@Gracious @Kuririn @PlagueCrafter were part of my recent mentorship program focused on web3 security. We had a great time and it looks like it was time well spent for them too! For reference, here’s my mentorship post.
They first focused on completing more challenges from the Ethernaut CTF. Since they were familiar with security basics, we jumped directly into one of my past audits. The audit code was a good mix of complexity and scope for someone's first audit. They had about a week for this, after which we discussed, in detail, everyone's findings and the ones they missed. Along the way, we shared insights that would have helped them identify those missed bugs.
Throughout, I provided them with resources on fuzzing, formal verification and popular protocols that they could use later on. We discussed some general concepts like shorting and longing a token, programming Uniswap v1/v2 from scratch, proxies, gotchas, etc.
We then went through a series of challenges, each designed to highlight a certain skill set and things to keep in mind while auditing (input validation, the importance of diff-ing against the original code, unit tests, memory pointers).
Another major chunk of the time was spent on Just Enough Elliptic Curve for Ethereum, a post I wrote for the mentees that is now publicly available. We went right from understanding modular arithmetic to the key generation process in Ethereum to ECDSA signatures. This was covered in 4 to 5 sessions across 2 weeks.
We also went through another piece of my material: GitHub - 0xbok/ecdsa-vuln-poc.
At this point, it was time to end the program, and I encouraged all of them to participate in c4 and sherlock contests. I think they enjoyed the mentorship as much as I enjoyed engaging with them (it seems so based on the feedback). Super excited for what they do from here on!