🏴‍☠️ Hacks / Bounties

• Aave wstETH Oracle Error — $21M in Unfair Liquidations (Link)

• DBXen ERC2771 Exploit — $150K Loss (Link)

• Alkemi Self-Liquidation — $90K Loss (Link)

🗞️ News

1. Ethereum Bug Bounty Raised to 1M (Link)

2. Safe Zodiac Roles Permission Bypass (Link)

📙 Education

1. 9 Common Vault Bugs — Real Audit Findings (Link)

2. ERC-4337 Account Abstraction Security Risks (Link)

Deep Dive

That’s not the end. That’s the starting line.

We’re not programmers. We don’t write much code.

We read it. Every day. That’s the job.

Nobody teaches you how to read code properly.

You grind courses, collect tools, study vulnerabilities.

But the skill senior auditors do 80% of the day?

Reading code fast and deeply.

Most people are terrible at it.

The problem

Here’s what beginners do.

They open the codebase. Open the docs.

50 pages of specs and architecture diagrams.

Page 5 — overwhelmed.

Page 10 — lost the thread.

Haven’t touched a single line of code.

Or worse — they jump into one function.

Go deep immediately. Lose the whole system’s context.

Waste 3 hours on something that doesn’t matter.

Then they say:

No. You didn’t understand the code. You just read it.

The bugs are still sitting there.

The real problems:

• Docs first = overwhelm before you even start

• Going deep too early = wasted time

• “No bugs found” = you stopped at understanding

• No system = random scanning, random results

The 3 layers

Code reading has 3 layers.

Most auditors only do 1 or 2.

Layer 1: Skim & Contextualize.

Grab the big picture. Jump into the code. Not docs.

Layer 2: Deep Read & Memorize.

Go line by line. Walk the entire flow in your head

without looking at the screen.

Layer 3: Research.

This is where bugs actually live.

NOW read the docs. Compare to reality.

Study other protocols. Work backwards from failure modes.

Here’s the game-changer:

AI accelerates Layer 1 massively.

Feed it each function. Get line-by-line comments.

Ask it to explain flows above each function.

You get context 10x faster — and save that time for Layer 3.

Most auditors stop after Layer 2.

The ones finding criticals? They live in Layer 3.

The playbook

LAYER 1: SKIM & CONTEXTUALIZE

• Jump into code first. Not docs.

• Skim every function without going deep.

• Identify entry points, libraries, integrations, main actors.

• Use AI as your co-pilot here:

feed each function → get comments → map the flows.

• This is orientation. Not understanding yet.

You’ll lose context before you start.

LAYER 2: DEEP READ & MEMORIZE

• Go function by function, line by line.

• For each critical function: what it validates,

who can call it, what state it changes.

• The goal: close the editor.

Explain the entire flow from memory.

• If you get stuck — do another pass.

• ~50% of your audit time = Layer 1 + Layer 2.

Common mistake: moving to “bug hunting”

before you can explain the system from memory.

LAYER 3: RESEARCH (where bugs live)

• Read the docs NOW.

Compare every claim to the code. Contradictions = bugs.

• List developer assumptions. Ask: “What if this is wrong?”

• Study how other protocols solve the same problem.

• Research every error in try-catch blocks.

• Work backwards: all failure modes → eliminate what can’t happen

→ what survives is your attack surface.

Common mistake: treating “I understand the code”

as the finish line instead of the starting line.

Timeline for a 10-day engagement:

• Days 1–2: Layer 1 — skim, map, use AI

• Days 2–5: Layer 2 — deep read, memorize

• Days 5–10: Layer 3 — research, docs, comparisons

Arsen

Reply with what you want me to cover next — I read every one.