🎂 Today is my 1 year work anniversary as a SR! In that time, I have: - 💰 Earned ~$200k - 🏆 Won 1st place on 2 audit competitions - 🪐 Joined the Cantina fellowship - 🤝 Landed my first solo client - 👨‍⚖️ Became a judge - 🧠 Completed my first Spearbit audit - 🐛 Found my first bug in a live contract - 🧑‍💻 Learned my first programming language (solidity) - 🦀 ... and my second (rust) - 🍻 Made lots of friends (and just a few enemies) All while being able to: - 👩‍❤️‍👨 Spend quality time with my wife - 👨‍🍼 Be a present father for my son - 🐶 Walk the dog twice a day, every single day Very much looking forward to what year 2 will bring
75
24
643
39,896
~ Simplest path to web3 security ~ 🧵 I first heard about web3 security sometime in July/2024. Therefore, this is not an expert view, only what has worked for me so far! My path was the following: 1. Speedrun learning: I first learned how to read solidity (Jul - Aug / 2024) by speedrunning @PatrickAlphaC course 2. Audit: then, I audited 3. Feedback loop: simultaneously, I run a feedback loop where I understand the real knowledge gaps I face while auditing and study to fill them I am now repeating steps 2 and 3 and will continue to do just that for the foreseeable future It is as simple as that More on all that below:
50
61
432
32,970
I am now a @certora security researcher! Formal verification is the ultimate bug catcher, and I am really excited to join the team making it possible for smart contracts!
74
5
422
13,693
🏅 4/735, and my largest payout so far Hella ride. I looked at everything in the code, but looking != seeing. Once again, the gem is in the missed findings. Smol 🧵👇
37
11
403
20,697
Dear friends and enemies, Audit competitions are the best way to make a name in this industry. And if you're serious about competing, Cantina Fellowship is the best place to be. This has been my full time job since late last year, but I'm now shifting focus - and also leaving the Fellowship. It's been a pleasure and privilege to be part of the Fellowship. Thank you, @cantinaxyz 🫡
23
4
271
10,259
What I would do if I were starting to audit today with no coding and no security knowledge: - Join a contest - Upload the codebase to AI - Guide it to teach me how to understand the code - Profit If this gets 30 quote retweets I will post a detailed guide of how I would do it.
14
28
257
14,991
🥈 Silver on the leaderboard, gold in lessons learned. This was my first time auditing a DEX. Many thought I'd fail (jk, just the dog, who heard me whine every single day of this audit). But it turned out well. Can't say I love auditing DEXes, but at least now I don't fear them no mo.
24
1
254
9,274
🥈 2/759 I love stablecoins! Unfortunately I was busy and only managed to put in 6 seconds in this competition. So my payout averages at just over $1.3k per second (or roughly $42 billion per year). Which means in just 3 years I will be as rich as Satoshi. Smol 🧵
24
246
8,727
On Jul 8th, 2024, I signed up for @PatrickAlphaC's Cyfrin Updraft. Which means I will complete my first year as a security researcher in just a few days. Hard to believe so much happened in just one year. Retrospective coming soon.
13
4
227
10,851
You don't find bugs by searching for them. You find bugs by understanding the code's smallest details.
11
15
226
7,092
Thinking of writing about my path into security and what my first year looked like. 🫵 Hey sir! Would you read it?
46
2
217
7,651
What’s stopping you from auditing like this, anon?
18
2
182
6,622
👨‍🍳
14
2
180
6,584
How to be sad in 6 steps: 1. Spot extremely intricate bug 2. Be excited 3. Write a beautiful report for it 4. Read the report and think this is too complex to go without a PoC 5. Write a PoC 6. Not a bug
16
9
175
7,460
Nobody is good at the start. Nobody is bad after 10,000 attempts.
Nobody is good at the start. Nobody is bad after 10,000 attempts.
