🔦 Auditor Spotlight! 🔦
This week, we're featuring 0xluk3 (@0xluk3), a veteran web2 pentester (since 2015) turned elite multi-chain auditor.
With 70+ web3 audits and hundreds of pentests under his belt, his attention to detail is surgical.
In this thread, we’ll break down:
🤯 How one forbidden character bricked an entire protocol (and how he found it)
🏆 Why building a brand is harder than a 10-year engineering career
🧠 His #1 rule for surviving your first year in web3 security
Bookmark this immediately. 👇
The Death of the Audit Contest? A 2025 Retrospective
I will always be thankful for audit contest companies. They pioneered the open-sourcing of Web3 security knowledge, allowing security researchers (SRs) like myself to improve at a fast and consistent pace. However, looking back from 2025, it is clear that the landscape has shifted dramatically.
2024: The Golden Era
2024 was undoubtedly the best year in the history of Web3 audit contests. The volume of opportunities was unprecedented; almost every month featured a million-dollar prize pool, often with a dozen other contests running in parallel.
The hype was strong, and the space was filled with highly trained competitors. During this time, the number of submissions was manageable, and "report spam" was significantly lower than what we see today. However, 2024 was also the beginning of the end for the traditional contest model.
The Profitability Problem
In the early days (pioneered by Code4rena), audit contest platforms typically charged a 40% margin on the total audit pot. Despite these large margins, most companies were burning through VC cash and failing to turn a profit. They were in "growth mode," prioritizing market share over sustainability.
As the model's initial success became visible, it inspired a wave of new competitors. These companies introduced new models or used existing relationships with protocols to sell audits. This fierce competition was a win for protocols—they received high-coverage, deep-vulnerability reports as SRs competed to break their code—but it forced contest platforms into a "race to the bottom" on pricing.
The Shift in Incentives
To lower costs for clients, platforms had two options:
- Reduce the SR Prize Pool: This led to "conditional pots" and custom rules that favored the client (e.g., defining a "High" severity only if >50% of TVL could be stolen).
- Reduce Platform Fees: Platform fees shrank to 10%–20%, which is too low to sustain long-term growth or quality operations.
This created two major shifts:
For Platforms: They pivoted to private audits, which require less effort to manage and offer healthier margins.
For SRs: The most capable researchers with personal brands grew tired of "unlocked" pots—where they could work for a month and earn $0 because a specific threshold wasn't met. These top-tier researchers moved to private auditing as freelancers or by joining major firms.
The State of the Market in 2025
Today, most platforms are growing their profits by running fewer public contests and focusing heavily on the private/team audit sector. It no longer makes sense for them to sell a contest when a private audit is more efficient and profitable.
For SRs, the ecosystem feels broken. The top talent has moved to private work, while public contests are increasingly flooded with low-quality spam reports fueled by the 2024 hype and AI-generated submissions. The original incentive alignment between SRs, protocols, and platforms has fractured.
The Path Forward
I want the "Golden Era" of audit contests to reemerge. To do this, we must fix the incentives:
Healthy Margins: Platforms need to make enough profit to prioritize contests again.
SR-Friendly Terms: We must enforce terms that protect researchers' time and attract top talent back to the public arena.
Value for Protocols: By attracting the best researchers, protocols will once again receive the substantial security value that only a competitive environment can provide.
I have avoided naming specific companies because my goal isn't to create drama or attack anyone. These thoughts are based on my own analysis and data from friends in the industry. My only goal is to propose a way for our space to innovate and thrive once more.
Dear X algorithm,
Please show this post to protocols seeking commission-free solo audits from a network of over 80 elite security researchers.
Thank you 🙏
Thanks @AliX__40 for the invite to @soloauditcom! Feels pretty awesome to be amongst big-brained web3 security chads.
Let's continue to catch all the bugs in the world 🐛
A lot of friends have told me they really enjoyed this @bountyhunt3rz episode I was on!
🎙️ We dive into Web2 vs. Web3 security, keeping the independent security researcher dream alive, and more. If you want to check it out, here’s the link:
https://t.co/uL7h5XFzzG
BOUNTYHUNT3RZ Episode 26: w/ @AliX__40 & @0xriptide discuss @soloauditcom: his public good contribution to the security space where devs can find independent security researchers for hire, why @ValkyriSecurity is offering web2 & web3 security reviews, web2 bug hunting vs web3, web2 defi attack points, how we make this space secure for both grandma and JP Morgan, AI audits, and much, much, more ...
podcast, discord, substack, sponsors/discounts: https://t.co/rhuP3TD0An
OpSec & Wallet Security have never been more important. 🛡️
We curated 60+ resources to help you learn, audit & manage wallet security — all in one repo.
Go check it out 👇
🎙️Speaker spotlight:
We’re excited to welcome @AliX__40, Security Researcher and Founding Partner at @ValkyriSecurity. Anouar is also the founder of @soloauditcom, a public-good platform supporting security in Web3 and Web2.
At ETHSofia, Anouar will share his framework for conducting holistic, full-stack audits. This is a must-attend for builders who want to secure their protocols from Solidity to servers to the user’s browser.
Some may say I'm a Bounty Hunter, but I am actually a Phantom Assassin with Daedalus and Rapier
Nailing those criticals hahahah
Thanks @HackenProof for this and for the opportunity 🫡
Soloaudit is a network of 70+ world-class security researchers.
Every auditor has publicly proven their skills, uncovering hundreds of vulnerabilities.
The best part? Zero overhead — connect with them directly at soloaudit(dot)com 🔒
And that's a wrap on our spotlight with the incredible @0xluk3! His deep experience is invaluable.
He audits in Solidity, Rust, Move, & TON. Explore his full portfolio and connect with him for your next multi-chain audit on @soloauditcom: https://t.co/Tg6X2ph1od
🔦 Auditor Spotlight! 🔦
This week, we're featuring 0xluk3 (@0xluk3), a veteran web2 pentester (since 2015) turned elite multi-chain auditor.
With 70+ web3 audits and hundreds of pentests under his belt, his attention to detail is surgical.
In this thread, we’ll break down:
🤯 How one forbidden character bricked an entire protocol (and how he found it)
🏆 Why building a brand is harder than a 10-year engineering career
🧠 His #1 rule for surviving your first year in web3 security
Bookmark this immediately. 👇
@0xluk3's advice for newcomers is brutally honest and essential.
"Be prepared for struggle and don't give up... The first year... will be basically constant confusion."
His metaphor for success: "First 19 times you will think that you are banging your head against a wall. Then the 20th time you will find yourself suddenly finding something."