The open-book platform where security researchers practice writing real exploit PoCs against vulnerable codebases sourced from real on-chain hacks and public audit reports. Filter by protocol type. Get validated automatically. Build a skill profile that proves what you can actually do.
by SherlockVarm
Challenges sourced from real on-chain hacks and publicly available audit reports
QuillAudits · Trail of Bits · OpenZeppelin · Cyfrin · Spearbit · Sherlock · DeFiLlama · Rekt
The Concept
Junior and senior auditors read hundreds of audit reports — but there's no structured way to practice turning those findings into working exploits. PoC Arena changes that. We take real vulnerable codebases from public audit reports, tag them by protocol type, and challenge you to write Foundry PoCs that actually trigger the vulnerabilities. Practice on Lending protocols this week, DEX exploits next week, or filter by Oracle manipulation — build deep expertise in the domains you care about.
Filter challenges by protocol type. Build deep expertise where it matters.
Two Tracks
Whether you're a junior auditor building foundations or a senior researcher sharpening skills — both tracks give you a real playground to test your exploit-writing ability against actual vulnerable code.
Hack Replay: Reproduce past on-chain hacks using Foundry fork tests. You get the chain, block number, and exploit transaction hash. Write a PoC that replicates the attack from scratch. Great for learning exploit patterns and building speed.
Audit PoC: Real vulnerable codebases from public audit reports. The report describes each finding in English — your job is to turn that description into a working Foundry exploit. The same skill that separates junior auditors from senior ones, now with a platform to practice it.
Every challenge links the audit report and codebase directly. You don't waste time searching — you go straight to learning.
How It Works
Choose your track. For Hack Replay, we give you the chain, block number, and exploit transaction hash. For Audit PoC, we link the public audit report and the pre-audit codebase. Everything is open book — you know exactly what to target.
Write a working Foundry PoC that triggers the vulnerability. Replay a real on-chain hack from scratch using fork tests, or turn an audit finding into executable exploit code. Real Solidity — not a markdown writeup.
Your PoC runs automatically against hidden validation checks — balance changes, storage mutations, event emissions. First valid submission earns the most points. Your profile builds a skill breakdown by protocol type. No human judges, no waiting.
Leaderboard
One unified leaderboard. Your profile shows a tag-based skill breakdown by protocol type — Lending, DEX, Vault, Bridge, Oracle — so anyone can see exactly where you dominate.
About
Security Researcher & Smart Contract Developer
Security researcher with experience across DeFi protocol auditing, smart contract development, and hack analysis. Previously worked with Kleros on cross-chain proxy contracts and security reviews, and with QuillAudits on 20+ exploit analyses covering $435M+ in losses. Built tools like SlotMatrix for smart contract inspection. Passionate about making Web3 security measurable and competitive.