afeli

Auditing methodology when looking for bugs in Smart Contracts, advice for bounty hunting on Code4rena and Immunefi. 100proof recently landed a bounty of 150k on Immunefi, watch the full interview below. Full Podcast: https://www.youtube.com/watch?v=NEmwfl-zLuw

Story of how a smart contract bug earned him a bounty of 150k. Full Podcast: https://www.youtube.com/watch?v=NEmwfl-zLuw Bounty Acknowledgement: https://twitter.com/NotionalFinance/status/1566089211068948480 Post Mortem: https://blog.notional.finance/ntoken-redemption-bug-post-mortem/ PoC Code: https://github.com/one-hundred-proof/notional-flash-attack Follow 100proof on Twitter: https://twitter.com/1_00_proof Contact 100proof: one.hundred.proof@proton.me

Receiving a 150k Bug Bounty. 100proof is a bounty hunter and independent security researcher working in the web3 security space. In this conversation we explore decentralized finance, bounty hunting, smart contract auditing and the story of how he found a $1.5M bug on Notional, which earned him a bounty payout of 150k USD. Bounty Acknowledgement: https://twitter.com/NotionalFinance/status/1566089211068948480 Post Mortem: https://blog.notional.finance/ntoken-redemption-bug-post-mortem/ PoC Code: https://github.com/one-hundred-proof/notional-flash-attack Follow 100proof on Twitter: https://twitter.com/1_00_proof Contact 100proof: one.hundred.proof@proton.me OUTLINE: 00:00 - Introduction 1:36 - Bitcoin 6:16 - Ethereum 7:58 - Blockchain 11:54 - PhD - Computer Science 15:58 - Developer Experience 19:09 - Mindset of a Hacker 22:26 - Formal Verification 34:13 - Code4rena 41:09 - How to Study 43:22 - Auditing Approach 48:01 - Learning Resources & Learning Approach 56:54 - Teaming up on Code4rena 1:03:43 - Bug Bounty Life 1:07:45 - Self Learning vs Learning on the Job 1:13:08 - CTFs 1:14:43 - Advice for New Wardens on Code4rena 1:18:01 - 150k Bug Bounty Payout 1:38:08 - Technical Details of the Bug 1:43:45 - Negotiating Bounty Payment 1:47:27 - Previous Bug Hunting Experience 1:52:02 - Million Dollar Bounties in Web3 1:54:28 - Hunting Bugs Full Time 1:59:54 - Web3 Salaries 2:03:52 - Bounty Hunting vs Full Time Job 2:06:50 - Web3 Job Interviews 2:11:46 - Advice for Students 2:16:04 - Balancing Family vs Work 2:22:09 - Hobbies 2:24:20 - Jujitsu/MMA 2:27:02 - $100M Mango Hack 2:31:25 - Future of Web3 Security

I got a job offer as a smart contract auditor in web3 security. Beginner roadmap to smart contract auditing https://www.youtube.com/watch?v=-469Gcye-ZE

I am thinking about joining a smart contract auditing firm to improve my web3 hacking skills. https://code4rena.com/ https://spearbit.com/ https://immunefi.com/

My note taking methodology for studying previous audit findings on code4rena. Code4rena reports: https://code4rena.com/reports Tomo's Blog: https://tom-sol.notion.site/TomoLabo-755d3474528145fd95e68ee90c18495a Joplin: https://joplinapp.org/

Australian Cyber Security salaries for 2022 Salary Guide: https://github.com/andyfeili/cyber-security-salaries-2022

Sherlock is coming out with their own form of Audit Contests next week. https://app.sherlock.xyz/audits/contests https://mirror.xyz/0xE400820f3D60d77a3EC8018d44366ed0d334f93C/jLxZ-Vhg79gCWZbDVMEIyo3JWMGblw7tnt2wkTpj3Yw

Recreating a 1.7M smart contract hack with the Reaper challenge from Unhacked CTF - based on the Reaper Farm hack that occurred in Aug 2022. Links: https://unhackedctf.substack.com/p/welcome https://github.com/andyfeili/reaper

My first unique medium severity finding and passing 10k in rewards on Code4rena.

I developed a script to automatically generate Gas Optimization and QA reports for Code4rena audit contests.

My results from participating in the OpenSea Seaport audit contest on Code4rena, taking a share of the 1 million dollar prize pool.

Is it still worth it to learn web3 security now? Are the bounty rewards still good? My thoughts around whether it is still worth participating in audit contests on code4rena, and my future plans.

Walkthrough of the Cally audit report from Code4rena. Learn to find more bugs by reading past audit reports. Audit Report: https://code4rena.com/reports/2022-05-cally More background on H-01 https://youtu.be/Bc4wUMlx4D4?t=265 80Million Qubit Hack - relates to finding H-03 https://halborn.com/explained-the-qubit-hack-january-2022/ Links to relevant findings: https://github.com/andyfeili/cally Smart Contract Auditing - Beginner Roadmap https://www.youtube.com/watch?v=-469Gcye-ZE Contents: 0:00 - [[H-01] no-revert-on-transfer ERC20 tokens can be drained] 2:19 - [[H-02] Inefficiency in the Dutch Auction due to lower duration] 6:38 - [[H-03] [WP-H0] Fake balances can be created for not-yet-existing ERC20 tokens, which allows attackers to set traps to steal funds from future users] 10:02 - [[M-01] Owner can modify the feeRate on existing vaults and steal the strike value on exercise] 11:21 - [[M-02] It shouldn’t be possible to create a vault with Cally’ own token] 12:57 - [[M-03] User’s may accidentally overpay in buyOption() and the excess will be paid to the vault creator] 14:07 - [[M-04] & [M-08] Support for Special Tokens] 16:43 - [[M-05] Expiration calculation overflows if call option duration ≥ 195 days] 18:20 - [[M-06] Owner can set the feeRate to be greater than 100% and cause all future calls to exercise to revert] 18:39 - [[M-07] Lack of 0 amount check allows malicious user to create infinite vaults] 19:13 - [[M-09] Use safeTransferFrom instead of transferFrom for ERC721 transfers] 19:44 - [[M-10] createVault() does not confirm whether tokenType and token’s type are the same] 21:00 - [Progress Update]

