Manish Kashyap
8 posts

Manish Kashyap retweeted

🏆 Audit Arena Week 19 results are in
Big congrats to this week’s top performers:
🥇 @mibunna 17 pts
🥈 2nd place:
@SyedGhufranHas1 @zriym17 9.5 pts
🥉 3rd place:
@yun0hu @0xbube @mr_nob0dye @0xEzed 8.5 pts
4th place:
@devmukhtar @maFa_686 @254Oti_ 7 pts
5th place:
@acyutaharidas 5 pts
6th place:
@GeorgievWeb3_ @royysd 3.5 pts
Big congrats to everyone who took part this week.
Keep pushing.
Keep learning.
Keep climbing.⚔️
See you in the next arena.
Manish Kashyap retweeted

The Reality of Becoming a Top 1% Security Researcher
Most people think it's about intelligence.
It's not.
It's about surviving years of confusion, rejection, self doubt, and failure long enough to become dangerous.
Here's what nobody tells you
Let's dive in
➪ The internet only shows the wins.
You see:
➣ Accepted bug bounties
➣ Audit reports
➣ Conference talks
➣ Hall of Fame achievements
➣ Research publications
You don't see:
➣ 100+ rejected findings
➣ Failed exploit attempts
➣ Weeks spent understanding one vulnerability
➣ Thousands of lines of code read for nothing
Success is visible.
The struggle isn't.
➪ Security research will make you feel stupid.
A lot.
You'll open a protocol and understand absolutely nothing.
You'll read a Solidity function 20 times.
You'll stare at an exploit writeup for hours.
And you'll wonder if everyone else is smarter than you.
They're not.
They've just been confused longer.
➪ One lesson I learned:
Feeling lost is not a sign you're failing.
It's usually a sign you're learning.
The best researchers aren't the ones who avoid confusion.
They're the ones who stay with it long enough for understanding to emerge.
➪ Nobody talks about the 3 AM reality.
The monitor glow.
The cold coffee.
The failed PoC.
The endless transaction traces.
The attack path that doesn't work.
Then doesn't work again.
Then finally works.
The world sees the report.
You experience the thousand failures before it.
➪ Security research is mostly being wrong repeatedly until you're finally right.
That's the job.
Not glamour.
Not recognition.
Investigation.
➪ Most people don't fail because they lack talent.
They fail because they quit too early.
The learning curve is brutal.
Progress feels invisible.
Validation is rare.
Rewards are delayed.
So people leave.
The few who stay become dangerous.
➪ Consistency beats talent more often than people want to admit.
Read code every day.
Study exploits every week.
Write research publicly.
Repeat.
Small efforts compound.
➪ The most underrated security skill isn't intelligence.
It's curiosity.
Elite researchers ask questions longer than everyone else.
Why is this here?
Why is this unchecked?
Why did this exploit work?
Why did nobody notice?
Curiosity uncovers vulnerabilities.
➪ Most vulnerabilities hide inside assumptions.
Attackers know this.
Researchers should too.
➪ Another uncomfortable truth:
Security research is mostly pattern recognition.
The best auditors don't magically spot bugs.
They've simply studied enough failures to recognize familiar attack surfaces.
Experience is pattern recognition in disguise.
➪ Want to improve faster?
Study:
➣ Historical hacks
➣ Audit reports
➣ Post mortems
➣ Exploit writeups
➣ Attacker behavior
Every exploit teaches a lesson.
Every lesson becomes intuition.
➪ Let's talk about the emotional cost.
Nobody warns you about this part.
Security can be lonely.
You miss events.
You skip outings.
You spend weekends reading code.
Sometimes you become obsessed.
And sometimes that obsession is exhausting.
➪ Then imposter syndrome arrives.
You compare yourself to famous auditors.
Respected researchers.
Top bug bounty hunters.
You feel behind.
Here's the truth:
Even experts feel this way.
They just keep moving anyway.
➪ Top 1% doesn't mean:
➣ Knowing everything
➣ Finding every bug
➣ Never making mistakes
➣ Being a genius
Top 1% means:
➣ Showing up consistently
➣ Learning relentlessly
➣ Staying curious
➣ Refusing to quit
➪ If I could give one piece of advice to aspiring blockchain security researchers:
Stop chasing shortcuts.
Read code.
Study exploits.
Think like attackers.
Build things.
Break things.
Write about what you learn.
Depth beats hype.
Every time.
➪ One day people will see your audit reports, findings, and achievements.
They'll assume you were naturally gifted.
They won't see:
➣ The confusion
➣ The failures
➣ The rejected reports
➣ The late nights
➣ The moments you almost quit
But that's the reality of becoming a top 1% security researcher.
Not brilliance.
Persistence.
➪ The researchers who change the industry are rarely the smartest people in the room.
They're the ones who refused to leave the room.
If you're building a career in Smart Contract Security, Blockchain Security, or Web3 Security:
Keep going.
Your future expertise is being built in today's confusion.
Repost if you're on the journey.

Got my first valid high severity bug on CodeHawks First Flight
Huge thanks to the Cyfrin team ❤️
Still learning, improving, and continuing.
#SmartContractSecurity #Web3Security #CodeHawks #Cyfrin #Audit


I want to start a community dedicated to Web3 security auditors.
It's becoming harder to enter the field and find complex, valid bugs.
This will be a space for sharpening security skills, studying attack patterns, real exploits, and current attack techniques.
Comment "Defendor" if you want to join and I'll DM the link



