
Episode 19 - 0xe4669da [SPECIAL n00b EDITION]

bountyhunt3rz: life on the blockchain

riptide & 0xe4669da discuss the challenges of breaking into bug hunting, mistakes he made when getting started, when to change your approach when it's not working, why you need to fully understand Solidity inside and out, how focusing on your objective will lead to deeper bug discoveries, a LayerZero alpha drop from our guest, and much, much more ...

Transcript

Episode Introduction and Sponsor Shoutouts

00:00:06
riptide
Life on the blockchain, what's up? We are back with another episode of Bounty Hunters. I am your humble host, Riptide. We have an interesting guest on today, a little different, but the audience demanded it.
00:00:20
riptide
Before we kick off, give a shout out to our sponsor, Recon. Getrecon.xyz slash Riptide. Get yourself some invariant testing going on. Do it. You get five grand off as a first-time customer for them to do an invariant testing engagement with you.
00:00:37
riptide
So fuzz straight from your GitHub. These guys work with all the big projects. Alex is an LSR, knows his shit. They have a free Solidity extension, a VS Code extension, to basically play with their features right from your computer. So it's pretty awesome what he's doing. Give it a shout.
00:00:55
riptide
Go check it out. Getrecon.xyz forward slash Riptide. Also sponsored by rareskills.io forward slash Riptide. Get yourself 10% off on some learning.
00:01:09
riptide
Learn some Solidity, ZK, Rust, Uniswap, and they're launching of course on SirCom as well. So go get a bootcamp, go see what's up, and it'll help out the podcast.

Meet the Guest: Vic's Journey from Finance to Blockchain

00:01:20
riptide
Okay, so our guest today, I guarantee you've never heard of him, but my man Vic is in the house here, also known as 0xe4669da. Welcome, sir.
00:01:26
0xe4669da
Yeah.
00:01:36
0xe4669da
Thank you so much. Really nice intro there. Welcome. Like, life on the blockchain and all.
00:01:40
riptide
All right. That's right.
00:01:43
0xe4669da
I really like it.
00:01:45
riptide
Well, thank you, sir. So Mr. Vic here, he is, this is our new podcast. So there was a lot of demand, an overwhelming demand on the poll, to have someone who's new to the space, new to the bounty hunting space, and is trying to get that big win.
00:02:03
riptide
And so I heard Vic's backstory and wanted to have him on. So tell us, give us a little background here. What's going on? How'd you get started?
00:02:15
riptide
And kind of where are you at now? And what have you done so far?
00:02:20
0xe4669da
Okay, so basically my story is really like, what should I say? I was a finance guy, approximately eight or nine years back. I did professional accountancy. I don't know if you have heard about ACC or something. I'm a professional accountant.
00:02:38
0xe4669da
I spent almost six to seven years in the core corporate finance sector, in traditional finance. I was basically a financial analyst serving different companies.
00:02:52
0xe4669da
Then I got sick of that nine to five grind and just going daily to the office at nine o'clock like robots and all. So I just switched to IT in 2018, just six months or seven months or maybe one year before the coronavirus hit the world.
00:03:10
0xe4669da
Then I started full stack web development, did spend some time on Upwork doing full-stack blockchain development there as a freelancer, did some PHP projects. I'm actually self-taught, because I was not a computer science student at all, but I had always had an interest in programming, because when I was in finance I used to do coding to build financial models, you know, the Excel automation using VBA and all. So when I heard about blockchain, I said, OK, this is something that actually attracts me more, because I was a finance guy and there's something like DeFi when I heard about it.
00:03:42
riptide
Mm-hmm.
00:03:53
0xe4669da
So I did a certification from an Indian institute online, a full stack blockchain development course. Like, I learned the technology.
00:04:03
0xe4669da
My teacher was really great.
00:04:06
riptide
Let me pause you just real quick. So I'm curious. Can you just disclose where you're from? What country?
00:04:13
0xe4669da
I'm actually from Pakistan.
00:04:15
riptide
Pakistan. Okay. Why, got to ask, why did you feel like you had to complete a certification? Is it because of all the resources, and I just want to know, you know, if it's good or bad, it's up to you, but there's all these resources.
00:04:31
riptide
Is that a cultural thing where it's like, look, I have the certification, this and that? Did you just feel like this, to you, made you competent in the field, or why pursue the certification through a course rather than just kind of learning as much as you can?
00:04:51
0xe4669da
Yeah, back in 2022, at that time, there were two things. First, that you say that I got the certification, I'm competent enough, just to show the employers. But second, like
00:05:01
riptide
So you wanted a job, you were trying to get a job with an

Vic's Early Blockchain Experiences and Challenges

00:05:04
riptide
employer.
00:05:04
0xe4669da
Yeah, exactly.
00:05:05
riptide
Okay.
00:05:06
0xe4669da
Yeah, at that time, I was 101%, because at that time I was also working in a local software house as a MERN stack developer, full-stack developer, right? So I needed a more guided way.
00:05:18
0xe4669da
At that time, there was no Cyfrin Updraft in 2022. Right. So I needed a guided pathway so that I can actually complete this whole journey as quickly as possible and become a value-adding resource for some company.
00:05:36
0xe4669da
That's how I opted for the certification.
00:05:39
riptide
Okay, now it makes sense. Okay.
00:05:42
0xe4669da
Alright, so right after completing the certification, I saw some posts by Johnny Time on LinkedIn and Twitter.
00:05:53
0xe4669da
So I talked to him and I told him that I want to join his course, you know, that smart contract hacking course or something. So I actually, I don't know why, at that time, because there was so much hype on Twitter, at least from the connections that I followed,
00:06:13
0xe4669da
I was having all those feeds. So I also went for certification there, and I think it helped me. Again, I wanted a more guided path to just go and hit straight to the target. That's it.
00:06:31
0xe4669da
Although I was self-taught, I have learned every technology by myself. OK, so even in the certification, they covered the whole slavery. They gave me the overall understanding of how the ecosystem works, how the technology works, which protocols are built, what are the use cases of DeFi and all.
00:06:48
0xe4669da
Just flavors. Apart from that, to learn anything in depth, for example Uniswap v3, how Uniswap works, what is an AMM, how a lending-borrowing protocol works. A lot of things were actually familiar to me because my background was from finance, but I still went for the certification. I completed that certification. I started participating.
00:07:10
0xe4669da
I officially, like 100%, started participating in public audit contests. My first contest was, I think, Spectra on Code4rena, back then in March.
00:07:20
riptide
Okay. Okay.
00:07:27
0xe4669da
Yes, first month was
00:07:28
riptide
Okay, okay.
00:07:30
0xe4669da
Since then, I competed in many contests. I made a lot of mistakes there. I think this is the point which a lot of beginners, because I regularly listen to your podcast.
00:07:43
0xe4669da
All right. So there are a lot of beginners who actually listen to this podcast. The mistakes that I made, I think these are the most common and most easy to make mistakes that bite any beginner who is really aggressive,
00:07:59
riptide
Are you, wait, are you saying big nerd?
00:08:03
0xe4669da
Sorry?
00:08:03
riptide
Did you say big nerd?
00:08:05
0xe4669da
No, no, no.
00:08:06
riptide
we
00:08:07
0xe4669da
I didn't say nerd.
00:08:08
riptide
What did you say?
00:08:11
0xe4669da
Big mistake, I said.
00:08:13
riptide
No, no, no. Before that, you said there's a lot of big nerds who listen to this podcast.
00:08:17
0xe4669da
I said big nerds, big nerds.
00:08:17
riptide
Or did I... Big nerds.
00:08:20
0xe4669da
Yeah. Sorry.
00:08:21
riptide
You're absolutely right.
00:08:22
0xe4669da
I said there are a lot of big neds not big nerds.
00:08:27
riptide
Okay, okay. Wait, big nerds? Spell this. I'm confused.
00:08:32
0xe4669da
B-E-G-I-double N-E-R-S, beginners, newbies.
00:08:35
riptide
Oh, beginners. Okay,

