As far as I understand, you don't just index the errors you find in the reports on Joplin. You also try to understand and learn from mistakes. Joplin actually becomes a checklist for your own audits.
Combine QA/Gas findings into a single report; submit mediums and highs individually. There is no set guideline; refer to the previous reports for how other people are formatting it.
Hi, sorry for bothering you again. In a contest, under the Attack Surface section they list a number of possible hacks for a .sol file. Does that mean that when an auditor tries to audit that particular .sol file, he has to take extra care about those bugs?
Hi Andy, I'm a beginner to smart contract auditing. I have previous experience as a contract developer, but not that much. When I try to audit contracts, especially very large ones where many .sol files interact with each other, I get more confused, and at some point all my energy drains out. At this point I am only able to find gas optimizations and some low-level findings, some or all of the popular findings mentioned on Secureum. I want to learn how to find vulnerabilities related to the core functionality of a contract, like the high and medium findings listed in reports on Code4rena. Can you guide me on what my approach should be to find those highs and mediums when I get a large contract? Thank you.
I know what code base you are talking about 😂 I would recommend some visualization tools to help understand the project. A lot of experienced auditors talk about reading the base contract first, then the derived contracts that inherit from it. Sol2uml helps with that: github.com/naddison36/sol2uml. Another tool you can use to understand call flows is: github.com/ConsenSys/surya
Hi Andy. Are you still doing traditional penetration testing as your day job? Or have you transitioned towards Web3? Like you've mentioned in your previous videos, Web3 security is becoming (just as) saturated as traditional pentesting. I've been avoiding Web3 because I'm worried it's just an industry phase... but now I'm not too sure. What are your thoughts? Perhaps a video on this would be great. Love your videos, thanks very much! :)
Yeah, I am still working as a traditional pentester, though honestly I am thinking about transitioning. It is getting saturated in terms of getting a quick buck from these bounties, but long-term it is still going to pay massive dividends. I also used to think web3 was a fad due to the scammy nature of the space, but realized there is legit work being done as well.