If you’ve seen my earlier piece, “The Best Security Education Tool in Web3,” you may remember I introduced Solodit as a game-changer for blockchain security learning. This article picks up where the other one left off.
It details how I first used Solodit to sharpen my own skills before releasing it to the world, how I turned its vast library of findings into a strategy for winning security contests, and how the platform has grown into an essential tool for security researchers.
Solodit was my brainchild, born from a single idea: gather every past security finding from platforms like Code4rena and Sherlock into one place for study. But when I launched it and saw thousands of reports pour in, I was stunned. Although I had built it, I thought, “Whoa, can I actually handle this?” Could I sift through this flood of data and pull out real lessons without dissecting every protocol’s source code?
I decided to dive in regardless, committing to 20 to 30 reports a day, starting with the latest competitions. Having participated in some of these contests, the reports felt familiar.
Every evening, I’d sit back and wonder: What are the actual takeaways today?
I wasn’t sure I could spot those bugs in the wild yet. That nagging doubt pushed me to turn Solodit into more than just a pile of reports — it had to help me learn smarter.
Using Solodit wasn’t just about hoarding reports. It was about making them work for me. As I struggled to keep up with the flood of information, I began adding features that mirrored what I had previously been scribbling in my notes by hand.
After each session of digging into 20–30 findings, I’d sit back and chew on what I’d read, trying to crack how those auditors sniffed out the bugs. It wasn’t enough to know what they found — I wanted to figure out how they got there so I could spot the same issues next time.
That’s when I started building my own checklist, pulling insights straight from those reflections.
Here’s the thing: I wasn’t just glued to reports all day. I was in the thick of it, jumping into every Code4rena and Sherlock contest I could. After each one, I’d pore over the results, zeroing in on what I’d missed that others caught. Every missed finding got a hard look — why didn’t I see it? I’d break it down into three buckets:
My checklist grew into a living, breathing tool packed with tricks.
It wasn’t long before it felt like a secret weapon, sharp and tailored to how I think.
And here’s what I realized: I didn’t always need to walk through a protocol’s entire codebase to understand its security flaws. The reports and the reflection were enough.
Not every finding was a revelation. Plenty were decent but predictable — fine for basics, not for breakthroughs. Then I’d hit reports from heavyweights like cmichel, watchpug, and 0x52. Their stuff? Goldmine material. Especially their solo finds — bugs no one else caught. I’d mutter, “Man, this is a diamond in the rough.”
To zero in, I tweaked Solodit again, adding finer details and a filter for solo or small-team discoveries. Then I’d deep-dive into those elite reports, reverse-engineering how cmichel might spot a hidden edge case or watchpug unravel a logic knot. Patterns emerged — habits these pros shared without even realizing it. I mirrored their actions, and my checklist got sharper.
For 2–3 months, I stuck with it — me, Solodit, and a daily grind of top-tier findings. Soon, I was entering contests with a new edge. My bug-spotting got faster, my submissions tighter, and before long, I was topping leaderboards. Here’s what worked:
It wasn’t magic — just a method that fit how I think. You might tweak it to match your own style, but for me, it was gold.
Solodit started as my personal playground — a minimalist stash of findings I could query. But as I used it, I kept adding features out of necessity: auditor filters, comments, tagging. When I finally opened it to the public, it was ready to grow beyond my wildest expectations.
Since 2023, Solodit has exploded. We’ve fused security checklists from top researchers into one framework, an auditor’s playbook. The database now holds about 40,000 findings from around 30 security firms, reaching well beyond Code4rena and Sherlock.
What began as my private tool is now a cornerstone of blockchain security, fueled by an amazing community and their feedback.
My vision for Solodit is bold: a daily go-to for developers and auditors — a one-stop shop to learn, debug, and level up in blockchain security. And I’m not alone in this.
Cyfrin, the team behind Solodit, is investing heavily in the work that matters for web3.
Our ecosystem’s stacked:
Together, we’re chasing a vision to make web3 safer and smarter — Solodit’s just one piece of that puzzle. The team’s all in, and I’m stoked to see it unfold. A massive thanks to Cyfrin for fueling this ride and to our users for pushing us forward with ideas and support. You’ve turned my little experiment into something epic.