📢📢📢
I am thrilled to announce that I’ve joined @GuardianAudits as a full-time security researcher.
I learned a lot from their YT channel, and now I have the chance to work with them.
Thanks to @dannygfromnyc and @0xOwenThurm for this amazing opportunity.
Found 4 highs & 7 mediums, and finished 2nd in a @cantinaxyz competition. 🥈🎉
This is my biggest accomplishment after switching careers and starting from zero. 🦾
That tweet aged well.
My first contest on @code4rena: Chainlink CCIP ➡️ Another magnificent failure - 0 valid issues.
My second contest on @code4rena: Chainlink Administration ➡️ 2nd place 🎉😱🎉😱
The post-judging process of the @Uniswap Unistaker contest on @code4rena was like a roller coaster.
One second I thought I’d win the contest and the next second I thought I’d get nothing.
In the end, I shared 3rd place with 8 people 🥉🎉
Not bad at all 😄
Yes, writing a PoC takes time.
But have you ever tried to explain a complex issue without a PoC?
I tried.
And failed.
And it took much more time.
The report can get overcomplicated/overcrowded in the blink of an eye while trying to convince the judge without a PoC.
The Curves contest on @code4rena showed the importance of choosing the right contest.
I was planning to participate in that one, skimmed the code, realized it wouldn’t be worth the effort, submitted a few obvious H/Ms without any expectation and immediately moved to another one.
I didn’t submit an obvious issue in a contest on @code4rena because I thought it was a simple QA.
I just saw that everyone submitted it as a medium. If it is actually a medium, I would be really angry with myself :/
Every day is a lesson.
My first contest on @sherlockdefi: ajna update ➡️ an amazing failure - 0 valid issues.
My second contest on @sherlockdefi: dodo V3 ➡️ 2 valid highs - 6th place 🎉
When I see a person getting constant great results on audit contests, I immediately go check when they joined the C4 Discord.
It’s usually early 2022, sometimes late 2021.
This makes me feel like I’m too late, but it also relieves me by reminding me that it’s not a sprint race.
A quote from a writeup of one of the top 10 blockchain hacking techniques 2023 by @OpenZeppelin:
“… more often than not, over-promising goes hand in hand with under-delivering.”
The funny thing is, web3sec Twitter is full of over-promisers.
We make mistakes and learn from them.
Here is the mistake that led me to submit the best QA report on @code4rena a few months later, teaching me the importance of every single submission. 👇
I didn’t submit an obvious issue in a contest on @code4rena because I thought it was a simple QA.
I just saw that everyone submitted it as a medium. If it is actually a medium, I would be really angry with myself :/
Every day is a lesson.
Chainlink Staking was the first contest I participated in after getting the backstage role at @code4rena. My only purpose when participating in this contest was to read the submissions of the best and learn a lot.
The contest is over, but the most important part for me starts now.
I wrapped up my submissions for the @WildcatFi contest on @code4rena.
It was fun to work on this project and I enjoyed trying to break it.
Hope to get nice results 🤞
The last 2-3 contests were full of frustration.
Finally, @WildcatFi came to the rescue to give me some morale.
The payout was not that good, but two of my findings were selected for the report, which is enough to boost confidence.
I don’t choose a topic and study it.
I choose a contest and study what is necessary for that contest.
I cannot count how many materials related to diamond proxies I have consumed in the last few days for the @UbiquityDAO contest on @sherlockdefi.
Day 100/100 of #100DaysOfCode
I watched the @cs50 web development course’s fifth lesson.
Things are getting complicated logarithmically day by day, but I’ll figure it out.
#Python #django #SQL
@0xnevi I just wanted to publicly say that you don’t have to train someone before leaving judging in Sherlock.
You are being too good.
You don’t need to feel obligated to do this. You raised your concerns to Sherlock tons of times. They didn’t listen. It’s their problem. Not yours.
@HollaWaldfee100 @code4rena Unpopular counter-opinion: Most of the senior SRs are already booked for February.
The number of SRs who can actually spend 3 weeks full-time on Blast is not that high.
GoodEntry audit contest result on @code4rena is published.
This one was not that good. I found only one high severity bug and couldn’t make it to the top 10.
