How to become the Number 1 Auditor in Web3

We catch up with Or aka “Trust” and learn his process for finding bugs with Immunefi, Code4rena, and his approach to security in Web3.

Patrick Collins · Jan 9, 2023 · 29 min read

Introduction

Recently, I had the luxury of interviewing Or Cyngiser (aka @trust_90 on Twitter), who went on a Code4rena competition rampage, finishing as the top earner four times in a row and winning over $67,000 from those four contests alone.

For those unfamiliar, Code4rena is a web3 audit competition platform. Instead of going to a traditional audit company, you open your code up to the general public, who review it, submit the bugs they find, and are paid for them.

I wanted to get the scoop on how he was able to dominate so hard for a few months, and I asked him about his process.

The Process

It boiled down to three steps:

  1. Understand EVM & the industry
  2. Understand what the project is supposed to do
  3. See where what the project is supposed to do doesn’t match up with the code

To Trust, being able to find bugs means you first need to understand how everything works (Solidity, the EVM, and so on) at a conceptual level. He spent a lot of time reading the Solidity documentation, reading up on new DeFi concepts, and more to prepare for getting into smart contract security. This includes being familiar with common bugs and errors such as reentrancy.

After that, he says people need to understand the protocol they are reviewing at a conceptual level. Most of the time, the high-severity bugs come from an issue transcribing an idea into code. Are you auditing a staking contract? Then you had better understand how a contract can hold collateral, which withdrawal methods work best, and so on.

Then, go line by line through the code to make sure it does what the protocol’s documentation says it should do. He uses tools like Tenderly, Hardhat, Foundry, Remix, and WSL (Windows Subsystem for Linux).

Full Interview Transcript

Patrick Collins: So yeah, welcome to the podcast. How are you?

Or Cyngiser: I’m doing great. Thank you for having me here. I’m always excited to talk about security, and you seem like an interesting channel to talk to developers through. And I’m happy to communicate anything to make our developers feel a little more safe and know what they’re doing.

Patrick Collins: Excellent. So Holograph, which was around 27k value, you got paid out Juicebox around 13k, Trader Joe, 19k, Non-fungible trading $7,000. How did you go on a run of just going, back to back on Code4rena, what was the process there?

Or Cyngiser: I started my Code4rena journey about three, four months back. And I had some smaller winnings. I came like second place, third place sometimes. And those couple of days, I noticed that there were going to be like two months where there’s actually a lot of contests going on at the same time.

So when volume goes up, sometimes it’s easier to get a larger split of the prize money. So I was like, okay, I’m gonna take these next 10 days, I’m gonna work super hard and try to ace as many contests as possible, while others might not even reach and have time to do all of them. I was fortunate enough also to have some specific conditions on these contests; basically there was like a duplication penalty, which is how the prize awarding goes in Code4rena. The more of the same submissions of a particular issue there are, the more it penalizes the prize of that submission. So what happened was, I had a couple of finds that no one else got, and because of the way the prize payout works, I got much more percentage-wise than you would right now.

So they had this experiment of changing it and making the top guys make even more than usual, and I enjoyed this. So yeah, I guess it’s a combination of a lot of hard work and also some luck on my side. Yeah.

Patrick Collins: Awesome. Yeah. So that kinda really worked out in your favor, the fact that you found bugs that very few other people found that gave you kinda like extra points almost.

Or Cyngiser: Yeah, exactly.

Patrick Collins: So how did you get into security? What’s your story?

Or Cyngiser: Yeah, I actually started doing security research in the Israeli military. I started in the intelligence forces almost 10 years ago.

Or Cyngiser: Doing things completely different from web3; web3 has only been around for a couple of years. But I started doing a lot of reverse engineering and cool security research that has to do with other technologies. And after that I moved to doing IoT security, finding vulnerabilities in smart cameras, doorbells, streamers, all sorts of funny IoT gadgets and stuff like that.
</gml_replace>
<gr_replace lines="59" cat="clarify" orig="Or Cyngiser: And it was really">
Or Cyngiser: And it was really interesting and really exciting in terms of fiddling around and seeing how you can hack into TVs and stuff like that. It’s always cooler than just hacking virtual devices. And from there I moved to doing more mobile-focused research, so iOS and Android security.

