Full Time Bounty Hunter's Audit Methodology
Auditing methodology when looking for bugs in Smart Contracts, advice for bounty hunting on Code4rena and Immunefi.
100proof recently landed a bounty of 150k on Immunefi, watch the full interview below.
Full Podcast: https://www.youtube.com/watch?v=NEmwfl-zLuw
Web3 Bounty Hunter's 150k Payday
Story of how a smart contract bug earned him a bounty of 150k.
Full Podcast: https://www.youtube.com/watch?v=NEmwfl-zLuw
Bounty Acknowledgement:
https://twitter.com/NotionalFinance/status/1566089211068948480
Post Mortem:
https://blog.notional.finance/ntoken-redemption-bug-post-mortem/
PoC Code:
https://github.com/one-hundred-proof/notional-flash-attack
Follow 100proof on Twitter:
https://twitter.com/1_00_proof
Contact 100proof:
one.hundred.proof@proton.me
Web3 Bounty Hunting, Smart Contract Auditing, Computer Science and the Future of DeFi - 100proof
Receiving a 150k Bug Bounty.
100proof is a bounty hunter and independent security researcher working in the web3 security space.
In this conversation we explore decentralized finance, bounty hunting, smart contract auditing and the story of how he found a $1.5M bug on Notional, which earned him a bounty payout of 150k USD.
Bounty Acknowledgement:
https://twitter.com/NotionalFinance/status/1566089211068948480
Post Mortem:
https://blog.notional.finance/ntoken-redemption-bug-post-mortem/
PoC Code:
https://github.com/one-hundred-proof/notional-flash-attack
Follow 100proof on Twitter:
https://twitter.com/1_00_proof
Contact 100proof:
one.hundred.proof@proton.me
OUTLINE:
00:00 - Introduction
1:36 - Bitcoin
6:16 - Ethereum
7:58 - Blockchain
11:54 - PhD - Computer Science
15:58 - Developer Experience
19:09 - Mindset of a Hacker
22:26 - Formal Verification
34:13 - Code4rena
41:09 - How to Study
43:22 - Auditing Approach
48:01 - Learning Resources & Learning Approach
56:54 - Teaming up on Code4rena
1:03:43 - Bug Bounty Life
1:07:45 - Self Learning vs Learning on the Job
1:13:08 - CTFs
1:14:43 - Advice for New Wardens on Code4rena
1:18:01 - 150k Bug Bounty Payout
1:38:08 - Technical Details of the Bug
1:43:45 - Negotiating Bounty Payment
1:47:27 - Previous Bug Hunting Experience
1:52:02 - Million Dollar Bounties in Web3
1:54:28 - Hunting Bugs Full Time
1:59:54 - Web3 Salaries
2:03:52 - Bounty Hunting vs Full Time Job
2:06:50 - Web3 Job Interviews
2:11:46 - Advice for Students
2:16:04 - Balancing Family vs Work
2:22:09 - Hobbies
2:24:20 - Jujitsu/MMA
2:27:02 - $100M Mango Hack
2:31:25 - Future of Web3 Security
I Got A Job Offer
I got a job offer as a smart contract auditor in web3 security.
Beginner roadmap to smart contract auditing
https://www.youtube.com/watch?v=-469Gcye-ZE
Should I Join An Audit Firm
I am thinking about joining a smart contract auditing firm to improve my web3 hacking skills.
https://code4rena.com/
https://spearbit.com/
https://immunefi.com/
My Study Methodology
My note taking methodology for studying previous audit findings on code4rena.
Code4rena reports:
https://code4rena.com/reports
Tomo's Blog:
https://tom-sol.notion.site/TomoLabo-755d3474528145fd95e68ee90c18495a
Joplin:
https://joplinapp.org/
Cyber Security Salaries 2022
Australian Cyber Security salaries for 2022
Salary Guide:
https://github.com/andyfeili/cyber-security-salaries-2022
New Bounty Platform on Sherlock
Sherlock is coming out with their own form of Audit Contests next week.
https://app.sherlock.xyz/audits/contests
https://mirror.xyz/0xE400820f3D60d77a3EC8018d44366ed0d334f93C/jLxZ-Vhg79gCWZbDVMEIyo3JWMGblw7tnt2wkTpj3Yw
Unhacked CTF - Reaper
Recreating a 1.7M smart contract hack with the Reaper challenge from Unhacked CTF - based on the Reaper Farm hack that occurred in Aug 2022.