7
22
187
16,424
🧵 I have found 3 solo bugs by modeling functions on excel. This has helped me finding issues related to the passing of time, such as distributing rewards or calculating yield. A short thread:
11
13
166
14,515
How to audit complex equations? I don’t know about the gigachads out there, but if the equation has anything greater than 3 steps, I’m lost. The way I go about it is breaking it down into smaller pieces, while keeping a high level view. 🧵
18
14
160
9,111
Men at 3 am: I’m gonna change my life NOW
12
9
158
5,929
While some of us are complaining about contests (myself included)… Others are making over $50k in a single contest, taking 70% of the pot Winners are busy winning
The competition results for @citrea_xyz's BitVM bridge are in. Researchers reviewed Clementine, a BitVM-based two-way peg introducing a new model for trust-minimized BTC bridges. 🥇 @n4nika_: $54,872.04 🥈 TheStryke: $4,766.01 🥉 @rhaydden: $4,413.82 Thanks to everyone that contributed.
6
5
161
6,762
I have judged a good chunk of Cantina's competitions this year. I've wanted to write about this for a while: here is what I learned as a judge 👨‍⚖️ 🧵 1/8
2
9
155
10,526
Whenever I feel anxious or worried about work, I tell myself: just read code and things will be clearer. And it works like magic.
4
4
152
3,715
Just found a bug in the onboarding call before even reading the code That was my fastest
14
1
145
4,938
Depth > breadth Rare bugs hide deeply. Don't spread yourself too thin, or you won't find them 🧵
7
12
146
6,259
Dear friends and enemies: This is the Eigenlayer model I said I would share (link in the comments). I added a few notes in the comments as well, answering the following questions: 1. Is excel fit for this job? 2. What value is there in this for the reader? 3. How did I use this particular model
13
10
166
22,893
10
11
143
5,555
Security research is creative work, like art You don’t become an artist through education alone, but by merging it with something uniquely yours Auditing is the same: education matters, but success comes from adding your own edge
6
5
139
4,074
> Baby says “papa” > I look at baby > Baby makes a funny face and laughs I swear there’s no better feeling
7
2
139
3,694
🚨 Opportunity for top auditors! We have open positions at @certora! Reach out to me if you want to: - Protect over $100 billion - Advise the most prominent protocols - Work with top security researchers - Join an amazing team
7
4
138
11,047
Becoming good at any skill is mainly about refusing to give up no matter how impossible it seems, until it does not seem impossible anymore
5
18
136
3,287
Hard workers will be rewarded
Finally reached my first 5-digit payout. Huge thanks to @cantinaxyz and @OctantApp for the opportunity — this milestone means a lot to me personally. Below is a short thread about the months that led up to it, and what this journey really taught me
2
1
139
5,039
🏆 Primev was the first contest I had a relevant result - I placed 4th on their competition almost a year ago. Feels good to look at their code again, and secure first place (tied with 4 other SRs though).
15
2
136
3,179
It's been about a month since I started writing consistently I'm not doing it for the numbers. But the numbers show me that people enjoy what I write, and that makes me want to keep writing Excited to see how this dashboard will look over the next months
10
2
128
3,440
🏆Ranked 1/363 in the StakeUp competition on @cantinaxyz 🏆 My first win, with 2 unique high severity findings! Onto the next challenge 🐛
10
3
123
4,483
Had to drop this one off because January was way too busy Still managed to find a cool bug 🐛 Cheers
14
125
3,983
Many don’t want to read this, but the most important thing one must do to succeed as SR is work It doesn’t matter how much you study or how brilliant is your roadmap, it’s all worthless if you don’t put in the hours
7
7
119
3,551
People should not base career decisions on short term earnings, especially early in the career. Earnings grow A LOT with seniority. In security, a more senior SR can easily make 50x more than a junior SR (or infinitely more if the jr SR can't find anything valuable). The challenge is how to get seniority. There is no clear career path, nobody to guide your development. Each researcher crafts their own path. This means each senior researcher has their own way of working, their own "secrets". Learning these secrets can make the difference on whether you will make $100-200k in your first year, or if you will only struggle for nothing. This is priceless - any money you can get out while doing that should be seen as a bonus.