Or Cyngiser: And it was really interesting and really excited like in terms of fiddling around and seeing how like you can hack into TVs and stuff like that. It’s always pretty much it’s cooler than, just like hacking virtual devices. And from there I moved to doing more of a, like mobile-focused research, so iOS and Android security.

And I worked for an offensive company, which specializes in, hacking smartphones. And I worked there for about two and a half years doing some super interesting, extremely deep research in some of the like technologies in iOS. And this January I decided to take a small pause from this kind of research and try out other fields.

And basically in May, I got really excited about web3 security and web3 in general. So I really tried seeing what the best opportunities in this space were, and basically Immunefi and Code4rena were super awesome to try out. And yeah, I started going for it, had a couple of months of bug bounty hunting and then moved to Code4rena.

And I’ve been doing both like ever since.

Patrick Collins: Awesome. Yeah. So you’ve had quite the journey to get here. So can I, can we ask a little bit about the Israeli military? Was that really where you feel like you, you cut your teeth for doing security research? Do you feel that the techniques there apply to everything? Like how was that experience?

And can you talk about any of the projects, or is that confidential information?

Or Cyngiser: So I’m definitely not able to talk about any specific projects, but I can say that in terms of giving you the tools and the ability to learn and adapt to new technologies, it’s an amazing school or training ground to really develop your skills.

Or Cyngiser: And I can probably say that without it, I wouldn’t have been able to get as far and be as successful as I am right now. So it’s definitely something that is an advantage if you have the chance to take a shot and do that kind of work. It’s not easy, but I think it’s definitely worth it.

Or Cyngiser: And regarding how you talked about the skills and transition between different topics: I would say there’s definitely overlap in the mindset and the skills required to do the different research. So even though I just started doing smart contract security, the years of background really helped and allowed me to close the gap in terms of knowledge and even start pulling ahead in terms of my capabilities.

Or Cyngiser: Some people say that web2 and web3 don’t have anything in common, but I would say from a security perspective they have a lot in common; if you’re good at one of them, you’re probably gonna be pretty successful at the other as well.

Patrick Collins: So I’m looking at your LinkedIn here and it looks like you were in the military for around four, almost five years, maybe four and a half years.

Patrick Collins: I know in Israel the requirement is, I think it’s, what is it, two years? You have to go to the military for two years in Israel? Yeah.

Or Cyngiser: It’s different between males and females. So for men it’s three years, and it’s been dropped to two years and eight months a couple of years ago.

Or Cyngiser: When I joined the military, it was three years and basically to join like special programs, you do need to add an additional like year and a half or two years, or even three, depending on the exact program. And for this kind of special cyber experience, like a training school and an interesting role.

Or Cyngiser: So it was like 1.5 more years required. That’s something I signed up for and I’m definitely happy I did, because the opportunities it gives recruits are definitely worth it.

Patrick Collins: Okay, gotcha. Cause I was looking at it and I was like, whoa, he stayed extra time. But okay, that makes more sense.

Patrick Collins: So you did your time, you put your time in, and then you were like, all right, time to go do some IoT, pretty much right when it ended.

Or Cyngiser: Yeah, and I wanted to do IoT security also because this particular job allowed me to reveal findings and do it in a very public way.

Or Cyngiser: So I was also helping the entire security industry by sharing my findings and closing down bugs. And also trying to build a name and some credibility for what I’m doing, so I can then show, hey, I have all these abilities, and build some kind of reputation for myself.

Patrick Collins: Gotcha. Would that be like a party trick you would do if like friends came over or if like you went over to your friend’s house, you were like, oh yeah, check this out. I’m gonna hack into your TV, watch this.

Or Cyngiser: It’s something that sounds pretty amusing, but I haven’t actually ever tried doing that. Maybe I will use it as a party trick in the right circumstances. Yeah, it could be cool.

Patrick Collins: New Year’s is coming up. Maybe that’s your New Year’s party trick.

