The eye-watering sums paid to white hat hackers can seem like manna from heaven. Yet unlike lottery winners, bug hunters actually put in a lot of work to earn their million-dollar bounties. Spotting vulnerabilities in smart contracts is time-intensive and takes the right personality with the right background. Nevertheless, since billions are at stake in Web3 applications, organizations are happy to pay top dollar if it helps secure their projects.
In our latest edition of DeFi 101, we take a look at what it takes to start hunting for bugs in smart contracts and provide you with some of the best resources if you are just getting into it. If you need a few words of encouragement before getting started, remember that the technology is still relatively new and that there are plenty of lucrative opportunities to make a difference in smart contract security.
Dreaming in green on black
Before you go on to discover a “critical” level smart contract bug to claim that $10m bounty, you will need to learn the basics. Experienced Solidity developers already know the common mistakes and which critical functions are prone to exploits. A bug hunter without such foundational knowledge is a blind man stumbling in the dark, unaware of the possible vulnerabilities or where to find them.
If you’re interested in hunting for bugs on the Ethereum blockchain, you will undoubtedly need a solid grasp of blockchain concepts, good foundations in Solidity programming, and probably at least a basic understanding of the EVM. For smart contract development in general, you’ll also want to read up on best practices and security considerations. That is because while it is relatively simple to get a smart contract to work as intended, it is far more complicated to ensure that nobody can make it work in unintended ways. Once you know how to spot such vulnerabilities, you’ll know how to break them.
To get started with Solidity, check out CryptoZombies for interactive coding lessons. You will also want to pore over the Solidity documentation and the list of known bugs and past mistakes, and to go through a few Solidity guides before you feel comfortable independently inspecting contracts from random repositories. Finally, try running contracts of your own. If you are just starting out, do not make the mistake of assuming that you will be able to break a sophisticated system without first understanding how to build one yourself.
More generally, other great learning resources include audit reports, which are great for learning not only about the different kinds of vulnerabilities common in the industry but also about the tools and approaches used by security auditors. Post-mortems are also great for learning about the novel ways smart contracts have been exploited in the past. They can also teach you how to structure your own reports better. Twitter is also a trove of insights directly from the projects, explaining how things went wrong, and it could teach you how to tactfully discuss critical vulnerabilities.
Although such research is important, you can also shorten your learning curve by opting for a hands-on approach. After all, practice makes perfect. You may want to explore the DVESC and not-so-smart-contracts repositories to try to exploit known vulnerabilities, with hints available. There are also plenty of capture-the-flag competitions and challenges for you to play around with. Remember to keep it light and not to get too agitated if you do not get them on the first try. Motivating yourself with small wins and avoiding burnout is the only sure way to mastery.
Obviously, no simulated environment can replace the real deal. Once you warm up, give actual bug hunting a go. You may want to start with lesser-known projects, scanning for some of the lower-tier vulnerabilities. Finding a few small bugs may not allow you to quit your day job just yet, but it will reward you with a healthy dopamine hit that will enable you to persevere. Many projects offer bug bounty programs. You can usually find information on their websites. Alternatively, platforms like Hackenproof and Immunefi serve as hubs for white hat hackers and provide information on some of the most lucrative bug bounty programs out there.
Finally, if you would like to take a swing at Lossless, you are more than welcome to. We have a bug bounty program on Immunefi and offer a reward of up to $50,000 to anyone who reports a “Critical” level bug in the protocol’s core contracts. If you spot a security vulnerability, please submit a report to claim your bounty.
Lossless protocol implements an additional layer of blockchain transaction security for ERC-20 standard tokens, mitigating the financial impact of smart contract exploits and private key theft. Lossless protocol utilizes community-driven threat identification tools and a unique stake-based reporting system to identify suspicious transactions, providing real-time protection.