Learn from Reading Audit Reports (Sturdy Report)

5,084 views

Andy Li

1 day ago

Comments: 70
@francoisguyot789 2 years ago
The video is going out at the perfect time, thanks Andy !
@andyli 2 years ago
cheers!
@harshitsharma9474 2 years ago
Hey... Bro... I'm a blockchain smart contract developer... but never done this auditing part.... Although I'm new to web3... I have just 6-8 months of experience... Can you make a roadmap video for beginners?
@andyli 2 years ago
Yea man I made a beginner road map video already, check the channel
@harshitsharma9474 2 years ago
@andyli Yeah, just saw that... it's awesome... Thanks dude... ❤️
@ayushmanthapa_onion 2 years ago
Great video as always, thanks andy!
@andyli 2 years ago
No worries!
@ouailtayarth4012 2 years ago
Thanks for sharing your journey! Can't wait for the upcoming videos!
@andyli 2 years ago
Thanks for watching!
@codenerd8396 2 years ago
Thank you so much for this video, Andy! This helps beginners tremendously! Can you make another video explaining high and medium severity findings from other beginner-friendly audit reports? Much appreciated 💪
@andyli 2 years ago
Yeah I can do more videos like this if people find it useful
@leisureclub_ 2 years ago
@andyli It's indeed helpful... loving the channel
@SathishKumar-ys2xm 1 year ago
Hi, how and where do I need to start to become a smart contract auditor?
@andyli 1 year ago
I made a beginner roadmap video
@yourdailyblockchain 2 years ago
Thanks Andy - been going through a few of your videos and they're super interesting. I'm in I.T., so I'm pretty technical and I know blockchain, DeFi, CeFi, etc., but I'm not a developer/coder. More product/project mgmt. How did you learn Solidity coding so fast? Thx - Thomas
@andyli 2 years ago
I already knew how to code before this so it was not too hard of a transition. Auditing is mostly reading code.
@jerod2519 2 years ago
Thanks!
@andyli 2 years ago
You're welcome!
@andyli 2 years ago
lol just noticed that was a "Super Thanks". Cheers man! The first I have received on this channel :)
@jerod2519 2 years ago
@andyli Haha, no worries! I've learned so much from your videos, and especially this one. Just wanted to send something your way as appreciation. Thanks for doing these!
@andyli 2 years ago
@jerod2519 Glad you found the videos useful!
@lacag-lacag 2 years ago
Thanks bro
@andyli 2 years ago
👍
@wafflemakr605 1 year ago
Really useful video Andy! Please add more of these!
@yufang173 2 years ago
Perfect, thanks 😀
@andyli 2 years ago
👍
@ercanak2254 11 months ago
good job bro :)
@apostle5135 2 years ago
Awesome!! Thanks Andy :) need more of this :D
@andyli 2 years ago
will do!
@serousetrick 1 year ago
Hi, I have a question, I am a beginner in this. How do I find the fixed lines, corrected/missing lines, what do they look like? All I can see in these reports is a description of the solution, but there is no code line. How can I find the corrected contracts/lines/..? Is there any way I can find corrected contracts by the name of the warden?
@andyli 1 year ago
There won't always be a fix as part of the report.
@serousetrick 1 year ago
@andyli Very often, by reading the report I understand what they want to say, but if I needed to write that as code, there is a good chance that I would make a mistake. Thank you for the answer. And one thing: is there any way I can find how some other wardens solved some findings, or are we limited only to what the code4rena site shows?
@andyli 1 year ago
@serousetrick You can click into the finding and browse the GitHub repo; you will see all the submissions from other wardens as well
@blockchaintech9242 1 year ago
Hey Andy, thanks for sharing.
@andyli 1 year ago
No prob!
@chibatomosuke5080 2 years ago
How did you find the past "slippage issue"? Is this a manual method?
@andyli 2 years ago
Yeah I manually went through the reports
@chibatomosuke5080 2 years ago
@andyli You are a hard worker. I noticed behind the smart result, there is always a lot of effort that no one appreciates. Thanks!