Or Cyngiser: We had a pretty cool showing at some conference in Barcelona, MWC Barcelona 2019, where we showed how, live on air, we hacked the Amazon smart doorbell. And we basically showed how the feed that is transmitted to your mobile device shows something completely different from what’s going on in your house. So basically you could replay and show some grandma coming into your house and you would open the door for her, but it’s actually some burglars or robbers coming in. So it was a really interesting POC we ended up showing.

Patrick Collins: Yeah. That’s really cool. Have you ever gone to any security conferences and showed off any of those findings or anything like that at a security conference before?

Or Cyngiser: I’ve been to DEFCON a couple of times, and through my previous employer, the mobile security employer, I’ve been to Black Hat, but I haven’t yet come to display or show off anything.

Or Cyngiser: But this is something I’m planning on doing. Maybe in the coming year or the next one, but I wanna prepare something pretty cool, not just come there and show your everyday stuff. So I’ll wait for the right moment to do that.

Patrick Collins: I haven’t been to DEFCON yet, but it’s on my to-do list. I’ve been to pretty much most of the Ethereum events. But DEFCON is definitely on my to-do list, and I feel like we as a community should start very seriously integrating DEFCON or, yeah, Black Hat into our network of conferences that we attend, for sure.

Or Cyngiser: Yeah, I think we need to start merging into the traditional security locations.

Or Cyngiser: Also to build a larger pool of people that can join and help out. Right now we’re a little bit segregated in web3 security. And I think there’s a lot of work in that department. Also I think we can start integrating courses and training into traditional conferences. It’s something I’m thinking about building for an upcoming conference.

Or Cyngiser: Just educate more people so they’ll be able to better protect smart contract platforms.

Patrick Collins: Sure. But cool. So yeah, so you were doing IoT. How did you hear about web3? What got you into, oh, okay, I can maybe do this web3 thing, I can maybe look into the security of this web3 thing. How’d you transition there?

Or Cyngiser: I hadn’t heard much about it, but some close friends were always talking about and showing off what kind of technologies are possible using web3.

Or Cyngiser: And yeah, an opportunity presented itself in about January when I left my previous place of work. I was like, okay, what’s next? And web3 was super interesting, regardless of security, because of the opportunities it brings to empowering people and using technology to bring power back. And I also saw the massive gap in security between the traditional world and all these new technologies, which require a lot of different mindsets in order to be secured properly. So I was like, okay, this is definitely super interesting to look at, and lots of lessons that we’ve already learned in traditional security, we’re just learning them now in web3.

Or Cyngiser: It’s awesome to be like in this early generation of people that can make a larger impact. That’s something that

Patrick Collins: It’s not lost on me. The fact that you came into this space so quickly and were just productive is, yeah, awesome. So you came to this space, you hadn’t heard about it too much, your friends were telling you about it.

Patrick Collins: I feel like that’s how so many people get into the space. Before you fully acclimated in it, what was your process for learning web3?

Or Cyngiser: I come from a research background; researchers like to read as much information as possible before diving in and starting to play with all this new technology.

Or Cyngiser: They like to know everything beforehand. So it was all about reading and watching a lot of YouTube tutorials, walkthroughs. I really liked reading the Ethereum yellow book, which is a technical document of exactly how the EVM behaves. And reading all about Bitcoin and the difference between Bitcoin and EVM blockchains. So I started by understanding first of all the fundamentals before even starting to deal with security concepts, because security can only be built on a good foundational understanding of the technology. There were, obviously, a lot of knowledge gaps in terms of DeFi protocols and

Or Cyngiser: financial concepts that most people aren’t aware of, because eventually this is how the banking system works currently, but it’s really abstracted away from us in the form of a bank account, which does all these things, and institutional services. And in DeFi everything happens transparently.

Or Cyngiser: So there’s a couple of weeks where you just learn about how collateral ratios work and how liquidations work. It’s exciting because it fills some gap in your knowledge about how things work behind the scenes. And I actually really enjoyed getting up to speed on all these concepts in web3.

Or Cyngiser: Nice.

