Where You’ll Get the Best ROI Bughunting on Fuel’s $1.3 Million Attackathon

Immunefi
5 min read, Jul 2, 2024

How do you bughunt on a codebase with 100,000+ lines of code?

You’re not alone in wondering this. Many security researchers have said they felt overwhelmed when considering the Fuel Attackathon. For only 5 weeks, this is a lot of code to review. Would your ROI (return on investment for your time) even be worth it? With these intimidating questions in mind, some have simply opted out of hunting on Fuel, missing out on the most profitable audit contest of the year, even for part-time Solidity-only auditors.

To understand the ROI of hunting on the Fuel Attackathon, you need to view it as several smaller contests bundled together. The sheer size of the codebase gives you more opportunities to find bugs and more stability in your potential earnings, no matter which part you pick to hunt on.

So, based on your time and skills, where will you get the best ROI hunting on Fuel?

Let’s break down Fuel into its parts so you can choose your own adventure. Remember, focusing on one part will yield you the best earnings.

Fuel Network Breakdown

  • Rust SDK: Rust toolkit for interacting with virtual machines and full nodes. Also known as fuel-rs and fuels. Don’t confuse the fuels-core Rust crate with the fuel-core Rust crate. The former is part of the Rust SDK, while the latter is a full node.
  • Fuel Core: The full client node. As with many projects, it implements a network layer and interaction interfaces like JSON RPC and GraphQL on top of the full node utility software such as Indexer.
  • FuelVM: Transactions in Fuel Network support the execution of smart contracts. The FuelVM executes contracts, scripts, and predicates in new ways. Pay special attention to predicates and how they can be debugged.
  • Sway: A new virtual machine needs a new high-level programming language. Sway is the everyday tool for developers on the Fuel Network. To get acquainted with the new language, you can use the step-by-step guide, learn how Sway builds constructs often used in Solidity, reproduce examples of popular dApps, and read the accepted standards.
  • Sway Libraries: Sway already has several libraries to simplify building for developers. Among them are standard libraries and misc libraries.
  • TypeScript SDK: An equally important part of the ecosystem is the user interfaces. To build web applications, developers will use the TypeScript SDK, which every dApp needs and on which the Fuel browser wallet is built.
  • Fuel Bridge: The number one dApp in the ecosystem and how users can transfer data across blockchains. It is an end-user application that utilizes all the features of the Fuel Network and EVM contracts written in Solidity.

Not all of the listed assets are included in the scope list. However, all of them are built on the basic elements of the protocol: the Fuel Virtual Machine, the Sway Compiler, and the SDKs. Studying a specific part at a high level will give you insights into which code snippets or core primitives will have vulnerabilities.

Where’s Your Best ROI?

Glancing at the breakdown above, there are probably parts that you can’t hunt on. Maybe they’re too much of a commitment or require learning tech you’re not interested in. Cross those off your list. Your best ROI will come from focusing on the part(s) most suited to you.

“But how do I find all the bugs?”

You don’t, and this is a good thing.

A unique aspect of the Fuel Attackathon is that it’s impossible for any single person to find all the bugs. Your rewards will be more reliable, since across the codebase you’re more likely to find bugs that are more unique and have fewer duplicates. Unlike a standard Solidity DeFi audit contest in which every contest auditor will be finding the same bugs, Fuel’s Attackathon has a wider attack surface allowing everyone to find more unique bugs.

Your best ROI is where your skill, interest, and time available meet.

Choose Your Own Adventure

So where should you focus?

1. If you have less than a week full-time to spend:

A. Are you a Solidity dev?
Focus on the Bridge. Bridge bugs are disastrous, especially on the L1 side on Ethereum. This allows you to utilize your Solidity skills in combination with how Fuel Network works.

B. Do you specialize in web2 or web2.5?
Focus on the Wallet, Explorer, and Connector. There’s a large attack surface on the web2 aspects of blockchain projects which fewer security researchers know how to examine and exploit.

2. If you have a week or more:

A. Do you know a bit of Rust or want to learn it?

I. Focus on the VM. This large codebase has a relatively high chance of having a critical. EVM knowledge will help here to find a bug among the moving parts.

B. Do you know about Rust or the Solidity Compiler?

I. Focus on the Compiler. Rust knowledge is required, but this is the holy grail of finding a bug because of how critical compiler bugs are. Knowing about issues in Solidity will help, as Sway is a new language, which means it may have similar issues.

3. What about the other parts?

The ultimate strategy when bughunting is to focus on what you’re interested in the most. The Client Node, Sway Libraries, SDKs, and other parts have bugs for those with the interest in understanding and breaking them. So while the VM, Compiler, and Bridge are the critical areas to focus on, this means there’ll be less competition for those who choose to hunt on these other parts.

Armed with this breakdown, where will you hunt on the Fuel Attackathon?

Start hunting on Fuel today.


Immunefi is the premier bug bounty platform for smart contracts, where hackers review code, disclose vulnerabilities, get paid, and make crypto safer.