Interview with Legendary Bug Bounty Hunter Alexander Schlindwein

Alexander Schlindwein has quickly become one of the top players in DeFi security after claiming some of the biggest bounties in the world from ArmorFi and Fei Protocol. He works as CTO of Ideamarkets, but moonlights as a bug bounty hunter in his spare time. We sat down with Alexander to talk about how he got into the blockchain space and how he developed his security craft.

What inspired you to get into blockchain development? What’s your origin story?

I have been interested in and experimenting with computers and programming since a young age. However, I didn’t discover blockchain by myself. Back in early 2013 when I was still in school, I met with my dad at a local café during lunch break. He told me about this new thing he read about on the internet called Bitcoin. I was fascinated by the concept and began spending time reading up on the topic.

A few months later, I finished building the prototype of an application that would accompany me for years to come — a custom trading bot for arbitrage opportunities between centralized exchanges. The initial version was rough, could only trade BTC/USD, and supported a limited number of exchanges. Yet, it generated returns, and combined with my increasing interest in Bitcoin, I further extended the application to the point where it supported lots of exchanges and arbitrary trading pairs while utilizing commercial MILP solvers for calculating complex arbitrage trades.

Up to this point, my crypto exposure was mostly limited to trading. That was to change, however, when I met again with my dad for another coffee in mid-2015 and he told me about Ethereum, which had recently launched. This day marked the beginning of my journey down the crypto rabbit hole and effort to really understand how and why it works on a fundamental level.

From here on, my interest kept shifting towards Ethereum and smart contracts. I gathered as much knowledge and experience about smart contracts and Ethereum as I could on my own before starting to freelance on Gitcoin. The time on Gitcoin was exceptionally valuable to me as I worked on an extremely diverse set of tasks, from the F# compiler to lightning network integrations and smart contracts. On Gitcoin, I also got to know Mike who at the time was building the prototype of Ideamarket. After working on various bounties for Ideamarket, I later went on to join Ideamarket full-time as CTO.

How long did it take for you to learn Solidity? What resources did you find most helpful?

I learned Solidity pretty quickly. I think for most people with prior coding knowledge it should be quite quick to pick up, as it is a language with a small feature set.

I think most of the time when developers are new to crypto and have a hard time learning Solidity, it is not due to the complexity of the language itself, but rather many skip learning about the fundamental inner workings of a blockchain like blocks, transactions, signatures, mining, etc. and try to approach writing a smart contract as you would write traditional software, which ends in confusion. Should you find yourself in this position, ask yourself some questions of this type:

who executes smart contract code?when is a smart contract executed?where is a smart contract’s data (storage) stored?why can a smart contract not call an API?

If you can reason about these questions with reasonable technical depth and nuance, you are ready for a deep dive into Solidity. Otherwise, I would suggest spending some more time on the fundamentals. I found Andreas Antonopoulos’ books to be a great start and can highly recommend them for this purpose:

Mastering Bitcoin: Programming the Open Blockchain (2nd Edition): Explains the basic building blocks of a blockchain as mentioned aboveMastering Ethereum: Building Smart Contracts and Dapps: Builds on the previous book and mainly focuses on smart contract concepts

What’s your development environment like? What tools do you use?

I use Visual Studio Code as my main code editor with Consensys’ Solidity Visual Developer extension. Gitlens is another valuable extension to look at changes made post-audit. When I have the choice, I prefer Hardhat over Truffle as Ethereum framework. Some of the most important external tools include Etherscan, Infura / Alchemy, Tenderly, and Eth95. I do not usually use any automated analysis tools like Mythril for bug bounties, since when working with audited contracts the results of such automated tools are almost always included in the audit report.

Pretty basic — and that is what I like about bug bounty hunting with smart contracts. There really are not any highly sophisticated tools — just you and the code.

How did you find the ArmorFi bug?

While skimming over the code and getting a first impression of the contracts I noticed the following two lines:

// Put Ether into 18 decimal format.uint256 payment = _amount * 10 ** 18;

This appeared suspicious to me, as such a multiplication is usually seen in frontends when user input is converted to integer format and not in smart contracts. I began investigating the surrounding and related code and shortly after concluded that this is indeed a bug. Shortly after I submitted the PoC, the bug was confirmed by Immunefi and ArmorFi.

How did you find the Fei Protocol bug?

While I was looking at how the Fei contracts manage the deposited ETH (referred to as PCV or Protocol Controlled Value by Fei) I noticed that the protocol deposits unallocated PCV into the FEI/WETH Uniswap pool without any prior checks on the state of the pool. The basic idea was to first dump a lot of ETH into the pool, purchase Fei from the bonding curve contract, allocate PCV into the Uniswap pool, and finally buy the pool back up. This will net a significant profit in ETH, especially since this attack was possible with a flash loan.

The math behind calculating optimal amounts for this exploit, how much to dump on the pool vs. how much to spend on the bonding curve, quickly turned out to be highly complicated. I decided to calculate optimal amounts by using a MINLP solver which resulted in accurate values.

What tips or tricks about blockchain development or bounty hunting would you give?

I think when it comes to bug bounty hunting many people struggle with the question “where do I start, when do I end?” when examining a project. The approach which works best for me is to set myself the goal of fully understanding the system to the point where I could reimplement it from scratch without being allowed a look at the original codebase. Not from remembering the code, but from having understood what the application is supposed to do. If you have examined a project that far and have not found a bug, the chances of finding one by continuing is low. However, if there is a bug in there, your chances of finding it with this method are high.

What general advice would you give to aspiring blockchain bug bounty hunters?

A great way to get started learning about smart contract exploits is to practice by participating in wargames and CTFs. You can find some good ones in this repository.

Also, do not get discouraged if you haven’t found a bug yet, even though you have spent a lot of time searching. Often you will be working with code that has been audited by world-class security experts and put through extensive testing. That does not mean that there are no bugs, though — an audit is no guarantee for security and the list of audited projects which have been exploited is long enough.

In fact, both ArmorFi and Fei Protocol were audited. This is the reason Immunefi exists in the first place. Yet, it is easy to get lost in the fallacy of feeling like you are wasting your time when you spend hours upon hours while apparently not achieving any result. In these moments, it is good to remember yourself that even in periods of low or no findings, the knowledge and insight you are gaining by studying and trying to exploit smart contracts will in the long run equip you with a skillset only very few people have, which in itself will be more than rewarding.