How to Become a Smart Contract Auditor

We look at the roadmap to becoming a web3 security researcher (sometimes called a smart contract auditor) and walk you through the exact steps to be successful in web3 security.

Patrick Collins
Cyfrin


[Image: Smart Contract Auditor Roadmap]

Introduction

"You like exploits? Well, how about them exploits?"
- Matt Damon, maybe

Web3 is one of the most predatory environments you’ll ever face. In 2023 we saw almost $2B stolen. That’s billion with a big fat “B”. Because of this, the demand for very strong security personnel is growing.

In this article, we are going to give you the exact step-by-step process to become a smart contract auditor (better known as a “security researcher”) in web3. For anyone who wants to:

These are exactly the steps you need to take.

  1. Take a Solidity and smart contract auditing course
  2. Compete in competitive audits
  3. Continuously learn about new hacks and exploits
  4. Repeat

Keep in mind, the key to breaking into a successful web3 security career is improvement: you have to continuously improve, because mediocre security researchers see little success.

Go for gold if you’re going to go down this path, always be learning.

1. Take a Solidity and smart contract auditing course

[Image from Cyfrin Updraft: Learn smart contract development and auditing]

Learn Solidity

The first thing you need to do is familiarize yourself with Solidity, the dominant language of web3 development. As of today, 94% of all smart contract value flows through Solidity, so you can be assured that Solidity is a good language to learn, as the knowledge will apply to most blockchain applications.

Luckily, there are many places to learn Solidity end-to-end:

I highly recommend Updraft for learning Solidity and smart contract development, as it’s the latest and greatest from the Cyfrin team, built to teach you EVERYTHING the top people in web3 know and make you a successful developer.

Do you have to become an amazing Solidity savant? No. I’ve been consistently surprised when chatting with top 1% security researchers: some of them have a fairly basic understanding of the language. Instead, they build an incredibly detailed understanding of the specific codebases they are working with.

Does this mean you should skip learning advanced Solidity? No. There are a few special cases out there who can get away with it, but the better you get at Solidity, and the better you get at advanced testing techniques, the more of a leg up you’ll have on attackers.

Learn Smart Contract Auditing

[Poster from Cyfrin Updraft’s Security and Auditing Course: Learn smart contract security & auditing]

The next step, obviously, is to learn smart contract security and auditing. Get used to learning, as most of your job as an auditor/security researcher is to keep learning. I’ll give you some tools later that you can use for this.

For learning auditing, this is exactly why we set up the security course on Cyfrin Updraft. It will teach you everything you need to know to be a successful security researcher:

Top exploits like:

  • Reentrancy
  • How to win a competitive audit
  • Denial of Service
  • MEV
  • Oracle Manipulation with flash loans
  • The top web3 attacks
  • Signature Replay
  • Weak Randomness

With guest lectures from Web3’s best:

Made together with Tincho from The Red Guild.

The most important part here is that once you take this course, you never need to take another security course. You’ll be well on your way to being successful, and the most important thing you can do moving forward is practice.

How do you practice? Well, I’m glad you asked.

2. Practice | Compete in Smart Contract Audit Contests

[Image: CodeHawks landing page | Smart Contract Competitive Audits]

At this stage you’ll want to keep learning and growing, but you’ll also want to get feedback very quickly. One of the best places to practice, while also building your reputation, is a competitive audit platform like CodeHawks or C4. These let you compete with other security researchers at finding bugs and compare how well you did on a codebase. On top of that, you can win money depending on how well you do.

In addition to paid competitive audits, the CodeHawks platform in particular has First Flights. First Flights are beginner-friendly audits created specifically for new auditors to learn how to find different kinds of bugs in smaller, simpler dummy protocols. If you can’t find at least 1 bug in these contests, you might want to keep practicing before heading over to the main contests!

Competitive audits allow top performers to get scouted and hired by firms, and you can even see leaderboards, like the one on Solodit, showing how other auditors are doing in the industry.

[Image: Solodit Leaderboard]

Every time you do a contest, a solo audit, or a bug bounty, you’ll want to update your GitHub to include the work that you’ve done. This way, others can review your work and see how good you are!

You can also practice by:

  • Doing bug bounties
  • Doing your own security reviews/audits of codebases you like
  • Connecting with other auditors

3. Continuously learn and grow

[Image: Learn from top reports on Solodit]

The biggest part of being a security researcher/auditor is that you always need to be improving your knowledge base. The more attacks you are aware of, the more likely you are to spot them in a codebase. One of the top tools smart contract auditors should use is Solodit.

Solodit aggregates reports from top firms and competitive audit platforms and places them into a searchable database so you can learn about what types of attacks people are reporting. This way, you’ll know what kinds of bugs are popping up and how to get ahead of other security researchers.

Learning is something you’ll want to get comfortable with, and learning can be a bit uncomfortable, so you’ll want to get comfortable with being uncomfortable!

Additionally, you’ll want to consistently have an influx of security content. Some great web3 security newsletters are:

4. Repeat

And finally, continue to learn, grow, and compete! As you’re learning and growing, you can start to get paid and grow your career by:

  • Applying for security roles at auditing firms
  • Getting bigger payouts on more complex bug bounties and competitions
  • W̶r̶i̶t̶e̶ ̶”̶D̶M̶ ̶f̶o̶r̶ ̶a̶u̶d̶i̶t̶ ̶o̶n̶ ̶y̶o̶u̶r̶ ̶t̶w̶i̶t̶t̶e̶r̶ ̶p̶r̶o̶f̶i̶l̶e̶”̶ Start your solo auditor career

And more.

To learn smart contract security and development, visit Cyfrin Updraft.

To request security support or a security review for your smart contract project, visit Cyfrin.io or CodeHawks.com.

To learn more about top reported attacks in smart contracts, be sure to study up on Solodit.


Patrick Collins
Cyfrin

Lover of smart contract engineering and security