Entering the competition

My auditing journey started by competing on Code4rena and Sherlock from the 20th of September to the 14th of November, 2022.

Here’s a quick summary of my results:

Project Hours Highs Mediums Payout SLOC
VTVL 12 0 1 19$ ~240
Art Gobblers 35 1 2 5299$ ~1500
Blur Exchange 18 0 3 164$ ~800
Trader Joe 57 1 1 13521$ ~4500
Astaria 45 3 4 1400$ ~2000
Chainlink Staking 60 ? ? 19328$ ~1500

The boring analysis

I took part in 6 different contests earning a total amount of ~40k$ in rewards.

I audited code for a total of 227 hours during a 55-day timeframe, working an average of ~4 hours a day for an hourly rate of ~175$ per hour.

The beginnings

I learn best while doing, so I started the Ethernaut and Damn Vulnerable DeFi CTFs right away, just to get a sense of what a vulnerability even looks like. After that I jumped straight into the Code4rena pit. This might sound like an easy step, but it was an incredibly difficult one. I never feel ready for anything. Never. And for sure I wasn’t ready this time. I was scared: what if I tried my best and failed?

I thought about a possible strategy I could adopt, and I came up with one fairly quickly. My best shot was trying to fully understand a codebase and look for logical bugs that lead to less obvious highs and mediums. I had a sense few people were willing to go deep, so that was my edge.

It turns out it’s true, not many are willing to go deep. And now I know why. It’s hard. It’s really hard. For the first several hours it feels like you are fighting a monster you could possibly never defeat. Trying to climb a mountain nobody ever climbed. It feels hopeless. Then it clicks, and all of a sudden you get it. Now the codebase is your playground, so let the game begin.

VTVL

Hours Highs Mediums Payout SLOC
12 0 1 19$ ~240

As I feared, my first audit was a complete disappointment. All I was able to find was a very simple medium vulnerability out of 10; 2 highs were also found.

Art Gobblers

Hours Highs Mediums Payout SLOC
35 1 2 5299$ ~1500

I knew the codebase was going to be well written, with few bugs; after all, it’s a Paradigm project.

How nice would it be for a newbie like me to spot a high vulnerability in a codebase written by industry leaders? I went into it with the mindset of a warrior. If there was a high, I WAS going to find it.

To my surprise, I ended up actually doing it. Not only that, but I identified all the issues that, in my opinion, mattered. I caught 1 high out of 1 and 2 mediums out of 3. I’m honestly impressed by what I did here.

Blur Exchange

Hours Highs Mediums Payout SLOC
18 1 0 164$ ~800

Another project by Paradigm. I jumped into it with the same mentality as Art Gobblers.

There were 2 total findings in this project, a high and a medium. I was able to catch the high, but not the medium. Happy with my performance, a bit annoyed by the payout.

Trader Joe

Hours Highs Mediums Payout SLOC
57 1 1 13521$ ~4500

My first big codebase. My first big payout. It’s counterintuitive, but I’m very disappointed with this one. I missed 4 highs and 7 mediums, of which some were very easy to spot.

Luckily, my strategy of looking deep played a helpful role in terms of payout, allowing me to spot a tough logical bug. It’s a vicious way of stealing funds that only another warden (@trust__90) and I were able to spot. Worth a read.

Astaria

Hours Highs Mediums Payout SLOC
45 3 4 1400$ ~2000

This one was tough. The codebase was buggy, and I really dislike buggy codebases. I can’t make sense of them, I’m not even sure what the code is supposed to do.

I would end up quitting before auditing the whole project, out of irritation. Of the 45 hours, a big chunk was spent writing reports for the 3 highs and 4 mediums I was able to catch.

The project would end up with 27 high and 26 medium findings.

Chainlink Staking

Hours Highs Mediums Payout SLOC
60 ? ? 19328$ ~1500

This was my best performance, by far. I spent a lot of time on it, which led to me getting first in the final rankings. I believe what gave me a real edge here was the length of the contest, 14 days, and the fact that for the whole time I was 100% focused on it.

Unfortunately it’s a classified audit for which I cannot give any extra details.