Financial Struggles and Full-time Bug Hunting

00:08:37
riptide
sorry.
00:08:37
0xe4669da
Yeah. Beginners.
00:08:38
riptide
I thought you were like, it's a lot of big nerds.
00:08:38
0xe4669da
Newbies like me.
00:08:41
riptide
I like big nerds, man. All right.
00:08:46
0xe4669da
Beginners.
00:08:46
riptide
All right, all right. All right, sorry.
00:08:48
0xe4669da
Yeah, yeah.
00:08:48
riptide
Okay, go ahead. All right, you think you made some major mistakes.
00:08:52
0xe4669da
Yeah. Yeah. Definitely. But then I learned like, yeah, the biggest mistake is this.
00:08:54
riptide
Like what? What kind of mistakes are you making?
00:09:01
0xe4669da
Sleeping on the docs, on the documentation, trying to read each and every piece of information that is actually listed on the contest page, trying to just go through it, take notes, do highlighting and do useless stuff there.
00:09:16
0xe4669da
I did that initially.
00:09:19
riptide
Okay.
00:09:20
0xe4669da
Even though I had 11 today on my portfolio, I have, uh, um, I competed in autonomous color dollar or, um,
00:09:20
riptide
Okay.
00:09:30
0xe4669da
a lot of audits actually, but I have 11 confirmed bugs, including four high severity bugs, right.
00:09:36
0xe4669da
So, but eventually, what is my auditing strategy right now, I'll also share this with you, and using that strategy I can feel some improvement there, right? So basically I started public audit contests in 2023, in 2024 March, as I was saying, I started participating in contests back to back, trying to read the past reports using Solodit, right? And initially I was not succeeding at all. Okay. So my first report got the comments from the judge. He said the report talks nonsense.
00:09:36
riptide
Okay.
00:10:16
0xe4669da
I said, okay, this is my first report. No problem. Then I just participated in another contest, and another one, another one, another one. Finally, my first earning was $700 on the CodeHawks Zaros Part 1 competition.
00:10:32
0xe4669da
It did motivate me a bit. Then I said, OK, I must go on. One important point I must tell you here is that from the very month that I started participating in public audit contests, I quit my job.
00:10:51
0xe4669da
Okay, I had some savings, and I thought, okay, if I have enough funds for my one-year expenses, I can actually perform something there.
00:11:04
riptide
Mm-hmm. Okay.
00:11:05
0xe4669da
I actually wanted to go for bug hunting. Actually, I think bug hunting is something that is of my type. I actually wanted to go for bug hunting, but eventually, just for immediate cash inflow, you can say, I went for audit contests, right?
00:11:22
riptide
All right, all right. So let me ask something here. So you had, I just pulled up the link you sent me, it shows around 774 bucks total earnings, something around there, for your audit competition bugs, right? Your contests.
00:11:38
0xe4669da
Yeah, it's exactly like, I mean, I think it's near to 1200 overall, but that audit portfolio is not including one low finding.
00:11:45
riptide
Okay, cool, cool.
00:11:52
riptide
Uh-huh.
00:11:52
0xe4669da
It is actually, yes, because Sherlock only shows highs and mediums on profiles. For one low, I got 400 bucks.
00:11:54
riptide
All right. All right. All right.
00:11:59
riptide
All right. And in Pakistan, what's like the monthly living expense?
00:12:08
0xe4669da
You can do really good in, I think, 700 bucks.
00:12:12
riptide
700 bucks a month for everything, for rent, for food, for everything.
00:12:13
0xe4669da
Yes, yeah, you can. Everything, everything, everything.
00:12:18
riptide
Okay. All right.
00:12:19
0xe4669da
Great.