@aizhetengFred 1 year ago
Really great content! Wondering if you go through the codebase first before you read the report? I tried to read the code first before reading the report but soon got burnt out. Some codebases are huge and hard to read.
@andyli 1 year ago
Just read the report; reading code takes a long time. If you want to read code, then just participate in a real audit contest and you can find out the results when the report is released
@aizhetengFred 1 year ago
@andyli Thank you for the quick reply. I will try to only read the report for now. Btw I'm going through all your videos. They are all great!! Nice work!
@Ashish93930086 6 months ago
Thank you @andyli for this answer. This question was circling around in my head for the last few days
@liyinz 2 years ago
👍👍
@andyli 2 years ago
👍
@MoCrits 1 year ago
Very helpful
@andyli 1 year ago
cheers
@raqeeb_ameen 2 years ago
Hey. So I got a question. I recently got interested in bug bounty hunting, and I am thinking about what to choose: either web2 or web3 (smart contract hacking). What would you prefer and suggest to me if you were a beginner and starting over? Because you have some cyber security certifications and you have experience in the field. Do you think web3 is the future and focusing on pentesting is not needed? What would you suggest to me as a beginner?
@andyli 2 years ago
Traditional pentesting will always be needed, it just depends on where your interests lie. Try a bit of both and see which you like better
@muhammadhaashir7489 2 years ago
Sir, kindly guide us about POC: what is it? And how to do it in an Immunefi bug report? Please.
@andyli 2 years ago
Proof of concept; you need to write code to demonstrate the bug
@muhammadhaashir7489 2 years ago
@andyli Thanks sir, but what kind of code am I supposed to write in the PoC: the company's smart contract code in which the vulnerability is found, or my own calling smart contract code?
@andyli 2 years ago
@muhammadhaashir7489 Depends on the vulnerability; sometimes you don't need an exploit contract
@muhammadhaashir7489 2 years ago
@andyli Thank you very much sir for clearing my confusion. From where can I get previous bug reports of Immunefi?
@andyli 2 years ago
immunefi.medium.com
@LukaS-oi1tk 2 years ago
Hey Andy, thanks for the video. How do you check code before/after implementation?
@andyli 2 years ago
Sometimes there is a link to the pull request in the findings repo
@so3litude_ 2 years ago
Thanks :)
@andyli 2 years ago
:)
@francoisguyot789 2 years ago
About the 9:55 finding, honestly I wouldn't even classify it as a finding, maybe a low severity. There is no need to sanitize every part of the smart contract from bad manipulation; if people didn't read it well or understand it and tried to interact with it in an exotic way, it's their responsibility.
@andyli 2 years ago
These edge case/user stupidity type of issues seem to be marked as Medium quite often. Another edge case example here: code4rena.com/reports/2022-04-jpegd/#m-05-rewards-will-be-locked-if-user-transfer-directly-to-pool-without-using-deposit-function-
@francoisguyot789 2 years ago
@andyli This one is interesting because it affects other users' funds. In the case of the finding in your video, it's about somebody trying to send both an ERC20 and ETH in the same tx. Nobody would do that and it's kinda ridiculous
@lacag-lacag 2 years ago
Andy, what do you think the future of web3 is? Will it be like web2, where it is actually hard to find one bug because it's full of competitors? Also, do you use software to find bugs or do you do it manually, like reading through the code?
@andyli 2 years ago
Only manual reading through the code
@lacag-lacag 2 years ago
@andyli What do you think the future of web3 is? Will it be saturated like old web2, where it's hard to find bugs?
@andyli 2 years ago
I think it will take some time before it gets saturated
@viktorcortez5706 1 year ago
Hi, thanks for your video. Do you have Twitter?
@andyli 1 year ago
Yeah, I have other social links on the channel page