Public audit contests are the rawest measurement of security skill - hundreds of competitors, same codebase, same deadline. Every finding we submit directly strengthens ecosystem security. Below is a breakdown of 16 contests where TrustSec took 1st place.
Forgeries is an NFT raffle platform where a host stakes a prize NFT and holders of a specific collection can enter a draw. A winner is selected using Chainlink VRF (verifiable random function) to ensure fairness.
The draw organizer could rig the raffle to heavily favor their own tokens, effectively stealing the expected value of the prize from legitimate participants.
The system uses Chainlink VRF for randomness, but the raffle host controls the subscription that funds the oracle request. By leaving the subscription unfunded, the host can delay the random response for up to 24 hours โ well past the 1-hour redraw cooldown. Once they fund it and see the incoming result in the mempool, they can either accept it (if they win) or frontrun it with a redraw() call that invalidates the old request. This "peek and retry" loop breaks the fundamental fairness assumption of the raffle โ the developer didn't account for the gap between when a redraw becomes possible and when the oracle is guaranteed to have responded.
If your system depends on an external service responding within a time window, don't allow user actions that assume the response has arrived until that window has definitively closed.
The same people who dominate public competitions are the ones reviewing your protocol behind closed doors.