
Introducing The Contest Academy

Become a top 10 all time contest auditor and earn $1M+

· Announcements

Since 2022, I’ve climbed from an anonymous contestant to top-2 on Sherlock and on Code4rena 90 days leaderboard, finished 28 times in the top-3 of audit contests and was rewarded 54 times from my contributions, earning over $600k in public contest rewards. Today I’m launching The Contest Academy – a place where the next generation of elite auditors will learn exactly how the best in the game think, find, and report critical bugs.


Who Am I

I am 0xSimao, an Aerospace Engineer fed up with the boring corporate world who deep dove into web3 security in mid October 2022, 3 years ago, having only worked for 4 months for a software company as a full stack engineer. I was lucky to find out about web3 security early on, but if you are reading this, chances are the same also applies to you.

The meritocracy of the crypto industry shows time and time again that those who put in consistent effort and truly dedicate themselves fully to web3 security claim the rewards. I literally went from hundreds a month to hundreds an hour based solely on trying to be the best possible, trying to find the bugs that others miss.

I joined a firm from mid October 2022, ThreeSigma, in an internship program, and went through Mastering Bitcoin, Mastering Ethereum, Damn Vulnerable Defi CTFs, and then started shadowing and helping in whatever auditing or dev task was needed. In my opinion, joining a firm early on is the best decision you can make, since it is much easier to get started when there are expert people helping you out.

I started competing in December 2022, around Christmas time, and earned my first rewards in January 2023, 498 USD. This was the GoGoPool contest on Code4rena, in which I submitted 3 issues, and placed #36. My handle at the time was 0x73696d616f, which came from the ASCII table from Simao, and looking back it was a terrible decision, nobody was able to memorize it, not even me 😢


After this huge win, being just 2 months in, I was crazy, I had literally found gold. I turned 95% of my energy into auditing, and was putting in all my waking hours in auditing, either on firm audits or audit contests. For a long time, I never managed to rank significantly high in the ladders because 1) I wasn't too experienced and 2) I was busy with my full time firm duties so I couldn't put in as much time as I wanted to. Still, I managed to secure some nice results, earning several hundred and thousand USD for the next few months, whilst being basically fully booked in my job at Three Sigma.


My first major win came exactly when I went on vacation for the month of August 2023, the Tapioca DAO contest, and earned around $14k USD, details. This was the moment I figured out I could reach the top of the leaderboards often.


Since then, you can check out my profile here, but I have been top-2 in the Sherlock leaderboard for almost all of 2025, having been winning contests since the Summer of 2024 (again, vacation from my full time audit job) and reached top 2 in the Code4rena 90 days leaderboard at some point as well.

Code4rena

Notice my initial results were all on Code4rena, which was the pioneer of audit contests. Back then, legends like cmichel had already made $1M in earnings, and it was for the most part the absolute go-to place for audit contests.

The experience was not that different from today, the dashboard was less polished, there was a simple form to submit issues, but then all judging activity was happening on Github. There was basically little to no AI spam, but auditors were still making 3 to low 4 figures from mostly automated tooling, very simple tools like Slither, based on conditionals mostly. There was only a judge that would go through all findings, helper roles were only added later. The OpenSea contest is probably the most famous Code4rena contest, where even Spearbit was participating as a team, and they actually won the contest, netting $300k USD.


I have earned a total of $60k on Code4rena, and am currently placed #81.


Sherlock

Sherlock was born a little later than Code4rena, and many people disliked the much stricter rules they have. However, since then I think this opinion has changed, because having a common set of rules that applies mostly regardless of contest paves the way to a truer contest experience.

To this day, I believe their most successful achievement was the LSW model, in which an auditor is picked to lead the contest, in which they must commit, and earn fixed pay, and at the time it was at $25k per week! Since then, it was reduced to a maximum of $12.5k / week, which is still very generous given that they have access to the common pool on top of this payment, which in my experience comes close to the $25k / week rate.


I have earned a total of $442k on Sherlock, and I am ranked #2 on the leaderboard.


