web3-hunt-foundation
| Field | Value |
|---|---|
| name | web3-hunt-foundation |
| description | Hunter mindset, recon setup, and target scoring for Web3 bug bounty. Use at the START of any new protocol hunt - scoring targets, setting up environment, understanding architecture. |
| Contains | attack/triage mental models, 10-point scorecard (score ≥6 to proceed), crown jewels approach, static analysis setup, recon checklist. |
Mindset + Recon + Setup. Read this before touching any new target's code. Replaces: 01-mindset, 02-recon-setup, 20-chain-complete
You are NOT looking for "vulnerabilities" in the abstract. You are looking for specific actions an attacker can take TODAY that result in profit.
Everything flows from one question: "What can I STEAL, FREEZE, or DESTROY — and what do I END UP WITH?"
Apply to every finding before writing a single line:
I am an attacker. I will:
1. SETUP: What do I need? (wallet, capital, any whitelisted permissions?)
2. CALL: Exact transactions, exact order, exact function names
3. RESULT: What do I end up with that I didn't start with?
4. COST: Gas + capital + flash loan fee + any other expense
5. DETECT: Can anyone stop or reverse this?
6. NET ROI: I gained X at cost of Y. Is Y << X?
If you can't fill in steps 2 and 3 with specific function calls → it's not a real bug. Stop. Move on.
- amount = 0? Does anything revert or silently pass?
- initialize() is called?
- amount received ≠ amount sent?
- address(0) or a malicious contract as an address param?
- type(uint256).max as a numeric param?
Question #10 explains 19% of all Critical findings. If vote() has onlyRole(VOTER), check poke(), reset(), harvest() — the missing modifier on the sibling IS the bug.
Before spending time on a PoC, try to KILL the finding:
One YES = KILL. Move on.
If you've been on the same function for 5 minutes with no clear attack path → STOP. Add it to a low-priority list. Move to the next function. Top hunters: 95% fast-reject + 5% deep dives on confirmed leads.
Don't review 10 protocols in one week. Pick ONE. Spend 3-5 days becoming the expert. Protocol-specific knowledge compounds. The Curve expert found 5 bugs. The 10-protocol tourist found 0.
If functionA() has a security check, and functionB() doesn't — that IS the report.
You don't need to fully understand why. The inconsistency proves the developer intended the check.
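The sibling-modifier check above (vote() guarded, poke()/reset()/harvest() not) is easy to make mechanical: list every state-changing external/public function next to the modifiers it carries. The scanner below is an added example, not part of the original file or any project's tooling; the Gauge contract it runs over, its functions and the onlyRole/onlyOwner names are constructed for the demo.

```python
import re

# Added example: regex-level scan of Solidity source that pairs each callable,
# state-changing function with its access modifiers, so siblings can be compared.
# Slither/Aderyn work on the AST; this is a quick triage aid, not a replacement.

# Constructed sample contract; names and modifiers are assumptions for illustration.
SAMPLE = """
contract Gauge {
    function vote(uint256 id) external onlyRole(VOTER) { _vote(id); }
    function poke() external { _recompute(); }
    function reset() external onlyOwner { _reset(); }
    function harvest(address to) public { _harvest(to); }
    function balanceOf(address a) public view returns (uint256) { return _bal[a]; }
    function _vote(uint256 id) internal { _bal[msg.sender] += id; }
}
"""

# name, parameter list, then everything up to the body or ';' (visibility, modifiers, returns)
FUNC_RE = re.compile(r"\bfunction\s+([A-Za-z_]\w*)\s*\(([^)]*)\)\s*([^{;]*)")
# One identifier per token; a trailing (...) is consumed so modifier args are not read as names.
TOKEN_RE = re.compile(r"\b([A-Za-z_]\w*)\b(?:\s*\([^)]*\))?")
VISIBILITY = {"external", "public", "internal", "private"}
MUTABILITY = {"view", "pure", "payable"}
NON_MODIFIER = VISIBILITY | MUTABILITY | {"virtual", "override", "returns"}

def scan(source: str):
    """Return (guarded, unguarded): modifiers per guarded function, and the names of
    external/public non-view functions that carry no modifier at all."""
    guarded, unguarded = {}, []
    for m in FUNC_RE.finditer(source):
        name, header = m.group(1), m.group(3)
        header = re.sub(r"returns\s*\([^)]*\)", "", header)  # drop return types
        vis, mutability, mods = None, None, []
        for t in TOKEN_RE.finditer(header):
            tok = t.group(1)
            if tok in VISIBILITY:
                vis = tok
            elif tok in MUTABILITY:
                mutability = tok
            elif tok not in NON_MODIFIER:
                mods.append(tok)
        # Only externally callable, state-changing entry points matter here.
        if vis not in ("external", "public") or mutability in ("view", "pure"):
            continue
        (guarded.__setitem__(name, mods) if mods else unguarded.append(name))
    return guarded, unguarded

if __name__ == "__main__":
    g, u = scan(SAMPLE)
    for fn, mods in g.items():
        print(f"guarded   {fn}(): {', '.join(mods)}")
    for fn in u:
        print(f"UNGUARDED {fn}(): compare against the guarded siblings")
```

An unguarded name is a lead, not a finding: the ROI model above still has to be filled in for it.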
Before touching any code: score the target. Score < 6 → skip.
| Criterion | Points | How to Check |
|---|---|---|
| Max bounty ≥ $50K | +2 | Immunefi program page |
| TVL > $1M | +2 | DeFiLlama |
| Program launched < 30 days ago | +2 | Immunefi "new" filter |
| Custom math (AMM/vault/lending) | +1 | Read scope contracts |
| Recent code changes | +1 | git log --oneline -20 |
| Prior audits available | +1 | Program page / GitHub |
| In-scope includes smart contracts | +1 | Scope section |
| Protocol type you know well | +1 | Your specialization |
| Source code public/readable | +1 | GitHub / Etherscan verified |
- < 4: Skip — too small, too audited, wrong fit
- 4-5: Only if nothing better available
- 6-8: Good — spend 1-3 days
- ≥ 9: Excellent — spend up to 1 week
Note from the program page:
- All in-scope contract addresses + GitHub links
- Out-of-scope list (DO NOT report these)
- Primacy of Impact: YES/NO (YES = more forgiving on novel impacts)
- Max bounty amounts by severity
- Time on Immunefi (newer = fewer duplicates)
```bash
git clone <target-repo>
cd <target-repo>
git log --oneline -20 # Recent changes = freshest bugs here
forge build # Must compile clean (fix if not)
forge test # Note failures — may indicate known issues
forge coverage # Untested code = priority review target
```
For each finding, note its status:
Find audits: GitHub repo, protocol docs, Immunefi page, Google "[protocol] audit report"
Ask: "Worst thing an attacker could do to users of this protocol?"
Work backward from impact to code:
Draw the money flow (even mentally):
```text
User USDC
  ↓ deposit()
[Protocol Vault] ──→ External Protocol (Aave/Compound/Uniswap)
  ↓ yield accumulates
[Reward Distributor] ──→ Users via claim/harvest
```
Find WHERE VALUE ACCUMULATES. That contract = highest priority.
Key state variables to map:
```bash
# Slither — 93 detectors, fast
slither . --exclude-low --filter-paths "test|lib|node_modules"
slither . --detect reentrancy-eth,unprotected-upgrade,arbitrary-send-eth
# Aderyn — Rust-based, Foundry-native
aderyn . --output report.md
# Read output → note HIGH/CRITICAL only
# Tools catch ~30-40% of bugs. Human review finds the rest.
```
Run through this before any deep review:
PROGRAM:
[ ] Max bounty noted per severity
[ ] ALL in-scope contracts listed (name + address)
[ ] Out-of-scope list read — nothing to falsely report
[ ] Primacy of Impact: YES/NO noted
[ ] Program launch date noted (new = good)
PRIOR AUDITS:
[ ] All audit PDFs downloaded and scanned
[ ] Each finding: status noted (Fixed/Ack/Risk Accepted)
[ ] Acknowledged items in notes as starting points
CODEBASE:
[ ] git clone + forge build passes
[ ] git log checked — recent commits noted
[ ] forge coverage run — untested functions noted
[ ] Slither + Aderyn run — high/critical noted
ARCHITECTURE:
[ ] Fund flow drawn
[ ] Crown jewels identified (where value lives)
[ ] External dependencies mapped (Chainlink, Uniswap, Aave, etc.)
[ ] ALL privileged roles found (onlyOwner, onlyRole, etc.)
[ ] Proxy/upgradeable pattern identified (if any)
ATTACK SURFACE:
[ ] All external/public non-view functions listed
[ ] Mint/burn functions located
[ ] Withdraw/emergencyWithdraw functions located
[ ] Upgrade/migration functions located
[ ] Oracle dependencies found
[ ] Signature/permit usage found
[ ] Cross-contract interactions mapped
DEX / AMM:
- Oracle manipulation (getReserves, slot0 = flash-loan manipulable)
- Rounding in pool math (1-wei attacks × flash swap)
- Missing slippage protection (sandwich vector)
- Fee-on-transfer token handling
LENDING / BORROWING:
- Collateral valuation (oracle → overborrow)
- Liquidation logic (bad debt creation, self-liquidation)
- Interest accrual rounding (favors borrower or protocol?)
- Flash loan → inflate collateral → borrow → repay
VAULT / YIELD:
- First depositor share inflation (ERC4626)
- Donation attack via direct balanceOf transfer
- Strategy rug (malicious strategy contract)
- Reward accounting timing (enter/exit attacks)
BRIDGE / CROSS-CHAIN:
- Message replay (missing nonce/nullifier)
- Signature replay (no chainId)
- Validator set manipulation
- Destination execution reentrancy
STAKING / RESTAKING:
- Reward distribution timing attacks
- Slashing logic errors
- Role never granted → permanent lock
- Withdrawal queue multi-field desync
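The VAULT / YIELD bullets (first depositor share inflation, donation via direct balanceOf transfer) come down to rounding in the share formula. This added example, not from the original file, models the naive ERC4626 conversion beside the virtual-shares/assets offset that OpenZeppelin's ERC4626 uses as mitigation; the actors, the 1 wei / 1e18 amounts and the offset of 6 are constructed so a hunter can see what the hardened math bounds and what it does not.

```python
WAD = 10**18

# Added example: integer model of ERC4626 share accounting. Actors, amounts and the
# offset value are constructed for this illustration, not taken from any protocol.

class Vault:
    def __init__(self, decimals_offset=None):
        # None -> naive: 1:1 on the first deposit, then assets * supply / totalAssets.
        # n    -> hardened: assets * (supply + 10**n) / (totalAssets + 1)  (virtual offset).
        self.offset = decimals_offset
        self.total_assets = 0
        self.total_supply = 0
        self.shares = {}

    def to_shares(self, assets):
        if self.offset is None:
            return assets if self.total_supply == 0 else assets * self.total_supply // self.total_assets
        return assets * (self.total_supply + 10**self.offset) // (self.total_assets + 1)

    def to_assets(self, shares):
        if self.offset is None:
            return shares if self.total_supply == 0 else shares * self.total_assets // self.total_supply
        return shares * (self.total_assets + 1) // (self.total_supply + 10**self.offset)

    def deposit(self, who, assets):
        minted = self.to_shares(assets)  # rounds down, as the ERC4626 spec requires
        self.total_assets += assets
        self.total_supply += minted
        self.shares[who] = self.shares.get(who, 0) + minted
        return minted

    def donate(self, assets):
        # Direct ERC20 transfer to the vault: totalAssets (balanceOf) rises, no shares minted.
        self.total_assets += assets

def inflation_scenario(decimals_offset=None):
    """Attacker deposits 1 wei and donates 1e18 before the first real deposit; the victim
    then deposits 1e18. Returns (victim_shares, victim_redeemable, attacker_net_gain)."""
    v = Vault(decimals_offset)
    v.deposit("attacker", 1)
    v.donate(WAD)
    victim_shares = v.deposit("victim", WAD)
    victim_value = v.to_assets(victim_shares)
    attacker_value = v.to_assets(v.shares["attacker"])
    return victim_shares, victim_value, attacker_value - (WAD + 1)

if __name__ == "__main__":
    for label, off in (("naive", None), ("offset=6", 6)):
        print(label, inflation_scenario(off))
```

With the naive formula the victim mints 0 shares and the attacker captures the whole deposit; with the offset the victim's loss is a few hundred gwei and the donation costs the attacker about half of it, which is the check to run on any vault that rolls its own conversion math.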
| Situation | File to Read |
|---|---|
| Starting new hunt | This file |
| Need specific grep commands | 03-grep-arsenal |
| Found a bug, building PoC | 04-poc-and-foundry |
| Ready to validate + submit | 05-triage-report |
| Need all bug class patterns | 02-bug-classes |
| Want external research depth | 06-methodology |
| Hunting Ern protocol | 07-live-hunt-ern |
| Want AI tool automation | 08-ai-tools |
→ NEXT: 02-bug-classes.md