# @merkle\_bonsai

### <picture><source srcset="/files/yHQJGsnTKXGol7dGBFIz" media="(prefers-color-scheme: dark)"><img src="/files/iTZa4ulJWBKYtwk4Thdr" alt="" data-size="line"></picture>[ @merkle\_bonsai](https://x.com/merkle_bonsai)

<div align="left"><figure><img src="/files/JjoIpebs2GErKAIEffsD" alt="" width="100"><figcaption></figcaption></figure></div>

## Words of Wisdom

***

<table data-card-size="large" data-view="cards" data-full-width="false"><thead><tr><th align="center"></th><th></th><th data-hidden data-card-cover data-type="files"></th><th data-hidden data-card-target data-type="content-ref"></th></tr></thead><tbody><tr><td align="center"><h3>"web3 is a world of white box testing<strong>"</strong></h3></td><td>This changes a lot - not only about the approach to searching things, but also about what can be considered a vulnerability.<br><br>For an HTTP API you will need to prove that you can access the admin dashboard. In web3, you need to explicitly show what you can do when you are this admin - because if the worst thing you can do is start a proposal without paying fees, it will not be a high impact bug.<br><br>White box gives observability, and simulation gives the ability to prove things - and this means that the meaning of “bug” changes from “something risky” to “something really harmful”</td><td><a href="/files/gIxUcxUyUuUwzbJFmp9Z">/files/gIxUcxUyUuUwzbJFmp9Z</a></td><td></td></tr><tr><td align="center"><h3>"Stop following the known path<strong>"</strong></h3></td><td><p>There is a certain moment when you should stop following the known path. </p><p>“Hacking” is about thinking differently, looking from a different perspective - at least not thinking like the developer of this contract, at most thinking not like anyone else at all. </p><p></p><p>This does not mean you should not study the findings of others or read new things - but you should grow your own unique approach.</p><p></p><p>Try different ideas, mix them, combine, experiment with new things. The only way to find something everyone else didn’t notice is to look at it like no one else did before</p></td><td><a href="/files/IBOSGmPKcZ74Z1gnOIKK">/files/IBOSGmPKcZ74Z1gnOIKK</a></td><td></td></tr><tr><td align="center"><h3>"Do not limit yourself<strong>"</strong></h3></td><td><p>Do not limit yourself with severity or a specific area.</p><p></p><p>Sometimes it is <strong>easier</strong> to find a crit than a low. </p><p></p><p>Just don’t limit yourself</p></td><td><a href="/files/3aksLf83uVhuvtJyGSTj">/files/3aksLf83uVhuvtJyGSTj</a></td><td></td></tr></tbody></table>

