The most exciting job in crypto is the whitehat hacker. It’s you vs. the bad guys, alone in the dark forest, with billions at stake.
Whitehats pull some crazy stunts, like reverse engineering an attack so they can rescue funds from a burning protocol, exploiting a vulnerability themselves to prevent a malicious attack, or hunting a villain across the blockchain using on-chain data. The second they find a critical bug, it's a race against the clock to fix it before a malicious entity exploits it.
Sound exciting? It is. Here’s how you can become a blockchain bounty hunter.
What is a whitehat?
There’s a spectrum of security professions on the blockchain. All have the same basic skill set, but focus on slightly different things. You can broadly class them into three bins:
Security researchers
Auditors
Whitehat hackers and bounty hunters
Security researchers can be kind of a catchall term (like “software engineer”) but it generally refers to a group of people that are more concerned with the security of blockchain technology as a whole. These are the class of good actors that find bugs in compilers and cryptography libraries, build security tech, and search for errors or exploits in the blockchain infrastructure.
Security researchers tend to be computer scientists, software engineers, web2 cybersecurity professionals, or mathematicians by trade.
Auditors are the professionals looking for bugs in smart contracts and specific protocols. Audit firms or solo auditors are usually engaged by the protocols to provide these consultation services. Audits take place before the code is deployed, ensuring it’s ready for the battlefield.
The requirements to be an auditor are not very formal, and it really just depends on how good you are at finding bugs, making good recommendations, and writing reports.
Whitehat hackers are individuals poking at deployed protocols looking for weaknesses. As opposed to malicious blackhat hackers, they don’t intend to steal funds, but to preserve them. They aren’t hired by the protocols, but are instead incentivized by bug bounty programs.
Whitehatting is very feast or famine. If you’re good you could take home payouts reaching the millions. If you don’t find anything you get nothing.
Now, let's talk about how to enter the security space.
*Begin training montage*
All three groups have the same basic skillset, so you don’t need to specialize yet. Here’s what you gotta have:
Good at the chain’s smart contract language
Know how the blockchain tech works
Aware of prior exploits and risky patterns
Becoming a security researcher is a little bit outside my wheelhouse, so I won’t comment on that specifically. My advice will focus on whitehats and auditors, but the base info is applicable to any path.
I also focus on EVM chains because it’s the best ROI. All my homies hate Solana. Just modify this general course as needed if you do want to work on another chain, the overall journey is the same just replace Solidity or EVM with the appropriate terms.
Here’s the roadmap:
Learn Solidity
Deep dive into the EVM
Read hack reports and post-mortems
Practice offline
Reps, reps, reps
Connect with peers and mentors
Expand your knowledge of patterns
Get comfortable with scripting
Learn Solidity
How TF do you think you’re going to find a bug in a smart contract if you can’t read smart contracts?
This is the basic, level 0 skill for anything blockchain security. Your best resources to learn Solidity are
Buildspace
PatrickAlphaC
Cryptozombies
Learn X in Y minutes
The Solidity documentation
Secureum
I recommend most people to start with Buildspace or PatrickAlphaC. If you need a little more handholding go with Cryptozombies. Experienced devs can do Learn X in Y minutes. Secureum is an excellent condensed resource for some important Solidity facts that are not easily gleanable from other sources.
You don't necessarily have to be a skilled developer to be a good auditor or whitehat. But you do need to be able to make recommendations on how to fix the stuff you find. This implies a certain level of development knowledge and familiarity with common design patterns.
I’ve already posted about how to learn to write Solidity in this post, and will likely touch on it again multiple times. Subscribe so you don’t miss the alpha!
Deep dive into the EVM
A lot of real-life vulnerabilities stem from features of the EVM like msg.sender, delegate calls, etc. You have to understand control flow, how accounts work, what contracts actually are in the EVM context.
It can be a little dry to slog through opcodes, not gonna lie, but it IS important. A morbidly funny example: the legendary "I accidentally killed it" vulnerability. A user messing around with a library contract for a multisig wallet accidentally exploited a vulnerability and bricked millions in funds. He then proceeded to file a GitHub issue about it.
If you don’t understand delegate calls, you can’t understand library contracts, and if you don’t understand library contracts, you can’t understand the issue with that exploit. Do your EVM homework, kids.
The best place to start with this is Secureum’s Ethereum 101 post to get an overview, then do research into parts that are not clear. If you need a resource on specific opcodes, evm.codes is your friend.
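To make the delegatecall point concrete, here is an added illustration of the "thin wallet delegatecalls into shared logic" pattern. It is constructed for this post, is not the Parity code, and every name in it is made up. The thing to notice: the library's code runs against the calling wallet's storage and balance, msg.sender survives the hop, and the library's own storage has to be locked down or the shared contract everybody depends on is up for grabs.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed example: a thin wallet that borrows all behaviour from a shared
// logic contract via delegatecall. Not real production code.

// Shared logic. Wallets forward calls here with delegatecall, so this code runs
// against the CALLING wallet's storage and ETH balance, and msg.sender is the
// original caller, not the wallet.
contract WalletLogic {
    // Storage layout must match Wallet exactly: delegatecall reads and writes
    // the wallet's slots by position, not by name.
    address public owner;        // slot 0
    bool    private initialized; // slot 1

    // The logic contract's OWN storage is marked initialized at deployment, so a
    // direct initWallet() call on the library reverts. Forgetting this lets a
    // stranger become "owner" of the shared contract every wallet depends on.
    constructor() {
        initialized = true;
    }

    function initWallet(address _owner) external {
        require(!initialized, "already initialized");
        initialized = true;
        owner = _owner;
    }

    // Executed in the wallet's context: the ETH leaves the wallet, and the owner
    // check reads the wallet's slot 0.
    function transferOut(address payable to, uint256 amount) external {
        require(msg.sender == owner, "not owner");
        to.transfer(amount);
    }

    // Deliberately no selfdestruct here. If shared logic can be destroyed, every
    // wallet pointing at it is bricked, which is the failure mode described above.
}

// Thin wallet: holds ETH and storage, delegates everything else to WalletLogic.
contract Wallet {
    address public owner;        // slot 0, mirrors WalletLogic
    bool    private initialized; // slot 1, mirrors WalletLogic
    address public immutable logic;

    constructor(address _logic, address _owner) {
        logic = _logic;
        // Initialise THIS wallet's storage by running initWallet in our context.
        (bool ok, ) = _logic.delegatecall(
            abi.encodeWithSelector(WalletLogic.initWallet.selector, _owner)
        );
        require(ok, "init failed");
    }

    receive() external payable {}

    // Anything not implemented here is forwarded, preserving msg.sender and
    // msg.value, with return or revert data bubbled back to the caller.
    fallback() external payable {
        (bool ok, bytes memory ret) = logic.delegatecall(msg.data);
        assembly {
            if iszero(ok) { revert(add(ret, 32), mload(ret)) }
            return(add(ret, 32), mload(ret))
        }
    }
}
```

Two things to check when you read a real library contract: whether the library's own storage can be initialized by an outsider, and whether anything in the shared logic can destroy the library or change what the wallets point to. Both are invisible unless you understand that delegatecall keeps the caller's storage and msg.sender.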
Read post-mortems
Hack analyses and attack post-mortems are critical, because every one is written in blood. Each one is a mistake someone else paid for that you can learn from and avoid.
Real life codes and safety standards are no different. Every line in the ASME pressure vessel standards represents a boiler explosion, refinery fire, or other tragedy. There is nothing worse than an easily preventable mistake, and I assure you that it will weigh on your conscience if you miss something with historical precedent.
You should be gobbling down every report you run across. Follow important security figures on Twitter to stay abreast of real-time happenings. Everything on the Rekt News leaderboard is mandatory reading.

Practice offline
Capture the Flag challenges (CTFs), Ethernaut, Capture the Ether, Damn Vulnerable DeFi, and other security puzzles are a good way to hone your skills.
Your mileage may vary with these. I did a few levels of Ethernaut, but didn’t spend much time on CTFs personally as they’re not really how I learn. Others have found them incredibly helpful. I definitely recommend trying them and seeing if they’re helpful.
Pro tip, the Paradigm CTFs are murderously hard, so only do them if you’re the kind of freak that likes Dark Souls.
Reps, Reps, Reps
Now comes the grind. You have to practice finding bugs in real code. Two great ways to do this are Secureum and Code4rena.
I have participated in multiple Code4rena challenges. They’re an excellent way to expose yourself to a variety of codebases, and you can earn some money for your trouble. The one downside is that the feedback cycle is a little long, although they are working towards fixing that.
This is when I would also recommend reviewing or trying to replicate historical hacks. Any good development environment allows mainnet forking. You can use a local dev chain to fork the historical mainnet state before an attack occurs, and try to execute it yourself.
Scour existing protocols. Deep dive into your favorite lending platform. Write unit tests to prove that a codebase works the way you expect it to (I know an anon who found a bug and got a bounty by doing that). Read audit reports. Roast a terrible NFT contract on Twitter.
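The two suggestions above, forking mainnet at a historical block and writing tests that prove a codebase behaves the way you expect, fit in one Foundry test. This is an added example, not code from the post or from any protocol. RPC_URL, FORK_BLOCK and TOKEN are placeholders read from the environment: an archive RPC, the block just before the incident you are studying, and the token the post-mortem talks about. It assumes an 18-decimal ERC20 with a standard balances mapping (which is what forge-std's deal() needs) and shows only the state-setup and invariant-check half of a replay, not the attack itself.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import "forge-std/Test.sol";

interface IERC20 {
    function totalSupply() external view returns (uint256);
    function balanceOf(address) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}

// Constructed example of a Foundry fork test. RPC_URL, FORK_BLOCK and TOKEN
// are placeholders you supply via environment variables.
contract ForkReplayTest is Test {
    IERC20 token;
    // A constructed holder address, so the test does not depend on who really
    // held the token at that block.
    address holder = makeAddr("holder");

    function setUp() public {
        // Pin every read to one historical block so the test is reproducible.
        vm.createSelectFork(vm.envString("RPC_URL"), vm.envUint("FORK_BLOCK"));
        token = IERC20(vm.envAddress("TOKEN"));
        vm.label(address(token), "Token");
        // Give our holder a balance by writing the token's storage directly.
        deal(address(token), holder, 10 ether);
    }

    // "Prove it works the way you expect": a plain transfer must move exactly
    // `amount` and leave totalSupply untouched. A fee-on-transfer or rebasing
    // token fails this, and that mismatch is where integrations break.
    function testTransferConservesSupply() public {
        uint256 amount = 1 ether;
        uint256 supplyBefore = token.totalSupply();
        uint256 holderBefore = token.balanceOf(holder);
        uint256 selfBefore = token.balanceOf(address(this));

        vm.prank(holder);
        require(token.transfer(address(this), amount), "transfer returned false");

        assertEq(token.balanceOf(holder), holderBefore - amount, "sender debit");
        assertEq(token.balanceOf(address(this)), selfBefore + amount, "receiver credit");
        assertEq(token.totalSupply(), supplyBefore, "supply changed on transfer");
    }

    // Snapshot/revert lets you replay the same pre-incident state several times
    // in one test while you reconstruct what happened step by step.
    function testSnapshotRestoresState() public {
        uint256 selfBefore = token.balanceOf(address(this));
        uint256 snap = vm.snapshot();

        vm.prank(holder);
        token.transfer(address(this), 1 ether);
        assertEq(token.balanceOf(address(this)), selfBefore + 1 ether);

        vm.revertTo(snap);
        assertEq(token.balanceOf(address(this)), selfBefore, "state not restored");
    }
}
```

Run it with the three variables exported and a plain forge test; everything after setUp happens on a local copy of chain state, so nothing you do here touches mainnet. When you move on to reconstructing an actual incident, keep the same structure: fork at the pre-incident block, assert the invariant the protocol relied on, and watch which step breaks it.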
Explore and build your knowledge. Every rep makes you stronger. Every piece of information is something you can build off of.
Connections
There are levels to this game - and the fastest way to level up is by working with people at a higher level. Find a group of competent peers to bounce things off of, and find skilled mentors to help guide you.
There’s not a roadmap to networking. Have at it, champ. Make yourself useful, don’t send stupid DMs to important people, and if someone skilled gives you advice take action on it.
Patterns
In a shocking turn of events, the best way to get an “I’ve seen this before” level of skill… is to actually have seen it before. There is a treasure trove of information in the ways protocols have attempted to solve problems. Dig into common architectures, especially ones which are commonly forked.
Here are a few high ROI patterns to understand:
Uniswap V2 router and pools
Compound Finance cToken/Comptroller pattern
Masterchef staking contract
Synthetix staking contract
Olympus DAO’s OHM token (rebase tokens have fallen out of vogue, but if you find one it’s probably an OHM fork)
Get curious, get digging!
Here's part 1 of 2 I did for DeFi Education on the Uniswap V2 architecture. Part 2 has a line-by-line walkthrough of a pool contract.
Scripting
Along the way, you’re probably going to have to get good at blockchain automation and writing attack contracts. You’ll need them for proof of concept exploits, performing a whitehat exploit to save a protocol, or just scanning through stuff.
You don’t want to be trying to save millions of dollars writing txns on Etherscan.
For all your blockchain automation needs, there’s no better resource than Degen Code, written by my good friend and certified turbo autist BowTiedDevil.
Bounty Hunting for Fun and Profit
Okay, now that you’ve had your Rocky training montage and you’re competent enough to find bugs, how do we get that cheddar?
Many times, the answer is ImmuneFi.
ImmuneFi is a bug bounty provider. They triage submitted vulnerabilities, and see if they are actually vulnerabilities. If they are, they work with the team to correct the issue, and handle payout of bounties.
If the protocol does not have an ImmuneFi program, they may have their own, or you can try to get hold of the team in Discord. However, you should take a moment to consider your options. It is possible the bug could be a backdoor, or a team member could have a moment of weakness and exploit it.
This article from OpenZeppelin, describing just how delicately they had to approach disclosing a vulnerability with $15 billion at risk, is required reading for all bug hunters.
I've also personally faced backlash when I posted a Twitter thread exposing some dirty laundry in the contract of the GMX token. Luckily, the impact was limited to a minor kerfuffle on the timeline, some angry Discord shouting, and a temporary 10% haircut to the GMX token price. (The issues were addressed by the dev team, so don't go panic-dump your bags, mkay?)
Point being, you gotta be careful when revealing issues with contracts.
When looking for bounties on ImmuneFi, you have lots of filters and options.
When you open a bounty, you can see all the fine print - is KYC required to claim, what’s in scope and what’s not, how exploits are graded and paid out. For example, here’s the details on GMX’s program.
Payouts, again, are feast or famine. While 10k is still some decent money, you only get the big bucks if you find something crippling.
Wrapping Up And a Word On Strategy
Bug hunting strategy is largely going to be up to you, your methods, and what gives you an acceptable ROI. I can’t give recommendations, you have to cook that secret sauce yourself. Try things and see what works - you’re going to have to be curious if you want to succeed no matter the path.
I’ll warn you again - don’t go off half-cocked and disclose something carelessly.
While you’re learning, you’ll probably get discouraged - chin up and keep after it. It’s a grind. You’re not just learning to code Solidity - you’re learning to code Solidity so well you can tell where other people fucked up. You’re learning historical exploits. You’re getting to the point where you can have an informed opinion about the quality of any given codebase. It’s not a trivial undertaking, so don’t expect it to happen overnight!
Most importantly - be ethical. If you are not absolutely sure that you could walk away from a multimillion dollar haul where no one would know who did it, do not go down this path.
I mean it. In the process of verifying the vulnerability, you will have built a proof of concept exploit. All you would have to do would be to put that little --network mainnet flag on the script execute command and hit Enter.
If you cannot absolutely, beyond a fraction of a doubt, know that you would not hit that button, you have no business becoming a whitehat. Go find your wifi money somewhere else.
A great read! Thanks for the content!