To all French speakers 🇫🇷 in Web3 security ⛓️🔒, we've just started a community dedicated to French-speaking enthusiasts and professionals in Web3 security: @soliditors
➡️ Send me a DM to join the Discord
One of the easiest ways to find bugs in an audit is to look where the test coverage is lacking ❌
And this is the best way to have a clear vision of what the tests are covering or not:
1. Download Coverage Gutters:
2. Cmd+Shift+P -> Open Settings (UI)
Writing your PoC?
Need to interact with a local or deployed contract?
Tired of writing the whole interface by copying the func sigs and deleting the bodies over and over? 🫠
You can generate an interface from an ABI with one command: `cast interface` 🪄
→ For a local contract:
So you found the sus function (deposit / approve / mint / transferFrom etc.) in your audit and you wish you could quickly and easily test all the ERC20/ERC721 weird behaviors for that juicy high finding?
1. forge install zeroknots/brokentoken
2. write your 4-line test as shown
So today, I participated in a CTF competition, on the team of @cmichelio, @HickupH and @pashovkrum.
Yes, you read that right.
How I, a noob anon with just 4 months of experience in web3 security ended up on a team with 3 of the best auditors that web3 will ever see ⬇️
IMO, these are the 3 most underrated technical web3 YT channels:
🧑💻 For Solidity / EVM deep dives: @cryptojesperk
⛓️ For Blockchain / EVM technical overviews: @jordanmmck
🏦 For DeFi concepts made simple: @kermankohli
Listing out all the entry points to the protocol is crucial in any audit to determine the user flows and the possible attack paths ⚔️
And it all starts with mapping out all the `external` and `public` functions which aren't `view`/`pure`.
Here's the quickest and easiest way to
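The tweet above stops short of its method, so here is an added example (not from the original thread) of one way to do the mapping it describes: a small Python pass that strips comments from a Solidity file and lists every `external`/`public` function that is not `view`/`pure`, plus `receive`/`fallback`, i.e. the state-changing entry points. The `Vault` contract and its `onlyOwner` modifier are constructed sample text for this example only and are not meant to compile.

```python
"""List the state-changing entry points of a Solidity source file."""
import re
from typing import Dict, List

# Constructed sample contract, written for this example only (text input, not compiled).
SAMPLE_SOURCE = """
pragma solidity ^0.8.20;

contract Vault {
    mapping(address => uint256) public balances;   // auto-getter is view: not an entry point

    // function legacyDeposit() external {}        // commented out: must be ignored

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    function withdraw(uint256 amount) public {
        balances[msg.sender] -= amount;
        payable(msg.sender).transfer(amount);
    }

    receive() external payable {}

    function balanceOf(address who) external view returns (uint256) {
        return balances[who];
    }

    function previewFee(uint256 amt) public pure returns (uint256) {
        return amt / 100;
    }

    function _sweep(address to) internal {}

    function onlyOwnerThing() external onlyOwner {}
}
"""

# Header keywords that are not user-defined modifiers.
_KEYWORDS = {"external", "public", "internal", "private", "view", "pure",
             "payable", "virtual", "override"}

# Named functions: "function name(params) <header> {" or ";" (interfaces).
_FUNC_RE = re.compile(
    r"\bfunction\s+(?P<name>\w+)\s*\((?P<params>[^)]*)\)\s*(?P<header>[^{;]*)")
# receive()/fallback() are declared without the "function" keyword.
_SPECIAL_RE = re.compile(
    r"\b(?P<name>receive|fallback)\s*\((?P<params>[^)]*)\)\s*(?P<header>[^{;]*)")


def strip_comments(source: str) -> str:
    """Drop block and line comments so commented-out functions are not counted."""
    source = re.sub(r"/\*.*?\*/", "", source, flags=re.DOTALL)
    return re.sub(r"//[^\n]*", "", source)


def _modifiers(header: str) -> List[str]:
    """Everything in the header that is neither a keyword nor the returns clause."""
    header = re.sub(r"\breturns\s*\([^)]*\)", "", header)
    tokens = re.findall(r"\w+(?:\([^)]*\))?", header)
    return [t for t in tokens if t.split("(")[0] not in _KEYWORDS]


def list_entry_points(source: str) -> List[Dict[str, object]]:
    """Return external/public non-view/pure functions in source order."""
    src = strip_comments(source)
    found = []
    for regex in (_FUNC_RE, _SPECIAL_RE):
        for m in regex.finditer(src):
            header = m.group("header")
            vis = re.search(r"\b(external|public|internal|private)\b", header)
            # Skip anything that is not externally callable, and skip read-only functions.
            if not vis or vis.group(1) not in ("external", "public"):
                continue
            if re.search(r"\b(view|pure)\b", header):
                continue
            found.append((m.start(), {
                "name": m.group("name"),
                "params": " ".join(m.group("params").split()),
                "visibility": vis.group(1),
                "payable": bool(re.search(r"\bpayable\b", header)),
                "modifiers": _modifiers(header),
            }))
    found.sort(key=lambda item: item[0])  # keep declaration order across both regexes
    return [info for _, info in found]


if __name__ == "__main__":
    for ep in list_entry_points(SAMPLE_SOURCE):
        flags = ["payable"] if ep["payable"] else []
        print(f'{ep["visibility"]:8} {ep["name"]}({ep["params"]})',
              " ".join(flags + ep["modifiers"]))
```

The regex approach is deliberately simple: it does not handle parameter types that themselves contain parentheses (function-typed parameters) and it ignores auto-generated getters for `public` state variables, which are `view` and therefore not state-changing entry points anyway. For a production pass, a compiler-backed AST (e.g. `forge inspect` or `solc --ast-compact-json`) is more reliable, but the script is enough to seed the entry-point list at the start of an audit.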
This might be the most underrated content in all of Web3 💎
@tinchoabbate, one of the very top researchers out there breaks down step by step from a technical perspective one of the most brilliant hacks we've ever seen: @TornadoCash 🌪️
And it's only got 52 views 😲
We've all been there: you start a new contest, 30 contracts in scope, and you already feel lost searching through all the folders to find which files are in scope and which are not 🫠
How to have all in scope files marked in VSCode and opened in a click? ⬇️
1. Go to the README
I have listed all the non-Solidity contests that I could find on @code4rena, @sherlockdefi, @CodeHawks ➡️
If I missed any, drop a comment and I will add it
I used to think that the best auditors had ~80% of their submitted issues validated 🎯
Interesting to see the "winrate" of some of @sherlockdefi's top auditors 👀
Me:
- Anyone can succeed in web3 security with hard work and determination
All the best SRs:
- BSc + MSc in Computer Science
- 5+ years in web2 backend development
- 200 IQ
Recently I've been studying @IAm0x52's findings on @SoloditOfficial and I really learned a lot from the 9 Solidity YouTube Tutorials he took the time to make and include in his reports:
As @zachobront's n°1 fanboi in the entire universe, there's no better way to start the year than by reaching the leaderboard and ranking 13/146 in his @TheSecureum RACE-25 🎉
The path to becoming a successful competitive auditor is long and hard but straightforward:
- Choose a contest
- Commit 100% from start to finish
- Code a PoC for every H/M issue you find
- After the contest ends, code a PoC for every H/M finding you missed
I recently switched from studying random findings on @SoloditOfficial to studying all findings of a specific auditor, focusing on their mindset and thought process
Here are my top 3 with the link to access all their findings on @sherlockdefi (including the excluded/non-rewarded
1st best advice I've ever received: @GalloDaSballo: write as many PoCs as possible 💯
2nd best advice I've ever received: @3DOCsec: write your own tests from scratch without even looking at the tests already written by the devs 🫣
I'm trying it for the first time on the
I had fun learning a bit of Rust by coding auditsetup to automate my process of starting a new audit in a single click:
→ git clone audit repo ⬇
→ open code editor 🧑💻
→ open and mark all files in scope 📌
→ create a folder with:
→ notes .md 📝
→ findings
One great thing I took from ultimate goat @0xWeisss is to comment every single line
"On every line you go through add //ok as a comment at the end once you have reviewed even if boring, it makes you review every line to the dot"
In complex parts of the code I often go one step
The best habit I've implemented in my routine to improve myself as a Securitoor🕵🏻♂️
I study 10 @SoloditOfficial H/M findings every night before going to bed 👨🏻💻
If I'm on a specific audit I will look for related issues, otherwise I pick at random.
For each finding:
→ I add the
Pashov Audit Group's first smart contract security team audit report has just been published, 10 more coming🫡
This month-long audit has ~25 Critical/High/Medium findings and we did have 2 guest auditors. Worth a read✌️
TL;DR
A year ago, I stumbled upon @cmichelio's iconic article, and since then, I've been having a blast staring at smart contracts all day
And a massive shoutout to the @CyfrinAudits team, from @CyfrinUpdraft, to @CodeHawks, to Solodit: you guys are the real MVPs 🫡
CodeHawks brings top security auditors and protocols together to strengthen security.
But do you ever wonder how they become an auditor in the first place?
CodeHawks auditor @nisedo_ shared his journey with us 👇
The only thing missing for @SoloditOfficial to truly be "The Bible for Security Researchers" was the audit reports from one of the most prestigious firms in the space: @GuardianAudits 🛡️
If watching @0xOwenThurm's 113 videos wasn't enough for you, you can now read, reread, and
Inspired by @PatrickAlphaC, @0xOwenThurm and @KrisApost1, I've been trying out the Pomodoro Technique for a few days and the results are great!
I've experimented with 25/5 and 50/10 timers ⏰ and it's the only method I've found that helps me get past the ~6 hours of auditing a
This is the best IRM explanation I've ever read, once again by the @RareSkills_io chads 👑
TL;DR: "Interest rates are a function of the utilization of the assets in the protocol. The exact shape of the function is set by governance. The interest suppliers earn is less than what
Amazing technical breakdown of the @eulerfinance hack by @tinchoabbate of @theredguild 💻🕵️♂️💸
Thought I knew all there was about this hack but I ended up learning something new 👀
Which hack would you like to see covered next?
KISS principle at its finest by @lonelysloth_sec:
« My general method is pretty simple. I look at pieces of code that look important, try to understand what assumptions it makes, then check if the assumptions are invalid in any scenarios.
If there’s anything in the code I don’t
Because, like everyone else, I have more @X bookmarks than days left in my life to read them all, I've finally found a @googlechrome extension that lets me search through my bookmarks:
People act shocked, but it's just that this time it got out
I'm sure it happens a lot
I've seen newly-created accounts that are making the top 5 in contests, or an account created on the last day of a contest that submits a solo finding..
To the participants of the recent $1.1M @code4rena zkSync competitive audit and the zkSync community 👇
As the competition came to a close, as is customary for our team, we conducted an initial review of the results and findings. Integrity, transparency and fairness are core to
@hansfriese
@SoloditOfficial
I looked up every checklist I could find and bookmarked the ones that seemed to be the best. There's a lot of redundancy between them, but taken together they cover all possible bugs I think:
I finally want to try my hand at bug bounty on @immunefi but the UX of going from contract to contract on @etherscan is 💀
How do the pro hunters do it? Is there some magic tool/process I don't know about?
Or is the solution really to have 47 Etherscan tabs open on your
First time I've made a diagram for an audit ✍️
It's a lot of fun with @excalidraw as well as being very useful for getting an overview of the protocol 👀
Did you know that the highest paid finding on @code4rena was found by the @SpearbitDAO team and @sw0nt during the @opensea Seaport May 2022 contest?
The bug "_aggregateValidFulfillmentOfferItems() can be tricked to accept invalid inputs" earned them each $212 372 💰
@cergyk1337's tool is just sooo great that @PatrickAlphaC is recommending it in his latest Security & Auditing course 🔥
The best and easiest way to view all the code changes made in recent upgrades for a given proxy 👀
One could expect that one day a fake sponsor might launch a public contest with a malicious repository to drain the wallets of all participating auditors
The second highest paid bug on @code4rena was during the second @opensea Seaport contest in January 2023 and was a Solo Medium found by 0xsomeone, paid $71,500 💰
"Incorrect Encoding of Order Hashes"
@IAm0x52 is not only the most brilliant Web3 SR (IMO), but also a skilled negotiator ⚔️
This finding below demonstrates both ⬇️
First, it took me a good 30 minutes to deeply understand the vulnerability 🤯
Then, it was like watching a masterclass in negotiation, with popcorn
I have been using @ChatGPTapp 4/4o daily for everything related to auditing for a year. I switched to @AnthropicAI Claude 3.5 a month ago and it's an order of magnitude better
In today's "data no one has but no one asked for" segment, I'm pleased to inform you that the total rewards for all 617 contests since Feb 2021 amount to $40,425,829 💰
Tune in tomorrow for more data you didn't ask for
When auditing a function, I often wonder whether it's better to thoroughly examine the entire function before moving to other called functions or to follow the call path to its end each time
@infosec_us_team's answer:
"Manually navigating back and forth through a medium to
Yesterday's episode of "Sneak Peek into the Brain of an Audit God" by @opensensepw featuring @milotruck was one of the best step-by-step explanations of an auditing process I've seen thus far 👌
He delves deeply into:
➡️ Preparing for a contest:
• How to prepare through
You can now watch me talk for 1.5 hours about how to stare intensely at code.
Hopefully some of you can gain insight from listening to my audit methodology!
Check it out here:
Only after completing a month-long audit with a genius like @0xWeisss do you realize how much more there is to learn
Truly one of the most talented SRs I know 🫡
We are excited to announce that we are releasing our 150-page internal research to the public. This report includes:
→ 112 hacks' scale, root cause, and underlying chain analysis
→ Correlation between security audits and hacks.
→ Post-incident responses from the team
→
There's a new kid on the block and it's looking very promising: @swissknifexyz 🇨🇭🔪
The all-in-one EVM toolbox 🧰:
→ Constants
→ Epoch Converter
→ Blockchain Explorer
→ ETH / Hex / Keccak256 / Padding Converters
@apoorvlathey doing God's work once again 🫡
Interesting that the two youngest and most talented SRs atm have opposing methodologies, both with astounding results
@HollaWaldfee100
: break it first, understand it later
@milotruck
: understand it first, break it later
I quit my full-time Solidity job in July and took a leap of faith into uncertainty.
5 months later, I managed to maintain my earning levels, cashing in ~$46k.
Here are some stats:
> Competitive audits: ~$24k
> Private audits: ~$14k
> Bug bounties: $8k
These are the 4 things