Beginning of my journey
Hey, I started learning Solidity in December 2022, just because I wanted to learn something new. I had been a full-stack JS developer for about 6 years at the time. CryptoZombies helped me a lot, and I also read How to DeFi because I had zero knowledge about the crypto world back then. I think it's a great book for beginners. I did a few Ethernaut challenges because they were linked from CryptoZombies, but I almost always looked at the answers.
At the beginning of March 2023, I didn't know much about auditing. I stumbled upon an Andy Li interview with Pashov where they suggested just starting to audit and learning along the way. Alright, I'll give it a try, I thought, and decided to go all in for a few months. Now I already know that it can be a stable income for me, and I enjoy it much more than JS development. Here are my results from Code4rena and Sherlock for that period. All of these contests ran between 5 March and 30 May 2023.
| Contest | Payout | High, Medium | nSLOC |
| --- | --- | --- | --- |
| Aragon Protocol | $53.96 (gas report) | 0 | |
| Wenwin | $81.41 (gas report) | 0 | |
| Neo Tokyo | $19.30 (gas report) | 0 | |
| Y2K | $255.64 | 1, 2 | ~1519 |
| Canto Identity | $1,992.82 | 1, 1 | 687 |
| Asymmetry | $37.07 | 0, 2 | 653 |
| Rubicon | $179.48 | 0, 4 | 1500 |
| Frankencoin | $22.67 | 0, 1 | 900 |
| EigenLayer | $12,193.66 | 2, 0 | 1560 |
| Ajna | $606.99 | 1, 0 | 1191 |
| Venus | $6,690.03 | 1, 4 (first solo) | 3069 |
| Index | $4,190.16 (preliminary) | ?, ? | 4225 |
Aragon Protocol, Wenwin, Neo Tokyo ~150$
Just like Andy and Pashov recommended, I started with gas reports. I opened the 2-3 best gas reports from previous contests and started looking for the same patterns, googling what half of them meant along the way. It took me a whole day to write a gas report for each contest, and it turned out to be quite successful, with two grade B and one grade A (the highest possible). I was quite happy with ~$150, since some people were messaging in the chats that their gas reports had not been accepted. In parallel, I was reading reports from previous contests just to get to know what to look for in the next audit.
Y2K ~255$
Probably the first codebase that I really tried to understand. My first medium and high, hooray! I was able to read other people's submissions because Sherlock lets you do that without a backstage role, unlike Code4rena. I didn't understand much from the other submissions, though.
Canto Identity ~ 2000$
I literally found a high by running the initial tests in the contest. First I looked at the NFT's SVG, and then I found discrepancies in the tests. That led to the finding: users will be able to purchase fewer NFTs than the project had anticipated. I got a medium there as well. In the morning after seeing the result I was happy the whole day, and even called my sister to tell her I had made $1,992.82 in two days. That's insane!
Asymmetry, Rubicon, Frankencoin ~250$
There were other contests without results. In all of those, I didn't spend enough time on any single one. I was just jumping from one contest to another without understanding them, spending a day or two on each, and moving on. I should have followed the advice from top auditors and just stuck to one contest for its whole duration. That's what I did a little later. I wasn't productive at that time. I tried to read past reports in parallel.
EigenLayer ~12200$
With every project so far, I've started with the question of what the protocol even does, googling every word in the contest description. Here I learned a lot about Ethereum staking. I spent all the time the contest was open on it, and found two out of two highs. I cannot even describe how happy I was that day. I was a bit disappointed later that my report was not chosen as the best for a high that only 3 people found, because the +30% for that went to another person and put him in first place while I took second. I should have written a better report! I learned a lot about beacon chain staking and that ecosystem thanks to this contest! In the end, there were 2 highs and 1 medium. The findings are not public yet, so I cannot give many details.
Ajna ~600$
Unfortunately, I didn't spend much time on this one. Still, I got a nice payout for one medium.
Venus ~6700$
Finally, just like cmichel said in his article: you have to know Compound, as it is the basis for all decentralized peer-to-peer lending protocols. You should know it because a lot of DeFi primitives interact with lending protocols in some way. I spent a lot of time reading Compound's awesome docs, and I hope I understood the basics from them. I really enjoyed trying to find bugs in Venus. Found 4 mediums and 1 high. Pretty happy with the results. Took third place!
Index ~4200$(Preliminary)
I learned a little bit about how the Set token and its modules work. The project uses Aave v3. So, how did I get almost all of my findings for this contest? By just typing "aave v3" into Solodit and reading a few reports. One from Spearbit helped a lot. The result is still preliminary, so it might change in the future; I hope it won't deviate much. I also got around $700 for judging on Sherlock, where you literally get paid for reviewing top auditors' submissions, which is kinda random if you are a beginner.
Conclusion
With those results, I made ~$22,000 in May. That's insane! They got me ranked #1 on the 60-day Code4rena leaderboard and #2 on the 90-day leaderboard. I hope that someone will see that it is profitable and fun to become a web3 security researcher and give it a shot. Even if you are just starting out, you can get $50 for a gas report in one day and learn all the other aspects of web3 security along the way. It's really fun! I'm really enjoying this space.
Currently available for projects, dm me on Twitter 0xVolodya.