I started in web3 security by doing code4rena contests in 2022. I made $46.04 on my first one (Nibbl). Got lucky on the second one and made $926.63 (Illuminate) with ~6hrs of focused work.
I was hooked. I was already making close to $200k/yr base pay in my full-time job, and this was even better ROI on my time, insane.
A few months into this, I won my first contest. A Champion. 1st place, everyone else was behind me. Still, it was a small contest, made only $3561.22 (VTVL). This taught me that everything is possible in this space.
I started doing all contests and posted about it on X, then it found me - someone reached out to do an audit for him. "A solo audit?" I said - he nodded. $600 for 6 hours of work - DEAL.
After this, in a week I got another solo audit for $1500, which took me ~10hrs - even better. Felt awesome. I later got invited to work with OakSecurity and got paid $3000. I felt rich now.
Here I was all-in, spending all my awake time to study and learn, speak to other people, analyse opportunities, I wanted to grow and be better. Was finding more and more vulnerabilities.
Now, I joined Spearbit in an Associate Security Researcher position, which I was proud of, with an advertised weekly rate of $6250. I don't think I ever ACTUALLY got paid that, but on paper, it looked cool.
More solo audits followed - got my first 5 figure deals and it was pure profit. I had a good stream of clients. It was a business. This is ~February 2024.
At the end of the year I launched a full-blown web3 security company, Pashov Audit Group. It was really about doing MORE of the good work, for more web3 projects. In 2.5yrs we did 500 audits so I guess that's that...
The big lesson in here is that you can start small, very small. Again, $46.04 dollars. I kept going. Added lots of zeroes to that number. Spoke to the right people and teamed up with them. Ignored the naysayers, kept going. I really kept going, still going.
Your time to decide now - will you keep going, or will you quit? Choose wisely🙏
We just opened Season 1 of @ZealynxSecurity's Audit Grants program.
Built for pre-mainnet DeFi protocols where the math is broken: senior audits cost $30k+, and that money doesn't exist at seed stage.
3 tiers:
→ Full Grant: 100% covered
→ Partial: 50% covered
→ Promising: 25% covered
No equity. No tokens. No follow-on.
Applications open June 15 → link below 👇
🚨😱From zero Solidity knowledge to a $135,000 confirmed critical bounty in 2.5 months.
Here is the story:
Before Web3 security, he was a software engineer building AI agents, with a strong JS background.
That helped him pick up Solidity fast.
He started learning Solidity at the end of November 2025.
By mid-February 2026, he had already found his first critical bug on Immunefi.
AI helped him move faster too:
understanding protocols, brainstorming attack paths, reviewing assumptions, and figuring out where bugs could hide. But the real separator was still the mindset.
It was grinding 12–14 hours a day, 6 days a week, switching from “developer” to “attacker” mindset, and refusing to quit during the hard phase.
For new Web3 bug hunters:
You do not need 5 years before you find real bugs.
But you do need obsession, consistency, protocol understanding, attack intuition, and the ability to keep going when nothing clicks yet.
The learning phase ends when the real hunting starts.
Beast!👏 @Omisanin0
The biggest regret of my life was buying too few Telegram numbers back in December 2022, and it still is. The purchase price at the time was $4, and the current floor price is $2,800. 💔
Web3 makes people impatient.
You see someone make $100k in a single contest. You see someone get a $500k acqui-hire. You see protocol founders raise $10M seed rounds. And then you're staring at your $50 Code4rena reward after three months of grinding.
Here's what kept me going.
The moment I started I understood I was looking at a five-year timeline. Not six months. Not one year. Five.
That framing changes everything. You stop benchmarking your week against someone else's highlight reel. You start asking "where will I be in 2030." Frustration gets manageable. Boredom gets manageable.
If you're early in your career transition and you find yourself frustrated every few weeks, the issue isn't your speed. It's your timeline.
I read these affirmations every morning before I start working.
If you're on the journey to becoming a security researcher, I think you’ll need this too.
It only takes a few seconds to read.
Print it out.
Put it in your workspace.