Evolving Auditing Techniques and Time Management

00:12:20
riptide
All right. That's pretty good. Okay. So you have a year of runway saved up and you hit some of these competitions. You're like, hey, look, I can do it. You got that dopamine hit.
00:12:32
riptide
You said, look, I got paid for reading some code and just pointing out some flaws.
00:12:35
0xe4669da
Mm-hmm.
00:12:36
riptide
You're like, yo, I could do this. I'm quitting. Fuck you, employer. I'm out. And now you're saying, I'm going to do bounties instead of contests. Am I right?
00:12:49
0xe4669da
Exactly. My eventual target is bug hunting, because it's of my type. I do enjoy it more. But there is a story behind it. OK, so my savings, I thought my savings could last up to like one year. OK, but it happened to be, I just made a proper financial plan.
00:13:07
0xe4669da
Because I'm married, I discussed this with my wife and asked her to just, we'll just cut out some extra things in our budget and all.
00:13:09
riptide
Mm hmm.
00:13:16
0xe4669da
Because I was making good money, and because in 2024 February or January, when I left my job, I was acting as a lead blockchain dev, right?
00:13:30
0xe4669da
So I was making good money, but my wife said, okay, go ahead, you can do it. So what did I do is I just quit, and that saving actually lasted for 1.5 years. All right, I was still struggling with contests. I was struggling. Another mistake that I made is that, what I do is, I said, okay, let's go for 100% code coverage first to understand the protocol, each and every line of code, each and every logic of the protocol. Okay, so what I did
00:13:42
riptide
Okay. Mm-hmm.
00:14:05
0xe4669da
Apart from code only, I started to dive deep into deployment scripts to see which values are actually initialized for every smart contract.
00:14:12
riptide
Mm-hmm.
00:14:14
0xe4669da
I started to pay more attention to the configuration, initial configurations, initializations, the existing test setup and all. And I don't know why it took me so long.
00:14:28
0xe4669da
Too late, okay, to understand what I'm actually doing wrong. But I was actually doing it back to back, the same mistake, I was going this way. And what was the result is that more than 80% of the time was spent in just understanding the setup, the code, the logic and the deployment.
00:14:46
0xe4669da
So I only get hardly 20% to 25% of the time to break that code.
00:14:53
riptide
And how much time are we talking about that you spent on, let's, you're talking about a bounty project that you looked at, right?
00:14:53
0xe4669da
Only this is the reason
00:15:03
0xe4669da
Yeah, exactly. For example, there is an audit contest of 15 days. Okay. It starts on the 1st and ends on the 15th.
00:15:09
riptide
Okay, okay.
00:15:12
0xe4669da
So, approximately 11 to 12 days I used to spend on understanding the docs, each and every word, going deep into the code, not from the perspective of breaking the logic.
00:15:24
0xe4669da
I do not think of any attack vector or some attack knob or something. No, I just understand the protocol from top to bottom, and then all the test cases, so that I can apply mutation testing. But I was not even able to do that. Only when I adopted this methodology I was able to spot these 11 bugs, but now I have actually changed my overall method. One more thing I want to tell you here is that, if you remember, I asked you that
00:15:56
0xe4669da
Sorry, I'm going for bug hunting, all right, full-time bug hunting. I started with LayerZero, Stargate Finance, I don't know if
00:16:03
riptide
Right. Very, very easy targets.
00:16:06
0xe4669da
Those were not easy targets, but I was pretty much confident that I can actually find something in it. All right, so still I know one problem there. Still I know, I'll just tell that, if you, I don't know if you think that I can give some alpha here, and according to my experience, I have something.
00:16:26
riptide
Go ahead. The noob alpha drop. I want to hear the noob alpha drop on two heavily audited protocols with massive bounties. All right. This should be good, man. I want to hear some juicy alpha.
00:16:40
0xe4669da
Yeah, yeah, exactly. So basically I went for bug hunting, and just when my savings were completely exhausted, I had just two and a half months, maybe two months.
00:16:53
0xe4669da
Then I thought, and then I sat in my office. Basically, my office is separate from my home. It's a complete professionally set up office. I just sat here and just thought, what should I do? Like, I'm getting exhausted.
00:17:08
0xe4669da
I have one very easy option, which is to go back to a job at a local software house. Maybe next week if I just tell them I'm available, they will just hire me on the spot. But I don't want to do that.
00:17:20
0xe4669da
Okay. So as I told you, my eventual target is to be a hunter like you, obviously. So I won't opt for this option. Second option is to go back to audit contests. Right. So approximately 10 or 15 days back, I decided, OK, I need to go back to audit contests.
00:17:39
0xe4669da
OK, so I almost work 10 hours per day, 9 to 10 hours per day. So I said, okay, initial five days of my first half, I'll do audit contests.
00:17:51
0xe4669da
And in the second half, I'll do some research work. And also I'll groom my resume and start aggressive job hunting remotely. Okay.
00:18:01
0xe4669da
So internationally, like US, UK, China, UAE, whatever country, India, maybe. So today I had an interview. I had an interview at 1 am. That was a one hour interview.
00:18:19
0xe4669da
So I thought of this possible option. Contests in the first half, and job hunting and some research work to groom myself, professional development, in the second half.
00:18:30
riptide
All right, hold on, hold on.
00:18:31
0xe4669da
and
00:18:32
riptide
So just to keep us on track. So you're kind of facing some financial pressures here. And so now you're not able to devote full time to it.
00:18:38
0xe4669da
Exactly.
00:18:42
riptide
And so you're looking at anything to get some cash, and you're looking back into the dark side, working for a company to earn a salary, right?
00:18:51
0xe4669da
Yeah. Yeah.
00:18:52
riptide
Okay,

