Written by
Patrick Collins
Published on
February 13, 2025

How to Become a Smart Contract Auditor | Full Roadmap

Learn how to become a smart contract auditor (security researcher) and kickstart your career from this full roadmap with the best resources and courses in web3.


Do you like exploits? Well, how about them exploits?
- Matt Damon, maybe

Web3 is one of the most predatory environments you’ll ever face. In 2024, we saw over $2.2 Bn stolen. That’s a billion with a big fat “B.”

Because of this, the demand for smart contract security is growing, with auditor salaries skyrocketing to $200k+ per year.

In this article, we give you the exact step-by-step roadmap for becoming a smart contract auditor (better known as a “security researcher”) in web3.

This guide is for you if you want to:

Keep in mind that the key to a successful web3 security career is improvement. You have to continuously improve, because mediocre security researchers see little success.

Go for gold! If you’re going to go down this path, always be learning.

That said, let's get started with our roadmap to become a smart contract auditor.

1. Take a course and learn Solidity



The first thing you need to do to become a smart contract auditor is to familiarize yourself with Solidity, the dominant language of web3 development. As of today, 85% of all smart contract value flows through Solidity, so you can be assured that it is a good language to learn: the knowledge will apply to most blockchain applications.

Luckily, there are many places to learn Solidity end-to-end, such as:

I highly recommend Updraft for learning Solidity and smart contract development. It’s the latest and greatest from the Cyfrin team, packed with EVERYTHING the top minds in web3 know to help you become a successful developer.

Do you have to become an amazing Solidity savant to be a top auditor? No.

We've been consistently surprised when chatting with the top 1% of security researchers because some of them have a somewhat basic understanding of the language. Instead, they just get an incredibly detailed understanding of the codebases they are working with.

Does this mean you should skip learning advanced Solidity? No.

There are a few special cases out there who can get away with this. But, in general, the better you get at Solidity, and the better you get at advanced testing techniques, the more of a leg up you’ll have on attackers.

2. Learn smart contract auditing

The next step is to learn smart contract security and auditing. Get used to learning, as most of your job as an auditor/security researcher is to consistently learn. I’ll give you some tools later that you can use for this.

This is exactly why we set up the smart contract security and auditing course on Cyfrin Updraft.

This will teach you everything you need to know to be a successful security researcher, such as top exploits and concepts like:

Guest lectures include web3’s best, like the Head of Blockchain at Trail of Bits, auditors from Sigma Prime and Guardian Audits, and solo auditors such as Johnny Time and Pashov.

I co-created the course with Tincho from The Red Guild.

The most important part here is that once you take this course, you’ll never HAVE TO take another smart contract security and auditing course. You’ll be well on your way to being successful, and the most important thing you can do moving forward is practice.

How do you practice? Well, I’m glad you asked.

3. Practice smart contract auditing - compete in contests

The next step in this roadmap to becoming a web3 auditor is essential. You’ll want to learn and grow, but you’ll also want to get feedback quickly.

One of the best places to practice while building your reputation is competitive audit platforms like CodeHawks, Code4rena, and Sherlock. These allow you to compete with other security researchers to find bugs, and they let you compare how well you did on a codebase against everyone else. Additionally, you can win money depending on your performance!

In addition to paid competitive audits, CodeHawks also offers First Flights. These are beginner-friendly audits created specifically for new auditors to learn how to find different bugs in smaller and simpler dummy protocols. If you can’t find at least one bug in these contests, you might want to keep practicing before heading to the main contests.

Competitive audits allow the top performers to get scouted by firms and hired, and you can even check leaderboards, such as the one on Solodit, to see how other auditors are doing.

Every time you do a contest, a solo audit, or a bug bounty, you’ll want to update your GitHub to include the work that you’ve done. This way, others can review your work and see how good you are!

You can also practice by:

  • Doing bug bounties
  • Sharing your security reviews/audits of codebases you like (GitHub, X (formerly Twitter), and Medium are a good start)
  • Connecting with other auditors (Cyfrin’s social media channels, as well as the Discord servers of Cyfrin, Code4rena, and Sherlock, are solid options; you can also check out leaderboards on platforms like CodeHawks and reach out to the security researchers there on social media)

4. Continuously learn and grow

The biggest part of how to become a smart contract auditor is that you will always want to improve your knowledge base. The more attacks you are aware of, the more likely you’ll be able to spot them in a codebase.

So, one of the top tools smart contract auditors should use is Solodit.

It aggregates findings from top firms, solo auditors, and competitive audit platforms into a searchable database so you can learn about the types of attacks people are reporting. This way, you’ll know what kinds of bugs are popping up and how to get ahead of other security researchers.

Learning is something you’ll want to get comfortable with (have you heard this before?), and learning can be a bit uncomfortable, so you’ll want to get comfortable with being uncomfortable! Additionally, you’ll want a consistent influx of security content.

Some great web3 security newsletters are:

  1. Cyfrin’s Newsletter
  2. Blockchain Threat Intelligence
  3. Rekt
  4. Consensys Diligence Newsletter

Conclusion

In this roadmap to becoming a smart contract auditor, we've listed all the resources you'll need to go from zero to the top 1% of web3 auditors, so you can kickstart your career or start competing in smart contract auditing competitions on CodeHawks.

Continue to learn, grow, and compete! As you’re learning and growing, you can start to get paid and grow your career by applying for security roles at auditing firms or by earning bigger payouts on more complex bug bounties and competitions.

To learn smart contract security and development, visit Cyfrin Updraft.

To request security support or a security review for your smart contract project, visit Cyfrin.io or CodeHawks.com.

To learn more about the top reported attacks in smart contracts, be sure to study up on Solodit.