BOOKMARK THIS ⚠️
1. I will become a highly skilled security auditor.
2. I study every day, but I focus only on what moves me closer to the level I want to reach.
3. I am not a procrastinator. I am disciplined, consistent, and serious about my future.
4. There are bugs hiding in every codebase. My job is to build the skill to find them.
5. I can become highly valuable in this space if I keep improving every day.
6. I do not need to be perfect today. I just need to be sharper than I was yesterday.
7. Every hour I spend learning security compounds into freedom, reputation, and opportunity.
8. I train my mind to think like a world-class security professional.
9. I embrace difficult concepts because mastery comes from persistence.
10. My consistency today is building the expertise I will rely on tomorrow.
11. I stay focused on growth, not distractions.
12. I am becoming more analytical, observant, and disciplined every single day.
13. I have the patience to learn deeply and the courage to keep going.
14. Every challenge I overcome increases my confidence and capability.
15. I am building a future where my skills create impact, respect, and financial freedom.
Most people think smart contract security is about writing secure Solidity code.
It’s not.
The best security researchers use reverse psychology.
They think like attackers.
Here’s why that mindset is everything in Web3 security
Let's dive into the psychology of smart contract security.
➪ A normal developer asks
How does this contract work?
A security researcher asks
How can this contract be abused?
That single mindset shift changes everything.
➪ Smart contract security is psychological warfare.
Attackers intentionally
➣ Abuse assumptions
➣ Manipulate logic
➣ Exploit edge cases
➣ Weaponize user behavior
➣ Create unexpected states
Auditors must mentally simulate chaos before attackers do.
➪ Most exploits happen because developers assume users will behave normally.
Attackers never do.
They
➣ Send weird inputs
➣ Manipulate protocol states
➣ Exploit timing
➣ Abuse integrations
➣ Break assumptions
Security researchers train themselves to think in reverse.
➪ One of the most important questions in auditing is
What is the developer unconsciously trusting here?
That question alone can uncover
➣ reentrancy
➣ access control bugs
➣ flash loan exploits
➣ signature replay issues
➣ oracle manipulation
➪ Example
A developer sees
balances[msg.sender] -= amount;
payable(msg.sender).transfer(amount);
Looks harmless.
An attacker sees
Can I re-enter before execution finishes?
That reverse thinking led to The DAO Hack.
➪ Threat modeling is basically structured reverse psychology.
Instead of asking:
What features should we build?
Security engineers ask
How could every feature become dangerous?
That’s how elite teams discover vulnerabilities early.
➪ Modern Web3 attacks are not only technical.
Attackers also exploit
➣ greed
➣ urgency
➣ fear
➣ trust
➣ authority
This is why phishing and malicious governance proposals still work.
Humans are often the weakest attack surface.
➪ The dangerous thing about vulnerabilities?
Many vulnerable contracts LOOK secure.
Clean architecture.
Optimized gas.
Beautiful UI.
Attackers don’t care.
They care about:
➣ edge cases
➣ economic weaknesses
➣ state inconsistencies
➣ external dependencies
➪ Flash loans changed DeFi security forever.
Researchers suddenly had to ask:
➣ Can governance be manipulated?
➣ Can liquidity be distorted?
➣ Can oracles be abused?
➣ Can accounting break in one transaction?
Reverse psychology became mandatory.
➪ The best smart contract auditors constantly think:
➣ Where is the trust boundary?
➣ What assumption exists here?
➣ What breaks under extreme conditions?
➣ What would an attacker try first?
That mindset separates developers from elite security researchers.
➪ Smart contract security is not just coding.
It’s adversarial thinking.
The best auditors do not merely read code.
They interrogate it.
➪ If you want to become better at blockchain security:
Stop thinking like a builder for a moment.
Start thinking like someone trying to break everything.
That’s where real auditing begins.
Bookmark this for your security journey ⚠️
We have worked with billion-dollar protocols and organised 150+ security audits over the past 3 years.
Here are 5 rules every Web3 project should live by in 2026:
(BOOKMARK AND RETWEET)
1. Don’t rely on AI security alone before mainnet
We are not there yet, and we won’t be there anytime soon to rely only on AI for security. AI should be leverage for auditors, a tool that helps them deliver better results, not a substitute. Dev teams running automated tools and calling it an audit is absurd. That’s how you start getting hacked. Security can be expensive, but it’s mandatory and existential. If you had $50M stored in your house, wouldn’t you invest heavily in protecting it?
2. High-paid devs ≠ secure code
We’ve spoken to many founders who believe that because they hired expensive developers, mistakes won’t happen. They will. Everyone is biased toward their own code. Security requires an unbiased, professional opinion from a dedicated audit firm. Never assume your devs can’t make mistakes, because that assumption can cost you everything.
