How to become the #1 Auditor in Web3

Patrick Collins

8 Jan 202308:11

Summary

TLDRIn this insightful interview, Trust90, a top earner in Code Arena's security audits, shares his strategies for identifying vulnerabilities in smart contracts. He emphasizes the importance of understanding the fundamentals of EVM, Solidity, and DeFi protocols before delving into code analysis. Trust90 advocates a top-down approach, starting with the project's architecture and external interactions, then focusing on novel code and developer assumptions. He also discusses the significance of using the right tools like Remix, Hardhat, and Foundry for testing and debugging. Trust90's approach has led to significant earnings and a top spot in the leaderboard, inspiring others to compete in Code Arena.

Takeaways

🏆 Trust90 has been a top earner four times in a row on Code Arena, securing the number one spot in the leaderboard and earning over $67,000 in the past 90 days.
💡 Success in security audits relies on a strong foundational understanding of the technology, including EVM, Solidity, smart contracts, and the protocols involved.
📚 Trust90 emphasizes the importance of learning financial concepts and DeFi protocols, as understanding the underlying banking system is crucial for auditing.
🔎 The first step in auditing a project is to understand the architecture and external surface of the protocol, which involves a top-down approach and reading all documentation.
🚫 Trust90 advises focusing on the in-scope code for Code Arena and other security audits, as out-of-scope vulnerabilities will not be rewarded.
🔍 He suggests filtering out trivial issues and concentrating on more complex, novel aspects of the project, as well as changes made from the original or forked projects.
🤔 Trust90 believes that finding bugs requires identifying gaps in developers' understanding and assumptions that are not definitively true.
👀 He recommends looking for common mistakes like re-entrancy and precision loss errors, which are often overlooked but frequently occur.
📝 Trust90's process involves going over the entire contract, understanding dependencies, and how different contracts interact, which can introduce risks.
🛠️ The tools of the trade include a setup with Windows and Ubuntu WSL for running tests, using Remix for tracing, and Tenderly for debugging specific transactions.
📝 Trust90 also highlights the importance of using the existing test suite provided by each project in Code Arena contests to validate findings and reduce preparation time.
📢 Trust90 can be found on Twitter, Discord channels, and his website, offering a direct line of communication for those interested in his approach to security auditing.

Q & A

Who is Trust_90 and what is their achievement in the field of security audits?
-Trust_90 is a top earner in security audits on Code for Arena, having secured the number one spot in the leaderboard for the past 90 days, earning over $67,000. They have also won around $110-115k in other contests, demonstrating their expertise in finding vulnerabilities in smart contracts.
What is the significance of Code for Arena in the context of security audits?
-Code for Arena is a platform where code is opened up to independent researchers to compete in finding vulnerabilities. It offers an alternative to traditional code audits by incentivizing researchers to discover the most novel vulnerabilities, with rewards for those who find the most critical issues.
What is the first step Trust_90 suggests in understanding security concepts?
-Trust_90 suggests that the first step is to understand the fundamentals, including the basics of EVM, Solidity, smart contracts, as well as the protocols and financial concepts that underpin the projects being audited.
How does Trust_90 approach the process of auditing a project on Code for Arena?
-Trust_90 takes a top-down approach, starting with understanding the architecture of the protocol and its external surface, reading all the documentation, and then focusing on the in-scope code to identify potential vulnerabilities.
What is the importance of understanding the scope in a security audit?
-Understanding the scope is crucial because it defines what areas of the code are eligible for review and reward. Submitting findings for out-of-scope areas will not result in payment, so it's important to focus on the areas that are relevant to the audit.
What strategies does Trust_90 use to identify novel vulnerabilities in smart contracts?
-Trust_90 focuses on new or novel code in each project, questioning any changes made from a forked project, and looking for assumptions made by developers that may not hold true. They also pay attention to common mistakes like re-entrancy and precision loss errors.
How does Trust_90 ensure a comprehensive review of the smart contract code?
-Trust_90 goes over the entire contract at least once to understand what it should and does do. They may also document the number of passes they do per contract to increase confidence in their findings.
What tools does Trust_90 use for their security audits?
-Trust_90 uses a setup with a Windows machine and an Ubuntu WSL for running Hardhat and Foundry tests. They also use Remix for tracing and checking different tests quickly, and Tenderly for debugging specific transactions and deploying contracts.
Why is it important to use the existing test suite provided by each project in Code for Arena contests?
-Using the existing test suite cuts down on preparation time and helps validate findings with the developers' own tests, making it easier for them to understand and confirm the issues identified.
How can people get in touch with Trust_90 to learn more about their process or collaborate?
-People can find Trust_90 on Twitter at @trust_for_90, in the C4 Discord Channel, on the Unified channel, or visit their website at distrust.com.
What is the key takeaway from Trust_90's approach to finding bugs in smart contracts?
-The key takeaway is the importance of a deep understanding of the protocol's logic and the developers' thought process. Trust_90 emphasizes that bugs often stem from gaps in developers' understanding, which can be identified through a thorough review of the code and its intended functionality.