If you want to get really good at something, do it competitively.
Be uncomfortable. Allow yourself to make mistakes. Measure your growth. Study what the best do.
That’s why @code4rena works and has helped grow scores of top tier auditors and bounty hunters.
When web3 exploits happen, quick coordination among good actors is essential.
SEAL 911 is a collaborative initiative by the web3 security community designed to provide support for incident response.
Please bookmark and share:
🌶️ The DSS venue and the industry are full of auditors who made their name competing on @code4rena.
Logically incongruent when people imply that those without a name aren’t good auditors when C4 has been one of the primary talent pipelines for the field for >2 years
#DSSspice
🌶️ Audits in general simply aren’t designed to find all bugs, but in web3 we NEED to find more bugs faster than traditional methods and keep them out of deployed contracts.
That’s what @code4rena’s been incentivizing for two and a half years and 231 audits.
#DSSspice
I never worry about auditor churn on @Code4rena.
Why?
I believe 95% of people who get exceptionally good at pure bug-finding won’t do it at that level indefinitely.
Great talent always seeks higher leverage, more meaningful impact. Bug-finding is security expert table stakes.
In the beginning, I dreamed of being constantly booked with solo and team audits. Now, I dream of getting free from any engagements and not doing any audits for a few months. Neither is easy to achieve.
“Scamming the judge” is what @GalloDaSballo calls it.
@code4rena just invested $90k in three Supreme Court Judges meticulously standardizing rules to cover these scenarios based on past case law.
Take a look at their extensive work:
Audit Contests Alpha: Audit contests are a game of reporting and negotiating for medium-severity findings.
Highs are usually black and white and rarely solos, but almost all of the top researchers' findings that I've read are very nuanced and in places that no one even looks at.
Having worked alongside @trust__90 for the better part of the last year through C4, I believe very strongly:
1. his actions were in good faith
AND
2. he will personally help make the space better in terms of processes because of this incident.
People are saying all kinds of terrible things while being uninformed so allow me to share more details.
I've initiated coordination privately with Immunefi officials 3 hours before the white-hack. 90 minutes later, I realized the asset is currently used by the frontend and
Sorry, but S-tier is being married to your cofounder so you’re never alone in whatever keeps you up at night and always having your most brilliant collaborator and advisor ready to talk through ideas and problems.
AOL Keyword:
#OddlySpecificHumblebrag
The sweetest and kindest people I’ve met in the crypto/web3 space are security auditors. I consider it a privilege to get to work alongside them in @code4rena.
@zachobront
Always good advice to follow what you’re fascinated by! Best long term investment is aligning what you do with what you actually *want* to do.
So, alternatively: *If you’re interested in ZKPs* it’s a v cool opportunity to audit AND learn.
(2/3 of scope’s .sol anyway)
I super love open data but pls be careful with charts based on lagging intel.
Same chart now shows July with >270 different @code4rena wardens finding valid high quality bugs that bots couldn't find.
SorrynotSorry to say competition remains pretty fierce on c4 :)
For 69 minutes on Monday, this account was hijacked via sim swap and used to send a phishing link.
We hold Code4rena to high security standards: we have policies in place requiring 2FA on all staff accounts.
Unfortunately, access control for Twitter was missed based on
Real ones already know @aramas95 is an S-tier marketer, C4 staff member, and teammate.
But she also had *literally under one minute* response time to Monday’s simswap incident. Living out a show-don’t-tell example of our principle that *everyone* is on the security team.
Personal vulnerability disclosure:
I made a stupid comment in a 3am tweet which came off as flippant and passive aggressively critical of a c4 customer.
This is against my principles and beliefs about security being a constant process and shame undermining security outcomes.
🌶️ Bottom line when comparing competitive vs trad audits:
“More auditors, more issues found” is how @banescusebi put it in a 2021 ethcc talk—but doesn’t have to mean mo money, mo audits.
@code4rena gives you more brains per dollar in a code review scheduled on demand.