Patrick Collins: So you did all the fundamentals. You read the yellow paper, which is insane. You did a ton of reading, then after that though, you started getting into the tooling, right? You started getting into some of the security side.

Patrick Collins: What are you, I guess I should ask, what are you using right now? What’s your tool set up for when you’re doing bug hunting?

Or Cyngiser: So obviously it’s important to have a setup where you can experiment and try out ideas, POC, and this kind of mindset of really challenging: okay, I wonder what happens if I use this opcode instead of that, or how does this behave behind the scenes? So I always try to make sure I have a nice setup to do any testing. There are already some pretty sophisticated tools developed in the ecosystem. So joining in 2022 is a much better experience than what was available four years ago.

Or Cyngiser: Which is also a big reason I can see why people are joining the space now. And there’s a lot more progress in terms of security, because the quality of life as a developer and researcher has tremendously improved. My setup is a Windows machine with an Ubuntu WSL 2.

Or Cyngiser: And I use it to run all my Hardhat and Foundry tests. I usually try to do as little as possible on the Windows side, because everything works a little more smoothly on Linux. A lot of my testing is on Remix, because it’s just really great to trace through and check out a lot of different tests quickly.

Or Cyngiser: And when I need to check specific events that take place on some blockchains, I’ll use Tenderly. Tenderly.co is a really great tool for debugging specific transactions and trying to deploy your own contracts and see how they behave. Usually when I fork to POC a specific finding for Immunefi, for example, I’ll use Tenderly to fork the current state and do some changes and my own transactions and show how it can lead to pretty severe issues.

Or Cyngiser: So I try to use the different tools as the most important and appropriate tools for the specific circumstances. It’s important to know Foundry and Hardhat, and for Code4rena contests we wanna make use of the existing test suite that each project provides, because it cuts down on the amount of prep time you need.

Or Cyngiser: And it’s also great for developers to validate whatever finding you bring with their own tests, so it’s easy for them to get into it and understand exactly what you’re doing.

Patrick Collins: Yeah, I a hundred percent agree. Every time I clone someone else’s project, though, I get very nervous that I’m about to run something very stupid. Opening up VS Code in restricted mode, doing a little due diligence to go through it and make sure any command I run isn’t gonna blow up my computer. Yeah.

Patrick Collins: Wanna be careful. Are those precautions that you take whenever you clone one of those projects?

Or Cyngiser: I usually don’t run any projects in these kinds of permissive environments. Theoretically there could be some malicious Code4rena repository that will have access to basically my VM, but I really hope that’s not the case. Fair, I take my precautions, but it’s never a hundred percent, right? There’s always a little bit of trust involved in this sort of business.

Patrick Collins: Hope Code4rena does their due diligence. And then the combination of your due diligence and their due diligence is enough so that you don’t get screwed.

Or Cyngiser: Makes a lot of sense. Yeah. Worst case, we’ll hear about it in some rekt

Patrick Collins: article, right? Yeah, yeah. Code4rena auditors get rekt. That would be funny. So cool. So yeah, a lot of the tools I use: Hardhat, Foundry, Tenderly, Remix. Where did you learn those? What was your process for learning these tools?

Or Cyngiser: Yeah, for all these tools, you can basically read the docs and try them out and look things up. If you’re comfortable with a state of mind where you understand the fundamentals and basically understand what’s going on behind the scenes, nothing’s really too complicated to master and use. The UIs are usually meant to give you a good enough experience.

Or Cyngiser: Tenderly, I never had a big issue understanding how to do something, because it’s very user-friendly. And Foundry, I’ve heard a lot of people have some issues learning it because there are some quirks involved in how cheat codes work. I believe in taking the time to figure out how things work and have a sound understanding beforehand, and then start fiddling around with it.

Or Cyngiser: And there’s this great Foundry Book, the reference book that gives you all the answers to what you need. And eventually you just put in the hours, study it, and you get the hang of it.

Patrick Collins: Nice. Yeah. Once you understand the fundamentals, a lot of the specific implications become a lot easier.

Patrick Collins: Foundry is just specific implications of how to work with Solidity. When you were first learning Solidity though, did you use CryptoZombies, ChainShot, YouTube? What was your process for originally learning Solidity?