Links:
https://unhackedctf.substack.com/p/welcome
https://github.com/andyfeili/reaper
Over 10k Achieved in Web3 Bounties
My first unique medium severity finding and passing 10k in rewards on Code4rena.
Script to Generate Audit Reports on Code4rena
I developed a script to automatically generate Gas Optimization and QA reports for Code4rena audit contests.
OpenSea - Million Dollar Audit Contest
My results from participating in the OpenSea Seaport audit contest on Code4rena, taking a share of the 1 million dollar prize pool.
Too Late to Learn Web3 Security
Is it still worth it to learn web3 security now? Are the bounty rewards still good? My thoughts around whether it is still worth participating in audit contests on code4rena, and my future plans.
Reading Audit Reports - Cally
Walkthrough of the Cally audit report from Code4rena. Learn to find more bugs by reading past audit reports.
Audit Report:
https://code4rena.com/reports/2022-05-cally
More background on H-01
https://youtu.be/Bc4wUMlx4D4?t=265
80 Million Qubit Hack - relates to finding H-03:
https://halborn.com/explained-the-qubit-hack-january-2022/
Links to relevant findings:
https://github.com/andyfeili/cally
Smart Contract Auditing - Beginner Roadmap
https://www.youtube.com/watch?v=-469Gcye-ZE
Contents:
0:00 - [[H-01] no-revert-on-transfer ERC20 tokens can be drained]
2:19 - [[H-02] Inefficiency in the Dutch Auction due to lower duration]
6:38 - [[H-03] [WP-H0] Fake balances can be created for not-yet-existing ERC20 tokens, which allows attackers to set traps to steal funds from future users]
10:02 - [[M-01] Owner can modify the feeRate on existing vaults and steal the strike value on exercise]
11:21 - [[M-02] It shouldn’t be possible to create a vault with Cally’ own token]
12:57 - [[M-03] User’s may accidentally overpay in buyOption() and the excess will be paid to the vault creator]
14:07 - [[M-04] & [M-08] Support for Special Tokens]
16:43 - [[M-05] Expiration calculation overflows if call option duration ≥ 195 days]
18:20 - [[M-06] Owner can set the feeRate to be greater than 100% and cause all future calls to exercise to revert]
18:39 - [[M-07] Lack of 0 amount check allows malicious user to create infinite vaults]
19:13 - [[M-09] Use safeTransferFrom instead of transferFrom for ERC721 transfers]
19:44 - [[M-10] createVault() does not confirm whether tokenType and token’s type are the same]
21:00 - [Progress Update]
Learn from Reading Audit Reports (Sturdy Report)
Walkthrough of the Sturdy audit report from Code4rena. Learn to find more bugs by reading past audit reports.
https://code4rena.com/reports/2022-05-sturdy
Links to similar findings:
https://github.com/andyfeili/sturdy
Smart Contract Auditing - Beginner Roadmap
https://www.youtube.com/watch?v=-469Gcye-ZE
Contents:
0:00 - [Intro]
5:22 - [H-01 Hard-coded slippage may freeze user funds during market turbulence]
8:21 - [H-02 The check for value transfer success is made after the return statement in _withdrawFromYieldPool of LidoVault]
8:49 - [M-01 Possible lost msg.value]
10:38 - [M-02 UNISWAP_FEE is hardcoded which will lead to significant losses compared to optimal routing]
13:40 - [M-03 processYield() and distributeYield() may run out of gas and revert due to long list of extra rewards/yields]
15:01 - [M-04 ConvexCurveLPVault’s _transferYield can become stuck with zero reward transfer]
16:22 - [M-05 Withdrawing ETH collateral with max uint256 amount value reverts transaction]
17:01 - [M-06 Yield can be unfairly divided because of MEV/Just-in-time stablecoin deposits]
My BIGGEST Bounty Yet
Walkthrough of the first two high severity findings I discovered auditing Solidity smart contracts on Code4rena.
