Auditing process

1. Overview audit of the protocol:

Audit every single contract for the most obvious things. Understand the full protocol and find most of the low-hanging fruit. Identify most logical issues and observe the storage behavior for most flows. Advanced exploits can already be found at this stage as well.

This step takes the most time.

2. Line-by-line audit of every single contract:

This step mostly uncovers dumb bugs that were overlooked during the first stage. Storage correctness and arithmetic operations are carefully double-checked here.

3. Advanced exploit techniques:

At this point all low-hanging fruit and logical errors have been identified. It’s now time to exploit the codebase with different attack vectors, such as input exploits, unexpected call paths, external storage manipulation, or arithmetic manipulation / revert triggers, just to name a few.

The third part in particular can only be conducted on a working and *almost* bug-free codebase; otherwise it is pointless, since fixes and logical changes will still happen. It is true that the third part is what pays off in contests.