3. Clear documentation reflects a clear threat model
This is extremely important for auditors. The clearer your documentation, the faster and more accurately they can understand your protocol and its intended behavior. If it improves the auditor’s work, it directly improves your security, so there’s no reason to neglect it. Messy or incomplete documentation increases risk and frustrates both auditors and users.
You also need well-structured contracts and proper NatSpec; they reduce audit blind spots.
Good structure makes complex systems easier to reason about and reduces the chance of missing critical issues. Follow the official Solidity guidelines and keep your code clean and consistent. Poor structure hides vulnerabilities and slows down the entire audit process.
4. Too many Crits and Highs? Don’t deploy
If you have lots of Critical and High findings in your first audit, that’s a clear signal there are likely more bugs in the codebase. An audit is a time-restricted engagement, and if the system is full of issues, not everything may be uncovered within scope. That’s not the auditor’s fault. In this case, you need a second audit before even considering mainnet.
5. Have a detailed incident response plan
You may think it can never happen to your protocol, but no one is 100% safe. There is always a real chance something goes wrong, and you need to be prepared. You need:
• Clear communication strategy
• Defined roles and responsibilities
• Precise steps in case of a hack
• Pre-made decisions such as pausing contracts or freezing assets
Everything should be prepared in advance, down to the last detail.
Uniswap ran a free AuditAgent scan, an AgentArena competition on UniswapX, and adopted the AuditAgent Business Plan in three months. Cody Born, Principal Engineer at @Uniswap, on what AuditAgent changed in their development workflow:
Today, we are introducing Immunefi Studio, a new suite of tools built with and for Immunefi’s security researcher community.
Finding a real bug is only half the battle. The other half is proving it clearly enough to get paid.
A strong finding can still be weakened by missing evidence, unclear impact, vague PoCs, unsupported claims, poor framing, or duplicate risk.
Immunefi Studio is designed to help researchers before two critical moments:
Before they start hunting and before they submit.
The first tools are Studio Review and Studio Signals.
Studio Review helps researchers strengthen bug reports before they submit to a real program.
It gives structured feedback on clarity, PoC strength, impact quality, plausibility, missing evidence, unsupported claims, and duplicate risk.
Sometimes the bug is real, the report is strong, and the impact is clear, but the same underlying issue may have already been reported.
Studio Review helps researchers check whether their report may overlap with an existing or previously submitted finding in real time, so they can sharpen their angle, clarify what makes their discovery different, and avoid wasting their best work.
It also helps researchers write, review, improve weak spots, and submit only when the report is stronger.
Studio Signals helps researchers decide where their time is most likely to pay off.
Choosing the wrong target is costly. Researchers can spend hours reading docs, tracing contracts, building context, and looking for a real vulnerability, only to realize the program does not move at the speed, severity profile, or payout opportunity they expected.
Studio Signals gives researchers better intelligence before they commit serious research time.
It shows real program data, including paid-to-closed ratio, payout speed, confirm-to-paid velocity, response speed, outcomes across severity levels, and other key signals.
The headline max bounty is not the full story.
Studio Signals helps researchers look beyond brand name, max bounty, and guesswork, so they can choose programs with more context and better alignment to their skills, goals, and time.
Together, Studio Signals helps researchers hunt smarter, and Studio Review helps researchers submit stronger.
Immunefi Studio is currently rolled out to 20% of users, with a full release coming soon.
Start using Immunefi Studio today or join the waitlist:
https://t.co/l1W4hC8cCY
More tools are coming.
Combinatorics of bug finding are brutal (warning: long text ahead).
I once wrote a brute-force bug finder (fuzzer) that could reproduce end to end a couple of historical exploits in EVM contracts.
Used the ABI to find reasonable steps, quantized each parameter with a few values based on type. All "autonomous", based on bytecode and real deployed state of contracts.
About a billion combinations in a severely reduced search space for a tiny contract with a few state-changing functions.
Ran on a Rust EVM stripped of almost everything, for hours -- forget actually using Foundry or reth. Had to make lots of assumptions to optimize it enough.
Found the exploit! But try a slightly more complex contract or more steps for an exploit and you'd have a better chance brute-forcing SHA256.
Can we improve on brute force? Tried GA, MCTS, ANNs. Nothing.
