Happy to announce that the 33Audits & Co. team just finished a private audit of our biggest protocol audit so far for the
@juicebox_money
team.
Our team found 1 Critical, 4 Highs, and 14 Mediums.
At just over 8000 nSLOC, JuiceBox V4 really is an amazing and well-developed
If you're a Smart Contract Auditor, then you're probably aware of the $2.35 Million dollar contest that
@Uniswap
@UniswapFND
is having on
@cantinaxyz
next week.
However, not many people are sharing how to prepare for the audit.
If you're planning on joining the audit next
KyberSwap had a $200,000 max bounty on
@immunefi
The hacker still chose to exploit the bug for $47 million instead.
My guess is that this will end up leading to a 10-20% "reward" for the hacker.
I wonder if at any point the hacker thought about submitting this as a bounty
If you're a new auditor this is all you need to study before being ready to jump into contests.
- Patrick's Foundry Course
-
@intogateway
Course to level up and learn the advanced stuff
- Read 3 previous audit reports (Jpeg'd, beedlefi, one of your choice)
- Start doing contests
Junior Auditors/Solidity Devs are dangerous when you pair them with me. With my teaching skills and their dedication to grind until they win, we're unstoppable. Coal under pressure makes diamonds 💎
WARNING TO ALL AUDITORS.
There's a group of bad actors currently targeting auditors.
They've reached out to me from three different accounts telling me they want to hire me and asking me to install some software to get an idea of the "job". Clearly this is a scam.
But don't
If you started Smart Contract auditing today there’s no way by July of 2024 you won’t be making at least $1000 a month.
Here’s the step you need to take to become great by end of next year.
Give it six more months and I’m sure you could create a $10,000 a month business.
The
I remember seeing this in Discord over a year and a half ago. A DAO was looking to hire a Solidity developer for $900,000 a year. I remember this was at the TOP of the bull run.
I want to put that screenshot on my wall as a reminder that those with the right skills will reap
I’ve had a small squad of auditors who I’ve been learning Solana Programs/Rust development and auditing with these past few months. I saw the narrative before it happened due to my previous days as a degen. It was clear to me that the Sol ecosystem would be a HUGE opportunity for
I just closed another client on retainer for $1000 a month for the next three months at just 5 hours a week. Super excited to start working with this team.
They reached out because they want someone to sit down with them for a few hours a week who will answer their questions
This repo is awesome! It compiles a ton of different resources related to oracle manipulation including previous hacks and some preventative measures.
Take a look!
OTHER AUDITORS AREN'T PAYING YOUR BILLS, YOUR CLIENTS ARE
Let me repeat that again. Auditors on Twitter don’t pay your bills, they’re not hiring you, they’re not sending you money.
You know who is?
Developers, protocols, CTOs and CEOs. So why are you so worried about what
We're looking for a frontend dev who has experience with web3 development.
If this sounds like you reach out and let's talk.
Looking for someone to partner with long-term.
People have been DM'ing me lately asking how they should get started in Smart Contract Auditing.
This is how I would accelerate my road to $10,000 in my first six months in Smart Contract Security if I got to do it over. 💰🛎️
With October closing last week it has been my most profitable month so far. Closing in just a little over $5000. 10 months ago when I quit my full-time Solidity role working at Consensys a lot of people told me I was a complete idiot for doing that in a bear market.
Granted I'm
Are you a Smart Contract Auditor that wants to learn how to find vulnerabilities in proxies?
Don’t worry I got you covered.
Check out this repo with awesome examples in Solidity!
This is probably one of the best sites I've seen so far to get an aggregated view of security blogs.
If you're a Smart Contract Security Auditor check it out.
You can specifically search for any type of blog or bug type.
Just published a new blog about a few of the ERC20 bugs that I found in the 5 different contests that I participated in last month!
ERC20 attacks are common finds nowadays but are still fun to learn about because they're all so unique!
Are you an auditor looking for you next easy find?
ERC20 bugs are pretty easy to spot so you should learn about them!🏖️🕶️
Check out this article I wrote to get you started!
This notion template is a requirement for Smart Contract Auditors.
@Sm4rty_
is awesome for creating this and sharing it for free.
It’ll help you organize yourself during your next audit and during report creation.
It’s always a bit funny when auditors ask me, “Are you developing now?” Truth is I never stopped developing. I actually don’t see auditing and developing as mutually exclusive. Imo they go hand in hand and learning one makes you better at the other.
