Web3 BBP Journal: Oct.24, 2024

I have a sense of how to approach BBP, but no valid reports yet.

To simplify my workflow, my plan is to casually looking around the projects, codebases, news, technical articles. Generally use 70% of time for learning, and 30% of time for auditing.

I looked into Anvil audit contest for a bit, and submitted 2 invalid reports. 1st because I only considered the code, but not how it is meant to deploy. 2nd to see how insight bugs work.

I went through a lot of actual hacks and bug bounty reports.

As I am now doing things in a less scheduled way, there aren’t huge things that I did except for the Anvil audit. Basically looking at code, learning about whatever I find interesting.

Realize that web3 bug bounty lifestyle is different then web2. I did some research on web2 BBP lifestyle. In web2, there are more assets to hack on, and more things can go wrong. However each bounty is smaller. Web3 is the opposite. Which means that you can’t reliably become a digital nomad for web3 BBP the same way as web2. Becoming an auditor might be inevitably the better path, and I think many firms allow auditors to do bug bounty.

One observation about BBP itself is that, audit contests often does not have critical bugs found. When there are, it is often found by many auditors in the same time, and the reward is splitted. A critical with many duplicates can reward less than a unique medium.

Although this makes the audit space seem crowed, and finding unique bugs seems to be the way to go, I think it is better to still have a solid understanding about everything, and try to be the absolute expert on some specific aspect.

Seeing the past exploits and bug bounty reports, I think web3 security is a lot simpler than web2. I need to figure out how I can create my own advantage for web3.

I think about the hacker who invented reentrancy attack and exploited MakerDAO. She is definitely a genius. Why the whitehats did not find it first? Something to think about.