Entering the competition
My auditing journey started by competing on Code4rena and Sherlock from the 20th of September to the 14th of November, 2022.
Here’s a quick summary of my results:
Project | Hours | H | M | Payout | SLOC |
---|---|---|---|---|---|
VTVL | 12 | 0 | 1 | 19$ | ~240 |
Art Gobblers | 35 | 1 | 2 | 5299$ | ~1500 |
Blur Exchange | 18 | 0 | 3 | 164$ | ~800 |
Trader Joe | 57 | 1 | 1 | 13521$ | ~4500 |
Astaria | 45 | 3 | 4 | 1400$ | ~2000 |
Chainlink Staking | 60 | ? | ? | 19328$ | ~1500 |
The boring analysis
I took part in 6 different contests, earning a total of ~40k$ in rewards.
I audited code for a total of 227 hours over a 55-day timeframe, working an average of ~4 hours a day at an hourly rate of ~175$.
The beginnings
I learn best by doing, so I started the Ethernaut and Damn Vulnerable DeFi CTFs right away, just to get a sense of what a vulnerability even looks like. After that I jumped straight into the Code4rena pit. This might sound like an easy step, but it was an incredibly difficult one. I never feel ready for anything. Never. And for sure I wasn’t ready this time. I was scared: what if I tried my best and failed?
I thought about a possible strategy I could adopt, and I came up with one fairly quickly. My best shot was trying to fully understand a codebase and look for logical bugs that lead to less obvious highs and mediums. I had a sense that few people were willing to go deep, so that was my edge.
It turns out it’s true: not many are willing to go deep. And now I know why. It’s hard. It’s really hard. For the first several hours it feels like you are fighting a monster you could never possibly defeat, trying to climb a mountain nobody has ever climbed. It feels hopeless. Then it clicks, and all of a sudden you get it. Now the codebase is your playground, so let the game begin.
VTVL
Hours | H | M | Payout | SLOC |
---|---|---|---|---|
12 | 0 | 1 | 19$ | ~240 |
As I feared, my first audit was a complete disappointment. All I was able to find was one very simple medium out of the 10 mediums reported; 2 highs were also found.
Art Gobblers
Hours | H | M | Payout | SLOC |
---|---|---|---|---|
35 | 1 | 2 | 5299$ | ~1500 |
I knew the codebase was going to be well written and have few bugs; after all, it’s a Paradigm project.
How nice would it be for a newbie like me to spot a high vulnerability in a codebase written by industry leaders? I went into it with the mindset of a warrior. If there was a high, I WAS going to find it.
To my surprise, I ended up actually doing it. Not only that, but I identified all the issues that, in my opinion, mattered. I caught 1 high out of 1 and 2 mediums out of 3. I’m honestly impressed by what I did here.
Blur Exchange
Hours | H | M | Payout | SLOC |
---|---|---|---|---|
18 | 1 | 0 | 164$ | ~800 |
Another project by Paradigm. I jumped into it with the same mentality as Art Gobblers.
There were 2 total findings in this project, a high and a medium. I was able to catch the high, but not the medium. Happy with my performance, a bit annoyed by the payout.
Trader Joe
Hours | H | M | Payout | SLOC |
---|---|---|---|---|
57 | 1 | 1 | 13521$ | ~4500 |
My first big codebase. My first big payout. It’s counterintuitive, but I’m very disappointed with this one. I missed 4 highs and 7 mediums, some of which were very easy to spot.
Luckily, my strategy of looking deep played a helpful role in terms of payout, allowing me to spot a tough logical bug. It’s a vicious way of stealing funds that only another warden (@trust__90) and I were able to spot. Worth a read.
Astaria
Hours | H | M | Payout | SLOC |
---|---|---|---|---|
45 | 3 | 4 | 1400$ | ~2000 |
This one was tough. The codebase was buggy, and I really dislike buggy codebases. I can’t make sense of them; I’m not even sure what the code is supposed to do.
I ended up quitting before auditing the whole project, out of irritation. Of the 45 hours, a big chunk was spent writing reports for the 3 highs and 4 mediums I was able to catch.
The project would end up with 27 high and 26 medium findings.
Chainlink Staking
Hours | H | M | Payout | SLOC |
---|---|---|---|---|
60 | ? | ? | 19328$ | ~1500 |
This was my best performance, by far. I spent a lot of time on it, which led to me finishing first in the final rankings. I believe what gave me a real edge here was the length of the contest, 14 days, and the fact that for the whole time I was 100% focused on it.
Unfortunately, it’s a classified audit for which I cannot give any extra details.