# Table of Contents - [Preface | Art Of Auditing](#preface-art-of-auditing) - [@zigtur | Art Of Auditing](#-zigtur-art-of-auditing) - [@bobface16 | Art Of Auditing](#-bobface16-art-of-auditing) - [@lonelysloth_sec | Art Of Auditing](#-lonelysloth-sec-art-of-auditing) - [@kankodu | Art Of Auditing](#-kankodu-art-of-auditing) - [@cergyk1337 | Art Of Auditing](#-cergyk1337-art-of-auditing) - [@0xEV_om | Art Of Auditing](#-0xev-om-art-of-auditing) - [@riproprip | Art Of Auditing](#-riproprip-art-of-auditing) - [@akshaysrivastv | Art Of Auditing](#-akshaysrivastv-art-of-auditing) - [@J4X_Security | Art Of Auditing](#-j4x-security-art-of-auditing) - [@pkqs90 | Art Of Auditing](#-pkqs90-art-of-auditing) - [@EgisSec | Art Of Auditing](#-egissec-art-of-auditing) - [@gjaldon | Art Of Auditing](#-gjaldon-art-of-auditing) - [@DadeKuma | Art Of Auditing](#-dadekuma-art-of-auditing) - [@Draiakoo | Art Of Auditing](#-draiakoo-art-of-auditing) - [@windhustler | Art Of Auditing](#-windhustler-art-of-auditing) - [@neumoXX | Art Of Auditing](#-neumoxx-art-of-auditing) - [@santipu_ | Art Of Auditing](#-santipu-art-of-auditing) - [@_blockian | Art Of Auditing](#-blockian-art-of-auditing) - [@n4nika_ | Art Of Auditing](#-n4nika-art-of-auditing) - [@Guhu95 | Art Of Auditing](#-guhu95-art-of-auditing) - [@Alex the Entreprenerd | Art Of Auditing](#-alex-the-entreprenerd-art-of-auditing) - [@winnie | Art Of Auditing](#-winnie-art-of-auditing) - [@BowTiedDravee | Art Of Auditing](#-bowtieddravee-art-of-auditing) - [@bahurum | Art Of Auditing](#-bahurum-art-of-auditing) - [@el_hajin | Art Of Auditing](#-el-hajin-art-of-auditing) - [@rootedrescue | Art Of Auditing](#-rootedrescue-art-of-auditing) - [@0xadrii | Art Of Auditing](#-0xadrii-art-of-auditing) - [@deliriusz_eth | Art Of Auditing](#-deliriusz-eth-art-of-auditing) - [@0xFrankCastle | Art Of Auditing](#-0xfrankcastle-art-of-auditing) - [@merkle_bonsai | Art Of Auditing](#-merkle-bonsai-art-of-auditing) - [@__nnez | Art Of Auditing](#-nnez-art-of-auditing) - [@csanuragjain | Art Of Auditing](#-csanuragjain-art-of-auditing) - [@iamdirky | Art Of Auditing](#-iamdirky-art-of-auditing) - [@Trungore | Art Of Auditing](#-trungore-art-of-auditing) - [@m4rio_eth | Art Of Auditing](#-m4rio-eth-art-of-auditing) - [@Al_Qa_qa | Art Of Auditing](#-al-qa-qa-art-of-auditing) - [@Haxatron1 | Art Of Auditing](#-haxatron1-art-of-auditing) - [@Czar102 | Art Of Auditing](#-czar102-art-of-auditing) - [@Said | Art Of Auditing](#-said-art-of-auditing) - [@0xjuaan | Art Of Auditing](#-0xjuaan-art-of-auditing) - [@0xMinhT | Art Of Auditing](#-0xminht-art-of-auditing) - [@0xSorryNotSorry | Art Of Auditing](#-0xsorrynotsorry-art-of-auditing) - [@zzykxx | Art Of Auditing](#-zzykxx-art-of-auditing) - [@0xT1MOH | Art Of Auditing](#-0xt1moh-art-of-auditing) - [@bauchibred | Art Of Auditing](#-bauchibred-art-of-auditing) - [@tpiliposian | Art Of Auditing](#-tpiliposian-art-of-auditing) - [@abarbatei | Art Of Auditing](#-abarbatei-art-of-auditing) - [@0xArzzz | Art Of Auditing](#-0xarzzz-art-of-auditing) - [@krikoeth | Art Of Auditing](#-krikoeth-art-of-auditing) - [@MrPotatoMagic | Art Of Auditing](#-mrpotatomagic-art-of-auditing) - [@peak_bolt | Art Of Auditing](#-peak-bolt-art-of-auditing) - [@NonseOdion | Art Of Auditing](#-nonseodion-art-of-auditing) - [@pks_ | Art Of Auditing](#-pks-art-of-auditing) - [@0xCiphky | Art Of Auditing](#-0xciphky-art-of-auditing) - [@00xSEV | Art Of Auditing](#-00xsev-art-of-auditing) - [@Stalin_eth | Art Of Auditing](#-stalin-eth-art-of-auditing) - [@0xb0g0 | Art Of Auditing](#-0xb0g0-art-of-auditing) - [WALL OF WISDOM | Art Of Auditing](#wall-of-wisdom-art-of-auditing) - [Template | Art Of Auditing](#template-art-of-auditing) --- # Preface | Art Of Auditing ![Page cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FwHOEhhyDWtYlAxxPVmt8%252FUntitled-1.jpg%3Falt%3Dmedia%26token%3D53a418bb-3ef0-4ec3-984a-8a7fa343f140&width=1248&dpr=4&quality=100&sign=94255264&sv=2) ![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252F8etDGNTxXKIONqvLt2yV%252Fimage%2520%2829%29.png%3Falt%3Dmedia%26token%3D8bcd56a1-a668-4760-9880-f24c861b9f10&width=768&dpr=4&quality=100&sign=dd3d30b0&sv=2)![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FWqcXCX36MT9997VQXxdd%252Fimage-%2829%29-trans1.png%3Falt%3Dmedia%26token%3D19b48936-94b6-47fc-8c26-5386cd352873&width=768&dpr=4&quality=100&sign=35377a00&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing#what-is-this-resource-and-why-does-it-exist) What is this resource and why does it exist ? _**The Art of Auditing**_ is a community-driven resource that brings together the knowledge and battle-tested expertise of top-performing, reputable experts in web3 security. This resource is a **carefully curated** collection of insights from the best web3 security experts, designed to serve as a **repository of collective wisdom** built on **thousands of hours** of hands-on auditing experience. Each contributor has been **carefully handpicked** from the leaderboards of contest and bug bounty platforms to make sure the end result represents the `creme de la creme` of accumulated web3 security knowledge. ### [](https://web3-sec.gitbook.io/art-of-auditing#who-is-the-author) Who is the author? This is a **community-driven resource** designed to bring together the **expertise of top auditors** in one place, empowering everyone in the web3 security space to learn, progress, get inspired and improve. This resource is **NOT** owned by any individual, it is also **NOT** a book (it just looks fancy). **Every contributor** retains **full authorship, ownership** and **credit** for their unique contributions. ### [](https://web3-sec.gitbook.io/art-of-auditing#who-maintains-this) Who maintains this ? I'm [**b0g0**](https://twitter.com/xb0g0) , the initiator and maintainer of this public resource. I do **NOT** claim any ownership or authorship - each contributor is fully credited for their own insights. My mission in this is simply to unify the individual expertise of top auditors and hunters in one single place and make it accessible so that everyone can benefit from that collective wisdom. ### [](https://web3-sec.gitbook.io/art-of-auditing#how-to-contribute) How to contribute ? If you're an experienced auditor with proven achievements and would like to contribute to the **collective web3 knowledge**, feel free to reach out to me on [X](https://x.com/xb0g0) or [Telegram](https://t.me/xb0g0) and I'll make sure to add your insights. [Next@lonelysloth\_sec](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/lonelysloth_sec) Last updated 8 months ago This site uses cookies to deliver its service and to analyze traffic. By browsing this site, you accept the [privacy policy](https://policies.gitbook.com/privacy/cookies) . AcceptReject --- # @zigtur | Art Of Auditing ![Page cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FwHOEhhyDWtYlAxxPVmt8%252FUntitled-1.jpg%3Falt%3Dmedia%26token%3D53a418bb-3ef0-4ec3-984a-8a7fa343f140&width=1248&dpr=4&quality=100&sign=94255264&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/zigtur#zigtur) ![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252F6UuX7506T6D6jWfc9mI0%252Fimage.png%3Falt%3Dmedia%26token%3D07518bf0-fb67-4824-afc5-d83972c322ac&width=40&dpr=4&quality=100&sign=54d0e948&sv=2)![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FoexTy0YLirZNUEtBi9hl%252Fimage.png%3Falt%3Dmedia%26token%3D37136669-4ffa-4e5c-8b1b-37ce3a42855c&width=40&dpr=4&quality=100&sign=4ad0305&sv=2) [@zigtur](https://x.com/zigtur) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/zigtur#id-2-on-cantina-2024-or-greater-than-170kusd-in-contest-payouts) 🏅2 on Cantina 2024 | > 170K$ in contest payouts ![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FZWuBN6hayMS6VmrYhVq1%252Fimage.png%3Falt%3Dmedia%26token%3D3db99411-2a32-42b3-bc3e-5cb1dffd786f&width=768&dpr=4&quality=100&sign=91fd093a&sv=2) [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/zigtur#words-of-wisdom) Words of Wisdom ------------------------------------------------------------------------------------------------------- * * * ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FBBYe9agZ6JGsSwSH4nnc%252Fimage.png%3Falt%3Dmedia%26token%3D73104116-b3e2-4991-97e2-c4ad31c367e8&width=376&dpr=4&quality=100&sign=f7dd77bb&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/zigtur#learn-by-doing) "Learn by doing**"** Stop wasting time trying to learn some concepts up-front. Learn as you do, especially in security reviews. ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252Ft6dCiKeQgNJLUil8gANs%252Fimage.png%3Falt%3Dmedia%26token%3D75248950-f93b-444b-9cac-96459703eec7&width=376&dpr=4&quality=100&sign=eaced8b9&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/zigtur#setup-that-feedback-loop) "Setup that feedback loop**"** * Failing by missing vulnerabilities is normal. You can’t do without it. * But failing multiple times on the same issues is not acceptable. * Get that feedback loop up, be sure to never miss this issue again. ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252Fg7H3UxcFBk1qDzD9ov6u%252Fimage.png%3Falt%3Dmedia%26token%3D152c591c-9bff-417c-8a2d-e20f0fc21bb5&width=376&dpr=4&quality=100&sign=758bad0c&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/zigtur#question-everything) "Question everything**"** Question, question, question. Don’t take assumptions, or if you do you should question them too! Then look for the answer, you may be surprised! ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252F9xljHNy3fDsgksobLb1v%252Fimage.png%3Falt%3Dmedia%26token%3Dc85fe962-da1f-4481-a730-e9a9d1b6349f&width=376&dpr=4&quality=100&sign=8138bfed&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/zigtur#cut-the-abstraction-down) "Cut the abstraction down" “This should work like this, I’m not checking it!” Are you sure about that anon? ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252F2HLO8lmRHJojYnxE57wN%252Fimage.png%3Falt%3Dmedia%26token%3Dc837f3e7-0d31-4bfd-bd6a-faf9721af2c4&width=376&dpr=4&quality=100&sign=9a9ece40&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/zigtur#interpret-that-small-line-of-code) "Interpret that small line of code" What does this line of code means on the whole protocol? What consequences does it have on other workflows? Interpret the small lines within the project’s big picture! ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252F8ik6XqO9CiAvvJiUuUCZ%252Fimage.png%3Falt%3Dmedia%26token%3D6c4d0afa-bae7-4465-bc43-02ffdab47e1f&width=376&dpr=4&quality=100&sign=944e24cb&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/zigtur#have-fun) "Have fun!" It’s OK to not enjoy a codebase. With competitions, you can just wrap-up and go with another you enjoy! I’ve done it in the past, I will do it in the future. Because competitions allow it! [Previous@bobface16](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/bobface16) [Next@J4X\_Security](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/j4x_security) Last updated 8 months ago --- # @bobface16 | Art Of Auditing ![Page cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FwHOEhhyDWtYlAxxPVmt8%252FUntitled-1.jpg%3Falt%3Dmedia%26token%3D53a418bb-3ef0-4ec3-984a-8a7fa343f140&width=1248&dpr=4&quality=100&sign=94255264&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/bobface16#bobface16) ![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252F6UuX7506T6D6jWfc9mI0%252Fimage.png%3Falt%3Dmedia%26token%3D07518bf0-fb67-4824-afc5-d83972c322ac&width=40&dpr=4&quality=100&sign=54d0e948&sv=2)![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FoexTy0YLirZNUEtBi9hl%252Fimage.png%3Falt%3Dmedia%26token%3D37136669-4ffa-4e5c-8b1b-37ce3a42855c&width=40&dpr=4&quality=100&sign=4ad0305&sv=2) [@bobface16](https://x.com/bobface16) ![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FWPoXBamv1sjFyfoyrrK7%252Fimage.png%3Falt%3Dmedia%26token%3D27e18fba-4754-4fcd-bda1-62c1f2d45b09&width=768&dpr=4&quality=100&sign=5906fb55&sv=2) [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/bobface16#words-of-wisdom) Words of Wisdom ---------------------------------------------------------------------------------------------------------- * * * ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FBBYe9agZ6JGsSwSH4nnc%252Fimage.png%3Falt%3Dmedia%26token%3D73104116-b3e2-4991-97e2-c4ad31c367e8&width=376&dpr=4&quality=100&sign=f7dd77bb&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/bobface16#audited-codebases) "Audited codebases**"** Regarding bug bounties, almost all codebases have been previously audited, often by leading security firms. Don’t let that fool you into thinking they are bug-free. Some of my biggest bounties have been in projects that have been audited extensively and yet still were vulnerable. Approach each codebase as if it came fresh from the developers. ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252Ft6dCiKeQgNJLUil8gANs%252Fimage.png%3Falt%3Dmedia%26token%3D75248950-f93b-444b-9cac-96459703eec7&width=376&dpr=4&quality=100&sign=eaced8b9&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/bobface16#be-prepared-to-negotiate) "Be prepared to negotiate**"** Identifying a bug, writing up a PoC, and reporting it is only the first half. The second half commonly involves quite a bit of discussion and negotiation. Learn how to express complex technical situations, how to present a well-founded case, and how to professionally negotiate. ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252Fg7H3UxcFBk1qDzD9ov6u%252Fimage.png%3Falt%3Dmedia%26token%3D152c591c-9bff-417c-8a2d-e20f0fc21bb5&width=376&dpr=4&quality=100&sign=758bad0c&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/bobface16#when-to-stop-searching) "When to stop searching**"** At which point do you stop searching a codebase for bugs? Try to understand the system to the point where you could reimplement it from scratch without looking at the original codebase. Not from remembering the code, but from having understood what the application is supposed to do. If you have examined a project that far and have not found a bug, the chances of finding one by continuing is low. On the other hand, if there was a bug in there, you would have most likely found it. ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252F2HLO8lmRHJojYnxE57wN%252Fimage.png%3Falt%3Dmedia%26token%3Dc837f3e7-0d31-4bfd-bd6a-faf9721af2c4&width=376&dpr=4&quality=100&sign=9a9ece40&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/bobface16#how-to-improve-your-skills) "How to improve your skills" Theoretical knowledge is important, but nothing trumps practical experience. Develop your own projects and observe areas of security concern, participate in CTFs, and build PoCs for past exploits. [Previous@lonelysloth\_sec](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/lonelysloth_sec) [Next@zigtur](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/zigtur) Last updated 2 months ago --- # @lonelysloth_sec | Art Of Auditing ![Page cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FwHOEhhyDWtYlAxxPVmt8%252FUntitled-1.jpg%3Falt%3Dmedia%26token%3D53a418bb-3ef0-4ec3-984a-8a7fa343f140&width=1248&dpr=4&quality=100&sign=94255264&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/lonelysloth_sec#lonelysloth_sec) ![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252F6UuX7506T6D6jWfc9mI0%252Fimage.png%3Falt%3Dmedia%26token%3D07518bf0-fb67-4824-afc5-d83972c322ac&width=40&dpr=4&quality=100&sign=54d0e948&sv=2)![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FoexTy0YLirZNUEtBi9hl%252Fimage.png%3Falt%3Dmedia%26token%3D37136669-4ffa-4e5c-8b1b-37ce3a42855c&width=40&dpr=4&quality=100&sign=4ad0305&sv=2) [@lonelysloth\_sec](https://x.com/lonelysloth_sec) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/lonelysloth_sec#ranked-5-on-immunefi) Ranked #5 on [@immunefi](https://x.com/immunefi) ![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FmV6Y7uR74Tq5Z4QlCCQv%252Fimage.png%3Falt%3Dmedia%26token%3D2ebc2179-34fb-4219-80b8-375c1607a114&width=768&dpr=4&quality=100&sign=3c22bc07&sv=2) [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/lonelysloth_sec#words-of-wisdom) Words of Wisdom ---------------------------------------------------------------------------------------------------------------- * * * ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FBBYe9agZ6JGsSwSH4nnc%252Fimage.png%3Falt%3Dmedia%26token%3D73104116-b3e2-4991-97e2-c4ad31c367e8&width=376&dpr=4&quality=100&sign=f7dd77bb&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/lonelysloth_sec#have-faith-that-youll-find-bugs) "Have faith that you’ll find bugs**"** The number one thing you need to succeed at hunting bugs, for bounties or contests, is having faith that you’ll find bugs. Statistically every code base will have bugs, but that’s not how it feels when you haven’t found one in a long time. Find out what gets you excited and hopeful, and nurture it. Consistent effort beats pretty much everything else in predicting success. ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252Ft6dCiKeQgNJLUil8gANs%252Fimage.png%3Falt%3Dmedia%26token%3D75248950-f93b-444b-9cac-96459703eec7&width=376&dpr=4&quality=100&sign=eaced8b9&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/lonelysloth_sec#try-to-learn-hard-things) "Try to learn hard things**"** Try to learn hard things. Don’t limit yourself to the low-hanging fruit. If you learn something that most people don’t know you’ll find bugs most people miss. That can be a weird detail of the EVM or an entire field like ZK proofs. Keep pushing the boundaries of your knowledge, and collecting information on different things. ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252Fg7H3UxcFBk1qDzD9ov6u%252Fimage.png%3Falt%3Dmedia%26token%3D152c591c-9bff-417c-8a2d-e20f0fc21bb5&width=376&dpr=4&quality=100&sign=758bad0c&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/lonelysloth_sec#expect-unexpected-results) "Expect unexpected results**"** After a certain skill level pretty much anyone could find most bugs — but how do you know what targets to focus on? And for how long? That’s the hardest part of hunting bugs, and more art than science. You might find a gold mine of bugs and report 10 in a single week, then not find any in multiple targets for months. That’s normal. It sucks, but is normal. Try to learn with your hits and misses but don’t stress over it — it’s always unpredictable to some extent. ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FwnxpJSNiJtLcSBqZG8Sk%252Fimage.png%3Falt%3Dmedia%26token%3Df3cd861c-d70f-4e43-ad5d-87aadb298075&width=376&dpr=4&quality=100&sign=db2438cb&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/lonelysloth_sec#learn-to-negotiate) "Learn to negotiate" Bounty negotiations are hard — and often heartbreaking. Don’t just let projects lowball your bounties, but also keep your focus on the next one. Don’t let the anxiety of the process take your time and energy away from your bug hunting. ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FbOAIpnoxRCLtL7S7xZy9%252Fimage.png%3Falt%3Dmedia%26token%3Dd29c0b1f-5313-42ec-9122-77bf573e5dd3&width=376&dpr=4&quality=100&sign=45456660&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/lonelysloth_sec#know-everything-about-your-target) "Know everything about your target" I like to start with code, others focus first on documentation: use both resources extensively. But that is still just the basics, you should go the extra mile. **Pro tip**: watch the target’s GitHub activity. [PreviousPreface](https://web3-sec.gitbook.io/art-of-auditing) [Next@bobface16](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/bobface16) Last updated 8 months ago --- # @kankodu | Art Of Auditing ![Page cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FwHOEhhyDWtYlAxxPVmt8%252FUntitled-1.jpg%3Falt%3Dmedia%26token%3D53a418bb-3ef0-4ec3-984a-8a7fa343f140&width=1248&dpr=4&quality=100&sign=94255264&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/kankodu#kankodu) ![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252F6UuX7506T6D6jWfc9mI0%252Fimage.png%3Falt%3Dmedia%26token%3D07518bf0-fb67-4824-afc5-d83972c322ac&width=40&dpr=4&quality=100&sign=54d0e948&sv=2)![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FoexTy0YLirZNUEtBi9hl%252Fimage.png%3Falt%3Dmedia%26token%3D37136669-4ffa-4e5c-8b1b-37ce3a42855c&width=40&dpr=4&quality=100&sign=4ad0305&sv=2) [@kankodu](https://x.com/kankodu) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/kankodu#whitehat-ranked-18-immunefi-or-sr-spearbitdao) Whitehat ranked #18 [@immunefi](https://x.com/immunefi) | SR [SpearbitDAO](https://x.com/SpearbitDAO) ![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FxBCNgtkTyim7214pt6py%252Fimage.png%3Falt%3Dmedia%26token%3Dfab00112-a1bd-4a08-8b7d-a93b033a6c8e&width=768&dpr=4&quality=100&sign=62bbb979&sv=2) [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/kankodu#words-of-wisdom) Words of Wisdom -------------------------------------------------------------------------------------------------------- * * * ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FBBYe9agZ6JGsSwSH4nnc%252Fimage.png%3Falt%3Dmedia%26token%3D73104116-b3e2-4991-97e2-c4ad31c367e8&width=376&dpr=4&quality=100&sign=f7dd77bb&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/kankodu#the-programming-language-is-not-a-blocker) "The Programming Language is Not a Blocker**"** Understanding the application logic and being able to read a bit of the specific programming language is sufficient for finding bugs; Expertise in that language is not mandatory. You don’t need to stick exclusively to Solidity to hunt for bugs. Although I lack expertise outside of Solidity, I've successfully reported bugs in Vyper, Rust, Cairo, Move, and other languages. ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252Ft6dCiKeQgNJLUil8gANs%252Fimage.png%3Falt%3Dmedia%26token%3D75248950-f93b-444b-9cac-96459703eec7&width=376&dpr=4&quality=100&sign=eaced8b9&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/kankodu#consider-the-dilution-effect-when-describing-bug-impact) "Consider the Dilution Effect When Describing Bug Impact**"** When evaluating the impact of a bug, keep the _Dilution Effect_ in mind. Suppose you identify two possible impacts of an exploit: one with high impact and the other with low. As a bounty hunter, you may feel inclined to mention both, but this can backfire. The weaker impact can dilute the stronger one, as people tend to average the effects rather than summing them up. You're better off emphasizing the higher impact alone. Source: [The Counterintuitive Way to Be More Persuasive by Niro Sivanathan (TED Talk)](https://t.co/jOaqaYrPR9) [Previous@akshaysrivastv](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/akshaysrivastv) [Next@gjaldon](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/gjaldon) Last updated 9 months ago --- # @cergyk1337 | Art Of Auditing ![Page cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FwHOEhhyDWtYlAxxPVmt8%252FUntitled-1.jpg%3Falt%3Dmedia%26token%3D53a418bb-3ef0-4ec3-984a-8a7fa343f140&width=1248&dpr=4&quality=100&sign=94255264&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/cergyk1337#cergyk1337) ![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252F6UuX7506T6D6jWfc9mI0%252Fimage.png%3Falt%3Dmedia%26token%3D07518bf0-fb67-4824-afc5-d83972c322ac&width=40&dpr=4&quality=100&sign=54d0e948&sv=2)![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FoexTy0YLirZNUEtBi9hl%252Fimage.png%3Falt%3Dmedia%26token%3D37136669-4ffa-4e5c-8b1b-37ce3a42855c&width=40&dpr=4&quality=100&sign=4ad0305&sv=2) [@cergyk1337](https://x.com/cergyk1337) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/cergyk1337#lsw-at-sherlock-or-top-5-on-cantina-or-top-100-immunefi-or-creator-of-https-upgradehub.xyz) LSW at Sherlock | Top 5 on Cantina | Top 100 Immunefi | Creator of [https://upgradehub.xyz](https://t.co/6B6ZG6RQb6) ![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FA0S3jCMddkaOdIY01YOY%252Fimage.png%3Falt%3Dmedia%26token%3D7b7b3e8b-fc61-4066-8819-2459cffd9682&width=768&dpr=4&quality=100&sign=6435f19b&sv=2) [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/cergyk1337#words-of-wisdom) Words of Wisdom ----------------------------------------------------------------------------------------------------------- * * * ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FBBYe9agZ6JGsSwSH4nnc%252Fimage.png%3Falt%3Dmedia%26token%3D73104116-b3e2-4991-97e2-c4ad31c367e8&width=376&dpr=4&quality=100&sign=f7dd77bb&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/cergyk1337#the-end-is-only-the-beginning) "The end is only the beginning**"** Keep pushing after thinking you have found everything. After some time, you get a good gut feeling for when to stop. This is a reminder to keep pushing even after that feeling still, once in a while ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252Ft6dCiKeQgNJLUil8gANs%252Fimage.png%3Falt%3Dmedia%26token%3D75248950-f93b-444b-9cac-96459703eec7&width=376&dpr=4&quality=100&sign=eaced8b9&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/cergyk1337#see-the-code-through-many-lens) "See the code through many lens**"** Get as many views of the code as possible- (history, coverage, run tests), a contract is never unidimensional The goal of a security review is to get insights overlooked by the developer. Reading the code directly is the most obvious way to do it but is also the way the developer thinks about the code. ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252Fg7H3UxcFBk1qDzD9ov6u%252Fimage.png%3Falt%3Dmedia%26token%3D152c591c-9bff-417c-8a2d-e20f0fc21bb5&width=376&dpr=4&quality=100&sign=758bad0c&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/cergyk1337#the-power-of-comparison) "The power of comparison**"** Use the power of comparison, whether inside of a contract, or comparing a protocol design to a similar one. Even without understanding the purpose of a piece of code, if we know that two different implementations are supposed to do the same thing, we can check for inconsistencies. Also as SRs we see a lot of different implementations for a similar projects so that is an advantage [Previous@0xEV\_om](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/0xev_om) [Next@akshaysrivastv](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/akshaysrivastv) Last updated 2 months ago --- # @0xEV_om | Art Of Auditing ![Page cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FwHOEhhyDWtYlAxxPVmt8%252FUntitled-1.jpg%3Falt%3Dmedia%26token%3D53a418bb-3ef0-4ec3-984a-8a7fa343f140&width=1248&dpr=4&quality=100&sign=94255264&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/0xev_om#id-0xev_om) ![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252F6UuX7506T6D6jWfc9mI0%252Fimage.png%3Falt%3Dmedia%26token%3D07518bf0-fb67-4824-afc5-d83972c322ac&width=40&dpr=4&quality=100&sign=54d0e948&sv=2)![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FoexTy0YLirZNUEtBi9hl%252Fimage.png%3Falt%3Dmedia%26token%3D37136669-4ffa-4e5c-8b1b-37ce3a42855c&width=40&dpr=4&quality=100&sign=4ad0305&sv=2) [@0xEV\_om](https://x.com/0xEV_om) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/0xev_om#greater-than-usd250k-in-contest-payouts) \> $250k in contest payouts ![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FZCuvlkQyw2eKugVR8jA7%252Fimage.png%3Falt%3Dmedia%26token%3D9c7a9e4b-5871-4d9a-9145-406e997dda5f&width=768&dpr=4&quality=100&sign=7d14b699&sv=2) [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/0xev_om#words-of-wisdom) Words of Wisdom -------------------------------------------------------------------------------------------------------- * * * ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FBBYe9agZ6JGsSwSH4nnc%252Fimage.png%3Falt%3Dmedia%26token%3D73104116-b3e2-4991-97e2-c4ad31c367e8&width=376&dpr=4&quality=100&sign=f7dd77bb&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/0xev_om#be-unwavering-in-your-conviction) "Be unwavering in your conviction**"** Never believe there are no vulnerabilities left to find, or that you will not be able to find them. If you catch yourself thinking that, you are not competing to win. There is always a way for you to discover the next vulnerability - you just have to find it. ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252Ft6dCiKeQgNJLUil8gANs%252Fimage.png%3Falt%3Dmedia%26token%3D75248950-f93b-444b-9cac-96459703eec7&width=376&dpr=4&quality=100&sign=eaced8b9&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/0xev_om#dive-deep-when-needed) "Dive deep, when needed**"** Always welcome the opportunity to dive one step deeper, to understand the code at an even lower level, to develop an even more precise understanding of the whole stack. But do it with a purpose - also accept that it is simply infeasible to learn and retain all there is to know about any single blockchain. So pick your battles, and fight. ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252Fg7H3UxcFBk1qDzD9ov6u%252Fimage.png%3Falt%3Dmedia%26token%3D152c591c-9bff-417c-8a2d-e20f0fc21bb5&width=376&dpr=4&quality=100&sign=758bad0c&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/0xev_om#skill-comes-with-practice) "Skill comes with practice**"** Good auditing skills come from auditing. You need some reference material to get started, but after that, learning by doing is how you improve. Contest platforms provide a feedback loop, community, scheduling, the right incentives and most importantly, a payout. Make use of the structures available to you. [Previous@J4X\_Security](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/j4x_security) [Next@cergyk1337](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/cergyk1337) Last updated 8 months ago --- # @riproprip | Art Of Auditing ![Page cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FwHOEhhyDWtYlAxxPVmt8%252FUntitled-1.jpg%3Falt%3Dmedia%26token%3D53a418bb-3ef0-4ec3-984a-8a7fa343f140&width=1248&dpr=4&quality=100&sign=94255264&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/riproprip#riproprip) ![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252F6UuX7506T6D6jWfc9mI0%252Fimage.png%3Falt%3Dmedia%26token%3D07518bf0-fb67-4824-afc5-d83972c322ac&width=40&dpr=4&quality=100&sign=54d0e948&sv=2)![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FoexTy0YLirZNUEtBi9hl%252Fimage.png%3Falt%3Dmedia%26token%3D37136669-4ffa-4e5c-8b1b-37ce3a42855c&width=40&dpr=4&quality=100&sign=4ad0305&sv=2) [@riproprip](https://x.com/riproprip) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/riproprip#greater-than-1m-in-bug-bounties-or-connoisseur-of-weird-incentives) \> 1M in bug bounties | Connoisseur of weird incentives ![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FUqMig8PmeZPifTFgeDIi%252Fimage.png%3Falt%3Dmedia%26token%3D05cd3130-7030-4102-8fed-9a2157007833&width=768&dpr=4&quality=100&sign=72e1e652&sv=2) [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/riproprip#words-of-wisdom) Words of Wisdom ---------------------------------------------------------------------------------------------------------- * * * ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FBBYe9agZ6JGsSwSH4nnc%252Fimage.png%3Falt%3Dmedia%26token%3D73104116-b3e2-4991-97e2-c4ad31c367e8&width=376&dpr=4&quality=100&sign=f7dd77bb&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/riproprip#you-can-just-do-things) "You can just do things" No matter how much you want to read docs or listen to somebody else teach, fucking around and finding out is always best. ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252Ft6dCiKeQgNJLUil8gANs%252Fimage.png%3Falt%3Dmedia%26token%3D75248950-f93b-444b-9cac-96459703eec7&width=376&dpr=4&quality=100&sign=eaced8b9&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/riproprip#do-what-seems-most-fun-to-you) "Do what seems most fun to you" Burnout is real, if you have to force yourself to a path, it's not going to be sustainable. ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252Fg7H3UxcFBk1qDzD9ov6u%252Fimage.png%3Falt%3Dmedia%26token%3D152c591c-9bff-417c-8a2d-e20f0fc21bb5&width=376&dpr=4&quality=100&sign=758bad0c&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/riproprip#time-is-your-most-valuable-resource) "Time is your most valuable resource" Spend it well. Observe the meta. Having a decent understanding of your skills compared to others allows you to spend your time where it's least -ev for you. [Previous@gjaldon](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/gjaldon) [Next@pkqs90](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/pkqs90) Last updated 2 months ago --- # @akshaysrivastv | Art Of Auditing ![Page cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FwHOEhhyDWtYlAxxPVmt8%252FUntitled-1.jpg%3Falt%3Dmedia%26token%3D53a418bb-3ef0-4ec3-984a-8a7fa343f140&width=1248&dpr=4&quality=100&sign=94255264&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/akshaysrivastv#akshaysrivastv) ![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252F6UuX7506T6D6jWfc9mI0%252Fimage.png%3Falt%3Dmedia%26token%3D07518bf0-fb67-4824-afc5-d83972c322ac&width=40&dpr=4&quality=100&sign=54d0e948&sv=2)![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FoexTy0YLirZNUEtBi9hl%252Fimage.png%3Falt%3Dmedia%26token%3D37136669-4ffa-4e5c-8b1b-37ce3a42855c&width=40&dpr=4&quality=100&sign=4ad0305&sv=2) [@akshaysrivastv](https://x.com/akshaysrivastv) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/akshaysrivastv#sr-at-spearbit-or-top-auditor-on-code4rena-2023) SR at Spearbit | Top auditor on Code4rena 2023 ![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FpgCpR3fiXuqnDuuaQDYT%252Fimage.png%3Falt%3Dmedia%26token%3Dd4d78a38-d3fb-4b81-904e-09ec907c3c8c&width=768&dpr=4&quality=100&sign=87702a7c&sv=2) [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/akshaysrivastv#words-of-wisdom) Words of Wisdom --------------------------------------------------------------------------------------------------------------- * * * ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FBBYe9agZ6JGsSwSH4nnc%252Fimage.png%3Falt%3Dmedia%26token%3D73104116-b3e2-4991-97e2-c4ad31c367e8&width=376&dpr=4&quality=100&sign=f7dd77bb&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/akshaysrivastv#for-newbies-learn-the-basics) "For newbies: Learn the basics**"** * Learn the basics of blockchain, ethereum and solidity. You should have a basic idea of how these things work under the hood. * Learn about basic smart contract/blochchain bugs * Do some CTFs and other available challenges ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252Ft6dCiKeQgNJLUil8gANs%252Fimage.png%3Falt%3Dmedia%26token%3D75248950-f93b-444b-9cac-96459703eec7&width=376&dpr=4&quality=100&sign=eaced8b9&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/akshaysrivastv#for-newbies-do-shadow-audits) "For newbies: Do shadow audits **"** Do shadow audits. Choose any past audit with small codebase and try to find bugs in it, then compare your found bugs with the actual audit contest result. Pay special attention to the bugs you missed as that's the key for improvement. ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252Fg7H3UxcFBk1qDzD9ov6u%252Fimage.png%3Falt%3Dmedia%26token%3D152c591c-9bff-417c-8a2d-e20f0fc21bb5&width=376&dpr=4&quality=100&sign=758bad0c&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/akshaysrivastv#for-newbies-compete-in-a-live-contest) "For newbies: Compete in a live contest **"** Compete in a live contest - preferably a smaller codebase one. Analyze your findings against the contest top rankers. ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252F2HLO8lmRHJojYnxE57wN%252Fimage.png%3Falt%3Dmedia%26token%3Dc837f3e7-0d31-4bfd-bd6a-faf9721af2c4&width=376&dpr=4&quality=100&sign=9a9ece40&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/akshaysrivastv#for-the-experienced-choose-less-crowded-contests) "For the experienced: Choose less crowded contests" To maximize payouts choose less crowded contests (complex codebases, new languages, new platforms, heavy math codebase, etc). ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252F8ik6XqO9CiAvvJiUuUCZ%252Fimage.png%3Falt%3Dmedia%26token%3D6c4d0afa-bae7-4465-bc43-02ffdab47e1f&width=376&dpr=4&quality=100&sign=944e24cb&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/akshaysrivastv#for-the-experienced-ask) "For the experienced: Ask" Question every business logic. Asking `what if ...?` is the way to go. ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FOVYTQxXUhm5JOqli3peZ%252Fimage.png%3Falt%3Dmedia%26token%3Da376844f-266a-4282-87cd-e3ca7ca262d1&width=376&dpr=4&quality=100&sign=5bdfed5e&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/akshaysrivastv#for-the-experienced-go-deep) "For the experienced: Go deep" Go deep into the codebase that you audit. Understand the protocol flow & all its state transitions. Diagrams/charts can be helpful here. ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FwnxpJSNiJtLcSBqZG8Sk%252Fimage.png%3Falt%3Dmedia%26token%3Df3cd861c-d70f-4e43-ad5d-87aadb298075&width=376&dpr=4&quality=100&sign=db2438cb&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/akshaysrivastv#for-the-experienced-understand-your-top-competitors) "For the experienced: Understand your top competitors" Try to understand the mindset of your fellow top competitors in the contest. Read all their findings to understand how they were seeing and approaching the codebase. [Previous@cergyk1337](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/cergyk1337) [Next@kankodu](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/kankodu) Last updated 8 months ago --- # @J4X_Security | Art Of Auditing ![Page cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FwHOEhhyDWtYlAxxPVmt8%252FUntitled-1.jpg%3Falt%3Dmedia%26token%3D53a418bb-3ef0-4ec3-984a-8a7fa343f140&width=1248&dpr=4&quality=100&sign=94255264&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/j4x_security#j4x_security) ![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252F6UuX7506T6D6jWfc9mI0%252Fimage.png%3Falt%3Dmedia%26token%3D07518bf0-fb67-4824-afc5-d83972c322ac&width=40&dpr=4&quality=100&sign=54d0e948&sv=2)![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FoexTy0YLirZNUEtBi9hl%252Fimage.png%3Falt%3Dmedia%26token%3D37136669-4ffa-4e5c-8b1b-37ce3a42855c&width=40&dpr=4&quality=100&sign=4ad0305&sv=2) [@J4X\_Security](https://x.com/J4X_Security) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/j4x_security#id-3-on-cantina-2024-or-greater-than-160kusd-in-contest-payouts) 🏅3 on Cantina 2024 | > 160K$ in contest payouts ![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FL3gSgmNcAsNODNLsSs6Q%252Fimage.png%3Falt%3Dmedia%26token%3D39b1ccaf-fda1-47b1-a70b-0f561f1aa1fd&width=768&dpr=4&quality=100&sign=9aa6882&sv=2) [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/j4x_security#words-of-wisdom) Words of Wisdom ------------------------------------------------------------------------------------------------------------- * * * ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FBBYe9agZ6JGsSwSH4nnc%252Fimage.png%3Falt%3Dmedia%26token%3D73104116-b3e2-4991-97e2-c4ad31c367e8&width=376&dpr=4&quality=100&sign=f7dd77bb&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/j4x_security#stay-away-from-the-crowd) "Stay away from the crowd**"** I always try to do the most unattractive contest currently offered. It's usually either a very complex codebase, or a language no one wants to learn. This way I always keep myself challenged (avoiding fatigue) and get the minimum of competition which leads to a way less diluted pot. ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252Ft6dCiKeQgNJLUil8gANs%252Fimage.png%3Falt%3Dmedia%26token%3D75248950-f93b-444b-9cac-96459703eec7&width=376&dpr=4&quality=100&sign=eaced8b9&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/j4x_security#check-for-3-signs-that-will-tell-you-that-this-is-a-good-contest-to-do) "Check for 3 signs that will tell you that this is a good contest to do:**"** 1. New language / protocol type 2. Complex Math 3. Gigantic codebase ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252Fg7H3UxcFBk1qDzD9ov6u%252Fimage.png%3Falt%3Dmedia%26token%3D152c591c-9bff-417c-8a2d-e20f0fc21bb5&width=376&dpr=4&quality=100&sign=758bad0c&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/j4x_security#predict-highs) "Predict highs**"** When deciding on what contest to look at, nowadays its becoming more and more important to know if a contest will contain highs, due to scaled pots. You can usually predict the chances of this pretty well by looking at 3 metrics: * **Prior audits** -> Who audited it before? In case of no one or a low quality company we can be pretty sure to find stuff * **Code quality** \-> If there is almost no testcases or documentation, we can usually expect highs * **Size** -> The bigger the codebase is the better as the chance of highs increases exponentially ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=376&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/j4x_security#favor-big-codebases) "Favor big codebases" So if I do a scaled pot, in the best case I want those 3 to align. A big codebase, that is badly documented / tested and had no or only low quality audits before. In that case you can be almost sure that the pot is unlocked, but competition will still be a lot lower due to the pot being scaled. ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FwnxpJSNiJtLcSBqZG8Sk%252Fimage.png%3Falt%3Dmedia%26token%3Df3cd861c-d70f-4e43-ad5d-87aadb298075&width=376&dpr=4&quality=100&sign=db2438cb&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/j4x_security#meet-everyone) "Meet Everyone" I always try to meet as many people in the industry as possible. First of all you will find a lot of friends that have a similar mindset to you which is awesome. Second of all these friends can be helpful all along the way. I have gotten many opportunities or clients referred to me by friends I met along the way. ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252F9xljHNy3fDsgksobLb1v%252Fimage.png%3Falt%3Dmedia%26token%3Dc85fe962-da1f-4481-a730-e9a9d1b6349f&width=376&dpr=4&quality=100&sign=8138bfed&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/j4x_security#dont-be-a-leech) "Don't be a leech [🐛](https://emojipedia.org/bug) " If you just want others to help you but not do anything for them no one will want to be your friend. Try to help and support each of your friends whenever you can. It might be referring a client to them, it might be putting a good word in for them with someone you know etc. This way you can build lasting friendships out of which both sides profit. [Previous@zigtur](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/zigtur) [Next@0xEV\_om](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/0xev_om) Last updated 8 months ago --- # @pkqs90 | Art Of Auditing ![Page cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FwHOEhhyDWtYlAxxPVmt8%252FUntitled-1.jpg%3Falt%3Dmedia%26token%3D53a418bb-3ef0-4ec3-984a-8a7fa343f140&width=1248&dpr=4&quality=100&sign=94255264&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/pkqs90#pkqs90) ![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252F6UuX7506T6D6jWfc9mI0%252Fimage.png%3Falt%3Dmedia%26token%3D07518bf0-fb67-4824-afc5-d83972c322ac&width=40&dpr=4&quality=100&sign=54d0e948&sv=2)![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FoexTy0YLirZNUEtBi9hl%252Fimage.png%3Falt%3Dmedia%26token%3D37136669-4ffa-4e5c-8b1b-37ce3a42855c&width=40&dpr=4&quality=100&sign=4ad0305&sv=2) [@pkqs90](https://x.com/pkqs90) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/pkqs90#id-8-on-sherlock-or-greater-than-200kusd-in-payouts) 🏅8 on Sherlock | đŸ”„đŸ”„ > 200k$ in payouts ![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FPyagOPxBYRVI6M20mojR%252Fimage.png%3Falt%3Dmedia%26token%3D0f102347-77b5-4ada-9b6d-7f28dae7ec48&width=768&dpr=4&quality=100&sign=fbd32c09&sv=2) [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/pkqs90#words-of-wisdom) Words of Wisdom ------------------------------------------------------------------------------------------------------- * * * ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FBBYe9agZ6JGsSwSH4nnc%252Fimage.png%3Falt%3Dmedia%26token%3D73104116-b3e2-4991-97e2-c4ad31c367e8&width=376&dpr=4&quality=100&sign=f7dd77bb&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/pkqs90#use-contests-as-a-method-to-improve) "Use contests as a method to improve**"** Don't be afraid to work on contests that has new concepts you are unfamiliar with. Instead, use the contest to push yourself to learn new things (e.g. Protocol heavily uses UniV3 but you didn't know UniV3 before). ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252Ft6dCiKeQgNJLUil8gANs%252Fimage.png%3Falt%3Dmedia%26token%3D75248950-f93b-444b-9cac-96459703eec7&width=376&dpr=4&quality=100&sign=eaced8b9&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/pkqs90#prioritize-contests-with-larger-codebases) "Prioritize contests with larger codebases**"** Bigger than 3k+ loc, rather than small ones. Two reasons: 1\. The ability to work on large codebases with complicated logic is a must for going deeper in this space 2\. Smaller contests tend to have more noise, which may be distracting. ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252Fg7H3UxcFBk1qDzD9ov6u%252Fimage.png%3Falt%3Dmedia%26token%3D152c591c-9bff-417c-8a2d-e20f0fc21bb5&width=376&dpr=4&quality=100&sign=758bad0c&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/pkqs90#spent-time-reading-aside-from-auditing) "Spent time reading aside from auditing**"** Aside from normal audit work, leave some time for reading articles/write-ups and researching every once in a while. New tech and new issues are popping out every day, it is important to keep track, especially in such a fast evolving space. [Previous@riproprip](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/riproprip) [Next@DadeKuma](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/dadekuma) Last updated 2 months ago --- # @EgisSec | Art Of Auditing ![Page cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FwHOEhhyDWtYlAxxPVmt8%252FUntitled-1.jpg%3Falt%3Dmedia%26token%3D53a418bb-3ef0-4ec3-984a-8a7fa343f140&width=1248&dpr=4&quality=100&sign=94255264&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/egissec#egissec) ![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252F6UuX7506T6D6jWfc9mI0%252Fimage.png%3Falt%3Dmedia%26token%3D07518bf0-fb67-4824-afc5-d83972c322ac&width=40&dpr=4&quality=100&sign=54d0e948&sv=2)![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FoexTy0YLirZNUEtBi9hl%252Fimage.png%3Falt%3Dmedia%26token%3D37136669-4ffa-4e5c-8b1b-37ce3a42855c&width=40&dpr=4&quality=100&sign=4ad0305&sv=2) [@EgisSec](https://x.com/EgisSec) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/egissec#id-14-contests-top-3-finishes-or-greater-than-usd220k-in-payouts) 14 contests top 3 finishes | > $220K in payouts ![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FHq6HfeTitxv4kLb1stZy%252Fimage.png%3Falt%3Dmedia%26token%3D69ec4df4-e151-4325-89ff-e9fac88d964b&width=768&dpr=4&quality=100&sign=fccdbb&sv=2) [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/egissec#words-of-wisdom) Words of Wisdom -------------------------------------------------------------------------------------------------------- * * * ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FBBYe9agZ6JGsSwSH4nnc%252Fimage.png%3Falt%3Dmedia%26token%3D73104116-b3e2-4991-97e2-c4ad31c367e8&width=376&dpr=4&quality=100&sign=f7dd77bb&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/egissec#focus-is-your-best-ally.-make-sure-you-know-how-to-work-well-with-it) "Focus is your best ally. Make sure you know how to work well with it.**"** What sets the best researchers apart from the average ones is their ability to focus and the time they spend in a deeply concentrated state. Human focus is like a car's fuel tank—you need to know when it needs refilling and how to use it efficiently when it's full. Self-reflection can help you understand the conditions under which you perform at your best. Use that understanding to improve consistently and effectively. ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252Ft6dCiKeQgNJLUil8gANs%252Fimage.png%3Falt%3Dmedia%26token%3D75248950-f93b-444b-9cac-96459703eec7&width=376&dpr=4&quality=100&sign=eaced8b9&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/egissec#dont-stop-until-you-have-achieved-your-goal) "Don't stop until you have achieved your goal**"** If your goal is to uncover a high-severity bug in the X codebase and you're committed to it, your focus will naturally guide you toward success. Approach it with the mindset of a warrior—relentless and determined—and don't give up until you're certain you've explored every possible angle to achieve your goal. [Previous@DadeKuma](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/dadekuma) [Next@BowTiedDravee](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/bowtieddravee) Last updated 8 months ago --- # @gjaldon | Art Of Auditing ![Page cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FwHOEhhyDWtYlAxxPVmt8%252FUntitled-1.jpg%3Falt%3Dmedia%26token%3D53a418bb-3ef0-4ec3-984a-8a7fa343f140&width=1248&dpr=4&quality=100&sign=94255264&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/gjaldon#gjaldon) ![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252F6UuX7506T6D6jWfc9mI0%252Fimage.png%3Falt%3Dmedia%26token%3D07518bf0-fb67-4824-afc5-d83972c322ac&width=40&dpr=4&quality=100&sign=54d0e948&sv=2)![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FoexTy0YLirZNUEtBi9hl%252Fimage.png%3Falt%3Dmedia%26token%3D37136669-4ffa-4e5c-8b1b-37ce3a42855c&width=40&dpr=4&quality=100&sign=4ad0305&sv=2) [@gjaldon](https://x.com/gjaldon) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/gjaldon#sherlock-lsw-or-blackthorn-founding-member-or-usd100k-contest-rewards) Sherlock LSW | Blackthorn Founding Member | $100K+ Contest Rewards ![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FXbc5CQFflGJwinDK5g3n%252Fimage.png%3Falt%3Dmedia%26token%3Db7bddce3-8b4f-4982-a7ed-4874af2a428f&width=768&dpr=4&quality=100&sign=848a02b5&sv=2) [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/gjaldon#words-of-wisdom) Words of Wisdom -------------------------------------------------------------------------------------------------------- * * * ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FBBYe9agZ6JGsSwSH4nnc%252Fimage.png%3Falt%3Dmedia%26token%3D73104116-b3e2-4991-97e2-c4ad31c367e8&width=376&dpr=4&quality=100&sign=f7dd77bb&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/gjaldon#productivity-is-about-energy-management-rather-than-time-management) "Productivity is about energy management rather than time management**"** As knowledge workers, our most important resource is focus. There is no point putting in more hours when your brain is tired. That time is better spent resting. Productivity shoots up after resting. It’s easier to parse code and learn new concepts than when your brain is tired ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252Ft6dCiKeQgNJLUil8gANs%252Fimage.png%3Falt%3Dmedia%26token%3D75248950-f93b-444b-9cac-96459703eec7&width=376&dpr=4&quality=100&sign=eaced8b9&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/gjaldon#the-larger-the-audit-scope-and-the-more-complicated-the-protocol-the-more-critical-your-notes-will-b) "The larger the audit scope and the more complicated the protocol, the more critical your notes will be.**"** Note-taking is a skill that also needs to be developed to be great at auditing. Personally, I prefer handwritten notes as my “compressed knowledge” of the codebase. It is written as a quick reference for me. There are no huge blocks of text. It is a collection of terms, concepts, flows, and their relationships. [Previous@kankodu](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/kankodu) [Next@riproprip](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/riproprip) Last updated 8 months ago --- # @DadeKuma | Art Of Auditing ![Page cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FwHOEhhyDWtYlAxxPVmt8%252FUntitled-1.jpg%3Falt%3Dmedia%26token%3D53a418bb-3ef0-4ec3-984a-8a7fa343f140&width=1248&dpr=4&quality=100&sign=94255264&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/dadekuma#dadekuma) ![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252F6UuX7506T6D6jWfc9mI0%252Fimage.png%3Falt%3Dmedia%26token%3D07518bf0-fb67-4824-afc5-d83972c322ac&width=40&dpr=4&quality=100&sign=54d0e948&sv=2)![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FoexTy0YLirZNUEtBi9hl%252Fimage.png%3Falt%3Dmedia%26token%3D37136669-4ffa-4e5c-8b1b-37ce3a42855c&width=40&dpr=4&quality=100&sign=4ad0305&sv=2) [@DadeKuma](https://x.com/DadeKuma) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/dadekuma#greater-than-usd70k-rewards-in-public-competitions-or-20-on-c4-2024) \> $70K rewards in public competitions | #20 on C4 2024 ![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FKBnJqSxfRcHfcyvncEuK%252Fimage.png%3Falt%3Dmedia%26token%3Dcb5ca615-ec5a-4af4-add3-7f7bb26ef423&width=768&dpr=4&quality=100&sign=e774fd8&sv=2) [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/dadekuma#words-of-wisdom) Words of Wisdom --------------------------------------------------------------------------------------------------------- * * * ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FBBYe9agZ6JGsSwSH4nnc%252Fimage.png%3Falt%3Dmedia%26token%3D73104116-b3e2-4991-97e2-c4ad31c367e8&width=376&dpr=4&quality=100&sign=f7dd77bb&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/dadekuma#choose-what-is-interesting-to-you) "**Choose what is interesting to you"** In competitions, choose protocols that seem fun or interesting to you for the best results. ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252Ft6dCiKeQgNJLUil8gANs%252Fimage.png%3Falt%3Dmedia%26token%3D75248950-f93b-444b-9cac-96459703eec7&width=376&dpr=4&quality=100&sign=eaced8b9&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/dadekuma#complexity-is-your-ally) "Complexity is your ally**"** Generally, the more complex the project or language, the less competition you'll face. ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252Fg7H3UxcFBk1qDzD9ov6u%252Fimage.png%3Falt%3Dmedia%26token%3D152c591c-9bff-417c-8a2d-e20f0fc21bb5&width=376&dpr=4&quality=100&sign=758bad0c&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/dadekuma#understand-code-deeply) "Understand code deeply**"** The best way to succeed is to understand a codebase deeply. Focus on comprehension first; bugs will reveal themselves naturally as you go. ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252F9xljHNy3fDsgksobLb1v%252Fimage.png%3Falt%3Dmedia%26token%3Dc85fe962-da1f-4481-a730-e9a9d1b6349f&width=376&dpr=4&quality=100&sign=8138bfed&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/dadekuma#push-until-the-end) "Push until the end" Most interesting or unique bugs are usually found in the final days of an audit, so stay focused and keep trying until the end. [Previous@pkqs90](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/pkqs90) [Next@EgisSec](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/egissec) Last updated 9 months ago --- # @Draiakoo | Art Of Auditing ![Page cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FwHOEhhyDWtYlAxxPVmt8%252FUntitled-1.jpg%3Falt%3Dmedia%26token%3D53a418bb-3ef0-4ec3-984a-8a7fa343f140&width=1248&dpr=4&quality=100&sign=94255264&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/draiakoo#draiakoo) ![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252F6UuX7506T6D6jWfc9mI0%252Fimage.png%3Falt%3Dmedia%26token%3D07518bf0-fb67-4824-afc5-d83972c322ac&width=40&dpr=4&quality=100&sign=54d0e948&sv=2)![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FoexTy0YLirZNUEtBi9hl%252Fimage.png%3Falt%3Dmedia%26token%3D37136669-4ffa-4e5c-8b1b-37ce3a42855c&width=40&dpr=4&quality=100&sign=4ad0305&sv=2) [@Draiakoo](https://x.com/Draiakoo) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/draiakoo#id-1-on-codehawks-all-time-leaderboard) 🏅1 on CodeHawks all-time leaderboard ![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FrafZ3Idb33CBYyqEQ2U5%252Fimage.png%3Falt%3Dmedia%26token%3D91adf23c-cca5-43de-a1d3-5be870a6b0d4&width=768&dpr=4&quality=100&sign=219227f0&sv=2) [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/draiakoo#words-of-wisdom) Words of Wisdom --------------------------------------------------------------------------------------------------------- * * * ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FBBYe9agZ6JGsSwSH4nnc%252Fimage.png%3Falt%3Dmedia%26token%3D73104116-b3e2-4991-97e2-c4ad31c367e8&width=376&dpr=4&quality=100&sign=f7dd77bb&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/draiakoo#mastering-focus) "Mastering Focus**"** Discover the importance of dedicated focus time, identify your peak productivity hours, and learn strategies to avoid distractions, ensuring the highest quality audits. By improving focus, you can consistently produce accurate and thorough results. ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252Ft6dCiKeQgNJLUil8gANs%252Fimage.png%3Falt%3Dmedia%26token%3D75248950-f93b-444b-9cac-96459703eec7&width=376&dpr=4&quality=100&sign=eaced8b9&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/draiakoo#challenge-yourself) "Challenge Yourself**"** Skip the easy tasks and focus on the complex ones. By tackling difficult challenges, you’ll stay ahead of the crowd and sharpen your auditing skills. Conquering hard problems leads to deeper expertise. ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252Fg7H3UxcFBk1qDzD9ov6u%252Fimage.png%3Falt%3Dmedia%26token%3D152c591c-9bff-417c-8a2d-e20f0fc21bb5&width=376&dpr=4&quality=100&sign=758bad0c&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/draiakoo#strategic-planning) "Strategic Planning**"** Set clear goals and break them into manageable steps, avoiding distractions that hinder progress. A focused plan will guide you toward audit success. With a structured approach, you’ll stay on track and achieve your desired outcomes efficiently [Previous@BowTiedDravee](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/bowtieddravee) [Next@windhustler](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/windhustler) Last updated 6 months ago --- # @windhustler | Art Of Auditing ![Page cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FwHOEhhyDWtYlAxxPVmt8%252FUntitled-1.jpg%3Falt%3Dmedia%26token%3D53a418bb-3ef0-4ec3-984a-8a7fa343f140&width=1248&dpr=4&quality=100&sign=94255264&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/windhustler#windhustler) ![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252F6UuX7506T6D6jWfc9mI0%252Fimage.png%3Falt%3Dmedia%26token%3D07518bf0-fb67-4824-afc5-d83972c322ac&width=40&dpr=4&quality=100&sign=54d0e948&sv=2)![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FoexTy0YLirZNUEtBi9hl%252Fimage.png%3Falt%3Dmedia%26token%3D37136669-4ffa-4e5c-8b1b-37ce3a42855c&width=40&dpr=4&quality=100&sign=4ad0305&sv=2) [@windhustler](https://x.com/windhustler) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/windhustler#ex-petroleum-engineer-and-smart-contract-developer-or-sr-spearbit-or-sr-sherlock) Ex-Petroleum Engineer & Smart Contract Developer | SR @Spearbit | SR @Sherlock ![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FtUFdwbJ2yFixUdFLBWRc%252Fimage.png%3Falt%3Dmedia%26token%3Dc3dee013-9315-4607-b45c-f1eabc417536&width=768&dpr=4&quality=100&sign=1c5baca5&sv=2) [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/windhustler#words-of-wisdom) Words of Wisdom ------------------------------------------------------------------------------------------------------------ * * * ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FBBYe9agZ6JGsSwSH4nnc%252Fimage.png%3Falt%3Dmedia%26token%3D73104116-b3e2-4991-97e2-c4ad31c367e8&width=376&dpr=4&quality=100&sign=f7dd77bb&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/windhustler#breaking-versus-understanding) "**Breaking Versus Understanding"** Focus on breaking the codebase rather than understanding it. Many bugs are slight logical inconsistencies that don’t even require understanding the whole picture. Many times focusing too much on the bigger picture will yield some high-level, economical attacks but might miss out on function-specific edge cases. ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252Ft6dCiKeQgNJLUil8gANs%252Fimage.png%3Falt%3Dmedia%26token%3D75248950-f93b-444b-9cac-96459703eec7&width=376&dpr=4&quality=100&sign=eaced8b9&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/windhustler#dont-run-in-circles) "Don't Run in Circles**"** It’s very common for auditors to keep on checking the same scenarios. If you're doing this, just remind yourself that this is a form of procrastination, and the only added value is in checking those 1% complex scenarios that are hard to grasp. ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252Fg7H3UxcFBk1qDzD9ov6u%252Fimage.png%3Falt%3Dmedia%26token%3D152c591c-9bff-417c-8a2d-e20f0fc21bb5&width=376&dpr=4&quality=100&sign=758bad0c&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/windhustler#inspire-yourself) "Inspire Yourself**"** Go over all the bugs that are found in similar protocols on Solodit to direct your thinking and get ideas flowing. It is the hardest to find any bugs when you don't know what you're looking for. ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252F2HLO8lmRHJojYnxE57wN%252Fimage.png%3Falt%3Dmedia%26token%3Dc837f3e7-0d31-4bfd-bd6a-faf9721af2c4&width=376&dpr=4&quality=100&sign=9a9ece40&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/windhustler#use-ai) "Use AI" Use AI tools to speed up the understanding of the codebase and to generate ideas. If you don’t have a co-auditor on a project AI can be extremely useful. Just don’t expect it to give you accurate answers every time, it’s only a tool and it’s up to you to make sense of its suggestions. [Previous@Draiakoo](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/draiakoo) [Next@santipu\_](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/santipu_) Last updated 8 months ago --- # @neumoXX | Art Of Auditing ![Page cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FwHOEhhyDWtYlAxxPVmt8%252FUntitled-1.jpg%3Falt%3Dmedia%26token%3D53a418bb-3ef0-4ec3-984a-8a7fa343f140&width=1248&dpr=4&quality=100&sign=94255264&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/neumoxx#neumoxx) ![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252F6UuX7506T6D6jWfc9mI0%252Fimage.png%3Falt%3Dmedia%26token%3D07518bf0-fb67-4824-afc5-d83972c322ac&width=40&dpr=4&quality=100&sign=54d0e948&sv=2)![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FoexTy0YLirZNUEtBi9hl%252Fimage.png%3Falt%3Dmedia%26token%3D37136669-4ffa-4e5c-8b1b-37ce3a42855c&width=40&dpr=4&quality=100&sign=4ad0305&sv=2) [@neumoXX](https://x.com/neumoXX) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/neumoxx#whitehat-bounty-hunter-or-13-in-immunefi-2024) Whitehat bounty hunter | #13 in Immunefi 2024 ![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FQXpdtWG1PSju2PbLREXj%252Fimage.png%3Falt%3Dmedia%26token%3D44d5da05-db14-40e8-8120-3c02a01360b6&width=768&dpr=4&quality=100&sign=19659f69&sv=2) [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/neumoxx#words-of-wisdom) Words of Wisdom -------------------------------------------------------------------------------------------------------- * * * ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FBBYe9agZ6JGsSwSH4nnc%252Fimage.png%3Falt%3Dmedia%26token%3D73104116-b3e2-4991-97e2-c4ad31c367e8&width=376&dpr=4&quality=100&sign=f7dd77bb&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/neumoxx#know-when-to-move-on) "Know When to Move On**"** When reviewing a codebase, it's important to recognize when it's time to stop exploring and move on to the next one. If a certain amount of time passes without discovering any new leads or rabbit holes to jump into, it might be time to leave and look for greener pastures. ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252Ft6dCiKeQgNJLUil8gANs%252Fimage.png%3Falt%3Dmedia%26token%3D75248950-f93b-444b-9cac-96459703eec7&width=376&dpr=4&quality=100&sign=eaced8b9&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/neumoxx#go-hard-or-go-home) "Go Hard or Go Home**"** The more complex a project is, the greater the chances you'll find bugs in it. Don't spend too much time on simple codebases. Focus on protocols that implement intricate algorithms or have convoluted code flows—these are often closer to yielding your next Crit. ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252Fg7H3UxcFBk1qDzD9ov6u%252Fimage.png%3Falt%3Dmedia%26token%3D152c591c-9bff-417c-8a2d-e20f0fc21bb5&width=376&dpr=4&quality=100&sign=758bad0c&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/neumoxx#dont-be-afraid-of-the-unknown) "Don't Be Afraid of the Unknown**"** You don't need to be an expert in a language or technology to find bugs in it. Getting up to speed on something new might take less time than you expect. Explore niche technologies and emerging languages; sometimes, hidden gems can be found there. [Previous@\_blockian](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/_blockian) [Next@Alex the Entreprenerd](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/alex-the-entreprenerd) Last updated 8 months ago --- # @santipu_ | Art Of Auditing ![Page cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FwHOEhhyDWtYlAxxPVmt8%252FUntitled-1.jpg%3Falt%3Dmedia%26token%3D53a418bb-3ef0-4ec3-984a-8a7fa343f140&width=1248&dpr=4&quality=100&sign=94255264&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/santipu_#santipu) ![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252F6UuX7506T6D6jWfc9mI0%252Fimage.png%3Falt%3Dmedia%26token%3D07518bf0-fb67-4824-afc5-d83972c322ac&width=40&dpr=4&quality=100&sign=54d0e948&sv=2)![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FoexTy0YLirZNUEtBi9hl%252Fimage.png%3Falt%3Dmedia%26token%3D37136669-4ffa-4e5c-8b1b-37ce3a42855c&width=40&dpr=4&quality=100&sign=4ad0305&sv=2) [@santipu\_](https://x.com/santipu_) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/santipu_#lsw-at-sherlock-or-100k-in-payouts) LSW at Sherlock | đŸ”„100K+ in payouts ![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FHvwCbF00rW1dEixw2WBm%252Fimage.png%3Falt%3Dmedia%26token%3D8e673de6-38be-4f3f-bb41-69468ef09ddf&width=768&dpr=4&quality=100&sign=80c1c2bb&sv=2) [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/santipu_#words-of-wisdom) Words of Wisdom --------------------------------------------------------------------------------------------------------- * * * ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FBBYe9agZ6JGsSwSH4nnc%252Fimage.png%3Falt%3Dmedia%26token%3D73104116-b3e2-4991-97e2-c4ad31c367e8&width=376&dpr=4&quality=100&sign=f7dd77bb&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/santipu_#time-and-focus) "Time and Focus**"** This is a common tip, but it's one of the truest: the time and focus you invest directly influence the number of bugs you uncover. Like they say, the 10,000 hours themselves are more important than the actual strategies used in that time. ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252Ft6dCiKeQgNJLUil8gANs%252Fimage.png%3Falt%3Dmedia%26token%3D75248950-f93b-444b-9cac-96459703eec7&width=376&dpr=4&quality=100&sign=eaced8b9&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/santipu_#one-detail-at-a-time) "One Detail at a Time**"** Once you understand the structure and flow of a system, narrow your focus to a single variable. Identify all the changes it undergoes and assess whether these changes are intended. Tools like "Ctrl+F" are key for tracking variables efficiently. I’ve seen **0xSimao** mention this strategy on X. ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252Fg7H3UxcFBk1qDzD9ov6u%252Fimage.png%3Falt%3Dmedia%26token%3D152c591c-9bff-417c-8a2d-e20f0fc21bb5&width=376&dpr=4&quality=100&sign=758bad0c&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/santipu_#bug-variations) "Bug Variations**"** When you identify a bug, consider possible variations that might lead to other impacts or scenarios. These variations can often spark insights into additional, unrelated bugs. A single complex bug might open the door to a host of new issues. [Previous@windhustler](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/windhustler) [Next@winnie](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/winnie) Last updated 9 months ago --- # @_blockian | Art Of Auditing ![Page cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FwHOEhhyDWtYlAxxPVmt8%252FUntitled-1.jpg%3Falt%3Dmedia%26token%3D53a418bb-3ef0-4ec3-984a-8a7fa343f140&width=1248&dpr=4&quality=100&sign=94255264&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/_blockian#blockian) ![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252F6UuX7506T6D6jWfc9mI0%252Fimage.png%3Falt%3Dmedia%26token%3D07518bf0-fb67-4824-afc5-d83972c322ac&width=40&dpr=4&quality=100&sign=54d0e948&sv=2)![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FoexTy0YLirZNUEtBi9hl%252Fimage.png%3Falt%3Dmedia%26token%3D37136669-4ffa-4e5c-8b1b-37ce3a42855c&width=40&dpr=4&quality=100&sign=4ad0305&sv=2) [@\_blockian](https://x.com/_blockian) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/_blockian#immunefi-42-all-time-or-a-team-of-independent-security-researchers-or-blockian.xyz) [@immunefi](https://x.com/immunefi) #42 all-time | A team of independent security researchers | [blockian.xyz](https://t.co/gjWz53PBFJ) ![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FrMvS9CRgwiugZCbcWtEs%252Fimage.png%3Falt%3Dmedia%26token%3D9cec1103-0006-4265-a9d0-1356c4a8a6c7&width=768&dpr=4&quality=100&sign=adc83175&sv=2) [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/_blockian#words-of-wisdom) Words of Wisdom ---------------------------------------------------------------------------------------------------------- * * * ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FBBYe9agZ6JGsSwSH4nnc%252Fimage.png%3Falt%3Dmedia%26token%3D73104116-b3e2-4991-97e2-c4ad31c367e8&width=376&dpr=4&quality=100&sign=f7dd77bb&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/_blockian#there-are-always-more-bugs) "**There are always more bugs"** No such thing as “safe code”, no matter how many auditors looked at it ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252Ft6dCiKeQgNJLUil8gANs%252Fimage.png%3Falt%3Dmedia%26token%3D75248950-f93b-444b-9cac-96459703eec7&width=376&dpr=4&quality=100&sign=eaced8b9&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/_blockian#debug) "Debug**"** Don’t underestimate the importance of a working debug setup ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252Fg7H3UxcFBk1qDzD9ov6u%252Fimage.png%3Falt%3Dmedia%26token%3D152c591c-9bff-417c-8a2d-e20f0fc21bb5&width=376&dpr=4&quality=100&sign=758bad0c&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/_blockian#connect-the-dots) "Connect the dots**"** Remember all the little oddities and issues that weren’t bugs, eventually they’ll be useful for something larger [Previous@Guhu95](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/guhu95) [Next@neumoXX](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/neumoxx) Last updated 8 months ago --- # @n4nika_ | Art Of Auditing ![Page cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FwHOEhhyDWtYlAxxPVmt8%252FUntitled-1.jpg%3Falt%3Dmedia%26token%3D53a418bb-3ef0-4ec3-984a-8a7fa343f140&width=1248&dpr=4&quality=100&sign=94255264&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/n4nika_#n4nika) ![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252F6UuX7506T6D6jWfc9mI0%252Fimage.png%3Falt%3Dmedia%26token%3D07518bf0-fb67-4824-afc5-d83972c322ac&width=40&dpr=4&quality=100&sign=54d0e948&sv=2)![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FoexTy0YLirZNUEtBi9hl%252Fimage.png%3Falt%3Dmedia%26token%3D37136669-4ffa-4e5c-8b1b-37ce3a42855c&width=40&dpr=4&quality=100&sign=4ad0305&sv=2) [@n4nika\_](https://x.com/n4nika_) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/n4nika_#id-10-on-cantina-2024-or-greater-than-100k-in-payouts) #10 on Cantina 2024 | > 100K in payouts ![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FfzVKyJaJ5H7kqlyqWEqh%252Fimage.png%3Falt%3Dmedia%26token%3D77e3f86d-3cb4-40a7-b2ff-03eedd847757&width=768&dpr=4&quality=100&sign=d899c57c&sv=2) [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/n4nika_#words-of-wisdom) Words of Wisdom -------------------------------------------------------------------------------------------------------- * * * ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FBBYe9agZ6JGsSwSH4nnc%252Fimage.png%3Falt%3Dmedia%26token%3D73104116-b3e2-4991-97e2-c4ad31c367e8&width=376&dpr=4&quality=100&sign=f7dd77bb&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/n4nika_#understand-well-what-the-code-is-supposed-to-do) "**Understand well what the code is supposed to do"** For me, one key aspect of finding tricky bugs is getting a very good understanding of what the code is supposed to do on a higher level by reading the documentation. Once I have that, I can start at an important part of the code and jump through the codebase following the flow of logic instead of going over a single file line by line. ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252Ft6dCiKeQgNJLUil8gANs%252Fimage.png%3Falt%3Dmedia%26token%3D75248950-f93b-444b-9cac-96459703eec7&width=376&dpr=4&quality=100&sign=eaced8b9&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/n4nika_#analyze-reports-of-code-you-have-context-about) "Analyze reports of code you have context about**"** The best way to continue learning is to look at all the confirmed findings I missed, after a contest. I don't like going over old reports where I did not compete since I don't have the context of that codebase. If I review findings from codebases I spent a lot of time on, I can more easily identify why I missed a certain issue and learn from that. ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252Fg7H3UxcFBk1qDzD9ov6u%252Fimage.png%3Falt%3Dmedia%26token%3D152c591c-9bff-417c-8a2d-e20f0fc21bb5&width=376&dpr=4&quality=100&sign=758bad0c&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/n4nika_#take-care-of-yourself) "Take care of yourself**"** What I also realized, is that treating myself as well as possible in life translates to better results in contests. When I am not stressed and feel good physically, that directly impacts my auditing performance. Working out also helps a lot with mental clarity [Previous@merkle\_bonsai](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/merkle_bonsai) [Next@Trungore](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/trungore) Last updated 8 months ago --- # @Guhu95 | Art Of Auditing ![Page cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FwHOEhhyDWtYlAxxPVmt8%252FUntitled-1.jpg%3Falt%3Dmedia%26token%3D53a418bb-3ef0-4ec3-984a-8a7fa343f140&width=1248&dpr=4&quality=100&sign=94255264&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/guhu95#guhu95) ![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252F6UuX7506T6D6jWfc9mI0%252Fimage.png%3Falt%3Dmedia%26token%3D07518bf0-fb67-4824-afc5-d83972c322ac&width=40&dpr=4&quality=100&sign=54d0e948&sv=2)![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FoexTy0YLirZNUEtBi9hl%252Fimage.png%3Falt%3Dmedia%26token%3D37136669-4ffa-4e5c-8b1b-37ce3a42855c&width=40&dpr=4&quality=100&sign=4ad0305&sv=2) [@Guhu95](https://x.com/Guhu95) ![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FpDEhDq2iq7Nd71JwJeDU%252Fimage.png%3Falt%3Dmedia%26token%3Dcce1d2f4-54fd-4a00-8af0-51d7ba700e86&width=768&dpr=4&quality=100&sign=72dae4d0&sv=2) [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/guhu95#words-of-wisdom) Words of Wisdom ------------------------------------------------------------------------------------------------------- * * * ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FBBYe9agZ6JGsSwSH4nnc%252Fimage.png%3Falt%3Dmedia%26token%3D73104116-b3e2-4991-97e2-c4ad31c367e8&width=376&dpr=4&quality=100&sign=f7dd77bb&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/guhu95#go-slow) "Go slow**"** Slower than you feel you need. Slower is better, better is faster. In auditing, slower also means you'll have observations, questions, and ideas that others reviewers didn't let themselves the time to have - and find missed bugs. ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252Ft6dCiKeQgNJLUil8gANs%252Fimage.png%3Falt%3Dmedia%26token%3D75248950-f93b-444b-9cac-96459703eec7&width=376&dpr=4&quality=100&sign=eaced8b9&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/guhu95#clusters-of-understanding-first) "Clusters of understanding first**"** Understanding the code thoroughly is 90% of the work and the results. The other 90% (the creative work) depends on the first part fully. Yes, 90-90 applies to auditing as well. Clusters: try to find the natural division into logical components, or "clusters" of understanding. ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252Fg7H3UxcFBk1qDzD9ov6u%252Fimage.png%3Falt%3Dmedia%26token%3D152c591c-9bff-417c-8a2d-e20f0fc21bb5&width=376&dpr=4&quality=100&sign=758bad0c&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/guhu95#go-deep) "Go deep**"** The better bugs are in the end of the review (or after), if limited in time, focus on fewer areas, but ensure depth. ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252F8ik6XqO9CiAvvJiUuUCZ%252Fimage.png%3Falt%3Dmedia%26token%3D6c4d0afa-bae7-4465-bc43-02ffdab47e1f&width=376&dpr=4&quality=100&sign=944e24cb&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/guhu95#most-deals-are-bad-deals) "Most deals are bad deals" Learn to say no to FOMO! Most bounties are marketing scams, most contests aren't worth the time and effort. Crypto has plenty of bad, greedy, scammy actors, and crypto-security is not an exception to this. Expect and adapt! ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FbOAIpnoxRCLtL7S7xZy9%252Fimage.png%3Falt%3Dmedia%26token%3Dd29c0b1f-5313-42ec-9122-77bf573e5dd3&width=376&dpr=4&quality=100&sign=45456660&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/guhu95#motivation-is-hard-learn-yourself) "Motivation is hard, learn yourself" Expect the first few days on a new codebase to be confused and struggle. Choose easier tasks to break the motivation barrier. Escalations and bounty negotiations are distracting and soul-draining, aim to have fewer by choosing better bounties, platforms, and projects. [Previous@winnie](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/winnie) [Next@\_blockian](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/_blockian) Last updated 8 months ago --- # @Alex the Entreprenerd | Art Of Auditing ![Page cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FwHOEhhyDWtYlAxxPVmt8%252FUntitled-1.jpg%3Falt%3Dmedia%26token%3D53a418bb-3ef0-4ec3-984a-8a7fa343f140&width=1248&dpr=4&quality=100&sign=94255264&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/alex-the-entreprenerd#gallodasballo) ![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252F6UuX7506T6D6jWfc9mI0%252Fimage.png%3Falt%3Dmedia%26token%3D07518bf0-fb67-4824-afc5-d83972c322ac&width=40&dpr=4&quality=100&sign=54d0e948&sv=2)![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FoexTy0YLirZNUEtBi9hl%252Fimage.png%3Falt%3Dmedia%26token%3D37136669-4ffa-4e5c-8b1b-37ce3a42855c&width=40&dpr=4&quality=100&sign=4ad0305&sv=2) [@GalloDaSballo](https://x.com/GalloDaSballo) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/alex-the-entreprenerd#co-founder-of-recon-or-sr-at-spearbit-or-formerly-judge-at-c4-over-25-contests-or-dev-at-badger) Co-founder of [Recon](https://t.co/xZFBO0MO3U) | SR at Spearbit | Formerly Judge at C4 (over 25 contests) | Dev at Badger ![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252F0xI8bGS9JWUpn1xe2cCZ%252Fimage.png%3Falt%3Dmedia%26token%3Db12ff72d-dd2a-4a6b-ae55-509ec3a0fa41&width=768&dpr=4&quality=100&sign=37f81d21&sv=2) [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/alex-the-entreprenerd#words-of-wisdom) Words of Wisdom ---------------------------------------------------------------------------------------------------------------------- * * * ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FBBYe9agZ6JGsSwSH4nnc%252Fimage.png%3Falt%3Dmedia%26token%3D73104116-b3e2-4991-97e2-c4ad31c367e8&width=376&dpr=4&quality=100&sign=f7dd77bb&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/alex-the-entreprenerd#learn-to-reverse-engineer) "**Learn to reverse engineer"** You must learn to reverse engineer exploits, you should not need to wait for someone else to write a thread explaining what happened. There's tons of old exploits you can start with and Phalcon is free to use ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252Ft6dCiKeQgNJLUil8gANs%252Fimage.png%3Falt%3Dmedia%26token%3D75248950-f93b-444b-9cac-96459703eec7&width=376&dpr=4&quality=100&sign=eaced8b9&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/alex-the-entreprenerd#understand-the-code-deeply-enough-that-you-could-implement-it-yourself) "Understand the code deeply enough that you could implement it yourself.**"** Once you understand a system so well, you can explain it back and write it from scratch, you will most likely find all the bugs, barring some gotchas ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252Fg7H3UxcFBk1qDzD9ov6u%252Fimage.png%3Falt%3Dmedia%26token%3D152c591c-9bff-417c-8a2d-e20f0fc21bb5&width=376&dpr=4&quality=100&sign=758bad0c&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/alex-the-entreprenerd#become-really-good) "Become really good**"** There is no competition once you are good enough, focus on your own progress and ignore the noise [Previous@neumoXX](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/neumoxx) [Next@bahurum](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/bahurum) Last updated 9 months ago --- # @winnie | Art Of Auditing ![Page cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FwHOEhhyDWtYlAxxPVmt8%252FUntitled-1.jpg%3Falt%3Dmedia%26token%3D53a418bb-3ef0-4ec3-984a-8a7fa343f140&width=1248&dpr=4&quality=100&sign=94255264&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/winnie#xuwinniexu) ![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252F6UuX7506T6D6jWfc9mI0%252Fimage.png%3Falt%3Dmedia%26token%3D07518bf0-fb67-4824-afc5-d83972c322ac&width=40&dpr=4&quality=100&sign=54d0e948&sv=2)![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FoexTy0YLirZNUEtBi9hl%252Fimage.png%3Falt%3Dmedia%26token%3D37136669-4ffa-4e5c-8b1b-37ce3a42855c&width=40&dpr=4&quality=100&sign=4ad0305&sv=2) [@xuwinniexu](https://x.com/xuwinniexu) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/winnie#https-xuwinnie.review) [https://xuwinnie.review/](https://xuwinnie.review/) ![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252Fm9V3d1yOJrtUw9oQHqIF%252Fimage.png%3Falt%3Dmedia%26token%3D50324b31-7c46-49f1-aaba-4f3b12bf523f&width=768&dpr=4&quality=100&sign=e46150db&sv=2) [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/winnie#words-of-wisdom) Words of Wisdom ------------------------------------------------------------------------------------------------------- * * * ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FBBYe9agZ6JGsSwSH4nnc%252Fimage.png%3Falt%3Dmedia%26token%3D73104116-b3e2-4991-97e2-c4ad31c367e8&width=376&dpr=4&quality=100&sign=f7dd77bb&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/winnie#understand-the-flow) "Understand the flow**"** Imagine how each party interacts with the protocol, and try hard to break ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252Ft6dCiKeQgNJLUil8gANs%252Fimage.png%3Falt%3Dmedia%26token%3D75248950-f93b-444b-9cac-96459703eec7&width=376&dpr=4&quality=100&sign=eaced8b9&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/winnie#pay-attention-to-details) "Pay attention to details**"** Keep record of every little weak points and try to combine them ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252Fg7H3UxcFBk1qDzD9ov6u%252Fimage.png%3Falt%3Dmedia%26token%3D152c591c-9bff-417c-8a2d-e20f0fc21bb5&width=376&dpr=4&quality=100&sign=758bad0c&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/winnie#select-larger-and-harder-codebase) "Select larger and harder codebase**"** Keep learning new things ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FD0SxsUDa177iioZb5gCh%252Fimage.png%3Falt%3Dmedia%26token%3Df30ad64e-af96-4937-ab71-07a127c2a14a&width=376&dpr=4&quality=100&sign=7ce5ff07&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/winnie#critical-thinking) "Critical thinking" Don't read other's reports without independent thinking first. [Previous@santipu\_](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/santipu_) [Next@Guhu95](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/guhu95) Last updated 9 months ago --- # @BowTiedDravee | Art Of Auditing ![Page cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FwHOEhhyDWtYlAxxPVmt8%252FUntitled-1.jpg%3Falt%3Dmedia%26token%3D53a418bb-3ef0-4ec3-984a-8a7fa343f140&width=1248&dpr=4&quality=100&sign=94255264&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/bowtieddravee#bowtieddravee) ![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252F6UuX7506T6D6jWfc9mI0%252Fimage.png%3Falt%3Dmedia%26token%3D07518bf0-fb67-4824-afc5-d83972c322ac&width=40&dpr=4&quality=100&sign=54d0e948&sv=2)![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FoexTy0YLirZNUEtBi9hl%252Fimage.png%3Falt%3Dmedia%26token%3D37136669-4ffa-4e5c-8b1b-37ce3a42855c&width=40&dpr=4&quality=100&sign=4ad0305&sv=2) [@BowTiedDravee](https://x.com/BowTiedDravee) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/bowtieddravee#lead-security-researcher-at-certora-or-judge-on-code4rena) Lead Security Researcher at Certora | Judge on code4rena ![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252Fwr8SsIAJW4lYZxLD1KMY%252Fimage.png%3Falt%3Dmedia%26token%3Db3837bdd-086d-4396-894c-dba801fe8fa4&width=768&dpr=4&quality=100&sign=2edb678d&sv=2) [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/bowtieddravee#words-of-wisdom) Words of Wisdom -------------------------------------------------------------------------------------------------------------- * * * ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FBBYe9agZ6JGsSwSH4nnc%252Fimage.png%3Falt%3Dmedia%26token%3D73104116-b3e2-4991-97e2-c4ad31c367e8&width=376&dpr=4&quality=100&sign=f7dd77bb&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/bowtieddravee#accountability-turns-pressure-into-diamonds) "Accountability Turns Pressure Into Diamonds**"** The second _someone else is watching_—or a clock starts ticking—your brain sharpens. Only when something’s at stake (a deadline, a public tweet, a $2 bet with a friend about doing what you said you would): suddenly, every minute matters. You stop getting lost in distractions and start focusing—because there are consequences now. Time is precious, and a huge amount of it gets lost to time wasters (phone, social media, etc.). Usually, you don’t need more time—you need more focus Want to prep yourself for focus? Don’t wait for motivation. **Create consequence. Create urgency. Then watch yourself perform like you did the night before that exam years ago.** ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252Ft6dCiKeQgNJLUil8gANs%252Fimage.png%3Falt%3Dmedia%26token%3D75248950-f93b-444b-9cac-96459703eec7&width=376&dpr=4&quality=100&sign=eaced8b9&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/bowtieddravee#testing-isnt-just-for-checking-its-a-weapon-for-learning) "Testing Isn’t Just for Checking—It’s a Weapon for Learning**"** Reading something four times makes you _feel_ smart and confident. But reading it once and testing yourself _actually_ makes you smart (though not confident). Huberman mentioned the experience: kids who read once and got tested outperformed by far those who reread four times, all while being much less confident. The principle behind it is **active recall**, which some believe is the only way to rewire your brain. Don’t just stare at the codebase. Test yourself. Ask AI to make you a quiz. Explain it to someone (ever heard of a rubber duck? or Professor Feynman?). Struggle with it. **That’s how you carve knowledge into your brain.** ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252Fg7H3UxcFBk1qDzD9ov6u%252Fimage.png%3Falt%3Dmedia%26token%3D152c591c-9bff-417c-8a2d-e20f0fc21bb5&width=376&dpr=4&quality=100&sign=758bad0c&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/bowtieddravee#speak-to-hear-yourself-because-the-noise-is-real) "Speak to Hear Yourself—Because the Noise Is Real**"** Sometimes your mind is racing. It’s chaotic. You may experience a storm of ideas—but you remain stuck. Ever realized that the moment you talk to someone—even just a rubber duck, an AI, or by recording yourself—**you start to hear your ideas clearly?** That's because the noise is real. You need to either calm it down (take a shower, a walk, meditate...) or speak louder than it to hear your thoughts. ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=376&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/bowtieddravee#friction-is-growth) "Friction Is Growth" When something feels heavy—the task you avoid, the message you don’t want to write, the bug you don’t want to dig into—**that’s a weight you’re meant to lift**. That tension you feel? It’s your brain trying to rewire itself. Most people walk away. Numb it. Scroll past it. But if you lean in and stay with the discomfort, you don’t just move forward—you grow. **Bonus:** In a competition, this is where most people stop. But the ones who are able to keep pushing? They find gold. ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FwnxpJSNiJtLcSBqZG8Sk%252Fimage.png%3Falt%3Dmedia%26token%3Df3cd861c-d70f-4e43-ad5d-87aadb298075&width=376&dpr=4&quality=100&sign=db2438cb&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/bowtieddravee#frustration-from-failure-triggers-brain-plasticity) "Frustration from Failure triggers Brain Plasticity**"** That moment when you try, fail, and feel like rage-quitting? **That’s not the end—it’s the beginning.** Frustration is the _spark of neuroplasticity_. It’s your brain telling you, "This matters—change is happening." And change is painful. As you age: this becomes even more painful and harder to handle, but the rewards of pushing through are extreme. Don’t waste your spark by being a quitter. **You need to see failure as a teacher for growth.** ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252F9xljHNy3fDsgksobLb1v%252Fimage.png%3Falt%3Dmedia%26token%3Dc85fe962-da1f-4481-a730-e9a9d1b6349f&width=376&dpr=4&quality=100&sign=8138bfed&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/bowtieddravee#mental-load-is-real.-respect-it) "Mental Load Is Real. Respect It**"** Sometimes it’s not laziness—it’s bandwidth. **Too much is going on.** There are cognitive loads everywhere that you might not even notice: unfinished tasks, emotional weight, background stress, unread messages, context switching, that meeting in 2 hours with a difficult customer. **Clear space before you blame yourself.** A foggy mind isn’t a weak one—it’s a full one. You're a human being, not a machine. ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252F8ik6XqO9CiAvvJiUuUCZ%252Fimage.png%3Falt%3Dmedia%26token%3D6c4d0afa-bae7-4465-bc43-02ffdab47e1f&width=376&dpr=4&quality=100&sign=944e24cb&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/bowtieddravee#willpower-is-the-only-stat-that-levels-up-forever) "Willpower Is the Only Stat That Levels Up Forever**"** You don’t need to be the smartest, the strongest, or the most talented. What you can be—is **relentlessly better than you were yesterday**. Every time you choose discomfort over ease, your willpower stat levels up. You've defeated your current self, and unlocked the next version. Slowly. Painfully. Permanently. Spot a weakness. Win against it. Enjoy becoming a bit better. ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252F2HLO8lmRHJojYnxE57wN%252Fimage.png%3Falt%3Dmedia%26token%3Dc837f3e7-0d31-4bfd-bd6a-faf9721af2c4&width=376&dpr=4&quality=100&sign=9a9ece40&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/bowtieddravee#without-feedback-theres-no-growth-just-repetition) "Without Feedback, There’s No Growth—Just Repetition**"** Doing more doesn’t mean getting better. Without a feedback loop, you’re just **repeating** and reinforcing a behavior, not improving. Growth only happens when you pause, reflect, and ponder: _“Did that work? Did I learn? Did I miss something? How can I improve?”_ **Progress requires course correction, not just motion.** ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=376&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/bowtieddravee#one-hunts-typos.-the-other-is-like-a-shark-following-blood-in-the-water) "One hunts typos. The other is like a shark following blood in the water**"** Some misunderstand "line by line" as checking sequences of instructions. Others see the paths leading to each line, and the effects each line has on the codebase. They follow the levers an attacker could pull to draw blood — on the line, or from it. ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FwnxpJSNiJtLcSBqZG8Sk%252Fimage.png%3Falt%3Dmedia%26token%3Df3cd861c-d70f-4e43-ad5d-87aadb298075&width=376&dpr=4&quality=100&sign=db2438cb&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/bowtieddravee#zeigarnik-effect) "Zeigarnik Effect**"** There's pain in the implicit, the incomplete and the unfinished. They trigger a compulsive "I must know!" effect. Open mysteries don’t just attract you - they haunt you, making you crave clarity. Click baits abuse this mechanism. Try to leverage it too, for learning and for finding more bugs. Funny brain tease: if I tell you "In this function from a 1M$ live contest, there's a critical bug I found, that you will never find, I will get a unique finding" : What happens to you? [Previous@EgisSec](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/egissec) [Next@Draiakoo](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/draiakoo) Last updated 4 months ago --- # @bahurum | Art Of Auditing ![Page cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FwHOEhhyDWtYlAxxPVmt8%252FUntitled-1.jpg%3Falt%3Dmedia%26token%3D53a418bb-3ef0-4ec3-984a-8a7fa343f140&width=1248&dpr=4&quality=100&sign=94255264&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/bahurum#bahurum) ![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252F6UuX7506T6D6jWfc9mI0%252Fimage.png%3Falt%3Dmedia%26token%3D07518bf0-fb67-4824-afc5-d83972c322ac&width=40&dpr=4&quality=100&sign=54d0e948&sv=2)![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FoexTy0YLirZNUEtBi9hl%252Fimage.png%3Falt%3Dmedia%26token%3D37136669-4ffa-4e5c-8b1b-37ce3a42855c&width=40&dpr=4&quality=100&sign=4ad0305&sv=2) [@bahurum](https://x.com/bahurum) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/bahurum#top-100-on-immunefi) Top 100 on Immunefi ![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FO8dDPDyk1IomQwOnbQfL%252Fimage.png%3Falt%3Dmedia%26token%3D88a6d6c7-fa1b-4588-bc45-f1f6d6e96205&width=768&dpr=4&quality=100&sign=6abee984&sv=2) [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/bahurum#words-of-wisdom) Words of Wisdom -------------------------------------------------------------------------------------------------------- * * * ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FBBYe9agZ6JGsSwSH4nnc%252Fimage.png%3Falt%3Dmedia%26token%3D73104116-b3e2-4991-97e2-c4ad31c367e8&width=376&dpr=4&quality=100&sign=f7dd77bb&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/bahurum#go-for-the-kill) "Go for the kill**"** For time efficiency while hunting, concentrate on critical paths and assets, while leaving aside secondary assets. Understand the risk model of the project to decide where to focus. This will help you find the right attack vectors. ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252Ft6dCiKeQgNJLUil8gANs%252Fimage.png%3Falt%3Dmedia%26token%3D75248950-f93b-444b-9cac-96459703eec7&width=376&dpr=4&quality=100&sign=eaced8b9&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/bahurum#turn-copper-into-gold) "Turn copper into gold**"** Often the impact of a bug is not immediately identified. Make sure to understand the project in detail before submitting a report. With the right context, or combining the bug found with another bug, the severity level could be raised. Always double check to make sure you are not underestimating a bug's impact, and tune the PoC for maximum impact. ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252Fg7H3UxcFBk1qDzD9ov6u%252Fimage.png%3Falt%3Dmedia%26token%3D152c591c-9bff-417c-8a2d-e20f0fc21bb5&width=376&dpr=4&quality=100&sign=758bad0c&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/bahurum#multiply-the-effect-of-your-efforts) "Multiply the effect of your efforts**"** Sometimes you'll find a bug general enough that it could exist on other projects. Check all other similar projects where you could find it as well. Look through BBPs, repos, onchain contracts. While doing this, think of the possible variants of the bug as well. With some luck you could capitalize on the original bug and get some extra rewards. [Previous@Alex the Entreprenerd](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/alex-the-entreprenerd) [Next@\_\_nnez](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/__nnez) Last updated 9 months ago --- # @el_hajin | Art Of Auditing ![Page cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FwHOEhhyDWtYlAxxPVmt8%252FUntitled-1.jpg%3Falt%3Dmedia%26token%3D53a418bb-3ef0-4ec3-984a-8a7fa343f140&width=1248&dpr=4&quality=100&sign=94255264&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/el_hajin#el_hajin) ![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252F6UuX7506T6D6jWfc9mI0%252Fimage.png%3Falt%3Dmedia%26token%3D07518bf0-fb67-4824-afc5-d83972c322ac&width=40&dpr=4&quality=100&sign=54d0e948&sv=2)![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FoexTy0YLirZNUEtBi9hl%252Fimage.png%3Falt%3Dmedia%26token%3D37136669-4ffa-4e5c-8b1b-37ce3a42855c&width=40&dpr=4&quality=100&sign=4ad0305&sv=2) [@el\_hajin](https://x.com/el_hajin) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/el_hajin#co-founder-a2security-or-lsw-at-sherlock-or-portfolio) co-founder [A2Security](http://a2sec.io/) | LSW at Sherlock | [Portfolio](https://github.com/elhajin/Audits) ![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FQqVMuXv5oUguwPxauwZH%252Fimage.png%3Falt%3Dmedia%26token%3D238cb1a5-2612-4efc-81cc-71ef16aee52a&width=768&dpr=4&quality=100&sign=77935db8&sv=2) [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/el_hajin#words-of-wisdom) Words of Wisdom --------------------------------------------------------------------------------------------------------- * * * ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FBBYe9agZ6JGsSwSH4nnc%252Fimage.png%3Falt%3Dmedia%26token%3D73104116-b3e2-4991-97e2-c4ad31c367e8&width=376&dpr=4&quality=100&sign=f7dd77bb&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/el_hajin#if-its-hard-youre-on-the-right-path) "If it's hard, you're on the right path**"** It's hard for everyone, and those who persevere through the struggle will reap the rewards later... it's your choice. ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252Ft6dCiKeQgNJLUil8gANs%252Fimage.png%3Falt%3Dmedia%26token%3D75248950-f93b-444b-9cac-96459703eec7&width=376&dpr=4&quality=100&sign=eaced8b9&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/el_hajin#if-youre-just-starting-curiosity-is-your-fuel) "If you're just starting, curiosity is your fuel**"** Keep going down the rabbit hole so you don't run out of fuel. And that's the only motivation you really need. ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252Fg7H3UxcFBk1qDzD9ov6u%252Fimage.png%3Falt%3Dmedia%26token%3D152c591c-9bff-417c-8a2d-e20f0fc21bb5&width=376&dpr=4&quality=100&sign=758bad0c&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/el_hajin#dont-chase-money-chase-knowledge) "Don't chase money, chase knowledge**"** It will pay off—don't worry. ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FbOAIpnoxRCLtL7S7xZy9%252Fimage.png%3Falt%3Dmedia%26token%3Dd29c0b1f-5313-42ec-9122-77bf573e5dd3&width=376&dpr=4&quality=100&sign=45456660&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/el_hajin#auditing-is-about-answering-three-questions) "Auditing is about answering three questions" * How should it work? * How does it work? * What if (x)? [Previous@deliriusz\_eth](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/deliriusz_eth) [Next@rootedrescue](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/rootedrescue) Last updated 8 months ago --- # @rootedrescue | Art Of Auditing ![Page cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FwHOEhhyDWtYlAxxPVmt8%252FUntitled-1.jpg%3Falt%3Dmedia%26token%3D53a418bb-3ef0-4ec3-984a-8a7fa343f140&width=1248&dpr=4&quality=100&sign=94255264&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/rootedrescue#rootedrescue) ![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252F6UuX7506T6D6jWfc9mI0%252Fimage.png%3Falt%3Dmedia%26token%3D07518bf0-fb67-4824-afc5-d83972c322ac&width=40&dpr=4&quality=100&sign=54d0e948&sv=2)![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FoexTy0YLirZNUEtBi9hl%252Fimage.png%3Falt%3Dmedia%26token%3D37136669-4ffa-4e5c-8b1b-37ce3a42855c&width=40&dpr=4&quality=100&sign=4ad0305&sv=2) [@rootedrescue](https://x.com/rootedrescue) ![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FZrdFCiJNYrAKCoNmEr0p%252Fimage.png%3Falt%3Dmedia%26token%3D40acfb3c-aca3-4a0e-9c54-6d0b63e215e5&width=768&dpr=4&quality=100&sign=27a6bb59&sv=2) [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/rootedrescue#words-of-wisdom) Words of Wisdom ------------------------------------------------------------------------------------------------------------- * * * ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FBBYe9agZ6JGsSwSH4nnc%252Fimage.png%3Falt%3Dmedia%26token%3D73104116-b3e2-4991-97e2-c4ad31c367e8&width=376&dpr=4&quality=100&sign=f7dd77bb&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/rootedrescue#consider-sources-and-sinks) "Consider Sources and Sinks**"** **Source**: a point in code where an attacker supplied input enters the execution flow. **Sink**: a point in code where malicious state change can occur. Map the program for all **Sources** and trace the execution flow to determine which of them provide a path where a **Sink** can be reached. What safeguards are present and what would be required to bypass them? Respectively, map the program for all **Sinks** and retrace the steps required to reach them to identify relevant **Sources**. Is it possible to craft a valid transaction to reach the **Sink** from the **Source**? [Previous@el\_hajin](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/el_hajin) [Next@merkle\_bonsai](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/merkle_bonsai) Last updated 9 months ago --- # @0xadrii | Art Of Auditing ![Page cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FwHOEhhyDWtYlAxxPVmt8%252FUntitled-1.jpg%3Falt%3Dmedia%26token%3D53a418bb-3ef0-4ec3-984a-8a7fa343f140&width=1248&dpr=4&quality=100&sign=94255264&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/0xadrii#id-0xadrii) ![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252F6UuX7506T6D6jWfc9mI0%252Fimage.png%3Falt%3Dmedia%26token%3D07518bf0-fb67-4824-afc5-d83972c322ac&width=40&dpr=4&quality=100&sign=54d0e948&sv=2)![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FoexTy0YLirZNUEtBi9hl%252Fimage.png%3Falt%3Dmedia%26token%3D37136669-4ffa-4e5c-8b1b-37ce3a42855c&width=40&dpr=4&quality=100&sign=4ad0305&sv=2) [@0xadrii](https://x.com/0xadrii) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/0xadrii#lsw-at-sherlock-or-zenith-at-code4rena) LSW at Sherlock | Zenith at Code4rena ![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FRD6hpQMRLmp4LvkR23NY%252Fimage.png%3Falt%3Dmedia%26token%3D1bee2051-3bb0-4684-a62d-36af6b700bbb&width=768&dpr=4&quality=100&sign=d005caa3&sv=2) [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/0xadrii#words-of-wisdom) Words of Wisdom -------------------------------------------------------------------------------------------------------- * * * ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FBBYe9agZ6JGsSwSH4nnc%252Fimage.png%3Falt%3Dmedia%26token%3D73104116-b3e2-4991-97e2-c4ad31c367e8&width=376&dpr=4&quality=100&sign=f7dd77bb&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/0xadrii#focus-on-understanding-100-of-the-system) "Focus on understanding 100% of the system**"** It is compulsory to know how everything should behave. Once you get that kind of understanding of the protocol, you'll be able to understand how tweaking certain values or pushing the system to unexpected states might lead to vulnerabilities. ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252Ft6dCiKeQgNJLUil8gANs%252Fimage.png%3Falt%3Dmedia%26token%3D75248950-f93b-444b-9cac-96459703eec7&width=376&dpr=4&quality=100&sign=eaced8b9&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/0xadrii#put-on-the-developers-shoes) "Put on the developer's shoes**"** This has worked like a charm to me. The idea here is to be able to think how everything should behave prior to actually diving in the implementation. This will allow you to identify things missing in the protocol, or to check unexpected behaviors that might lead to bugs. ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252Fg7H3UxcFBk1qDzD9ov6u%252Fimage.png%3Falt%3Dmedia%26token%3D152c591c-9bff-417c-8a2d-e20f0fc21bb5&width=376&dpr=4&quality=100&sign=758bad0c&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/0xadrii#have-patience-and-learn-from-each-contest) "Have patience and learn from each contest**"** Although it might seem that the auditing part of the contest brings you the most learnings, it is in the escalations and results phase where you'll actually grow. See what you missed and incorporate that knowledge. [Previous@\_\_nnez](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/__nnez) [Next@deliriusz\_eth](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/deliriusz_eth) Last updated 9 months ago --- # @deliriusz_eth | Art Of Auditing ![Page cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FwHOEhhyDWtYlAxxPVmt8%252FUntitled-1.jpg%3Falt%3Dmedia%26token%3D53a418bb-3ef0-4ec3-984a-8a7fa343f140&width=1248&dpr=4&quality=100&sign=94255264&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/deliriusz_eth#deliriusz_eth) ![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252F6UuX7506T6D6jWfc9mI0%252Fimage.png%3Falt%3Dmedia%26token%3D07518bf0-fb67-4824-afc5-d83972c322ac&width=40&dpr=4&quality=100&sign=54d0e948&sv=2)![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FoexTy0YLirZNUEtBi9hl%252Fimage.png%3Falt%3Dmedia%26token%3D37136669-4ffa-4e5c-8b1b-37ce3a42855c&width=40&dpr=4&quality=100&sign=4ad0305&sv=2)[@deliriusz\_eth](https://x.com/deliriusz_eth) ![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FapOZV0di9g5Bv0YxY3pM%252Fimage.png%3Falt%3Dmedia%26token%3Dd80e69ed-b8be-4e8d-87bb-9d0a99b40d18&width=768&dpr=4&quality=100&sign=94d4bf46&sv=2) [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/deliriusz_eth#words-of-wisdom) Words of Wisdom -------------------------------------------------------------------------------------------------------------- * * * ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FBBYe9agZ6JGsSwSH4nnc%252Fimage.png%3Falt%3Dmedia%26token%3D73104116-b3e2-4991-97e2-c4ad31c367e8&width=376&dpr=4&quality=100&sign=f7dd77bb&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/deliriusz_eth#smart-contract-is-a-state-machine) "Smart contract is a state machine**"** To understand it fully you need to master state variables and know the contract's state machine by heart ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252Ft6dCiKeQgNJLUil8gANs%252Fimage.png%3Falt%3Dmedia%26token%3D75248950-f93b-444b-9cac-96459703eec7&width=376&dpr=4&quality=100&sign=eaced8b9&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/deliriusz_eth#code-on-your-computer-is-your-playground) "Code on your computer is your playground**"** Create branches, experiment with the code, modify it, write comments and see where it leads you. ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252Fg7H3UxcFBk1qDzD9ov6u%252Fimage.png%3Falt%3Dmedia%26token%3D152c591c-9bff-417c-8a2d-e20f0fc21bb5&width=376&dpr=4&quality=100&sign=758bad0c&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/deliriusz_eth#the-best-bugs-are-where-no-one-looks) "The best bugs are where no one looks**"** Each time challenge your approach to auditing. Do you look where everyone looks? Do you skip hard parts that others will likely skip? What is that you can do differently that will set you apart from others? [Previous@0xadrii](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/0xadrii) [Next@el\_hajin](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/el_hajin) Last updated 2 months ago --- # @0xFrankCastle | Art Of Auditing ![Page cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FwHOEhhyDWtYlAxxPVmt8%252FUntitled-1.jpg%3Falt%3Dmedia%26token%3D53a418bb-3ef0-4ec3-984a-8a7fa343f140&width=1248&dpr=4&quality=100&sign=94255264&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/0xfrankcastle#id-0xcastle_chain) ![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252F6UuX7506T6D6jWfc9mI0%252Fimage.png%3Falt%3Dmedia%26token%3D07518bf0-fb67-4824-afc5-d83972c322ac&width=40&dpr=4&quality=100&sign=54d0e948&sv=2)![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FoexTy0YLirZNUEtBi9hl%252Fimage.png%3Falt%3Dmedia%26token%3D37136669-4ffa-4e5c-8b1b-37ce3a42855c&width=40&dpr=4&quality=100&sign=4ad0305&sv=2) [@0xcastle\_chain](https://x.com/0xcastle_chain) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/0xfrankcastle#id-20-rust-audits-or-usd100k-in-rewards-from-auditing) \+ 20 Rust Audits🩀 | +$100k in rewards from auditing ![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FLCtuYjOBaCi6575aqyOd%252Fimage.png%3Falt%3Dmedia%26token%3Dd7005bc3-93e3-4ebd-90fe-47f0bae28599&width=768&dpr=4&quality=100&sign=b6ebef9c&sv=2) [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/0xfrankcastle#words-of-wisdom) Words of Wisdom -------------------------------------------------------------------------------------------------------------- * * * ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FBBYe9agZ6JGsSwSH4nnc%252Fimage.png%3Falt%3Dmedia%26token%3D73104116-b3e2-4991-97e2-c4ad31c367e8&width=376&dpr=4&quality=100&sign=f7dd77bb&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/0xfrankcastle#if-your-wind-blows-seize-it) "If your wind blows, seize it.