Almost every serious Web3 project follows three key steps: write good tests, get audits and audit contests on the codebase, and start a bug bounty program. This has substantially reduced the number of vulnerabilities in recent years.
Every once in a while, one of these projects with a significant bug bounty program gets hacked. Yearn and BalancerV2 are great examples of this. They are battle-tested and have large bounties. How can we prevent this from happening? Some folks suggest that higher bounties would have protected the protocols. The blog post dives into why this isn't the case.
At times, a bad actor will return the funds but keep a small portion, like 10%. There's a difference between the total value locked (TVL) and the treasury. TVL is usually user funds, and the treasury is protocol funds. The protocol has legal authority to spend funds from the treasury but not the TVL. Unfortunately, the risk scales with TVL, but the security budget doesn't: the amount of funds at risk doesn't directly correlate with how much a protocol can pay out, because the protocol doesn't own that money itself.
The second issue is around capital efficiency. How do we allocate funds for a bug bounty program? Raising the bounty makes it inefficient because this money will just sit around. Protocols would need to keep this on hand in case of a critical vulnerability, instead of using the money on other things, like more audits.
Raising the bounty creates a perverse relationship between the whitehat and the protocol. If there's a horrible vulnerability at launch that is unlikely to be found by anyone else, then the whitehat is incentivized to hold onto the bug until there's a lot of TVL at risk to maximize their bounty. Whitehats who do this full-time are unlikely to look at very battle-tested code because the rate of return is very low. There's really no dollar amount that would make this effort worthwhile.
So, what can we do? Reaudits. Get the code looked at again and again. In other industries, audits are conducted annually to ensure compliance, so why not do that here as well? Having a bug bounty program is part of the process, but raising it from $5M to 10% of funds at risk wouldn't have the positive effect that people think it would. Overall, a great article on the state of security in crypto.