Or Cyngiser: Yeah, for Solidity, the best reference was the actual Solidity website.

Or Cyngiser: There are so many cool things you can learn over there. They actually even have, for every topic, some warning labels about how these concepts can be misused. So it’s already hinting at you, from a security perspective, what kind of issues there are. Which is a cool little freebie for you. But as a developer, I believe you should always seek, first of all, the official resources, and they’re probably the most comprehensive ones.

Or Cyngiser: And, as a developer in smart contracts, you have a much larger responsibility than most developers have. If you have a bug, it’s not “this button doesn’t work” for Angry Birds. You might actually leak funds from the contract. So as a developer, you really should know as much as you possibly can from the most trustworthy resources.

Or Cyngiser: So I would say read from the guys who develop the Solidity compiler. And also, if you don’t know something today, the platform allows you to check anything by yourself. So open up Remix, see how it behaves for real. And it’s better safe than sorry if you’re not sure about something.

Patrick Collins: Yeah, it makes a lot of sense. Let’s talk about this now. So you come to Code4rena, you open up a project and it says, project Y, a hundred thousand dollar bounty. Where do you start?

Or Cyngiser: Projects, it’s actually not so scary when you start looking at them, because projects always repeat themselves. No one likes reinventing the wheel. And the same concepts reapply. So you’ll use your own prior experience from other projects, other audits you’ve done before.

Or Cyngiser: And where you wanna start is definitely different per researcher. I like to take a top-down approach, and through this approach I will start by having a sound understanding of what the contract’s external surface looks like, right? So as a user, what are you allowed to do with this contract?

Or Cyngiser: And also read all the docs, because they may give you a pretty cool understanding that you wouldn’t have otherwise. So the docs are basically preparation for diving into the code. You start looking at it and have a better and better understanding as you go along. I start from a zoomed-out view and start digging into places where I think it could be more interesting to look.

Or Cyngiser: And in Code4rena and audits in general, there’s a concept of scope: okay, these files are actually what we’re looking at and other files are not interesting, we’re not gonna accept any submissions for them. So you wanna make sure you spend your time on the code that is in scope.

Or Cyngiser: Once you identify all these areas of code, you start filtering out the trivial things and you wanna focus on the more complex stuff, like what sort of code is actually new or novel in this particular project, right? They gotta have something that’s not in other projects, otherwise what were they bringing to the table?

Or Cyngiser: So I like to spend my time focusing on the new stuff in each project. And also, if they’ve changed something on top of another project, you need to ask yourself, why did they change it? And have they not fixed any issues that exist in the original, like in the fork? And sometimes you’ll find some pretty cool conclusions about the divergences in code between the new code and the old.

Or Cyngiser: And there is basically no shortcut to understanding how the code actually works. And in order to find bugs, you need to find any assumptions that the developers are making which are not definitely true, because if there’s no gap, no misunderstanding that the developer made, then there won’t be bugs in the contract.

Or Cyngiser: But luckily for us, for the guys that submit findings, there’s always going to be some gap in developers’ understanding of the systems they’re building. And it’s always about finding the more complicated areas where it’s easier to get things wrong and focusing on them.

Or Cyngiser: So, say, some sort of specific data structure that’s not commonly used. That’s one way to focus. Another way to focus is on easy mistakes that keep on being made: reentrancies, or precision loss errors, lots of these common mistakes that we keep seeing.

Or Cyngiser: So you can take a wide view of all the projects, like what the project is doing, and see if any of the simple things are going wrong. But usually these bugs will get reported by a lot of others. So the submissions that really make you the big bucks are gonna be the special ones that require the most logical understanding of the project.

Or Cyngiser: And those are usually the ones that actually take you the longest time to find, because on the surface level they aren’t even visible. And sometimes these bugs don’t have anything to do with Solidity. It’s only about the thought process. It’s about what you are logically allowed to do. It could have been written in English and the bug would still be there.

