How to become a Smart Contract Auditor | Full Roadmap (2024)

Do you like exploits? Well how about them exploits
- Matt Damon, maybe

Web3 is one of the most predatory environments you’ll ever face. In 2023 we saw almost $2B stolen. That’s a billion with a big fat “B”.

Because of this, the demand for smart contract security is growing with auditor salaries skyrocketing to up to $200k/year.

In this article, we will give you the exact step-by-step roadmap to answer how to become a smart contract auditor (better known as a “Security Researcher”) in web3.

This guide is for you if you want to:

  • Get a job at a top-tier security firm like Cyfrin, Trail of Bits or OpenZeppelin.
  • Become a big payout bug-hunter
  • Win competitive audits on platforms like CodeHawks
  • Or just contribute to the security of web3

Keep in mind that the key to breaking into a successful web3 security career is improvement: you have to continuously improve, as mediocre security researchers see little success.

Go for gold if you’re going to go down this path, always be learning.

That said, let's get started with our roadmap to become a smart contract auditor.

How to become a Smart Contract Auditor

1. Take a Solidity and smart contract auditing course

Learn Solidity

The first thing you need to do to become a smart contract auditor is to familiarize yourself with Solidity, the dominant language of web3 development. As of today, 94% of all smart contract value flows through Solidity, so you can be assured that Solidity is a good language to learn, as the knowledge will apply to most blockchain applications.

Luckily, there are many places to learn Solidity end-to-end, such as:

I highly recommend Updraft for learning Solidity and smart contract development, as it’s the latest and greatest from the Cyfrin team to teach you EVERYTHING the top people in web3 know to make you a successful developer.

Do you have to become an amazing Solidity savant? No.

We've been consistently surprised when chatting with the top 1% of security researchers: some of them have a somewhat basic understanding of the language. Instead, they just get an incredibly detailed understanding of the codebases they are working with.

Does this mean you should skip learning advanced Solidity? No.

There are a few special cases out there that can do this, but the better you get at Solidity, and the better you get at advanced testing techniques, the more of a leg-up you’ll have on attackers.

2. Learn smart contract auditing

The next step is to learn smart contract security and auditing. Get used to learning, as most of your job as an auditor/security researcher is to consistently learn. I’ll give you some tools later that you can use.

This is exactly why we set up the smart contract security and auditing course on Cyfrin Updraft for learning auditing.

This will teach you everything you need to know to be a successful security researcher, such as top exploits like:

  • Reentrancy
  • How to win a competitive audit
  • Denial of Service
  • MEV
  • Oracle manipulation with flash loans
  • The top web3 attacks
  • Signature Replay
  • Weak Randomness

It includes guest lectures from Web3’s best, like the Head of Blockchain at Trail of Bits, auditors from Sigma Prime and Guardian Audits, and solo auditors such as JohnnyTime and Pashov.

Made together with Tincho from The Red Guild.

The most important part here is that once you take this course, you should never take another smart contract security and auditing course. You’ll be well on your way to being successful, and the most important thing you can do moving forward is practice.

How do you practice? Well, we're glad you asked.

3. Practice smart contract auditing - Compete in contests

The next step in this roadmap on how to become a web3 auditor is to learn and grow, while getting feedback very quickly.

One of the best places to practice, while also building your reputation, is competitive audit platforms like CodeHawks. These allow you to compete with other security researchers in finding bugs and to compare how well you did on a codebase. You can also win money depending on how well you do.

In addition to paid competitive audits, the CodeHawks platform in particular has First Flights:

First Flights are beginner-friendly audits created specifically for new auditors to learn how to find different kinds of bugs in smaller and simpler dummy protocols. If you can’t find at least 1 bug in these contests, you might want to keep practicing before heading over to the main contests!

Competitive audits allow top people to get scouted and hired by firms, and leaderboards, like the one on Solodit, show how other auditors are doing in the industry.

Every time you do a contest, a solo audit, or a bug bounty, you’ll want to update your GitHub to include the work that you’ve done. This way, others can review your work and see how good you are!

You can also practice by:

  • Doing bug bounties
  • Doing your own security reviews/audits of codebases you like
  • Connecting with other auditors

4. Continuously learn and grow

The biggest part of becoming a smart contract auditor is that you’re always going to want to improve your knowledge base. The more attacks you are aware of, the more likely you’ll be able to spot them in a codebase.

One of the top tools smart contract auditors should use is Solodit:

Solodit aggregates reports from top firms and competitive audit platforms and places them into a searchable database/interface so you can learn about what types of attacks people are reporting. This way, you’ll know what kinds of bugs are popping up and how to get ahead of other security researchers.

Learning is something you’ll want to get comfortable with, and learning can be a bit uncomfortable, so you’ll want to get comfortable with being uncomfortable! Additionally, you’ll want to consistently have an influx of security content.

Some great web3 security newsletters are:

  1. Cyfrin Newsletter
  2. Blockchain Threat Intelligence
  3. Rekt
  4. Week In Ethereum
  5. Consensys Diligence Newsletter

Conclusions

In this roadmap on how to become a smart contract auditor, we've listed all the resources you'll need to go from zero to one of the top 1% of web3 auditors out there, kickstart your career, or start competing in smart contract auditing competitions on CodeHawks.

Continue to learn, grow, and compete! As you’re learning and growing, you can start to get paid and grow your career by:

  • Applying for security roles at auditing firms
  • Getting bigger payouts on more complex bug bounties and competitions
  • W̶r̶i̶t̶e̶ ̶”̶D̶M̶ ̶f̶o̶r̶ ̶a̶u̶d̶i̶t̶ ̶o̶n̶ ̶y̶o̶u̶r̶ ̶t̶w̶i̶t̶t̶e̶r̶ ̶p̶r̶o̶f̶i̶l̶e̶”̶
  • Starting your solo auditor career
  • And more

To learn smart contract security and development, visit Cyfrin Updraft. To request security support or a security review for your smart contract project, visit Cyfrin.io or CodeHawks.com. To learn more about top reported attacks in smart contracts, be sure to study up on Solodit.

Article information

Author: Saturnina Altenwerth DVM
