web3-start-here
WEB3 SKILLS — MASTER INDEX
Built from: 2,749 Immunefi reports + 100+ paid writeups + DeFiHackLabs (681 hacks) + ConsenSys + SlowMist + Trail of Bits + Foundry + Nethermind + Lido + AI agent research + live hunt experience
THE CHAIN (read in this exact order)
00-START-HERE.md ← YOU ARE HERE
01-foundation.md ← Mindset, target selection, recon setup
02-bug-classes.md ← All 10 bug classes with patterns + real examples
03-grep-arsenal.md ← Master grep patterns for every class
04-poc-and-foundry.md ← Foundry PoC writing, cheatcodes, 18 exploit templates
05-triage-report-examples.md ← 7-Question Gate, report format, 20 real paid examples
06-methodology-research.md ← ToB, SlowMist, ConsenSys, Immunefi, Cyfrin, Lido, Nethermind
07-live-hunt-ern.md ← Completed hunt: Ern protocol (2 findings)
09-live-hunt-zksync.md ← Completed hunt: ZKsync Era (0 findings — defense study)
08-ai-tools.md ← Shannon, LuaN1ao, SmartGuard, CAI Framework, AI code hunting
36-solidity-audit-mcp.md ← MCP server: Slither+Aderyn+SWC in Claude Code
HOW TO USE THIS
- Read one file fully — every section
- At the bottom: follow → NEXT
- After file 05: you can hunt independently
- Files 06-08: advanced tools + active work
- File 36: MCP integration for live scanning
QUICK STATS
| Metric | Number |
|---|---|
| Immunefi reports analyzed | 2,749 |
| Protocols covered | 51 |
| Critical reports | 406 |
| High reports | 616 |
| Total paid by Immunefi | $100M+ |
| Avg critical payout | $50K–$2M |
| Nethermind reports analyzed | 166 |
| DeFiHackLabs hacks reproduced | 681 |
THE ONE RULE
"Read ALL sibling functions. If
vote()has a modifier, checkpoke(),reset(),harvest(). The missing modifier on the sibling IS the bug."
This single rule explains 19% of all Critical findings.
→ NEXT: 01-foundation.md
More from shuvonsec/web3-bug-bounty-hunting-ai-skills
web3-poc-foundry
Complete Foundry PoC writing guide + all cheatcodes + DeFiHackLabs reproduction patterns. Use this when building a proof of concept exploit, setting up a fork test, using Foundry cheatcodes, or reproducing a known DeFi hack for learning.
3web3-ai-tools
AI-powered tools for Web3 bug bounty automation. Use when you want to automate recon, run autonomous audits, or use AI agents for vulnerability discovery.
3web3-bug-classes
Complete reference for all 10 DeFi smart contract bug classes. Use this when hunting for specific vulnerability types, need attack patterns for accounting desync, access control, incomplete path, off-by-one, oracle manipulation, ERC4626 vaults, reentrancy, flash loans, signature replay, or proxy/upgrade bugs.
3web3-triage-report
Bug triage validation system, Immunefi report format, and 20 real paid bounty examples dissected. Use this when validating a finding before submitting, writing an Immunefi report, checking if a bug is actually valid, or studying real examples of paid vulnerabilities.
3web3-hunt-zksync-era
ZKsync Era (Immunefi) completed hunt — 0 findings after exhaustive 5-session audit. Use as a DEFENSE STUDY — learn what makes a protocol unhuntable, which patterns block all 10 bug classes, and when to abandon a target. Contains architecture breakdown, 25 tested attack vectors, and pre-dive scoring refinements for large L1 bridge protocols.
3web3-solidity-audit-mcp
MCP server integrating Slither + Aderyn + SWC patterns into Claude Code for smart contract auditing. Use when analyzing Solidity files, running DeFi-specific detectors, or generating invariants. 10 MCP tools, 86 SWC detectors, DeFi preset pack, CI/CD workflow.
3