Or Cyngiser: These are some of the more elegant findings you can find, right? So it’s about the thought process having gone wrong, not the translation of thought into code. So we want to have enough attention and focus to figure out all these different potential avenues of where things could go wrong, and eventually the probability is that at some point you’ll find something. And you have to come with the right mindset of coming to find something and not giving up in the first place, because that will definitely affect how you will be able to spot new bugs. If you come with this determination to succeed, it’ll actually help.

Patrick Collins: So it almost sounds like there’s so much to look at, right? You gotta understand the contracts. You gotta look for the classic Solidity bugs; the cooler bugs probably have nothing to do with Solidity.

Patrick Collins: Is there a first step that you take? Okay, you look at the project, you say, okay, I’m gonna tackle this first thing I need to do. It almost sounds like the first thing you need to do is understand what the contract is doing. Do you go through every single line until you have a good idea of what the contract’s doing before you start looking for bugs, or what’s step 1?

Or Cyngiser: Yeah. So step one is looking at the documentation, and sometimes it goes beyond documentation, like understanding the concepts behind the documentation, right? So if I have no idea what perpetuals look like, I would first read on Investopedia or some other website about them. Then see how they are looked at from a contract perspective in the docs.

Or Cyngiser: And then see their implementation of these concepts. And when you build these blocks of understanding on top of each other, then you can see where there are some gaps where the blocks aren’t correctly built on top of each other, right? So this could be somewhere to focus on once you get a good enough understanding.

Patrick Collins: So the docs are really just a tool for building your understanding. So you read the docs so that you can understand what the whole project is supposed to do, and then with that knowledge you can start going in. So if you read the docs, you say, hey, this is an application for staking.

Patrick Collins: You’re saying once you understand that staking is locking up collateral, then you can go to the code and say, okay, where’s the stake function? Okay, it’s here. Does it match up with what I conceptually think they’re trying to do? And then you just keep doing that for the whole contract.

Or Cyngiser: Yeah.

Or Cyngiser: And eventually you want to go over the whole contract, at least as a first pass. And sometimes I even document the number of passes I do per contract in order to increase my confidence that this part is legit. You definitely want to go over everything separately. And then after that you also want to have another pass where you try to understand the dependencies and the ways in which the different contracts interact together, because that may introduce lots of risks as well.

Or Cyngiser: So I would say you start with getting a good understanding of the whole system. Then you go into the block level, then you start adding those blocks together in your mind. And if you can see how these different blocks are connected in lots of different ways, then this multiplies your percentage of finding anything.

Or Cyngiser: There are way more combinations that the state can find itself in, right, if there are lots of different ways that this code can interact.

Patrick Collins: Yeah. I really like that just as a baseline. Hey, step number one, always make sure you understand what the code is supposed to do.

Patrick Collins: Because going through and just looking for the regular Solidity bugs, pretty much anyone’s gonna be able to find those. But having that base of knowledge is where the real bugs are and where the real exploits are gonna be. It makes a lot of sense. Let me ask you this too.

Patrick Collins: So you use Tenderly, you use Foundry. In the back of my mind, I’m always like, why is there no CLI for Tenderly? Why can’t I run Tenderly locally? Because with Foundry you can fork the blockchain, and Foundry has forge debug where you can trace your transaction.

Patrick Collins: Do you feel like the forge debug transaction tracing is a little too hard right now? How do you compare the Tenderly kind of debugging versus Foundry’s forking and debugging?

Or Cyngiser: I think in Tenderly you can still get a node RPC and interact with it in whichever way you want through a local web3 library.

Or Cyngiser: We can do that. But there are different use cases for each of them. I think eventually, if you’re going to go the full depth and really be able to do whatever you want, you’d want to use Foundry; it’s a little bit more powerful. But if you wanna debug mostly the surface level and don’t have very specific use cases in mind,

Or Cyngiser: I think using Tenderly will give you pretty much what you’re looking for. I think Tenderly keeps on developing and there are going to be more CLI-like features integrated into Tenderly. But right now I would say the debug functionality of Foundry is a little better and more comprehensive.

Patrick Collins: Gotcha. But you said you’re still using Tenderly a lot of the time, though.

