Consistency is key in Web3. 🔐
Some days you put in 12 hours of work, others just 1.
Don't beat yourself too much about it.
1 is better than 0.
Never ditch everything completely. Even writing a single Twitter post a day will keep your mind where it should be. Once you start
After reading a bug bounty writeup from
@deadrosesxyz
I got hooked on them immediately.
It's like you peek into the mind of the hunter. 🧠
I found this resource that is stacked with such write-ups
I read most of them last week.
Does anybody know of
Web3 security is a billion dollar industry and it will continue to expand.💸💸💸
Doesn't matter if you are coming "late".
Many people are leaving their high-paying full-time jobs to ⚠️RISK⚠️ becoming a security researcher.
That should tell you a whole lot.
Do not hesitate.
About 2 months ago I started to actively audit contests.
The most interesting part about my journey is that I immediately started with a pretty large codebase.
(around 2.5k nsloc, for those of you who are curious it was
@SizeCredit
on
@code4rena
, soon when the report is
If you have been actively auditing the past 3 months, there is 90 percent chance, you have audited a staking contract. ⭐️
Currently I am auditing one; the most helpful resource I found was this video from Smart Contract Programmer. It could be a little math heavy but by the
Auditing is not a simple task, not at all. 📌📌📌
But why make it harder with additional tools, different approaches, reading lots of stuff that is unnecessary at the moment and so on?
Use the Bulgarian CEI pattern 🇧🇬
- Check the code
- Effectively spot the bugs
- Immediately
The most rewarding feeling an auditor could experience is not a 6-digit payout. It is when you understand a codebase that you thought was impossible to grasp.
Several days of intense researching, reading the docs, reading every function line by line multiple times, no
Today I turn 24
Even though I am considered young, the amount of amazing security researchers way younger than me is incredible and is only a sign of how great web3 security is as a space
I am very happy to be here, getting to know a lot of smart people and securing the web3
I said till the end of September I will be top 10 in a contest.
Here are my results for
@tadle_com
contest on
@CodeHawks
💰 Reward: 508$
⭐️ Rank: 10
🐛 5/14 highs uncovered, 0/4 mediums
The competition was fierce with about 1.8k findings
Grats to all in securing the protocol
If you wonder when is the best time to become a smart contract security researcher, it is 2024.
No, it is not some time in the past, it is right now.
Most of the people who are entering this space need to hear this.
Don't bookmark this post to read later for motivation. I don't
Managed to secure my first 3-digit payout from contests (26th place). 💸💸💸
I've read the report, saw what I missed (there were 2H and 2M, I found 1M).
Gratz to all participants for securing the protocol. The contest was TempleGold on
@CodeHawks
My goal is a 4-digit payout and
I really want to keep the motivation in all the great researchers that are currently trying their best in the web3 space. ⭐️⭐️⭐️
As I currently hit 1k followers, I decided to do something small, but from the heart for the community. 🫡
Today I am announcing a week of bug
If you are still wondering if there is a place for you in web3 security, let's observe some stats 📊 on
@code4rena
leaderboards.
Code4rena leaderboard 2022:
About 800 active auditors.
Code4rena leaderboard last 365 days:
About 1500 active auditors.
Takeaway:
These are not
Your brain should always click whenever you have abi.encodePacked() in authentication, signatures and data integrity.
📌📌📌
Why is that you may ask, let me explain:👇🧵
abi.encodePacked(string,string) may result in a collision in some scenarios, let me give you an example ⭐️
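The collision the post refers to, as an added example that is not code from the original post: the namespace/name allowlist is a hypothetical scenario chosen to show why a key derived from `abi.encodePacked` of two dynamic types must never gate authorization or signatures, and `abi.encode` is the fix.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example (not code from the original post). The namespace/name
// allowlist is a hypothetical scenario chosen to show the impact.
contract PackedCollision {
    mapping(bytes32 => bool) private allowedPacked;
    mapping(bytes32 => bool) private allowedEncoded;

    // Vulnerable key derivation: abi.encodePacked concatenates the raw bytes
    // of both strings with no length prefix, so the boundary between the two
    // arguments is lost and ("a","bc") packs to the same bytes as ("ab","c").
    function packedKey(string memory namespace, string memory name) public pure returns (bytes32) {
        return keccak256(abi.encodePacked(namespace, name));
    }

    // Hardened key derivation: abi.encode emits an offset and a length for
    // every dynamic argument, so different splits produce different bytes.
    function encodedKey(string memory namespace, string memory name) public pure returns (bytes32) {
        return keccak256(abi.encode(namespace, name));
    }

    // Access control on grant() is omitted to keep the example short.
    function grant(string memory namespace, string memory name) external {
        allowedPacked[packedKey(namespace, name)] = true;
        allowedEncoded[encodedKey(namespace, name)] = true;
    }

    // With the packed key, granting ("admin", "panel") also answers true for
    // ("adminp", "anel"); with the encoded key it does not.
    function isAllowedPacked(string memory namespace, string memory name) external view returns (bool) {
        return allowedPacked[packedKey(namespace, name)];
    }

    function isAllowedEncoded(string memory namespace, string memory name) external view returns (bool) {
        return allowedEncoded[encodedKey(namespace, name)];
    }

    // Reports whether each derivation treats two different argument pairs as
    // the same key: the packed derivation does, the encoded one does not.
    function collides() external pure returns (bool packedCollides, bool encodedCollides) {
        packedCollides = packedKey("a", "bc") == packedKey("ab", "c");
        encodedCollides = encodedKey("a", "bc") == encodedKey("ab", "c");
    }
}
```

The check to run during an audit: for every `keccak256(abi.encodePacked(...))`, look at the argument types. Two or more adjacent dynamic types (string, bytes, arrays) is the dangerous shape; a single dynamic argument, or only fixed-size arguments, does not collide this way.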
Find the bug challenge part 1⃣
Reward: 30$ 💵
❓❓❓
What could be the problem if Logic is the implementation of the Proxy contract?
Whoever guesses it first is the winner! ⭐️
I'll post the results tomorrow same time.
Happy hunting! 🐛
Another smol win. This time from the
@TraitForge
contest on
@code4rena
. Thankful that I could contribute to the security of the protocol.
Wish them the best! ✌️
Most people find it really hard to jump into audits, even though they learned for month and months.
Here is a video of
@0xOwenThurm
that guides you perfectly in how to jump into your first contest and do your best.
Enjoy ✌️
The first 3 public contests you do are going to be hardest. 📌
In these 3 audits, you will experience the most intense roller coaster of emotions ever.
These are the audits that will test your mentality, and the amount of discipline you have.
They will give you the first scent
Is Rust gaining momentum? I see two very large Rust contests:
1. Axelar on
@code4rena
- already started
2. Centrifuge on
@cantinaxyz
- starts on the 19th of August
Maybe it's time to niche down a little.
Here is a playlist that can get you started with Rust
If you want to be an exceptional auditor, don't do what other auditors do.
What works for them at the moment, may not work for you, as there are levels to this.
I've learned that the hard way.
Keeping it simple is the key.
8 hours a day.
Read code and research the EVM.
You want to know how to navigate larger codebases?
📌📌📌
Here's how 👇
1. Grab an external function that creates a flow (supply, borrow, liquidate, repay, withdraw, depositCollateral, claimPrize, etc.)
2. Try to understand it as deeply as possible looking through every call it
Yesterday I managed to hit 1000 followers.
Love the space, love the energy.
Lots more content coming along.
Tomorrow I will announce something cool that you can participate in, so stay tuned. 💰
2000 till the end of the year. Mark my words.
Thank you all! ✌️
Improving as an auditor is doing what you are scared of.
Scared of that 5000 nsloc codebase - do it
Scared of that escalation war - do it
Scared of asking the devs a question - do it
Scared of the competition - crush them
Ready to give up - repeat ☝️
Whenever you think you
Another great tool that is a must have for an auditor is the Solidity Metrics extension.
It will calculate nSLOC, complexity score and lots of other interesting stuff. There are also visualisations such as:
- Inheritance hierarchy of contracts
- Risk reports
- Call graph
It
Whenever you audit, if you find something extremely hard that seems impossible to understand, remember one thing before giving up:
📌📌📌
Lots of other auditors found the same thing hard and gave up on it. Be the one who doesn't. This is how you find unique 🐛
Every time I see someone post a win on a contest or a success story in web3, I am getting extremely happy, because someone is changing his/her life for the better doing what he/she loves.
Keep grinding 🫡
This post will be an update as to where I am at the moment with web3 security. 📌📌📌
It has been an amazing month! Why is that?
I've managed to put on an average of 6-8 hours of focused work per day (some days 10 hours, other days 3, any hour counts), it was hard at first but
While everybody tells you how their Web3 journey started with "Mastering Ethereum", mine started back in 2021 losing 5k USD on Binance Futures. 🔪 😄
Here I am 3 years later, trying to get my losses back with Web3 security. 🤓
Staring at code for hours on end helps you to grasp every little detail of it. 👀
Even when I am resting the flow of the protocol stays in my head. 🧠
That's why I tend to find more of the complex bugs around the end of the audit. 🐛
I did this for a week now, and I want to say that it just glues me to the monitor for 3 - 4 hours straight of pure focused work.
I don't know what it is, but I really did 10x
Thank you
@nisedo_
🫡
If anyone wants to give it a try -> type 40 Hz Gamma Binaural Beat on YouTube
If you want to have a better understanding of a codebase do this 👇👇👇
At the end of the day just scan it one last time without any comments, notes etc. Just pure code.
It still amazes me how with every scan I interpret it differently.
It is the same code over and over again,
Today the results for
@SizeCredit
were published, unfortunately my submissions got invalidated.
Congrats to everyone who succeeded in protecting the protocol. 👏👏👏
Despite my results, this presents a great opportunity to me. There were a total of 17 H/M🐛 uncovered. Once the
As competition rises, we see around 2k+ submissions in contests with low sloc.
Next 2-3 months, I will mostly do 3k+ sloc competitions.
I want to challenge myself in order to level up.📈📈📈
Will post everything about my journey.
Godspeed.🫡
Most of the people in web3 are very intelligent and open to communication.
Use this to your advantage as it could leverage your knowledge a lot. Some things are learned only by experience
Most of you have seen the word Slippage in DEFI.
What is it exactly?
How could it lead to serious vulnerabilities? 🐛
📌📌📌
I have found this article from
@DevDacian
and it's a pure gem.
Make sure to check it out. It will up your game a lot.✌️
All in all I got 2 out of 6 Highs and 3 out of 19 Mediums in the
@traitforge
contest
Today I would like to do a recap on the Highs: which ones I caught and which ones I missed, what the thinking process behind it was, and what I could improve.
Tip for Smart contract security researchers:
Think as a blackhat 🎩🎩🎩 (but please if you find something don't steal all the funds)😁
Jokes aside ask these questions when you are doing an audit:
1. What if I call this sequence of methods?
2. What if I provide X input as value
My favourite thing to do while waiting for a contest to start is to read a past report and write PoCs for some of the vulnerabilities in it for better understanding.
This way I activate my brain to go into "auditing mode".
What's even better is recognising a similar
If you have these questions:❓❓❓
How to approach a codebase?
How much time to audit per day to be the most productive?
What is the average time spent auditing per month?
How to handle burnouts?
How to be disciplined?
All the questions that an auditor could have are answered
I can relate a lot to
@windhustler
and what he said in this podcast with
@HackenProof
Being a corpo Java software engineer for over 3 years hadn't developed my mindset and approach to codebases the way Web3 security did in 3 months. Sometimes you need to
Recently I am trying to learn as many H/M vulnerabilities as possible. Having all that knowledge will help me a lot in future contests and private audits.
The problem was I didn't have a methodology for studying these vulnerabilities,
@andyfeili
has
Find the bug challenge part 3⃣
Reward: 50$ 💵
This is my implementation of an ERC4626 vault.
The thing is that I did not pay for an audit and now I am holding lots of TVL $$$ 💸
Find a way to drain my vault and win the prize.⭐️
Everything else that is not shown in the
Stumbled upon this podcast by
@HackenProof
where fellow Bulgarian SR
@gkrastenov
shares amazing alpha.
Highly recommend if you want to know about private engagements. How to start finding your first clients and retaining them for the long run by giving solid service.
Always
Tip for newly onboarded auditors that will bring y'all some serious cashflow. 💡
1. ❌ Stop asking others "Am I late for web3 security?"
2. ✅ Start asking yourself "How does this function change the state of the protocol?"
I rarely post something that is not web3 related, but this video has had me glued to the monitor for an hour.
📌📌📌
The importance of 10-12 hour workdays is massive.
Yes they are hard and painful.
Yes you feel miserable rotting for so many hours in front of the screen.
Success should not be that thing, where you bow to everyday and pray that sometime you might reach it.
It should be made a standard. Same as, do not eat food from the floor.
Let's say this month you need to find at least 30 vulnerabilities in contests.
Now this is the
As I have around 3 years of backend development (Java),
it was very hard to read the "formatted" code in Solidity.
Just the way it was laid out didn't match my workflow.
I've found this extension for VS Code which allows you to configure a formatter the way you like.
In
Web3 is in its early stages but things move very quickly. You have to be agile.
👇👇👇
You either watch things happen, join things as they happen or make things happen. The ball is always in your court. The choice is always yours. ✌️
After the weekend is over, Monday is such a nuisance. You are resting then suddenly you need to get out of your comfort zone and start to work.
Getting into web3 security, will eliminate this dread forever.
No days off 🙃
If you are participating in a contest where there are no sponsors that can answer your questions and the documentation is not that good,
this is your time to shine. 🫡
Examine the code as much as possible as most of the wardens will have different interpretations of the
Communication is key in web3. 🔑🔑🔑
In either contests or private audits you need to communicate with developers. Don't think you can do it on your own. You may, but there will be lots of invalidated issues ❌ obstructing your path to success ✅. You are the security researcher,
Find the bug challenge part 2⃣
Reward: 40$ 💸
❓❓❓
This is an auction house protocol.
In an auction, participants can place bids. When a new, higher bid is made, the previous highest bid is returned to the bidder who placed it.
Comments:
Fee on transfer/deflationary/rebase
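The two token behaviours named in the challenge and its results (fee-on-transfer accounting and an ERC777 receive hook blocking refunds), as an added example that is not the challenge's original code. The bidding token is assumed to be an arbitrary ERC20 chosen at deployment, and auction settlement is left out; `VulnerableAuction` keeps the weak pattern, `HardenedAuction` credits what actually arrives and moves refunds to a pull pattern.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

// Added example, not the challenge's original code. The bidding token is an
// arbitrary ERC20 chosen at deployment; settlement logic is omitted.
contract VulnerableAuction {
    IERC20 public immutable token;
    address public highestBidder;
    uint256 public highestBid;

    constructor(IERC20 _token) { token = _token; }

    function bid(uint256 amount) external {
        require(amount > highestBid, "bid too low");
        // Trusts the requested amount. With a fee-on-transfer token the
        // contract receives less than `amount` yet will later refund all of it.
        require(token.transferFrom(msg.sender, address(this), amount), "transferFrom failed");
        // Pushes the refund inside bid(). If the previous bidder's receive hook
        // (ERC777 tokensReceived) reverts, every later bid reverts with it.
        if (highestBidder != address(0)) {
            require(token.transfer(highestBidder, highestBid), "refund failed");
        }
        highestBidder = msg.sender;
        highestBid = amount;
    }
}

contract HardenedAuction {
    IERC20 public immutable token;
    address public highestBidder;
    uint256 public highestBid;
    mapping(address => uint256) public pendingRefunds;
    uint256 private locked = 1;

    // Minimal guard (stand-in for OpenZeppelin's ReentrancyGuard): token hooks
    // run inside transferFrom, so the balance measurement must not be re-entered.
    modifier nonReentrant() {
        require(locked == 1, "reentrant call");
        locked = 2;
        _;
        locked = 1;
    }

    constructor(IERC20 _token) { token = _token; }

    function bid(uint256 amount) external nonReentrant {
        // Credit what actually arrived, not what was requested.
        uint256 before = token.balanceOf(address(this));
        require(token.transferFrom(msg.sender, address(this), amount), "transferFrom failed");
        uint256 received = token.balanceOf(address(this)) - before;
        require(received > highestBid, "bid too low");

        // Pull pattern: record the refund and let the outbid party claim it,
        // so a reverting hook can only block its own owner's refund.
        if (highestBidder != address(0)) {
            pendingRefunds[highestBidder] += highestBid;
        }
        highestBidder = msg.sender;
        highestBid = received;
    }

    function claimRefund() external nonReentrant {
        uint256 owed = pendingRefunds[msg.sender];
        require(owed > 0, "nothing to claim");
        pendingRefunds[msg.sender] = 0;
        require(token.transfer(msg.sender, owed), "refund failed");
    }
}
```

Two caveats a reviewer would still raise: the balance-delta approach covers fee-on-transfer but not rebasing tokens, whose balances drift after the measurement, so `pendingRefunds` can exceed what the contract holds; and `require(token.transfer(...))` assumes the token returns a bool, which is why production code wraps these calls in SafeERC20.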
Second round of the bug hunting week is done! 🐛
As there are 2 scenarios in which the protocol could be exploited we have 2 winners.
(nobody managed to get both of the scenarios right)
Winners are:
@shibi_kishore
- caught the scenario where using an ERC777 token DOS'ed the
Nowadays, reentrancy vulnerabilities are at an all time low.
Why is that? 🤔
📌📌📌
Using ReentrancyGuard and the nonReentrant modifier.
Also applying the CEI (Checks -> Effects -> Interactions) pattern.
But that doesn't mean they can be 100% prevented.
Whenever you observe
A tip for smart contract security researchers:
Buy an actual whiteboard.💡💡💡
I can't really tell the difference functionally between Miro and an actual whiteboard, but actually getting up from my chair and drawing on a physical board has boosted my productivity and creativity
Most people deem web3 very risky, so they choose the "safer" option which is a corporate job.
Didn't know "safe" meant you could get laid off any time of the year even if you do your job perfectly fine. 🤐🤐🤐
Challenge for SR's: ⭐️
Whenever you have the urge to bookmark a post, just read it. 🤓
Bookmarking is the ultimate guide to procrastination.😴
Whenever you read it, if there is some crucial knowledge that you may reference in future audits, then bookmark it.✌️
If you're currently participating in the
@Karak_Network
Restaking contest on
@code4rena
, make sure that you read the ERC-4626: Tokenized Vault standard.
It is crucial to understand it, as it allows ERC-20 tokens to be represented as shares of a tokenized vault, while keeping
If you need to attain some Cairo knowledge, I recommend this video.
It is concise and gives the most value for its length.
Even though there aren't many Cairo contests at the moment, if anyone decides to participate in some of them, this is a gem 💎💎💎
Hands down the best newsletter, if you want to keep up with everything regarding Web3 security.
They even have an archive that you could browse.
Lots of info, much alpha ✌️
Had a really nice talk recently with
@deliriusz_eth
and
@escrow_
Highly suggest all beginners listen to this, as I shared a lot of my insights on how to be a better auditor 👀
If you are new to the Web3 space, you have probably seen the words faucet and facet. They seem to be the same term, but they actually represent different aspects of Web3.
📌📌📌
What they are and how they are used in actual scenarios, I will explain in this 🧵👇
Damn it feels good when sponsors are responsive and they really try to understand your explanation of a vulnerability.
In the meantime, they show their point of view, which can give you a different insight into the protocol.
That helps a lot. ✅
Big thanks to such devs, it is
While researching different attack vectors for the
@SizeCredit
contest, I have come across one of the best articles on Lending/Borrowing DeFi Attacks written by
@DevDacian
If anyone has something similar to this article please add it in the comments or DM me.
Thank you!
I decided to participate in the
@SizeCredit
code4rena contest. This is the first contest I take part in. At first glance 2.5k nsloc seemed a bit too much for a beginner like me.
After spending the whole day, learning and researching, watching the code walkthrough several times,
Doing audits/contests is probably the best you can do to level up.
If you are feeling miserable doing contests, I have happy news for you: you are on the right path. Misery makes you research. (misery = gain)
At first I didn't believe it. Now I'm full send on that info.
Jump into
This is amazing, I've managed to surpass 200 followers.
I want to thank you all! 🫡🫡🫡
📌📌📌
My only goal is contributing as much value to the web3 space as I can, doing audits and creating content.
Godspeed to 500.
When it comes to web3 sec, my strategy is to not learn things I don't need at the moment.
One of these things was Hardhat👷. I stumbled upon some unit tests written in Javascript that were run on Hardhat. I've been a Foundry user since the beginning of my journey and I got a
After about 2 weeks of actively auditing a contest I want to share some key takeaways about the whole experience as I think that could help a lot of security researchers going forward.
Thread below:
Tip for auditors.💎
Share everything about your research.
Post about your web3 thoughts.
It is good for your brand, it is good for the space.
All opinions matter.
The biggest flex a security researcher could have is finding 100% of the vulnerabilities in a protocol.😎
Of course this comes with time, a lot of fxing time.
It is for sure time well spent.✌️
A type of vulnerability that I've witnessed recently is not having a proper way of withdrawing assets from a contract.
Easy to explain example will be:
If you see a payable function in a contract, there should 100 percent be a withdraw for native ETH. If there is not, that is a
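The pattern the post describes, as an added example that is not code from the original post: a contract that accepts native ETH with no path out, beside the same entry point with an owner-only withdrawal. Both contracts and the `fund()` name are constructed for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not from the original post.
// Every wei sent to fund() is locked forever: the contract accepts value but
// exposes no function that can move it out.
contract StuckEther {
    uint256 public totalReceived;

    function fund() external payable {
        totalReceived += msg.value;
    }
    // No withdraw, no forwarding, no sweep: the balance can only grow.
}

// Same entry point plus an access-controlled withdrawal path.
contract WithdrawableEther {
    address public immutable owner;
    uint256 public totalReceived;

    constructor() { owner = msg.sender; }

    function fund() external payable {
        totalReceived += msg.value;
    }

    // Owner-only sweep; uses call so any recipient, including contracts with
    // a receive() that needs more than 2300 gas, can be paid.
    function withdraw(address payable to, uint256 amount) external {
        require(msg.sender == owner, "not owner");
        require(amount <= address(this).balance, "insufficient balance");
        (bool ok, ) = to.call{value: amount}("");
        require(ok, "withdraw failed");
    }
}
```

The audit check is mechanical: list every `payable` function and `receive()`/`fallback()`, then confirm each unit of value they accept has a deliberate exit (a refund, a forward to another contract, or a sweep). A payable entry point whose only purpose is an accidental `payable` keyword is the same finding from the other direction.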
FAILURE ❌❌❌
is one of the best things that can happen, if you properly extract everything that led up to it.
Take 2 steps back, observe the larger image. Pinpoint what you've missed. The hardest of bottoms shows the stronger sides of an individual.
Embrace it ✌️
Web3 is very volatile. Sometimes the crypto market seems bearish and investors are backing off from the space. It is hard, it is problematic. It seems like everything will crumble down.📉📉📉
I have some major advice on how to handle such situations.
Read
Code
🤓
Something new that I tried today for the
@SizeCredit
contest is looking into the test suites so I can better understand the flow of the protocol.
I think as a security researcher, it is essential to always dig into the tests.
I thought that I had an excellent understanding of
If you think you have nothing to do and may have a little rest, go to there is plenty to do there.
When I say plenty, I mean just a mere 12k findings to consume and upgrade your arsenal.
Everybody knows about the SR role on
@code4rena
Before achieving it there will be hardships in validating some of your findings.
What are the ways to improve your experience in PJQA while not having the SR role?
1. Have a friend that has the SR role so you can do escalations
The equivalent of contest results is the time you put into deep diving the protocol and learning all its mechanisms.
Needless to say: deep diving == money
💸💸💸
I found this amazing interpretation of the Ethereum Yellow Paper that makes it way more understandable.
📌📌📌
It is called the beigepaper.
I highly recommend reading it. If you had a hard time with all the mathematical stuff, you will surely understand it this time.
If you are wondering what kind of questions to ask the developers during a security audit,
@tinchoabbate
got you covered with this post.
It is concise and very informative. Must read 🧐
Wrapped up my report for the
@SizeCredit
contest.
Managed to find some vulnerabilities, hopefully they get validated.
It feels amazing finishing an audit, wow!
Can't wait to see what vulnerabilities I didn't catch.
Good luck to all the participants.
It was a pleasure!
Yeah, yeah, I get it, breakups are hard and depressing.
But have you ever invalidated the finding you were most proud of right after the contest ended? 🙂
Sharing all your progress publicly, what you have learned, what you have missed to learn, what you will learn, is probably the best way to get some feedback and spread the knowledge. ✌️
Do not miss out on the opportunity.
If the protocol has good unit tests, make sure you use them to your advantage.
They could show you a lot.
How the protocol behaves in certain scenarios.
It's like additional documentation to search through.
A small change in parameters or maybe adding new elements to the
First round of the bug hunting week is done.
Winner is 🥁🥁🥁
@baba_shamsuddin
Congratulations to the winner! ⭐️
We started with something easy, things will get harder and harder. Be prepared.
I am happy to see lots of correct answers. Kudos to all!
The vulnerability is