I'm honoured to have been involved with
@0xPolygon
zkEVM audit. They're one of the best protocols to work with in the space and I have a lot of respect for the team's professionalism.
Every component of Polygon zkEVM (including the prover) has been audited—and those audit reports are available on GitHub.
How else could you DYOR?
Read the findings from
@spearbitDAO
’s security audit 👇🏽
I think there are huge untapped opportunities to work in web3 security🔒that aren't EVM specific.
Cairo and ZK circuits require two vastly different skillsets, yet there are hardly any proficient auditors in those spaces.
1/6
Paid courses in smart contract security are really setting a bad precedent for the industry. Ya'll really be selling people on the idea that they can make a lot of money when the reality is that only very few will. Don't be greedy when the field is already so lucrative.
It seems like auditors commonly feel overwhelmed with large and complex codebases. This applies to everyone but especially newbies just getting started on their security journey.
Here are some ideas on how I like to approach new codebases.
1/
You’re joking if you think the best path forward is to onboard more auditors. Whitehats are scrappy, unlike most auditors. If you wanna be scrappy, learn to do what’s difficult and don’t be focused on the same shitty vulnerabilities as everyone else. Even if there is a market for
To be clear. I'm not entirely against paid courses, but in reality most of them tend to give off the grifter vibe. In an ecosystem which prides itself on open source tech, why do we feel the need aggressively market through MLM and false promises.
Your course website lures
I often get asked what makes a good auditor great. So here are 3 key skills which I believe are the differentiating factor:
1. Curiosity to understand.
2. Desire to break things.
3. Ability to context switch between smart contracts.
🧵👇
I'm excited to share another audit that I did alongside some others at
@SpearbitDAO
on Maple's V2 protocol.
Had a blast working with
@lucasmanuel_eth
and the rest of the folks at
@maplefinance
on this one!
Truth is, there is no single preventative measure that prevents protocols from being hacked, so stop pretending that there is. It is simply unsustainable to assume that 10% of TVL can be set aside and left unallocated.
We need to define new frameworks for web3 hacks as they are
auditors genuinely have so much alpha when it comes to investing in this space.
countless times have I worked on incredibly promising projects with amazing codebases, only to miss out on putting $ in because I was too hesitant.
time and time again I'm reminded to just follow my
web3 security is much easier to learn than traditional security. Domain knowledge is pretty small, but the stakes are MUCH higher. Although, I do think it takes a different kind of creativity to catch interesting business logic bugs.
Considering how lucrative it is, I wonder
Now that keeping 10% of stolen funds is the new norm, will we start to see protocols introduce intentional bugs, attack the protocol and return 90% of funds to users while avoiding any legal action?
Pay-per vulnerability audits sound like a great idea on paper and I do think they have their niche. But doesn't it promote seeking out projects that are likely to be riddled with bugs instead of prioritising high impact projects? Also I dislike the idea of having to fight clients
I have 2 invite codes for
@cantinaxyz
that I'd like to give out to the right security researchers.
Reply to this tweet and I'll distribute them later tonight ✌️
Spearbit lead security researcher and code4rena judge
@0xleastwood
will be joining me for an interview to share his alpha this weekend. What do you want me to ask him?
SEAL 911 is an important initiative with behind the scenes work by prominent individuals in the industry.
It's about time we make it easier to contact the right people for when bad guys start doing bad things.
On the other end, ZK circuits have limited learning resources, but there is growing demand for anyone who is willing to spend the time to understand Circom and/or Halo2 circuits.
5/6
what competitive advantage do traditional audit firms offer over reputable independent security researchers with a proven track record?
it seems to me that it has never been easier to build your own brand in this space, so then would it not be fair that the best researchers are
Bogotá! 10/9/22, C4 Wardens will be sharing their favorite methods for securing smart contracts and participating in Code4rena audit contests.
is the first of many global hackathons hosted by
@sozuhaus
and sponsored by
@BitDAO_Official
@MetaMask
@G7_DAO
Security Matters w/
@0xleastwood
&
@SpearbitDAO
During the development cycle, it is important to get as many different perspectives as possible.
Learning from others and understanding what they observe and are thinking about can bolster a projects internal security acumen.
You still need to keep up-to-date with the types of vulnerabilities you should be looking for. And hence I'd advise you read
@code4rena
reports.
Try your luck auditing an older contest's codebase for a day or two before going through the report.
7/
Would be cool if there was an open source tool for security researchers to track protocol upgrades.
Whitehats would be able to react quickly to code changes and hopefully focus their efforts "newer code". Maybe this is something
@immunefi
could build in-house?