Plus dev work pays well
I just looked back at the first notes I took when I started studying Smart Contract Auditing in January of this year and it says...
"Use Call instead of send or transfer"
I think at the time I was doing the
@TheSecureum
BootCamp as it was the main resource to find out about
ERC4626 is quite common to see in Defi these days.
But if not implemented properly they can be a goldmine for hackers.
Let's dive into what they are and one of the issues you can look for when auditing.🧵
I've shared this link before but will share it again. If you don't know where to start when it comes to zk auditing study material, this is for you.
The million-dollar contest on
@code4rena
is about to be crazy. Can't wait to see some people score six-digit payouts.
I think the real alpha for 2024 is carving out a niche for yourself and building a business around it. There’s so many things that are still low competition relative to Solidity auditing.
Things like gas optimizations, writing fuzz tests, building and auditing in Rust, building
This past Sunday
@Uniswap
@UniswapFND
and
@cantinaxyz
hosted an amazing event for anyone participating in the Uniswap V4 contest. There was a lot of alpha that was dropped from the team and the firms that did the first round of audits. If you weren't able to make it I took some
For me, auditing full-time has been more about how long I can survive and not how much I'm making at the moment.
The first couple of months were really rough. I was making little to no money and was living off of savings. I knew if I stuck around long enough I'd hit a point
Really enjoyed this article on ERC4337 security.
Learn about the following
- Gas Fee Calculation Logic
- Signature Generation & Usage
- Reuse of Signatures
- Front-running
And more!! Check it out below.
For anyone new to Solidity
@BuildOnBase
did a great job of creating a Solidity BootCamp for newer devs to learn the basics quickly.
Topics include.
- Introduction To Ethereum
- Smart Contract Development
- Token Development - ERC20
- Token Development - ERC721
And more!
Check
1/ Are you a new auditor and looking for a layup in your next contest?
Something that isn't too hard to find but could lead to a decent payout and some points on the leaderboard.🧵
This one issue led to a $250 payout PER auditor in a recent
@codehawks
contest. Let's dive in!
1/ Excited to announce that starting today, I'm a member of the
@QuilAudits
Red Team, focusing on web3 security!!!🎉 🥳
Excited for this new adventure in the cutting-edge world of cybersecurity. Why did I choose to work with Quill Audits when they reached out? 🔍 📊
So many cracked devs on my TL who don’t know shit about the basics of comp sci so they can’t pass a Solidity interview but they can write an entire AMM in huff in three days. Something severely wrong with this industry and the way we rate people.
Smart Contract Auditors can benefit by using this checklist regularly when starting a new audit.
Don't go through all of it line by line. Instead, do a quick scan to see if there's anything you forgot to look for and remind yourself of things you should be checking for.
Here are some common Defi related attack vectors every smart contract auditor should know.
- Governance Attacks
- Oracle Manipulation Attacks
- Flash Loan Attacks
- Replay Attacks
Check out more here!
Persistence is key if you want to be a Smart Contract Security Researcher.
It took me almost six months of work before I made my first $1000. But if you want to...
✅Work for yourself
✅Make good money doing it
Then you HAVE to stick with it. The key is not giving up.
If you're an auditor looking to learn more about Account Abstraction bugs then I got you covered!
Check out this article detailing some ERC4337 bugs and how to mitigate them.
If you're just getting started with Solidity and looking for some practice this repo is a great place to get started.
It covers the following topics.
Question 1: Voting System
Question 2: Escrow System
Question 3: Withdraw Funds
Question 4: Rent Storage
Question 5: Staked
Wanna build a c4 bot?🤖
Want to automate a ton of low-severity findings for your private audits?⏩
Here's a sick bot that does a ton of that work for you made by
@thePicodes
Seriously
@PatrickAlphaC
seems to be one of the few people who understand the importance of community in this space. A person in his position could be taking advantage of people and yet he consistently surprises me by always putting community first.
Judges on
@CodeHawks
won't be able to see the auditor's identity when judging submissions - huge move to remove bias towards big names!
Other platforms said this was too hard to implement but apparently it wasn't too hard for
@PatrickAlphaC
!
No contests in the pipeline
Auditors: OMG it's so hard to make a living as an independent researcher. Only the best make money doing it. We won't be able to scale cause new auditors will leave to do other work that actually pays.
