Most people tend to go for the biggest wins when auditing smart contracts.
Truth is, I think it's the way to make the most money in the LONG RUN, but I've found it's not the best fit for me and how I audit.
I tend to take more of a War Dogs approach.
What is War Dogs you may ask? And why is it relevant to a thread about Smart Contract Security?
In "War Dogs," the main plot is about two dudes who decide to start selling guns to the military.
What's relevant here is the characters follow a unique strategy for running their business: focusing on smaller military contracts instead of big ones. This approach, often called the "breadcrumbs" strategy, helps them accumulate profits in a less competitive and scrutinized space.
By targeting smaller contracts, the "dogs" face less competition and can focus on the number of contracts more than the high-dollar ones. They can quickly generate revenue with quicker decision-making and take advantage of niche opportunities that larger companies might overlook.
The "breadcrumbs" strategy comes with advantages: easier scalability, and quicker turnaround. But it's not without challenges. They must maintain a steady stream of deals and navigate ethical and legal dilemmas in the arms trade industry.
And how does this relate to smart contract auditing? Well, over the past month I've stuck to contests and private audits with low SLOC; I think the highest I did was just under 1000 SLOC.
Why would I do that instead of focusing on one big audit with $300k+ in rewards?
Because I'm trying to clean up all the breadcrumbs that no one else wants, that's why.
People will spend weeks on a $300k codebase to come out the other end with earnings of 20k that they have to split with 4 other people they teamed up with. Mind you, I'm not shitting on anyone doing this. This is a great way to make money, especially if you're learning during the process. And I've learned a lot from the teams I've worked with. But for me, I prefer to digest a smaller codebase in a shorter amount of time and focus on finding unique and solo vulnerabilities and a HIGH quantity of other findings.
Since a lot of seasoned auditors avoid smaller contests because the payouts aren't as high as some of the bigger contests, you're usually competing with newer folks who tend to find the lower-hanging fruit while you get to do a deep dive on some of the bigger vulnerabilities. And that's as it should be: they're learning, and this is how you level up when you're starting!!
The lower SLOC in these contests allows me to deeply understand a codebase and have a higher chance of being one of a few people to find a vulnerability. That's a great way to increase your payouts while also increasing the number of findings you get on the leaderboard (though I understand they're usually ranked by $ amount).
Why not make this process easier on yourself by auditing easier codebases more frequently while moving up the rankings with more findings to market yourself with?
This is especially useful because your private audit leads aren't going to ask you how much money you made as an auditor. They're going to ask to see your past audit reports, and they'll want to know how many codebases you've audited previously and how many vulnerabilities you found.
Another reason I enjoy sticking to smaller codebases is because, as an auditor, and more importantly as someone running an independent business, I have to understand what motivates me. For me, my ADHD sets in and I get bored super easily and want to give up after staring at the same codebase for what feels like an eternity (though it's usually only two weeks). So sitting with a codebase for weeks is very demotivating for me, while for others this is IDEAL.
So I understand why auditors choose the bigger payout contests, but there are still tons of benefits in focusing on smaller contests in order to build a solid portfolio. Once you've grown and are well connected, big codebases will excite you and small ones will bore you. But I challenge you to spend a month focusing only on smaller contests and then another month focusing on high SLOC contests, and see which one is more beneficial to you. You may be surprised by the outcome.
Follow me for more thoughts on Smart Contract Auditing and retweet if you liked the content!