Transition from Developer to Auditor Mindset

00:18:54
riptide
all right, let me just ask a couple questions here.
00:18:54
0xe4669da
Yeah.
00:18:57
riptide
When you were doing this, you said you were a lead blockchain dev, so you were developing. Like, what were you doing? Was this for any protocols that we know? Or are you doing contract work on Solidity contracts?
00:19:13
0xe4669da
So basically I was working in a local software house and there was a large sales team and they used to hunt the jobs on different freelance platforms.
00:19:25
0xe4669da
Right. So basically one project that I think I can discuss here with you is that we actually built a complete blockchain ecosystem. I don't know if I can take the name, because that project is still live.
00:19:40
0xe4669da
We actually built a complete blockchain ecosystem. Okay, so I personally spun up a local, sorry, not local, a custom blockchain on an AWS EC2 instance and also configured some boot nodes.
00:19:54
0xe4669da
I used Geth.
00:19:54
riptide
Okay, all right, but were you coding Solidity? Were you deploying contracts?
00:20:00
0xe4669da
Yeah, exactly. I deployed for that. I wrote the smart contract for Web3 domains for that project.
00:20:07
riptide
Okay, so I'm just trying to think about what the gap is here.
00:20:08
0xe4669da
Right? It wasn't complete.
00:20:12
riptide
So, like, you have knowledge of Solidity, right? You know the language.
00:20:17
0xe4669da
Exactly.
00:20:18
riptide
Okay, you can write a contract.
00:20:18
0xe4669da
Yep. Mm-hmm.
00:20:21
riptide
I mean, there's different ways to kind of look at this. Like, you can know Solidity, but do you know all the gotchas, all the pitfalls?
00:20:31
riptide
And then how do you think about it when you're looking at a contract? Another thing you highlighted was like you're doing an audit competition, two weeks, and you spent, did you say about 12 days just going over the structure and the docs, is that right?
00:20:48
0xe4669da
Yeah, this is the actual problem with me. I had that developer mindset in my brain.
00:20:55
riptide
Which is what? What do you think that is?
00:20:57
0xe4669da
Yeah, basically the mindset of the developer, like when I was a developer, for example, I am building some functionality into a smart contract.
00:20:58
riptide
The developer mindset.
00:21:06
0xe4669da
I did a functionality, I write the test. I did a functionality, write the test. I did the functionality and write a test.
00:21:10
riptide
Mm-hmm.
00:21:11
0xe4669da
Okay. So I did this practice for maybe two to three years, maybe two to two and a half years I was doing the same.
00:21:24
0xe4669da
Alright, so when I jumped to auditing, I think somewhere in my mind, unconsciously or something, I don't know why, I was always attracted more towards the test suites.
00:21:37
0xe4669da
What the developer was thinking, how did he design the test suites and all, you know, and this is why my success rate was really great.
00:21:41
riptide
Mm-hmm. Mm-hmm. Mm-hmm.
00:21:45
0xe4669da
Like, for example, if I submit, as I told you I got really little time in the end, but whenever I submit maybe three bugs, two of them were verified. Okay, so a lot of times, the majority of the times, I was not able to submit any. Okay, but when I submitted, the majority of them were actually verified.
00:22:08
riptide
Okay, so a few things. Yeah, obviously you're spending way too much time looking at, if it takes you 90% of the time allotted for a competition and you're still understanding the, and I don't know, you said you're doing 10 hours a day?
00:22:26
0xe4669da
Yep, six hours a day purely staring at the code, focus sessions for six hours, just a five minutes walk in between. Okay, and then another three to four hours just reading past incidents, past reports, scrolling Twitter, listening to podcasts.
00:22:44
riptide
All right, all right. I think that's one of the big problems. I think you noted that too. It's just, and everyone's got a different method, right? I'll just contrast that to how I would approach that. The first thing I would do is open up the code base and not look at the docs.
00:23:04
riptide
And just from kind of muscle memory, see if I identify any commonalities, or do I even know what the protocol does just by looking at the code? That's how I would dive in.
00:23:14
0xe4669da
Yeah.
00:23:16
riptide
The docs are going to be verbose and sometimes they're helpful. Sometimes I don't even bother. And everyone's got a different method, right? I think they're good to refer to, but I can't say I've spent...
00:23:31
riptide
too much time reading the docs on a project. I think obviously the code is more important.
00:23:36
0xe4669da
Yeah.
00:23:36
riptide
Sometimes I remove the comments. I know other guys do that as well. Just so you're looking at the flow and the logic and the code. But you don't really have to know the purpose or the functionality of a project
00:23:48
riptide
to comb the high level bugs, right? So that should be, I think, number one. I mean, you should do maybe some static analysis, run Slither, just go over the code at a high level, go poke in all the contracts and just say, what does this do? Is there high level stuff that's obvious?
00:24:06
riptide
Like, you know, are they not checking for duplicates on an array, or are there modifiers missing? Just really high level stuff, and just say, are there any easy bugs out there?
00:24:17
0xe4669da
Yeah.
00:24:17
riptide
And then if there's not, say, okay, well, let's go a little deeper.
00:24:17
0xe4669da
Yeah.
00:24:21
riptide
And obviously that's when it gets more fun and you need to understand the project a bit more. But I would then go, well, I'll pick one contract that looks interesting.
00:24:32
riptide
Maybe like, because I think you have to have that interest in whatever you're looking at. Maybe there's one called staking.
00:24:38
0xe4669da
Yeah.
00:24:42
riptide
Okay, cool.
00:24:42
0xe4669da
Yeah.
00:24:43
riptide
Staking. All right. How does their staking system work? And just start going through it and just stick on maybe that contract. Does that interact with a library or something like that?
00:24:55
riptide
And just kind of, you know, pick a flow to start with and then try to trace that down to the end, where I try to look at every method to exploit that functionality.
00:25:10
riptide
So instead of saying, if it's a complex protocol that does staking, that does vesting, that's a DEX, it's an AMM, all these things, just say it has staking functionality. I wonder if, and maybe write a few questions: I wonder if I can stake with no time lock allowed, or can I stake from another account, or can I unstake before I could stake? Just kind of write some questions, but just focus on one piece of the protocol's functionality, because a lot of it might not directly have control or influence over certain funds that could be impactful. So like
00:25:49
riptide
I think number one, people would go to vaults because, all right, the money's here, but everything that interacts with the vaults would also be a primary target. And
00:25:58
0xe4669da
Yes. Mm-hmm.
00:25:59
riptide
certain things might not be looked at by auditors as intensely as the main targets like a vault. So it could be like a governance contract or staking or vesting or, honestly, like, you just never know, right? But I would trace off one pathway, instead of, like what you kind of did, whereas like, I need to understand the whole protocol, and then you end up, you're like, fuck, I have two days left.
00:26:28
riptide
Like, where do I even go from here?
00:26:31
0xe4669da
Yeah, so exactly, exactly. In two days, I think another point I want to highlight here: in the last two days, there was a lot of pressure on me that, okay, even though I was spending that much time on that protocol, I was not even able, for example, if the SLOC is maybe 2000 plus lines, okay, if it's 2k plus, if the SLOC is 2k plus, in spite of spending that much time I was not able to actually look at all the functionalities or all the logic. No, still there's something remaining. But in the end, two days, three days, four days, another thing that was killing me is that I had to submit. Okay, I had to find a bug, I had to
00:26:59
riptide
Mm-hmm.
00:27:25
0xe4669da
Less time is remaining, the clock starts ticking every day morning. I said there was a pressure, that was my mistake. As you said, sir, as you said just now, docs are verbose. Now I realize that, yes, yes, docs are too verbose sometimes, in some cases. Basically, for example, when I refer back from the code to the docs, I have to search it
00:27:29
riptide
Yeah.
00:27:33
riptide
Yeah.
00:27:51
0xe4669da
on a lot of pages. I don't know where this problem is actually documented out there. Okay, I have to scan the docs, search the docs, if it's on GitBook or on their website or something else. So yes, exactly. Now I understand.

