This is what I've achieved in my first 6 months of auditing smart contracts:
🏇Competitions:
🏆 WIN 2 competitions
🏅 Rank 8th on BLAST (history biggest competition)
🏅 Climb 14th on @cantinaxyz all-time leaderboard
🏅 Climb 55th on @code4rena 90-day leaderboard
💥 Found a
Last night, I didn't sleep. Actually, I haven't slept enough for many weeks.
This time, however, it was out of excitement.
I finally 🏆WON🏆 my first competition.
Some stats:
🏇6th competition
⌛️ 3rd month of contesting
🏅59th on the 90 day leaderboard
🏅377th on the all-time
If you write smart contracts (like me) or try to break them as an auditor(like me), you probably heard about fuzz/invariant testing
After 3 full days of research I finally managed to grasp the practical implications and benefits of it
I've created a map so you can do it in 1🧵
First time on @immunefi and results don't lie
It was a 5 day struggle and inner battles! Will see how it unfolds🧐
Had a great experience! Credits to @0xMackenzieM and the whole team!
I ranked 8th in HISTORY'S BIGGEST COMPETITION - BLAST
I'm a bit overwhelmed, so I'll start with some stats until proper words line up in my head
Stats:
💥1 HIGH
💥1 MEDIUM - a deliberate solo
💥Climbed to 14th🏅at Cantina All Time Leaderboard
💥 My 6th competition
💥 My 2nd
I analyzed the report of a contest I participated in on @code4rena.
One specific finding by @milotruck taught me a LOT. It was so simple, yet only 3 out of 125 auditors found it.
WHY? - They asked the right questions!!
I'm doing a breakdown of the mental model that empowered
2nd 🏆WIN🏆 in a ROW
If an oracle (a real one 😅) has shown me this in his 🔮, it's up to debate if I would have believed it.
But then, there's facts👀
Stats:
🧨solo and the only HIGH
🧨4 Mediums - 2 selected for report
🧨Found 4 of the 5 newly introduced vulnerabilities
Analyzing the reports from past contests is probably the most important skill that will turn you into a GREAT auditor IF you do it PROPERLY
I have invested a week and ALL of my experience to create the ultimate deep dive on the subject.
I break down
☝️If you're just getting into auditing or having a hard time with contests, I suggest you bookmark this thread and consume it.
I've become a bit annoying writing about shadow audits for the thousandth time.
💪But there is a reason for it - it works!
I see many aspiring
I just finished watching @milotruck's video, where he talks about auditing
😱It has a LOT of ALPHA!😱
But it is a lengthy video (~1h 30min)
I'm compiling the key ALPHAS for all of you that don't have that time, because it is a knowledge WORTH having🧵
I spent the day analyzing the security implications of the 63/64 gas rule in Ethereum.
The occasions where it can lead to exploits are rather rare, but they still exist.
In case your protocol has logic depending on gas calculations it's important you're aware of it.
This
I dedicated my single day off from auditing this month to do a deep dive in a new web3 concept!
👉 Account Abstraction (ERC-4337)
I invested 9 hours, read 26 articles and went through 3 threads(X & Reddit).
All that experience I’ve compiled into a short guide with only a few
Once you start accumulating knowledge intensively, at a certain point, your brain🧠 starts overflowing.
I recently experienced this when I stumbled upon a finding about force sending ETH using self-destruct.
It felt as if I was reading about it for the first time. Even though I
Writing smart contracts with upgradeability in mind is tricky.
Thankfully @OpenZeppelin has streamlined most of the process.
But regardless of the brilliant docs, I'm noticing that a lot of devs don't understand the _disableInitializers() safety mechanism.
It is a very costly
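As an added illustration of the mechanism (example code, not the author's): the first contract is an implementation left initializable by anyone, the second locks itself in its constructor with _disableInitializers(). Contract names are hypothetical; OpenZeppelin contracts-upgradeable 5.x is assumed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Initializable} from "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";
import {OwnableUpgradeable} from "@openzeppelin/contracts-upgradeable/access/OwnableUpgradeable.sol";

// Hypothetical implementation WITHOUT the safety mechanism.
// Proxies that delegatecall into it get initialized in the proxy's storage, but the
// implementation's own storage is never initialized, so anyone can call initialize() on the
// implementation address directly and become its owner. What that caller can then do depends
// on the rest of the contract, which is why reviewers flag this state regardless.
contract VaultImplUnsafe is Initializable, OwnableUpgradeable {
    uint256 public feeBps;

    function initialize(address owner_, uint256 feeBps_) external initializer {
        __Ownable_init(owner_);
        feeBps = feeBps_;
    }
}

// Same contract WITH the mechanism: the constructor runs once, at implementation deployment,
// and marks the implementation's own storage as fully initialized, so every later initializer
// call on the implementation address reverts. Proxies are unaffected, because a delegatecall
// reads the proxy's storage, where the initialized flag is still unset.
contract VaultImpl is Initializable, OwnableUpgradeable {
    uint256 public feeBps;

    /// @custom:oz-upgrades-unsafe-allow constructor
    constructor() {
        _disableInitializers();
    }

    function initialize(address owner_, uint256 feeBps_) external initializer {
        __Ownable_init(owner_);
        feeBps = feeBps_;
    }
}
```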
In the last 3 months of 2023 I've managed to:
📌Get into web3 security
📌Do 3 shadow audits
📌Participate in 4 contests
📌Find my 1st bug
📌Do my first team audit
📌Audit my first big protocol - 4K sloc
📌0 -> 360 followers
📌Connect with awesome auditors
For 2024, the goal is
Foundry fork testing is awesome🚀
If you want to make your smart contracts safer or try to provide a plausible POC for an exploit - look no further
It's genius because:
- It's dead SIMPLE to setup
- Saves LOTS of time
- Uses REAL blockchain data
Here is a concrete example👇
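A fork test of the kind the post describes, added here as an example (not the author's code): it forks mainnet at a pinned block, funds a test account with real USDC through Foundry's deal cheatcode and checks a transfer against the live token. The MAINNET_RPC_URL variable name and the block number are assumptions; the USDC address is mainnet USDC.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

interface IERC20 {
    function balanceOf(address) external view returns (uint256);
    function transfer(address, uint256) external returns (bool);
    function decimals() external view returns (uint8);
}

contract ForkTest is Test {
    // Mainnet USDC; the test reads its real bytecode and state from the fork.
    IERC20 constant USDC = IERC20(0xA0b86991c6218b36c1d19D4a2e9Eb0cE3606eB48);
    address alice = makeAddr("alice");
    address bob = makeAddr("bob");

    function setUp() public {
        // Pin the fork to a fixed block so the test is reproducible.
        // MAINNET_RPC_URL is an assumed env var name; 19_000_000 is an arbitrary pinned block.
        vm.createSelectFork(vm.envString("MAINNET_RPC_URL"), 19_000_000);
    }

    function test_transferOnFork() public {
        uint256 amount = 1_000 * 10 ** USDC.decimals();
        // deal() writes the balance straight into USDC's storage on the fork: no whale, no faucet.
        deal(address(USDC), alice, amount);
        assertEq(USDC.balanceOf(alice), amount);

        vm.prank(alice);
        USDC.transfer(bob, amount / 2);

        assertEq(USDC.balanceOf(bob), amount / 2);
        assertEq(USDC.balanceOf(alice), amount / 2);
    }
}
```

Run with `forge test --match-contract ForkTest -vv` after exporting MAINNET_RPC_URL; the same pattern lets a reviewer reproduce a reported issue against the deployed contracts instead of mocks.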
I finished analyzing the findings of a contest I won and I got some great insights.
The specific thing about this contest was that I experimented with a different auditing approach.
My experience from past audits has shown me that I was grinding too much on tiny details,
Try/catch statements in Solidity are quite tricky!
💣They are not complex!
But more often than not are a source of confusion and depending on the logic that builds up on them can also lead to some security holes.
When I initially started writing smart contracts I approached
Today marks the 2nd month of my journey into smart contract auditing
- 1 Med
- 2 Shadow Audits - 4H & 9M & 4 L
- 180+ followers
- 140+hours pure grinding/learning
My next goal is to test all the newly acquired knowledge into a real contest and see how I progressed
This time I managed to rank top 10⭐️ for the Goat(🐐).tech competition
Stats:
🪲 2 Highs
🐛 2 Mediums
I still consider this a decent result. Will analyze the submissions over the weekend and work on my weak spots
🔥Special credits to @cantinaxyz for the provided opportunity!
When you're learning and looking to get into contests one of the best ways to accelerate your progress is by doing shadow audits.
💪It definitely helped me, so It'll help you as well💪
But you're probably not sure how to approach this and which contest to pick.
Fear NOT!
In
Turns out my article made it to the @blockthreat weekly newsletter
This is a huge recognition of the efforts invested in producing that content.
Appreciate this, greatly!
Effort DOES get NOTICED ( Same goes for auditing )!
Shoutout to @HatsFinance for providing the stage.
Just finished a contest & I'm jumping straight into the next one.
I think I'm getting quite good at understanding protocols at a deeper level !
💣It's the second time in a row that I experience the following:
At 70% of contest duration I stop looking for bugs, because I don't
Just finished another contest and a repeating pattern keeps revealing itself before me.
- You open the protocol, feel overwhelmed and can't comprehend how it is possible that any exploit could be found
- A couple of days pass, you get a deeper understanding of its inner
A great tool I've discovered recently for analyzing everything related to Ethereum L2s:
📌 User adoption and distribution
📌 Cross-chain interactions
📌 Breakdown by chains, periods, volume, etc..
📌 Fees paid on a daily, monthly basis and comparison between each chain
📌 L2
I'm noticing a repeating pattern when auditing complex protocols
Most of the time the bugs do not lie in the complex concept the particular protocol revolves around ( e.g. some Math formula, a novel Reward/Fee distribution technique, token rebasing etc..)
Most of the
Stable coins can be tricky
🧠Often developers build protocols under the false assumption that stable coins constantly retain their 1:1 relationship with the underlying asset
Such assumptions are dangerous 🔥and could expose your protocol critically
For weeks, I've been pushing myself hard to shift my auditing approach, and it's starting to yield results.
The changes I've made include:
- I no longer audit past the point of frustration. I take breaks and allow my brain to breathe
- I dig deep, but not too deep - If I find
Just finished another contest (@revertfinance).
🛠️I've been grinding the last 20 days non-stop, I barely had any time to post here.
I'm learning so many things at a fast pace - about auditing, about mental control, about approaches, about fighting exhaustion and lack of
Auditing is about being creative!
I believe creativity is a rare skill, that can be gained in 2 ways:
🔹 you're born with it
🔹 you exercise relentlessly until it becomes 2nd skin
If you (like me) are among the second group, I invite you to keep reading.
I'll be doing a
I have a couple more days before diving into a competition.
This is how I decided to invest my time away from auditing.
1. Open C4 365-day leaderboard
2. Open @SoloditOfficial and start typing all those names from the leaderboard
📌I'm using the following filters - e.g solo
Still having a Hangover from @cantinaxyz Blast contest 😵💫
It was a 20 day non-stop grinding, reading, deciphering and testing
It was the most demanding contest for me so far:
📌A lot of the cross-chain stuff (e.g Optimism) blew my mind initially as it was my first contact with
Finished wrapping up for the @RenzoProtocol contest.
I'm taking a break for 3 days, which I'll dedicate entirely to the Uniswap V3 Development Book.
The goal is to level up my understanding of concentrated liquidity protocols in order to gain a deeper context when auditing
Scored a Medium finding in my first contest ever. It was the @WildcatFi protocol at @code4rena.
Nothing impressive, but it's enough fuel to keep me going till the next gas station (pun intended)😁
Achieving great results is possible only for someone capable of great dedication and unwavering perseverance
🏆 @ilchovski98 is exactly that type of guy - I know him personally!
Those results only strengthen the statement above
Well done, Amigo💪
I just got 1st place in a @code4rena competition! 🥇
🏆 This got me to 28th place on the 90-day leaderboard
Extremely happy with the result! More is coming very soon 💯
Thank you @THORChain for the opportunity to secure your protocol 🫡
Things are gradually getting better with each contest🙏
I also made it to the leaderboard for the @UbiquityDAO contest - ranked 14th out of 257
This was my 2nd competitive contest and my 1st month of active contesting.
Maybe there is some hope for me🧐! Who knows 🤷♂️
Only
🧠A materialized view of what happens in your brain when you try to get better at smart contract auditing(or anything else).
When you struggle, you must not give up and wait for your brain to make those connections. As you can see it takes a bit of time and push to get them
⌛️96 Hours(16 days * 5 hours) -> the amount of effort I have invested in my last @code4rena contest
⌛️Took a 3 day break
⌛️Starting today I'm entering a new grinding session -> Audit/Compete >= 4.5 hours daily for the next 1 month
Curious to see what I'll be able to achieve💰
So things are gradually beginning to take some shape!
🎯First 3 figure sum
🎯First team audit (with @Audinarey)
🎯Second month of my auditing journey
🎯First 4K sloc codebase & second contest overall
The big win for me here is obviously not the 💸, but the fact that even
reNFT drive-through🏎️
🗨️ ME:
- A double 🍔with🍟and a🍺please
🗨️ Nice Lady behind the counter:
- That would be $16 USDC for you sir !
🗨️ ME
- Sh*t, I didn't earn that much. Remove the 🍺 !
✨Congratulations to everyone that managed to afford the 🍺
3 or so months ago I started my web3 auditing journey with 3 questions:
1. Am I going to achieve something at all ❓
2. All this time and effort every SINGLE day - is it worthwhile ❓
3. Does this thing get any easier, less exhausting or at least a bit less stressful❓
I can
🗨️"Always Round Up in Favor of The Protocol"
If you've been developing a protocol with Vault functionality or maybe audited one, you must have heard this at least once.
🧐But what is the problem & why should I solve it?
🧵 I'm dedicating this thread to help you understand the
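Added example, not the author's code: share/asset conversions for a simple vault, first in the naive form (everything rounds down) and then in the form that rounds in the protocol's favour, with constructed numbers in the comments showing why the naive version leaks assets. Library and function names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

library VaultRounding {
    // floor(x * y / d): Solidity's integer division truncates, so this rounds down.
    function mulDivDown(uint256 x, uint256 y, uint256 d) internal pure returns (uint256) {
        return x * y / d;
    }

    // ceil(x * y / d): bump the numerator so any non-zero remainder rounds up.
    function mulDivUp(uint256 x, uint256 y, uint256 d) internal pure returns (uint256) {
        uint256 p = x * y;
        return p == 0 ? 0 : (p - 1) / d + 1;
    }

    // --- Naive: withdraw(assets) burns a rounded-DOWN number of shares ---------------------
    // With 1000 assets backing 100 shares (1 share = 10 assets), withdraw(9) computes
    // 9 * 100 / 1000 = 0 shares, so 9 assets leave the vault and nothing is burned.
    // Repeated, that slowly drains value from every other share holder.
    function sharesForWithdrawNaive(uint256 assets, uint256 totalAssets, uint256 totalShares)
        internal pure returns (uint256)
    {
        return mulDivDown(assets, totalShares, totalAssets);
    }

    // --- Correct: every conversion rounds against the caller -----------------------------
    // deposit(assets) -> shares minted: round down, the depositor gets slightly fewer shares.
    function sharesForDeposit(uint256 assets, uint256 totalAssets, uint256 totalShares)
        internal pure returns (uint256)
    {
        return mulDivDown(assets, totalShares, totalAssets);
    }

    // mint(shares) -> assets owed: round up, the minter pays slightly more.
    function assetsForMint(uint256 shares, uint256 totalAssets, uint256 totalShares)
        internal pure returns (uint256)
    {
        return mulDivUp(shares, totalAssets, totalShares);
    }

    // withdraw(assets) -> shares burned: round up. Same numbers as above: withdraw(9)
    // now burns ceil(0.9) = 1 share, so the caller overpays by 1 asset instead of
    // the vault giving 9 away.
    function sharesForWithdraw(uint256 assets, uint256 totalAssets, uint256 totalShares)
        internal pure returns (uint256)
    {
        return mulDivUp(assets, totalShares, totalAssets);
    }

    // redeem(shares) -> assets paid out: round down, the dust stays with the vault.
    function assetsForRedeem(uint256 shares, uint256 totalAssets, uint256 totalShares)
        internal pure returns (uint256)
    {
        return mulDivDown(shares, totalAssets, totalShares);
    }
}
```

When reviewing a vault, check each of the four conversions against this table rather than the code's general look; a single function with the wrong direction is enough.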
I spent the last 5 days away from contests to clear my head.
However I did not waste that time. I've managed to:
- Read the Uniswap V2 book
- Write a couple of well researched posts inspired by my experience as an auditor
- Read a dozen of articles
- Research and follow some
This Thursday, I'll be speaking alongside 4 great auditors in this Twitter Space organized by Hats.
Each of us will openly share our journeys to becoming Security Researchers - the challenges, the wins, the losses, and everything in between.
If you have some burning questions,
Shadow Auditing was the thing that gave me the biggest boost and confidence in competitions.
It's the thing that enabled me to make 3-$$$ 💸 in my 2nd contest.
I get asked a LOT about how I approach shadow auditing.
I'm giving you the step by step approach I used and got me
When using DEXes as oracles to get the price of an asset, there is a general rule that every responsible web3 developer should follow
🖊️ Statement:
Do NOT use spot prices to determine the price of a token!
👉 Argument:
Because spot prices can easily be manipulated!
Even though
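The two approaches side by side, as an added example (not the author's code): a reader that takes the spot reserve ratio of a Uniswap V2 pair, and a reader over a Chainlink-style feed with the freshness checks a reviewer expects to see. Contract names and the maxStaleness parameter are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IUniswapV2Pair {
    function getReserves() external view returns (uint112 reserve0, uint112 reserve1, uint32 blockTimestampLast);
}

interface AggregatorV3Interface {
    function latestRoundData()
        external view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
    function decimals() external view returns (uint8);
}

// Weak: the price is the pair's current reserve ratio. One swap in the same transaction
// moves the ratio, so anything priced through this function inherits that movement.
contract SpotPriceOracle {
    IUniswapV2Pair public immutable pair;

    constructor(IUniswapV2Pair pair_) { pair = pair_; }

    /// token1 per 1e18 units of token0, read from the instantaneous reserves
    function price() external view returns (uint256) {
        (uint112 r0, uint112 r1,) = pair.getReserves();
        return uint256(r1) * 1e18 / uint256(r0);
    }
}

// Better: an external feed that does not move with a single on-chain trade, plus the
// sanity checks auditors look for: positive answer, recent update, no stale round.
contract FeedPriceOracle {
    AggregatorV3Interface public immutable feed;
    // Assumed parameter: the feed's heartbeat plus a margin, in seconds.
    uint256 public immutable maxStaleness;

    constructor(AggregatorV3Interface feed_, uint256 maxStaleness_) {
        feed = feed_;
        maxStaleness = maxStaleness_;
    }

    /// price with feed.decimals() decimals; reverts instead of returning a bad value
    function price() external view returns (uint256) {
        (uint80 roundId, int256 answer, , uint256 updatedAt, uint80 answeredInRound) = feed.latestRoundData();
        require(answer > 0, "invalid answer");
        require(updatedAt != 0 && block.timestamp - updatedAt <= maxStaleness, "stale price");
        require(answeredInRound >= roundId, "stale round");
        return uint256(answer);
    }
}
```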
My last audit pushed me really hard to learn about the attack vectors that occur when developing an AMM protocol
I researched almost a day & turns out quality information is rather scarce😱
✨I'm sharing with you the 2 TOP articles I found containing lots of ALPHA!👇
Today marks two achievements in my personal record book:
1. I've completed my 30 day non-stop auditing challenge for January.
- It is a serious feat for me considering I was at the brink of over exhaustion a couple of times
- I managed to compete in 3 different contests
- I
I recently analyzed the report of a contest I participated in - ECG (@CreditGuild) on C4. It was my first big protocol.
There were some very interesting insights I gained for myself, like:
"Valuable, low duplicate bugs != complex bugs. Which also does not mean they are easy to
Been grinding a 2nd day on the Salty contest at C4 and this is quite the mental challenge for me.
It's the first time I'm auditing an AMM-like protocol.
The thought that constantly goes through my 🧠is :
"Man I should have read @RareSkills_io book on Uniswap"
Now I gotta
Really challenging thing for me when combining a full-time dev job with smart contracts auditing is the constant context switching
Just as in programming, a context switch is💰costly operation and even though I'm a web3 developer, switching is still quite hard
Here is what I
Today marks exactly 1 month since I've dived into the world of web3 security:
- I spent 2 weeks in preparation
- 2 contests at @code4rena
- 1 medium submit
- finishing @LooksRare contest at @sherlockdefi
- posting on X every single day about my journey
Been reading the sherlock report of the optimism bedrock contracts from a month ago🤯
Each finding redefines my concept of creativity
Feels like some alien species were sent to planet Earth disguised as smart contract auditors on a mission to get this industry where it's
Just finishing up on another shadow audit. This time I implemented everything learned from the previous one, from 15+ live audit videos & 10+deep dives
I felt way more confident, found more complex bugs and learned a LOT
I'll be creating a thread soon,because it was worth it💪
If you're a web3 dev, there is no way you haven't used or at least heard about the safeTransfer method
However the word safe can create a false sense of security for your protocol if you don't understand well how it works.
In this post I'll explain the behavior and security
For everyone participating in the salty contest at code4rena.
I'm sharing a Reddit thread where @danielcota (the guy behind it) gives some insights about the atomic arbitrage, its purpose and how it was integrated into the protocol.
It helped me build more context & get a
Love @MarioPoneder's judge comment on one of the findings for the Unistaker contest on C4
The submission was really interesting and very well argued, but was still downgraded to QA.
This is what I would define as handling things in an ethical manner
You're an aspiring auditor trying to take yourself to the next level?
Most of us think about auditing a past contest, but only a few actually do it, because no $ will be made directly and due to FOMO.
I just finished such an audit and learned A LOT. I'm sharing my experience🧵
‼️My last contest taught me something very important
ALWAYS consider the code is FULL of bugs!
I found 2 evident bugs in an already audited(twice) protocol leading to high risk vulnerabilities & it was nothing complex, just parts overlooked by the devs (& auditors apparently).
This time I'm sharing the 5th spot with a couple of other awesome auditors for the Jala Swap contest
I went through the report carefully. My missed bugs were definitely something I could have found.
I've analyzed my mistakes and deficits. It's only a matter of time to clear
My last five audits were all on protocols that were larger (3.5K+ lines of code)
I felt a bit tired and decided to try a couple of smaller ones (below 1K sloc), thinking that:
👉 it would be easier
👉 it would take less time - allowing me to participate in more contests within a
Today I've spent some time to update myself on the recent changes around the SELFDESTRUCT opcode.
If you(like me) did not have the time to read about the changes, I'll summarize it for you:
📌On self-destruct ONLY the ether balance of the contract will get transferred
📌The
It's my first time participating in a really long contest. And it helped me reach a critical mindset shift
It allowed me to spend considerably more time analyzing and going deep into the protocol.
Iterating n number of times over each smart contract again & again.
In the
A new milestone🎯
🤩Reached the 500 followers mark
Considering I was at ~ 350 3 days ago, it's also quite surprising to me
Thanks to everyone for the support and trust
As the motto in my bio states:
🛡️I'll keep on grinding DAY & NIGHT, trying to make web3 space RIGHT
What's the moral of the story?
✅ ALWAYS DOUBT EVERY ASSUMPTION made in the code you audit
✅KEEP ASKING QUESTIONS, until you find one that sparks your creativity
✅BE CRITICAL and take nothing for granted, research it
Being on-boarded to existing Solidity project or auditing one presents a similar problem - understand how it works
Key of the process is to decipher the small parts in order to draw the whole picture
I recently found `chisel` which supercharged my ability at building context🧵
Another small surprise during the weekend, after making it to the leaderboard of a contest.
I ranked 12th at the last Secureum RACE.
Considering I was 40+ 2 months ago, it's definitely showing some progress
Let's keep that consistency going💪
A short summary of the exploit:
📌 It's a p2p lending protocol, that has the functionality to sanction lenders/borrowers
📌 When sanctioned an escrow vault is deployed for that account to hold its funds. If sanction is lifted funds get returned to the account
📌
Just started wrapping up on my last contest for this month! This one really took a toll on me.
I struggled a lot, slept little, but also pushed myself to the max!
Now that I'm going through all my @audit bookmarks and compiling them to findings it turns out there are LOTs
For those participating in the @ethena_labs contest at @code4rena - this is a very on-point article explaining the EIP4626 standard and how common vectors related to it work
I've started submitting my findings to Blast.
A curious thing I've noticed in the UI is that there is a counter showing you the number of submissions.
According to my calculations from the last 2 days there are roughly 20 submissions every 2 hours.
Interested to see how high
5 contests in C4, 3 of them are invitational!
Could this be the start of the new normal for future contests?
Curious to see how things will unwind in the coming months, but I guess the ever increasing number of submissions could be responsible for this
If you need inspiration, then this has to be your wake up call.
If you want some bonus motivation, read through the comments.
Probably the best motivational post I’ve stumbled upon in a while.
9 months ago, I decided to turn a new chapter in my life and learn all I could about web3 security. I started by crunching the basics in the @RealJohnnyTime SCH course.
9 months later I am booked with private audits until May...
I'm auditing a protocol, that does not have proper tests.
Setting up tests from scratch to construct a POC is a real pain in the *** and too much time wasted🤯
I decided to skip the POCs this time
And I must admit it feels awesome. I should do this more often😊
So much time
Wow! 100+ new followers from a single thread in a day.
That was my follower count for the previous 1.5 months and 200+ posts. This really motivates me to keep learning and share the useful things I find with everyone.
Thank you guys! It means a LOT🙏
I'm sharing the concepts I've learned in the recent @ethena_labs contest at @code4rena along with some good resources that helped me understand the protocol
🧵
If you think FE dev skills can't give you an edge when auditing smart contracts, you should take a look at this finding 👇
Different backgrounds impact creativity in a different way!
Use that to your advantage🚀
💸 Judging by the leaderboard, this
The last report I examined taught me something VERY important. The way you "sell" your finding is the way you get "awarded" for it!
Below I’m showcasing how an identical finding ranks both as High and Medium at the same, the only difference being the explanation provided🧵
Yesterday I joined another contest with a fellow auditor and friend @ilchovski98, which marks the second time I'll be competing in a team.
The idea is to build upon my last such audit and gain as much new knowledge as possible
I'm constantly switching audit approaches so that
The verdict after my 3rd contest -> I lack efficiency BIG TIME
Priority #1 💣
- Increase efficiency -> use x2 less brain power on auditing per unit of effort
- Avoid frustration
How?
- Follow @0xOwenThurm's genius advice - cut the feedback loop TIGHT
How I'll do it exactly?
🧵
They say complexity is your ally in smart contract auditing.
I would say you first have to conquer it before you can make it your ally
Overcoming the mental obstacle of size is hard!
I'm currently trying to audit a ~4K SLOC protocol and this is what it feels like :
On Mitigation Reviews and Why You Need Them for Your Protocol
I've recently completed a mitigation review for a protocol.
The experience gave me 2 invaluable insights:
📌 one geared towards protocol founders
📌 the other towards fellow security researchers
🪙 Protocols
If
I'll be accomplishing an important goal I have set for this month:
🎯 participate in a contest in team
The big names recommend this as the best way to upskill yourself as a web3 auditor
Time to put this to the test & see if it holds true
I will share my honest feedback👌
Provided you followed all the steps and tips I've laid out for you, I can guarantee you have progressed x10 more than if you were just reading that report for 2 hours.
It takes time and dedication, but you're only doing this once (I actually did it twice😅). After that it's only
Our team is currently implementing Uniswap into a suite of smart contracts we're building for a client.
It's an enriching experience to have both the dev and the auditor mindset:
- makes you think about security when building
- helps you understand developers when auditing
3. Now that you know how this thing works, you need a couple of practical and well explained examples, that showcase when and how it can be used in real-life scenarios
@DevDacian has the best article on that
Read-time: ~1 hour
A nice website, where you can calculate the gas costs for common trx types on popular EVM chains - token transfers, Uniswap, Curve, Compound, Lido, SushiSwap, etc. operations.
It might be useful when trying to argue a gas-related finding in an audit.
This interview is a great insight on the point-of-view and expectations that protocols have towards auditors.
Being able to put yourself in someone else’s shoes has always been an alpha skill to have
I want to say THANK YOU🙏 for all the motivating and positive feedback to my latest thread
🤩It gives so much purpose to all those efforts &
It's quite the confidence booster seeing that I actually provided value for others
⛽️This is the best fuel I could get for the long,
First things first. Let's make sure everyone is seated at the same table, by defining what shadow auditing means.
✏️It basically means to REDO a past contest, which already has its final report out.
The 2 main benefits are:
📌You're simulating a real contest
📌After completing