00:00:00
This is Trust, AKA trust_90 on
00:00:03
Twitter, and he has been the top
00:00:05
earner four times in a row on
00:00:07
Code4rena's security audits, landing him the
00:00:09
number one spot in the past 90 days on
00:00:11
the leaderboard and totaling over 67
00:00:13
thousand dollars, and actually before
00:00:15
that also a couple of other
00:00:16
contests, a total of about 110 to 115k.
00:00:20
Code4rena is a platform where, instead
00:00:22
of going to a traditional auditor to get
00:00:24
your code reviewed, you actually open it
00:00:25
up to independent researchers who compete
00:00:28
to find the most
00:00:29
vulnerabilities, and those who find the
00:00:30
most and the most novel vulnerabilities
00:00:32
get paid. Trust has been killing it,
00:00:34
and I wanted to find out how he was able
00:00:36
to do this, so I invited him to an
00:00:37
interview to learn more about his
00:00:39
process for finding these bugs. So I
00:00:42
started by understanding, first of all,
00:00:44
the fundamentals before even starting to
00:00:46
deal with security concepts, because
00:00:49
security can only be built on a
00:00:51
good foundational understanding of the
00:00:53
technology. Step one: understand the
00:00:55
basics. Now this is both the basics of
00:00:57
the EVM, Solidity and smart contracts, but
00:00:59
also the basics of the whole space and
00:01:01
the protocols that you're going to be
00:01:02
working with. There were a lot,
00:01:04
obviously there are a lot of knowledge
00:01:06
gaps in terms of DeFi protocols and
00:01:09
financial concepts that most people
00:01:12
aren't aware of, because eventually this
00:01:14
is how the banking system works
00:01:15
currently, but it's really abstracted
00:01:17
away from us in the form of a bank
00:01:19
account which does all these things, and
00:01:21
institutional services, and in DeFi
00:01:24
everything happens transparently.
00:01:27
There's a couple of weeks where you just
00:01:29
learn about how collateral ratios work
00:01:31
and how liquidations work, and I actually
00:01:34
really enjoyed getting up to speed on
00:01:35
all these concepts in web3. For
00:01:38
Solidity the best reference was
00:01:41
the actual Solidity website. So then
00:01:43
I asked, what's the first thing you do
00:01:45
when you start auditing a project on
00:01:46
Code4rena? To that he gave us step
00:01:48
two, which is: understand the architecture
00:01:51
of the protocol you're working with, not
00:01:53
just the code but the actual project. I
00:01:55
like to take a top-down approach, and
00:01:58
through this approach I will start by
00:02:00
having a sound understanding of
00:02:02
what the contract's external surface
00:02:05
looks like. All right, so as a user, what
00:02:08
are you allowed to do with this contract?
00:02:09
And also read all the docs, because they
00:02:12
may give you a pretty cool understanding
00:02:15
that you wouldn't have otherwise. So the
00:02:17
docs are basically preparation for diving
00:02:19
into the code. I start from a zoomed-
00:02:21
out view and start digging into places
00:02:24
where I think it could be more
00:02:26
interesting to look. On Code4rena,
00:02:28
and in audits in general, there's scope, so
00:02:30
you want to make sure you spend your
00:02:32
time on the code that is in scope.
00:02:33
On Code4rena and in
00:02:35
most security audits there's this
00:02:37
concept called scope: it's what you're
00:02:38
allowed to look at and what you're not
00:02:40
allowed to look at. If you submit a
00:02:42
finding, a critical vulnerability, for
00:02:44
something that's out of scope, you don't
00:02:46
get paid. Once you identify all these
00:02:48
areas of code you start filtering out
00:02:51
the trivial things, and you want to focus
00:02:53
on the more complex stuff, like what sort
00:02:56
of code is actually new or novel in this
00:03:00
particular project, right? I like to
00:03:02
spend my time focusing on the new stuff
00:03:05
in each project, and also if they've
00:03:07
changed something on top of another
00:03:09
project, you need to ask yourself
00:03:11
why did they change it, and have they not
00:03:15
fixed any issues that exist in the
00:03:17
original, in the forked project? There
00:03:20
is basically no shortcut to
00:03:21
understanding how the code actually
00:03:24
works, and in order to find bugs you need
00:03:27
to find any assumptions that the
00:03:29
developers are making which are not
00:03:33
definitely true, because if there is no
00:03:35
gap, no misunderstanding
00:03:38
on the developer's part, then there won't
00:03:40
be bugs in the contract. There's always
00:03:43
going to be some gap in the developers'
00:03:47
understanding of the systems they're
00:03:48
building. That's one way to focus; another
00:03:51
way to focus is on easy mistakes
00:03:53
that keep on being made: reentrancies or
00:03:57
precision loss errors, lots of these
00:03:59
common mistakes that we keep
00:04:01
seeing. So you can
00:04:04
take a wide view of all the projects,
00:04:08
what the product is doing, and see
00:04:10
if there's any of the simple things
00:04:12
going wrong. But usually these bugs
00:04:15
will get reported by a lot of others.