Cantina

Cantina appeared later, around 2023/2024, and also brought audit contests. They built their own platform for everything related to the audit, in a 1 stop shop solution, and they claim it is faster than using GH. I haven't used it extensively, but indeed having your own customizable dashboard for all audit related stuff is certainly helpful, GH can be a pain in the a** to customize.

Cantina has had some extremely successful contests, for example the Blast contest in which I directly participated, where many people made 5 figures, and some even 6!


They pioneered the conditional contest concept, in which rewards are unlocked according to the findings found, for example, if at least a Medium is found the pot is $100k, if at least a High is found the pot is $500k. At the time this was extremely controversial, and still is, mostly because it is extremely hard to balance out auditors' and sponsors' demands in the severities, and it is also hard to make well structured pots. Since then, all contest platforms have been providing conditional pots.

I have earned $45k on Cantina and am ranked #72.


Immunefi

Immunefi joined the audit contest scene slightly after Cantina, having also hosted many competitions. For some reason, the auditors on Code4rena/Sherlock/Cantina seem to be different to the ones on Immunefi, which if I had to guess I would say it's because Immunefi has their own talent pool from their Bug Bounty platform.

I believe whilst Code4rena/Sherlock focus more on Defi, Immunefi and to some extent Cantina, tend to host more general contests, such as infrastructure ones, think L1,L2s and so on. These contests are massive, 100k nloc, but also hold massive rewards. It's very common the top performers earn $100k more from these contests, but I don't have a huge experience on them, as I tend to do Defi audits. I still managed to take 2 4th places in 2 Sway audits on Immunefi, but I would say I am not as experienced on Immunefi for sure.

The Fuel attackathon is an example of an Immunefi audit competition. Fun fact, I participated and earned $500.


Codehawks

Codehawks is another audit contest platform that appeared around the same time as Cantina. I only participated in one of their contests, and the experience was quite smooth on their dashboard. I believe they are most famous for having hosted the ZKSync competition, which was huge, just off the top of my head. There were $500k in rewards, and the first place earned $236k, absolutely crazy. They have something called Eagles, who earn fixed rewards and participate on Cyfrin private audits as well.

Fun fact: they pay on the ZkSync network (fact check if they still do).


Honorable mentions

HackenProof is also an audit contest platform, but isn't as well known in the SR community and I have never personally participated. There are also other platforms coming up, so just make sure to follow the Contest Academy on news.

Private Audits

From 2022 to 2024 inclusive I was doing full time audits at Three Sigma. Since 2025, I began doing collaborative audits at Sherlock and Blackthorn, a top tier auditing firm, along with some of the best of the industry.

Essentially, there is a low chance you will be doing contests full time, which can become quite draining with escalations, and you will want to join forces with other firms on some audits or do solo audits.

It can be argued that later on contests become less effective for earnings, but it depends a lot on your skill, personally I am still earning top rates on Sherlock as Lead Senior Watson ($12.5k / week + contest pot), and some other people are still making big bucks (Zigtur).
Portfolio


What is The Contest Academy?


Bug Deep Dives

I will try to post as frequently as possible the best paying bugs in contests, as well as specify what context is needed to find those bugs.

Contest Mastery Series

I will provide in-depth breakdown of every active contest platform at certain points in time. Rules, payout structures, senior auditor handles, timeline quirks, communication style expected.

Methodology & Workflows

My current methodology will be shared at some point, as well as its evolution, namely regarding specific tools that I use or other people are using.

Interviews With The Best

Reaching out to the current top-10 auditors across platforms, as well as new auditors crushing it, and try to find out about their methodology, their findings, about themselves.

Knowledge Sharing

You are incentivized to reach out to me, via X, discord or other means, to discuss specific topics you would like covered in the Contest Academy, I will take notes and see what I can do!

Who This is For?

From absolute beginners to the top auditors, everyone can benefit from knowing about the top bugs paid out in contests, the current state of the auditing contests industry, and other top auditors' opinions and tricks!

Why Now?

The bear market is coming, need something to do LOL.
Now for real, I've become arguably Top-10 in this industry, and there isn't a resource yet meant for audit contests, so it just makes sense!