#DSSspice
@shunduquar
Builder team would’ve prolly been able to ship this like a year ago if they weren’t having to clean up my slammed-together JSON / CSV and awkward GitHub-as-database ball of mud architecture while still making everything keep working lol
“This is the true joy in life, being used for a purpose recognized by yourself as a mighty one.
Being a force of nature instead of a feverish, selfish little clod of ailments and grievances, complaining that the world will not devote itself to making you happy.
I am of the
🌶️ There’s poor allocation of security budgets cos of immaturity of the space + high stakes
Success as an industry looks like projects spending LESS on audits
/ bounties BECAUSE they invest MORE in process / consulting / dev education / architecture review early on
#DSSspice
WOW. In November’s @feiprotocol @code4rena contest, 21 wardens competed and NO high or medium severity issues were found—that’s never happened even with a half-dozen wardens competing. Just seriously wow. Hats off to the Fei team, @joey__santoro.
@pashovkrum
@CharlesWangP
Yeah, C4 makes it pretty hard for common exploits to get through.
It’s just untenable to expect any single auditor to find everything, but the average auditor can miss 60% of common HMs in C4 and the diversity of perspectives / volume of auditors makes for a fat safety net.
Yes. Often, HMs = Ls + creativity
Tonnnns of evidence in @code4rena results for this☝️
Also why you want many unique perspectives involved in auditing your code.
If you got an audit done for your project - fix ALL the vulnerabilities not only the high/medium ones
Just because the auditor marked a vulnerability as Low doesn't mean it is not important
It may mean that he just didn't know how to exploit it but a blackhat could know🤷♂️
@hake_stake
That’s very kind of you.
My contribution is less from me *personally* and more me being a “human insight aggregator” that’s resulted from prioritizing building high-trust, high-candor relationships with a ton of amazing people I’m constantly learning from.
There’s a lot I love about @rainbowdotme but my absolute favorite feature is that they don’t use red for negative 24h. Second favorite feature is the ability to hide balances that make you feel a bit ill when you look at them. Mental health features A++++
Yes. The idea that humans will ever run out of work is kind of hilarious. We’ll just keep inventing more todos.
Just as much as AI has the potential to eliminate jobs, it also has the potential to turn every person into Da Vinci who creates whole worlds of new work to be done.
What the “AI will only destroy jobs” pundits don’t understand: Higher IPP “Ingenuity Per Person” leads to hiring more people as companies become more ambitious.
Amidst time with customers, journalists, and industry analysts discussing the implications of AI, a common stream of
@pashovkrum
I absolutely respect the intent but I don’t super love it as a policy because it effectively implies auditors bear liability for vulnerabilities.
You are responsible for what you deploy.
Good faith teams know this and rely on rigorous review, but don’t look to pass the buck.
@colleenklein
Out of curiosity, have you sent letters articulating this viewpoint to progressive dems? Or are you part of any lobbying groups? This message is so smart, compelling, and clear. Thank you.
@cmichelio
In all seriousness, my theory is the incentive to identify the highest arguable impact for a given issue leads to much better security outcomes, which is the ultimate goal.
security is the most inherently human among all tech domains.
fear and shame are the two most visceral human emotions and almost everything in security is dominated by the interplay of these two in one way or another.
I've been looking forward to sharing this news for a long time!
@NascentSecurity is a new type of security team incubated by @nascentxyz
It does NOT do:
❌ portfolio services
❌ private bookings
It DOES do:
✅ public competitions (e.g. @code4rena @immunefi)
✅ public goods
I joined but I am still old
Not financial advice: idk if I am a security or a commodity or a currency or a secret fourth thing
Some codes:
🌶️ We need to drive down the price of known bugs and make complex bugs cost less than 10% of user funds so we can solve harder problems.
Pushing things this direction is one of @code4rena’s key contributions to the space. We’re gonna go ahead and keep doing that.
#DSSspice
@jacksondame
Our 16yo son is a very web native creator (has a YT channel with 2000 subscribers and a bunch of projects earning Roblox $) and he doesn’t think the NFT criticism is valid BUT won’t touch it because creators in his world who do get punished by mobs.
