How I'm re-learning how to audit. Working with notes. Sablier contest

It's very hard to take part in competitive auditing when you only have 8-10 hours a week to spend studying code and looking for vulnerabilities. Full-time auditors will laugh at this amount of time, and they will be right. It's unlikely that you'll be able to study the project well in that time, let alone find any significant bugs.

I've been involved in competitive audits before and I know what it's like. Also, reading audit reports on a daily basis helps a lot to keep me sharp and understand the level of modern vulnerabilities in protocols. The only thing left is to quickly learn to understand the contract and protocol architecture in general.

These were all prerequisites for my quest to relearn how to audit protocols.

I used to study each contract and each function separately in details, making notes next to the code like @audit, @audit-issue and others. But focusing on details I quickly forgot the essence of the contract, so I had to go back to the same section of code again and again.

I decided to take notes and armed myself with a pen and a notebook. Not in a computer or a tablet, but in a real one. And I realised that I don't know how to take notes....

In the screenshots you can see examples of my notes from the recent Sablier Flow audit competition that took place on the Codehawks platform. This was my first contest where I worked with physical notes.

I purposely choose small contests now, up to 1000 lines of code, to learn how to take notes as the audit progresses. And this was a perfect fit.

The Sablier Flow contracts turned out to be excellently written and had high security. Despite the fact that I couldn't find any problems there, my first experience with notes gave me some ideas for future work.

Firstly, I now use different pen colours for different ideas. This helps me to focus on certain points in the contract and to find them quickly with my eyes when I need to.

Secondly, pencils are convenient for drawing schemes, token movement and function flow.

Thirdly, you can take notes with you. When you get an idea, you can look at the code on your phone and make additional notes.

In general, even without any skills of writing notes on the code, I managed to understand the protocol 90% during the first 6-7 hours of audit. And leave another 2 hours to search for vulnerabilities.

That time the notes took me 2 pages.... By the way, on the next audit I wrote 5 pages.

Speaking up, I couldn't find any valid bugs in this contest, but working with written notes has given me new skills that I will use in future contests.