Streamlined Protocol Analysis Methods

00:28:06
0xe4669da
Now shall I tell you my auditing methodology that I have started implementing in like the last 10 days? And that is actually, I think, working for me. Right, sir?
00:28:16
riptide
Okay.
00:28:17
0xe4669da
What I do is now...
00:28:18
riptide
Well, hold on. Are you going to drop this alpha you were talking about?
00:28:22
0xe4669da
No, no, no, no, that alpha pertains to Stargate and LayerZero, right? Yes, yes, yes, I am gonna, in that alpha drop like phase, when you say alpha drop.
00:28:26
riptide
I know. I thought you were going to drop the alpha. I'm waiting for it.
00:28:37
riptide
Okay. All right. Sounds good. All right. So tell me. So you've adjusted your method. Tell me what you're doing differently now.
00:28:44
0xe4669da
Yes, I have actually simplified it a lot. Okay, so instead of paying attention to the useless stuff that I was doing, I actually made it really simple.
00:28:59
0xe4669da
Initial steps are exactly 100% as you said, literally. So first of all, I said, okay, just get an idea what the protocol is about. If it's staking, farming, governance, lending, borrowing, NFT marketplace, what is it?
00:29:15
0xe4669da
What value is it trying to deliver? Simple as that. Just reading the intro, maybe on the contest page or on the docs. Just do not spend more than half an hour for that.
00:29:29
0xe4669da
I just wrote it down on the whiteboard in my office.
00:29:29
riptide
Mm-hmm. Mm-hmm.
00:29:32
0xe4669da
Just don't spend more than 30 minutes on that. Okay. Then after that, I'm actually looking back at that. Then after that, I just understand the overall structure of the protocol.
00:29:46
0xe4669da
Okay. So where are the libs placed? Okay, which are the main contracts? How are they actually interacting with the utils? Okay, then going through file by file, just having an idea. I'm not even reading the code right now.
00:30:02
0xe4669da
Just looking at the inherited contracts, which contracts are imported, okay, and all. If something clicks, then I'll just add a comment on that line. Otherwise, I'll just move on.
00:30:15
0xe4669da
Then just understanding the functionalities, having a rough idea of the external functions and interesting functions, like for example claim reward, distribute reward, or you may say calculate reward, update reward, these sort of functionalities. I say okay, I keep them in mind.
00:30:29
riptide
Mm-hmm.
00:30:33
0xe4669da
Then what I do is I use cloc, CLOC. This is a CLI tool. I use cloc and pass some options like by-file and exclude-file to just exclude empty files, then JSON and everything else. I just calculate this using cloc.
00:30:53
0xe4669da
Then I have lines of code for each smart contract. I actually exclude all the directories that are not in the scope and I include all the directories that are actually in scope. Right, so I get an idea.
00:31:05
0xe4669da
Okay, all these files, it actually by default sorts the biggest SLOC contract on the top and the lowest SLOC contract on the bottom.
00:31:17
riptide
Okay.
00:31:18
0xe4669da
So I start with the bottom.
00:31:18
riptide
Okay. Okay.
00:31:20
0xe4669da
Now I read each contract from the pragma statement till the end, line by line, but I don't dig that deep. Okay. I just read it. I try to understand what's going on. If there is something fishy, then I just write a comment.
00:31:38
0xe4669da
Basically at that time, I'm screening the whole protocol line by line really quickly just to spot any low-hanging fruit. As you said, high-level issues, like some modifier is missing.
00:31:50
0xe4669da
Okay. If there is some unbounded array, if we are taking any user input and we are not validating it and all, like are we giving any arbitrary call or something?
00:31:56
riptide
Let me ask you this, Vic. Vic, pause for a second. Let me ask you this. Are you confident that you can identify the majority of bugs if you see them?
00:32:12
0xe4669da
Uh, I don't know. Right now maybe 50, 40% of the time, maybe.
00:32:18
riptide
Because if you see something, if you're looking at a contract, and I think this is core knowledge that you have to have.
00:32:18
0xe4669da
maybe
00:32:25
riptide
So if you look at a contract and you see, let's just put, maybe you see a bit operation. There's a bit shift going on.
00:32:36
riptide
And bit shifts, it's not technically an overflow, but it has overflow behavior even after 0.8.0.
00:32:36
0xe4669da
and me
00:32:48
riptide
You should be able to spot red flags. Say bit shifting is one. Let's say there's an abi.encodePacked that has two adjacent dynamic types, hard casts, assembly blocks.
00:32:48
0xe4669da
Mm-hmm.
00:33:09
riptide
You know, these are things where if you're reading the contracts and you can't spot these things, you're kind of going to just skip them, and they could have a vulnerability there and you wouldn't really note to yourself or make a note on your code to say, oh, you know, let me check this out.
00:33:29
riptide
I think the fundamental start is you should just be reading audit reports and contracts on the chain to build up that base knowledge so you can, number one, identify
00:33:41
0xe4669da
Thank you.
00:33:43
riptide
you know, hopefully 90% of the bugs out there. So then when you do see it, because if you're as disciplined as you say you are, where you're going line by line, this and that, and I believe you are, if you up your knowledge base, well, shit, man, you should be finding some bugs.
00:34:03
riptide
But you have to be able to, that pattern has to match in your brain where you're like, oh, hey, wait, you know, why are they doing this? This doesn't make any sense. You can't do that. And that's what you want to flag. But if you just don't have that knowledge base, I think you're going to be missing bugs.
00:34:18
0xe4669da
Yes, exactly. 100%. This is a valid point. Actually, you know what, as time passes and you have the experience, you do the contests, you read the past reports, you actually revisit all the findings that I missed but the senior security researchers spotted. I do all that.
00:34:37
0xe4669da
Okay, but there is a capacity for everyone, and this skill, or your knowledge base, actually grows with time, right? So for example, your library right now in your mind, it's far, far, far bigger than mine right now.
00:34:56
0xe4669da
Right. So for that part, I call it a toolbox. Right. So all sorts of attack vectors and possible pitfalls are there in a security researcher's toolbox.
00:35:11
0xe4669da
And whenever he's reviewing the code, he keeps associating those vulnerabilities as and when he's reading the code line by line.
00:35:19
0xe4669da
Right. So right now, as you said, the bitwise operations and all, maybe I won't spot those at first glance.
00:35:19
riptide
Mm-hmm.