Or Cyngiser: Because eventually, for the POC, you’d wanna do it where it takes you the least amount of time, and on Tenderly you can fork mainnet and do any activities you would like, craft new transactions.

Or Cyngiser: And basically you can build the transactions on top of one another and it’s pretty visual. and if you need to do something very specific with call data or something more complex, then you can always do it behind the scenes like yourself and paste whatever calculation you came up with into the actual arguments you’re passing to each transaction. Yeah, so I’ve never had a once you understand the fundamentals, then it doesn’t really impose too much of a challenge.

Or Cyngiser: Even as a researcher, like you like having all the control by yourself, but you, there’s some kind of view that likes the guilty pleasure of just doing something very simply and having it work the first time.

Or Cyngiser: And generally gives you that feel that you forgot how it fell beforehand.

Patrick Collins: So what are you working on now?

Or Cyngiser: [00:30:00] I’m trying to do like a couple of things at once, so let me give you like a quick rundown.

Or Cyngiser: So I have five mentees that I’m currently training to find bugs on Immunefi. We have some weekly meetings and I try to help them and give them the guidance they need to successfully find bugs, and if they have good leads or something like that, then I help them report them as well.

Or Cyngiser: So I try to help and reach a larger volume of projects this way, because five people are always gonna be better than one, right? In terms of capacity. Another thing I’m trying to do is booking some private audits. I recently booked two audits and I’m trying to book some more, and we’ll try to improve the Trust Security brand and have more projects coming my way [00:31:00] directly. And I’m also choosing some nice Code4rena contests which I think I have some edge in. And they’re pretty challenging, and are new in terms of some of the innovations they bring.

Or Cyngiser: So I might focus on them as well. And I just got accepted to be a judge at Code4rena, so I will be able to see how others are submitting their reports and grade them. And this way I can also have greater impact on the ecosystem, right? So to be able to surface up to the project level the most interesting issues, and also to grade and assign scores to wardens in Code4rena, will definitely be interesting and be a positive impact on the space.

Or Cyngiser: And finally, I’m also trying to get a course set up for smart contract security. Hopefully [00:32:00] I’ll be able to run a training for additional people at Blackhat. So this could be a really cool way to get into smart contract security, building a four day course, and hopefully it’ll run in the coming Blackhat.

Or Cyngiser: And I plan to have this course take you from an intermediate level to an expert level, like almost master level. And hopefully like I can get developers which aren’t yet very sharp on their security skills, but have some understanding of blockchain technology to be good enough and have enough understanding.

Or Cyngiser: Really address all the issues even before they come up to become a major threat to their projects.

Patrick Collins: Nice. And so you mentioned that you’re doing smart contract audits privately as well. What do you think the optimal path for a project should be? What should they do? I’ve seen a pretty common [00:33:00] theme emerging more recently where they’ll do a private audit, then they’ll do Code4rena.

Patrick Collins: And then they’ll kind of ship, maybe not ship and then also have a bug bounty on Immunefi. And that’s the security suite that they take. What do you see as being the best process for these projects to get security help?

Or Cyngiser: Security is something that you don’t want to leave to the end. It’s not one of those okay, let’s do it at the end of the game, like in football in the 19th minute, right? We don’t wanna wait to the end, because security should be addressed at the architecture level and at every stage in the development life cycle.

Or Cyngiser: It’ll actually help so much, because it’ll really spare a lot of refactoring that you’ll need to do after the audit finds whatever findings they have and might make you change the code base in a pretty big way. So you wanna basically fix the bugs before they’re even [00:34:00] created, potentially.

Or Cyngiser: For this, you want to have developers which have good security understanding, and you might want to get consultation from lots of web3 experts that you can find on Twitter. And audit firms will help you set up the project on the way to becoming secure even before launch.

Or Cyngiser: Even before you’re gonna get your final audit. And in terms of auditing, Code4rena is going to be probably the place where you’re gonna get the most varied, and in terms of amounts of findings, because there’s a lot of different people in Code4rena that have backgrounds in specific disciplines.

