:):

End of an era. I've never had a front-row seat to a product going from 0 to 100 back to 0 before. I still remember in 2022 when @sockdrawermoney said audit contests are a great thing for the Web3 space and that others should launch contest platforms. That was part of the green light that encouraged us to create Sherlock's audit contest platform. The irony is that I truly think Code4rena died due to competition. Sherlock was the 2nd entrant to the field, and Cantina and Immunefi came 1-1.5 years later and turned the space into a bloodbath where fees to audit contest platforms approached zero. I think if there had only been one audit contest platform (impossible I know), it would have been a very healthy, lucrative business. And the irony is that I think we'd see more contests and higher SR payouts in that scenario than we do today. On the bright side, I think competition made Sherlock's audit contest platform a much better product. Our customer-facing dashboards are more user-friendly. We reinvented our judging process 4x and it's now 10x better than it was 3 years ago. And our team as a whole was forged by fire thanks to the intense competition. I am a better founder and CEO because of the experience. I'm really grateful for the lessons that we learned by competing against Code4rena. Their team was truly mission-driven and cared about security outcomes in a way that some others sadly didn't (and still don't). Sherlock has fought hard to keep the security-first ethos in the audit contest space and in all our products. And we'll continue to fight hard for this. For any team that experiences a gap in the market due to Code4rena's exit, I hope you'll ask protocol teams and security researchers you trust for their recommendation. I'm grateful for everything Code4rena has given to the space and our team. And I look forward to Sherlock continuing to carry the torch of a security-first approach in audit contests.

@blckhv Not worried about putting in more effort, if you like it you don't see it that way. Thx man 🫂

@_smileNot 1. Shadow audits + contests in other platforms (when there are any) 2. Use AI to study faster 2. Bug bounties Not the most beginner-friendly path, unfortunately, but if you want it badly enough, you'll succeed

Code4rena is winding down, so many great auditors started their careers there, myself included. Forever grateful for shaping the security space back in the golden days of Web3 Security 🥹

@ret2basic @auditor_nate Fuck 😭. Well, I will try to make a place for myself and see if I get lucky

@_smileNot @auditor_nate we all love it but have to face the reality, tbh if I am a new grad this year, I don't even know what the fuck I should work on, just everything seems dead or going to be dead soon

Bye code4rena🥹 What’s next web3 SRs, what do you plan to do next? Any new field that has opportunities like code4rena back in 2021?

@saxenism What type of light do you see (just curiosity)?

If this is not the peak bear signal, I don't know what is. The two biggest threats (that had been on my mind since forever) finally hit crypto, HARD, in the last few months: + nation state actors targeting web3 + AI-assisted blackhats Now, protocols are beginning to realise what should have been a ground reality: In web3, security is not a nice-to-have, but rather an existential threat. A few bad security decisions + bad timing + bad luck, and you might never be able to recover from a hack. It's an extremely hard time for our industry and for those still building... just don't quit. There IS light at the end of the tunnel :)

@ret2basic @auditor_nate Okay, I understand you. I'm new in this sector and I love it, but it's kind of shocking to hear that news about C4. I'm still moving forward and improvising by the way...

I don't mean zk, in fact I know it but didn't make any money out of it (the firms I work with don't have any zk client incoming). Daml is a great option, but I expect it to be the same: you can only get client if you have connection in the right firm. I am already going deep into daml anyway, doesn't hurt to look for something else

@trust__90 I was just starting in this sector, I still love it and still want to learn, but do you have any recommendation on what to do? I'm feeling a little lost after that news

We all need to take a moment and give our appreciation to the pioneers of decentralized security audits. I personally owe much of my success to the opportunities they've created. In the face of competition it continued to stay faithful to its policies and treated researchers fairly, even if it meant losing business. It is true that in recent times C4 has become a shadow of what it once was, for various reasons. But I'll remember them for the epic competitions, intellectual judgment discussions and friends made on the way. On the business side, this is part of the phase-out of crowd audits, which are no longer feasible to run with AI submissions. For years the gig has stopped being profitable and used for customer acquisition and upsell potential, but now it's official. Security is already converging to multiple AI passes followed by A-tier team audit(s) for finding outliers, and a bounty program as last defense. So-long C4. You will be missed. 🐺

@ret2basic @auditor_nate Do you mean something like ZK Proofs? DAML could be an alternative?