Learning from Past Audits to Improve Skills

00:35:32
0xe4669da
Probably I miss these sorts of stuff, but I can actually spot some sorts of issues, like overflowing something, if it underflows or overflows something, that error, or user input is not validated, missing access control or something, like really common bugs which anyone can, I think, spot. So basically at that level, right now I only look for those, even though I also look for deeper bugs in this same
00:36:06
0xe4669da
line by line scan. But you are absolutely 100% correct that when we read a lot of past reports, and actually I think reading a past report and getting the maximum out of it and retaining the actual crux of how the senior security researcher, what was his mindset that he used to identify that bug, this is really important. So instead of just, for example, previously what I used to do is just open Solodit.
00:36:39
0xe4669da
Okay. Set the filter to high, medium, and sources to all the contests, all these platforms, Sherlock, Cantina and all.
00:36:41
riptide
Mm-hmm.
00:36:47
0xe4669da
And just start reading them one by one. Okay. I read one finding, I just mark it as read. Okay.
00:36:58
0xe4669da
But then what I did is I started to go on the leaderboards of these platforms. For example, initially I selected panprog on Sherlock.
00:37:10
0xe4669da
He was number one at that time, I think.
00:37:11
riptide
Mm-hmm.
00:37:13
0xe4669da
So I just clicked on his profile and I just saw all his findings in the contests he ranked one, two and three. I just focused on his findings and tried to adopt his mindset, what was he actually trying to do. One thing I observed there, sir, is that for any single submission he didn't write the PoC. He just said the root cause, the impact, a really simple linear one or two or three steps attack path, even no mitigation sometimes, and that's it, move forward. So by reading this I was actually trying to get into, like, get my feet into his shoes. But definitely it also needed some time, right? When I see someone who has submitted 60 bugs...
00:37:48
riptide
Mm-hmm.
00:38:08
0xe4669da
There is a guy who is the lead senior Watson on Sherlock right now. His handle is 0x7336 something, such a long extension, right? He submitted for one contest, if I'm not wrong, maybe I just don't remember the name. He submitted 60 bugs, 60 bugs.
00:38:27
0xe4669da
And out of those 60, 45 bugs were actually validated by the judges. So I said,
00:38:33
riptide
60 bugs. It's a lot.
00:38:35
0xe4669da
So I said, like, is it a team working or what is it? Then I went into his findings. I started reading them one by one.
00:38:45
0xe4669da
I'm not reading. I started studying them one by one because I also worked on that codebase. Right.
00:38:51
0xe4669da
So I had maybe two out of three findings when I did it. I said, but yes, 45 out of 60 findings. So that protocol included the omnichain protocol, the omnichain ecosystem, right? So I said okay, what did he actually do? So what he did is he identified a vulnerability, a really simple submission again, I think he just copied panprog maybe, really simple submission, root cause, line reference from the GitHub wrapper,
00:38:51
riptide
Mm-hmm.
00:39:06
riptide
Uh,
00:39:23
0xe4669da
the impact, the really simple attack path, giving examples like if this is equal to one and this is equal to 100 and this is equal to 50, 50 is less than 100, it is going to be that.
00:39:34
0xe4669da
Okay, just these sorts of submissions. But when he found a bug at one point, he also reported all the bugs that were actually affected by that bug as well.
00:39:48
0xe4669da
i
00:39:49
riptide
Okay. Okay.
00:39:49
0xe4669da
I don't know if I'm clear or not.
00:39:49
riptide
okay
00:39:52
0xe4669da
So really connected bugs one by one, one by one. For example, if one variable in an omnichain data is not updated, for example, we have omnichain data, there is a struct, okay. And that particular variable is not updated in omnichain data.
00:40:10
0xe4669da
Okay. Now he has reported all other, the instances were not the same. This is his level, he is pro. The instances were not the same but actually using that variable in some other scenario, so he just found out those, assessed the impact and reported those issues as well. So
00:40:31
riptide
All

Challenges and Strategies in Bug Reporting

00:40:32
riptide
right. All right. Let me pause. Vic, let me pause. So, all right. These guys have a method to their madness, but they do. You do have to be able to identify the bugs and they clearly do,
00:40:45
riptide
if you're at the top of the leaderboards of any of these platforms. You know, I know guys that don't do POCs. Sometimes I don't do them. If you can understand the logic in your head, sometimes you don't need to verify it, it's as clear as day.
00:41:06
riptide
So don't waste time on a POC sometimes, unless it's mandatory, but yeah, some of these bugs, it's pretty obvious, you know, and I'm sure your findings could get rejected if you're wrong and all that stuff, but some are obvious where you don't really need to POC.
00:41:12
0xe4669da
Mm-hmm.
00:41:26
riptide
And then kind of touching on the same thing I said before, I mean, you take a path and if you see it goes somewhere, well, you know, are there chain reactions to that? Maybe you can uncover other bugs, but...
00:41:41
riptide
Dude, I think the base part, man, like I feel you on your experience here. And now you have this money pressure, which I know, man, it makes it harder.
00:41:53
riptide
It makes it harder than anything.
00:41:53
0xe4669da
Yes, exactly. Exactly.
00:41:55
riptide
You're like, oh, fuck. And it can make the whole thing not fun. Because you feel pressure, you know, you go home at the end of the day and you don't find anything, you've made no money and you feel like you've made no progress.
00:42:08
riptide
And it's a fucking pressure cooker, especially when you've got people relying on you. I totally get it.
00:42:14
0xe4669da
exactly
00:42:14
riptide
Let me ask you, why do you think, and it's not for everyone, man. And I don't want to dissuade you from being a bounty hunter or doing this at all. I think it's a great, great field.
00:42:28
0xe4669da
Exactly.
00:42:28
riptide
But the audit contests, private audits, all that stuff, it's very different from bounty hunting in a way that the work is the same, but the outcomes and the day-to-day have a specific impact on you as a human.
00:42:46
riptide
Like it'll put you in the depths, the depths of hell. And when you don't find shit, you feel like you'll never find a bug again. You feel like you're down in the dumps and it just sucks.
00:42:59
riptide
And you have to be able to push through that and and come out the other end and find a bug.
00:43:02
0xe4669da
Yeah. Okay.
00:43:04
riptide
But it can go for months. Like it can go, I don't think people get it. People see these big numbers and it happens, man.
00:43:10
0xe4669da
yeah
00:43:12
riptide
Like, but you'll see the arcs in different hunters. Some guy's famous this month, next month you don't hear from him for a while. And he's like, fuck, like I've gone cold. I'm not finding anything.
00:43:24
riptide
And they'll start to doubt themselves, but hopefully they have a good runway. They haven't spent it and they can keep doing the same thing that they're doing, but it's not easy, man. So do you think you have, you know, can you handle the pressure of doing this line of work?
00:43:39
0xe4669da
Yes, straight yes. Straight yes. I'm built for that. You know what?
00:43:44
riptide
How do you know you're built for it?
00:43:46
0xe4669da
Because I feel more excited when I'm hunting a bug on a live smart

