Audit Real Protocols. Find Real Bugs.
Review actual DeFi protocols that went through public security contests. Submit findings, get scored against known vulnerabilities, and learn what you missed.
1. Start Your Audit
Choose a protocol, read the docs, and begin your individual timer. Review the codebase and hunt for vulnerabilities.
2. Submit Findings
Report vulnerabilities one by one using structured templates. Include severity, affected code, impact, and your recommended fix.
3. Learn from Results
After your timer expires, see how your findings compare to actual contest results. Learn what you missed and why.
Scoring
Earn Points (True Positives)
Same root cause counts as one finding. Duplicates score 0.
False Positive Penalties (Progressive)
A few wrong guesses are fine. Spamming findings to game the system is not.
Has your protocol been audited?
Get a free community re-audit of the same commit hash your auditors reviewed. Hundreds of builders will review your codebase as part of their learning, and you get fresh eyes on your protocol at zero cost. All you need to do is share your code for educational use.
Message me on Telegram
Available Shadow Audits
Shadow Arena #001: Basin
Composable DEX with ConstantProduct2 (x * y = k). 10 files, 1,145 SLOC. Find the 14 vulnerabilities discovered in a $40k public contest.
Shadow Arena #002: ElasticSwap
First AMM for elastic supply (rebasing) tokens. x * y = k with a twist. 3 contracts, 739 SLOC. Can you spot where the math breaks?
Shadow Arena #003: Velodrome Finance
Solidly fork (ve(3,3) AMM) on Optimism. Familiar Uniswap V2 core with novel gauge/bribe/voting extensions. 8 contracts, 1,914 SLOC. The AMM is clean. The bugs are in the extensions.
Shadow Arena #004: Flux Finance
Compound V2 fork with KYC/sanctions and a CASH token system. 11 contracts, ~4,365 SLOC. Lending mechanics forked from cDAI plus a novel cash management layer.
Shadow Arena #005: Canto v2 Lending
Compound V2 fork with algorithmic stablecoin (cNote) and custom interest rate model. The bugs are almost a syllabus for what goes wrong when you fork Compound. 6 H + 4 M in scope.
Shadow Arena #006: Venus Isolated Pools
Largest lending protocol on BSC. Compound V2 fork with isolated pools and bad debt auctions. The classic block-time interest rate bug lives here. 28 contracts, 3,549 SLOC.
Shadow Arena #007: Reaper Vaults V2
Yearn V2-style yield aggregator by Reaper Farm, audited as part of the Ethos Reserve contest. Vault + strategy chain with locked-profit degradation, gain/loss reporting, and Granary/Aave integrations. 5 representative findings (3 H + 2 M).
Shadow Arena #008: Yearn yBOLD
Yearn's own product on Liquity V2. Multi-strategy BOLD allocator across three Stability Pools with collateral auction recovery. 3 surgical findings (2 H + 1 M), each mapping to one Yearn V2 Build section.
Shadow Arena #009: Popcorn Protocol
Multi-vault factory built on Yearn V2 patterns. Factory deploys per-asset vaults with adapter strategies and a fee module. The bugs cluster around factory cloning, fee config, and adapter accounting. 6 findings (3 H + 3 M).
Shadow Arena #010: Tokemak v2
Sibling architecture to Yearn V2: Autopilot Vaults (LMP) plus Destination Vaults across Curve, Balancer, Maverick. Not a fork: the team re-derived many V2 patterns from scratch. The graduation audit. 6 findings (4 H + 2 M).
Prepare with the Build Modules
Build the protocol first, then audit its forks. Uniswap V2 prepares you for the AMM audits (Basin, ElasticSwap, Velodrome). Compound V2 prepares you for the lending audits (Flux, Canto, Venus). Yearn V2 prepares you for the vault audits (Reaper, yBOLD, Popcorn, Tokemak).