3 months as a Smart Contract Auditor
During the last 3 months I’ve experimented with being a part-time, independent smart contract auditor, focused on DeFi. As I explained in my previous post the whole field was completely unknown to me. I started to gain interest when I saw how successful and widespread the whole thing was, while at the same time feeling early stage for a lot of stuff: the concepts, the developer tools, the programming languages, and so on. When an entire new sector is created from scratch, with new startups constantly trying to innovate more every day and reach the top, time-to-market is the most important metric. Consequently, bugs thrive.
Build up some knowledge
After reading up on the basics of Solidity and the EVM, I went to look for techniques that could help me understand the most common pitfalls with smart contract development, as well as Solidity oddities. Capture the Ether and Ethernaut are two good places to start building up specific knowledge to understand many of these concepts, such as reentrancy, cryptography basics, etc. They also explore some Ethereum standards (ERC), the most famous being ERC20, which encodes the “token” behaviour and is probably the most common type of contract out there.
At this point I could grasp the basics, so I went to focus on the many writings, blog posts and Twitter threads regarding past vulnerabilities: either exploited in the wild by blackhats with economic damages for the affected protocols, or reported by whitehats before any possible economic damage. Some people describe how to repro some of the exploits using actual code, along with a local environment that reproduces the state of the blockchain a moment before the rogue transaction. This is amazing for many reasons: instead of theoretical/pseudocode analysis, you get real snippets and sometimes even repositories that you can use to replay the hacks on your laptop!
Meanwhile, you should go and read as many codebases as you can. As usual, start from the simple ones like OZ standards or protocols you already understand very well. Then focus on a specific area (lending, staking, etc) and study one repository very well, possibly the one that originally created the concept. For example it’s nice to understand the inner workings of MasterChef, having been forked and reimplemented by so many different protocols.
I did all the aforementioned things while I was looking for exploits in contracts, not before. That approach may not be suitable for everybody, but I’m more of a top-down person: I get bored very fast and I can’t stand studying everything - what’s the definition of everything by the way? - upfront. I need to get my hands dirty as soon as I understand the general idea, and learn on the go, then come back, make mistakes, rinse and repeat. If you feel overwhelmed by the amount of stuff you need to study in this field, that’s completely normal and fine. Stop when you feel uncomfortable, go back to the basics, write some code, and keep going.
I’ve been kind of active on two platforms: code4rena AKA C4 and Immunefi. They share the same principle: reward good hackers (whitehats) to find bugs in DeFi protocols. However, they are based on two very different concepts, so I’ll go into each of them individually.
C4
C4 offers an innovative approach for bounty hunters. A project offers an amount of money (usually ranging from $30k to $100k) to make hackers compete against each other and find as many problems as they can in the project’s smart contracts, during a limited timespan. The project locks the said amount of money in an escrow and when the contest ends, the hackers’ reports are analyzed and they are rewarded proportionately, using a formula that takes into account the severity of the issues as well as how many other hackers reported the same issues. This is amazing because the payout is guaranteed and fair, which is a very big issue of traditional bounties. Last but not least, projects create contests focused on contracts that are not live, so C4 works as a distributed audit platform.
I’ve been involved in ~15 C4 contests, using an alias, and I got to half of the leaderboard where all the hackers are rated based on their performance. It’s been an amazing ride so far, and the entry barrier is really not high: you can report only issues you are comfortable with, and they will be taken into account. Furthermore, all the reports of the past contests are publicly available, so you can study them before actually getting involved.
I started tackling easier challenges, dealing with simple protocols, spotting informational issues and gas optimizations. Then I read more and more reports and protocols’ code, which led to more substantial findings: draining funds, locking funds, wrong accounting, and so on. It was a read-heavy gig, I swear!
Immunefi
Immunefi is a traditional bug bounty platform, focused on web3. I think it’s the biggest platform in the ecosystem, but I may be wrong. You can find a list of projects that applied, along with the type of submissions they accept (smart contracts, web, mobile apps) and a payout range based on the severity. Contrary to C4, there is no escrow here, so you have to speak directly with the project’s people, share the details with them and convince them you have a real bug in your hand. Also contrary to C4, you only deal with live contracts/websites, which is why projects are encouraged to read your reports.
I reported around ~10 issues, 3 of which have been acknowledged and led to a payout. Two of them were low severity, web vulnerabilities I found on a couple DEXes. The last one was a critical smart contract vulnerability, found on the wxBTRFLY token of the Redacted Cartel protocol, for which you can read a detailed writeup on the Immunefi blog.
Generally speaking, Immunefi requires more effort than C4 on the communication side since you have to personally deal with the projects themselves. On C4 you just have to find bugs, write them down, and submit them. There is no follow up, you either get paid if the bug was valid, or you don’t if it was invalid. That’s all.
On the other hand, Immunefi’s top bounties are in the millions of dollars, and a lot of the biggest DeFi projects are up there. You may experience the thrill of finding a bug that causes actual economic damage. It’s a lot different than “synthetic” C4 contests, but also a lot harder. It’s up to you to find your place on either, or both, of the two platforms.