Full Report
In 2023, MiloTruck made the most money on Immunefi at 172K. In this post, they go through the year and what they learned. I'll be going through some of their takeaways, as these provide the most value. The first takeaway was that math is complicated. They learned this by getting their only medium finding via an unsafe cast. If it's complicated to you, it's likely complicated to the developer. If it's complicated to the developer, there are likely to be bugs. Later down the road, they did 5 audits in one month. In this, they only spent a small amount of time on each. This was a mistake, since many bugs come from a deep, deep understanding of the vulnerability. During this month, they learned that contests should be chosen according to your skill level. Additionally, simple and small contests should be avoided, as there aren't many bugs, and if there are bugs, they'll be duped to hell. The next big audit was Chainlink CCIP. This had a payout of $185K for the H/M pot. For this, they went all in. They read through documentation, similar protocol audits and talks before the contest. By doing this, they understood the bugs to look for and had a deep understanding of the protocol quite quickly. This led to 3/3 highs with an 8th place finish. During an audit where they found 8/8 mediums, they only reported 6. They didn't report 2 of them because they considered the issues acceptable risks. They learned to always ask the protocol team whether the behavior you described is intended. Worst case scenario, you report it as well. In an audit of the Wildcat protocol, they learned to always read the documentation and whitepaper of the protocol. This allows you to understand the expected use cases of a protocol, which may not always be obvious. At the end, they mention why they were able to achieve this: being super competitive and holding a high standard. By reviewing previous misses, they were able to adapt their auditing methodology so they would not miss those bugs in the future.
Second, they wrote PoCs for every bug where it was possible and wrote very, very good reports, which gave them nice bonuses. Additionally, really, really understanding the protocols in depth, including the hard edge cases, is what they seem to be good at. The final section might be the most interesting: Are Contests Worth It? You can't earn millions from C4 with how much competition there is. So, the top talent is moving away to other locations. Sherlock tried fixing this with a Lead Senior Watson, which takes a fixed amount of the pool. Private audits, Immunefi, auditing firms and Spearbit are much more lucrative. So, should you do contests? It's a great place to learn and get opportunities. From this, they got offers from Trust Security and Spearbit. Overall, an awesome post on their learnings and perspective from the year of auditing.
Analysis Summary
# Best Practices: Competitive Smart Contract Auditing
## Overview
These practices address the methodology and strategic approach required to identify high-impact vulnerabilities in decentralized protocols. They focus on moving beyond automated scanning toward deep logical analysis and rigorous reporting to ensure protocol security and auditor success.
## Key Recommendations
### Immediate Actions
1. **Mandatory Documentation Review:** Before touching code, read the whitepaper and technical docs to understand the "intended" business logic.
2. **Clarify Intent:** If a code behavior seems suspicious but potentially deliberate, ask the protocol team immediately if it is intended. Do not assume it is an "acceptable risk" without confirmation.
3. **Validate Math Safety:** Manually inspect all arithmetic operations, specifically looking for unsafe type casting (e.g., `uint256` to `uint64`) and precision loss.
4. **Defensive Reporting:** Write high-quality Proof of Concepts (PoCs) for every potential bug to eliminate ambiguity and secure performance bonuses.
### Short-term Improvements (1-3 months)
1. **Scope Selection Filter:** Avoid "simple" or small contests (low SLOC) as they lead to high "duplication" (multiple auditors finding the same bug) and lower payouts.
2. **Audit Retrospectives:** After every contest, review the "missed" bugs found by other auditors. Update your internal checklist/methodology to ensure those patterns are caught next time.
3. **Deep-Dive Allocation:** Shift from doing many "shallow" audits (high quantity) to a few "deep" audits. Spend significant time on a single protocol to understand complex edge cases that surface only after days of study.
### Long-term Strategy (3+ months)
1. **Transition to High-Value Platforms:** Use contest platforms (Code4rena/Sherlock) as a training ground and portfolio builder to transition into private audits, Immunefi bug bounties, or specialized firms (e.g., Spearbit, Trust Security).
2. **Specialization:** Develop deep expertise in specific niches (e.g., Cross-chain protocols like CCIP, Liquid Staking, or AMMs) to reduce the learning curve for future audits in those sectors.
## Implementation Guidance
### For Junior Auditors / Small Teams
- **Focus:** CTFs (Ethernaut, Damn Vulnerable DeFi) and CryptoZombies for foundational syntax.
- **Action:** Start with contest platforms to gain "real-life" experience and build a public GitHub portfolio of findings.
### For Established Auditors / Medium Teams
- **Focus:** Efficiency and report quality.
- **Action:** Develop or use custom static analyzers (like *Regast*) to automate "low-hanging fruit" (gas/QA), freeing up time for complex logic "High" severity bugs.
### For Protocol Teams / Large Enterprises
- **Focus:** Multi-layered security.
- **Action:** Do not rely solely on public contests. Use a combination of a private audit (for high-touch review) followed by a public contest or a bug bounty on Immunefi to catch edge cases.
## Configuration Examples
While the article is focused on methodology, it highlights a specific technical pitfall:
* **Unsafe Casting Example:**

```solidity
pragma solidity ^0.8.0;
import "@openzeppelin/contracts/utils/math/SafeCast.sol";

contract CastExample {
    // AVOID THIS: an unchecked downcast silently drops the high bits (no revert)
    function unsafeCast(uint256 amount) external pure returns (uint64) {
        return uint64(amount); // 2**256 - 1 becomes 2**64 - 1, i.e. data loss
    }
    // RECOMMENDATION: use OpenZeppelin's SafeCast (or an explicit range check)
    function safeCast(uint256 amount) external pure returns (uint64) {
        return SafeCast.toUint64(amount); // reverts when amount > type(uint64).max
    }
}
```
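The post stresses writing a PoC for every bug, and Foundry is the tool listed for that. The following Foundry test is an added example (not code from the article or from MiloTruck) showing how such a PoC for an unsafe downcast looks: `PackedLedger`, `creditUnchecked` and `creditChecked` are hypothetical names, and the ledger packs balances into `uint64` purely to make the truncation observable.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import "forge-std/Test.sol";
import "@openzeppelin/contracts/utils/math/SafeCast.sol";

/// Hypothetical ledger that stores balances as uint64 to pack storage.
contract PackedLedger {
    mapping(address => uint64) public balances;

    // Vulnerable: the unchecked downcast silently drops the high 192 bits
    function creditUnchecked(address who, uint256 amount) external {
        balances[who] += uint64(amount);
    }

    // Fixed: SafeCast reverts instead of truncating
    function creditChecked(address who, uint256 amount) external {
        balances[who] += SafeCast.toUint64(amount);
    }
}

contract UnsafeCastPoC is Test {
    PackedLedger ledger = new PackedLedger();
    address user = address(0xBEEF);

    // Constructed input: 2**64 + 5, just past the uint64 range
    uint256 constant BIG = uint256(type(uint64).max) + 1 + 5;

    // PoC for the finding: a huge credit is recorded as a tiny balance
    function testUncheckedCastTruncates() public {
        ledger.creditUnchecked(user, BIG);
        // uint64(2**64 + 5) == 5, so the ledger now holds 5 for a 2**64 + 5 credit
        assertEq(uint256(ledger.balances(user)), 5);
    }

    // The same input against the fixed path must revert rather than truncate
    function testSafeCastReverts() public {
        vm.expectRevert(); // OZ v5 raises SafeCastOverflowedUintDowncast; v4 reverts with a string
        ledger.creditChecked(user, BIG);
    }
}
```

Run it with `forge test`; the first test is the reproducible evidence a report needs, and the second documents that the recommended fix closes the issue.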
## Compliance Alignment
- **NIST Cybersecurity Framework:** Aligns with **Protect (PR.AS)** and **Detect (DE.AE)** by validating that software is free of known vulnerabilities.
- **SWC Registry (Smart Contract Weakness Classification):** Recommendations align with identifying SWC-101 (Integer Overflow) and SWC-112 (Delegatecall to Untrusted Callee).
## Common Pitfalls to Avoid
- **The "Acceptable Risk" Trap:** Never ignore a bug because you think the team won't care. Report it or ask; otherwise, you lose the reward and the protocol remains vulnerable.
- **Shallow Auditing:** Spending only a few hours on multiple contests ("spray and pray") usually results in zero high-severity findings.
- **Ignoring the "Why":** Auditing code without reading the whitepaper leads to missing "logic bombs" where the code works but the underlying economic model is flawed.
## Resources
- **Learning Platforms:** `cryptozombies[.]io`, `damnvulnerabledefi[.]xyz`, `ethernaut[.]openzeppelin[.]com`
- **Audit Platforms:** `code4rena[.]com`, `immunefi[.]com`, `sherlock[.]xyz`
- **Security Tools:** Foundry (for PoCs), Regast (static analysis)