2
5
123
5,549
I couldn’t imagine living without believing I’m as capable as anyone out there That I have as much potential as anyone else That I can reach any goal I truly set myself to
6
9
119
3,513
I love auditing
10
4
116
6,341
Plans for November: Spread security knowledge in person See you on DSS!
9
116
2,879
1% daily improvement leads to 37x growth in a single year. Don't fade compound growth - show up daily, pay the price, do the work. It's what I did so far and I will continue doing it🫡
1% daily improvement leads to 37x growth in a single year. Don't fade compound growth - show up daily, pay the price, do the work. It's what I did so far and I will continue doing it🫡
5
5
115
6,788
Stubbornness can take you far. People love to say hard things are impossible. Let them doubt, but don’t fall for it. Set your hard goals, be a stubborn optimist. You are gonna make it, anon.
2
7
110
2,565
🥉 3/263 More contests, more learnings Now onto the next
11
112
3,031
Being a self learner is a fundamental skill for security researchers
5
9
109
3,144
My backlog: - How to audit complex equations - Auditing step by step part 2 - From zero to auditor with AI roadmap - (Have I forgotten anything?) Meanwhile, starting one of my most important audits so far Am I cooked yes or no
11
1
111
3,909
Some people asked how I choose contests It's simple: - Initially, I always picked the easiest contest, regardless of payout: the simplest codebase with the lowest nsLOC count - With experience, I prioritized contests with the highest EV if I found them interesting This means: large prize pools || familiar tech || contests with dedicated pots I always made my decision after exploring. For each contest I chose to take, there were 2-3 I chose to skip
5
110
4,918
I used to feel insecure about whether I was “auditing correctly” I wondered: am I doing this efficiently? Am I doing anything stupid? Am I stupidly not doing something I should? I never got validation for these questions. But I did work on my auditing process until it became a proven method. Nowadays I’m 100% confident in how I audit. I still ask some of the same questions. Only now focused on growth, not on insecurity. I am thinking of writing about this extremely intricate process.
12
2
112
3,809
When I have a very complex code to audit, I usually spend more time procrastinating than actually reading it It's never as bad as I anticipated Stop procrastinating and read the code, anon
5
2
107
2,471
what a privilege to be tired from work you once prayed for. what a privilege to feel overwhelmed by growth you used to dream about. what a privilege to be challenged by a life you created on purpose. what a privilege to outgrow things you used to settle for.
what a privilege to be tired from work you once prayed for. what a privilege to feel overwhelmed by growth you used to dream about. what a privilege to be challenged by a life you created on purpose. what a privilege to outgrow things you used to settle for.
3
6
105
4,368
Most of the trickier bugs derive from logic, not from technical aspects. To write safe code: make sure your logic is solid before writing the code. To find logic bugs: reconstruct the logic and check if all paths are addressed.
3
6
104
3,632
So how can you find bugs if not by looking for vulnerability types? By following 2 straightforward steps: 1. Understand the code in detail 2. Find ways to break it I will cover understanding the code in another thread. Here is how I find ways to break codebases: 🧵
6
9
104
5,080
Sunday night affirmations. Over the next week: - I will find bugs - I will spread security knowledge - I will create loving memories with my family - I will take good care of myself
1
5
103
3,253
I’ve been told Nigeria also has a strong community of security researchers. What (or who) has sparked this interest there?
22
6
104
5,791
POV: starting the night shift after the baby is asleep
4
1
102
2,983
‼️ Help me choose a codebase to audit in public for my next article I usually write articles focused on the principles behind my work. That’s fine, but it’s not very tangible Next time, I’ll do a step by step audit of a real contract, following the methodology I published recently Help me choose a codebase for it. It needs to be small to medium size (<1,000 nsLOC) and not overly complex, so it fits in a single article
12
1
98
4,521
Auditing complex codebases feels like trying to comprehend an unknown creature while blindfolded. It's challenging, but not impossible. 99% of success comes from believing you *can* make sense of it, and refusing to give up until you do.
