable, even though it's expensive and long to execute.
  - The issue could destroy the protocol. The impact is in the billions; the cost is in the tens-hundreds of millions.
  - No one else from the big names found it, or at least they haven't submitted it.
  - It's already kind of a miracle that I found anything after all the audits and internal reviews, something others missed.
  - I did my part in helping secure a grandpa of DeFi, a protocol I respect. I'm grateful for the opportunity.
- The issue went far:
  - It was Medium several times before (I found 4), even when the impact was in the low millions.
  - It was approved by the first judge and the sponsor.
  - However, the HoJ had a different opinion. I couldn't fully prove its validity to them.
  - The biggest number of comments in this contest (great discussion).
- I believe this issue is important for the industry as a whole because CREATE2 is used so extensively, and the attack is not well-known.
  - I gave some estimates based on current technology and theoretical ASIC, similar to the miners used in Bitcoin (links at the start of this post).
  - I bet in future issues, someone will improve on it, find more cost-effective ASICs or GPUs, or more papers showing the costs. Maybe the AI boom will calm down and GPUs will become cheaper. I think it's easy to get to millions for sure if you spend a month researching and making your case.
  - If the issue isn't fixed (I believe they will), I'm almost certain Maker will be attacked within 10 years.
- Grew my Twitter and hope I grew my brand a little. It should be easier to connect with smart people in the future.
- I know that Sherlock had been preparing new judging rules for a while, but I think this, along with other escalations, contributed to their decision to change the current judging system, which will hopefully be better for everyone.

## Escalation phase improvement suggestions:

- (I wrote it before the new Sherlock rules were implemented)
- It was already said enough on ways to improve Sherlock's judging. Here are some ideas I didn't see before:
- The biggest issue for me was the lack of clarity about when I could take a day off. It didn’t feel right to say that my work week was over and that I would respond next week, especially since many people were involved.
- I would do something about the time length of the escalation phase. Checking your issue every day for weeks isn't optimal.
  - Maybe Cantina's solution is good, where only the issue owner can escalate and comment.
  - Maybe strict time limits (but this could lead to less optimal decisions with less information).
  - Maybe one escalator, one message.
- A committee of judges might offer a more balanced perspective compared to relying on a single judge. This could help ensure more consistency in decisions, as sometimes the same issue can be judged differently depending on the HoJ. I believe @code4rena has adopted this approach in some cases.
- I don't think that it's enough to have one judge when the issue is not a simple one; you need some experts like cryptographers, and mathematicians. Maybe a platform may have a pool of advisors that you can contact.
- A joke with a grain of truth: With such fierce escalations and all the rule changes for big contests, we need lawyers/coaches who know all the rules and precedents and will fight for you during escalations.
  - Or at least give consultations, like:
    - "For this judge, focus on the final outcome and provide all details clearly. They may not dive deep into calculations. The attack limit is about 10 years and 10 million; beyond that, they may judge it invalid."
    - "This judge is strong in math, so just share the relevant papers. They’ll handle the calculations."

## Emotional regulation:

- It was a good test and practice for emotional control.
- Helped significantly:
  - Gym
  - Breaks
    - The more you work without days off, the longer the breaks—up to 2 hours of work, then rest for the whole day. And work for 30 minutes - 15+ minutes break during the most exhausted time.
    - Limiting information intake during the breaks, perfectly no YT, internet, or books. Especially ones that require you to think to understand.
  - Psychological techniques:
    - _Self-compassion_ book (I read it a while back, and it helps to have some "mantras" to calm down the inner critic). I had a good chance to practice it.
    - Just notice the emotion, don't see it as part of yourself.
    - Look at the long term. Like, there's a high chance to get a good income in 1+ years. Life doesn't end with the current contest.
    - Yes, I didn't win, but I'll show my best today and learn. That's what matters in the long run.
    - Create a daily time slot to allow yourself to be anxious. 30-60 minutes a day to process all thoughts, so you're calmer during the day.
      - More on it here:
    - Allow yourself to make daily decisions by intuition (system 1) and let the deep thinking part of the brain (system 2) rest.
      - From the book _Thinking, Fast and Slow_.
    - Don't overcommit. The escalations were a big task that took all my focus. I postponed everything else. Otherwise, it would be too easy to burn out.
    - We're still in a great sphere with good payouts and salaries. Gaining more experience will lead to higher payments in the long run.
- Helped partially:
  - I can't control the result. What I can do is present my best arguments within the escalation phase time and my current knowledge. Maybe it wasn't enough this time, but it's not my last contest.
  - I do the best I can with the knowledge, time, energy, connections, and experience I have. I can't control more than my actions.
  - I'll wait for the questions and arguments before answering. It will save energy from thinking about all possible defenses against all possible attacks on my issue.
  - Meeting with friends/gf.
  - Limits—since I worked almost 3 weeks without days off, I worked as little as possible, 2-4 hours, then rested and did what I wanted.
  - Some podcasts to remind me there's more to life than this, like Pieter Levels' interview by Lex Fridman.
- Didn't help:
  - Lowering expectations like "I've already lost, just do the bare minimum" because it's self-deception. I didn't actually believe I had lost.
  - Some friends may try to cheer you up with "You'll win for sure," which isn't helpful when the result isn't known.