**"** If you make a great achievement like winning a contest or a bug bounty, you should seize this hype and make the most benefits from it, such as joining invitational audits or marketing to yourself to get more opportunities such as private audits and build your experience. Do not stop or take a rest after making good results. [Previous@csanuragjain](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/csanuragjain) [Next@Al\_Qa\_qa](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/al_qa_qa) Last updated 9 months ago --- # @merkle_bonsai | Art Of Auditing ![Page cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FwHOEhhyDWtYlAxxPVmt8%252FUntitled-1.jpg%3Falt%3Dmedia%26token%3D53a418bb-3ef0-4ec3-984a-8a7fa343f140&width=1248&dpr=4&quality=100&sign=94255264&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/merkle_bonsai#merkle_bonsai) ![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252F6UuX7506T6D6jWfc9mI0%252Fimage.png%3Falt%3Dmedia%26token%3D07518bf0-fb67-4824-afc5-d83972c322ac&width=40&dpr=4&quality=100&sign=54d0e948&sv=2)![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FoexTy0YLirZNUEtBi9hl%252Fimage.png%3Falt%3Dmedia%26token%3D37136669-4ffa-4e5c-8b1b-37ce3a42855c&width=40&dpr=4&quality=100&sign=4ad0305&sv=2) [@merkle\_bonsai](https://x.com/merkle_bonsai) ![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FYAQ38jh5JX7CsjEsjKBn%252Fimage.png%3Falt%3Dmedia%26token%3D66906434-a349-4cb7-ac29-adf04f933b2b&width=768&dpr=4&quality=100&sign=6b4e9d6&sv=2) [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/merkle_bonsai#words-of-wisdom) Words of Wisdom -------------------------------------------------------------------------------------------------------------- * * * ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FBBYe9agZ6JGsSwSH4nnc%252Fimage.png%3Falt%3Dmedia%26token%3D73104116-b3e2-4991-97e2-c4ad31c367e8&width=376&dpr=4&quality=100&sign=f7dd77bb&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/merkle_bonsai#web3-is-a-world-of-white-box-testing) "web3 is a world of white box testing**"** This changes a lot - not only about the approach to searching things, but also about what can be considered a vulnerability. For HTTP API you will need to prove that you can access admin dashboard. In web3, you need to explicitly show what you can do when you are this admin - because if worst thing you can do is start a proposal without paying fees, it will not be a high impact bug. White box gives observability, and simulation gives ability to prove things - and this means that meaning of “bug” changes from “something risky” to “something really harmful” ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252Ft6dCiKeQgNJLUil8gANs%252Fimage.png%3Falt%3Dmedia%26token%3D75248950-f93b-444b-9cac-96459703eec7&width=376&dpr=4&quality=100&sign=eaced8b9&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/merkle_bonsai#stop-following-the-known-path) "Stop following the known path**"** There is a certain moment when you should stop following the known path. “Hacking” is about thinking differently, looking from different perspective - at least not thinking like the developer of this contract, at most thinking not like anyone else at all. This does not mean you should not study findings of others or read new things - but you should grow your own unique approach. Try different ideas, mix them, combine, experiment with new things. Only way to find something everyone else didn’t notice is look at it like no one else did before ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252Fg7H3UxcFBk1qDzD9ov6u%252Fimage.png%3Falt%3Dmedia%26token%3D152c591c-9bff-417c-8a2d-e20f0fc21bb5&width=376&dpr=4&quality=100&sign=758bad0c&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/merkle_bonsai#do-not-limit-yourself) "Do not limit yourself**"** Do not limit yourself with severity or specific area. Sometimes it is **easier** to find a crit than low. Just don’t limit yourself [Previous@rootedrescue](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/rootedrescue) [Next@n4nika\_](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/n4nika_) Last updated 8 months ago --- # @__nnez | Art Of Auditing ![Page cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FwHOEhhyDWtYlAxxPVmt8%252FUntitled-1.jpg%3Falt%3Dmedia%26token%3D53a418bb-3ef0-4ec3-984a-8a7fa343f140&width=1248&dpr=4&quality=100&sign=94255264&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/__nnez#nnez) ![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252F6UuX7506T6D6jWfc9mI0%252Fimage.png%3Falt%3Dmedia%26token%3D07518bf0-fb67-4824-afc5-d83972c322ac&width=40&dpr=4&quality=100&sign=54d0e948&sv=2)![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FoexTy0YLirZNUEtBi9hl%252Fimage.png%3Falt%3Dmedia%26token%3D37136669-4ffa-4e5c-8b1b-37ce3a42855c&width=40&dpr=4&quality=100&sign=4ad0305&sv=2) [@\_\_nnez](https://x.com/__nnez) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/__nnez#top-50-immunefi-leaderboard) Top 50 Immunefi Leaderboard ![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FpPslNf4x4dH4GXGAEiO8%252Fimage.png%3Falt%3Dmedia%26token%3D00ae592d-ee9b-4b36-9fe2-def5383549f4&width=768&dpr=4&quality=100&sign=f4d20fb8&sv=2) [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/__nnez#words-of-wisdom) Words of Wisdom ------------------------------------------------------------------------------------------------------- * * * ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FBBYe9agZ6JGsSwSH4nnc%252Fimage.png%3Falt%3Dmedia%26token%3D73104116-b3e2-4991-97e2-c4ad31c367e8&width=376&dpr=4&quality=100&sign=f7dd77bb&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/__nnez#choose-your-target-wisely) "Choose Your Target Wisely**"** It doesn't matter how fancy the bug is - if the project you chose doesn't pay you, nothing matters. Choose wisely where you want to put your effort. ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252Ft6dCiKeQgNJLUil8gANs%252Fimage.png%3Falt%3Dmedia%26token%3D75248950-f93b-444b-9cac-96459703eec7&width=376&dpr=4&quality=100&sign=eaced8b9&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/__nnez#dont-get-tempted-by-code-that-smells-bad) "Don't get tempted by _code that smells bad_**"** It's tempting to pick an easy target with "code smell" because it has a higher chance of being vulnerable. However, remember that such projects might not take security seriously. ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252Fg7H3UxcFBk1qDzD9ov6u%252Fimage.png%3Falt%3Dmedia%26token%3D152c591c-9bff-417c-8a2d-e20f0fc21bb5&width=376&dpr=4&quality=100&sign=758bad0c&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/__nnez#checklist-on-picking-bb-targets) "Checklist on picking BB targets**"** * They project pays in stablecoin or hard assets (ETH, BTC) * If they pay with their own token, make sure they have enough liquidity * They are active—you're likely to be ghosted on inactive projects * Check their Discord, X (formerly Twitter), or other social platforms * Check their GitHub ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FOVYTQxXUhm5JOqli3peZ%252Fimage.png%3Falt%3Dmedia%26token%3Da376844f-266a-4282-87cd-e3ca7ca262d1&width=376&dpr=4&quality=100&sign=5bdfed5e&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/__nnez#dont-fear-the-complexity) "Don't Fear the Complexity" Complexity goes both ways: if it's complex for you, it's also complex for developers. Complexity often leads to mistakes, and mistakes lead to bugs. ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252F2HLO8lmRHJojYnxE57wN%252Fimage.png%3Falt%3Dmedia%26token%3Dc837f3e7-0d31-4bfd-bd6a-faf9721af2c4&width=376&dpr=4&quality=100&sign=9a9ece40&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/__nnez#dont-skip-the-fundamentals-fill-your-knowledge-gaps) "Don't Skip the Fundamentals, Fill Your Knowledge Gaps" While it's partly true that you can earn in this space knowing only Solidity, you might not be able to improve without understanding how blockchain works, how EVM operates, or even how Solidity is compiled to bytecodes. Expand your repertoire to other languages. ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FwnxpJSNiJtLcSBqZG8Sk%252Fimage.png%3Falt%3Dmedia%26token%3Df3cd861c-d70f-4e43-ad5d-87aadb298075&width=376&dpr=4&quality=100&sign=db2438cb&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/__nnez#dont-rely-on-luck) "Don't rely on luck" Bridge your knowledge gaps. You can't expect to compete with knowledgeable security researchers if you couldn’t match their level of expertise. Luck plays a role in winning, but don't let it be your only factor of winning. ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FwL2n21CPUK8gfTq72dXB%252Fimage.png%3Falt%3Dmedia%26token%3D667227f7-20cb-46f8-beab-1841084245b4&width=376&dpr=4&quality=100&sign=aae0eb88&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/__nnez#persistence-is-key) "Persistence is Key" What you see on the surface of this space is people's success—you don't see failed attempts. Stories of successful white hats often sound like they came from nothing, but that's unrealistic. Everyone faces hardships before becoming successful. What they have in common though is persistence! They keep going, they keep doing, and that's what actually makes them distinctly successful. ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252F9xljHNy3fDsgksobLb1v%252Fimage.png%3Falt%3Dmedia%26token%3Dc85fe962-da1f-4481-a730-e9a9d1b6349f&width=376&dpr=4&quality=100&sign=8138bfed&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/__nnez#persistence-is-key...-but-madness-is-not) "Persistence is key... but madness is not" Don't forget to take a break. What I also observe in this space is an excess of positivity. The value of your work is often equated with the time and effort you put into it. It might sound cool to always be working on a target, spending countless nights looking for a bug. However, that's not healthy. Don't fall into this trap and pressure. Everybody needs breaks. Remember, you'll only get the best results when you're well-rested. [Previous@bahurum](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/bahurum) [Next@0xadrii](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/0xadrii) Last updated 8 months ago --- # @csanuragjain | Art Of Auditing ![Page cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FwHOEhhyDWtYlAxxPVmt8%252FUntitled-1.jpg%3Falt%3Dmedia%26token%3D53a418bb-3ef0-4ec3-984a-8a7fa343f140&width=1248&dpr=4&quality=100&sign=94255264&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/csanuragjain#csanuragjain) ![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252F6UuX7506T6D6jWfc9mI0%252Fimage.png%3Falt%3Dmedia%26token%3D07518bf0-fb67-4824-afc5-d83972c322ac&width=40&dpr=4&quality=100&sign=54d0e948&sv=2)![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FoexTy0YLirZNUEtBi9hl%252Fimage.png%3Falt%3Dmedia%26token%3D37136669-4ffa-4e5c-8b1b-37ce3a42855c&width=40&dpr=4&quality=100&sign=4ad0305&sv=2) [@csanuragjain](https://x.com/csanuragjain) ![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FB0xKEPiLWX2LYU8VDDu5%252Fimage.png%3Falt%3Dmedia%26token%3D7620a59a-53c5-42fe-8bf4-d278ae360a74&width=768&dpr=4&quality=100&sign=ee6957d1&sv=2) [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/csanuragjain#words-of-wisdom) Words of Wisdom ------------------------------------------------------------------------------------------------------------- * * * ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FBBYe9agZ6JGsSwSH4nnc%252Fimage.png%3Falt%3Dmedia%26token%3D73104116-b3e2-4991-97e2-c4ad31c367e8&width=376&dpr=4&quality=100&sign=f7dd77bb&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/csanuragjain#focus-on-difficult-codes) "Focus on difficult codes**"** While reviewing many auditors leave the difficult part of codes. That is someplace most of the bug lies ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252Ft6dCiKeQgNJLUil8gANs%252Fimage.png%3Falt%3Dmedia%26token%3D75248950-f93b-444b-9cac-96459703eec7&width=376&dpr=4&quality=100&sign=eaced8b9&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/csanuragjain#read-what-you-missed) "Read what you missed**"** After completing the audit, read other auditor finding to know what you missed [Previous@Czar102](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/czar102) [Next@0xFrankCastle](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/0xfrankcastle) Last updated 9 months ago --- # @iamdirky | Art Of Auditing ![Page cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FwHOEhhyDWtYlAxxPVmt8%252FUntitled-1.jpg%3Falt%3Dmedia%26token%3D53a418bb-3ef0-4ec3-984a-8a7fa343f140&width=1248&dpr=4&quality=100&sign=94255264&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/iamdirky#iamdirky) ![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252F6UuX7506T6D6jWfc9mI0%252Fimage.png%3Falt%3Dmedia%26token%3D07518bf0-fb67-4824-afc5-d83972c322ac&width=40&dpr=4&quality=100&sign=54d0e948&sv=2)![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FoexTy0YLirZNUEtBi9hl%252Fimage.png%3Falt%3Dmedia%26token%3D37136669-4ffa-4e5c-8b1b-37ce3a42855c&width=40&dpr=4&quality=100&sign=4ad0305&sv=2) [@iamdirky](https://x.com/iamdirky) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/iamdirky#previously-placed-4-in-c4-90-day-leaderboard-or-security-engineer-asymmetric-research) Previously placed #4 in C4 90 day leaderboard | Security Engineer [@Asymmetric Research](https://x.com/asymmetric_re) ![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FyTNYQbZwlolRmlMmbH8K%252Fimage.png%3Falt%3Dmedia%26token%3Ddac44765-6efe-44d0-8ef3-3e404de61739&width=768&dpr=4&quality=100&sign=98d4437d&sv=2) [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/iamdirky#words-of-wisdom) Words of Wisdom --------------------------------------------------------------------------------------------------------- * * * ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FBBYe9agZ6JGsSwSH4nnc%252Fimage.png%3Falt%3Dmedia%26token%3D73104116-b3e2-4991-97e2-c4ad31c367e8&width=376&dpr=4&quality=100&sign=f7dd77bb&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/iamdirky#look-one-more-time) "Look one more time**"** Some of my most interesting bugs have come from times where I've exhausted all my hypotheses and am about to give up. But I decide to look at something one more time and a bug jumps out at me. ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252Ft6dCiKeQgNJLUil8gANs%252Fimage.png%3Falt%3Dmedia%26token%3D75248950-f93b-444b-9cac-96459703eec7&width=376&dpr=4&quality=100&sign=eaced8b9&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/iamdirky#diversify-but-also-play-to-your-strengths) "Diversify but also play to your strengths**"** Some people are just going to be better than you at finding certain types of bugs. Understand your weaknesses and try to improve, but equally don't discard what you're good at, sometimes it pays to play to your strengths. ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252Fg7H3UxcFBk1qDzD9ov6u%252Fimage.png%3Falt%3Dmedia%26token%3D152c591c-9bff-417c-8a2d-e20f0fc21bb5&width=376&dpr=4&quality=100&sign=758bad0c&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/iamdirky#focus-on-the-important-bugs) "Focus on the important bugs**"** Don't waste time on low/informational severity bugs. There are bigger fish to fry, taking the time to write up reports for low severity bugs isn't a good use of your time when you could instead be finding the more impactful bugs. [Previous@m4rio\_eth](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/m4rio_eth) [Next@Czar102](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/czar102) Last updated 9 months ago --- # @Trungore | Art Of Auditing ![Page cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FwHOEhhyDWtYlAxxPVmt8%252FUntitled-1.jpg%3Falt%3Dmedia%26token%3D53a418bb-3ef0-4ec3-984a-8a7fa343f140&width=1248&dpr=4&quality=100&sign=94255264&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/trungore#trungore) ![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252F6UuX7506T6D6jWfc9mI0%252Fimage.png%3Falt%3Dmedia%26token%3D07518bf0-fb67-4824-afc5-d83972c322ac&width=40&dpr=4&quality=100&sign=54d0e948&sv=2)![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FoexTy0YLirZNUEtBi9hl%252Fimage.png%3Falt%3Dmedia%26token%3D37136669-4ffa-4e5c-8b1b-37ce3a42855c&width=40&dpr=4&quality=100&sign=4ad0305&sv=2) [@Trungore](https://x.com/Trungore) ![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252Fd6Gl9FrxTWG76kuUM9aW%252Fimage.png%3Falt%3Dmedia%26token%3D01f57b1d-bb62-4131-ab83-a03389392a80&width=768&dpr=4&quality=100&sign=77afd30d&sv=2) [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/trungore#words-of-wisdom) Words of Wisdom --------------------------------------------------------------------------------------------------------- * * * ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FBBYe9agZ6JGsSwSH4nnc%252Fimage.png%3Falt%3Dmedia%26token%3D73104116-b3e2-4991-97e2-c4ad31c367e8&width=376&dpr=4&quality=100&sign=f7dd77bb&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/trungore#collaboration) "Collaboration**"** Joining forces has been one of my best decisions since I started auditing. The benefits of collaboration are significant: * **Enhanced Findings**: Working with partners has raised the quality and quantity of our findings. We combine our ideas, transforming them into a fully developed issue. One sophisticated discovery resulted from merging two ideas: * _**My partner’s insight**_**:** "If we disrupt the list order, we could then employ strategy Y to potentially cause users to lose funds." * _**My idea**_**:** "Implementing strategy X might let us break the list order." ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252Ft6dCiKeQgNJLUil8gANs%252Fimage.png%3Falt%3Dmedia%26token%3D75248950-f93b-444b-9cac-96459703eec7&width=376&dpr=4&quality=100&sign=eaced8b9&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/trungore#learn-by-sharing) "Learn by sharing**"** By sharing ideas, I also get the chance to understand different perspectives, which is one of the most valuable aspects of working with a partner. ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252Fg7H3UxcFBk1qDzD9ov6u%252Fimage.png%3Falt%3Dmedia%26token%3D152c591c-9bff-417c-8a2d-e20f0fc21bb5&width=376&dpr=4&quality=100&sign=758bad0c&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/trungore#taking-breaks) "Taking Breaks**"** Taking breaks during audits is essential for me. A quick reset in the middle of a project refreshes the mind, making it easier to approach the contract from a new angle and often sparking ideas that weren’t apparent before. ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FOVYTQxXUhm5JOqli3peZ%252Fimage.png%3Falt%3Dmedia%26token%3Da376844f-266a-4282-87cd-e3ca7ca262d1&width=376&dpr=4&quality=100&sign=5bdfed5e&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/trungore#using-a-checklist) "Using a Checklist" A critical lesson I learned in auditing is to maintain a personal checklist for each category. Until every box on the checklist is ticked, the audit isn’t complete. In the past, missing a simple access control check cost me a critical finding and, ultimately, the top spot. [Previous@n4nika\_](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/n4nika_) [Next@m4rio\_eth](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/m4rio_eth) Last updated 9 months ago --- # @m4rio_eth | Art Of Auditing ![Page cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FwHOEhhyDWtYlAxxPVmt8%252FUntitled-1.jpg%3Falt%3Dmedia%26token%3D53a418bb-3ef0-4ec3-984a-8a7fa343f140&width=1248&dpr=4&quality=100&sign=94255264&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/m4rio_eth#m4rio_eth) ![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252F6UuX7506T6D6jWfc9mI0%252Fimage.png%3Falt%3Dmedia%26token%3D07518bf0-fb67-4824-afc5-d83972c322ac&width=40&dpr=4&quality=100&sign=54d0e948&sv=2)![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FoexTy0YLirZNUEtBi9hl%252Fimage.png%3Falt%3Dmedia%26token%3D37136669-4ffa-4e5c-8b1b-37ce3a42855c&width=40&dpr=4&quality=100&sign=4ad0305&sv=2) [@m4rio\_eth](https://x.com/m4rio_eth) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/m4rio_eth#over-200-reviews-to-date-or-creator-of-soldeer.xyz-or-cantina-profile-cantina.xyz-u-m4rio) Over 200 reviews to date | Creator of [soldeer.xyz](https://t.co/t9IDGnxbAR) | Cantina profile: [cantina.xyz/u/m4rio](https://t.co/UhQlb2wfXu) ![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252Fr3rwi3DHN1SojUAokFcF%252Fimage.png%3Falt%3Dmedia%26token%3D461dc043-a31c-4e19-b782-c0c9481f4605&width=768&dpr=4&quality=100&sign=53c51c77&sv=2) [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/m4rio_eth#words-of-wisdom) Words of Wisdom ---------------------------------------------------------------------------------------------------------- * * * ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FBBYe9agZ6JGsSwSH4nnc%252Fimage.png%3Falt%3Dmedia%26token%3D73104116-b3e2-4991-97e2-c4ad31c367e8&width=376&dpr=4&quality=100&sign=f7dd77bb&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/m4rio_eth#look-twice-before-looking-again) "Look twice before looking again**"** Even if you have high confidence on a certain function/part of the code, give it one more look, it always pays off ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252Ft6dCiKeQgNJLUil8gANs%252Fimage.png%3Falt%3Dmedia%26token%3D75248950-f93b-444b-9cac-96459703eec7&width=376&dpr=4&quality=100&sign=eaced8b9&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/m4rio_eth#the-most-complicated-bugs-are-the-simplest) "The most complicated bugs are the simplest**"** Sometimes we have the urge to try to come up with very complicated/weird edge-cases forgetting to approach everyone from first principle approach ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252Fg7H3UxcFBk1qDzD9ov6u%252Fimage.png%3Falt%3Dmedia%26token%3D152c591c-9bff-417c-8a2d-e20f0fc21bb5&width=376&dpr=4&quality=100&sign=758bad0c&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/m4rio_eth#do-not-overdo-your-issues) "Do not overdo your issues**"** I've seen an urge on various occasions where researchers like to overwork their issues which might cause the client to lose the meaning of the issue. Keep it simple, do not forget, your goal is to help the client secure their code [Previous@Trungore](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/trungore) [Next@iamdirky](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/iamdirky) Last updated 9 months ago --- # @Al_Qa_qa | Art Of Auditing ![Page cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FwHOEhhyDWtYlAxxPVmt8%252FUntitled-1.jpg%3Falt%3Dmedia%26token%3D53a418bb-3ef0-4ec3-984a-8a7fa343f140&width=1248&dpr=4&quality=100&sign=94255264&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/al_qa_qa#al_qa_qa) ![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252F6UuX7506T6D6jWfc9mI0%252Fimage.png%3Falt%3Dmedia%26token%3D07518bf0-fb67-4824-afc5-d83972c322ac&width=40&dpr=4&quality=100&sign=54d0e948&sv=2)![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FoexTy0YLirZNUEtBi9hl%252Fimage.png%3Falt%3Dmedia%26token%3D37136669-4ffa-4e5c-8b1b-37ce3a42855c&width=40&dpr=4&quality=100&sign=4ad0305&sv=2)[@Al\_Qa\_qa](https://x.com/Al_Qa_qa) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/al_qa_qa#id-13-on-codehawks) 🏅#13 on Codehawks ![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FWuPaKr6ShNvwKXybTjLr%252Fimage.png%3Falt%3Dmedia%26token%3D0eac9737-b5ee-4053-8f02-9792eb583c46&width=768&dpr=4&quality=100&sign=3b5be128&sv=2) [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/al_qa_qa#words-of-wisdom) Words of Wisdom --------------------------------------------------------------------------------------------------------- * * * ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FBBYe9agZ6JGsSwSH4nnc%252Fimage.png%3Falt%3Dmedia%26token%3D73104116-b3e2-4991-97e2-c4ad31c367e8&width=376&dpr=4&quality=100&sign=f7dd77bb&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/al_qa_qa#you-dont-know-a-lot) "You don't know a lot**"** You reach a point where you fully understand the codebase, but the results come with a lot of bugs you miss. ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252Ft6dCiKeQgNJLUil8gANs%252Fimage.png%3Falt%3Dmedia%26token%3D75248950-f93b-444b-9cac-96459703eec7&width=376&dpr=4&quality=100&sign=eaced8b9&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/al_qa_qa#time-management) "Time Management**"** Studying, doing contests besides escalations, and learning new concepts. Each task should take its time without neglecting the other task. ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252Fg7H3UxcFBk1qDzD9ov6u%252Fimage.png%3Falt%3Dmedia%26token%3D152c591c-9bff-417c-8a2d-e20f0fc21bb5&width=376&dpr=4&quality=100&sign=758bad0c&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/al_qa_qa#patience) "Patience**"** You can spend weeks working hard without any progress, but you should keep working to reach your goals. [Previous@0xFrankCastle](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/0xfrankcastle) [Next@Haxatron1](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/haxatron1) Last updated 2 months ago --- # @Haxatron1 | Art Of Auditing ![Page cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FwHOEhhyDWtYlAxxPVmt8%252FUntitled-1.jpg%3Falt%3Dmedia%26token%3D53a418bb-3ef0-4ec3-984a-8a7fa343f140&width=1248&dpr=4&quality=100&sign=94255264&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/haxatron1#haxatron1) ![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252F6UuX7506T6D6jWfc9mI0%252Fimage.png%3Falt%3Dmedia%26token%3D07518bf0-fb67-4824-afc5-d83972c322ac&width=40&dpr=4&quality=100&sign=54d0e948&sv=2)![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FoexTy0YLirZNUEtBi9hl%252Fimage.png%3Falt%3Dmedia%26token%3D37136669-4ffa-4e5c-8b1b-37ce3a42855c&width=40&dpr=4&quality=100&sign=4ad0305&sv=2) [@Haxatron1](https://x.com/Haxatron1) ![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FnFu6b9IErhFLXmD4GqEL%252Fimage.png%3Falt%3Dmedia%26token%3Dc90d9bf6-5908-4288-8567-c8c95bcdfaf1&width=768&dpr=4&quality=100&sign=514abd3d&sv=2) [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/haxatron1#words-of-wisdom) Words of Wisdom ---------------------------------------------------------------------------------------------------------- * * * ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FBBYe9agZ6JGsSwSH4nnc%252Fimage.png%3Falt%3Dmedia%26token%3D73104116-b3e2-4991-97e2-c4ad31c367e8&width=376&dpr=4&quality=100&sign=f7dd77bb&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/haxatron1#be-organized-in-your-approach) "Be organized in your approach**"** I like to keep track of contracts I have reviewed, so that I don't miss out on anything and it is easier for me to do a systematic review of all the contracts. This is especially helpful if there is alot of stuff to review. ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252Ft6dCiKeQgNJLUil8gANs%252Fimage.png%3Falt%3Dmedia%26token%3D75248950-f93b-444b-9cac-96459703eec7&width=376&dpr=4&quality=100&sign=eaced8b9&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/haxatron1#dont-be-afraid-to-tackle-hard-codebases) "Don't be afraid to tackle hard codebases**"** The harder the contest, the lesser number of people and the greater chance of winning. ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252Fg7H3UxcFBk1qDzD9ov6u%252Fimage.png%3Falt%3Dmedia%26token%3D152c591c-9bff-417c-8a2d-e20f0fc21bb5&width=376&dpr=4&quality=100&sign=758bad0c&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/haxatron1#choose-a-niche-and-focus-on-it) "Choose a niche and focus on it**"** With the huge number of contests lately, there is enough to go around for everbody. As for me I chose cross-chain and L2s but some rockstars like A2Security specialize in lending. [Previous@Al\_Qa\_qa](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/al_qa_qa) [Next@0xMinhT](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/0xminht) Last updated 9 months ago --- # @Czar102 | Art Of Auditing ![Page cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FwHOEhhyDWtYlAxxPVmt8%252FUntitled-1.jpg%3Falt%3Dmedia%26token%3D53a418bb-3ef0-4ec3-984a-8a7fa343f140&width=1248&dpr=4&quality=100&sign=94255264&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/czar102#czar102) ![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252F6UuX7506T6D6jWfc9mI0%252Fimage.png%3Falt%3Dmedia%26token%3D07518bf0-fb67-4824-afc5-d83972c322ac&width=40&dpr=4&quality=100&sign=54d0e948&sv=2)![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FoexTy0YLirZNUEtBi9hl%252Fimage.png%3Falt%3Dmedia%26token%3D37136669-4ffa-4e5c-8b1b-37ce3a42855c&width=40&dpr=4&quality=100&sign=4ad0305&sv=2) [@\_Czar102](https://x.com/_Czar102) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/czar102#blueprints-founder-or-security-researcher-or-prev.-head-of-judging-at-sherlock) ["Blueprints" founder](https://blueprints.finance/) | Security Researcher | prev. Head of Judging at Sherlock ![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FFuNoHIrjqXyu3wg5ASno%252Fimage.png%3Falt%3Dmedia%26token%3Db3fed3d1-b7a1-44c4-9a8f-60e5f54bf233&width=768&dpr=4&quality=100&sign=fec33f8b&sv=2) [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/czar102#words-of-wisdom) Words of Wisdom -------------------------------------------------------------------------------------------------------- * * * ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FBBYe9agZ6JGsSwSH4nnc%252Fimage.png%3Falt%3Dmedia%26token%3D73104116-b3e2-4991-97e2-c4ad31c367e8&width=376&dpr=4&quality=100&sign=f7dd77bb&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/czar102#think-in-properties) "Think in properties**"** Whenever you see any behavior in code, try to think what properties it is trying to enforce and what properties you'd imagine the code should have that it would break. For example, think in invariants: what should always be true about the contract? ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252Ft6dCiKeQgNJLUil8gANs%252Fimage.png%3Falt%3Dmedia%26token%3D75248950-f93b-444b-9cac-96459703eec7&width=376&dpr=4&quality=100&sign=eaced8b9&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/czar102#ask-yourself-whats-missing) "Ask yourself what's missing**"** Checking that some code does what it should is usually relatively easy. It's easy to notice what's wrong, but it's difficult to notice what's missing. Always consider whether any other action should be executed or a check done. ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252Fg7H3UxcFBk1qDzD9ov6u%252Fimage.png%3Falt%3Dmedia%26token%3D152c591c-9bff-417c-8a2d-e20f0fc21bb5&width=376&dpr=4&quality=100&sign=758bad0c&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/czar102#audit-restrictions) "Audit restrictions**"** In some reviews you'll do, you will find a lot of bugs and your client's fixes will be so huge, that it will require you to do a multiple of the work of the audit. Make sure you set the timeline for receiving fixes and that there is an upper limitation on how large the fix diff is. If any requirement is not fulfilled, the review requires a renegotiation. But don't be too strict about it. ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252F2HLO8lmRHJojYnxE57wN%252Fimage.png%3Falt%3Dmedia%26token%3Dc837f3e7-0d31-4bfd-bd6a-faf9721af2c4&width=376&dpr=4&quality=100&sign=9a9ece40&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/czar102#a-arch-architecture) "A-, Arch-, Architecture!" Architecture is the most important thing about the codebase. If the developers thought about it enough, the codebase would be minimal. There will be few places to introduce bugs. If the contracts are large, it usually means that the architecture wasn't well done and it can pay off to look from the higher level: what is wrong with the current design? [Previous@iamdirky](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/iamdirky) [Next@csanuragjain](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/csanuragjain) Last updated 8 months ago --- # @Said | Art Of Auditing ![Page cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FwHOEhhyDWtYlAxxPVmt8%252FUntitled-1.jpg%3Falt%3Dmedia%26token%3D53a418bb-3ef0-4ec3-984a-8a7fa343f140&width=1248&dpr=4&quality=100&sign=94255264&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/said#saidamdev) ![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252F6UuX7506T6D6jWfc9mI0%252Fimage.png%3Falt%3Dmedia%26token%3D07518bf0-fb67-4824-afc5-d83972c322ac&width=40&dpr=4&quality=100&sign=54d0e948&sv=2)![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FoexTy0YLirZNUEtBi9hl%252Fimage.png%3Falt%3Dmedia%26token%3D37136669-4ffa-4e5c-8b1b-37ce3a42855c&width=40&dpr=4&quality=100&sign=4ad0305&sv=2) [@saidamdev](https://x.com/saidamdev) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/said#greater-than-usd100k-in-contest-payouts) \>$100K in contest payouts ![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FOCD4e6ozKroL2fGn1plH%252Fimage.png%3Falt%3Dmedia%26token%3D42a6aebb-72a9-493d-89a3-c72870873c95&width=768&dpr=4&quality=100&sign=ed6abdb2&sv=2) [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/said#words-of-wisdom) Words of Wisdom ----------------------------------------------------------------------------------------------------- * * * ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FBBYe9agZ6JGsSwSH4nnc%252Fimage.png%3Falt%3Dmedia%26token%3D73104116-b3e2-4991-97e2-c4ad31c367e8&width=376&dpr=4&quality=100&sign=f7dd77bb&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/said#never-accept-protocol-design-decisions-without-question) "Never accept protocol design decisions without question**"** Always ask why they were designed and implemented that way. I have seen unique findings that aren't immediately apparent in the codebase but only become clear after digging deep into the design and questioning it. ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252Ft6dCiKeQgNJLUil8gANs%252Fimage.png%3Falt%3Dmedia%26token%3D75248950-f93b-444b-9cac-96459703eec7&width=376&dpr=4&quality=100&sign=eaced8b9&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/said#dont-try-to-be-the-jack-of-all-trades) "Don't try to be the jack of all trades**"** Currently, there are far more opportunities in Web3 security than anyone could have imagined even a year ago. Pick one niche and excel at it, capitalize on it as much as possible. Then, you can expand your knowledge afterward. Don't try to chase and master everything early in your journey [Previous@0xT1MOH](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/0xt1moh) [Next@0xSorryNotSorry](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/0xsorrynotsorry) Last updated 9 months ago --- # @0xjuaan | Art Of Auditing ![Page cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FwHOEhhyDWtYlAxxPVmt8%252FUntitled-1.jpg%3Falt%3Dmedia%26token%3D53a418bb-3ef0-4ec3-984a-8a7fa343f140&width=1248&dpr=4&quality=100&sign=94255264&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/0xjuaan#id-0xjuaan) ![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252F6UuX7506T6D6jWfc9mI0%252Fimage.png%3Falt%3Dmedia%26token%3D07518bf0-fb67-4824-afc5-d83972c322ac&width=40&dpr=4&quality=100&sign=54d0e948&sv=2)![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FoexTy0YLirZNUEtBi9hl%252Fimage.png%3Falt%3Dmedia%26token%3D37136669-4ffa-4e5c-8b1b-37ce3a42855c&width=40&dpr=4&quality=100&sign=4ad0305&sv=2) [@0xjuaan](https://x.com/0xjuaan) ![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FJNtpXerueQWFyBl55aJr%252Fimage.png%3Falt%3Dmedia%26token%3Dde5ddb93-84e2-40d3-9623-d0f8bb5d4425&width=768&dpr=4&quality=100&sign=9341557a&sv=2) [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/0xjuaan#words-of-wisdom) Words of Wisdom -------------------------------------------------------------------------------------------------------- * * * ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FBBYe9agZ6JGsSwSH4nnc%252Fimage.png%3Falt%3Dmedia%26token%3D73104116-b3e2-4991-97e2-c4ad31c367e8&width=376&dpr=4&quality=100&sign=f7dd77bb&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/0xjuaan#transact-with-the-protocol-in-different-ways) "**Transact with the protocol in different ways"** A great way to understand a live protocol at a high level is to just transact with it in different ways (via the frontend), and then analyse the transaction trace on tenderly, or the blocksec explorer. ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FOVYTQxXUhm5JOqli3peZ%252Fimage.png%3Falt%3Dmedia%26token%3Da376844f-266a-4282-87cd-e3ca7ca262d1&width=376&dpr=4&quality=100&sign=5bdfed5e&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/0xjuaan#auditing-skill-greater-than-technical-knowledge-generally) "Auditing skill > technical knowledge (generally)" The vast majority of vulnerabilities are due to logical flaws or a lack of constraints and don't require a deep understanding of the EVM's inner workings. These are found by training your auditing skill through deliberate practice. So in terms of technical knowledge, you can achieve great results if you just learn the basics thoroughly (e.g as much as [@CyfrinUpdraft](https://x.com/CyfrinUpdraft) teaches). [Previous@tpiliposian](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/tpiliposian) [Next@MrPotatoMagic](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/mrpotatomagic) Last updated 9 months ago --- # @0xMinhT | Art Of Auditing ![Page cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FwHOEhhyDWtYlAxxPVmt8%252FUntitled-1.jpg%3Falt%3Dmedia%26token%3D53a418bb-3ef0-4ec3-984a-8a7fa343f140&width=1248&dpr=4&quality=100&sign=94255264&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/0xminht#id-0xminht) ![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252F6UuX7506T6D6jWfc9mI0%252Fimage.png%3Falt%3Dmedia%26token%3D07518bf0-fb67-4824-afc5-d83972c322ac&width=40&dpr=4&quality=100&sign=54d0e948&sv=2)![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FoexTy0YLirZNUEtBi9hl%252Fimage.png%3Falt%3Dmedia%26token%3D37136669-4ffa-4e5c-8b1b-37ce3a42855c&width=40&dpr=4&quality=100&sign=4ad0305&sv=2) [@0xMinhT](https://x.com/0xMinhT) ![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252F40rmffUeS5If3MGx5BZZ%252Fimage.png%3Falt%3Dmedia%26token%3D3e490bd7-e949-47c1-8fd4-41a4d88bb95b&width=768&dpr=4&quality=100&sign=34e87c59&sv=2) [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/0xminht#words-of-wisdom) Words of Wisdom -------------------------------------------------------------------------------------------------------- * * * ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FBBYe9agZ6JGsSwSH4nnc%252Fimage.png%3Falt%3Dmedia%26token%3D73104116-b3e2-4991-97e2-c4ad31c367e8&width=376&dpr=4&quality=100&sign=f7dd77bb&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/0xminht#work-harder) "Work harder**"** A wise person once said: work, work, work, work, work, work It was Rihanna. "Idk man, you just need to put in the work" is like the most generic thing you could tell someone who wants advice on how to get gud (at anything), but sadly the answer is as true as it is unsexy. I like to consider myself fairly smart. I had an easy time in school and university, I could half-ass most of it and still get very good grades. I had to learn the hard way that this mentality does not transfer to the security research space. This place is filled with giga-brains, and the only option for most people to get anywhere close in terms of skill is to outwork them. ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252Fg7H3UxcFBk1qDzD9ov6u%252Fimage.png%3Falt%3Dmedia%26token%3D152c591c-9bff-417c-8a2d-e20f0fc21bb5&width=376&dpr=4&quality=100&sign=758bad0c&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/0xminht#focus-on-one-thing-at-a-time-and-do-it-properly) "Focus on one thing at a time and do it properly**"** I am a massive sucker for FOMO. I can not count the times where I tried to do contests in parallel or when I was planning to do a contest in the final third of the time available just so I could do another one before that, for which I also only allocated a fraction of the time I should have. Needless to say I did not perform well doing this, ever. Remember how I said earlier that I consider myself smart? It's moments like these that make me question if I don't have a learning disability instead (like in the Simpsons episode where Lisa tests if her brother is [dumber than a hamster](https://t.co/M7wBaypF5r) ) Learn from my mistakes and dedicate yourself to one codebase at a time for as much time as necessary until you understand how everything works. ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FOVYTQxXUhm5JOqli3peZ%252Fimage.png%3Falt%3Dmedia%26token%3Da376844f-266a-4282-87cd-e3ca7ca262d1&width=376&dpr=4&quality=100&sign=5bdfed5e&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/0xminht#just-read-the-code) "Just read the code" [_**This is a funny meme**_](https://pbs.twimg.com/media/GYUIRnmW0AAiypB?format=jpg&name=medium) , but it's just that. If you are you are far enough to the right of the intelligence curve you may be able to get away with it, but for most people I don't believe its an efficient way to go. Obviously reading code is the majority of the job, but for those who are not blessed with extraordinay mental RAM, there is no shame in: * reading the docs to get a high-level understanding first * taking notes and drawing diagrams * using an IDE and learning to use it properly * (especially in regards to navigating and searching code) [Previous@Haxatron1](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/haxatron1) [Next@0xT1MOH](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/0xt1moh) Last updated 9 months ago --- # @0xSorryNotSorry | Art Of Auditing ![Page cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FwHOEhhyDWtYlAxxPVmt8%252FUntitled-1.jpg%3Falt%3Dmedia%26token%3D53a418bb-3ef0-4ec3-984a-8a7fa343f140&width=1248&dpr=4&quality=100&sign=94255264&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/0xsorrynotsorry#id-0xsorrynotsorry) ![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252F6UuX7506T6D6jWfc9mI0%252Fimage.png%3Falt%3Dmedia%26token%3D07518bf0-fb67-4824-afc5-d83972c322ac&width=40&dpr=4&quality=100&sign=54d0e948&sv=2)![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FoexTy0YLirZNUEtBi9hl%252Fimage.png%3Falt%3Dmedia%26token%3D37136669-4ffa-4e5c-8b1b-37ce3a42855c&width=40&dpr=4&quality=100&sign=4ad0305&sv=2) [@0xSorryNotSorry](https://x.com/0xSorryNotSorry) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/0xsorrynotsorry#member-of-0xdup1337) Member of [@0xDup1337](https://x.com/0xDup1337) ![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FoYLoW6MLy0vnxhgKdRZc%252Fimage.png%3Falt%3Dmedia%26token%3D3c94b66e-a9ed-4a52-b4c5-23af60c8a0f3&width=768&dpr=4&quality=100&sign=903a66ca&sv=2) [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/0xsorrynotsorry#words-of-wisdom) Words of Wisdom ---------------------------------------------------------------------------------------------------------------- * * * ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FBBYe9agZ6JGsSwSH4nnc%252Fimage.png%3Falt%3Dmedia%26token%3D73104116-b3e2-4991-97e2-c4ad31c367e8&width=376&dpr=4&quality=100&sign=f7dd77bb&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/0xsorrynotsorry#dont-lose-situational-awareness) "Don't lose situational awareness**"** It's one of the worst things that can happen. It can occur especially in very large codebases. Once it made us lose the only spotted High vulnerability in a public C4 contest which awarded the solo spotter a 6 figure prize. I had the risk in my notes, I highlighted the code snippet with the audit tag before, and failed to validate it as I lost the code logic at the end of the contest. ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252Ft6dCiKeQgNJLUil8gANs%252Fimage.png%3Falt%3Dmedia%26token%3D75248950-f93b-444b-9cac-96459703eec7&width=376&dpr=4&quality=100&sign=eaced8b9&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/0xsorrynotsorry#dont-force-yourself-to-find-the-bugs) "Don't force yourself to find the bugs**"** It creates unnecessary pressure and a burden when you do it. I’ve realized that whenever I approach code with this mindset, I often come up empty-handed. However, when I explore codebases out of curiosity and simply for the joy of understanding them, that’s when I find success. ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252Fg7H3UxcFBk1qDzD9ov6u%252Fimage.png%3Falt%3Dmedia%26token%3D152c591c-9bff-417c-8a2d-e20f0fc21bb5&width=376&dpr=4&quality=100&sign=758bad0c&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/0xsorrynotsorry#dont-lose-time-on-codebases-you-dont-like) "Don't lose time on codebases you don't like**"** While this could be subjective - as many people suggest that it leverages Game Theory by not doing so - I observe that I don't see any flaws in the codebases that I disliked. This often leads to simply passing time without purpose and can deepen feelings of imposter syndrome once those flaws become apparent. [Previous@Said](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/said) [Next@NonseOdion](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/nonseodion) Last updated 9 months ago --- # @zzykxx | Art Of Auditing ![Page cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FwHOEhhyDWtYlAxxPVmt8%252FUntitled-1.jpg%3Falt%3Dmedia%26token%3D53a418bb-3ef0-4ec3-984a-8a7fa343f140&width=1248&dpr=4&quality=100&sign=94255264&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/zzykxx#zzykxx) ![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252F6UuX7506T6D6jWfc9mI0%252Fimage.png%3Falt%3Dmedia%26token%3D07518bf0-fb67-4824-afc5-d83972c322ac&width=40&dpr=4&quality=100&sign=54d0e948&sv=2)![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FoexTy0YLirZNUEtBi9hl%252Fimage.png%3Falt%3Dmedia%26token%3D37136669-4ffa-4e5c-8b1b-37ce3a42855c&width=40&dpr=4&quality=100&sign=4ad0305&sv=2) [@zzykxx](https://x.com/zzykxx) ![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252F1SvdqFiiDMC8e9RWM8du%252Fimage.png%3Falt%3Dmedia%26token%3D06b4db21-d5bf-4009-a17c-344c8eebecc6&width=768&dpr=4&quality=100&sign=1ee41919&sv=2) [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/zzykxx#words-of-wisdom) Words of Wisdom ------------------------------------------------------------------------------------------------------- * * * ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FBBYe9agZ6JGsSwSH4nnc%252Fimage.png%3Falt%3Dmedia%26token%3D73104116-b3e2-4991-97e2-c4ad31c367e8&width=376&dpr=4&quality=100&sign=f7dd77bb&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/zzykxx#theres-always-and-i-mean-always-another-bug) "There's always (and I mean always) another bug**"** Most of my decisions regarding an audit are based on this one-liner, for instance I never quit before the time is over and I rarely fool myself into thinking I found everything [Previous@krikoeth](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/krikoeth) [Next@bauchibred](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/bauchibred) Last updated 9 months ago --- # @0xT1MOH | Art Of Auditing ![Page cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FwHOEhhyDWtYlAxxPVmt8%252FUntitled-1.jpg%3Falt%3Dmedia%26token%3D53a418bb-3ef0-4ec3-984a-8a7fa343f140&width=1248&dpr=4&quality=100&sign=94255264&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/0xt1moh#id-0xt1moh) ![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252F6UuX7506T6D6jWfc9mI0%252Fimage.png%3Falt%3Dmedia%26token%3D07518bf0-fb67-4824-afc5-d83972c322ac&width=40&dpr=4&quality=100&sign=54d0e948&sv=2)![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FoexTy0YLirZNUEtBi9hl%252Fimage.png%3Falt%3Dmedia%26token%3D37136669-4ffa-4e5c-8b1b-37ce3a42855c&width=40&dpr=4&quality=100&sign=4ad0305&sv=2) [@0xT1MOH](https://x.com/0xT1MOH) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/0xt1moh#id-1-on-codehawks) đŸ„‡#1 on Codehawks ![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FE4YGFJNlCl12vfkTv8cS%252Fimage.png%3Falt%3Dmedia%26token%3Ddab967af-7a0e-407a-8f87-811b6a138a8e&width=768&dpr=4&quality=100&sign=4b49324a&sv=2) [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/0xt1moh#words-of-wisdom) Words of Wisdom -------------------------------------------------------------------------------------------------------- * * * ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FBBYe9agZ6JGsSwSH4nnc%252Fimage.png%3Falt%3Dmedia%26token%3D73104116-b3e2-4991-97e2-c4ad31c367e8&width=376&dpr=4&quality=100&sign=f7dd77bb&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/0xt1moh#pure-curiosity-and-discipline-is-everything-in-security-research) "**Pure curiosity and discipline is everything in Security Research"** đŸ’Ș ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252Ft6dCiKeQgNJLUil8gANs%252Fimage.png%3Falt%3Dmedia%26token%3D75248950-f93b-444b-9cac-96459703eec7&width=376&dpr=4&quality=100&sign=eaced8b9&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/0xt1moh#less-than-2k-nsloc-contests-are-to-learn-basics-of-security-research-where-you-just-train-skills.-re) " less than **2k nSLoC contests are to learn basics of Security Research where you just train skills. Real work starts later on big complex projects"** đŸ’Ș [Previous@0xMinhT](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/0xminht) [Next@Said](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/said) Last updated 2 months ago --- # @bauchibred | Art Of Auditing ![Page cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FwHOEhhyDWtYlAxxPVmt8%252FUntitled-1.jpg%3Falt%3Dmedia%26token%3D53a418bb-3ef0-4ec3-984a-8a7fa343f140&width=1248&dpr=4&quality=100&sign=94255264&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/bauchibred#bauchibred) ![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252F6UuX7506T6D6jWfc9mI0%252Fimage.png%3Falt%3Dmedia%26token%3D07518bf0-fb67-4824-afc5-d83972c322ac&width=40&dpr=4&quality=100&sign=54d0e948&sv=2)![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FoexTy0YLirZNUEtBi9hl%252Fimage.png%3Falt%3Dmedia%26token%3D37136669-4ffa-4e5c-8b1b-37ce3a42855c&width=40&dpr=4&quality=100&sign=4ad0305&sv=2) [@bauchibred](https://x.com/bauchibred) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/bauchibred#id-150--h-ms-found-and-counting-or-multiple-top-spot-and-runner-up-finishes-among-others-or-full-portf) 150 + H/Ms found (and counting) | Multiple top spot and runner up finishes among others | Full portfolio : [github.com/Bauchibred/portfolio](https://github.com/Bauchibred/portfolio) ![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FUd211PLJhDvDnU60RiYl%252Fimage.png%3Falt%3Dmedia%26token%3D1abd26c9-c218-453d-9d4e-e2d5917ff278&width=768&dpr=4&quality=100&sign=5a0ae49f&sv=2) [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/bauchibred#words-of-wisdom) Words of Wisdom ----------------------------------------------------------------------------------------------------------- * * * ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FBBYe9agZ6JGsSwSH4nnc%252Fimage.png%3Falt%3Dmedia%26token%3D73104116-b3e2-4991-97e2-c4ad31c367e8&width=376&dpr=4&quality=100&sign=f7dd77bb&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/bauchibred#do-not-be-afraid-to-take-on-a-new-challenge) "**Do not be afraid to take on a new challenge"** That’s from trying to audit a new language or trying the 5000+nsloc contest or even going for a Blockchain/DLT level contest from classic solidity Defi. ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252Ft6dCiKeQgNJLUil8gANs%252Fimage.png%3Falt%3Dmedia%26token%3D75248950-f93b-444b-9cac-96459703eec7&width=376&dpr=4&quality=100&sign=eaced8b9&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/bauchibred#security-research-is-a-mindset) "Security research is a mindset**"** As some people say _security research is a mindset,_ so regardless of the size of the protocol or the language, there are always bug cases that apply to it, and if you don’t find any during that audit, you’d definitely learn from the report and apply it on your next audit. ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252Fg7H3UxcFBk1qDzD9ov6u%252Fimage.png%3Falt%3Dmedia%26token%3D152c591c-9bff-417c-8a2d-e20f0fc21bb5&width=376&dpr=4&quality=100&sign=758bad0c&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/bauchibred#stay-consistent) "**Stay** consistent**"** Just show up everyday and do something. [Previous@zzykxx](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/zzykxx) [Next@00xSEV](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/00xsev) Last updated 8 months ago --- # @tpiliposian | Art Of Auditing ![Page cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FwHOEhhyDWtYlAxxPVmt8%252FUntitled-1.jpg%3Falt%3Dmedia%26token%3D53a418bb-3ef0-4ec3-984a-8a7fa343f140&width=1248&dpr=4&quality=100&sign=94255264&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/tpiliposian#tpiliposian) ![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252F6UuX7506T6D6jWfc9mI0%252Fimage.png%3Falt%3Dmedia%26token%3D07518bf0-fb67-4824-afc5-d83972c322ac&width=40&dpr=4&quality=100&sign=54d0e948&sv=2)![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FoexTy0YLirZNUEtBi9hl%252Fimage.png%3Falt%3Dmedia%26token%3D37136669-4ffa-4e5c-8b1b-37ce3a42855c&width=40&dpr=4&quality=100&sign=4ad0305&sv=2) [@tpiliposian](https://x.com/tpiliposian) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/tpiliposian#security-researcher-hexensio) Security Researcher [@hexensio](https://x.com/hexensio) ![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FPIMPKvKWe2jGJCP8hwJk%252Fimage.png%3Falt%3Dmedia%26token%3D821b7793-4b85-40fc-9803-27ec601acadb&width=768&dpr=4&quality=100&sign=326c827d&sv=2) [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/tpiliposian#words-of-wisdom) Words of Wisdom ------------------------------------------------------------------------------------------------------------ * * * ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FBBYe9agZ6JGsSwSH4nnc%252Fimage.png%3Falt%3Dmedia%26token%3D73104116-b3e2-4991-97e2-c4ad31c367e8&width=376&dpr=4&quality=100&sign=f7dd77bb&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/tpiliposian#just-do-it) "Just do it**"** The difference between doers and dreamers is that doers started DOING one day. Today is a great day to be your day one. ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252Ft6dCiKeQgNJLUil8gANs%252Fimage.png%3Falt%3Dmedia%26token%3D75248950-f93b-444b-9cac-96459703eec7&width=376&dpr=4&quality=100&sign=eaced8b9&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/tpiliposian#set-your-goals-high) "Set your goals high**"** When your goals are set too low, it's so easy to quit or lose interest after some success. Your goals should be so high that reaching them will truly change your life. There are so many memes about BJJ people leaving training after getting their blue belt, but when your goal is to be the most badass grappler in the world, no belt will make you quit the game. ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252Fg7H3UxcFBk1qDzD9ov6u%252Fimage.png%3Falt%3Dmedia%26token%3D152c591c-9bff-417c-8a2d-e20f0fc21bb5&width=376&dpr=4&quality=100&sign=758bad0c&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/tpiliposian#give-before-you-take) "**Give before you take"** As I strongly believe that we’re put here to give more to this earth than to receive, hoping to get everything we’re dreaming of without giving back at least equally, it won’t happen. If your dreams are high, you need to be ready to pay more. And the right way to be able to give more is by working on YOU every day, being a greater version of YOU! ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FwnxpJSNiJtLcSBqZG8Sk%252Fimage.png%3Falt%3Dmedia%26token%3Df3cd861c-d70f-4e43-ad5d-87aadb298075&width=376&dpr=4&quality=100&sign=db2438cb&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/tpiliposian#consistency-is-key) "Consistency is key" When someone's performance seems unreachable, it doesn't mean it is. All you need to reach that level is consistency. You'll level up without even realizing how much you've grown with just consistent work. For example, when I started jiu-jitsu, blue belts seemed so powerful and untouchable. I felt unprotected and thought I'd never reach their level. But now, I can play with newcomers and submit them easily. All it took was 8-9 months of consistent training [Previous@abarbatei](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/abarbatei) [Next@0xjuaan](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/0xjuaan) Last updated 8 months ago --- # @abarbatei | Art Of Auditing ![Page cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FwHOEhhyDWtYlAxxPVmt8%252FUntitled-1.jpg%3Falt%3Dmedia%26token%3D53a418bb-3ef0-4ec3-984a-8a7fa343f140&width=1248&dpr=4&quality=100&sign=94255264&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/abarbatei#abarbatei) ![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252F6UuX7506T6D6jWfc9mI0%252Fimage.png%3Falt%3Dmedia%26token%3D07518bf0-fb67-4824-afc5-d83972c322ac&width=40&dpr=4&quality=100&sign=54d0e948&sv=2)![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FoexTy0YLirZNUEtBi9hl%252Fimage.png%3Falt%3Dmedia%26token%3D37136669-4ffa-4e5c-8b1b-37ce3a42855c&width=40&dpr=4&quality=100&sign=4ad0305&sv=2) [@abarbatei](https://x.com/abarbatei) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/abarbatei#abarbatei.xyz-or-veteran-auditor-since-the-time-of-approvals-can-be-front-run-valid-as-a-medium-issu) [abarbatei.xyz](https://abarbatei.xyz/) | Veteran auditor since the time of "approvals can be front-run"—valid as a medium issue | Working both in EVM-land and in the Stacks ecosystem. ![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FzBqclVaOI2YEDNTjQuO2%252Fimage.png%3Falt%3Dmedia%26token%3Dfb2d8685-a584-430e-93fa-36d5968aabf9&width=768&dpr=4&quality=100&sign=5b5b975b&sv=2) [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/abarbatei#words-of-wisdom) Words of Wisdom ---------------------------------------------------------------------------------------------------------- * * * ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FBBYe9agZ6JGsSwSH4nnc%252Fimage.png%3Falt%3Dmedia%26token%3D73104116-b3e2-4991-97e2-c4ad31c367e8&width=376&dpr=4&quality=100&sign=f7dd77bb&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/abarbatei#do-not-avoid-the-cracks-while-looking-for-the-entrance) "Do Not Avoid the Cracks While Looking for the Entrance**"** A bit controversial, but also include informational and low issues when possible. The act of putting into writing a potential low issue both solidifies your understanding of the codebase and provides a slight benefit for the protocol. Countless times, while thinking about how to report an informational issue on a part of the code, I realized there were more issues there. ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252Ft6dCiKeQgNJLUil8gANs%252Fimage.png%3Falt%3Dmedia%26token%3D75248950-f93b-444b-9cac-96459703eec7&width=376&dpr=4&quality=100&sign=eaced8b9&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/abarbatei#the-hunter-should-not-be-jealous-of-the-builders-hammer-and-the-builder-should-not-envy-the-hunters) "The Hunter Should Not Be Jealous of the Builder's Hammer, and the Builder Should Not Envy the Hunter's Bow**"** What works when hunting on bug bounties may not be as relevant when doing private engagements or contests. Although similar, different applications of auditing require different approaches. Remember this and do not try to apply a bug bounty hunter mindset to a private engagement, or vice-versa. ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252Fg7H3UxcFBk1qDzD9ov6u%252Fimage.png%3Falt%3Dmedia%26token%3D152c591c-9bff-417c-8a2d-e20f0fc21bb5&width=376&dpr=4&quality=100&sign=758bad0c&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/abarbatei#balance-focus-with-flow) "Balance Focus With Flow**"** Your resource is your brain, but it has its quirks. You may focus for hours on a codebase only to find an issue later while showering. Why? Because you entered a diffuse thinking mode. Relax your thinking intentionally to allow the pieces to fall into place and the issue to reveal itself to you. Plan walks, long baths, or other such activities in between focus sessions. [Previous@0xArzzz](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/0xarzzz) [Next@tpiliposian](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/tpiliposian) Last updated 8 months ago --- # @0xArzzz | Art Of Auditing ![Page cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FwHOEhhyDWtYlAxxPVmt8%252FUntitled-1.jpg%3Falt%3Dmedia%26token%3D53a418bb-3ef0-4ec3-984a-8a7fa343f140&width=1248&dpr=4&quality=100&sign=94255264&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/0xarzzz#id-0xarzzz) ![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252F6UuX7506T6D6jWfc9mI0%252Fimage.png%3Falt%3Dmedia%26token%3D07518bf0-fb67-4824-afc5-d83972c322ac&width=40&dpr=4&quality=100&sign=54d0e948&sv=2)![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FoexTy0YLirZNUEtBi9hl%252Fimage.png%3Falt%3Dmedia%26token%3D37136669-4ffa-4e5c-8b1b-37ce3a42855c&width=40&dpr=4&quality=100&sign=4ad0305&sv=2) [@0xArzzz](https://x.com/0xArzzz) ![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FQ2qYvoz9iELFuenOm4pS%252Fimage.png%3Falt%3Dmedia%26token%3D1ec2e437-f954-469c-84e8-0e55a0745fee&width=768&dpr=4&quality=100&sign=ab008eac&sv=2) [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/0xarzzz#words-of-wisdom) Words of Wisdom -------------------------------------------------------------------------------------------------------- * * * ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FBBYe9agZ6JGsSwSH4nnc%252Fimage.png%3Falt%3Dmedia%26token%3D73104116-b3e2-4991-97e2-c4ad31c367e8&width=376&dpr=4&quality=100&sign=f7dd77bb&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/0xarzzz#look-in-places-that-you-know-better-than-the-devs) "Look in places that you know better than the devs**"** The devs don't know all the edge cases of the protocol that they are built on top of or forked from. A lot of bugs that I found on Immunefi were bugs where you needed to do something in these deeper layers first to achieve the bad end state. ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252Ft6dCiKeQgNJLUil8gANs%252Fimage.png%3Falt%3Dmedia%26token%3D75248950-f93b-444b-9cac-96459703eec7&width=376&dpr=4&quality=100&sign=eaced8b9&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/0xarzzz#have-fun-and-follow-your-curiosity) "Have fun and follow your curiosity**"** It's a completely different focus when you're doing it out of your curiosity instead of forcing yourself to work. There is a lot to choose from so choose whatever interests you and have fun. [Previous@NonseOdion](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/nonseodion) [Next@abarbatei](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/abarbatei) Last updated 8 months ago --- # @krikoeth | Art Of Auditing ![Page cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FwHOEhhyDWtYlAxxPVmt8%252FUntitled-1.jpg%3Falt%3Dmedia%26token%3D53a418bb-3ef0-4ec3-984a-8a7fa343f140&width=1248&dpr=4&quality=100&sign=94255264&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/krikoeth#krikoeth) ![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252F6UuX7506T6D6jWfc9mI0%252Fimage.png%3Falt%3Dmedia%26token%3D07518bf0-fb67-4824-afc5-d83972c322ac&width=40&dpr=4&quality=100&sign=54d0e948&sv=2)![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FoexTy0YLirZNUEtBi9hl%252Fimage.png%3Falt%3Dmedia%26token%3D37136669-4ffa-4e5c-8b1b-37ce3a42855c&width=40&dpr=4&quality=100&sign=4ad0305&sv=2) [@krikoeth](https://x.com/krikoeth) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/krikoeth#web3-security-speedrunner) Web3 Security SpeedRunner ![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FpxYFwf4Tx5hcd0zfmwyF%252Fimage.png%3Falt%3Dmedia%26token%3Dcd4cfe64-0daf-40c9-be24-7eb802ca2229&width=768&dpr=4&quality=100&sign=1be459e0&sv=2) [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/krikoeth#words-of-wisdom) Words of Wisdom --------------------------------------------------------------------------------------------------------- * * * ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FBBYe9agZ6JGsSwSH4nnc%252Fimage.png%3Falt%3Dmedia%26token%3D73104116-b3e2-4991-97e2-c4ad31c367e8&width=376&dpr=4&quality=100&sign=f7dd77bb&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/krikoeth#maintain-physical-and-mental-energy) "Maintain physical and mental energy**"** It’s better to do less work on 100% than double the work on 50%. My belief is that if you do a 100% job, you get 100% result. But if you do a 50% job, you get 25% result. You work with code every day, you use your brain to uncover sophisticated attacks. You need 100% focus. You need good sleep, good diet and a lot of energy. Take a break sometimes, work out / walk daily, go on a hike ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252Ft6dCiKeQgNJLUil8gANs%252Fimage.png%3Falt%3Dmedia%26token%3D75248950-f93b-444b-9cac-96459703eec7&width=376&dpr=4&quality=100&sign=eaced8b9&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/krikoeth#embrace-the-failure) "Embrace the failure**"** This applies especially to audit contests. You work your ass off on an audit just to find out that you made a few cents in the end. That is the best thing that can happen to you! First you can learn from the findings you did not find and make sure that you will never miss those again. Second you can retrospect on your process and see what should be improved, maybe based on the reasons why you missed some findings. Third this should make you want to compete more and more fiercely with the new knowledge to beat everyone the next time. My biggest achievements started when I changed my approach after I realised I have not reported vulnerabilities worth **~$40k** that I saw during the competitions:) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252Fg7H3UxcFBk1qDzD9ov6u%252Fimage.png%3Falt%3Dmedia%26token%3D152c591c-9bff-417c-8a2d-e20f0fc21bb5&width=376&dpr=4&quality=100&sign=758bad0c&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/krikoeth#learn-constantly) "Learn constantly**"** There is a new attack vector everyday. There is a new technology or concept every week. You must still be ahead of the market. ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252F2HLO8lmRHJojYnxE57wN%252Fimage.png%3Falt%3Dmedia%26token%3Dc837f3e7-0d31-4bfd-bd6a-faf9721af2c4&width=376&dpr=4&quality=100&sign=9a9ece40&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/krikoeth#hunt-in-blue-oceans) "Hunt in blue oceans🌊" There is some good in financial success that might be a good driver forward, that’s why you should hunt in blue oceans - focus where the least focus is to maximise your profit. Why compete with thousands when you can compete with tens?:) Compete does not necessarily means audit competitions, businesses are competing for customers etc. ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252F8ik6XqO9CiAvvJiUuUCZ%252Fimage.png%3Falt%3Dmedia%26token%3D6c4d0afa-bae7-4465-bc43-02ffdab47e1f&width=376&dpr=4&quality=100&sign=944e24cb&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/krikoeth#do-not-audit) "Do not audit" This means that audit to me signals some guy in suit checking if something is correct. You are not a unit test, you should not check if it is working correctly. You should check how to exploit it for your financial gain! Or how to exploit it to hurt the users, or the protocol itself. You are the attacker! Of course, you are the good guy, so once you uncover the bug, you responsibly report it:) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252F9xljHNy3fDsgksobLb1v%252Fimage.png%3Falt%3Dmedia%26token%3Dc85fe962-da1f-4481-a730-e9a9d1b6349f&width=376&dpr=4&quality=100&sign=8138bfed&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/krikoeth#improve) "Improve" I changed my process several times, in the beginning after almost every audit, until I found what suits me the best. Key insights from my process is analyse what you are doing (drawings, use case diagrams, flow charts, state machine), identify attack vectors and create threat models, and then just break the code. [Previous@MrPotatoMagic](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/mrpotatomagic) [Next@zzykxx](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/zzykxx) Last updated 9 months ago --- # @MrPotatoMagic | Art Of Auditing ![Page cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FwHOEhhyDWtYlAxxPVmt8%252FUntitled-1.jpg%3Falt%3Dmedia%26token%3D53a418bb-3ef0-4ec3-984a-8a7fa343f140&width=1248&dpr=4&quality=100&sign=94255264&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/mrpotatomagic#mrpotatomagic) ![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252F6UuX7506T6D6jWfc9mI0%252Fimage.png%3Falt%3Dmedia%26token%3D07518bf0-fb67-4824-afc5-d83972c322ac&width=40&dpr=4&quality=100&sign=54d0e948&sv=2)![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FoexTy0YLirZNUEtBi9hl%252Fimage.png%3Falt%3Dmedia%26token%3D37136669-4ffa-4e5c-8b1b-37ce3a42855c&width=40&dpr=4&quality=100&sign=4ad0305&sv=2) [@MrPotatoMagic](https://x.com/MrPotatoMagic) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/mrpotatomagic#top-70-c4-all-time-or-validator-at-c4-or-greater-than-usd100k-in-payouts) Top #70 C4 All-Time | Validator at C4 | >$100k in payouts ![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FEmkPOr8gNfaKQQmMXcS0%252Fimage.png%3Falt%3Dmedia%26token%3D46ba0cce-3d0e-4dcc-9ef7-c98eced08c9b&width=768&dpr=4&quality=100&sign=4a62a8fa&sv=2) [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/mrpotatomagic#words-of-wisdom) Words of Wisdom -------------------------------------------------------------------------------------------------------------- * * * ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FBBYe9agZ6JGsSwSH4nnc%252Fimage.png%3Falt%3Dmedia%26token%3D73104116-b3e2-4991-97e2-c4ad31c367e8&width=376&dpr=4&quality=100&sign=f7dd77bb&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/mrpotatomagic#fail-fast) "Fail fast**"** The fastest way you’re going to progress is by making mistakes early and learning from them. Have the humility to fail! ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252Ft6dCiKeQgNJLUil8gANs%252Fimage.png%3Falt%3Dmedia%26token%3D75248950-f93b-444b-9cac-96459703eec7&width=376&dpr=4&quality=100&sign=eaced8b9&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/mrpotatomagic#become-the-product-of-your-efforts-not-the-sum-of-your-earnings) "Become the Product of Your Efforts, Not the Sum of Your Earnings**"** Avoid evaluating and comparing your progress/skill level based on earnings. You are the product of your efforts, not the sum of your earnings. ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252Fg7H3UxcFBk1qDzD9ov6u%252Fimage.png%3Falt%3Dmedia%26token%3D152c591c-9bff-417c-8a2d-e20f0fc21bb5&width=376&dpr=4&quality=100&sign=758bad0c&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/mrpotatomagic#depth-over-breadth) "Depth over breadth**"** Pick depth over breadth most of the times. Focusing on one codebase at a time provides higher ROI than performing multiple reviews at the same time. [Previous@0xjuaan](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/0xjuaan) [Next@krikoeth](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/krikoeth) Last updated 9 months ago --- # @peak_bolt | Art Of Auditing ![Page cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FwHOEhhyDWtYlAxxPVmt8%252FUntitled-1.jpg%3Falt%3Dmedia%26token%3D53a418bb-3ef0-4ec3-984a-8a7fa343f140&width=1248&dpr=4&quality=100&sign=94255264&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/peak_bolt#peak_bolt) ![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252F6UuX7506T6D6jWfc9mI0%252Fimage.png%3Falt%3Dmedia%26token%3D07518bf0-fb67-4824-afc5-d83972c322ac&width=40&dpr=4&quality=100&sign=54d0e948&sv=2)![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FoexTy0YLirZNUEtBi9hl%252Fimage.png%3Falt%3Dmedia%26token%3D37136669-4ffa-4e5c-8b1b-37ce3a42855c&width=40&dpr=4&quality=100&sign=4ad0305&sv=2) [@peak\_bolt](https://x.com/peak_bolt) ![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FPvFQ6miIzd4pib9JeVwP%252Fimage.png%3Falt%3Dmedia%26token%3D4a443c58-24b7-433a-9eca-2aa10888371d&width=768&dpr=4&quality=100&sign=4a6efe65&sv=2) [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/peak_bolt#words-of-wisdom) Words of Wisdom ---------------------------------------------------------------------------------------------------------- * * * ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FBBYe9agZ6JGsSwSH4nnc%252Fimage.png%3Falt%3Dmedia%26token%3D73104116-b3e2-4991-97e2-c4ad31c367e8&width=376&dpr=4&quality=100&sign=f7dd77bb&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/peak_bolt#speed-is-crucial-in-the-initial-audit-phase) "Speed is crucial in the initial audit phase**"** Build a mental model of the code base quickly by speed-reading the contracts and avoid deep-diving at this point. You can note down the low hanging bugs and put TODO tags for complex logic to review at the subsequent passes. ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252Ft6dCiKeQgNJLUil8gANs%252Fimage.png%3Falt%3Dmedia%26token%3D75248950-f93b-444b-9cac-96459703eec7&width=376&dpr=4&quality=100&sign=eaced8b9&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/peak_bolt#maintain-the-momentum) "Maintain the momentum**"** Maintain momentum and save time by working on the easy tasks first and not be slowed down by the complex issues that require deep thoughts. At the same time, you will gain confidence on the code base and not be overwhelmed by the details. ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252Fg7H3UxcFBk1qDzD9ov6u%252Fimage.png%3Falt%3Dmedia%26token%3D152c591c-9bff-417c-8a2d-e20f0fc21bb5&width=376&dpr=4&quality=100&sign=758bad0c&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/peak_bolt#spend-bulk-of-the-time-on-reasoning-complex-attack-vectors) "Spend bulk of the time on reasoning complex attack vectors**"** Allocate as much time as possible to review the complex logic (math, multi-contracts interactions, novel design, etc). You need creativity, knowledge and a good mental model to find the most complex bugs. These are the ones that are not obvious and typically involves multiple step or specific edge case to exploit. With the saved time from the initial phase, you increase your odds of spotting the more complicated issues. [Previous@0xCiphky](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/0xciphky) [Next@pks\_](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/pks_) Last updated 9 months ago --- # @NonseOdion | Art Of Auditing ![Page cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FwHOEhhyDWtYlAxxPVmt8%252FUntitled-1.jpg%3Falt%3Dmedia%26token%3D53a418bb-3ef0-4ec3-984a-8a7fa343f140&width=1248&dpr=4&quality=100&sign=94255264&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/nonseodion#nonseodion) ![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252F6UuX7506T6D6jWfc9mI0%252Fimage.png%3Falt%3Dmedia%26token%3D07518bf0-fb67-4824-afc5-d83972c322ac&width=40&dpr=4&quality=100&sign=54d0e948&sv=2)![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FoexTy0YLirZNUEtBi9hl%252Fimage.png%3Falt%3Dmedia%26token%3D37136669-4ffa-4e5c-8b1b-37ce3a42855c&width=40&dpr=4&quality=100&sign=4ad0305&sv=2) [@NonseOdion](https://x.com/NonseOdion) ![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252F38wJhMdRfasM4M0EiN7m%252Fimage.png%3Falt%3Dmedia%26token%3D9c548ba0-f1c5-4600-b7c3-4363811187f2&width=768&dpr=4&quality=100&sign=b956b62c&sv=2) [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/nonseodion#words-of-wisdom) Words of Wisdom ----------------------------------------------------------------------------------------------------------- * * * ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FBBYe9agZ6JGsSwSH4nnc%252Fimage.png%3Falt%3Dmedia%26token%3D73104116-b3e2-4991-97e2-c4ad31c367e8&width=376&dpr=4&quality=100&sign=f7dd77bb&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/nonseodion#you-can-earn-big-payouts-from-contests-by-simply-doing-manual-analysis) "You can earn big payouts from contests by simply doing manual analysis.**"** You don't need to set up tools to run complex tests during a contest as there's barely any time for that. Taking your time to manually review the code is enough. ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252Ft6dCiKeQgNJLUil8gANs%252Fimage.png%3Falt%3Dmedia%26token%3D75248950-f93b-444b-9cac-96459703eec7&width=376&dpr=4&quality=100&sign=eaced8b9&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/nonseodion#mitigations-are-a-good-place-to-start-looking-for-bugs) "Mitigations are a good place to start looking for bugs.**"** A mitigation can fix a bug, partially fix a bug, not fix a bug or expose another vulnerability in the code. It can also do a combination of these. You can always check if a mitigation does any of these. I've seen a mitigation to a problem I reported partially fix a problem and allow me still exploit the vulnerability. ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252Fg7H3UxcFBk1qDzD9ov6u%252Fimage.png%3Falt%3Dmedia%26token%3D152c591c-9bff-417c-8a2d-e20f0fc21bb5&width=376&dpr=4&quality=100&sign=758bad0c&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/nonseodion#leverage-previous-reports) "Leverage previous reports**"** Reading former audit report also gives you deeper insight about the protocol, allowing you to reason about the code in multiple ways to find bugs somewhat related to the old finding. ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252F2HLO8lmRHJojYnxE57wN%252Fimage.png%3Falt%3Dmedia%26token%3Dc837f3e7-0d31-4bfd-bd6a-faf9721af2c4&width=376&dpr=4&quality=100&sign=9a9ece40&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/nonseodion#understand-the-code-deeply-before-actively-searching-for-bugs) "Understand the code deeply before actively searching for bugs" This might not always be possible, but try to understand the code deeply before trying to exploit it for bugs. In the process of understanding the protocol, you may find bugs, you can filter out genuine findings, and you can transfer your new-found knowledge to other competitions. ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252F9xljHNy3fDsgksobLb1v%252Fimage.png%3Falt%3Dmedia%26token%3Dc85fe962-da1f-4481-a730-e9a9d1b6349f&width=376&dpr=4&quality=100&sign=8138bfed&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/nonseodion#always-review-all-the-valid-findings-in-a-competition-you-participated-in) "Always review all the valid findings in a competition you participated in" Reviewing the findings will allow you know how and why you missed these findings during the competitions. This will equip you with the needed knowledge and mindset to ensure you don't miss similar bugs in the future. [Previous@0xSorryNotSorry](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/0xsorrynotsorry) [Next@0xArzzz](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/0xarzzz) Last updated 9 months ago --- # @pks_ | Art Of Auditing ![Page cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FwHOEhhyDWtYlAxxPVmt8%252FUntitled-1.jpg%3Falt%3Dmedia%26token%3D53a418bb-3ef0-4ec3-984a-8a7fa343f140&width=1248&dpr=4&quality=100&sign=94255264&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/pks_#pks) ![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252F6UuX7506T6D6jWfc9mI0%252Fimage.png%3Falt%3Dmedia%26token%3D07518bf0-fb67-4824-afc5-d83972c322ac&width=40&dpr=4&quality=100&sign=54d0e948&sv=2)![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FoexTy0YLirZNUEtBi9hl%252Fimage.png%3Falt%3Dmedia%26token%3D37136669-4ffa-4e5c-8b1b-37ce3a42855c&width=40&dpr=4&quality=100&sign=4ad0305&sv=2)[@pks\_](https://x.com/pks_eth) ![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252Fb1NsYHc8HBDDTM0UiqQl%252Fimage.png%3Falt%3Dmedia%26token%3Dadd07d88-fd87-490c-a05f-f40f42b09a27&width=768&dpr=4&quality=100&sign=8ba5d500&sv=2) [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/pks_#words-of-wisdom) Words of Wisdom ----------------------------------------------------------------------------------------------------- * * * ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FBBYe9agZ6JGsSwSH4nnc%252Fimage.png%3Falt%3Dmedia%26token%3D73104116-b3e2-4991-97e2-c4ad31c367e8&width=376&dpr=4&quality=100&sign=f7dd77bb&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/pks_#thoroughly-review-related-third-party-codebases-first) "Thoroughly review related third-party codebases first**"** When auditing an unfamiliar codebase, it's essential to thoroughly review related third-party codebases first. For instance, when auditing a new chain based on Cosmos SDK and Geth, you should: * Study key APIs like Cosmos SDK's PrepareProposal/ProcessProposal/FinalizeBlock/ExtendVote/VerifyVoteExtension functions. * Understand Geth's block generation/verification/processing steps. * Research known vulnerabilities discovered by other security experts. This approach helps you understand both the complete code flow and potential security risks, providing valuable insights for your audit ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252Ft6dCiKeQgNJLUil8gANs%252Fimage.png%3Falt%3Dmedia%26token%3D75248950-f93b-444b-9cac-96459703eec7&width=376&dpr=4&quality=100&sign=eaced8b9&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/pks_#when-identifying-a-potential-vulnerability) "When identifying a potential vulnerability:**"** * Thoroughly review the attack path firstly. * Take a break, then review it again with fresh eyes. * If the vulnerability still holds after double review, develop a Proof of Concept (PoC). Remember that ideas often rely on assumptions that may be incorrect, especially in complex codebases. Following this systematic approach helps build experience and reduces errors in future audits. [Previous@peak\_bolt](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/peak_bolt) [Next@Stalin\_eth](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/stalin_eth) Last updated 2 months ago --- # @0xCiphky | Art Of Auditing ![Page cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FwHOEhhyDWtYlAxxPVmt8%252FUntitled-1.jpg%3Falt%3Dmedia%26token%3D53a418bb-3ef0-4ec3-984a-8a7fa343f140&width=1248&dpr=4&quality=100&sign=94255264&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/0xciphky#id-0xciphky) ![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252F6UuX7506T6D6jWfc9mI0%252Fimage.png%3Falt%3Dmedia%26token%3D07518bf0-fb67-4824-afc5-d83972c322ac&width=40&dpr=4&quality=100&sign=54d0e948&sv=2)![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FoexTy0YLirZNUEtBi9hl%252Fimage.png%3Falt%3Dmedia%26token%3D37136669-4ffa-4e5c-8b1b-37ce3a42855c&width=40&dpr=4&quality=100&sign=4ad0305&sv=2) [@0xCiphky](https://x.com/0xCiphky) ![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FoynxlbdWK7Y2KG5t7NRq%252Fimage.png%3Falt%3Dmedia%26token%3D8532d04d-c4a6-4492-9a24-dc311db67579&width=768&dpr=4&quality=100&sign=eab5a32f&sv=2) [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/0xciphky#words-of-wisdom) Words of Wisdom --------------------------------------------------------------------------------------------------------- * * * ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FBBYe9agZ6JGsSwSH4nnc%252Fimage.png%3Falt%3Dmedia%26token%3D73104116-b3e2-4991-97e2-c4ad31c367e8&width=376&dpr=4&quality=100&sign=f7dd77bb&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/0xciphky#focus-on-complex-areas) "Focus on Complex Areas**"** Complex code often presents roadblocks, but these are precisely where many vulnerabilities reside. Instead of avoiding these challenges, dive deeper. These areas often yield high-value findings that others might miss or skip over. ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252Ft6dCiKeQgNJLUil8gANs%252Fimage.png%3Falt%3Dmedia%26token%3D75248950-f93b-444b-9cac-96459703eec7&width=376&dpr=4&quality=100&sign=eaced8b9&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/0xciphky#revisit-previous-sections) "Revisit Previous Sections**"** After gaining a clearer understanding of a code section, revisit earlier parts you’ve examined. Analyze the connections between these sections and any potential edge cases; often, unique bugs are buried beneath multiple layers. ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252Fg7H3UxcFBk1qDzD9ov6u%252Fimage.png%3Falt%3Dmedia%26token%3D152c591c-9bff-417c-8a2d-e20f0fc21bb5&width=376&dpr=4&quality=100&sign=758bad0c&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/0xciphky#previous-findings-as-opportunities) "Previous Findings as Opportunities**"** Previous findings can present valuable opportunities. Always review past audits and analyze the fixes; often, less time is spent auditing these corrections. Remember that fixes can create new problems or may not be implemented correctly, leading to potential vulnerabilities. [Previous@00xSEV](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/00xsev) [Next@peak\_bolt](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/peak_bolt) Last updated 9 months ago --- # @00xSEV | Art Of Auditing ![Page cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FwHOEhhyDWtYlAxxPVmt8%252FUntitled-1.jpg%3Falt%3Dmedia%26token%3D53a418bb-3ef0-4ec3-984a-8a7fa343f140&width=1248&dpr=4&quality=100&sign=94255264&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/00xsev#id-00xsev) ![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252F6UuX7506T6D6jWfc9mI0%252Fimage.png%3Falt%3Dmedia%26token%3D07518bf0-fb67-4824-afc5-d83972c322ac&width=40&dpr=4&quality=100&sign=54d0e948&sv=2)![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FoexTy0YLirZNUEtBi9hl%252Fimage.png%3Falt%3Dmedia%26token%3D37136669-4ffa-4e5c-8b1b-37ce3a42855c&width=40&dpr=4&quality=100&sign=4ad0305&sv=2) [@00xSEV](https://x.com/00xSEV) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/00xsev#winner-of-euler-competition-or-audits.sherlock.xyz-watson-00xsev) 🏆 Winner of Euler competition | [audits.sherlock.xyz/watson/00xSEV](https://t.co/tDL6MVKBEh) ![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FFkKXXcr9cAf7IlQYKRZa%252Fimage.png%3Falt%3Dmedia%26token%3D320459f1-9fd5-4147-ad46-8e7591fd2134&width=768&dpr=4&quality=100&sign=1557d41b&sv=2) [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/00xsev#words-of-wisdom) Words of Wisdom ------------------------------------------------------------------------------------------------------- * * * ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FBBYe9agZ6JGsSwSH4nnc%252Fimage.png%3Falt%3Dmedia%26token%3D73104116-b3e2-4991-97e2-c4ad31c367e8&width=376&dpr=4&quality=100&sign=f7dd77bb&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/00xsev#have-fun) "Have fun**"** Staying motivated is easier when you enjoy what you do. It also helps prevent burnout ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252Ft6dCiKeQgNJLUil8gANs%252Fimage.png%3Falt%3Dmedia%26token%3D75248950-f93b-444b-9cac-96459703eec7&width=376&dpr=4&quality=100&sign=eaced8b9&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/00xsev#build-solid-routines) "Build solid routines**"** * ~4 hours of deep work (like reading code, analyzing the project) each day. * 1–2 hours of shallow work. * Stick to a 5-day work week. * Exercise at the gym 3+ times a week. * Prioritize rest to stay sharp. ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252Fg7H3UxcFBk1qDzD9ov6u%252Fimage.png%3Falt%3Dmedia%26token%3D152c591c-9bff-417c-8a2d-e20f0fc21bb5&width=376&dpr=4&quality=100&sign=758bad0c&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/00xsev#results-improve-with-experience) "Results improve with experience**"** Over time, you’ll recognize problem areas and know where to dive in first ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FwnxpJSNiJtLcSBqZG8Sk%252Fimage.png%3Falt%3Dmedia%26token%3Df3cd861c-d70f-4e43-ad5d-87aadb298075&width=376&dpr=4&quality=100&sign=db2438cb&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/00xsev#keep-learning-and-use-checklists) "Keep learning and use checklists" Helps to spark new ideas during audits. [Previous@bauchibred](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/bauchibred) [Next@0xCiphky](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/0xciphky) Last updated 9 months ago --- # @Stalin_eth | Art Of Auditing ![Page cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FwHOEhhyDWtYlAxxPVmt8%252FUntitled-1.jpg%3Falt%3Dmedia%26token%3D53a418bb-3ef0-4ec3-984a-8a7fa343f140&width=1248&dpr=4&quality=100&sign=94255264&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/stalin_eth#stalin_eth) ![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252F6UuX7506T6D6jWfc9mI0%252Fimage.png%3Falt%3Dmedia%26token%3D07518bf0-fb67-4824-afc5-d83972c322ac&width=40&dpr=4&quality=100&sign=54d0e948&sv=2)![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FoexTy0YLirZNUEtBi9hl%252Fimage.png%3Falt%3Dmedia%26token%3D37136669-4ffa-4e5c-8b1b-37ce3a42855c&width=40&dpr=4&quality=100&sign=4ad0305&sv=2) [@Stalin\_eth](https://x.com/Stalin_eth) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/stalin_eth#helped-over-40-protocols-to-prevent-deploying-to-mainnet-100-h-m-vulnerabilities) Helped over 40 protocols to prevent deploying to mainnet 100+ H/M vulnerabilities ![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252Fok5PnLCzizzlBnE8Ev3j%252Fimage.png%3Falt%3Dmedia%26token%3D132e49f5-4918-413c-98e4-749cb691e8e6&width=768&dpr=4&quality=100&sign=f9bc481c&sv=2) [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/stalin_eth#words-of-wisdom) Words of Wisdom ----------------------------------------------------------------------------------------------------------- * * * ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FBBYe9agZ6JGsSwSH4nnc%252Fimage.png%3Falt%3Dmedia%26token%3D73104116-b3e2-4991-97e2-c4ad31c367e8&width=376&dpr=4&quality=100&sign=f7dd77bb&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/stalin_eth#how-to-tackle-a-codebase) "How to tackle a codebase?**"** * Explore the entire codebase before diving into the details of each contract. * Once exploring in-depth the codebase, leave no path unexplored. Explore every path that comes to your mind, and think of sequences that could cause the state of the contracts to fall into an unexpected state. ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252F2HLO8lmRHJojYnxE57wN%252Fimage.png%3Falt%3Dmedia%26token%3Dc837f3e7-0d31-4bfd-bd6a-faf9721af2c4&width=376&dpr=4&quality=100&sign=9a9ece40&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/stalin_eth#leverage-the-test-suite) "Leverage the test suite" Leverage the test suite to explore edge cases not considered on the tests. ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252Fg7H3UxcFBk1qDzD9ov6u%252Fimage.png%3Falt%3Dmedia%26token%3D152c591c-9bff-417c-8a2d-e20f0fc21bb5&width=376&dpr=4&quality=100&sign=758bad0c&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/stalin_eth#document-everything-even-your-thoughts) "Document everything, even your thoughts**"** Take notes about everything, from how a tricky function works, to all the attack vectors I’ve already thought about while exploring the contracts. Write all the doubts and ideas of potential attack vectors/bugs and always return to them once you’ve understood every detail of the codebase. Save all the articles (EIPs, deep downs of X protocol) you consulted for future reference. ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252Ft6dCiKeQgNJLUil8gANs%252Fimage.png%3Falt%3Dmedia%26token%3D75248950-f93b-444b-9cac-96459703eec7&width=376&dpr=4&quality=100&sign=eaced8b9&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/stalin_eth#attackers-mindset-first) "Attacker’s mindset first**"** While auditing, focus your attention on exploring paths that would allow an attacker to steal assets from the contracts. More often than not you’ll get false positives/dead-ends, but, in the process of exploring these paths you’ll end up understanding the codebase from top to bottom and the non-critical bugs will pop up right in front of you. [Previous@pks\_](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/pks_) [Next@0xb0g0](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/0xb0g0) Last updated 9 months ago --- # @0xb0g0 | Art Of Auditing ![Page cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FwHOEhhyDWtYlAxxPVmt8%252FUntitled-1.jpg%3Falt%3Dmedia%26token%3D53a418bb-3ef0-4ec3-984a-8a7fa343f140&width=1248&dpr=4&quality=100&sign=94255264&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/0xb0g0#id-0xb0g0) ![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252F6UuX7506T6D6jWfc9mI0%252Fimage.png%3Falt%3Dmedia%26token%3D07518bf0-fb67-4824-afc5-d83972c322ac&width=40&dpr=4&quality=100&sign=54d0e948&sv=2)![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FoexTy0YLirZNUEtBi9hl%252Fimage.png%3Falt%3Dmedia%26token%3D37136669-4ffa-4e5c-8b1b-37ce3a42855c&width=40&dpr=4&quality=100&sign=4ad0305&sv=2) [@0xb0g0](https://x.com/xb0g0) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/0xb0g0#greater-than-130kusd-in-payouts-or-sr-paladinsec-or-14-cantina-2024-or-b0g0.xyz) đŸ”„đŸ”„ > 130K$ in payouts | SR @PaladinSec | #14 Cantina 2024 | [b0g0.xyz](https://b0g0.xyz/) [](https://b0g0.xyz/) ![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FlGDKE1IBeQWS5F70z5VC%252Fimage.png%3Falt%3Dmedia%26token%3D73629124-425d-4c7b-8556-34ff37bfd9ad&width=768&dpr=4&quality=100&sign=ebb498c&sv=2) [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/0xb0g0#words-of-wisdom) Words of Wisdom ------------------------------------------------------------------------------------------------------- * * * ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FBBYe9agZ6JGsSwSH4nnc%252Fimage.png%3Falt%3Dmedia%26token%3D73104116-b3e2-4991-97e2-c4ad31c367e8&width=376&dpr=4&quality=100&sign=f7dd77bb&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/0xb0g0#prepare-well-before-your-first-contest) "**Prepare well before your first contest"** If you're just starting out and planning to participate in your first contest, make sure to properly equip yourself before stepping into the battlefield. One of the main reasons many newcomers give up early is that they jump straight into a contest without preparation. Often, they struggle to find anything, feel overwhelmed, and conclude that success is impossible- leading them to quit. On the other hand, auditors who spend a few weeks preparing by conducting shadow audits, reading reports, and actively practicing finding bugs, tend to perform reasonably well in their first contest. This initial success is what you need to ignite the motivation needed to persevere and continue until you truly "make it." ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252Ft6dCiKeQgNJLUil8gANs%252Fimage.png%3Falt%3Dmedia%26token%3D75248950-f93b-444b-9cac-96459703eec7&width=376&dpr=4&quality=100&sign=eaced8b9&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/0xb0g0#go-deeeeep) "**Go deeeeep"** This is where unique and less duplicated findings hide. If you stay on the surface, where everyone else is, you'll uncover the same issues as everyone else. But if you're bold enough to dive deeper, you can win Big. The deeper you go, the less competition you'll face. Going deep means that once you understand how a protocol works, you focus on its most critical flows, break them down into smaller components, and start exploring: * **are there any external integrations** -> study the external integration code * check tests for a particular flow -> **are there any spots left untested** -> explore them * **are there any exotic scenarios to this flow** -> try to think of them and see if they brake the logic ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252Fg7H3UxcFBk1qDzD9ov6u%252Fimage.png%3Falt%3Dmedia%26token%3D152c591c-9bff-417c-8a2d-e20f0fc21bb5&width=376&dpr=4&quality=100&sign=758bad0c&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/0xb0g0#focus) "**Focus"** Remaining focused is one of the most essential principles to grasp in this industry, and it applies on multiple levels: * **Commit to one contest at a time and give it your all** - It's far better to win a single contest than to perform moderately well in several. * **Dedicate yourself to one goal** \- Whether it's becoming an LSR/LSW, building a business, or excelling at bug bounties, choose a single goal and channel all your efforts into achieving meaningful results. ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252F9xljHNy3fDsgksobLb1v%252Fimage.png%3Falt%3Dmedia%26token%3Dc85fe962-da1f-4481-a730-e9a9d1b6349f&width=376&dpr=4&quality=100&sign=8138bfed&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/0xb0g0#knowledge-is-power) "Knowledge is power" Once you’ve built some initial recognition (achieving a few milestones helps break the ice quickly), start connecting with other auditors. Share your opinions, expectations, and experiences with them—this can help you identify false assumptions and recalibrate your approach to make more informed and effective decisions This is one of the best ways to stay updated on real trends and opportunities in the industry—those that lie behind the glossy marketing facade. [Previous@Stalin\_eth](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/stalin_eth) [NextWALL OF WISDOM](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom) Last updated 2 months ago --- # WALL OF WISDOM | Art Of Auditing [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/neumoxx) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#know-when-to-move-on) "Know When to Move On**"** When reviewing a codebase, it's important to recognize when it's time to stop exploring and move on to the next one. If a certain amount of time passes without discovering any new leads or rabbit holes to jump into, it might be [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/neumoxx) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#go-hard-or-go-home) "Go Hard or Go Home**"** The more complex a project is, the greater the chances you'll find bugs in it. Don't spend too much time on simple codebases. Focus on protocols that implement intricate algorithms or have convoluted code flows—these are often closer to yielding your next Crit. [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/neumoxx) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#dont-be-afraid-of-the-unknown) "Don't Be Afraid of the Unknown**"** You don't need to be an expert in a language or technology to find bugs in it. Getting up to speed on something new might take less time than you expect. Explore niche technologies and emerging languages; sometimes, hidden gems can be found there. [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/czar102) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#think-in-properties) "Think in properties**"** Whenever you see any behavior in code, try to think what properties it is trying to enforce and what properties you'd imagine the code should have that it would break. For example, think in invariants: what should always be true about the contract? [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/czar102) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#ask-yourself-whats-missing) "Ask yourself what's missing**"** Checking that some code does what it should is usually relatively easy. It's easy to notice what's wrong, but it's difficult to notice what's missing. Always consider whether any other action should be executed or a check done. [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/czar102) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#audit-restrictions) "Audit restrictions**"** In some reviews you'll do, you will find a lot of bugs and your client's fixes will be so huge, that it will require you to do a multiple of the work of the audit. Make sure you set the timeline for receiving fixes and that there is an upper limitation on how large the fix diff is. If any requirement is not fulfilled, the review requires a renegotiation. But don't be too strict about it. [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/czar102) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#a-arch-architecture) "A-, Arch-, Architecture!" Architecture is the most important thing about the codebase. If the developers thought about it enough, the codebase would be minimal. There will be few places to introduce bugs. If the contracts are large, it usually means that the architecture wasn't well done and it can pay off to look from the higher level: what is wrong with the current design? [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/cergyk1337) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#keep-pushing-after-thinking-you-have-found-everything) "Keep pushing after thinking you have found everything**"** After some time, you get a good gut feeling for when to stop. This is a reminder to keep pushing even after that feeling still, once in a while [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/cergyk1337) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#get-as-many-views-of-the-code-as-possible) "Get as many views of the code as possible**"** (history, coverage, run tests), a contract is never unidimensional The goal of a security review is to get insights overlooked by the developer. Reading the code directly is the most obvious way to do it but is also the way the developer thinks about the code. [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/cergyk1337) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#use-the-power-of-comparison-whether-inside-of-a-contract-or-comparing-a-protocol-design-to-a-similar) "Use the power of comparison, whether inside of a contract, or comparing a protocol design to a similar one**"** Even without understanding the purpose of a piece of code, if we know that two different implementations are supposed to do the same thing, we can check for inconsistencies. Also as SRs we see a lot of different implementations for a similar projects so that is an advantage [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/guhu95) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#go-slow) "Go slow**"** Slower than you feel you need. Slower is better, better is faster. In auditing, slower also means you'll have observations, questions, and ideas that others reviewers didn't let themselves the time to have - and find missed bugs. [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/guhu95) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#clusters-of-understanding-first) "Clusters of understanding first**"** Understanding the code thoroughly is 90% of the work and the results. The other 90% (the creative work) depends on the first part fully. Yes, 90-90 applies to auditing as well. Clusters: try to find the natural division into logical components, or "clusters" of understanding. [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/guhu95) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#go-deep) "Go deep**"** The better bugs are in the end of the review (or after), if limited in time, focus on fewer areas, but ensure depth. [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/guhu95) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#most-deals-are-bad-deals) "Most deals are bad deals" Learn to say no to FOMO! Most bounties are marketing scams, most contests aren't worth the time and effort. Crypto has plenty of bad, greedy, scammy actors, and crypto-security is not an exception to this. Expect and adapt. [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/guhu95) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#motivation-is-hard-learn-yourself) "Motivation is hard, learn yourself:" Expect the first few days on a new codebase to be confused and struggle. Choose easier tasks to break the motivation barrier. Escalations and bounty negotiations are distracting and soul-draining, aim to have fewer by choosing better bounties, platforms, and projects. [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/__nnez) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#choose-your-target-wisely) "Choose Your Target Wisely**"** It doesn't matter how fancy the bug is—if the project you chose doesn't pay you, nothing matters. Choose wisely where you want to put your effort. [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/__nnez) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#dont-get-tempted-by-code-that-smells-bad) "Don't get tempted by _code that smells bad_**"** It's tempting to pick an easy target with "code smell" because it has a higher chance of being vulnerable. However, remember that such projects might not take security seriously. [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/__nnez) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#checklist-on-picking-bb-targets) "Checklist on picking BB targets**"** * They project pays in stablecoin or hard assets (ETH, BTC) * If they pay with their own token, make sure they have enough liquidity * They are active—you're likely to be ghosted on inactive projects * Check their Discord, X (formerly Twitter), or other social platforms * Check their GitHub [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/__nnez) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#dont-fear-the-complexity) "Don't Fear the Complexity" Complexity goes both ways: if it's complex for you, it's also complex for developers. Complexity often leads to mistakes, and mistakes lead to bugs. [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/__nnez) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#dont-skip-the-fundamentals-fill-your-knowledge-gaps) "Don't Skip the Fundamentals, Fill Your Knowledge Gaps" While it's partly true that you can earn in this space knowing only Solidity, you might not be able to improve without understanding how blockchain works, how EVM operates, or even how Solidity is compiled to bytecodes. Expand your repertoire to other languages. [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/__nnez) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#dont-rely-on-luck) "Don't rely on luck" Bridge your knowledge gaps. You can't expect to compete with knowledgeable security researchers if you couldn’t match their level of expertise. Luck plays a role in winning, but don't let it be your only factor of winning. [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/__nnez) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#persistence-is-key) "Persistence is Key!" What you see on the surface of this space is people's success—you don't see failed attempts. Stories of successful white hats often sound like they came from nothing, but that's unrealistic. Everyone faces hardships before becoming successful. What they have in common though is persistence! They keep going, they keep doing, and that's what actually makes them distinctly successful. [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/__nnez) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#persistence-is-key...