[Smart Contract Security] Code4rena (or C4) for Smart Contract Security Audit \ How to Become a Smart Contract Auditor

Background - Blockchain Security

Why smart contract security audits are so important
Reference URL: https://www.jinse.com/news/blockchain/1666661.html

The blockchain space is developing at a very fast pace. Attacks against smart contracts occur frequently, and criminals steal more and more crypto assets.

Each of these hacking incidents, I believe, has sounded the security alarm for everyone and constantly reminds us of the importance and necessity of smart contract auditing.

The blockchain industry has always been a huge temptation for criminals. Whether it is the underlying chain, an exchange, a wallet, a project that has been live for a long time, or a new project that has just launched, criminals are watching it. Attacks are launched quietly, and once a loophole is found, these people will mercilessly steal as much as they can, causing huge economic losses to the project team, exchanges, wallets and users. These losses are often irreparable.

A good blockchain project must first be a security-first project; otherwise users who invest their assets in the project have no guarantee of their safety. The security of the smart contracts is the foundation of the project.

About Bug Bounties

Bug bounties are like CTFs, but with two differences:

  • You're trying to find bugs in a project already deployed on mainnet, not in a "testnet" smart contract.
  • If you find a vulnerability or bug, you can get a lot of money.

What compensation is there for smart contract audits?

I'm no expert on the subject, but I'd say an auditor's hourly rate is roughly:

  • Beginner: $100/h
  • Experienced: $100-250/h
  • Top auditor: $250-1000/h

I divide compensation into two categories:

  • Fixed: You get a fixed (hourly) salary for your work
  • Skill-based: The more bugs you find, or the more severe they are, the greater your compensation.

If you are a junior, I recommend you join an audit firm.
Note that top bug bounty hunters earn millions more for critical bugs.

What is Code4rena (or C4)

Official website: https://code4rena.com/
Official documentation: https://docs.code4rena.com/

Web3 security, on demand.

  • $5MM Reward Payout
  • More than 500 high-severity vulnerabilities discovered
  • Start your audit within 48 hours: http://bio.link/code4rena

What are the projects that use C4 for auditing?

zkSync recently announced that it is using a C4 audit:

Today we’re kicking off an audit contest with @code4rena. Contests and bounties are an important part of helping to secure the network, and we look forward to the community’s contributions to make zkSync 2.0 the #1 choice for developers.

Contest link: https://code4rena.com/contests/2022-10-zksync-v2-contest…

How to get started with C4

Let's take zksync as an example: Contest link: https://code4rena.com/contests/2022-10-zksync-v2-contest…

Check the participation details of a given project. For zkSync, the total prize pool is $165,500, the start time is October 28 and the end time is November 9.

The contest page also lists the currently known open issues:
C4 Wardens Note: Anything contained in the C4UDIT output is a publicly known issue and is not eligible for bounties.

Next, the contest page explains the project itself, its terminology, and the specific contracts in scope, and lists all the contracts:

  • L1 smart contracts
    ◦ zkSync
    ◦ Other
  • L2 contracts
    ◦ Bridges
    ◦ Other

How to Become a Smart Contract Auditor

Original link: https://cmichel.io/how-to-become-a-smart-contract-auditor/

It is recommended to read the original text; here is the outline:

  • Learn to program

  • Learning ETH Blockchain and Solidity Basics
    The fastest way to learn a new language is to use it in practice, by writing code in it - just reading the docs won't solidify the knowledge (and for some reason, even after so many years, I still find the Solidity documentation confusing and unstructured). There's no better way to combine learning Solidity and understanding ETH security than solving CTFs.

A CTF (Capture the Flag / wargame) is a security challenge in which you are given vulnerable code and need to write smart contracts that exploit the vulnerability.

  • Familiarize yourself with the most commonly used smart contracts
    Throughout your auditing career, you will see certain contracts, patterns, and even algorithms over and over again. It's good to get familiar with them and gain a deeper understanding of how they work and their nuances.

  • Learn financial basics
    Sometimes when you audit a DeFi project that uses a lot of traditional financial jargon, you don't understand anything. When you look up these terms, you'll get definitions that refer to many more terms that you didn't know existed. So I find it really helpful to take a basic finance course that doesn't make any assumptions, it actually explains why people want to use that particular financial instrument with their intentions.

  • Get real experience
    with bug bounties on Immunefi or audit competitions on Code4rena. The big advantage here is that they are permissionless. You can be anonymous, you don't need to pass a job interview, and pay is based entirely on skills. Receiving an actual bug bounty is a great addition if you want to apply for audit firm positions.

Reference

The whole story of Indexed Finance theft: 18-year-old math wizard captured DeFi platform
Reference URL: https://www.qklw.com/news/20221002/269283.html

Origin: blog.csdn.net/inthat/article/details/127344050