It’s not a bad result but I have too much to learn.
Web3sec Twitter is full of survivorship bias. You’ll mostly see amazing success stories.
It’s extremely easy to get discouraged. Don’t. Be aware that it is full of failures too; you just don’t see them.
Submitting tens of issues in a contest and sharing the screenshot of your submissions doesn’t mean anything.
How many of them are valid?
Share it when they get validated.
Today’s menu: submissions written by @GalloDaSballo, @iamdirky and @0xHE1M.
There are more than 60 submissions just from those three authors. I’ll try to understand and internalize all of them.
The next hack analysis is out. It's interesting how in this case two secure libs used together resulted in damn unsafe code. Ladies and gentlemen, TIME token hack analysis: 🎇
Day 89/100 of #100DaysOfCode
I have to create a simplified Google search page for the first project of the @cs50 web programming course.
Finished it today and submitted it. That is my low-budget, low-quality Google.
Day 10/100 of #100DaysOfCode
Finally submitted pset 3 “runoff” of @cs50. I was stuck at one point. After managing that, all the rest went fast.
Now starting to watch week 4. @davidjmalan
Day 41/100 of #100DaysOfCode
Suffering from procrastination.
I know I will finish it in a few hours if I can start, but I keep postponing my @cs50 and #javascript work.
Day 70/100 of #100DaysOfCode
I finished the functional programming part of @freeCodeCamp’s #javascript course.
I’ll be working on the intermediate algorithm scripting part in the next few days.
Then I’ll repeat and repeat.
@BowTiedDravee I was planning to write a blog series called “What did I miss? Why did I miss?”
I didn’t write and publish it as a blog but questioned it internally 🫡
🚨 The 6th yAcademy Fellowship application is now open! 🚨
🗓️ You have 1 week to apply; this block starts on March 4, 2023. Acceptance emails go out before Feb 27.
✏️ Already applied? Check your inbox and buckle up...
@nisedo_ The thing is that an experienced SR team will most likely earn more by doing a private audit.
Why would they spend time in a 2-week-long contest with uncertain gains?
They can quote close to the whole contest pot and get the job. They might even quote higher.
For my final project I've built a healthcare dApp that brings NFTs to surgical consents.
I also created a blog series that covers every week of this course, and here is the blog post about my final project if you want to check it out.
Day 80/100 of #100DaysOfCode
I’ve finally finished the intermediate algorithm scripting part of @freeCodeCamp. It took quite some time for me to manage it.
@14si20 I believe there won’t be a “general auditor” in a few years’ time. Everyone will be specialized in some topic.
The issue is that we can’t know which area to specialize in at the beginning of our journey. We need to participate in a wide range of contests and find what suits us.
Day 34/100 of #100DaysOfCode
I uploaded both #sql problems of pset 7. The “fiftyville” problem of @cs50 was quite entertaining to solve.
Now it’s time to move to week 8.
Day 59/100 of #100DaysOfCode
@freeCodeCamp’s JavaScript course has multiple subtitles. After the basic JavaScript, today I learned additional features like arrow functions and destructuring.
Day 56/100 of #100DaysOfCode
I’ve finished everything from @cs50 except the final project. I won’t do it right away because I want to learn JavaScript better before starting the final project.
Today I am starting @freeCodeCamp’s #javascript course.
How much money do you need to spend on gas to call a function type(uint256).max times just to DoS a protocol?
Does the world have that much money?
How long will it take to call a function that many times?
@Afriauditor @code4rena I don’t use specific metrics.
I mostly choose a contest based on my schedule/availability and stick to it.
Normally, I don’t switch between contests, but I didn’t stick to my decision in the Curves case and immediately switched.
@0xnevi @sherlockdefi Sherlock’s judge payments are extremely low compared to other platforms. I don’t know how you keep doing it in almost every contest 😅
Day 38/100 of #100DaysOfCode
I have to create a basic webpage with #html, #css and #javascript for pset 8 of @cs50.
I am watching previous lessons again and again to make it correct.
Try, watch, read, try again. Repeat!
@0xT1MOH It is more like a mock exam for me.
The only reason I’m participating in this contest is to read the top auditors’ submissions right after it.