Security is a critical requirement for mainstream adoption of DeFi and blockchain technology. However, in the past two months alone there’s been approximately $300 million exploited from blockchain protocols and infrastructure.
There is a clear need for skilled blockchain security researchers, and a huge opportunity for individual contributors as the security ecosystem experiences exponential growth.
This article will explore how to optimize your transition from traditional cybersecurity into blockchain security research. We’ll share tips for navigating the industry and discuss the differences between traditional and web3 security landscapes. We’ll also explore the business realities independent security researchers will encounter to maximize opportunity.
The worlds of traditional cybersecurity and blockchain security research are at very different maturity levels. For experienced cybersecurity researchers, transitioning into blockchain security research can be confusing. A new set of skills, strategies, and knowledge are necessary to achieve success.
The roadmap from cybersecurity to blockchain security researcher:
For roles in blockchain security, you must have a foundational knowledge of smart contract development and security. Even for non-technical roles, contributors must understand the principles and methods of the systems they are built on.
Luckily, learning how to develop smart contracts and advanced security concepts is freely accessible. Multiple learning platforms offer a clear learning path from beginner to advanced; you simply follow the plan. Cyfrin Updraft is the gold standard for blockchain education.
The path to smart contract security is more viable than ever. In a series of posts, independent security researchers (N0kto, Bube and Nisedo) detail how they transitioned to smart contract auditing from development, academics, and traditional cybersecurity.
More and more high-achieving researchers come from non-technical backgrounds, upskilling in a relatively short period of time. It is possible. Elhaj shared his journey from taxi driver to security researcher using Cyfrin Updraft, crossing over from a non-technical background into blockchain security.
Solidity is the most popular smart contract language. Other helpful development languages include Rust, Vyper, JavaScript, Cairo, and Noir.
Roles beyond pure auditing or engineering draw on a wider range of skills than this foundation, but understanding how smart contracts operate remains essential for all of them.
Public audit competitions have become the ‘traditional’ route to success as a smart contract auditor, and several platforms are designed solely to facilitate them, including Cantina, Code4rena and Cyfrin CodeHawks.
New security researchers can gain experience with beginner-friendly First Flights contests on Cyfrin CodeHawks. Then, graduate to real public audit contests, sponsored by leading protocols, to earn money and climb the leaderboard.
Capture the Flag (CTF) exercises are also helpful for testing the knowledge you have learned. Damn Vulnerable DeFi V4 is an excellent collection of such challenges.
The traditional cybersecurity industry has had decades to mature. Blockchain security is in its infancy.
Concepts, frameworks, tooling, methodologies, and even roles taken for granted in traditional cybersecurity have either not been created yet or need time to develop.
There is a future with a single ‘source of truth’ for securing smart contracts, blockchain infrastructure, and web3 organizations, but it needs to be built first.
A good comparison is the NIST (National Institute of Standards and Technology) Cyber Security Framework. This globally adopted framework provides a common set of controls and systematic methodology for managing cybersecurity risk within an organization.
In Blockchain security, the two ‘frameworks’ below are a good starting point for providing a systematic methodology to achieve durable security in the smart contract world.
Solodit is the most comprehensive database of vulnerabilities, hacks, exploits, mitigations, and auditor reports publicly available. Its mission is to help developers build protocols more securely.
It is the backbone of almost every security researcher's reference knowledge and the most useful tool in the researcher's arsenal, with over 12,000 findings to study. From those findings, the team developed a Checklist as a reference framework for security audits.
The Smart Contract Security Verification Standard was developed by Damien Rusinek and Pawel Kuryłowicz. In addition to smart contract security controls, it explores operational security measures such as incident response. It also highlights controls such as security threat modeling and adding them into the development lifecycle to reduce security risk.
A structured, methodical approach to your audit process will increase your chances of finding vulnerabilities. Frameworks, though not a requirement, offer direction and ensure you’ve covered all well-known attack surface areas.
Researchers' tools for vulnerability discovery are evolving. For example, static and dynamic analyzers are now available to test codebases and highlight areas for investigation.
Fuzz testing is an example of dynamic testing for vulnerabilities. In dynamic testing the tool actually executes the code, allowing security researchers to observe transaction outputs and state changes that reveal issues.
Echidna is the industry-leading fuzz-testing tool. It uses property-based fuzzing to surface vulnerabilities by testing contracts against user-defined predicates.
More experimental is Medusa, a cross-platform go-ethereum-based smart contract fuzzer inspired by Echidna. Though still in development, it is proving to be one of the most powerful smart contract fuzzers.
Veteran blockchain security researcher Alex The Entreprenerd and his team developed Recon. The tool integrates the existing fuzzers Echidna and Medusa to simplify operations for security researchers and make it easier to debug tests.
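To make the property-based fuzzing described above concrete, here is an added example that is not from the original article or from the Echidna project: a deliberately simplified, hypothetical vault contract together with an Echidna harness. The contract name, the invariant, and the planted accounting bug are all assumptions made for this illustration. Echidna deploys the harness, calls its public functions with random arguments and senders, and after each call evaluates every view function whose name starts with `echidna_`; a property that returns `false` is reported with the minimized call sequence that broke it.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Hypothetical vault written only for this example (not from the article).
contract SimpleVault {
    mapping(address => uint256) public balances;
    uint256 public totalDeposits;

    function deposit() external payable {
        balances[msg.sender] += msg.value;
        totalDeposits += msg.value;
    }

    function withdraw(uint256 amount) external {
        require(balances[msg.sender] >= amount, "insufficient balance");
        balances[msg.sender] -= amount;
        // Defect planted for the demonstration: totalDeposits is never
        // reduced, so the vault's books drift away from its real balance
        // after the first withdrawal. The fix is one line:
        //     totalDeposits -= amount;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}

/// Echidna harness. It inherits the contract under test so the fuzzer can
/// call deposit() and withdraw() directly; the echidna_* function is the
/// user-defined predicate that must hold after every call sequence.
contract SimpleVaultEchidnaTest is SimpleVault {
    /// Invariant: the ether actually held must always cover recorded deposits.
    /// With the defect above, "deposit(1 wei); withdraw(1 wei)" leaves
    /// totalDeposits at 1 while the balance is 0, so this returns false.
    function echidna_balance_covers_deposits() public view returns (bool) {
        return address(this).balance >= totalDeposits;
    }
}
```

Save the file and run `echidna <path> --contract SimpleVaultEchidnaTest`; Echidna will report the property as failing and print the shortest deposit/withdraw sequence it found. Restoring the `totalDeposits -= amount;` line makes the property hold across every sequence the fuzzer generates, which is the point of the technique: you state what must always be true, and the tool searches for the transaction sequence that makes it false.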
Cyfrin developed Aderyn, a static analysis tool that looks for issues within code logic. It is highly flexible: developers can build their own detectors to uncover specific code-based vulnerabilities and easily export findings in Markdown format.
The world of blockchain security and smart contract auditing is niche.
Although blockchain security is about securing trust-minimized systems, the collaborations required to build those systems still depend on personal relationships.
As specialists in a nascent field, security researchers quickly become known to one another, especially if they do great work, and job opportunities often come through referrals.
Credibility and reputation are paramount.
All interactions (performance in public security audits, replies on Twitter/X, discussions in Discord, or comments in GitHub repos) are largely transparent and publicly available. Your brand is built from the first moment of interaction.
Reputations and credibility are built through public contest wins, collaborations with web3 security teams, independent content creation, and verifiable credentials.
Embrace integrity and professionalism as your guiding principles. These are your most valuable assets in building trust and long-term success.
Demonstrating high performance is the baseline. Integrity, honesty, and focusing on the right things lead to sponsorship, repeat business, recommendations, and future collaboration.
Positive testimonials and your professionalism will ensure potential sponsors feel confident in your ability to execute high-importance work.
The culture of blockchain is very different from the work culture of “traditional” industry, and it can be a shock to those coming from traditional corporate career paths.
Most blockchain organizations are start-ups that lack the formal processes experienced cybersecurity professionals may be used to.
One advantage is that startups can pivot and pursue new product gaps or market opportunities without much bureaucracy, adjusting their business quickly as the market or industry landscape changes.
The disadvantage is that contributors need flexibility and the awareness to adapt to changing needs.
Corporate organizations have a defined list of roles & responsibilities. In a startup, you may be asked to work on tasks you were not hired for or have little experience doing.
Security researchers anecdotally note that many projects that initially wanted to discuss smart contract audits are now also requesting information on their organization’s traditional cybersecurity posture.
An entrepreneurial approach is essential. Traditional cybersecurity experts often have no experience with sales or marketing unless they come from consulting, where sales and client management skills are required.
Understanding the power of personal brand and actively demonstrating and marketing achievement is important.
Learning and working in public is very much encouraged: posting successes on Twitter/X, developing blog or video content to share learnings and help others.
As an independent security researcher you should view your work as akin to developing a start-up business, and you must explore different strategies to grow.
Build your brand and market your services. Expand your visibility to potential clients. Develop content that adds value. Engage in industry discussions to demonstrate technical acumen.
There’s a large amount of open-source material to help with common challenges. For example, “44 Common Sales Objections & How to Respond” can help you negotiate when discussing a private security review. It is highly recommended that you expand your entrepreneurial knowledge base to assist in generating new business opportunities in the blockchain world.
Massive opportunity exists in blockchain security. The industry is growing exponentially, and experienced voices are essential to elevate blockchain security to the level of traditional cybersecurity. Following this roadmap can help shape your journey, enabling you to successfully transition from cybersecurity to blockchain security researcher.
Block spent nearly 10 years climbing the ranks in traditional cybersecurity before moving into blockchain security. He is a freelance smart contract audit manager, team lead, and technical writer. Block leads the Sapphire Dynasty security team, a collective of elite competitive security researchers.