3 years ago, I started learning Solidity on .
Now, I am a Co-Founder of a company with 50+ successful smart contract security reviews, an official security partner of Polygon Labs, and collaborating with some of the top auditors.
What a journey!
⚠️If you want to transition to web3 security, then this thread is for you! Pay attention, I will give you the exact steps that you need to take in order to start auditing smart contracts:
A 🧵
1/ First things first, you need to understand Ethereum as much as you can 👇
If you want to be a good Solidity developer and auditor, you must have a deep knowledge of the programming language and the Ethereum technology.
Here are 150 questions divided into 4 levels: Easy, Medium, Hard, and Advanced.
Test yourself! ✅
Here is a simple path to becoming a Web3 Security Researcher:
1. Basics of Blockchain
2. Fundamentals of Smart Contracts
3. Common Smart Contract Vulnerabilities
4. Niche Smart Contract Vulnerabilities
Link to a great roadmap:
Smart contract auditing opens the door to:
- Remote work.
- A global market.
- Many ways to earn (contests, bounties, private audits, etc.).
- Making friends around the world.
- Dopamine hits from finding Crit/High findings.
What am I missing?✌️
Started smart contract auditing 9 months ago.
Here are my results so far:
- 16+ private audits
- 15+ Highs/Crits found
- $70 000+ earned for the period
- Met with a lot of auditors IRL
- My life has been great ever since I have started
Our website:
Today, I have decided to do something I have never done before in my life. I will be quitting my regular job in cybersecurity next month to fully focus on auditing smart contracts. I have never let go of a secure income to pursue something I am passionate about. Now is the time.
MUST be known:
90% of the smart contracts that we have audited which integrate `UniswapV2Router02.sol` make this mistake which allows 100% slippage during swaps.
Most auditors know it, but if you are someone who is planning to deploy such a contract, please know that:
The swap
⛽️🤑25+ GAS OPTIMIZATION tips that will help you become a better blockchain developer and a better auditor for @code4rena.
Part 1 of 3 posts:
1. Storage variable declaration doesn't cost anything, as there's no initialization.
If you are a Solidity dev you should definitely check this out.
High-level recommendations to build more secure smart contracts.
Really helpful stuff that every Solidity dev/auditor should know very well.
I always recommend this book to anyone that asks me how to start with smart contract security.
It is an excellent resource for gaining a solid understanding of the Ethereum technology without which you can never be a good security researcher.
Started smart contract auditing in November 2022.
Here are my results so far:
- 12 private audits + numerous C4 contests
- 10+ High/Crits found
- $30 000+ earned for the period
- Helped 40+ newbies
- Booked a ticket for the DeFi Security Summit event
Did you know you can get ready for a Solidity Smart Contract Dev job interview with a handy checklist?
Check out these 140 questions that will help you ace your interview.
The questions are divided into four levels: Easy, Medium, Hard, and Advanced. ✅
If you are a Solidity dev or a Junior-Mid auditor, make sure you pay attention here.✍️
Must-know contracts:
Token contracts: The most used token standards are EIP20 for fungible tokens, and EIP721 for NFTs.
Proxies: There are many different proxy implementations, have a
If you want to become really adequate in Smart Contract Security:
1. The staking algorithm of Sushiswap MasterChef:
2. In-depth explanation of the codebase of Uniswap V2
3. Compound V2
Little over $3000 made from smart contract auditing in January from home: private audits + code4rena contests. I think I have finally found my way out of the matrix, making money in a way that is convenient for me while at the same time bringing great value to the customers.
2023 was beyond amazing:
- Quit my job
- Teamed up with an amazing business partner
- Co-Founded @CDSecurity_
- Made over $140,000
- Conducted smart contracts audits for 25+ clients
- Met some great security researchers IRL in Paris
How was yours? 👀
Here are 5 DeFi protocols built on the Ethereum blockchain that are widely recognised as some of the most important and complex ones in the Ethereum ecosystem and every auditor should be familiar with:
A 🧵
KyberSwap is being exploited for millions of dollars as we speak.
Here is some data about it:
$7.5M on Mainnet
$315K on Base
$15M on Optimism
$2M on Polygon
$20M on Arbitrum
Exploiter wallet:
0xc9b826bad20872eb29f9b1d8af4befe8460b50c6
Messages from the hacker:
The best way to advance in Smart Contract Auditing/Development (and most jobs) is to have a mentor.
This was a game changer for me.
We would audit in parallel, and afterward, he would show me where I made mistakes, what I missed, and how to improve.
Find a mentor. ✅
Most auditors know these simple gas optimizations, but if you are a developer who wants to save some gas next time you are writing a smart contract, please check this out:
Smart contract auditing opens the door to:
- Remote work.
- Very high salary jobs.
- A global market.
- Making friends around the world.
- High demand of jobs for web3 auditors.
WETH can't go insolvent because it's always backed 1:1 with ETH.
The logic behind it is simple and requires only about 60 lines of code.
Here's a quick rundown of how WETH works 🧵:
This repository covers critical bug fixes from Immunefi (2023-2024), detailing vulnerabilities, their impact, and fixes.
These 6 bugs paid off more than $2M.
Amazing work brother @tpiliposian!
I believe this is my favourite article about deep work.
"In order to produce the absolute best results you’re capable of, you need to commit to deep work"
Really refreshing and interesting stuff to read:
How to decompose a bytecode?
A short🧵
The bytecode is the compiled code of the smart contract that is stored on the Ethereum blockchain and executed by the network.
Workflow of Solidity Compiler. Simply explained.
The main process (blue) converts Solidity code into EVM bytecode and generates an ABI for interaction.
The Yul process (green) compiles intermediate code for different backends, activated by specific flags.
The formal
✅Smart contract auditing tip:
Most auditors that are just starting have this problem of not really understanding the codebase of the protocol. I know it can be frustrating, but try little by little.
👇
After doing 10+ private audits and numerous contests in Code4rena, I came to the conclusion that any codebase, no matter how hard it seems in the beginning, can be understood on a very decent level if you put enough hours into it.
Moreover, I have discovered that the process of
Many security researchers avoid complex topics like EIPs, ZK, or L2s.
Remember, most people find them intimidating and skip learning, missing the chance to master that tech.
Instead, push through and become an expert in these areas!
`delete` will reset the length of the array to 0 and delete the elements in it. But as the `stuff` array grows, the gas price for the `delete` operation on it grows as well.
If `stuff` becomes too long, it will become undeletable due to the high gas cost. That's why its length
Yesterday, while doing a private audit, I stumbled across the SSTORE2 library. I hadn't heard about it before, so I had to dig deeper. If you are into gas savings you must have a look at this! Here is what I have found:
A 🧵
You are not bad at smart contract auditing.
You just need more practice.
Don't give up.
Read more findings, read more articles, read more code.
You will eventually get better. Believe me. ✅
Just found this article which contains links to integration tips for 5 of the top DeFi projects. This should be a must-read for solidity devs as well as for the auditors:
Really an amazing summary of my favourite smart contract development framework - Foundry.
This article is perfect if you want to get familiar with Foundry and learn how to use it for learning past hacks:
Another amazing article worth reading for every Web3 sec auditor, as well as for the Solidity developers who use Inline Assembly to save gas, by @DevDacian.
It consists of a deep dive into 6 vulnerabilities, so you won't let them slip away next time:
A lot of new smart contract security researchers DM me, saying they can't find bugs or aren't improving.
Ask yourself:
- How many attack vectors do I study daily?
- How much time do I spend bug hunting?
- How badly do I really want it?
The answers will show you why.
In every new beginning, I start by copying what the top people in the field are doing. As I gain experience, I add my own touch, making my approach convenient and special.
If you are a beginner and you don't have any auditing process, read this ASAP:
Hands down the best article I have ever read on UUPS Proxy Standard.
It contains:
*Walkthrough of OpenZeppelin UUPS Upgradeable
*Learning about UUPS using Remix
*Vulnerabilities in UUPS
and more.
RareSkills never disappoints.
Guys, I know web3 security is very lucrative and interesting for most of you, but understand this:
YOU HAVE TO PUT THE HOURS IN!
Spend a lot of time reading smart contracts (later I will write a tweet for the most important ones to get started). 👇
Tips on how to become a better smart contract auditor 🧵:
I'd appreciate a retweet, spread the knowledge 🫡
Being a smart contract auditor requires a combination of technical expertise, critical thinking skills, and attention to detail. 👇
If you want to have a solid knowledge of Solidity and Foundry, the number 1 resource in my opinion is the Smart Contract Programmer channel on YouTube.
This is all you need guys, don't overcomplicate your journey with a thousand resources that at the end just confuse you.
IMO Solidity devs should upgrade their security knowledge daily (at least common bugs, patterns, access control mechanisms, etc.).
Be curious about security.
Don't be like: "Meh, the auditors will fix that if it's not okay."
Try to actually write secure code.
The Solidity documentation should not be underestimated by anyone learning the language.
It's always updated with the newest version and contains detailed information about how the programming language works, covering every aspect of it.
Tips to Improve as a Smart Contract Auditor:
- Read Web3 security experts' tweets daily
- Read 1-2 articles daily
- Study findings and attack vectors daily
- Read and analyze a lot of code
- Practice on Code4rena and Sherlock
- Chat with fellow auditors
Amazing study material for anyone trying to learn more about vulnerabilities in smart contract systems.
A collection of around 40 Foundry tests reproducing exploits accompanied by diagrams and context links.
You are a Solidity dev or a beginner in Web3 Security?
This list of questions won't make you a security expert but will significantly improve the security of the code you are writing/reviewing.
Thank me later:
PRO TIP for solidity auditors:
Read and analyze the bugfix reviews from Immunefi's Medium profile.
How did the Whitehat find this?
What was the clue that helped him spot the vulnerability?
Do that often. Thank me later✌️
After spending last night drinking vodka with @pashovkrum, we decided to do the pull ups challenge at 30 degrees with little to no sleep for maximum difficulty 🤣 Managed to do 25, not the best technique though😂 I challenge all security researchers to do it as well, it's fun😁
Cryptographic proofs (merkle trees, signatures, etc) need to be tied to msg.sender, which an attacker cannot manipulate without acquiring the private key.
This code is insecure for 3 reasons 👇:
1. Anyone who knows the addresses that are selected for the airdrop can recreate
After 2.5 years in my Web3 security journey and trying to provide value to the space, I have finally reached 5,000 followers.
Want to thank all my followers for the support, I really do it for you guys. It brings me joy when I am able to bring value to as many guys as possible😊
Here is something interesting if you want to test your Solidity knowledge👇
There are 40 multiple choice questions, and each has a time limit of 45 seconds to answer.
Here are 5 resources that I use to improve my smart contract auditing skills daily:
Retweet to spread the knowledge 🫡
1. Twitter posts by @pashovkrum and @bytes032
2. Code4rena past audit reports
3. Articles about every little problem that I am not aware of
4. @pashovkrum's
As a Solidity developer, you should never let such dumb bugs slip through.
Here anyone can arbitrarily burn NFTs.
I have seen similar access control findings a lot of times.
Sometimes serious bugs are that simple.
I see a lot of web3 security guys quit. Wondering why that is.
Is it too hard?
Are they not consistent enough to progress?
Or maybe they didn't manage to make money the first 3 months of doing it?
I only started to make good money after around month 7.
It takes time..
If you are the type of guy who prefers learning through videos and not through reading articles/reports, pay attention here.
In my opinion the best channel for becoming an absolute beast in Web3 Security in 2024 hands down is @0xOwenThurm's.
Learning from Code4rena reports can be considered an effective way to learn web3 security for several reasons:
Please retweet to spread the knowledge🫡
A 🧵
One of the best ways to improve at finding bugs in smart contracts, especially if you are a beginner/intermediate in the space, is to:
1 Choose a protocol category:
2 Study as many attack vectors as possible
3 Practice finding bugs in contests
4 Repeat
How to decompose a bytecode?
Bear with me here:
The bytecode is the compiled code of the smart contract that is stored on the Ethereum blockchain and executed by the network.
The first part is the loader code. It is the type of code that would create the smart contract,
Make sure you BOOKMARK this, if you don't know even only 1 of these, they are gold.
Top 3 blogs about SMART CONTRACT SECURITY that I read from almost everyday in order to level up:
1.
2.
3.
If you don't know the basics of the EVM, this article is a must-read!
It compares the EVM to traditional operating systems (OS).
Discover EVM's true nature, architecture, hardware interactions, and how it secures smart contracts through sandboxing.
Become familiar with the most used smart contracts
Written by cmichel:
A 🧵
1/ There are certain contracts, patterns or even algorithms that you will see over and over again during your auditing career. It’s good to become familiar with them and deeply understand how they work👇
Some Merkle trees have a security vulnerability.
It is explained in this comment in `MerkleProof.sol` by OZ.
One of the ways to have secure Merkle trees is to double-hash their leaves.
Read more here:
Look.
If you don't understand rounding issues in Solidity, simply watch this video where it is explained perfectly.
Then read 20+ rounding issues from and there you go. Now you have a decent foundation of these bugs:
And still the number 1 YouTube channel for Smart Contract Security in my opinion is... @0xOwenThurm's.
Watch all of the videos, try to comprehend them as much as you can and you will be ahead of a lot of people in the space.
Amazing content!
✅
Here is some ALPHA to all the smart contract auditors.
Penpie was exploited a couple of days ago for ~ $27M.
@rotcivegaf wrote a POC of the exploit.
You can learn a lot here:
Seems like there aren't many bug bounty platforms specifically for Web3. The ones I know of that are legit:
Immunefi - total paid $85,000,000+
Hackenproof - total paid $7,358,983
Hats Finance - total paid $400,000+
Any other significant related platforms that I might have missed?
Enhance your Solidity skills by reproducing attacks.
Follow these 4 steps:
Step 1: Information Gathering
When an attack is discovered, Twitter is often the first place where updates and analyses are shared by top DeFi analysts:
Step 2: Transaction Debugging
Typically, within
Exactly a year ago, I wrote a simple borrowing/lending contract of about 300 lines of code with which I wanted to apply for a Junior Solidity developer job. Today I decided to audit it. Maaan, now I realise that I knew almost nothing about security back then 😂. Whole lotta
For anyone who needs it today:
You’d be amazed at how much better you get at smart contract auditing after doing it a hundred more times.
If you want to win, keep doing it.
Consistency is the key. ✅
3 tokens that are widely used but their decimals != 18. Be careful with these in projects, they can be problematic when the code expects the standard 18 decimals.
1. WBTC - 8 decimals
2. USDT - 6 decimals
3. USDC - 6 decimals
To all my crypto followers:
If you’re not achieving the success you want and aren’t putting in a few hours on weekends, you’re missing out.
A little extra effort can make a huge difference.
Don’t let meaningless distractions hold you back—stay focused on your goals guys.
Smart Contract Auditing helped me:
- to learn how to provide real value
- to understand sales and communication better
- to understand how to serve our clients better
- to earn enough to live comfortably
- to make friends all over the world
- to work from anywhere
Thankful 🙏
5 things which you MUST check in a smart contract or you may miss a Med/High risk vulnerability 👀:
1. Check for casting errors
2. Check if division can round down to zero or if it can be divided by zero
3. Check if each contract input is properly validated
4. Check all
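As an added example that is not from these posts, here is a small Solidity vault (the `SafeAmounts` library, `Vault` contract and `IERC20Metadata` interface are assumed names) that normalises 6- and 8-decimal tokens such as USDC, USDT and WBTC to 18 decimals before any accounting, and turns checklist items 1 to 3 (casting, division/rounding, input validation) into explicit checks instead of assumptions:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed minimal interface for the optional EIP-20 `decimals()` getter.
interface IERC20Metadata {
    function decimals() external view returns (uint8);
}

/// Added example helpers (not from the original posts).
library SafeAmounts {
    uint8 internal constant WAD_DECIMALS = 18;

    /// Scale a raw amount (1 USDC == 1_000_000 with 6 decimals) to 18 decimals so
    /// that mixing WBTC/USDT/USDC with 18-decimal assets does not under-value them.
    function toWad(uint256 amount, uint8 tokenDecimals) internal pure returns (uint256) {
        if (tokenDecimals == WAD_DECIMALS) return amount;
        if (tokenDecimals < WAD_DECIMALS) {
            // Exponent cast to uint256: `10 ** uint8` would overflow the uint8 result type.
            return amount * 10 ** uint256(WAD_DECIMALS - tokenDecimals);
        }
        // More than 18 decimals: scaling down is lossy, so refuse amounts that round to 0.
        uint256 scaled = amount / 10 ** uint256(tokenDecimals - WAD_DECIMALS);
        require(scaled != 0 || amount == 0, "SafeAmounts: rounds to zero");
        return scaled;
    }

    /// Checklist item 1: `uint128(x)` alone truncates silently, so check the range first.
    function toUint128(uint256 x) internal pure returns (uint128) {
        require(x <= type(uint128).max, "SafeAmounts: uint128 overflow");
        return uint128(x);
    }

    /// Checklist item 2: share maths that can neither divide by zero nor round to zero.
    function sharesFor(uint256 assetsWad, uint256 totalAssetsWad, uint256 totalShares)
        internal pure returns (uint256)
    {
        if (totalShares == 0 || totalAssetsWad == 0) return assetsWad; // first deposit: 1:1
        uint256 shares = (assetsWad * totalShares) / totalAssetsWad; // multiply before divide
        require(shares != 0, "SafeAmounts: deposit too small");
        return shares;
    }
}

contract Vault {
    mapping(address => uint128) public sharesOf; // packed storage, hence the checked downcast
    uint256 public totalShares;
    uint256 public totalAssetsWad;

    function deposit(IERC20Metadata token, uint256 rawAmount) external {
        require(rawAmount != 0, "Vault: zero amount"); // checklist item 3: validate input
        uint256 wad = SafeAmounts.toWad(rawAmount, token.decimals());
        uint256 shares = SafeAmounts.sharesFor(wad, totalAssetsWad, totalShares);
        sharesOf[msg.sender] += SafeAmounts.toUint128(shares);
        totalShares += shares;
        totalAssetsWad += wad;
        // The token transferFrom is omitted to keep the example focused on the arithmetic.
    }
}
```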
Dropping some real alpha in this thread, so read it a couple of times and try to apply it to your next audit 🧵
1/ A threat model for a smart contract is a way to identify potential security threats and vulnerabilities that may exist within the code of the contract, as well as..
Private audits + reading past Code4rena reports. It can be challenging to balance both, but the rewards of improving your skills and staying up-to-date with industry trends are definitely worth the effort.
Here are a few tips to help you manage your time effectively: A 🧵
My current approach for smart contract auditing:
1. Read the documentation and take notes about the important things
2. Summarise my notes into a neatly organised text
3. Read the code + natspec and take more notes
4. Try to draw the architectural diagram of the project👇
⚠️Bookmark and Retweet:
In order to start spotting more bugs in future audits, you have to constantly be learning attack vectors. Here are 4 GOLD resources for you:
1.
2.
3.
4.
Finished watching a video called "What is security in Web3" and found it to be incredibly well-structured and valuable.
Here is a summary of the key points, aimed at helping Web3 projects understand their security options and how to maximize their security strategy:
If you're not well familiar with these DeFi smart contracts, you have some catching up to do my friend: 👇
1. MasterChef: Stake LP tokens, earn proportional rewards with time * stakeAmount.
2. Compound: The foundation of decentralized lending protocols. Key to DeFi primitives'
If you are auditing and stumble across this:
`0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff`
Don't panic, it's pretty simple. This is the hexadecimal version of the uint256 maximum value. The same as type(uint256).max.
This is a little cleaner than using the