20+ contests in the pipeline
Auditors: This is
Are you a Smart Contract Auditor looking to learn more about TWAP oracles?
I recently did a private audit that used TWAPs and I learned a lot!
Let's dive in to learn a bit more about them and to see what gotchas you should look out for when reviewing them!
Are you a Smart Contract Auditor who's new to Account Abstraction?
Want to learn about ERC4337 attacks?
I went through
@soloditOfficial
and detailed some ERC4337 bugs that were found.
Let's take a look.🪐
The validateUserOp should always return SIG_VALIDATION_FAILED
If you're a Smart Contract Auditor participating in the
@MorphoLabs
contest on
@cantinaxyz
this article could help you uncover some bugs.
The awesome
@DevDacian
always does a great job of writing these and I find them extremely helpful when needing to revisit specific bug
If you're a Smart Contract Auditor who's auditing a lending protocol here are some great questions to ask yourself during the audit.
I've collected these from various Twitter threads, Github repos, and issues on
@SoloditOfficial
that I've seen over the past week while auditing
This year has been one of extreme growth for me and my private auditing business!
I recently joined
@TheBlockChainer
for an interview discussing everything about growing my independent private auditing business!
This interview has helped me reflect on how far I've come since
We just delivered a Uniswap V4 hook built for the
@AtriumAcademy
and
@UniswapFND
@Uniswap
.
Our team built a Time-Weighted Average Market Maker (TWAMM) that will allow DAOs to execute large purchases of their token for buyback programs.
I find this checklist for auditing cross-chain projects a real gem. There's a section specific to
@LayerZero_Labs
integration and security checks.
@windhustler
I wonder what you think about this🧐
This repo is amazing. It has reproduced attacks of all the major defi hacks using foundry. Great for new auditors looking how to build PoCs or see what actual attacks look like.
If you’re a Smart Contract Auditor doing a security review of an AMM here’s a checklist to get you started.
Checklists can be a powerful tool for guiding your mindset in the right direction during an audit. They can be effective in sparking creativity, as you work through them
If you think there’s too much competition in crypto wait until the bull run. The demand for your Solidity skills will make you so much $$$. Employers think they’re cute by being selective right now, can’t wait for it to become an employees' market. They’ll be begging for us.
I'm planning on tripling my monthly income by this time next year to at LEAST $30,000 a month.
The pessimists will read this and say it’s “impossible”. Good, your pessimism only leaves more money in the space for me to collect. It’s the most counterproductive quality you have
Becoming a Smart Contract Auditor is possible for anyone who wants to put in the work and is willing to grind day in and day out.
I'm seeing folks who started six months ago starting to get their first big wins in contests. Proof that consistency is what leads to rewards.
2023 has been a year of a lot of struggle for me in my personal and work life which has eventually led to much success, which I’m grateful for.
However that doesn’t come without a cost.
I’ve seen my mental health deteriorate a bit over the past few months. So I’ve decided to
Here's a trick I've used to get a few leads through Twitter for private audits and turn them into repeat customers.
QUICK NOTE
DO NOT ever spam protocols in their Twitter DMs or on other platforms for leads. Sales will come to you if you know what you're doing. Don't be annoying
Stoked to join the
@UniswapFND
and
@AtriumAcademy
UniswapV4 Hooks Incubator.
Looking forward to building some cool products using hooks.
Will be posting a ton of technical content as I learn more about hooks and building with them.
Wen lambo? Maybe sooner than expected😉
Quick checklist for your next audit.
Click the link to see the details!
1: Architecture, Design and Threat Modelling
2: Access Control
3: Blockchain Data
4: Communications
5: Arithmetic
6: Malicious Input Handling
7: Gas Usage & Limitations
8: Business Logic
9: Denial of
Are you an auditor that wants to know more about Account Abstraction and ERC4337?
I've been researching the topic for the past few weeks and want to share some of the things I've learned.
Helping you feel more confident when auditing ERC4337 implementations.
Let's dive in!
This is probably one of the best-written issues I've seen in the
@beedlefi
audit report so far and in general tbh.
Amazing write-up by
@StErMi
and such a unique issue based on multiple things going wrong.
Just finished the Chainlink contest on
@Code4rena
with
🟥High: 1
🟨Medium: 4
Pretty confident about at least two of these being valid as we were able to write strong POCs and test cases for them. Let's see what happens though. Excited to get my name higher up on the board.
