From QA Engineer to Web3 Security Expert
Introduction
For 10 years, Bloqarl, née Carlos, worked as a software engineer and QA tester, reporting bugs manually and automating UI tests for mobile apps (Android & iOS). Then, a chance Twitter thread introduced him to DeFi and smart contract auditing. He’s now a full time security researcher and the co-founder of Zealynx Security.
Be consistent, show up everyday, be kind, learn in public, and build your brand.
—
How I came to smart contract auditing and security research
I discovered smart contract auditing on Twitter. Don’t remember where, exactly. Eventually, I found my way to Guardian Audits’ Discord where conversations around smart contract vulnerabilities and web3 security were in full force.
My first impression was “oh my god, people are so cool and nice.” Seeing people share their knowledge, asking nothing in return, was absolutely amazing! I knew I had to be a part of it.
When I started my journey, I was one of maybe a few thousands people who did smart contract audits. I knew that if I worked hard, I could build a brand and be successful.
My first approach to blockchain was through a DeFi course to gain general knowledge.
Then, I began to learn web3 development on Cyfrin Updraft’s Solidity course. And even managed to work on a friend’s smart contract project, putting practice into execution.
That’s when things got interesting.
I joined Johnny Time’s Smart Contract Hacking course, which gave me the push needed to learn and get better every day.
I was still working full-time, 9-5, as a QA engineer.
Sacrifices needed to be made to continue studying smart contract auditing.
I woke up every day at 6am and spent hours learning smart contract security on Cyfrin Updraft, writing articles, and being active on Twitter. Then, I’d go to my full-time job.
I didn’t sleep much. Because all other free time was dedicated to my family and baby daughter.
But, I woke up everyday addicted for more, focusing on doing as much as possible in the little time available.
I was a little jealous seeing people on Twitter/X sharing wins and amazing progress. Also motivated. But, I understood the situation: Focus on the long term, don’t rush things, slow and steady wins the race.
Until March 2024.
Then the unthinkable happened. I, and 50 other colleagues, were laid off.
No safety net. Only opportunity.
I jumped into web3 security full time, started Zealynx Security, and participated in public contests. When Cyfrin CodeHawks launched, I joined the smart contract auditing competitions there too.
Two highlights are: 1. Securing a top five result on Cyfrin CodeHawks in only two days for the Beanstalk Part 1 competition (I wrote a case study about it) and 2. Identifying two high risk vulnerabilities in the Tadle competition.
In total, I’ve been doing security research for three years, auditing DeFi protocols and making use of fuzzing and formal verification.
Zealynx covers all security stages for DeFi protocols. From threat modeling to pentesting, smart contract audits, and advanced security test suite implementations with fuzzing, Invariant testing and formal verification.
In addition to the work of security research, I’m still writing and sharing learnings with the broader web3 community. Not only does it fortify my learnings, it also builds my brand and helps me connect with fellow blockchain enthusiasts.
Placing security at the front of web3 development
Web3 and blockchain are still at a very early stage. The role of security researcher is to help make smart contracts as secure as possible so DeFi can be the next big revolution.
One key aspect of blockchain security is the idea of learning in public.
Sharing resources, learnings, and content.
Protocols must take security seriously and do everything possible to safeguard user assets.
Obviously not everyone has a large budget for multiple audits. But, there are solutions that allow companies of any size to strengthen their protocol.
For example, bring on an in-house security researcher. Integrate security into the full development process. Correct potential exploits before they happen and advise on code implementations to avoid vulnerabilities.
Learn how to write fuzz and invariant tests, how to add formal verification to the project. A protocol with a testing suite like this will have a higher layer of security than those that don’t.
Thoughts on joining the security revolution
People often ask me how to enter blockchain security and I share two notes from my experience. First, understand that it is a long, complicated journey, but well worth it. Second: be loud about your success; the work you do is hard and you must advocate for yourself.
Outside of those things, what’s worked for me is being consistent, showing up everyday, being kind to people in the community, learning in public, and building my own brand from the start.
Lots of interesting things happen in security. For example, the volume free content and resources available, freely shared every day is astounding. The community is amazing and people genuinely want to help each other. No other industry does it like blockchain.
More practically, discovering vulnerabilities in protocols is always fun, even if they’re less important ones. Our goal is to harden security and build safer products, every bit helps.
If you’d like to continue following my journey, you can find me @TheBlockChainer and @ZealynxSecurity.