pkqs90 Profile
pkqs90

@woshilalala

Followers
1,287
Following
257
Media
21
Statuses
296

Web3 Security Researcher | Lead Senior Watson @sherlockdefi DM for audits.

Joined January 2021
Pinned Tweet
@woshilalala
pkqs90
27 days
After 7 months in public audit contests, here’s what I’ve achieved: - Rank #12 on Sherlock's all-time leaderboard. - Rank #8 on Code4rena's 2024 leaderboard. - Won 5 audit contests, with also 12 top-10 finishes. - Earned ~$147k in contest rewards. Shout out to @sherlockdefi and
@woshilalala
pkqs90
2 months
Landed #1 in the @predyfinance contest on @code4rena :) Some highlights: 1. My first DeFi protocol (Perp trading + UniV3) win with ~5000 nloc. 2. Biggest pot I've won to date, thanks to the hunter/gatherer bonus. 3. This also takes me to #6 on the 2024 leaderboard. The
@woshilalala
pkqs90
1 month
Landed #1 in the @SuperBoring_xyz contest on @sherlockdefi :) This contest had some cool new concepts. I dug through a lot and managed to find 6 out of 7 issues with 4 solo, breaking my own record for the most solo findings in one contest. This is also my 5th contest win. Gonna
@sherlockdefi
SHERLOCK
1 month
🏆 @superboring_xyz Audit Contest Results 🏆 Congrats to: 1. @woshilalala - $10,415.20🥇 2. @brandon_shi - $4,040.38🥈 3. @KupiaSecurity - $2,020.19🥉 @woshilalala made $8,500.00 fixed pay + $10,415.20 from the contest pot! $28,500.00 rewards ➡️ $9.6M+ paid out in rewards.
@woshilalala
pkqs90
2 months
Landed a 6th in the Noya contest on @code4rena. This was an interesting one: 1. It was a yield farming protocol with 20+ external integrations. I spent most of the contest reading code/docs from other DeFi protocols and writing reports endlessly. 2. There were 23H63M issues in
@woshilalala
pkqs90
3 months
Some of my common thoughts when reading issues from other contestants: 1. How tf did he find this? 2. How tf did I miss this? ... 3. How tf is this valid?
@woshilalala
pkqs90
2 months
Sharing some alpha. Two ways to gain the most from audit contests, based on my experience: 1. Pick contests slightly above your skill level. Try best to catch all issues, and don't stop until you're confident none are left. If in the end you still miss over half,
@woshilalala
pkqs90
1 month
Landed another 6th in the @SizeCredit contest on @code4rena . It was a 200k pot contest, so I expected a lot of competition. I tried my best to find all the issues, but still missed over half ... again (2H6M/4H13M) During PQJA, I was shocked at how many issues I missed and gave
@woshilalala
pkqs90
4 months
Never thought of getting to Senior Watson so quick when I started auditing this year. But knowing this is mostly due to luck makes me want to grind even harder lol 👀
@woshilalala
pkqs90
5 months
Really proud about the results - 1st contest win, 3/3 findings, 1 solo, and the project had 8 previous audits. Gotta keep grinding 🚀
@sherlockdefi
SHERLOCK
5 months
🏆 @m0labs Audit Contest Results 🏆 Congrats to: 1. @woshilalala - $31,172.76🥇 2. 00001111x0 - $9,707.61🥈 3. @xiaoming9090 - $5,795.59🥉 @xiaoming9090 made $28,500.00 fixed pay + $5,795.59 from the contest pot! $88,000.00 rewards ➡️ $7.6M+ paid out in rewards.
@woshilalala
pkqs90
2 months
Random thought: At what point is an auditor *ready enough* for private audits? I used to think it was when you achieve 10k+$ in contests or win a few. But now that I'm there, I still don't feel ready, especially when I'm constantly making stupid mistakes or missing stupid bugs.
@woshilalala
pkqs90
3 months
Another small win, and my first time being LSW. Keep grinding 🫡
@sherlockdefi
SHERLOCK
3 months
🏆 @GammaStrategies Audit Contest Results 🏆 Congrats to: 1. @woshilalala - $4,813.30🥇 2. joicygiore - $4,679.48🥈 @woshilalala made $4,500.00 fixed pay + $4,813.30 from the contest pot! $17,000.00 rewards ➡️ $8.6M+ paid out in rewards.
@woshilalala
pkqs90
14 days
Rounding error attacks
@woshilalala
pkqs90
11 days
Gonna pick Zetachain. Reasons: 1. My first contest on Cantina; 2. My first cross-chain protocol; 3. My first contest with Rust involved (learned Rust last week). What could go wrong? Looking forward to the Big mac meal as rewards :)
@GalloDaSballo
Alex the Entreprenerd
11 days
Which contest would you pick and why?
@woshilalala
pkqs90
4 months
Landed a 7th place in the panoptic contest on c4. It was a challenging codebase with many new concepts. However, can't say I'm really happy with the results, as the issues I missed seem so simple in hindsight. Another interesting fact is that almost half of the issues are
@woshilalala
pkqs90
25 days
Replacing my audit music list with this.
@HackenProof
HackenProof
25 days
New Episode Alert! We're thrilled to feature @deadrosesxyz on this episode! Being in his 19 he is on track to hit $1 million in 2024, this man is redefining success in the bug bounty world! Tune in to hear his incredible journey:
@woshilalala
pkqs90
2 months
Crazy bullish. Whoever sleeps in July is gay (huh).
@jack__sanford
Jack Sanford 🛡️
2 months
Take a good look now because July is only going to get busier from here
@woshilalala
pkqs90
4 months
Landed a 4th in the tellers contest. Kudos to the top 3 winners! The competition was really tough, I found 12 HM issues, but still missed over half.. Gotta make it to top 3 next time 🚀
@sherlockdefi
SHERLOCK
4 months
🏆 @useteller Audit Contest Results 🏆 Congrats to: 1. EgisSecurity - $3,871.54🥇 2. @0xadrii - $3,696.91🥈 3. @0xSimao - $1,724.32🥉 bughuntoor made $6,500.00 fixed pay + $1,155.11 from the contest pot! $28,500.00 rewards ➡️ $8.3M+ paid out in rewards.
@woshilalala
pkqs90
3 months
And another small win. Next goal is to win a defi protocol. I've always struggled with those a lot.
@sherlockdefi
SHERLOCK
3 months
🏆 @MidasRWA Audit Contest Results 🏆 Congrats to: 1. @woshilalala - $1,058.63🥇 2. @Afriauditor - $988.97🥈 3. PNS - $726.63🥉 @woshilalala made $4,500.00 fixed pay + $1,058.63 from the contest pot! $13,500.00 rewards ➡️ $8.7M+ paid out in rewards.
@woshilalala
pkqs90
3 months
What a nice surprise 👀
@woshilalala
pkqs90
3 months
Having one of those weeks where it's hard to focus and stay motivated. Sometimes I just don't feel like working on anything... And with 19 contests running in parallel, it's just so overwhelming 😂
@woshilalala
pkqs90
2 months
Best gamefi model. You can argue with strangers, and earn money at the same time (or not if you just enjoy arguing).
@bytes032
@bytes032.xyz
2 months
i present you the next stage of escalation wars
@woshilalala
pkqs90
21 days
Gotta go study my EIPs
@shunduquar
shung🌞🌈🌱
21 days
Good luck to the judge.
@woshilalala
pkqs90
4 months
Lucky to land a 2nd in this contest. Didn't catch any H/M issues (submitted a few though, none were validated), but luckily there were no validated issues in this contest, and my ranking was second among all the contestants, so... 😂
@sherlockdefi
SHERLOCK
4 months
🏆 @vvvchain_io Audit Contest Results 🏆 Congrats to: 1. @IllIllI000 - $3,315.31🥇 2. @woshilalala - $1,317.66🥈 3. fugazzi - $824.34🥉 @IllIllI000 made $5,500.00 fixed pay + $3,315.31 from the contest pot! $17,000.00 rewards ➡️ $8.0M+ paid out in rewards.
@woshilalala
pkqs90
1 month
@0x3f97 @SizeCredit @code4rena One of the bugs I missed and found interesting was related to race condition. As for the second question, I would also like to know the answer to that :)
@woshilalala
pkqs90
2 months
@sherlockdefi @MakerDAO Epic. I guess no time to rest in July :(
@woshilalala
pkqs90
2 months
@jack__sanford Crit: This should be business class.
@woshilalala
pkqs90
5 months
Last week, I picked a Sherlock contest that had 8 previous audits in the past 2 months... Not the best move, since obviously there are no low-hanging fruits. Every potential attack vector I can think of seems already covered. Excited to see what @xiaoming9090 finds in the final
@woshilalala
pkqs90
2 months
@0xEV_om @code4rena @autonolas Crazy results for such short period of time, congrats! 🔥
@woshilalala
pkqs90
4 months
Broke some of my own records: 1. Editing a report until the last minute; 2. Submitting 15 HMs in a single contest
@woshilalala
pkqs90
2 months
My bet is on @xiaoming9090
@windhustler
GiuseppeDeLaZara
2 months
Who's going to win the $1.3 million MakerDAO contest? C'mon place your bets 🎲🎲🎲 My bet goes for @panprog , think he's the OG in the group.
@woshilalala
pkqs90
2 months
@0xAngler Yeah, I think from the protocol's perspective, the most solid way is to have solo/team audits initially, then go to public contests to make sure nothing is missed (although most of the time, a bunch of new bugs are discovered in the last step).
@woshilalala
pkqs90
1 month
@samuraiii77 @SizeCredit @code4rena Looking forward to competing together again 🫡
@woshilalala
pkqs90
11 days
@deadrosesxyz @nisedo_ My future reason for not writing a poc: avoid potential rugging from sponsor
@woshilalala
pkqs90
27 days
@00iamma00 @sherlockdefi Fully understand the codebase + try common attack vectors. With this you can find most of the issues imo.
@woshilalala
pkqs90
24 days
@AliX__40 Also enjoying them a lot! Can't wait to see what happened in April.
@woshilalala
pkqs90
5 months
@xiaoming9090 @sherlockdefi last one a crit for sure
@woshilalala
pkqs90
3 months
@14si20 saw this as well, pretty shocked tbh
@woshilalala
pkqs90
4 months
@nmirchev8 @dethSCA @EgisSec Great job, and great findings!
@woshilalala
pkqs90
29 days
@sherlockdefi Really cool feature. Congrats on the launch!
@woshilalala
pkqs90
4 months
@14si20 Sounds like a "user undefined behavior" issue? IMO these are pretty borderline since they could've used the correct input (often provided by web2 portal) and if for some reason user chooses to call web3 function instead they probably should know what they're doing.
@woshilalala
pkqs90
22 days
@milotruck @biconomy Congrats! Are you back doing contests sir?
@woshilalala
pkqs90
29 days
@AliX__40 🐐🐐
@woshilalala
pkqs90
2 months
@_zhyn @code4rena Actually no lol.
@woshilalala
pkqs90
8 months
@MartinAtanasovv @code4rena Never thought insider trading would be a problem for smart contract auditing 😂
@woshilalala
pkqs90
27 days
@jack__sanford @sherlockdefi Thanks Jack! Means a lot coming from you 🫡
@woshilalala
pkqs90
3 months
Next move: blame everything on the intern.
@CertiK
CertiK
3 months
CertiK recently identified a series of critical vulnerabilities in @krakenfx exchange which could potentially lead to hundreds of millions of dollars in losses. Starting from a finding in @krakenfx 's deposit system where it may fail to differentiate between different internal
@woshilalala
pkqs90
2 months
@14si20 Always love a roast of these so called security firms lol
@woshilalala
pkqs90
2 months
@tudoratu @predyfinance @code4rena Thanks! Feel free to shoot me a dm
@woshilalala
pkqs90
2 months
@AliX__40 Just read your findings and realized I missed out on some obvious ones. I think you will get a very high ranking on this contest. Great job!
@woshilalala
pkqs90
7 months
@bytes032 Was just reading this for the Sherlock contest. Really nice report!
@woshilalala
pkqs90
2 months
@Xc1008Cui @HalbornSecurity I've always liked it in cpp that unordered hashtables use the typename `unordered_map` to tell devs they are unordered lol.
@woshilalala
pkqs90
7 months
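I tried this tutorial myself and it's really good! When I first started using etherjs, I was searching the docs for details every day. Later I spent half a day going through the wtf tutorial; it has many practical scenarios and also does a good job of helping you sort out how the whole lib is used.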
@0xAA_Science
0xAA (🇼 🇹 🇫,📜)
2 years
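After getting started with Solidity, I recommend trying to write some js scripts to automate tedious on-chain interactions. Ethers.js is a js library for interacting with the Ethereum blockchain, and it can also be used with other evm-compatible chains. The WTF Ethers tutorial currently has 25 lessons, covering everything from getting started to applications, including contract interaction, batch generation and management of wallets, and a simple front-running bot.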
@woshilalala
pkqs90
21 days
@0xch301 @sherlockdefi Pvp next level: Anon vs anon
@woshilalala
pkqs90
2 months
@waydou9 @predyfinance @code4rena Around 2 weeks. I'd say start with small codebases but don't be afraid to work on large ones. Imo working on large codebases and getting fxcked a few times is the quickest way to improve.
@woshilalala
pkqs90
2 months
@xiaoming9090 Wish I'd read this earlier. I'm pretty sure I've seen this issue in previous contests and just assumed it was a by design rounding issue :(
@woshilalala
pkqs90
28 days
@AliX__40 Bruh this is so similar to what I experienced. I think the contest you mentioned here is reNFT? That was my second contest, and I was also hit hard when I found basically nothing while there were 20+ valid HMs 😂
@woshilalala
pkqs90
6 months
@14si20 @spectra_finance @code4rena Also spent a ton of time on this one. Only found something probably close to an H though. The codebase was really solid imo.
@woshilalala
pkqs90
2 months
@milotruck From an auditor's perspective, I definitely agree that if someone is going to do a private audit, they should be confident enough about their audit result, rather than relying on the protocol to get future audits.
@woshilalala
pkqs90
2 months
@0xjuaan Amazing. Congrats!
@woshilalala
pkqs90
2 months
@_zhyn I agree, especially if the codebase is really large, it is impossible for 1 audit to do the job. But from auditor's perspective, I think the correct mindset is to treat every audit like its last, rather than relying on future audits to catch the missed bugs.
@woshilalala
pkqs90
3 months
@windhustler Thanks for spilling alpha :)
@woshilalala
pkqs90
2 months
@atharv_181 @xiaoming9090 Thanks, but your money is better 100x longing shitcoins 😂
@woshilalala
pkqs90
24 days
@0xEV_om @3DOCsec @Haxatron1 Super 🐐 team. Also learned a lot from your reports. Congrats!
@woshilalala
pkqs90
2 months
@Guhu95 @xuwinniexu @milotruck What about: Learn/read more on security issues -> realize the same bug pattern occurred in previous codebase? I don't think this is that uncommon.
@woshilalala
pkqs90
3 months
@NeoGranicen actually I've read some pretty stupid code in places where most people won't believe it exists (e.g. production level self driving cars), so I'm used to that already lol
@woshilalala
pkqs90
5 months
How many truths are told as jokes on April Fool's Day
@asen_sec
0xasen.eth
5 months
I quit web3 security After a year of trying I decided that web3 security is not for me It simply has become overcrowded and filled with 18-year-old geniuses taking your bread And the rewards after the bull run will dry up and the pie will become even smaller Good luck all🫡
@woshilalala
pkqs90
2 months
@IWildSniperI @predyfinance @code4rena Thanks! You believed in me more than I did :)
@woshilalala
pkqs90
8 months
Felt a bit frustrated while auditing @renftlabs in the recent @code4rena contest - didn't spot any major issues. However, reading their codebase was pretty insightful and I think it lets me learn what good quality code (and tests) should look like.
@woshilalala
pkqs90
27 days
@IWildSniperI @sherlockdefi Thank you! Glad I didn't disappoint :)
@woshilalala
pkqs90
2 months
@0xpeternguyen @predyfinance @code4rena It's hard. Imo the most important thing is to have a good design and code structure which luckily this one does.
@woshilalala
pkqs90
2 months
@bauchibred @code4rena Thanks, also congrats to your recent achievements!
@woshilalala
pkqs90
2 months
@Jeyffre L2 launch with airdrops -> Market crashes -> Lower gas fee
@woshilalala
pkqs90
4 months
@oot2k1 Thanks ser 🫡