I like the shift that happens a couple of days into a complex codebase You start out overwhelmed, having no clue how everything fits together. Towers of abstraction everywhere. Continuous confusion. Then suddenly it clicks and you're actually seeing how everything fits together.
3
5
97
5,046
selfie
7
97
3,112
Goals for the week - Find bugs - Spread security knowledge - Spend quality time with the family - Take good care of self
6
1
92
2,572
"Yeah, $20k per month as internship salary is not bad" Today a long time friend I met while working at McKinsey visited me. We hadn't spoken for almost two years because we were living on opposite parts of the planet. The last time we spoke, I was still a management consultant. When I told him today I was doing web3 sec as an independent auditor, he asked me if I saw this as a long term career. I told him the industry looks good and is getting better. Also that I made $20k on the 4th month after I first heard about web3 sec. His reaction: "yeah, $20k per month as internship salary is not bad".
8
2
90
11,558
Leaking a secret the pros don't want you to know 🫵: If I could give an advice that works for *anyone* in auditing, it would be: adopt a strength-based approach. 🧵👇
8
5
96
6,240
Why is security research so popular in Bulgaria?
16
1
95
6,778
It's official, we're doomed
Moment of truth: every finding I submitted in @code4rena contests came from a method I built using AI. Over 7 contests my method earned 🥇🥈🥈🥈🥉 with a valid/invalid ratio >1 and multiple solo ands duo High/Medium findings.
10
93
7,168
Very excited to join this group of extremely talented people 🪐
The Fellowship never stops growing: say hello to our newest Resident, @philbugcatcher 🪐
13
2
92
12,751
It's very encouraging to see so many people interested in this. I will post it over the next days I will write about my routine, what I studied, how much I made each month, the roller coaster of feelings, and some more things What else should I include in it?
Thinking of writing about my path into security and what my first year looked like. 🫵 Hey sir! Would you read it?
15
2
89
3,010
Your lending protocol might be underestimating the risk of debt assets Most lending protocols implement only one measure of asset risk: LTV LTV limits the amount one can borrow based on the risk of the provided collateral: - If you provide $1,000 in USDC (a very stable asset), you should be able to borrow at least $700-$800 - Whereas if you provide $1,000 in a random memecoin (a volatile asset), you should be able to borrow at most $200-$300 The reason for this is: the volatile asset can change in value too quickly. If that happens, any loans backed by it might become undercollateralized, leaving the protocol in bad debt However, one thing this design doesn't consider is that borrowing the volatile asset provides the same risk! Volatility is not only for when the price goes down. It means price can swing either way, down or up Consider this scenario: - User provides randomMEME as collateral and borrows USDC - When randomMEME tanks in value, the position's collateral becomes lower than the debt, leaving the protocol in bad debt 👉 This is mitigated by setting a low LTV to randomMEME, such that liquidators have enough room to liquidate the loan prior to it becoming bad debt But the opposite scenario is not addressed: - User provides USDC as collateral and borrows randomMEME - When randomMEME surges in value, the position's debt becomes greater than the collateral, also leaving the protocol in bad debt The first scenario is mitigated by setting a low LTV to risky assets, by the second scenario cannot be mitigated with LTV alone! This happens because protocols only consider the volatility of the collateral, and not that of the debt token The solution to this is implementing debt weight, which is the mirror concept of LTV, applied to debt Differently from LTV, which is always less than or equal to 100%, debt weight is always equal to or greater than 100%. Check this example out: - ETH (relatively stable asset) has a debt weight of 110%, and randomMEME (very volatile asset) has a debt weight of 200% - A user provides $1,000 USDC as collateral, with a LTV of 80%. This allows them to borrow up to $800 Current design: - On most lending protocols, the user would be able to borrow $800 of either ETH or randomMEME Suggested design, with applied debt weights: - If the user borrows ETH, they will be able to borrow at most ($800 / 1.1) = $727 worth of ETH - If they borrow randomMEME, they will be able to borrow at most ($800 / 2.0) = $400 worth of randomMEME This is a much safer approach than just letting the user borrow $800 of any asset, as it accounts for the debt asset risk