@KoolexC
@code4rena
The competitive audit model and formula was designed by C4 cofounder @scott_lew_is, one of the best mechanism designers in crypto :)
Is having an auditing process overrated?
Tune in to break the mould with @0xleastwood, an LSR at @SpearbitDAO, and top @code4rena warden who has no auditing process and just follows his curiosity.
Follow @web3sec_news to get exclusive summaries of this podcast 🗒️
Link for @blessThisMoney @TheBirdHouseNFT
Great way to kick off that run. A heck of a buy. You got some other nice birds, too. Come by the discord and say hi. Good people.
imo 10% of **user funds** as the presumptive default commonly advocated as the golden rule by security researchers is primarily an indicator of the immaturity of the overall space
send ransom bounties to zero*
———
* by building better processes, tools, education, and incentives
Do we agree offering a 10% bounty AFTER the hack has happened is probably a wrong precedent?
How many Immunefi critical reports are paid at ~10% amount in risk? Perhaps we may need to reconsider the incentives if you can turn whitehat anyway
To be a part of a team that genuinely acts out its values through its culture, processes, and everyday team/community interactions is a dream. Each day I learn something new, and that alone makes me so enthusiastic about the next.
@akshaysrivastv
@0xDaksh
@code4rena
<3 All credit to the hardworking team behind the scenes, judges, and exceptional wardens like yourself for sure. It’s been one of the coolest and most gratifying experiences of my life to be along for the ride and watching so many amazing people get the opportunities they
@deadrosesxyz
Trivial to do, but haven’t ever seen anyone complain that C4 judges are expressly biased for/against individuals, and there is real utility for transparency and for participants to names to be discoverable.
Seems like a defensive response to someone else’s marketing point.
@agfviggiano
@RedTigerAuditor
@code4rena
My background is open source and open standards, so I agree with a lot of that in theory.
One of my personal core principles comes from the Picasso quote: “To begin, you should have an idea of what you want to do, but it should be a vague idea.”
To that end, the missing piece
@realgmhacker
Wait for the absolutely humbling experience of having teenagers. Nothing like the crushing sense of your own powerlessness in the face of their adversities and trauma.
@danielvf
Check out what we’re doing at @code423n4. We run audit contests, not spec work bounties. Contests pay for valid bugs even if multiple people report the same one. Recently one top auditor told me it’s the best “job” they’ve ever had :)
@bytes032
@code4rena
In general our team’s #1 goal is to add considerably more value than our fee.
I believe in every solo C4 has booked we have gotten the warden paid their full requested rate.
We’ve also advised auditors on market pricing and gotten several paid more than they quoted.
I just re-read this, and I want to clarify that by “level” I meant “sustained volume”
Obviously people only get better at identifying bugs; the point is not that they get worse—that would be silly.
It’s that they inevitably want to deploy insight they’ve gained differently.
Meanwhile @code4rena adds hundreds of new auditors per month, new heroes end up on top, and projects keep coming back saying the results perform.
#DSSspice
The term "audit" has sparked controversy, and while alternatives like "Web3 security reviews" are clear, "Web3 security reviews contests" don't have the same catch to it. Until a better alternative comes along the way, we are probably gonna stick to audit.
1/ One day, I believe $LINK will flip $ETH both in terms of market cap and value proposition.
I don’t believe this based on hype, or because I’m awesome - which I am.
I believe this based on evidence and logic.
Crazy? Maybe. Possible? Definitely. Here’s how.
My sweetie is a wiser, more experienced investor than me and today she’s gone from dipping her toe in crypto in a CEX to putting her spare change into #DeFi thanks to @rainbowdotme.
Her picks:
— $DEFI++ from @PieDAO_DeFi
— $ALPHA
— $RSR
— $ETH
@CharlesWangP
@HollaWaldfee100
3-5% is my guess as well. High Twitter visibility certainly but it really can’t be more than a sliver of the full market.