00:04:17
The submissions that really
00:04:19
make you the big bucks are going to be
00:04:22
the special ones that require the
00:04:24
most thorough understanding of the
00:04:26
project, and those are usually the ones that
00:04:28
actually take you the longest time to
00:04:30
find, because on the surface level they
00:04:33
aren't even visible, and sometimes these
00:04:35
bugs don't even have anything to do
00:04:37
with Solidity; it's only about the
00:04:40
thought process. It's about what are you
00:04:42
logically allowed to do, and it
00:04:46
could have been written in English and
00:04:47
the bug would still be there. These are
00:04:49
some of the more elegant findings
00:04:52
you can find. Right, so if you read the
00:04:53
docs, you say hey, this is an application
00:04:54
for staking. You're saying once you get
00:04:57
that, once you understand what staking is,
00:04:58
locking up collateral, then you can go to
00:05:01
the docs and say okay, where's the stake
00:05:02
function? Okay, it's here. Is it doing, does
00:05:05
it match up with what I conceptually
00:05:08
think they're trying to do? And then you
00:05:10
just keep doing that for the whole
00:05:11
contract. Yeah, and eventually you want to
00:05:13
go over the whole contract at least as a
00:05:16
first pass, and sometimes they even
00:05:17
document the number of passes they do
00:05:19
per contract. In order to increase my
00:05:22
confidence that this part is legit, you
00:05:23
definitely want to go over everything
00:05:25
separately, and then after that you also
00:05:28
want to have another pass where you try
00:05:30
to understand the dependencies and the
00:05:34
ways in which the different contracts
00:05:36
interact together, because that may
00:05:38
introduce lots of risks as well. So what
00:05:40
are the tools that you'd use to do
00:05:42
this? Obviously it's important to have a
00:05:44
setup where you can experiment and try
00:05:46
out ideas. Personally, my setup is a Windows
00:05:50
machine with Ubuntu on WSL 2, and I use
00:05:55
it to run all my Hardhat and Foundry
00:05:58
tests. I usually try to do as little
00:06:00
as possible on the Windows side,
00:06:02
because everything works a little more
00:06:03
smoothly on Linux. A lot of my testing is
00:06:06
on Remix,
00:06:08
because it's just really great to trace
00:06:11
through and check out a lot of
00:06:13
different tests quickly, and when I need
00:06:15
to check specific events that take place
00:06:18
on some blockchains
00:06:21
I'll use Tenderly. tenderly.co is a
00:06:24
really great tool for debugging specific
00:06:26
transactions and for deploying your
00:06:30
own contracts and seeing how they behave. I
00:06:33
try to use the different tools as
00:06:35
the most important and appropriate tools
00:06:37
for the specific circumstances. It's
00:06:40
important to know Foundry and Hardhat, and
00:06:43
for Code4rena contests we want to make
00:06:45
use of the existing test suite that each
00:06:49
project provides, because it cuts down on
00:06:51
the amount of prep time you need,
00:06:55
and it's also great for developers, as
00:06:58
they like to validate whatever
00:07:01
finding you bring with their own tests,
00:07:04
so it's easy for
00:07:06
them to get into it and understand exactly
00:07:07
what you're doing. Where can people
00:07:09
find you? Find me on Twitter at trust_90;
00:07:13
I'll also be available, I hang around
00:07:16
in the C4 Discord channel a lot and on
00:07:19
the unified channel, so you can find me
00:07:21
over there, and also on my website,
00:07:24
trustindistrust.com.
00:07:26
So there it is: understand the
00:07:28
fundamentals, understand exactly what the
00:07:30
protocol does at a conceptual level,
00:07:32
and then number three, comb through the
00:07:34
code, seeing if what it should do is what
00:07:37
it is doing. Looking forward to seeing you
00:07:39
all competing on Code4rena.
00:07:40