Why Auditors Should Hunt Bugs On Immunefi

By Immunefi, published in Immunefi
5 min read, Dec 17, 2021

As we reach the end of an eventful year of ups and downs, it’s a good time to remember the silent figures securing DeFi behind the scenes: smart contract auditors, many of whom will need to work through the holiday to roll out audits for projects launching in January 2022.

Auditors are the Clark Kents of the DeFi security stack. Quiet, unassuming, yet saving the day constantly without recognition. Whatever they’ve personally accomplished is often overshadowed by the name of their firm.

The work never ends for auditors: reviewing lines and lines of code that all look nearly the same, thanks to the fork-friendly nature of Web3. Hundreds of projects reuse recycled, unpatched code from old repositories, while also adding structural changes that may affect the integrity of the entire smart contract.

Despite the repetitive nature and long hours of work, auditors still have to be extremely careful — a mistake could mean severe consequences, and this creates a lot of stress.

Auditing is necessary, but it is sometimes a bit of a slog. What if there were another way to make smart contract security fun again, while earning massive payouts and reputation for it?

It turns out that there is a way: through bug bounty hunting. We believe that it benefits auditors, auditing firms, and the community at large.

We’ll explain how and why.

The Basics

As an auditor, you have extensive knowledge of smart contract code, as well as the details of execution, exception handling, etc. You’ve pretty much been breathing, eating, and living smart contract code. There’s no better suited individual for bug-hunting — unless, of course, you already are a bug hunter.

Bug hunting can be a breath of fresh air for auditors. Instead of going through multiple projects a month, you can commit all of your focus and attention to one project at a time. That means a lot less energy wasted on highlighting the same types of issues over and over again.

Unlike auditing, bug hunting is much more like trying to crack a safe or solve a puzzle, which means you get to flex your creative muscles and think from the perspective of an attacker. You can find creative solutions to problems that nobody else sees — and be at the forefront of a new discovery.

Audit Firms Should Encourage Bug Hunting

It makes sense for auditors to hunt bugs, so why doesn’t it happen more often?

Some auditing firms are under the impression that allowing auditors to hunt bugs hurts their bottom line because it distracts auditors from the work they’re supposed to be doing.

This couldn’t be further from the truth.

Reputation

An audit firm that employs expert bug hunters, living proof of its knowledge and expertise, often matters far more to clients than one that simply processes a high volume of audits a year. Bug hunters like samczsun are a major brand, reputation, and awareness booster for whoever employs them. They make auditing firms more relevant and raise their status.

Having a reputation as the home of hotshot bug bounty hunters will bring many more opportunities your way, including consulting deals, media appearances, panel invitations, and general praise from the community. It feels good to be known and respected for your talents.

This isn’t just a hypothetical. Auditors and auditing firms who have hunted on Immunefi, like Yannis Smaragdakis and Neville Grech of Dedaub, and Ashiq Amien of iosiro, have increased the reputation of their firms, saved a large amount of user funds, and scored new clients.

With a reputation for expertise comes better deals, higher client satisfaction, and a much better working experience for auditors.

More Money

Auditors are usually on a fixed salary at their firms, even if they find a critical bug that could wipe out hundreds of millions of TVL. Allowing auditors to spend some time bug hunting, during work hours or on their own time, allows them to stay motivated by receiving the right amount of reward for the amount of value they provide, given user funds at risk.

In bug hunting, you get rewarded for every new exploit mechanism and vulnerability you discover. Additionally, auditors and auditing firms can come to a revenue sharing agreement for bug hunting, so that there is financial upside for the firm as well, such as a 70:30 split between the hunter and the firm, or some other arrangement. Bounty splitting is common and acceptable.

Critical bug bounties can go for up to $2.5 million apiece on Immunefi. No matter the splitting arrangement, a bounty like that will make any auditor and auditing firm happy.

Continuing Education

Many auditing firms eventually specialize in an area of smart contract security, but smart contract development moves so fast that if auditors don’t have time for continuing education, they’ll quickly be left behind. One way auditors can keep sharp technically is for firms to allow auditors to look at code in the wild as it’s being created and released. Bug bounties are an excellent tool to incentivize auditors to stay up to date because if they find any vulnerabilities during the course of their education, they get paid for it. Imagine an educational course that brings the auditor and the auditing firm more money and prestige. That’s effectively what bug bounties do for successful bug hunters from auditing firms.

Fun

Bug hunting is extremely fun and exhilarating. This is a fact. First, it is a little break from the usual. Second, auditors get to experience the thrill of the hunt and the feeling of their pulse quickening as they realize how much money and fame they will be able to claim for themselves and their auditing firms after finding a critical bug.

Who will be the first auditing firm that will brag about being the “home of million dollar bug bounty hunters”? It could very well be Dedaub, or iosiro — both reputable firms that have disclosed important bugs, like the function initialization disclosure, or the uninitialized proxies issue.

Easy

On Immunefi, you use all the same skills to review code that you already use in auditing. There is no extra work for you to do. We have taken care of onboarding the projects and structuring the programs. The bounty programs have already clarified the terms for hunting, and the bounty rewards are clear.

You also have a champion in your court: Immunefi is here to secure the interests of bug hunters, since we only get paid when bug hunters get paid.

You can do as much bug hunting or as little bug hunting as you want. There are no timelines. There is no pressure. You’re not under the gun. You can hunt on the projects that you like and are interested in.

If you’re an auditor and want to hunt bugs but your firm has a policy against bug hunting during work hours, or even in your off-time, send them this article and open that discussion. Bug hunting has real benefits not just for auditors, but for auditing firms.

Needless to say, auditing skills are highly valuable. But are auditors and auditing firms really making the best use of them, if they don’t hunt bugs in their spare time? Think about it.


Immunefi is the premier bug bounty platform for smart contracts, where hackers review code, disclose vulnerabilities, get paid, and make crypto safer.