Sign in Subscribe

Stop being the $1 leaderboard auditor

By Arsen
Stop being the $1 leaderboard auditor

You think experience is just putting in more hours.

Yes, hours matter.

But many people grind for months or years and still see no real progress.

They study AMMs, Lending, Cross-chain, Rust, Solidity, Move.

They end up at the bottom of leaderboards earning $1.

It sucks.

The problem is simple.

They don’t go deep — not into the code, their thinking, or their focus.

2025 is about quality.

Quality of findings.

Quality of reports.

Quality of thought.

Quality of questions.

Quality of focus.

AI is everywhere, but it still lacks real reasoning.

If you want to become a strong auditor, remember:
quality beats quantity every time.

Chase quality in how you read, study, and review.

This is how strong security auditors rise in the new Web3 era.

When I started, I spent hours on Solodit issues and old reports.

It helps, but only up to a point.

You should ask yourself every fucking day:

Is my approach efficient? Is my understanding deep enough? How well do I know this?

These questions are how you beat AI.

AI is great at math and explaining, but it cannot think for you.

At some point you may feel:

It’s so strong. Why would Web3 need auditors in the future?

But remember:

Slow and steady wins the race.

You may learn slowly at first, but deep understanding pays off later in real audits.

So how do you outperform?

By going deep in your review and analysis.

Take a complex exploit, for example.

AI can explain it, but it rarely goes deep.

That's why you need a system of:

  1. Studying
  2. Learning
  3. Improving
  4. Going really deep....

Every top auditor has it.

You need it to.

Before every deep/complex work that affect your progress

Ask yourself:

  • What are most important parts I need to concentrate on?
  • What I don't understand? *Define it clearly
  • What parts will lead me to understanding it?
  • What is my final goal I want to achieve?

And once you answer these and did your work, solidify your knowledge by:

  • Explaining it in a simple words to yourself
  • Reviewing each notes and look for a hole in understanding.
  • Create a post around it *it's good for promotion

For example, let's examing Elastic KyberSwap bounty.

It’s complex. You need to understand how CLMM works and how Kyber’s swap logic works.

Without that, you only understand the bug on the surface.

And it leads you to be "average".

Pro auditors rarely read audit reports issue

They study complex exploits which pushes them harder.

The core Kyberswap issue is simple — the system lets you double-add liquidity.

This has caused real losses in the past.

But the real question is: How do we reach this double-add, and what allowed it?

It starts with a single line of code.

Before you even look at that line, you must know the context:

  1. Which state parameters matter.
  2. What the starting state looks like.
  3. What the “bad state” is.
  4. What that bad state allows.
  5. What you must understand before studying the hack.

There is always more context behind an exploit than the exploit shows at first.

If you were the hacker and didn’t know the bug existed yet, you would still need deep context for every part of the code you touch.

Here are the key parameters:

  • sqrtP — pool price
  • currentTick — the pool tick
  • nearestCurrentTick — nearest tick divisible by spacing

Now look at the two possible states.

Normal good state at tick 20:

sqrtP              = sqrt(price at tick 20)
currentTick        = 20
nearestCurrentTick = 20

Bad state we want:

sqrtP              = sqrt(price at tick 20) // price is still exactly on 20
currentTick        = 20                     // this part is correct
nearestCurrentTick = 10                     // this is WRONG

At a tick boundary, currentTick and nearestCurrentTick must match.

The main objective is to break this rule.

Our goal becomes:

nearestCurrentTick == currentTick - 1

To understand this exploit, you must know how price behaves at boundaries in CLMM.

getTickAtSqrtRatio returns the floored tick.

Simple.

But edge cases matter:

When moving upward:

When price equals the right boundary, math says it already belongs to the next range.

tickLeft ≤ price < tickRight

When moving downward:

The boundary you hit is the upper endpoint of the lower range. (10–19).

The active tick is one lower (e.g., you hit 20 → active range is 10–19).

So the system applies -1 on downward moves:

swapData.currentTick = willUpTick
    ? tempNextTick
    : tempNextTick - 1;

This places the price in the correct left-hand range.

Now the hack begins.

The swap runs tiny sub-swaps.

At the boundary, a tiny swap moves us from 20 to 19 (because of the -1).
nearestCurrentTick updates to 10.

But the sqrt price stays at the price of tick 20.

It's intentional:

State we end up with:

  • nearestCurrentTick = 19
  • sqrtP = 20

On the second sub-swap:

  • The sqrtPrice still maps to tick 20.
  • The next sqrtPrice maps to tick 10 *it's next boundary we aim to.
  • This triggers a check that snaps currentTick back to 20.
  • But nearestCurrentTick stays stuck at 10 because execution breaks early and important function isn't called.

Then, in the final pool update:

nextTick (10) < currentTick (20).

So nearestTick remains 10.

This creates the bad state.

And once you reach that state, you can double-add liquidity and steal real money.

Once you will analyse such complex attack vectors

You will end up in a "confusion zone".

It's not classical solodit or audit report issue

It's pure alpha, which you MUST study.

And only studying such alpha

You learn to think, distill, analyse, attack.