In 2023, MiloTruck made the most money on Immunefi at $172K. In his year-in-review post, he walks through the year and what he learned. I'll go through his main takeaways, since those provide the most value.
The first takeaway was that math is complicated. He learned this in a contest where his only medium finding came from an unsafe cast. If the math is complicated to you, it's likely complicated to the developer too, and if it's complicated to the developer, there are likely to be bugs in it.
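To make "unsafe cast" concrete, here is an added example of the bug class. This is illustrative code written for this page, not code from the contest MiloTruck audited, and it makes no claim about what his finding looked like. The vault, its share math and the `SafeCast` library are all hypothetical. The point it shows: Solidity 0.8's checked arithmetic reverts on overflow, but an explicit narrowing conversion such as `uint128(x)` or `uint256(someInt)` is not checked and silently wraps.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical vault that packs per-user balances into uint128 to save storage.
// Solidity >=0.8 reverts on arithmetic overflow, but an explicit conversion
// like uint128(x) is NOT checked: the high 128 bits are simply discarded.
contract TruncatingVault {
    mapping(address => uint128) public shares;
    uint256 public totalAssets;
    uint256 public totalShares;

    // Pro-rata mint: minted = amount * totalShares / totalAssets.
    // Even when the token transfer bounds `amount`, `minted` can exceed 2**128
    // once totalShares has been inflated relative to totalAssets.
    function deposit(uint256 amount) external {
        uint256 minted = totalShares == 0 ? amount : amount * totalShares / totalAssets;
        shares[msg.sender] += uint128(minted); // BUG: truncates when minted >= 2**128
        totalShares += minted;                  // full value recorded here
        totalAssets += amount;
        // Result: the user's shares and totalShares disagree, so later withdrawals
        // either short-change the depositor or leave shares nobody can redeem.
    }

    // Signed-to-unsigned is the other classic: a negative delta does not revert,
    // it reinterprets as a huge unsigned number (int256(-1) -> 2**256 - 1).
    function applyDelta(int256 delta) external {
        totalAssets += uint256(delta); // BUG: negative delta becomes ~2**256
    }
}

// Checked narrowing helpers. Same semantics as OpenZeppelin's SafeCast,
// reimplemented inline so the example stays self-contained.
library SafeCast {
    function toUint128(uint256 x) internal pure returns (uint128) {
        require(x <= type(uint128).max, "SafeCast: value does not fit in uint128");
        return uint128(x);
    }

    function toUint256(int256 x) internal pure returns (uint256) {
        require(x >= 0, "SafeCast: negative value");
        return uint256(x);
    }
}

// Hardened version: every narrowing or sign-changing conversion goes through a
// range check, so an out-of-range value reverts instead of corrupting accounting.
contract CheckedVault {
    using SafeCast for uint256;
    using SafeCast for int256;

    mapping(address => uint128) public shares;
    uint256 public totalAssets;
    uint256 public totalShares;

    function deposit(uint256 amount) external {
        uint256 minted = totalShares == 0 ? amount : amount * totalShares / totalAssets;
        shares[msg.sender] += minted.toUint128(); // reverts if minted >= 2**128
        totalShares += minted;
        totalAssets += amount;
    }

    function applyDelta(int256 delta) external {
        totalAssets += delta.toUint256(); // reverts on negative delta
    }
}
```

When reviewing, grep for every explicit conversion to a smaller or differently-signed type (`uint128(`, `uint64(`, `uint256(` applied to an `int`) and ask what the range of the converted value actually is; the compiler's overflow checks give no protection at those sites.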
Later in the year, he did 5 audits in one month, spending only a small amount of time on each. This was a mistake, since many bugs come from a deep, deep understanding of the protocol. From that month he learned that contests should be chosen according to your skill level. Additionally, simple and small contests should be avoided: there aren't many bugs, and the ones that exist get duplicated many times over, which dilutes the payout.
The next big audit was Chainlink CCIP, with a $185K H/M pot. For this one he went all in: before the contest he read through the documentation, audits of similar protocols, and talks. By doing this, he knew which bugs to look for and built a deep understanding of the protocol quite quickly. This led to finding all 3 highs and an 8th place finish.
In an audit where he found all 8 mediums, he only reported 6. He left 2 unreported because he considered them acceptable risks. The lesson: always ask the protocol team whether the behavior you found is intended. Worst case, you report it as well.
In an audit of the Wildcat protocol, he learned to always read the protocol's documentation and whitepaper. This lets you understand the expected use cases of the protocol, which aren't always obvious from the code.
At the end, he explains why he was able to achieve this: being extremely competitive and holding himself to a high standard. By reviewing previous misses, he adapted his auditing methodology so as not to miss those bugs again. Second, he wrote a PoC for every bug where one was possible and wrote very, very good reports, which earned nice bonuses. Additionally, really, really understanding the protocols in depth, including the hard edge cases, is what he seems to be best at.
The final section might be the most interesting: are contests worth it? You can't earn millions on C4 with the amount of competition there is, so top talent is moving to other venues. Sherlock tried to fix this with the Lead Senior Watson role, which takes a fixed share of the pool. Private audits, Immunefi, auditing firms and Spearbit are much more lucrative.
So, should you do contests? They're a great place to learn and to get opportunities: through them he received offers from Trust Security and Spearbit. Overall, an awesome post on his learnings and perspective from a year of auditing.