## Some other thoughts:

- By the end, I was ready for the escalations to be over. I was tired and more focused on wrapping things up than winning. I was looking forward to getting back to the calmer side of research.
- I came close to burning out, which reminded me how important it is to pace myself. I needed long daily rest to stay productive and maintain balance.
- It would have felt more satisfying if those who discovered something valuable, like @10xhash, received more recognition. While this system has its merits, it can feel unfair and disheartening for those who made significant efforts in the contest but didn’t have the same prior recognition.
- I'm still unsure if participating in large contests is the best fit for me, aside from platforms like @cantinaxyz, which don't involve escalation wars, or bug bounties.
- While it would have been great for the effort put in to be rewarded, sometimes the real value lies in the experience and lessons learned.
- A reward for Low issues could have been a nice way to acknowledge the work of those who contributed. Since there was no Low pot, it might make sense to consider platforms in the future that offer a better chance for broader recognition.
  - But I am grateful to receive a reward from the side-pot of course, it is a good way to show that my input was valuable
- At times, it felt like the research efforts weren’t fully recognized, but writing this post helps ensure the work wasn’t in vain. Hopefully, it will be useful to others in the future.

## Thanks

- MakerDAO (now @SkyEcosystem), @sherlockdefi for organizing the contest.
- Thanks to the people who helped me during the issue:
  - @_Czar102, @arabadzhiev_, @khovr, @Haxatron1, @xc1008cui
  - Also:
    - @khovr for the paper and EIP:
    - @IAm0x52 for the first issue of that kind submitted in the contest:
    - @_Czar102 and @arabadzhiev_ for extending the issue and reducing the attack cost, for diving deep into cryptography in the previous issue, significantly reducing the attack cost:
- Thanks to @panprog, @kuprumxyz and others for giving me the opportunity to dive deeper, providing good counterpoints.
- Thanks to the judge @WangSecurity_ for giving me time to research, and I believe they tried their best to be impartial and get to the core of the issue (even though I disagree with the outcome). Great explanation of the decision from the HoJ. It was super clear. I do not agree with all the opinion-based points he stated but at least I see how he came to it clearly. So great job from the judge on this.

## PS

You may also like what I learned during the _contest_ (before escalations), it was a big hit:

## PPS

And for a dessert, at the very least, that discussion created a funny meme from @shunduquar (.
@kuprumxyz
kuprum
5 months
I keep forgetting that Code4rena is Zellic now... I should remember that more firmly -- it has far-reaching consequences...
@code4rena
Code4rena
5 months
NEW Ask the Auditor: LIVE Q&A Chat with Zellic! @KakarotZkEvm and the @zellic_io team will answer your questions to help you compete in the $170,000 competitive audit Mark your calendar: Monday September 30th, 14:30 UTC in the C4 discord How to prep and link below 👇
@kuprumxyz
kuprum
5 months
What a day: C4 results arrived almost simultaneously with Sherlock's; this time I am 3rd! 😎A really great work from @MrPotatoMagic in this contest👏 Thanks @code4rena and the sponsor, @phi_xyz! (a personal note: my future 1st place, I am coming
@kuprumxyz
kuprum
6 months
A personal milestone: my first competitive audit not with a team, but by myself. Not bad, but definitely a space to grow. A personal goal: first place in a contest by end of year. A note to self: don't over-complicate PoCs. Thanks @Optimism and @code4rena!