6
5
93
6,862
If you ever complain that judging takes long, it is because judges have to waste time with clowns like this: Researcher: there should be price bounds to the oracle price Me: the oracle is the source of truth, not an arbitrary price bound Researcher: *AI slop saying Aave uses price bounds* Me: share link to AaveOracle (v3), showing there are no price bounds Researcher: *AI slop saying they dropped it on v3 but had it before* Me: share link to Aave oracles from v1 and v2, no price bounds in sight
10
1
94
7,845
I have many goals in life, but the single thing that determines whether or not I'm succesfull is if my family is happy
2
8
89
3,882
Note to self: resist the urge to do many contests at the same time. I gave in to the FOMO of trying to compete on more than one contest at the same time. I'm working much more than before because I want to do them all well, but even with 2x the hours I won't get to the depth I usually go while focusing on only one. Might end well anyways because I am compensating with more hours, but: - It is exhaustive - Exhaustion impairs my creative mind (which is required to find the rare/ out of the box stuff)
4
3
85
2,902
Forget vulnerability types. Vulnerabilities are unique for each codebase. You don’t find vulnerabilities by thinking about their types. You find them by figuring out how to break each specific codebase.
3
8
83
2,663
My setup: - Aeron chair - Standing desk - 49" Odyssey G9 - Logitech MX mechanical - Magic trackpad - Airpods pro - Macbook pro m4 max Would you add or change anything?
14
1
84
4,189
Judging has been taking the best of me lately, but I did manage to squeeze in a few hours to dive into this private competition, which rendered a not so bad payout. Planning to share more of these as I shift my focus back to competitions. Watch out 🫵
2
1
83
1,991
In the beginning it’s hard for everyone Those considered good today are only there because they didn’t quit until it became easy Do not quit anon, wagmi
Why Researchers Quit Most researchers don’t quit because they lack skill. They quit because they lose patience. This space is high variance. Some people get lucky, land a big payout early, and that fuels their grind for months. Most don’t. So when weeks or months go by without results, self-doubt creeps in. The grind feels endless, and quitting looks easier than continuing. It’s not unique to security. The same thing happens with actors, writers, or entrepreneurs: it’s a mix of skill, luck, and persistence. Web3 security sits in Taleb’s Extremistan. A few capture outsized rewards. Most scrape by. Many give up. The real test isn’t just technical skill. It’s the mental game of showing up even when you’re getting nothing back. If you can survive that, your odds of making it go way up.
4
4
79
3,653
“Sleep is your superpower” Many people asked me how many hours I sleep Short answer: 8 hours a night Long answer: I would never compromise on sleep. I used to have this idea of maximizing my waking hours, but I completely changed my mind after studying about it. The real alpha is: study @sleepdiplomat. If you’re short on time, listen to his ted talk “Sleep is your superpower”. If you have more time, read his book “Why we sleep”. I read the book. It’s a long and dense read, but I learned a lot about how the mind and memory works, and how to make the best use of it when it comes to resting and sleeping.
6
3
76
5,428
Impressive write up. This made me realize just how deep attackers go in the code and the creativity of their hacks. We need to go further than that.
