Web3 BBP journal:


hhhkb

I am officially starting web3 bug bounty part-time. This will be my journal, recording my thoughts, findings and such.

I have little bug bounty experience and just started in web3. Right now there are a lot of things that I don’t know, so I will have a bug bounty oriented learning plan, along with actual hunting. I will learn from past reports and maybe mimic a CTF style hacking environment but for bug bounty. The time I can make for BB is about 1 hour per weekday, and 4 hours per weekend.

For a niche, I am choosing DeFi auditing, as I might also consider investing in it in the future.

Learned more about Certora and Kontrol. Tried Certora on a wargame and it kind of worked, but with limitations. Read articles on Kontrol and realized I need to learn a lot more about the K framework to understand some of the harder topics of Kontrol.

Skimmed through a dozen reports from Immunefi boosts. My plan is to figure out the common vulnerabilities in bug bounty, and learn how to look for them.

Used the random target picker from Immunefi, and was able to read through a simple contract. I find it similar to the wargames and CTFs that I played before.

I also participated in Tcp1p CTF for a few hours. I solved 5/6 Blockchain challenges. If I had spent more time, I think I could have solved the last one as well. Maybe there were more challenges released after, but I didn’t check.

First, I want to talk about the niche picking. I am familiar with DeFi. But DeFi seems to have a lot of auditors, so it is somewhat competitive. There are more technical niches, like bridges, but I will make a conscious decision to stick to DeFi for now.

What I lack right now is not really the technical code auditing skills, but understanding DeFi on an abstract level. Why do some protocols exist? Who benefits from them? What do some concepts and jargon mean, etc.? I will need to read up on that more.

Then let’s think about my advantage in bug bounty. What skills do I have that make me competitive? Right now I feel like none. Some people know symbolic execution, some do fuzzing, and some know web3 development by heart. I have none of that. It will take me some time to learn a new skill like fuzzing or formal methods, so that is not realistic. So I figure that I will first get a solid understanding of web3 and DeFi, and then see. Basically, I want to understand everything that I see.

One thing to look out for when learning like this is to not overfit my skills on the small sample of materials that I am learning from. I will beware of that, and choose different things to learn from different programs.

Tools are 100% very important, and might distinguish hunters. I thought I needed to learn some tools and use that as my advantage. However, after some research, I now feel like it is not what I need right now.

Short term

- Study 10 more reports from a different Immunefi Audit Contest (formerly called Boost).
- Repeat 1 report about insolvency.
- Try to hack 1 bug myself, given what the type of vulnerability is.
- Post blogs and reflect upon myself once in a while.
- Learn more about concepts like AMM, DAO organized DeFi, etc.
- Goal: Hack on real audit contests, and have valid bugs.

Mid term (in 3 months-ish)

- Pick a tool after evaluating the market and myself.
- Goal: Able to understand completely and repeat most critical and high bugs given reports.

Long term

- Connect with other professionals.
- Build a public portfolio, and connect with potential clients.
- Follow up on the newest trends in web3. Don’t need to be an expert on the newest trends, but at least know what they are.
- Keep playing blockchain CTFs.
- Goal: Be creative about bug bounty, expert level freestyle audit, and have clients for private audits.