> For the complete documentation index, see [llms.txt](https://web3-sec.gitbook.io/art-of-auditing/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://web3-sec.gitbook.io/art-of-auditing/audit-sages/merkle_bonsai.md).

# @merkle\_bonsai

### <picture><source srcset="/files/yHQJGsnTKXGol7dGBFIz" media="(prefers-color-scheme: dark)"><img src="/files/iTZa4ulJWBKYtwk4Thdr" alt="" data-size="line"></picture>[ @merkle\_bonsai](https://x.com/merkle_bonsai)&#x20;

<div align="left"><figure><img src="/files/JjoIpebs2GErKAIEffsD" alt="" width="100"><figcaption></figcaption></figure></div>

## Words of Wisdom

***

<table data-card-size="large" data-view="cards" data-full-width="false"><thead><tr><th align="center"></th><th></th><th data-hidden data-card-cover data-type="files"></th><th data-hidden data-card-target data-type="content-ref"></th></tr></thead><tbody><tr><td align="center"><h3>"web3 is a world of white box testing<strong>"</strong></h3></td><td>This changes a lot - not only about the approach to searching things, but also about what can be considered a vulnerability.<br><br>For HTTP API you will need to prove that you can access admin dashboard. In web3, you need to explicitly show what you can do when you are this admin - because if worst thing you can do is start a proposal without paying fees, it will not be a high impact bug.<br><br>White box gives observability, and simulation gives ability to prove things - and this means that meaning of “bug” changes from “something risky” to “something really harmful”</td><td><a href="/files/gIxUcxUyUuUwzbJFmp9Z">/files/gIxUcxUyUuUwzbJFmp9Z</a></td><td></td></tr><tr><td align="center"><h3>"Stop following the known path<strong>"</strong></h3></td><td><p>There is a certain moment when you should stop following the known path. </p><p>“Hacking” is about thinking differently, looking from different perspective - at least not thinking like the developer of this contract, at most thinking not like anyone else at all. </p><p></p><p>This does not mean you should not study findings of others or read new things - but you should grow your own unique approach.</p><p></p><p>Try different ideas, mix them, combine, experiment with new things. Only way to find something everyone else didn’t notice is look at it like no one else did before</p></td><td><a href="/files/IBOSGmPKcZ74Z1gnOIKK">/files/IBOSGmPKcZ74Z1gnOIKK</a></td><td></td></tr><tr><td align="center"><h3>"Do not limit yourself<strong>"</strong></h3></td><td><p>Do not limit yourself with severity or specific area. </p><p></p><p>Sometimes it is <strong>easier</strong> to find a crit than low. </p><p></p><p>Just don’t limit yourself</p></td><td><a href="/files/3aksLf83uVhuvtJyGSTj">/files/3aksLf83uVhuvtJyGSTj</a></td><td></td></tr></tbody></table>