Yesterday's complete hack of Wise Lending was far more complex than reported. Very worth examining. The protocol had added explicit defenses against this style of attack, which the attack then either bypassed or used against the protocol. 🧵 1/21
8
3
70
4,942
No one knows what it means, but it's provocative
7
75
3,454
Here is the _true_ analysis of the Balancer v2 exploit:
Since Monday’s @Balancer v2 exploit, we’ve worked hand in hand with their team to develop the first root-cause analysis of the issue, identify all affected and potentially vulnerable pools, and determine whether v3 was susceptible to the same attack. Our analysis breaks down what happened, how v3’s redesign prevents it, and key takeaways for DeFi security. certora.com/blog/breaking-do…
3
75
11,555
Sunday night, planning the week ahead: - Find bugs - Spread security knowledge - Spend quality time with the family - Take good care of self All else is a bonus.
2
72
2,343
Modeling state transitions makes them transparent, clearly showing the bugs hidden within Excited to share this at DSS!
Modeling how each function reads and writes state can reveal overlooked bugs in complex protocols. @philbugcatcher, Security Researcher at @certora, will speak at DSS on “Modeling State Transitions to Find Unique Bugs”, presenting a visual method to validate bug hypotheses.
4
4
75
3,806
Still sad I didn’t claim my card But thanks @monad (and @cantinaxyz) for including me in the airdrop anyways!
6
1
72
2,964
Funny that the ones doing the least have the most to say. Winners are busy winning.
3
4
72
6,175
I'm travelling to Argentina for DevConnect + DSS soon The dog was supposed to come, but the airline I'm flying with doesn't allow dogs onboard So I sent him to a dog hotel that was recommended to me. I took him there for 1 day to adapt, so he'd already know the place before staying longer He came back home with an eye hemorrhage. His eye was swollen, and the entire white part of the eye was blood red The hotel says the vet check before checkout didn't notice anything, and nothing happened to him I took him to my trusted vet immediately. She said it was certainly caused by a strong hit and could never go unnoticed by a professional We are all heartbroken
6
1
71
3,687
I don't know who needs to hear this, but selling hours won't make you rich The only way to get rich is through equity and investments (except for perhaps 0.01% of hour-sellers)
6
70
3,314
Timeline playing mind games
7
2
70
3,452
Judging
11
1
69
3,249
I finished a security review for @CollarProtocol yesterday 🔎🐛 Auditing is hard, but understanding their protocol was as smooth as it can be. I've literally never seen a protocol so well documented It was clear to me that they are truly committed to security: multiple audits, + their dev is a true security boss
1
5
70
3,744
Sunday night Feeling energized after spending the weekend out in nature Planning the week ahead: - Find bugs - Spread security knowledge - Spend quality time with the family - Take good care of self
4
1
68
2,355
Wow, what a journey!
Milestone down: Final results from the $2,500,000 @eigencloud competition are in. 🪐 Your top-ranked researchers: 🥇 @10xhash: $136,958.55 🥈 @Audittens: $96,101.02 🥉 @Aamirusmani1552: $68,668.11 Honorable mentions: @philbugcatcher: $52,531.10 @el_hajin: $40,610.32 Thanks to all who contributed to securing the slashing release. Full leaderboard below.
7
70
3,289
The cleaning lady asked me if I’m a computer technician
6
69
3,410
If you have too much energy but not enough work to do, you get bored If you have too much work to do but not enough energy, you burn out Balance these out and you get in a flow state
2
1
67
2,524
I don’t love the current state of audit competitions. If I weren’t doing private audits, I would focus on BBP instead This is exactly how I would do it:
Here is my personal Top 4 tips for anyone transitioning from Audit Contests to BBP. 1. Hunt mainly for criticals and highs. Mediums are not usually worth it in BBP. 2. Audit both the on-chain state of the smart contracts as well as the contracts in the GitHub repo. 3. Think of critical/high impacts that an attacker may wish to cause. And audit the code such that you would like to cause such an impact. 4. Look for recent upgrades done to the contract. Let me know if you would like a detailed article on this topic.
7
5
69
4,889
Extremely cringe to see security researchers fall for phishing scams
11
67
4,629