@auditor_nate Something that is research oriented and math heavy maybe. I don't have an answer yet...If I know what to do I am not posting this tweet

@HildaGilbora @adeolRxxxx @code4rena Me too 😔

@adeolRxxxx @code4rena What's painful is that I never got the chance to try out Code4Arena, I just started learning about Web3 Security.

Hacks are happening on a steady. @code4rena just decided to wind down. What a terrific year to be in web3 security.

@iphelix @blockthreat Awesome article, mate. I'm new here and didn't really notice how catastrophic these last months were

@panditdhamdhere Explain it

The most wildly dangerous job in tech is right now Smart contract Engineer. 💀 The most popular one is AI Engineer.

@0xBiyyah I'm halfway through this course, I hope to be able to understand all the theory, anyways good luck with the next step 🫡

Day 42 May 3, 2026 Finished the Advanced Foundry course today. It was definitely a rollercoaster. The opcode detour and rebase token section exposed a flaw: following blindly without understanding the flow doesn’t work. Lesson learned.

@MOHDDANISH798 Congrats bro. I'm halfway through "Foundry Fundamentals" and then I am thinking of starting that one

Just unlocked a new milestone in Web3 security! 🚀 Completed the Security Course on Cyfrin 💻🔐 From understanding smart contract vulnerabilities to diving deep into auditing — this journey is just getting started. Web3 security is not just a skill, it's a responsibility. ⚔️

@0xFlint_ Crap is making space for good projects to rise

Market is down, contests are nearly dead, bounty hunters get rekt by protocols and firms are shutting down and/or reducing headcount. Sad Vibes☹️ So let me give you some Good News. I have been talking to 20+ banks in the last months and EVERY last of them is launching into digital assets this year. Some with a tiny feeler project and others fully all-in, but there is a hard FOMO in TradFi that you need to be on-chain as fast as possible or you will be left behind. This means that 2026 is indeed difficult, but 2027 will be glorious. There is a massive wave of projects coming which means recruitment will be immense. Positions for: - SRs for Blockchain - SRs for offchain & KMS - FV & Testing Engineers - Solidity & Rust Engineers - Account Managers - Sales & Sales Engineering - Marketing - etc... I know it's hard today, but keep learning, keep grinding and don't give up. Your Opportunity Will Come!

@DeltaXV_ @MezoNetwork Great, glad to learn about that vulnerability

1 months ago I've discovered a critical vulnerability in @MezoNetwork's AssetsBridge precompile which could have led to a direct theft of $1,753,958.4 ($40m if no ratelimit). happy to share the security advisory (includes full report + PoC) and mezo post-mortem write-up. github.com/mezo-org/mezod… I'm also planning to post soon an X article about this finding which will include much more context on my journey and this discovery.

@anchabadze I just started a few months ago, do you have any tip or recommendation of where to learn quality content?

Exactly one year ago, I started my journey toward a Web3 Security Researcher position at a company. At that time, I had already learned Solidity and was just beginning to participate in public contests. Since then, I’ve found dozens of bugs, earned thousands of dollars, accumulated around 2000 hours of auditing and skill development. My professional level, my understanding of web3 security, and attack vectors have grown tremendously over this year. I’ve developed my own auditing style and methodology. I actively use AI, which helps a lot in my auditing process. I haven’t reached my goal yet and my journey continues. Yes, it’s not the best time to land a job as an SR right now - bear market, fewer contests, intense competition, AI audits - but I believe in myself. I know I don’t want to do anything else, and I will keep moving toward my goal. Even for another year, if needed. Consistency is the key There is no plan B Success is inevitable #RoadToWeb3SecurityJobChallenge

@chrisdior777 @aave @SkyEcosystem @LidoFinance Good examples of a serious and good development

Top 3 most battle-tested protocols in Web3: @aave : survived crashes, liquidations, contagion, bad debt scares @SkyEcosystem : survived Black Thursday, USDC depeg spillover, stablecoin stress @LidoFinance : survived stETH depeg panic, Shanghai withdrawal transition and more

A new smart contract auditor has been born... ‍💻😈 profiles.cyfrin.io/u/smilenot/ach…