There's just no gradient. The exploit is 1 bit different from something completely useless. Curriculum learning doesn't help that much either.
Short of further reducing the search (basically telling the algorithm what it must find), the only way to improve is a better random generator biased with heuristics either hand-crafted by a human, or extracted from statistics of historical bugs.
Human-written heuristics are very expensive to produce, and not necessarily that good.
Statistics based heuristics are biased towards what looks like previous bugs.
The likelihood of a novel exploit type is for all practical purposes zero. For existing exploit types that are very similar to historical ones, the search space still grows exponentially, long sequences of steps are still unfeasible.
And it has gigantic blind spots -- for any heuristic the potential exploits you could find is an infinitesimal amount of the true universe of exploits.
It does amazing as long as the probability distribution of steps matches typical exploits in training, and exploits are relatively short.
Just a couple of out of distribution steps make it impossible to find.
And the most valuable bugs are hardly ever in distribution.
Maybe you can get lucky with some missing initialization leading to a 10M bounty, but this isn't 2022 anymore.
And the above analysis is for an already completely amputated search space.
Add the entire DeFi landscape as potential attack vector for a highly integrated protocol and we can't even enumerate steps to choose from, much less navigate a decision tree of steps.
If that problem is so intractable, then how do humans do it?
I know this will shock many people, but humans aren't doing tree search.
We are not fuzzers, static analyzers, ML algorithms either.
We are not "Neural Networks", Genetic Algorithms, and most definitely not LLMs.
We are not running Monte Carlo simulations in our heads.
We are **thinking**.
The fact that we don't know how to describe that in terms of Turing Machines doesn't make it go away. I'm not positing some magical or spiritual entity -- I'm just looking at reality and believing it rather than assuming it must fit whatever I think *intelligence should be like*.
You don't even need to look at humans. We have no computational model for the complexity of **worm** behavior.
We just don't know the algorithm for doing what animals do in general -- definitely not for when you confront them with atypical circumstances. And if we did, we'd have no idea how much compute it would need.
Until we do, throwing money at it can at best emulate typical behavior for a distribution based on past samples, at exponential cost. That's what the "scaling law" is. "I don't know how to do it, but give me enough money and I guarantee I'll create God."
This year many millions were paid in web3 bounties already. A very small share of it was by people who *claim* it was found by "fully autonomous AI".
I personally made more in bounties in my career than all of the "autonomous agents" combined. I'm not the only one.
You can raise VC money or burn your own in tokens as you race to the bottom of only finding duplicates.
By all means use whatever tool you believe is best -- including LLMs, fuzzers, static analyzers, anything else.
But don't believe for a second your edge will come from them.
Hunting bugs is about taking a deep look at what is hidden in the blind spots of others. Now you have to look at the blind spots of LLMs too -- and they definitely exist.
And at least for the foreseeable future you'll need **Animal Intelligence** to do that.
At 21, Ehsan went from nearly homeless to earning $1.4M+ in bug bounties in under a year.
No degree. No formal training. Just 15-hour days in public libraries, ruthless discipline, and an obsession with finding bugs others missed.
New episode with @MitchellAmador and @Ehsan1579
"As of today, Frax assets worth over $500M span 20+ blockchains with LayerZero, having securely moved hundreds of millions across tens of thousands of messages and growing."
Incredible article. @samkazemian and @fraxfinance continue to set an amazing example as builders.
we are hiring 3 people at QuillAudits.
not "salespeople". not "growth hackers". real operators who can sit with a Web3 founder and talk about exploits, audit timelines, and why a single bad assumption can cost them 9 figures.
2x Security GTM Engineer
1x EIR, Productized Growth
LATAM, SEA, India, Eastern Europe. fully remote.
1,500+ protocols secured. 25+ chains. full lifecycle Web3 security.
trial task is real work. 3 rounds. we close in under a week.
links in replies. repost so the right person sees it.
No contest? No problem: all these security firms are hiring:
- @asymmetric_re : https://t.co/RCyRUgEDNk
- @Certora : https://t.co/1958qioS4J
- @chain_security : https://t.co/gM8Gye0wLg
- @OpenZeppelin : https://t.co/XyOFL315lf
- @trailofbits : https://t.co/nldaX0IfJz
- @zellic_io : https://t.co/ud7gtYC19g
I know firsthand that all of them have great people who will help you grow as a security researcher