Please give a warm welcome to Immeas in this month’s Warden Spotlight!
In August of this year, he blew his previous C4 performances out of the water with $23,323.06 in awards, and that trend has very much continued. September brought in $14,783.28, and November $16,892.25 so far. You can see this massive jump below.
Enough stats, let’s dive into the interview!
Can you please introduce yourself and provide a brief overview of your background and experience?
I’m a senior software engineer/tech lead with 10+ years in fintech, mainly in e-commerce and payments. Currently, I do auditing in my spare time.
I studied a Masters in engineering physics but got hired before I managed to graduate.
How did you get started in auditing, and what motivated you to pursue it?
I started about one and a half years ago. It was really a random late-night internet doom-clicking that landed me here. Before I had never heard about solidity or EVM and knew almost nothing about blockchain.
Motivation-wise I think it’s twofold, there’s obviously the monetary motivation. But almost as much, I’d say, it’s the intellectual challenge of understanding and breaking a piece of code.
The combination of getting challenged intellectually and the fast feedback chain is really powerful. You learn a new protocol/pattern or tech and then within weeks to months, you get feedback and (hopefully) a reward for your effort. So I got hooked.
Can you share an example of a particularly challenging audit you worked on through Code4rena and how you overcame the challenges?
The most impactful audit I’ve participated in so far was Chainlink CCIP. Not because I did great in it, I tried and absolutely failed, but it’s the one where my failures taught me the most.
The lessons I learned were not specifically vulnerability or code-related but rather how I should manage my time and focus better. Which shows in my later summer successes.
To me, it’s important to be invested enough in a task that it hurts when you fail at it. That’s the motivation to learn and become better next time. To not have to endure that failure again.
Hence the contests where I do try, I really try. Then there are audits where I participate just to see the code and get familiar enough to learn from others’ findings.
What skills do you believe are essential for a high-performing auditor, and how have you honed these skills throughout your career?
Auditing is largely about understanding new protocols, new tech, and new codebases fast.
I think the most important skill is being able to learn by yourself. And continue practicing learning, in whatever you do. Be it 15 min of Duolingo per day, perfecting a croissant recipe or ZK math.
Practicing different skills, not just audit-related, keeps your mind learning even when you have “off focus” time. I follow a lot of popular science YouTube channels. It’s great for keeping your mind busy while doing mundane tasks like cooking and cleaning.
Learning is also a skill that needs to be honed. Keep learning and practice learning in everything you do.
This together with knowing how to manage your focus I believe will make you a great auditor.
What’s your process for choosing what to submit? Do you have some sort of strategy?
Firstly, I don’t really bother with gas findings, no particular reason. Perhaps sometime I’ll pick it up. Sounds kind of fun.
Otherwise, lately, I’ve started submitting everything I find. Down to just normal code review comments for readability, code flow, and structure.
I don’t really have any copyable strategy. Whatever makes me itch enough, I submit.
Together with writing coded PoCs as much as possible. I think this is important. It both familiarizes you with the code and helps you understand the actual impact of the issue at hand.
Well, you’re clearly on the lookout for the important finds! We looked into your findings distributions and 81% of your findings are either Highs or Mediums (31% Highs, 50% Mediums). Also, on average, you make $660 per finding, which is in the top 10% of the average award per finding!
Your success in the last 90 days has been significant. Why do you think that is?
I’ve learned how to spend my focus better. Also, during the summer there was less happening at work which let me spend more attention on audits. Since auditing is very much focus-oriented, the more you can be in the “zone” the better you do.
Many have said this but it really isn’t as much about the amount of time you spend but rather about the quality of the time you spend.
Moving on, are there specific training programs, workshops, or resources that you found particularly valuable?
Hard to say, like many others, I started with the “How to become a smart contract auditor” by cmichel.
It’s hard to point to specific stuff because I learn on a need-to-know basis. I started with the usual CTFs (ethernaut, Damn Valuable…) and googled my way forward really.
As for CTFs, it’s a contested topic how important they are. To me, they were more for making me familiar with blockchain and basic solidity. Which helped me a lot. They were also useful for learning the basic patterns of common vulnerabilities. I agree with the sentiment that they don’t translate directly into real auditing. For that, you just have to dive into audits and try and fail and learn.
Another thing that stayed with me was one of the interviews that Andy did, can’t remember with whom. The message was, don’t just read others’ submissions but ask yourself what made them find what you missed. What question would you have had to ask yourself to make the same finding?
What opportunities do you see for auditors in web3?
I’m still not knowledgeable enough about the ins and outs of the web3 business to answer this.
What I can say from what I’ve seen in the time I’ve spent here is that everything needs to be safer. Coming from trad-fi and card payments, web3 has no safety nets for users which makes bugs and hacks a lot more impactful.
Audits are a crucial part of making protocols safer hence as long as web3 is around, audits will be around as well.
How do you think Code4rena is contributing to the growth and development of auditors in the blockchain industry?
I’ve only ever seen the public audit contest part of the whole auditing/security review industry in web3, hence, can only answer from this point of view.
But from here, the impact seems immense. C4 competitive nature fosters new talent very effectively and brings out a lot of incredible expertise. I am astonished at how effective this platform is in allowing talented and hardworking people to grow.
Looking ahead, what are your aspirations and goals as an auditor?
Currently, I’m trying to switch to auditing full-time (hire me!). As for my goals, I just want to do more, learn more, audit more, find more, and become better. And I still have the “finding a solo high” box to tick. So that’s obviously one of my goals.
Based on your journey and experiences, what advice would you give to individuals aspiring to pursue a career in auditing in web3?
Considering myself one of these individuals my advice to myself is:
Be humble. In the beginning, it’s a lot to comprehend. Not only how to understand blockchain but also how to write and judge the severity of issues. Stay in there and be kind to yourself. It’s the harsh reality that you’ll not succeed in the beginning and it’s rough seeing others succeed. Focus on yourself, become better, and learn from others.
Some more concrete advice that helps me a lot: Code PoCs. It’s a great way to learn a protocol by diving into it. Write PoCs for everything, once you start doing this, just by writing a PoC you’ll often find other issues. It might be hard if you don’t have a background in programming but if that’s the case it’s even more valuable. Spend time writing PoCs, not only to prove your exploit works (which is a great feeling) but also to learn the code in question.
I typically combine PoCs with an enormous amount of console logs to track the movement of all the internals.
Are there any specific qualities or habits that you believe are crucial for success in this field, and if so, how can aspiring auditors cultivate these qualities?
I think I covered a lot of it above. But being able to learn fast is very important. Together with knowing how to focus. Knowing yourself and when you are focused and how to stay focused.
Don’t overwork yourself, take breaks, do fun stuff. Your brain needs to relax too.
Get a quote for a solo audit with Immeas here.