First Finding: The check for value transfer success is made after the return statement
https://github.com/code-423n4/code423n4.com/blob/main/_data/reports/2022-05-sturdy.md#h-02-the-check-for-value-transfer-success-is-made-after-the-return-statement-in-_withdrawfromyieldpool-of-lidovault
Second Finding: no-revert-on-transfer ERC20 tokens can be drained
https://github.com/code-423n4/code423n4.com/blob/main/_data/reports/2022-05-cally.md#h-01-no-revert-on-transfer-erc20-tokens-can-be-drained
Additional Reading:
Return Unchecked - Low Level Calls:
https://github.com/code-423n4/code423n4.com/blob/main/_data/reports/2021-11-bootfinance.md#m-02-unchecked-low-level-calls
https://github.com/code-423n4/code423n4.com/blob/main/_data/reports/2021-11-malt.md#m-12-permissions---return-values-not-checked-when-sending-eth
https://github.com/code-423n4/code423n4.com/blob/main/_data/reports/2021-12-nftx.md#m-08-low-level-call-return-value-not-checked
ERC721 - safeTransferFrom:
https://github.com/code-423n4/code423n4.com/blob/main/_data/reports/2022-05-cally.md#m-09-use-safetransferfrom-instead-of-transferfrom-for-erc721-transfers
https://github.com/code-423n4/code423n4.com/blob/main/_data/reports/2022-04-backed.md#m-03-sendcollateralto-is-unchecked-in-closeloan-which-can-cause-users-collateral-nft-to-be-frozen
https://github.com/code-423n4/code423n4.com/blob/main/_data/reports/2022-04-backed.md#m-07-mintborrowticketto-can-be-a-contract-with-no-onerc721received-method-which-may-cause-the-borrowticket-nft-to-be-frozen-and-put-users-funds-at-risk
https://github.com/code-423n4/code423n4.com/blob/main/_data/reports/2022-01-sandclock.md#m-09-no-use-of-safemint-as-safe-guard-for-users-
Content:
00:00 - [Intro]
0:32 - [First Finding - $14.84]
4:25 - [Second Finding - $3071.03]
12:07 - [Progress Update]
Beginner Roadmap to Smart Contract Auditing
A guide for beginners to get into web3 smart contract auditing. Sharing the learning resources I used to get to this point and talking about my future goals on code4rena.
Links:
https://code4rena.com/
https://cmichel.io/how-to-become-a-smart-contract-auditor/
https://ethernaut.openzeppelin.com/
https://teachyourselfcrypto.com/
https://secureum.substack.com/
Slides:
https://docs.google.com/presentation/d/1Zx9DoS4wTAfu7d2WSSQHuVp3c1hwO3mOS3K76EbhIAE
First Month of Bug Hunting
Results of the first month of bug hunting on Code4rena - auditing smart contracts.
First medium finding confirmed + reading more audit reports
https://code4rena.com/
1M Audit Contest Running
The biggest audit contest to date on Code4rena (OpenSea Seaport), currently running with a prize pool of $1,000,000.
OpenSea Seaport is a marketplace contract for creating and fulfilling orders for NFTs (ERC721) and ERC1155 items.
Leaderboard update, sharing my learning progress from reading past audit reports and participating in more audit contests.
https://code4rena.com/contests/2022-05-opensea-seaport-contest
https://github.com/AndyFeiLi/SecureumFindings
My Progress on Code4rena
Update from the last 20 days of participating in audit competitions on Code4rena.
Another payout confirmed with more incoming, progress with learning and sharing the findings from my first audit competition.
https://code4rena.com/
https://secureum.substack.com/
My First Bug Bounty
How I got my first bug bounty from a Code4rena solidity audit contest.
https://code4rena.com/
https://cmichel.io/how-to-become-a-smart-contract-auditor/