-but-madness-is-not) "Persistence is key... but madness is not." Don't forget to take a break. What I also observe in this space is an excess of positivity. The value of your work is often equated with the time and effort you put into it. It might sound cool to always be working on a target, spending countless nights looking for a bug. However, that's not healthy. Don't fall into this trap and pressure. Everybody needs breaks. Remember, you'll only get the best results when you're well-rested. [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/bahurum) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#go-for-the-kill) "Go for the kill**"** For time efficiency while hunting, concentrate on critical paths and assets, while leaving aside secondary assets. Understand the risk model of the project to decide where to focus. This will help you find the right attack vectors. [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/bahurum) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#turn-copper-into-gold) "Turn copper into gold:**"** Often the impact of a bug is not immediately identified. Make sure to understand the project in detail before submitting a report. With the right context, or combining the bug found with another bug, the severity level could be raised. Always double check to make sure you are not underestimating a bug's impact, and tune the PoC for maximum impact. [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/bahurum) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#multiply-the-effect-of-your-efforts) "Multiply the effect of your efforts**"** Sometimes you'll find a bug that is general enough that it could exist on other projects. Check all other similar projects where you could find it as well. Look through BBPs, repos, onchain contracts. While doing this, think of the possible variants of the bug as well. With some luck you could capitalize on the original bug and get some extra rewards. [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/deliriusz_eth) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#smart-contract-is-a-state-machine) "Smart contract is a state machine**"** To understand it fully you need to master state variables and know the contract's state machine by heart [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/deliriusz_eth) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#code-on-your-computer-is-your-playground) "Code on your computer is your playground**"** Create branches, experiment with the code, modify it, write comments and see where it leads you. [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/deliriusz_eth) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#the-best-bugs-are-where-no-one-looks) "The best bugs are where no one looks**"** Each time challenge your approach to auditing. Do you look where everyone looks? Do you skip hard parts that others will likely skip? What is that you can do differently that will set you apart from others? [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/gjaldon) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#productivity-is-about-energy-management-rather-than-time-management) "Productivity is about energy management rather than time management**"** As knowledge workers, our most important resource is focus. There is no point putting in more hours when your brain is tired. That time is better spent resting. Productivity shoots up after resting. It’s easier to parse code and learn new concepts than when your brain is tired [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/gjaldon) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#the-larger-the-audit-scope-and-the-more-complicated-the-protocol-the-more-critical-your-notes-will-b) "The larger the audit scope and the more complicated the protocol, the more critical your notes will be.**"** Note-taking is a skill that also needs to be developed to be great at auditing. Personally, I prefer handwritten notes as my “compressed knowledge” of the codebase. It is written as a quick reference for me. There are no huge blocks of text. It is a collection of terms, concepts, flows, and their relationships. [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/_blockian) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#there-are-always-more-bugs) "**There are always more bugs"** No such thing as “safe code”, no matter how many auditors looked at it [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/_blockian) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#debug) "Debug**"** Don’t underestimate the importance of a working debug setup [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/_blockian) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#connect-the-dots) "Connect the dots**"** Remember all the little oddities and issues that weren’t bugs, eventually they’ll be useful for something larger [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/dadekuma) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#choose-what-is-interesting-to-you) "**Choose what is interesting to you"** In competitions, choose protocols that seem fun or interesting to you for the best results. [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/dadekuma) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#complexity-is-your-ally) "Complexity is your ally**"** Generally, the more complex the project or language, the less competition you'll face. [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/dadekuma) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#understand-code-deeply) "Understand code deeply**"** The best way to succeed is to understand a codebase deeply. Focus on comprehension first; bugs will reveal themselves naturally as you go. [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/dadekuma) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#push-until-the-end) "Push until the end" Most interesting or unique bugs are usually found in the final days of an audit, so stay focused and keep trying until the end. [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/iamdirky) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#look-one-more-time) "Look one more time**"** Some of my most interesting bugs have come from times where I've exhausted all my hypotheses and am about to give up. But I decide to look at something one more time and a bug jumps out at me. [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/iamdirky) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#diversify-but-also-play-to-your-strengths) "Diversify but also play to your strengths**"** Some people are just going to be better than you at finding certain types of bugs. Understand your weaknesses and try to improve, but equally don't discard what you're good at, sometimes it pays to play to your strengths. [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/iamdirky) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#focus-on-the-important-bugs) "Focus on the important bugs**"** Don't waste time on low/informational severity bugs. There are bigger fish to fry, taking the time to write up reports for low severity bugs isn't a good use of your time when you could instead be finding the more impactful bugs. [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/n4nika_) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#understand-well-what-the-code-is-supposed-to-do) "**Understand well what the code is supposed to do"** For me, one key aspect of finding tricky bugs is getting a very good understanding of what the code is supposed to do on a higher level by reading the documentation. Once I have that, I can start at an important part of the code and jump through the codebase following the flow of logic instead of going over a single file line by line. [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/n4nika_) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#analyze-reports-of-code-you-have-context-about) "Analyze reports of code you have context about**"** The best way to continue learning is to look at all the confirmed findings I missed, after a contest. I don't like going over old reports where I did not compete since I don't have the context of that codebase. If I review findings from codebases I spent a lot of time on, I can more easily identify why I missed a certain issue and learn from that. [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/n4nika_) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#take-care-of-yourself) "Take care of yourself**"** What I also realized, is that treating myself as well as possible in life translates to better results in contests. When I am not stressed and feel good physically, that directly impacts my auditing performance. Working out also helps a lot with mental clarity [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/bobface16) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#audited-codebases) "Audited codebases**"** Regarding bug bounties, almost all codebases have been previously audited, often by leading security firms. Don’t let that fool you into thinking they are bug-free. Some of my biggest bounties have been in projects that have been audited extensively and yet still were vulnerable. Approach each codebase as if it came fresh from the developers. [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/bobface16) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#be-prepared-to-negotiate) "Be prepared to negotiate**"** Identifying a bug, writing up a PoC, and reporting it is only the first half. The second half commonly involves quite a bit of discussion and negotiation. Learn how to express complex technical situations, how to present a well-founded case, and how to professionally negotiate. [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/bobface16) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#when-to-stop-searching) "When to stop searching**"** At which point do you stop searching a codebase for bugs? Try to understand the system to the point where you could reimplement it from scratch without looking at the original codebase. Not from remembering the code, but from having understood what the application is supposed to do. If you have examined a project that far and have not found a bug, the chances of finding one by continuing is low. On the other hand, if there was a bug in there, you would have most likely found it. [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/bobface16) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#how-to-improve-your-skills) "How to improve your skills" Theoretical knowledge is important, but nothing trumps practical experience. Develop your own projects and observe areas of security concern, participate in CTFs, and build PoCs for past exploits. [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/egissec) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#focus-is-your-best-ally.-make-sure-you-know-how-to-work-well-with-it) "Focus is your best ally. Make sure you know how to work well with it**"** What sets the best researchers apart from the average ones is their ability to focus and the time they spend in a deeply concentrated state. Human focus is like a car's fuel tank—you need to know when it needs refilling and how to use it efficiently when it's full. Self-reflection can help you understand the conditions under which you perform at your best. Use that understanding to improve consistently and effectively. [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/egissec) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#dont-stop-until-you-have-achieved-your-goal) "Don't stop until you have achieved your goal**"** If your goal is to uncover a high-severity bug in the X codebase and you're committed to it, your focus will naturally guide you toward success. Approach it with the mindset of a warrior—relentless and determined—and don't give up until you're certain you've explored every possible angle to achieve your goal. [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/windhustler) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#breaking-versus-understanding) "**Breaking Versus Understanding**" Focus on breaking the codebase rather than understanding it. Many bugs are slight logical inconsistencies that don’t even require understanding the whole picture. Many times focusing too much on the bigger picture will yield some high-level, economical attacks but might miss out on function-specific edge cases. [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/windhustler) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#dont-run-in-circles) "Don't Run in Circles**"** It’s very common for auditors to keep on checking the same scenarios. If you're doing this, just remind yourself that this is a form of procrastination, and the only added value is in checking those 1% complex scenarios that are hard to grasp. [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/windhustler) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#inspire-yourself) "Inspire Yourself**"** Go over all the bugs that are found in similar protocols on Solodit to direct your thinking and get ideas flowing. It is the hardest to find any bugs when you don't know what you're looking for. [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/windhustler) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#use-ai) "Use AI" Use AI tools to speed up the understanding of the codebase and to generate ideas. If you don’t have a co-auditor on a project AI can be extremely useful. Just don’t expect it to give you accurate answers every time, it’s only a tool and it’s up to you to make sense of its suggestions. [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/lonelysloth_sec) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#have-faith-that-youll-find-bugs) "Have faith that you’ll find bugs**"** The number one thing you need to succeed at hunting bugs, for bounties or contests, is having faith that you’ll find bugs. Statistically every code base will have bugs, but that’s not how it feels when you haven’t found one in a long time. Find out what gets you excited and hopeful, and nurture it. Consistent effort beats pretty much everything else in predicting success. [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/lonelysloth_sec) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#try-to-learn-hard-things) "Try to learn hard things**"** Try to learn hard things. Don’t limit yourself to the low-hanging fruit. If you learn something that most people don’t know you’ll find bugs most people miss. That can be a weird detail of the EVM or an entire field like ZK proofs. Keep pushing the boundaries of your knowledge, and collecting information on different things. [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/lonelysloth_sec) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#expect-unexpected-results) "Expect unexpected results**"** After a certain skill level pretty much anyone could find most bugs — but how do you know what targets to focus on? And for how long? That’s the hardest part of hunting bugs, and more art than science. You might find a gold mine of bugs and report 10 in a single week, then not find any in multiple targets for months. That’s normal. It sucks, but is normal. Try to learn with your hits and misses but don’t stress over it — it’s always unpredictable to some extent. [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/lonelysloth_sec) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#learn-to-negotiate) "Learn to negotiate" Bounty negotiations are hard — and often heartbreaking. Don’t just let projects lowball your bounties, but also keep your focus on the next one. Don’t let the anxiety of the process take your time and energy away from your bug hunting. [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/lonelysloth_sec) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#know-everything-about-your-target) "Know everything about your target" I like to start with code, others focus first on documentation: use both resources extensively. But that is still just the basics, you should go the extra mile. **Pro tip**: watch the target’s GitHub activity. [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/m4rio_eth) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#look-twice-before-looking-again) "Look twice before looking again**"** Even if you have high confidence on a certain function/part of the code, give it one more look, it always pays off [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/m4rio_eth) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#the-most-complicated-bugs-are-the-simplest) "The most complicated bugs are the simplest**"** Sometimes we have the urge to try to come up with very complicated/weird edge-cases forgetting to approach everyone from first principle approach [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/m4rio_eth) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#do-not-overdo-your-issues) "Do not overdo your issues**"** I've seen an urge on various occasions where researchers like to overwork their issues which might cause the client to lose the meaning of the issue. Keep it simple, do not forget, your goal is to help the client secure their code [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/merkle_bonsai) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#web3-is-a-world-of-white-box-testing) "web3 is a world of white box testing**"** This changes a lot - not only about the approach to searching things, but also about what can be considered a vulnerability. For HTTP API you will need to prove that you can access admin dashboard. In web3, you need to explicitly show what you can do when you are this admin - because if worst thing you can do is start a proposal without paying fees, it will not be a high impact bug. White box gives observability, and simulation gives ability to prove things - and this means that meaning of “bug” changes from “something risky” to “something really harmful” [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/merkle_bonsai) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#stop-following-the-known-path) "Stop following the known path**"** There is a certain moment when you should stop following the known path. “Hacking” is about thinking differently, looking from different perspective - at least not thinking like the developer of this contract, at most thinking not like anyone else at all. This does not mean you should not study findings of others or read new things - but you should grow your own unique approach. Try different ideas, mix them, combine, experiment with new things. Only way to find something everyone else didn’t notice is look at it like no one else did before [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/merkle_bonsai) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#do-not-limit-yourself) "Do not limit yourself**"** Do not limit yourself with severity or specific area. Sometimes it is **easier** to find a crit than low. Just don’t limit yourself [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/riproprip) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#you-can-just-do-things) "You can just do things**"** No matter how much you want to read docs or listen to somebody else teach, fucking around and finding out is always best. [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/riproprip) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#do-what-seems-most-fun-to-you) "Do what seems most fun to you**"** Burnout is real, if you have to force yourself to a path, it's not going to be sustainable. [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/riproprip) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#time-is-your-most-valuable-resource) "Time is your most valuable resource**"** Spend it well. Observe the meta. Having a decent understanding of your skills compared to others allows you to spend your time where it's least -ev for you. [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/rootedrescue) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#consider-sources-and-sinks) "Consider Sources and Sinks**"** **Source**: a point in code where an attacker supplied input enters the execution flow. **Sink**: a point in code where malicious state change can occur. Map the program for all **Sources** and trace the execution flow to determine which of them provide a path where a **Sink** can be reached. What safeguards are present and what would be required to bypass them? Respectively, map the program for all **Sinks** and retrace the steps required to reach them to identify relevant **Sources**. Is it possible to craft a valid transaction to reach the **Sink** from the **Source**? [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/trungore) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#collaboration) "Collaboration**"** Joining forces has been one of my best decisions since I started auditing. The benefits of collaboration are significant: * **Enhanced Findings**: Working with partners has raised the quality and quantity of our findings. We combine our ideas, transforming them into a fully developed issue. One sophisticated discovery resulted from merging two ideas: * _**My partner’s insight**_**:** "If we disrupt the list order, we could then employ strategy Y to potentially cause users to lose funds." * _**My idea**_**:** "Implementing strategy X might let us break the list order." [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/trungore) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#learn-by-sharing) "Learn by sharing**"** By sharing ideas, I also get the chance to understand different perspectives, which is one of the most valuable aspects of working with a partner. [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/trungore) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#taking-breaks) "Taking Breaks**"** Taking breaks during audits is essential for me. A quick reset in the middle of a project refreshes the mind, making it easier to approach the contract from a new angle and often sparking ideas that weren’t apparent before. [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/trungore) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#using-a-checklist) "Using a Checklist" A critical lesson I learned in auditing is to maintain a personal checklist for each category. Until every box on the checklist is ticked, the audit isn’t complete. In the past, missing a simple access control check cost me a critical finding and, ultimately, the top spot. [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/kankodu) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#the-programming-language-is-not-a-blocker) "The Programming Language is Not a Blocker**"** Understanding the application logic and being able to read a bit of the specific programming language is sufficient for finding bugs; Expertise in that language is not mandatory. You don’t need to stick exclusively to Solidity to hunt for bugs. Although I lack expertise outside of Solidity, I've successfully reported bugs in Vyper, Rust, Cairo, Move, and other languages. [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/kankodu) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#consider-the-dilution-effect-when-describing-bug-impact) "Consider the Dilution Effect When Describing Bug Impact**"** When evaluating the impact of a bug, keep the _Dilution Effect_ in mind. Suppose you identify two possible impacts of an exploit: one with high impact and the other with low. As a bounty hunter, you may feel inclined to mention both, but this can backfire. The weaker impact can dilute the stronger one, as people tend to average the effects rather than summing them up. You're better off emphasizing the higher impact alone. Source: [The Counterintuitive Way to Be More Persuasive by Niro Sivanathan (TED Talk)](https://t.co/jOaqaYrPR9) [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/pks_) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#thoroughly-review-related-third-party-codebases-first) "Thoroughly review related third-party codebases first**"** When auditing an unfamiliar codebase, it's essential to thoroughly review related third-party codebases first. For instance, when auditing a new chain based on Cosmos SDK and Geth, you should: * Study key APIs like Cosmos SDK's PrepareProposal/ProcessProposal/FinalizeBlock/ExtendVote/VerifyVoteExtension functions. * Understand Geth's block generation/verification/processing steps. * Research known vulnerabilities discovered by other security experts. This approach helps you understand both the complete code flow and potential security risks, providing valuable insights for your audit [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/pks_) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#when-identifying-a-potential-vulnerability) "When identifying a potential vulnerability:**"** * Thoroughly review the attack path firstly. * Take a break, then review it again with fresh eyes. * If the vulnerability still holds after double review, develop a Proof of Concept (PoC). Remember that ideas often rely on assumptions that may be incorrect, especially in complex codebases. Following this systematic approach helps build experience and reduces errors in future audits. [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/0xadrii) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#focus-on-understanding-100-of-the-system) "Focus on understanding 100% of the system**"** It is compulsory to know how everything should behave. Once you get that kind of understanding of the protocol, you'll be able to understand how tweaking certain values or pushing the system to unexpected states might lead to vulnerabilities. [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/0xadrii) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#put-on-the-developers-shoes) "Put on the developer's shoes**"** This has worked like a charm to me. The idea here is to be able to think how everything should behave prior to actually diving in the implementation. This will allow you to identify things missing in the protocol, or to check unexpected behaviors that might lead to bugs. [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/0xadrii) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#have-patience-and-learn-from-each-contest) "Have patience and learn from each contest**"** Although it might seem that the auditing part of the contest brings you the most learnings, it is in the escalations and results phase where you'll actually grow. See what you missed and incorporate that knowledge. [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/alex-the-entreprenerd) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#learn-to-reverse-engineer) "**Learn to reverse engineer"** You must learn to reverse engineer exploits, you should not need to wait for someone else to write a thread explaining what happened. There's tons of old exploits you can start with and Phalcon is free to use [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/alex-the-entreprenerd) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#understand-the-code-deeply-enough-that-you-could-implement-it-yourself) "Understand the code deeply enough that you could implement it yourself.**"** Once you understand a system so well, you can explain it back and write it from scratch, you will most likely find all the bugs, barring some gotchas [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/alex-the-entreprenerd) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#become-really-good) "Become really good**"** There is no competition once you are good enough, focus on your own progress and ignore the noise [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/said) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#never-accept-protocol-design-decisions-without-question) "Never accept protocol design decisions without question**"** Always ask why they were designed and implemented that way. I have seen unique findings that aren't immediately apparent in the codebase but only become clear after digging deep into the design and questioning it. [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/said) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#dont-try-to-be-the-jack-of-all-trades) "Don't try to be the jack of all trades**"** Currently, there are far more opportunities in Web3 security than anyone could have imagined even a year ago. Pick one niche and excel at it, capitalize on it as much as possible. Then, you can expand your knowledge afterward. Don't try to chase and master everything early in your journey [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/0xsorrynotsorry) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#dont-lose-situational-awareness) "Don't lose situational awareness**"** It's one of the worst things that can happen. It can occur especially in very large codebases. Once it made us lose the only spotted High vulnerability in a public C4 contest which awarded the solo spotter a 6 figure prize. I had the risk in my notes, I highlighted the code snippet with the audit tag before, and failed to validate it as I lost the code logic at the end of the contest. [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/0xsorrynotsorry) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#dont-force-yourself-to-find-the-bugs) "Don't force yourself to find the bugs**"** It creates unnecessary pressure and a burden when you do it. I’ve realized that whenever I approach code with this mindset, I often come up empty-handed. However, when I explore codebases out of curiosity and simply for the joy of understanding them, that’s when I find success. [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/0xsorrynotsorry) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#dont-lose-time-on-codebases-you-dont-like) "Don't lose time on codebases you don't like**"** While this could be subjective - as many people suggest that it leverages Game Theory by not doing so - I observe that I don't see any flaws in the codebases that I disliked. This often leads to simply passing time without purpose and can deepen feelings of imposter syndrome once those flaws become apparent. [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/nonseodion) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#you-can-earn-big-payouts-from-contests-by-simply-doing-manual-analysis) "You can earn big payouts from contests by simply doing manual analysis.**"** You don't need to set up tools to run complex tests during a contest as there's barely any time for that. Taking your time to manually review the code is enough. [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/nonseodion) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#mitigations-are-a-good-place-to-start-looking-for-bugs) "Mitigations are a good place to start looking for bugs.**"** A mitigation can fix a bug, partially fix a bug, not fix a bug or expose another vulnerability in the code. It can also do a combination of these. You can always check if a mitigation does any of these. I've seen a mitigation to a problem I reported partially fix a problem and allow me still exploit the vulnerability. [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/nonseodion) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#leverage-previous-reports) "Leverage previous reports**"** Reading former audit report also gives you deeper insight about the protocol, allowing you to reason about the code in multiple ways to find bugs somewhat related to the old finding. [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/nonseodion) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#understand-the-code-deeply-before-actively-searching-for-bugs) "Understand the code deeply before actively searching for bugs" This might not always be possible, but try to understand the code deeply before trying to exploit it for bugs. In the process of understanding the protocol, you may find bugs, you can filter out genuine findings, and you can transfer your new-found knowledge to other competitions. [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/nonseodion) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#always-review-all-the-valid-findings-in-a-competition-you-participated-in) "Always review all the valid findings in a competition you participated in" Reviewing the findings will allow you know how and why you missed these findings during the competitions. This will equip you with the needed knowledge and mindset to ensure you don't miss similar bugs in the future. [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/csanuragjain) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#focus-on-difficult-codes) "Focus on difficult codes**"** While reviewing many auditors leave the difficult part of codes. That is someplace most of the bug lies [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/csanuragjain) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#read-what-you-missed) "Read what you missed**"** After completing the audit, read other auditor finding to know what you missed [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/santipu_) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#time-and-focus) "Time and Focus**"** This is a common tip, but it's one of the truest: the time and focus you invest directly influence the number of bugs you uncover. Like they say, the 10,000 hours themselves are more important than the actual strategies used in that time. [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/santipu_) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#one-detail-at-a-time) "One Detail at a Time**"** Once you understand the structure and flow of a system, narrow your focus to a single variable. Identify all the changes it undergoes and assess whether these changes are intended. Tools like "Ctrl+F" are key for tracking variables efficiently. I’ve seen **0xSimao** mention this strategy on X. [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/santipu_) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#bug-variations) "Bug Variations**"** When you identify a bug, consider possible variations that might lead to other impacts or scenarios. These variations can often spark insights into additional, unrelated bugs. A single complex bug might open the door to a host of new issues. [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/el_hajin) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#if-its-hard-youre-on-the-right-path) "If it's hard, you're on the right path**"** It's hard for everyone, and those who persevere through the struggle will reap the rewards later... it's your choice. [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/el_hajin) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#if-youre-just-starting-curiosity-is-your-fuel) "If you're just starting, curiosity is your fuel**"** Keep going down the rabbit hole so you don't run out of fuel. And that's the only motivation you really need. [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/el_hajin) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#dont-chase-money-chase-knowledge) "Don't chase money; chase knowledge**"** It will pay off—don't worry. [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/el_hajin) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#auditing-is-about-answering-three-questions) "Auditing is about answering three questions" * How should it work? * How does it work? * What if (x)? [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/0xjuaan) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#transact-with-the-protocol-in-different-ways) "**Transact with the protocol in different ways"** A great way to understand a live protocol at a high level is to just transact with it in different ways (via the frontend), and then analyse the transaction trace on tenderly, or the blocksec explorer. [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/0xjuaan) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#auditing-skill-greater-than-technical-knowledge-generally) "Auditing skill > technical knowledge (generally)" The vast majority of vulnerabilities are due to logical flaws or a lack of constraints and don't require a deep understanding of the EVM's inner workings. These are found by training your auditing skill through deliberate practice. So in terms of technical knowledge, you can achieve great results if you just learn the basics thoroughly (e.g as much as [@CyfrinUpdraft](https://x.com/CyfrinUpdraft) teaches). [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/mrpotatomagic) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#fail-fast) "Fail fast**"** The fastest way you’re going to progress is by making mistakes early and learning from them. Have the humility to fail! [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/mrpotatomagic) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#become-the-product-of-your-efforts-not-the-sum-of-your-earnings) "Become the Product of Your Efforts, Not the Sum of Your Earnings**"** Avoid evaluating and comparing your progress/skill level based on earnings. You are the product of your efforts, not the sum of your earnings. [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/mrpotatomagic) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#depth-over-breadth) "Depth over breadth**"** Pick depth over breadth most of the times. Focusing on one codebase at a time provides higher ROI than performing multiple reviews at the same time. [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/krikoeth) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#maintain-physical-and-mental-energy) "Maintain physical and mental energy**"** It’s better to do less work on 100% than double the work on 50%. My belief is that if you do a 100% job, you get 100% result. But if you do a 50% job, you get 25% result. You work with code every day, you use your brain to uncover