If you’re finding H and M vulnerabilities in contests but not really making much money cause of dups don’t be hard on yourself.
You’re actually probably a really good auditor and could potentially do well at a firm as JR or in easier private audits.
Thing is contests are
Gas Optimization 1️⃣
Ever wanted to get your first issue submitted to
@code4rena
but don't know where to start?
There's a ton of really simple gas optimizations you can scan for in a codebase without needing a deep knowledge of Solidity. Let's look at one of them below 🧵👇
When doing an audit on
@code4rena
these are the lowest paying findings.
- Use safeTransfer, safeTransferFrom instead of transfer, transferFrom when transferring
- Use call() instead of transfer() when transferring ETH
- First depositor issue
- Silent overflow
- Did not Approve to
1/ Found a neat bug recently when doing a
@code4rena
report. Check out the code below to see how downcasting can lead to precision loss and ultimately loss of users' funds. Every Smart Contract Auditor should know this.
Are you a new auditor and looking for a layup in your next contest?
Here's an issue that isn't too hard to find when you're just starting out but depending on impact can get you that Medium or High.
Let's dive in! 🧵
Just finished a private audit for a client for a codebase that was 2000 SLOC.
Was one of my favorite projects to work on and the clients seemed extremely happy with the work I did.
If you're a skilled auditor who's looking to generate more leads for your private auditing business here's a secret tip that I don't see many people discussing.
Conferences are filled with clients looking for quality auditors at "affordable" rates.
Our team just completed what
Every Smart Contract Auditor should know about rounding errors and precision loss issues.
I wrote about a recent finding that I found in a
@CodeHawks
related to rounding issues. Check it out.
Check out some of the previous
@zksync
audits while you're studying this next week. These tend to be a goldmine for finding bugs as devs tend to make the same mistakes. Especially when it comes to codebases as large and complex as this one.
Locked in our biggest private audit last week all through word of mouth and referrals. Team and I have been drowning in complex code but we’re definitely on to finding some interesting bugs.
Also received three leads in my inbox this weekend alone for potential new clients. This
Private audits are the easiest way to make big bucks in this industry. If you think c4 audits have picked up then you don't even know how many private audits are picking up steam. Want more private audits? Read, write, and breathe Smart Contract Security.
Had a few of my reports selected for the recent Beedle contests on
@CodeHawks
. Feels good to know my writing is improving. Six months ago I couldn't even get a gas report validated cause my submissions were so bad.
If you're doing the
@zksync
audit here are some common zk bugs to look out for.
✅Under-constrained Circuits
✅Nondeterministic Circuits
✅Arithmetic Over/Under Flows
✅Mismatching Bit Lengths
✅Unused Public Inputs Optimized Out
✅Frozen Heart: Forging of Zero Knowledge Proofs
1/
@code4rena
Audit analysis is a great way to make some extra bucks as an auditor.
As I mentioned before there's some auditors getting three digit payouts for a quality Analysis report.
Let's dive in together and see how you can take advantage of this amazing feature.
Understanding the EVM is essential to level up as a Smart Contract Auditor.
I've seen this EVM Handbook shared a few times here but wanted to share it again since it's packed with some much alpha.
Take a look!
1/ Gas Optimization⛽️🔥🚨
Here's a quick gas op from a recent report on
@code4rena
. These are easy wins that you can get when submitting private reports and just getting into auditing.
Over $500,000 in rewards coming up this next week.
It's about to be a HUGE month for auditors. Hope everyone took some time off during the lull these past two weeks.
If your bank account is looking a little bleak let's get to work and get to this money! No excuses, just bug
1/ Gas Optimization⛽️🔥🚨
Here's a quick gas op when dealing with functions marked with modifiers such as onlyOwner. These are easy wins that you can get when submitting private reports and just getting into auditing.
Made a quick video on how to improve your report submissions on
@CodeHawks
.
This video will walk you through one of my selected reports and explain how to increase your chances of getting your issues validated by judges!
This is the audit contest I always recommend to newer Smart Contract auditors who are looking for a decent-sized contest to shadow audit. You can compare your results to the final report.
DON'T CHEAT
It's pretty wild but just getting really good at auditing/developing and shilling your wins or things you've built on Twitter can get you a lot of new work and make you some decent money. Learning how to write is an invaluable skill that I see a lot of SRs look over.