Or Cyngiser: So you might find some warden will find very specific oracle bugs. Another warden will find deep, logical bugs like I try to focus on. And also you get all the easy ones that appear in every contest, but still developers can [00:35:00] often miss them. So you’re gonna get a lot of different bugs, and there’s gonna be a lot of changes you’ll probably need to apply to your code.

Or Cyngiser: And after that, Code4rena actually offers another round of mitigation review. This round will basically make sure you didn’t introduce new bugs and that you fixed all the existing findings in a successful way. I think this might give you the best chances of shipping a secure product, simply because there’s more eyes on the code using Code4rena or Sherlock platforms than going to your big tier one, tier two audit firms, where you actually don’t even know who the auditors are which will look at the code.

Or Cyngiser: They might be interns, they might be experienced guys, we don’t know. And you’ll get a better sense of trust in your code once there’s gonna be like 50, 60 people looking at it in Code4rena. I do think that it makes sense to have more than one audit before [00:36:00] shipping, because there’s still going to be some things that are potentially missing from one audit to another.

Or Cyngiser: From that perspective, I would say if you’re gonna have a Trail of Bits audit and then an Openzeppelin audit, then you should, you choose, you should just have one folder in audit because you’re gonna have basically 50 audit firms do the same thing, like on your code and you’re getting, you’re paying just for like maybe a couple of audit firms.

Or Cyngiser: This is like the equivalent in Code4rena. One more thing that is important to say is that you cannot assume code is secure after any additional changes to it. So if you have any sort of upgrade going into the code, you need to be aware of a full security cycle that needs to be done.

Or Cyngiser: So we’ve seen hacks happen before just because small changes are appearing. So I would say try to focus on not rolling out a lot of different upgrades. Like you don’t wanna be like iOS 15.0, .0.1, .0.2. [00:37:00] This will only increase your chances of inserting bugs, because you don’t necessarily have a budget to audit every single minor.

Or Cyngiser: So I think the correct security-aware stance is to ship out less frequent but very secure updates. And each update will be audited by a brand new trust.

Patrick Collins: Awesome. So just one more question and then we’ll wrap up. Should individual audits be just replaced by Code4rena?

Or Cyngiser: I would say you’re gonna get better value for your money in Code4rena, because you’re getting the talented guys, which are incentivized to find bugs to get their own money, right? Otherwise, basically in Code4rena you’re gonna get a lot more people and a lot more talent than you’ll probably get in other brands which don’t have the same workforce necessarily.

Or Cyngiser: You don’t know the actual auditors which are doing the work, who they are, but you’re basically paying for the brands, for the stamp of these firms. [00:38:00] I would say when you have a chance, do it. And I’m not getting paid by Code4rena to say this, and obviously I’ll always be happy to audit more stuff in C4, but from an objective perspective it’s historically proven that in C4 we find stuff that’s missed in previous audits, and I don’t know if we ever missed some bug which ended up getting exploited.

Or Cyngiser: From a track record point of view, I think Code4rena offers the best experience for projects that are sticking to secure the code, the products.

Patrick Collins: Do both then, do an individual audit and Code4rena? Or are you just saying no, just do Code4rena?

Or Cyngiser: I would say if you’re doing it on different uh, versions of your code, then that makes sense.

Or Cyngiser: If you have some development, but you still want to have a final audit, then you can have an intermediate audit done by some specific firm or independent auditors. And then in the final stage before you wanna ship, [00:39:00] that’s the time where you really want to have as many eyes on the code as possible.

Or Cyngiser: So if you’re gonna have a C4 audit, do it at the end when it’s just left for launch, and that’ll give you the kind of trust you need in the code to ship.

Patrick Collins: Or where can people find you?

Or Cyngiser: You can find me on Twitter at @trust_90. I’m usually hanging out and retweeting cool new findings and bugs, and also my own bug submissions, sometimes nice Immunefi findings. And also I’ll be available, I hang around in the C4 Discord channel a lot and on the Immunefi channel. So you can find me over there and also on my website, trustindistrust.com.

Patrick Collins: Awesome. All right, Or. Thank you so much for being here. And go follow Or go follow @trust_90, learn more about security, and we’ll see you all in Code4rena.