Balancing Financial Stability with Bug Hunting Passion

00:43:52
0xe4669da
contract. I experienced this with Stargate Finance and all. I was really excited, man. I said, okay, I'm doing something real.
00:44:01
0xe4669da
There is something of real value on chain. I don't know why. I was motivated a lot. I was 2x motivated or maybe 3x motivated. I don't know why.
00:44:07
riptide
and
00:44:09
0xe4669da
This is the reason.
00:44:10
riptide
I know why. I know why. It's those dollar figures, right?
00:44:13
0xe4669da
Yeah, yeah, yeah. Actually, like you, I am adding real value. I don't know if you understand my mindset or not, but I really enjoy doing stuff on chain. Like, I started using Tenderly a lot.
00:44:30
0xe4669da
All right. I started using my template there to understand the fund flow from address to address and all.
00:44:36
riptide
Good, good.
00:44:37
0xe4669da
I was actually enjoying that stuff a lot and I will still come back to it. It's just that for now, I just want some sort of, even if it's small, some sort of, as I said, $700 works in Pakistan. Monthly, you can actually live a good life, a reasonable life, right?
00:44:58
riptide
Mm-hmm.
00:44:59
0xe4669da
So even per month, if I just do $1,500 or $1,000 or $2,000, no matter. Eventually what I'm going to do is bug bounty. Honestly speaking, sir, bug bounty is something that I think I can do for life maybe, right?
00:45:15
0xe4669da
So I just need a stable income there. So no matter if I spend two months, three months, four months on a particular protocol and I don't find anything,
00:45:27
0xe4669da
that thing doesn't actually, like, you know, pressurize me.
00:45:31
riptide
Mm-hmm.
00:45:31
0xe4669da
I need to find it. I need to find it. If anyone has some stable, like, a really rational approach would be to set up some sort of stable passive income, right? If you have that, then I think this is actually my mindset. I'm gonna just...
00:45:54
0xe4669da
do a job, maybe it's part time for four hours, five hours, six hours, and the rest of the time, maybe another five to six hours, I'll just do bug hunting, because my mental energy doesn't drain when I'm hunting.
00:46:02
riptide
It's a good idea. It's a good idea. It relieves some pressure.
00:46:07
0xe4669da
I'm sorry. What did you say, sir? Sorry, I just interrupted you.
00:46:09
riptide
I say what you're saying is a good idea because it relieves some pressure and it probably allows you to bug hunt just, you know, without thinking, oh, shit, if I don't earn anything,
00:46:22
riptide
we could be out on the streets at the end of the month. So I think that is a very good direction you're taking.
00:46:30
0xe4669da
Yeah, exactly. Exactly. That's what I'm actually saying. Because bug hunting is something for everyone, maybe. I think audit contests are boring straight away. Audit contests are boring. But bug hunting is actually something really indulging for me. I really enjoy it. My brain energy doesn't drain in bug hunting. I don't know why.
00:46:53
0xe4669da
If I show you my Miro board, then for LayerZero, I started from Stargate Finance and I just followed the send tokens function.
00:47:05
0xe4669da
It used the LZ send function.
00:47:06
riptide
hold