Walkthrough of the Sturdy audit report from Code4rena. Learn to find more bugs by reading past audit reports. https://code4rena.com/reports/2022-05-sturdy Links to similar findings https://github.com/andyfeili/sturdy Smart Contract Auditing - Beginner Roadmap https://www.youtube.com/watch?v=-469Gcye-ZE Contents: 0:00 - [Intro] 5:22 - [H-01 Hard-coded slippage may freeze user funds during market turbulence] 8:21 - [H-02 The check for value transfer success is made after the return statement in _withdrawFromYieldPool of LidoVault] 8:49 - [M-01 Possible lost msg.value] 10:38 - [M-02 UNISWAP_FEE is hardcoded which will lead to significant losses compared to optimal routing] 13:40 - [M-03 processYield() and distributeYield() may run out of gas and revert due to long list of extra rewards/yields] 15:01 - [M-04 ConvexCurveLPVault’s _transferYield can become stuck with zero reward transfer] 16:22 - [M-05 Withdrawing ETH collateral with max uint256 amount value reverts transaction] 17:01 - [M-06 Yield can be unfairly divided because of MEV/Just-in-time stablecoin deposits]

Walkthrough of the first two high severity findings I discovered auditing Solidity smart contracts on Code4rena. First Finding: The check for value transfer success is made after the return statement https://github.com/code-423n4/code423n4.com/blob/main/_data/reports/2022-05-sturdy.md#h-02-the-check-for-value-transfer-success-is-made-after-the-return-statement-in-_withdrawfromyieldpool-of-lidovault Second Finding: no-revert-on-transfer ERC20 tokens can be drained https://github.com/code-423n4/code423n4.com/blob/main/_data/reports/2022-05-cally.md#h-01-no-revert-on-transfer-erc20-tokens-can-be-drained Additional Reading: Return Unchecked - Low Level Calls: https://github.com/code-423n4/code423n4.com/blob/main/_data/reports/2021-11-bootfinance.md#m-02-unchecked-low-level-calls https://github.com/code-423n4/code423n4.com/blob/main/_data/reports/2021-11-malt.md#m-12-permissions---return-values-not-checked-when-sending-eth https://github.com/code-423n4/code423n4.com/blob/main/_data/reports/2021-12-nftx.md#m-08-low-level-call-return-value-not-checked ERC721 - safeTransferFrom: https://github.com/code-423n4/code423n4.com/blob/main/_data/reports/2022-05-cally.md#m-09-use-safetransferfrom-instead-of-transferfrom-for-erc721-transfers https://github.com/code-423n4/code423n4.com/blob/main/_data/reports/2022-04-backed.md#m-03-sendcollateralto-is-unchecked-in-closeloan-which-can-cause-users-collateral-nft-to-be-frozen https://github.com/code-423n4/code423n4.com/blob/main/_data/reports/2022-04-backed.md#m-07-mintborrowticketto-can-be-a-contract-with-no-onerc721received-method-which-may-cause-the-borrowticket-nft-to-be-frozen-and-put-users-funds-at-risk https://github.com/code-423n4/code423n4.com/blob/main/_data/reports/2022-01-sandclock.md#m-09-no-use-of-safemint-as-safe-guard-for-users- Content: 00:00 - [Intro] 0:32 - [First Finding - $14.84] 4:25 - [Second Finding - $3071.03] 12:07 - [Progress Update]

A guide for beginners to get into web3 smart contract auditing. Sharing the learning resources I used to get to this point and talking about my future goals on code4rena. Links: https://code4rena.com/ https://cmichel.io/how-to-become-a-smart-contract-auditor/ https://ethernaut.openzeppelin.com/ https://teachyourselfcrypto.com/ https://secureum.substack.com/ Slides: https://docs.google.com/presentation/d/1Zx9DoS4wTAfu7d2WSSQHuVp3c1hwO3mOS3K76EbhIAE

Results of the first month of bug hunting on Code4rena - auditing smart contracts. First medium finding confirmed + reading more audit reports https://code4rena.com/

The biggest audit contest to date on Code4rena (OpenSea Seaport), currently running with a prize pool of $1,000,000. OpenSea Seaport is a marketplace contract for creating and fulfilling orders for NFTs (ERC721) and ERC1155 items. Leaderboard update, sharing my learning progress from reading past audit reports and participating in more audit contests. https://code4rena.com/contests/2022-05-opensea-seaport-contest https://github.com/AndyFeiLi/SecureumFindings

Update from the last 20 days of participating in audit competitions on Code4rena. Another payout confirmed with more incoming, progress with learning and sharing the findings from my first audit competition. https://code4rena.com/ https://secureum.substack.com/

How I got my first bug bounty from a Code4rena solidity audit contest. https://code4rena.com/ https://cmichel.io/how-to-become-a-smart-contract-auditor/