blog home

News

XuWinnie: The Warden that won zkSync’s $1.1M audit

They were already a noted figure in the web3 security space, but xuwinniexu has become legendary since the end of the zkSync audit.

Winning a giant $500k+ prize is reason enough for the increased notoriety, but when you add in the fact that Winnie wasn’t familiar with Rust before the audit was announced, it’s an incredible story.

We sat down with Winnie to ask if the rumors were true, and find out more about how they prepared for the audit.

I’ve heard that you didn’t know Rust well before the audit. How did you prepare enough to find 5 high vulns (4 solo)?

It’s true. After the announcement [of the audit] I read the rust official doc to get familiar with it. [As of today] I still cannot write rust, but understanding it is enough.

Do you feel like the skills needed for writing in a language like rust are different from the skills needed to “hack” it?

Oh, IMO hacking skill is independent from language. None of the bugs are about the language itself … they are on a higher level (what the language tries to express).

Even if the code is rewritten in another language, the bug will still exist.

[I don’t have] writing skill, but I guess engineers should write code with good architecture and high performance. [Auditors] only care about correctness.

Congratulations on the award you won. Does winning that prize change your plans or approach to competitive audits in the future?

Yes, it is a big prize. I think my interest in small pot contests will decline. [Instead] I’ll allocate more time to private audits booked through my C4 profile or website, Code Blue, and other parts of my life.

Blue team will be an interesting part … I think the main benefit of blue team is that it acts as a reliable 3rd party which reduces trust assumptions for hunters.

Thanks for chatting with us. Do you have any advice for up and coming auditors inspired by your performance with zkSync?

Hold the belief “there must be something wrong in the code” and try your best to break it.

Related Posts