sophisticated attacks. You need 100% focus. You need good sleep, good diet and a lot of energy. Take a break sometimes, work out / walk daily, go on a hike [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/krikoeth) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#embrace-the-failure) "Embrace the failure**"** This applies especially to audit contests. You work your ass off on an audit just to find out that you made a few cents in the end. That is the best thing that can happen to you! First you can learn from the findings you did not find and make sure that you will never miss those again. Second you can retrospect on your process and see what should be improved, maybe based on the reasons why you missed some findings. Third this should make you want to compete more and more fiercely with the new knowledge to beat everyone the next time. My biggest achievements started when I changed my approach after I realised I have not reported vulnerabilities worth **~$40k** that I saw during the competitions:) [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/krikoeth) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#learn-constantly) "Learn constantly**"** There is a new attack vector everyday. There is a new technology or concept every week. You must still be ahead of the market. [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/krikoeth) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#hunt-in-blue-oceans) "Hunt in blue oceans🌊" There is some good in financial success that might be a good driver forward, that’s why you should hunt in blue oceans - focus where the least focus is to maximise your profit. Why compete with thousands when you can compete with tens?:) Compete does not necessarily means audit competitions, businesses are competing for customers etc. [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/krikoeth) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#do-not-audit) "Do not audit" This means that audit to me signals some guy in suit checking if something is correct. You are not a unit test, you should not check if it is working correctly. You should check how to exploit it for your financial gain! Or how to exploit it to hurt the users, or the protocol itself. You are the attacker! Of course, you are the good guy, so once you uncover the bug, you responsibly report it:) [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/krikoeth) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#improve) "Improve" I changed my process several times, in the beginning after almost every audit, until I found what suits me the best. Key insights from my process is analyse what you are doing (drawings, use case diagrams, flow charts, state machine), identify attack vectors and create threat models, and then just break the code. [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/zzykxx) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#theres-always-and-i-mean-always-another-bug) "There's always (and I mean always) another bug**"** Most of my decisions regarding an audit are based on this one-liner, for instance I never quit before the time is over and I rarely fool myself into thinking I found everything [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/00xsev) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#have-fun) "Have fun**"** Staying motivated is easier when you enjoy what you do. It also helps prevent burnout [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/00xsev) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#build-solid-routines) "Build solid routines**"** * ~4 hours of deep work (like reading code, analyzing the project) each day. * 1–2 hours of shallow work. * Stick to a 5-day work week. * Exercise at the gym 3+ times a week. * Prioritize rest to stay sharp. [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/00xsev) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#results-improve-with-experience) "Results improve with experience**"** Over time, you’ll recognize problem areas and know where to dive in first [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/00xsev) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#keep-learning-and-use-checklists) "Keep learning and use checklists" Helps to spark new ideas during audits. [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/0xminht) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#work-harder) "Work harder**"** A wise person once said: work, work, work, work, work, work It was Rihanna. "Idk man, you just need to put in the work" is like the most generic thing you could tell someone who wants advice on how to get gud (at anything), but sadly the answer is as true as it is unsexy. I like to consider myself fairly smart. I had an easy time in school and university, I could half-ass most of it and still get very good grades. I had to learn the hard way that this mentality does not transfer to the security research space. This place is filled with giga-brains, and the only option for most people to get anywhere close in terms of skill is to outwork them. [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/0xminht) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#focus-on-one-thing-at-a-time-and-do-it-properly) "Focus on one thing at a time and do it properly**"** I am a massive sucker for FOMO. I can not count the times where I tried to do contests in parallel or when I was planning to do a contest in the final third of the time available just so I could do another one before that, for which I also only allocated a fraction of the time I should have. Needless to say I did not perform well doing this, ever. Remember how I said earlier that I consider myself smart? It's moments like these that make me question if I don't have a learning disability instead (like in the Simpsons episode where Lisa tests if her brother is [dumber than a hamster](https://t.co/M7wBaypF5r) ) Learn from my mistakes and dedicate yourself to one codebase at a time for as much time as necessary until you understand how everything works. [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/0xminht) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#just-read-the-code) "Just read the code" [_**This is a funny meme**_](https://pbs.twimg.com/media/GYUIRnmW0AAiypB?format=jpg&name=medium) , but it's just that. If you are you are far enough to the right of the intelligence curve you may be able to get away with it, but for most people I don't believe its an efficient way to go. Obviously reading code is the majority of the job, but for those who are not blessed with extraordinay mental RAM, there is no shame in: * reading the docs to get a high-level understanding first * taking notes and drawing diagrams * using an IDE and learning to use it properly * (especially in regards to navigating and searching code) [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/0xciphky) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#focus-on-complex-areas) "Focus on Complex Areas**"** Complex code often presents roadblocks, but these are precisely where many vulnerabilities reside. Instead of avoiding these challenges, dive deeper. These areas often yield high-value findings that others might miss or skip over. [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/0xciphky) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#revisit-previous-sections) "Revisit Previous Sections**"** After gaining a clearer understanding of a code section, revisit earlier parts you’ve examined. Analyze the connections between these sections and any potential edge cases; often, unique bugs are buried beneath multiple layers. [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/0xciphky) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#previous-findings-as-opportunities) "Previous Findings as Opportunities**"** Previous findings can present valuable opportunities. Always review past audits and analyze the fixes; often, less time is spent auditing these corrections. Remember that fixes can create new problems or may not be implemented correctly, leading to potential vulnerabilities. [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/pkqs90) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#use-contests-as-a-method-to-improve) "Use contests as a method to improve**"** Don't be afraid to work on contests that has new concepts you are unfamiliar with. Instead, use the contest to push yourself to learn new things (e.g. Protocol heavily uses UniV3 but you didn't know UniV3 before). [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/pkqs90) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#prioritize-contests-with-larger-codebases) "Prioritize contests with larger codebases**"** Bigger than 3k+ loc, rather than small ones. Two reasons: 1\. The ability to work on large codebases with complicated logic is a must for going deeper in this space 2\. Smaller contests tend to have more noise, which may be distracting. [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/pkqs90) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#spent-time-reading-aside-from-auditing) "Spent time reading aside from auditing**"** Aside from normal audit work, leave some time for reading articles/write-ups and researching every once in a while. New tech and new issues are popping out every day, it is important to keep track, especially in such a fast evolving space. [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/winnie) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#understand-the-flow) "Understand the flow**"** Imagine how each party interacts with the protocol, and try hard to break [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/winnie) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#pay-attention-to-details) "Pay attention to details**"** Keep record of every little weak points and try to combine them [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/winnie) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#select-larger-and-harder-codebase) "Select larger and harder codebase**"** Keep learning new things [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/winnie) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#critical-thinking) "Critical thinking" Don't read other's reports without independent thinking first. [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/peak_bolt) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#speed-is-crucial-in-the-initial-audit-phase) "Speed is crucial in the initial audit phase**"** Build a mental model of the code base quickly by speed-reading the contracts and avoid deep-diving at this point. You can note down the low hanging bugs and put TODO tags for complex logic to review at the subsequent passes. [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/peak_bolt) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#maintain-the-momentum) "Maintain the momentum**"** Maintain momentum and save time by working on the easy tasks first and not be slowed down by the complex issues that require deep thoughts. At the same time, you will gain confidence on the code base and not be overwhelmed by the details. [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/peak_bolt) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#spend-bulk-of-the-time-on-reasoning-complex-attack-vectors) "Spend bulk of the time on reasoning complex attack vectors**"** Allocate as much time as possible to review the complex logic (math, multi-contracts interactions, novel design, etc). You need creativity, knowledge and a good mental model to find the most complex bugs. These are the ones that are not obvious and typically involves multiple step or specific edge case to exploit. With the saved time from the initial phase, you increase your odds of spotting the more complicated issues. [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/stalin_eth) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#how-to-tackle-a-codebase) "How to tackle a codebase?**"** * Explore the entire codebase before diving into the details of each contract. * Once exploring in-depth the codebase, leave no path unexplored. Explore every path that comes to your mind, and think of sequences that could cause the state of the contracts to fall into an unexpected state. [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/stalin_eth) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#leverage-the-test-suite) "Leverage the test suite" Leverage the test suite to explore edge cases not considered on the tests. [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/stalin_eth) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#document-everything-even-your-thoughts) "Document everything, even your thoughts**"** Take notes about everything, from how a tricky function works, to all the attack vectors I’ve already thought about while exploring the contracts. Write all the doubts and ideas of potential attack vectors/bugs and always return to them once you’ve understood every detail of the codebase. Save all the articles (EIPs, deep downs of X protocol) you consulted for future reference. [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/stalin_eth) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#attackers-mindset-first) "Attacker’s mindset first**"** While auditing, focus your attention on exploring paths that would allow an attacker to steal assets from the contracts. More often than not you’ll get false positives/dead-ends, but, in the process of exploring these paths you’ll end up understanding the codebase from top to bottom and the non-critical bugs will pop up right in front of you. [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/0xfrankcastle) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#if-your-wind-blows-seize-it) "If your wind blows, seize it.**"** If you make a great achievement like winning a contest or a bug bounty, you should seize this hype and make the most benefits from it, such as joining invitational audits or marketing to yourself to get more opportunities such as private audits and build your experience. Do not stop or take a rest after making good results. [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/haxatron1) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#be-organized-in-your-approach) "Be organized in your approach**"** I like to keep track of contracts I have reviewed, so that I don't miss out on anything and it is easier for me to do a systematic review of all the contracts. This is especially helpful if there is alot of stuff to review. [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/haxatron1) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#dont-be-afraid-to-tackle-hard-codebases) "Don't be afraid to tackle hard codebases**"** The harder the contest, the lesser number of people and the greater chance of winning. [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/haxatron1) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#choose-a-niche-and-focus-on-it) "Choose a niche and focus on it**"** With the huge number of contests lately, there is enough to go around for everbody. As for me I chose cross-chain and L2s but some rockstars like A2Security specialize in lending. [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/al_qa_qa) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#you-dont-know-a-lot) "You don't know a lot**"** You reach a point where you fully understand the codebase, but the results come with a lot of bugs you miss. [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/al_qa_qa) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#time-management) "Time Management**"** Studying, doing contests besides escalations, and learning new concepts. Each task should take its time without neglecting the other task. [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/al_qa_qa) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#patience) "Patience**"** You can spend weeks working hard without any progress, but you should keep working to reach your goals. [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/bauchibred) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#do-not-be-afraid-to-take-on-a-new-challenge) "**Do not be afraid to take on a new challenge"** That’s from trying to audit a new language or trying the 5000+nsloc contest or even going for a Blockchain/DLT level contest from classic solidity Defi. [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/bauchibred) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#security-research-is-a-mindset) "Security research is a mindset**"** As some people say _security research is a mindset,_ so regardless of the size of the protocol or the language, there are always bug cases that apply to it, and if you don’t find any during that audit, you’d definitely learn from the report and apply it on your next audit. [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/bauchibred) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#stay-consistent) "**Stay** consistent**"** Just show up everyday and do something. [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/j4x_security) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#stay-away-from-the-crowd) "Stay away from the crowd**"** I always try to do the most unattractive contest currently offered. It's usually either a very complex codebase, or a language no one wants to learn. This way I always keep myself challenged (avoiding fatigue) and get the minimum of competition which leads to a way less diluted pot. [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/j4x_security) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#check-for-3-signs-that-will-tell-you-that-this-is-a-good-contest-to-do) "Check for 3 signs that will tell you that this is a good contest to do:**"** * New language / protocol type * Complex Math * Gigantic codebase [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/j4x_security) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#predict-highs) "Predict highs**"** When deciding on what contest to look at, nowadays its becoming more and more important to know if a contest will contain highs, due to scaled pots. You can usually predict the chances of this pretty well by looking at 3 metrics: * **Prior audits** -> Who audited it before? In case of no one or a low quality company we can be pretty sure to find stuff * **Code quality** \-> If there is almost no testcases or documentation, we can usually expect highs * **Size** -> The bigger the codebase is the better as the chance of highs increases exponentially [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/j4x_security) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#favor-big-codebases) "Favor big codebases" So if I do a scaled pot, in the best case I want those 3 to align. A big codebase, that is badly documented / tested and had no or only low quality audits before. In that case you can be almost sure that the pot is unlocked, but competition will still be a lot lower due to the pot being scaled. [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/j4x_security) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#meet-everyone) "Meet Everyone" I always try to meet as many people in the industry as possible. First of all you will find a lot of friends that have a similar mindset to you which is awesome. Second of all these friends can be helpful all along the way. I have gotten many opportunities or clients referred to me by friends I met along the way. [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/j4x_security) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#dont-be-a-leech) "Don't be a leech [🐛](https://emojipedia.org/bug) " If you just want others to help you but not do anything for them no one will want to be your friend. Try to help and support each of your friends whenever you can. It might be referring a client to them, it might be putting a good word in for them with someone you know etc. This way you can build lasting friendships out of which both sides profit. [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/0xb0g0) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#prepare-well-before-your-first-contest) "**Prepare well before your first contest"** If you're just starting out and planning to participate in your first contest, make sure to properly equip yourself before stepping into the battlefield. One of the main reasons many newcomers give up early is that they jump straight into a contest without preparation. Often, they struggle to find anything, feel overwhelmed, and conclude that success is impossible- leading them to quit. On the other hand, auditors who spend a few weeks preparing by conducting shadow audits, reading reports, and actively practicing finding bugs, tend to perform reasonably well in their first contest. This initial success is what you need to ignite the motivation needed to persevere and continue until you truly "make it." [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/0xb0g0) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#go-deeeeep) "**Go deeeeep"** This is where unique and less duplicated findings hide. If you stay on the surface, where everyone else is, you'll uncover the same issues as everyone else. But if you're bold enough to dive deeper, you can win Big. The deeper you go, the less competition you'll face. Going deep means that once you understand how a protocol works, you focus on its most critical flows, break them down into smaller components, and start exploring: * **are there any external integrations** -> study the external integration code * check tests for a particular flow -> **are there any spots left untested** -> explore them * **are there any exotic scenarios to this flow** -> try to think of them and see if they brake the logic [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/0xb0g0) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#focus) "**Focus"** Remaining focused is one of the most essential principles to grasp in this industry, and it applies on multiple levels: * **Commit to one contest at a time and give it your all** - It's far better to win a single contest than to perform moderately well in several. * **Dedicate yourself to one goal** \- Whether it's becoming an LSR/LSW, building a business, or excelling at bug bounties, choose a single goal and channel all your efforts into achieving meaningful results. [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/0xb0g0) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#knowledge-is-power) "Knowledge is power" Once you’ve built some initial recognition (achieving a few milestones helps break the ice quickly), start connecting with other auditors. Share your opinions, expectations, and experiences with them—this can help you identify false assumptions and recalibrate your approach to make more informed and effective decisions This is one of the best ways to stay updated on real trends and opportunities in the industry—those that lie behind the glossy marketing facade. [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/0xt1moh) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#pure-curiosity-and-discipline-is-everything-in-security-research) "**Pure curiosity and discipline is everything in Security Research"** [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/akshaysrivastv) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#for-newbies-learn-the-basics) "For newbies: Learn the basics**"** * Learn the basics of blockchain, ethereum and solidity. You should have a basic idea of how these things work under the hood. * Learn about basic smart contract/blochchain bugs * Do some CTFs and other available challenges [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/akshaysrivastv) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#for-newbies-do-shadow-audits) "For newbies: Do shadow audits **"** Do shadow audits. Choose any past audit with small codebase and try to find bugs in it, then compare your found bugs with the actual audit contest result. Pay special attention to the bugs you missed as that's the key for improvement. [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/akshaysrivastv) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#for-newbies-compete-in-a-live-contest) "For newbies: Compete in a live contest **"** Compete in a live contest - preferably a smaller codebase one. Analyze your findings against the contest top rankers. [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/akshaysrivastv) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#for-the-experienced-choose-less-crowded-contests) "For the experienced: Choose less crowded contests" To maximize payouts choose less crowded contests (complex codebases, new languages, new platforms, heavy math codebase, etc). [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/akshaysrivastv) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#for-the-experienced-ask) "For the experienced: Ask" Question every business logic. Asking `what if ...?` is the way to go. [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/akshaysrivastv) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#for-the-experienced-go-deep) "For the experienced: Go deep" Go deep into the codebase that you audit. Understand the protocol flow & all its state transitions. Diagrams/charts can be helpful here. [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/akshaysrivastv) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#for-the-experienced-understand-your-top-competitors) "For the experienced: Understand your top competitors" Try to understand the mindset of your fellow top competitors in the contest. Read all their findings to understand how they were seeing and approaching the codebase. [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/0xt1moh) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#less-than-2k-nsloc-contests-are-to-learn-basics-of-security-research-where-you-just-train-skills.-re) "< **2k nSLoC contests are to learn basics of Security Research where you just train skills. Real work starts later on big complex projects"** [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/zigtur) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#learn-by-doing) "Learn by doing**"** Stop wasting time trying to learn some concepts up-front. Learn as you do, especially in security reviews. [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/zigtur) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#setup-that-feedback-loop) "Setup that feedback loop**"** * Failing by missing vulnerabilities is normal. You can’t do without it. * But failing multiple times on the same issues is not acceptable. * Get that feedback loop up, be sure to never miss this issue again. [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/zigtur) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#question-everything) "Question everything**"** Question, question, question. Don’t take assumptions, or if you do you should question them too! Then look for the answer, you may be surprised! [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/zigtur) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#cut-the-abstraction-down) "Cut the abstraction down" “This should work like this, I’m not checking it!” Are you sure about that anon? [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/zigtur) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#interpret-that-small-line-of-code) "Interpret that small line of code" What does this line of code means on the whole protocol? What consequences does it have on other workflows? Interpret the small lines within the project’s big picture! [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/zigtur) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#have-fun-1) "Have fun!" It’s OK to not enjoy a codebase. With competitions, you can just wrap-up and go with another you enjoy! I’ve done it in the past, I will do it in the future. Because competitions allow it! [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/0xev_om) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#be-unwavering-in-your-conviction) "Be unwavering in your conviction**"** Never believe there are no vulnerabilities left to find, or that you will not be able to find them. If you catch yourself thinking that, you are not competing to win. There is always a way for you to discover the next vulnerability - you just have to find it. [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/0xev_om) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#dive-deep-when-needed) "Dive deep, when needed**"** Always welcome the opportunity to dive one step deeper, to understand the code at an even lower level, to develop an even more precise understanding of the whole stack. But do it with a purpose - also accept that it is simply infeasible to learn and retain all there is to know about any single blockchain. So pick your battles, and fight. [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/0xev_om) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#skill-comes-with-practice) "Skill comes with practice**"** Good auditing skills come from auditing. You need some reference material to get started, but after that, learning by doing is how you improve. Contest platforms provide a feedback loop, community, scheduling, the right incentives and most importantly, a payout. Make use of the structures available to you. [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/tpiliposian) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#just-do-it) "Just do it**"** The difference between doers and dreamers is that doers started DOING one day. Today is a great day to be your day one. [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/tpiliposian) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#set-your-goals-high) "Set your goals high**"** When your goals are set too low, it's so easy to quit or lose interest after some success. Your goals should be so high that reaching them will truly change your life. There are so many memes about BJJ people leaving training after getting their blue belt, but when your goal is to be the most badass grappler in the world, no belt will make you quit the game. [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/tpiliposian) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#give-before-you-take) "**Give before you take"** As I strongly believe that we’re put here to give more to this earth than to receive, hoping to get everything we’re dreaming of without giving back at least equally, it won’t happen. If your dreams are high, you need to be ready to pay more. And the right way to be able to give more is by working on YOU every day, being a greater version of YOU! [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/tpiliposian) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#consistency-is-key) "Consistency is key" When someone's performance seems unreachable, it doesn't mean it is. All you need to reach that level is consistency. You'll level up without even realizing how much you've grown with just consistent work. For example, when I started jiu-jitsu, blue belts seemed so powerful and untouchable. I felt unprotected and thought I'd never reach their level. But now, I can play with newcomers and submit them easily. All it took was 8-9 months of consistent training [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/abarbatei) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#do-not-avoid-the-cracks-while-looking-for-the-entrance) "Do Not Avoid the Cracks While Looking for the Entrance**"** A bit controversial, but also include informational and low issues when possible. The act of putting into writing a potential low issue both solidifies your understanding of the codebase and provides a slight benefit for the protocol. Countless times, while thinking about how to report an informational issue on a part of the code, I realized there were more issues there. [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/abarbatei) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#the-hunter-should-not-be-jealous-of-the-builders-hammer-and-the-builder-should-not-envy-the-hunters) "The Hunter Should Not Be Jealous of the Builder's Hammer, and the Builder Should Not Envy the Hunter's Bow**"** What works when hunting on bug bounties may not be as relevant when doing private engagements or contests. Although similar, different applications of auditing require different approaches. Remember this and do not try to apply a bug bounty hunter mindset to a private engagement, or vice-versa. [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/abarbatei) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#balance-focus-with-flow) "Balance Focus With Flow**"** Your resource is your brain, but it has its quirks. You may focus for hours on a codebase only to find an issue later while showering. Why? Because you entered a diffuse thinking mode. Relax your thinking intentionally to allow the pieces to fall into place and the issue to reveal itself to you. Plan walks, long baths, or other such activities in between focus sessions. [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/0xarzzz) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#look-in-places-that-you-know-better-than-the-devs) "Look in places that you know better than the devs**"** The devs don't know all the edge cases of the protocol that they are built on top of or forked from. A lot of bugs that I found on Immunefi were bugs where you needed to do something in these deeper layers first to achieve the bad end state. [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/0xarzzz) ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FMDL3AD33IaCa74FIYNVY%252Fimage.png%3Falt%3Dmedia%26token%3Dacbbc3a1-317d-4bc9-8f6b-ff2f9688801a&width=245&dpr=4&quality=100&sign=7103f202&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/the-wall/wall-of-wisdom#have-fun-and-follow-your-curiosity) "Have fun and follow your curiosity**"** It's a completely different focus when you're doing it out of your curiosity instead of forcing yourself to work. There is a lot to choose from so choose whatever interests you and have fun. [Previous@0xb0g0](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/0xb0g0) Last updated 8 months ago --- # Template | Art Of Auditing ![Page cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FwHOEhhyDWtYlAxxPVmt8%252FUntitled-1.jpg%3Falt%3Dmedia%26token%3D53a418bb-3ef0-4ec3-984a-8a7fa343f140&width=1248&dpr=4&quality=100&sign=94255264&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/template#id-0xb0g0) ![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252F6UuX7506T6D6jWfc9mI0%252Fimage.png%3Falt%3Dmedia%26token%3D07518bf0-fb67-4824-afc5-d83972c322ac&width=40&dpr=4&quality=100&sign=54d0e948&sv=2)![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FoexTy0YLirZNUEtBi9hl%252Fimage.png%3Falt%3Dmedia%26token%3D37136669-4ffa-4e5c-8b1b-37ce3a42855c&width=40&dpr=4&quality=100&sign=4ad0305&sv=2) 0xb0g0 ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/template#about-or-info) About | Info ![](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FlGDKE1IBeQWS5F70z5VC%252Fimage.png%3Falt%3Dmedia%26token%3D73629124-425d-4c7b-8556-34ff37bfd9ad&width=768&dpr=4&quality=100&sign=ebb498c&sv=2) [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/template#words-of-wisdom) Words of Wisdom --------------------------------------------------------------------------------------------------------- * * * ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252FBBYe9agZ6JGsSwSH4nnc%252Fimage.png%3Falt%3Dmedia%26token%3D73104116-b3e2-4991-97e2-c4ad31c367e8&width=376&dpr=4&quality=100&sign=f7dd77bb&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/template#text) "**Text"** Text ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252Ft6dCiKeQgNJLUil8gANs%252Fimage.png%3Falt%3Dmedia%26token%3D75248950-f93b-444b-9cac-96459703eec7&width=376&dpr=4&quality=100&sign=eaced8b9&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/template#text-1) "Text**"** Text ![Cover](https://web3-sec.gitbook.io/art-of-auditing/~gitbook/image?url=https%3A%2F%2F67142634-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FVDeQxk13w6LLaqk8VRNs%252Fuploads%252Fg7H3UxcFBk1qDzD9ov6u%252Fimage.png%3Falt%3Dmedia%26token%3D152c591c-9bff-417c-8a2d-e20f0fc21bb5&width=376&dpr=4&quality=100&sign=758bad0c&sv=2) ### [](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/template#text-2) "T**ext"** Text Last updated 9 months ago ---