If you’ve been following along, you might remember my earlier piece, “The Best Security Education Tool in Web3,” where I introduced Solodit as a game-changer for blockchain security learning. This article picks up where that left off — detailing how I first used it myself to sharpen my skills before unleashing it to the world, how I turned its vast resources into a winning strategy for security contests, and how the platform has grown into an even more essential tool.
The Overwhelming Start
Solodit was my brainchild, born from a single idea: gather every past security finding from platforms like Code4rena and Sherlock into one place for study. But when I flipped the switch and saw thousands of reports pour in, I was stunned. Even as the one who built it, I thought, Whoa, can I actually handle this? Could I sift through this flood of data and pull out real lessons without dissecting every protocol’s source code?
I decided to dive in regardless, committing to 20 to 30 reports a day, starting with the latest competitions. Since I had participated in some of these contests myself, the material felt familiar.
Every evening, I’d sit back and wonder: What were the actual takeaways today?
I wasn’t sure I could spot those bugs in the wild yet. That nagging doubt pushed me to turn Solodit into more than just a pile of reports — it had to help me learn smarter.
Reflection
Using Solodit wasn’t just about hoarding reports — it was about making them work for me. As I struggled to keep up with the flood of reports, I began adding features that mirrored what I’d been scribbling in my paper notes before.
Comments: I’d scribble quick notes after each report — key takeaways or “oh, that’s clever” moments.
Tagging: I began grouping findings by type, like “math errors” or “access bugs,” so I could revisit patterns.
Scoring: I assigned “quality” and “generalization” scores to rank findings, later tweaking this into a rarity score for the truly unique bugs.
After each session of digging into 20–30 findings, I’d sit back and chew on what I’d read, trying to crack how those auditors sniffed out the bugs. It wasn’t enough to know what they found — I wanted to figure out how they got there, so I could spot the same issues next time.
That’s when I started building my own checklist, pulling insights straight from those reflections.
Checklist
Here’s the thing: I wasn’t just glued to reports all day. I was in the thick of it, jumping into every Code4rena and Sherlock contest I could. After each one, I’d pore over the results, zeroing in on what I’d missed that others caught. Every missed finding got a hard look — why didn’t I see it? I’d break it down into three buckets:
Lack of knowledge: I didn’t get the tech concept or the protocol’s business logic — time to study up.
Missing checklist item: I could’ve caught it if I’d had it listed, so I’d add a new line to my checklist.
Oversight: I knew the concept and had it covered by the checklist, but I slipped — I’d tack it onto an existing item as a fresh example.
My checklist grew into a living, breathing tool — packed with tricks.
It wasn’t long before it felt like a secret weapon, sharp and tailored to how I think.
And here’s a bonus I picked up along the way: I realized I didn’t always need to walk through a protocol’s entire codebase to understand its security flaws. The reports and the reflection — they were enough.
Digging for Gems
Not every finding was a revelation. Plenty were decent but predictable — fine for basics, not for breakthroughs. Then I’d hit reports from heavyweights like cmichel, watchpug, and 0x52. Their stuff? Goldmine material. Especially their solo finds — bugs no one else caught. I’d mutter, “Man, this is a diamond in the rough.”
To zero in, I tweaked Solodit again, adding finder details and a filter for solo or small-team discoveries. Then I’d deep-dive into those elite reports, reverse-engineering how cmichel might spot a hidden edge case or watchpug unravel a logic knot. Patterns emerged — subtle habits these pros shared without even realizing it. I mirrored their moves, and my checklist got sharper.
The Routine That Paid Off
For 2–3 months, I stuck with it — me, Solodit, and a daily grind of top-tier findings. Soon, I was entering contests with a new edge. My bug-spotting got faster, my submissions tighter, and before long, I was topping leaderboards. Here’s what worked:
Pick a master: I’d shadow an auditor like 0x52 for a stretch.
Filter the best: Solo finds or bugs caught by 2–3 people max — pure signal, no noise.
Study hard: 10–30 reports a day, about 2–3 hours of focused time.
Reflect and refine: I’d tag, score, and distill each session into checklist updates.
Repeat: Consistency was key.
It wasn’t magic — just a method that fit how I think. You might tweak it to match your own style, but for me, it was gold.
From Solo Hub to Public Powerhouse
Solodit started as my personal playground — a minimalist stash of findings I could query. But as I used it, I kept bolting on features born from necessity: auditor filters, comments, tagging. When I finally opened it to the public, it was ready to grow beyond my wildest expectations.
Since 2023, Solodit’s exploded. We’ve fused security checklists from top researchers into one slick framework — think of it as the ultimate auditor’s playbook. The database now holds about 40,000 findings from around 30 security firms, reaching far beyond Code4rena and Sherlock.
What began as my private tool is now a cornerstone of blockchain security, fueled by an amazing community and their feedback.
The Road Ahead
My dream for Solodit is huge: a daily go-to for developers and auditors — a one-stop shop to learn, debug, and level up in blockchain security. And I’m not alone in this.
Cyfrin, the crew backing Solodit, is swinging big to lift the heavy weights that matter for Web3.
Our ecosystem’s stacked:
Cyfrin Private Audit: Top-tier researchers reviewing and protecting protocols with precision.
Cyfrin Updraft: The world’s #1 platform onboarding over half of Web3’s devs and security pros with killer courses.
CodeHawks: A competitive audit platform with the biggest crowd of auditors, plus “First Flights” to onboard new talent.
Aderyn: A Rust-based static analyzer catching Solidity bugs in a flash.
Together, we’re chasing a vision to make Web3 safer and smarter — Solodit’s just one piece of that puzzle. The team’s all in, and I’m stoked to see it unfold. A massive thanks to Cyfrin for fueling this ride and to our users for pushing us forward with ideas and support. You’ve turned my little experiment into something epic.
Did you just read the reports and the code snippets attached? Or did you actually shadow-audit?
Does it still make sense to read reports that are more than two years old? I'm thinking mainly about staying focused and cutting through the noise.