Art Of Auditing
  • đź‘‹Preface
  • 🧙Sages
    • @lonelysloth_sec
    • @bobface16
    • @zigtur
    • @J4X_Security
    • @0xEV_om
    • @cergyk
    • @akshaysrivastv
    • @kankodu
    • @gjaldon
    • @riproprip
    • @pkqs90
    • @DadeKuma
    • @EgisSec
    • @BowTiedDravee
    • @Draiakoo
    • @windhustler
    • @santipu_
    • @winnie
    • @Guhu95
    • @_blockian
    • @neumoXX
    • @Alex the Entreprenerd
    • @bahurum
    • @__nnez
    • @0xadrii
    • @deliriusz_eth
    • @el_hajin
    • @rootedrescue
    • @merkle_bonsai
    • @n4nika_
    • @Trungore
    • @m4rio_eth
    • @iamdirky
    • @Czar102
    • @csanuragjain
    • @0xFrankCastle
    • @Al_Qa_qa
    • @Haxatron1
    • @0xMinhT
    • @0xT1MOH
    • @Said
    • @0xSorryNotSorry
    • @NonseOdion
    • @0xArzzz
    • @abarbatei
    • @tpiliposian
    • @0xjuaan
    • @MrPotatoMagic
    • @krikoeth
    • @zzykxx
    • @bauchibred
    • @00xSEV
    • @0xCiphky
    • @peak_bolt
    • @pks_
    • @Stalin_eth
    • @0xb0g0
  • 🧱THE WALL
    • đź“–WALL OF WISDOM
Powered by GitBook
  1. Sages

@lonelysloth_sec

PreviousPrefaceNext@bobface16

Last updated 4 months ago

Ranked #5 on

Words of Wisdom

🧙
@lonelysloth_sec
@immunefi
Page cover image
Cover

"Have faith that you’ll find bugs"

The number one thing you need to succeed at hunting bugs, for bounties or contests, is having faith that you’ll find bugs.

Statistically every code base will have bugs, but that’s not how it feels when you haven’t found one in a long time.

Find out what gets you excited and hopeful, and nurture it. Consistent effort beats pretty much everything else in predicting success.

Cover

"Try to learn hard things"

Try to learn hard things. Don’t limit yourself to the low-hanging fruit. If you learn something that most people don’t know you’ll find bugs most people miss. That can be a weird detail of the EVM or an entire field like ZK proofs. Keep pushing the boundaries of your knowledge, and collecting information on different things.

Cover

"Expect unexpected results"

After a certain skill level pretty much anyone could find most bugs — but how do you know what targets to focus on? And for how long?

That’s the hardest part of hunting bugs, and more art than science. You might find a gold mine of bugs and report 10 in a single week, then not find any in multiple targets for months.

That’s normal. It sucks, but is normal. Try to learn with your hits and misses but don’t stress over it — it’s always unpredictable to some extent.

Cover

"Learn to negotiate"

Bounty negotiations are hard — and often heartbreaking. Don’t just let projects lowball your bounties, but also keep your focus on the next one. Don’t let the anxiety of the process take your time and energy away from your bug hunting.

Cover

"Know everything about your target"

I like to start with code, others focus first on documentation: use both resources extensively. But that is still just the basics, you should go the extra mile.

Pro tip: watch the target’s GitHub activity.