Potential Bug in Layer Zero Protocol and Reporting Strategies

00:47:07
riptide
Hold on, hold on. All right, alpha drop right here.
00:47:07
0xe4669da
and
00:47:09
riptide
I think we're getting the alpha drop. LayerZero, Vic coming in hot.
00:47:12
0xe4669da
ah
00:47:15
riptide
What do we got?
00:47:15
0xe4669da
Okay, this is a really simple one, but you need to give me some time so that I can go to my Miro board. Can you please give me a second?
00:47:25
riptide
What is a Miro board?
00:47:27
0xe4669da
Miro. You don't know Miro? Come on.
00:47:29
riptide
I've never heard of that. What is... I have a notes.md file. What is Miro?
00:47:33
0xe4669da
Yeah, yeah. Basically what I do is I take screenshots of the functions along with the smart contract name and just build the flow, right? So I use Miro. It's M-I-R-O. Okay, it's simply miro.com, you can go there, you know, like Excalidraw.
00:47:43
riptide
Okay.
00:47:49
riptide
I've never heard of these. Okay.
00:47:56
riptide
I have no idea what that is.
00:47:57
0xe4669da
Oh, great, man. That's why I say you are a legend.
00:48:01
riptide
Dude, I just, all right, let me throw some commonalities here that now I'm realizing some more. We had lonely sloth on and he just reads the code.
00:48:01
0xe4669da
but if
00:48:14
riptide
A lot of the guys I talked to just read the code and they really don't use any tools. And I'm just thinking about, like, I just have the notes file and, like, it's pretty minimal and you're over-complicating things, man.
00:48:27
riptide
Look, like this, this is all right.
00:48:27
0xe4669da
Yeah, yeah. Point, point.
00:48:29
riptide
This is a mindset difference thing. Okay. So you're building, I don't know how much time you're spending building this on Miro, which is probably very elegant. It looks cool and all that stuff. And other people use Notion. And I always found that to be like,
00:48:47
riptide
I just, that's what my brain's for. I keep everything in my brain and that's exactly what it's for. And if I start writing anything down, you know, or designing whiteboards, I feel like I'm offloading that onto there and then I'm not going to remember it and then I'll have to constantly refer to it, versus if I just kind of load it in my brain,
00:49:08
riptide
I could think about it like that. So you're kind of offloading it. I don't know, everyone's different. Maybe it helps you, maybe it doesn't, but I just kind of slam it all into my brain and that works better for me.
00:49:23
0xe4669da
That actually makes sense. Like, as you said, over-complicating things, and we are actually using our energy on those things as well. Right.
00:49:34
0xe4669da
So
00:49:34
riptide
Because it takes a lot of time, right? What you're doing with this Miro?
00:49:37
0xe4669da
Yeah, yeah, yeah, yeah. It takes some time. It takes some time. It helps a lot in understanding the flow. I don't need to actually go back and forth in VS Code, but definitely from your perspective, the point that you raised is that it takes your time.
00:49:57
0xe4669da
Okay. And I think this is making things over-complicated.
00:50:01
riptide
Your time should be spent reading. Yeah, just reading code. Your time should be spent on that. Anything else I think is a distraction. It's like if you set up a company and the first thing you do is worry about legal structure and taxes and all that stuff when you haven't made a dime.
00:50:17
riptide
Well, your body is just pushing you to work on something that's less of a challenge that you know you can accomplish, but you're not actually focusing on what you should be doing, which is making revenue for your new company to see if it's even viable.
00:50:31
0xe4669da
Exactly.
00:50:32
riptide
So you're building all this stuff and you have this reference material, all this, I've read all the docs and that, but it's like, hey, you know, you need to be reading the code and finding the bugs.
00:50:43
0xe4669da
Exactly. Exactly. That's the point. So just let me tell you about the alpha drop. I think, whether it is or not.
00:50:51
riptide
All right, go ahead.
00:50:53
0xe4669da
and like in
00:50:56
0xe4669da
Okay, so basically when you are allowed to pay the gas fees, if you are allowed to pay the gas fees using the LZ token, let me verify this here. Like, you are not paying in the native coin, right, for that gas fee. Just a moment, please.
00:51:22
riptide
Are you zooming around the Miro board right now?
00:51:25
0xe4669da
Yes, so this is actually something. Okay, here it is. So maybe.
00:51:33
0xe4669da
So one thing was that Stargate Finance was pulling the payment from the message sender twice, like the whole protocol. Okay, once Stargate Finance was pulling the payment.
00:51:46
0xe4669da
All right. And second, the LayerZero protocol was pulling the payment, in case the token fee is paid in a non-native token, in LZ token.
00:52:01
0xe4669da
Okay, so basically
00:52:01
riptide
But does the user get refunded at the end?
00:52:05
0xe4669da
Yes, the user gets refunded in the end. But the thing is the user will give the approval for that amount only once. He's not going to give the approval for the amount two times.
00:52:14
0xe4669da
It's the pull mechanism, right? It is doing safeTransferFrom.
00:52:21
riptide
So what's the bug though?
00:52:21
0xe4669da
and this
00:52:22
riptide
Is the transaction going to revert? Is he going to lose tokens?
00:52:26
0xe4669da
Definitely it is going to revert, but for now they haven't enabled that, the LZ token fee in native token.
00:52:33
riptide
Ah, okay. So if they enable it, then you're looking at a revert. So which, well, all right.
00:52:39
0xe4669da
Yeah, yeah, exactly.
00:52:42
riptide
Interesting. I mean, it'll probably get picked up when they find out it doesn't work, but, you know, when they enable this, fuck, it doesn't work.
00:52:49
0xe4669da
Yes, but for now, you see, nothing is at risk right now.
00:52:54
riptide
It is what? Say it
00:52:56
0xe4669da
Like they might say nothing is at risk for now.
00:53:00
riptide
Mm-hmm.
00:53:02
0xe4669da
Will they accept this?
00:53:02
riptide
Okay. I don't know. That's a good question. Yeah, those bugs. So these bugs, which, you know, if it reverts, you're breaking the contract's functionality.
00:53:16
riptide
I think it's a bug. If something's supposed to work and it doesn't work.
00:53:21
0xe4669da
Yes, the function is redeem and send.
00:53:21
riptide
And, um, mm-hmm.
00:53:24
0xe4669da
The function is redeem and send. In this Stargate pool smart contract, the function is redeem and send.
00:53:29
riptide
Okay.
00:53:32
riptide
All right, so what you would do is either, you know, report it now on this feature.
00:53:32
0xe4669da
Right?
00:53:38
riptide
It's not enabled yet. That's honestly what I'd do, instead of just waiting for them to go and pull the trigger. Because maybe when they pull the trigger, they realize, oh yeah, no, we already caught that, but it didn't work.
00:53:50
riptide
So I would actually report it now and just say, hey, look. And I'm not going to publish this podcast for a week, so you've got plenty of time. But I would report it. I would say, hey, it's low severity, but look, this is broken if you enable this. And just see how they go.
00:54:04
riptide
Okay.
00:54:05
0xe4669da
All right. So right after this call, I'm going to report it, but
00:54:08
riptide
Good stuff, man. And I just looked this up. I remember that name, Johnny Time. You said you took a course from this guy.
00:54:16
0xe4669da
I also worked with him. I also worked with him on a Web3 security fundamentals course. I prepared that.
00:54:23
riptide
Do you like this guy? Is he a good guy?
00:54:26
0xe4669da
Yes, absolutely. He is a good guy.
00:54:27
riptide
I just never followed this guy because I don't like his profile picture. He's got his head, pixelated head, and I've seen, he follows me and I just, I can't stand this profile picture.
00:54:41
riptide
I refuse to follow back just because. Maybe he's a great guy, I don't know.
00:54:43
0xe4669da
Great guy. Yes, yes, he's exactly the great guy.
00:54:45
riptide
I don't like his profile picture though. Johnny, I don't know if you're watching, Johnny, I'm sorry. I

Concluding Advice on Bug Hunting Skills

00:54:51
riptide
just can't handle that guy, man.
00:54:51
0xe4669da
He's a great guy.
00:54:53
riptide
Cool. Well, hey, Vic, we hit an hour, man. It's been a pleasure.
00:54:58
0xe4669da
Yeah.
00:54:59
riptide
This is very interesting. We also had some live alpha drop, which will already be submitted when this goes to be published. But I think it's good, man.
00:55:10
riptide
I think the ultimate thing here is you have to get a deep, deep knowledge of all the bugs. And these high-level bugs, I think, are going to be harder and harder to find, especially as LLMs are improving. And a lot of this stuff just gets caught now. Unless you're very lucky and you see some high-level thing, which happens.
00:55:31
riptide
But I wouldn't bet your career on it. I would look at it like I have to be able to identify everything and I'm willing to go very, very deep. And you can't do that without knowing all the pitfalls of Solidity or any language that you're looking in.
00:55:47
0xe4669da
Exactly.
00:55:47
riptide
So my advice to you, sir, is to hit the Solidity docs and read all the warnings. And if you haven't done that yet, that's a great, great spot to do it.
00:55:58
riptide
Read more audit reports, read more contracts, browse the blockchain and keep at it, man.
00:56:05
0xe4669da
Yeah, yeah. Thank you so much, sir. Thank you so much.
00:56:07
riptide
All right. All right. Well, thanks for coming and we'll see you next time on the blockchain.
00:56:08
0xe4669da
and