@xb0g0
bogo
5 months
💬"Hmm, those guys are using .codehash to check if a contract was already deployed. Did they research the opcode? Why are they assuming it is always 0?" - See how developer assumptions are questioned from the very beginning 💬"Ok, let's research the EIP for this opcode and check…
3
1
12

Replies

@xb0g0
bogo
5 months
I analyzed the report of a contest I participated in on @code4rena . One specific finding by @milotruck taught me a LOT. It was so simple, yet only 3 out of 125 auditors found it. WHY ? - They asked the right questions!! I'm doing a breakdown of the mental model that empowered…
10
24
177
@xb0g0
bogo
5 months
A short summary of the exploit: 📌 It's a p2p lending protocol that has the functionality to sanction lenders/borrowers 📌 When sanctioned, an escrow vault is deployed for that account to hold its funds. If the sanction is lifted, funds get returned to the account 📌…
2
0
23
@xb0g0
bogo
5 months
Check the full finding (3 min read time). It's short & you don't need to know the codebase in order to understand it :
1
1
12
@xb0g0
bogo
5 months
My main goal here is to explain why I missed the bug and analyze the proper approach of those awesome auditors. 📌 Make sure you've read the finding first
1
0
5
@xb0g0
bogo
5 months
This is what I was thinking when going through the above code logic: 💬"Hmm, this contract uses .codehash to check if an escrow vault was already deployed for this account. Wait, what is .codehash?" Then I googled it and read the first definition I stumbled upon: - & I thought:…
1
0
9
@xb0g0
bogo
5 months
So ignorant and naive of me! I just considered everything is fine and did not doubt it for a second!
1
0
3
@xb0g0
bogo
5 months
Now let's see what the rockstar auditors did
1
0
3
@xb0g0
bogo
5 months
As you can see, there is nothing complex about the exploit, it's dead simple actually. Yet ONLY 2% found it. Let that sink in - 2% PERCENT! WHY? Because they asked the right questions and questioned everything, all the time!
1
0
8
@xb0g0
bogo
5 months
What's the moral of the story? ✅ ALWAYS DOUBT EVERY ASSUMPTION made in the code you audit ✅ KEEP ASKING QUESTIONS, until you find one that sparks your creativity ✅ BE CRITICAL and take nothing for granted, research it
3
0
24
@r0bre
r0bre
5 months
@xb0g0 recommend reading code instead of eips. e.g. look up and see in what cases 0 is returned
1
1
2
@xb0g0
bogo
5 months
@r0bre Good recommendation! Thanks!
0
0
2
@InfectedCrypto
InfectedCrypto
5 months
@xb0g0 Man, that was really interesting! Thanks for this breakdown! No wonder you will kill it soon. Was thinking of sharing my post-contest review too
1
0
4
@xb0g0
bogo
5 months
@InfectedCrypto I appreciate the motivating words🙏 Most of all I’m grateful for the opportunity to provide value for all fellow auditors🛡
0
0
2