@krikoeth
Last updated
It’s better to do less work at 100% than double the work at 50%. My belief is that if you do a 100% job, you get a 100% result.
But if you do a 50% job, you get a 25% result. You work with code every day, you use your brain to uncover sophisticated attacks. You need 100% focus. You need good sleep, a good diet and a lot of energy. Take a break sometimes, work out / walk daily, go on a hike.
This applies especially to audit contests. You work your ass off on an audit just to find out that you made a few cents in the end. That is the best thing that can happen to you!
First, you can learn from the findings you did not find and make sure that you will never miss those again.
Second, you can retrospect on your process and see what should be improved, maybe based on the reasons why you missed some findings.
Third, this should make you want to compete more and more fiercely with the new knowledge to beat everyone the next time.
My biggest achievements started when I changed my approach after I realised I had not reported vulnerabilities worth ~$40k that I saw during the competitions :)
There is some good in financial success that might be a good driver forward; that’s why you should hunt in blue oceans - focus where the least focus is to maximise your profit.
Why compete with thousands when you can compete with tens? :) Competing does not necessarily mean audit competitions; businesses are competing for customers, etc.
This means that "audit", to me, signals some guy in a suit checking if something is correct. You are not a unit test, you should not check if it is working correctly.
You should check how to exploit it for your financial gain! Or how to exploit it to hurt the users, or the protocol itself. You are the attacker!
Of course, you are the good guy, so once you uncover the bug, you responsibly report it :)
I changed my process several times, in the beginning after almost every audit, until I found what suits me the best.
The key insights from my process are: analyse what you are doing (drawings, use case diagrams, flow charts, state machines), identify attack vectors and create threat models, and then just break the code.