Under the hood, Cairo is a language used to write provable programs, powered by STARKs. However, Cairo's attack vectors are fairly consistent with other smart contract languages and hence experienced EVM auditors should not find it difficult to migrate over.
2/6
Step 4.
This is where I start thinking about ways to break any assumptions made by the developers. This is probably where you spend the least amount of time but the time you spend here is most effective. All my best bugs are found in the part of the process!
5/
Improper access control, arithmetic overflow and underflow, storage collisions and signature replay are all common issues found both in EVM and Cairo.
Although, some attack vectors may not apply to newer compiler versions.
3/6
Step 1.
Have a base level understanding of what the protocol actually does before you dive deep into the code. What goals are they trying to achieve? I like to keep this as high level as possible without diving deeper into technical documentation.
2/
@andyfeili
10k a month is a bit of an understatement for independent auditors. I would say that is close to the minimum that most audit firms are paying right now.
Cairo programs typically have two key issues which differ to other smart contract stacks:
1. Finite field math is not intuitive for developers and often leads to mistakes.
2. Imported libraries expose all external functions even if they are not used by the base contract.
4/6
Step 2.
Look for ways users interact with the codebase when things work the way they intend to. This is the part when you can start thinking about how to mess with certain components but you won't find the gnarly bugs here.
3/
Step 5.
Profit??
It's important to understand that this won't necessarily make you a better auditor, it just makes the time you spend auditing a lot more effective.
6/
It's really awesome to see platforms like
@code4rena
push security in the right direction.
Spending $$$ on audits is the most effective way to preserve the future value of a project and it should never be neglected!
Inspired by
@code4rena
annual review, I made a monthly one for Dec 2022. The numbers are crazy
$670.000+ paid to ~266 wardens and ~15 teams.
196 high-risk findings (41 unique)
649 med-risk findings (112 unique)
Retweet if you want to see more of these.
Step 3.
Now I like to go deeper into the technical documentation once I've understood how the system works. This can be tedious and boring but it's 💯 necessary.
4/
this is also why the big vc players have such talented security researchers working for them.
they play two roles, first to perform continuous checks on their portfolio companies and secondly to vet any new investment opportunities.
It's been over a month since the first ever
@ethaly_io
, and I've been reflecting on what made this experience so unique. This was a special group of people in a magical place, curated with intentional open room for community, relaxation, and mental space to innovate.
We’ve assembled some of the best minds web3 security has to offer for an alpha-packed space on the future of web3 security review models.
This Friday at 10:30 AM EST via Twitter Spaces.
Be sure to turn notifications on for when we go live!
@0xe8C
It was something that irked me for a bit, but it's been getting worse as more people partner up with the course creator. It goes against the whole ethos of this space where code and education should be open sourced.
3. Ability to context switch between smart contracts
Good smart contract systems are typically modular, however, auditors often have to jump through multiple contracts to understand proper transaction flow. The ability to cache how these functions interact with each other is key
2. Desire to break things
Thinking from the perspective of an attacker is a skill that a lot of developers do NOT have. Most interesting bugs tend to be related to improper integrations with external protocols or poor assumptions about how systems are intended to function.
@2025Proj
Maybe someone's gotta put together a roadmap for this with publicly available content. Although, I'm sure this has already been done. Secureum is a good example of this.
1. Curiosity to understand
Most of an auditor's time is spent reading docs and understanding how user's interact with the protocol. So it's important that this is something you ultimately enjoy.
@cryptofishx
I totally agree, the incentives are wacky. We are making this the norm so it is to be expected. White hats would be even more likely to hack and return funds instead of report the bug bounty directly to the team. Understandably, there are good reasons to do this too.
Considering a bunch of randos were involved in the Nomad hack, I wouldn't want to be caught holding the bag 💰 when chain analysis and exchanges start getting involved.
I strongly suggest reaching out to the
@nomadxyz_
team and returning stolen funds.
@nauhcner
I would not be the best person to answer this but I think you would need a decent grasp on algebra and elliptic curve math.
👇 is a good way to check for any knowledge gaps before getting started.
@peak_bolt
@1_00_proof
most talented web3 security professionals are earning 300k+ a year. It's a much shorter time frame to hit the upper echelon of salary in this field than it is in web2.
@dguido
@Montyly
I'm not advocating for solo audits, I think team audits are still the most effective way to review code. I wouldn't be surprised to see independent security researchers begin to team up more and more like this in the future.
@bytes032
i mean there is no reason why you couldn’t have dumped the 30k in tokens after being paid right? unless it was super illiquid, then they are really just scamming you lmao