Smart Contract Auditors play a critical role in ensuring the security and integrity of protocols.
As more and more projects get built, the need for skilled auditors who can analyze the security of smart contracts and give actionable advice to the teams becomes increasingly important.
We recently had an amazing and value packed interview with Patrick Collins, a world renowned blockchain development educator and Co-Founder of CyfrinAudits, where he shared several key insights and valuable advice on how to become a proficient Smart Contract Auditor.
In this article, we will dive into the important points discussed during the session, providing aspiring auditors with a roadmap for success and a list of valuable resources for further learning.
If you are someone who prefers video over text, then you can watch our 1 hour conversation with Patrick Collins on our YouTube channel instead.
The Importance of Smart Contract Audits
Smart Contracts are an amazing execution of tech that allows for the terms to never be changed once the contract is deployed(immutability).
However this is also something that poses a serious problem for smart contract developers, since if a contract gets deployed with a bug nothing can be done about it further.
This is where security and smart contract audits come in handy and provide a strong & secure foundation before deployment.
Smart Contract Audits serve as a vital component in the web3 ecosystem, ensuring the security, reliability, and trustworthiness of the contracts & the codebase.
By conducting thorough audits, auditors can identify vulnerabilities and weaknesses in smart contract code, ultimately reducing the risk of hacks, security breaches, and potential financial losses.
Patrick also mentioned a classic misconception in web3 and that is: “If you’ve got an audit done, you’re good to go”
According to him an audit is a single step in the right direction in the security journey of a web3 protocol but it’s definitely not the end all, be all.
He also stressed that teams should not think that an audit means their code is completely bug free. But historically the vast majority of contract hacks have come through unaudited code.
So even if an audit means your code is not completely bug free it still drastically reduces the chances of getting hacked.
Security Journey of a Web3 Protocol
Patrick gave us a few steps that protocol teams can use as a guide to make sure that they are building a secure protocol that aims at building something that is robust, safe and great for users with minimal security risk.
Here are the security journey steps as highlighted in our talk with Patrick:
- Start thinking about security from day 1 of your code. Otherwise you might literally have to start over.
- As a protocol you should do some testing yourself first including but not limited to unit tests, differential tests, fuzz tests etc.
- Use static analysis tools such as Slither and follow them with dynamic analysis tools.
- Once you’ve built a contract with security in your mind and done internal testing, it is time to go to a smart contract audit firm and get a private audit done.
- Ideally the team should go to one more private audit firm to get a second opinion.
- In this security journey after a private audit the teams should explore competitive audits as well. A competitive audit is beneficial because they are time boxed and they incentivize hundreds or even thousands of people to go through your code. However competitive audits might not get you an in depth security review such as a private audit but they are still highly beneficial.
- Once the code is deployed make sure to also include a bug bounty program. Immunefi is a highly recommended bug bounty program platform. Bug bounties are a crucial step in the flywheel that is the security journey!
Note: A great private Smart Contract Auditor should not only do an audit report for the team but they should teach the team to be more secure and also show them specific points in their code where things looked “suspicious” even if there was no bug there!
Becoming a Smart Contract Auditor
The journey to becoming a proficient Smart Contract Auditor involves a combination of technical knowledge, hands-on experience, and continuous learning.
Interestingly Patrick shared that he has worked with some auditors who are great at reading code from a security perspective, understanding business logic however not the best engineers.
He did add to this by also sharing that a lot of the best auditors he knows are coding wizards and know “every single inch” of coding.
So being great at coding is definitely something that aspiring Smart Contract Auditors should strive towards.
This will help you lay a strong foundation of your security career.
Here are some key steps from our talk to guide you along the path of becoming a great Smart Contract Auditor:
Learn How to Code Really Well
Spending time to learn how to code well definitely helps you in gaining an extra edge for your Smart Contract Auditor journey.
2 great courses for Smart Contract Auditors recommended by Patrick:
- Securem
- Smart Contract Hacking Course by RealJohnnyTime
Johnny also recently published a Smart Contract Auditor roadmap on his YouTube channel which you can check out.
You can learn how to become a smart contract developer or learn to become a smart contract auditor on Patrick's education platform cyfrin updraft for free.
Practice Auditing a Lot
According to Patrick the best way to become a great Smart Contract Auditor is to audit a lot.
Auditing is like any other skill and practicing and reflecting after each audit really helps to hone your skills as an auditor.
Grasp Security Best Practices
Developing expertise in smart contract security requires a deep understanding of common vulnerabilities and best practices.
Familiarize yourself with concepts like reentrancy attacks, integer overflow/underflow, access control, input validation, and secure coding patterns.
Resources like the OpenZeppelin documentation and the Ethereum Smart Contract Best Practices guide are excellent references for learning about security considerations.
Gain Hands-on Experience
Practical experience is invaluable in becoming a proficient Smart Contract Auditor. Participate in bug bounty programs and security challenges to test your skills and learn from real-world scenarios.
You can always start by going through the codebase of popular protocols. It will allow you to understand best coding practices, help you be more thorough and in case you find a vulnerability they tend to pay quite impressive bug bounties too.
You should not think that if a protocol has been audited multiple times by great auditing firms it is bug free. There is always a chance of finding something worthwhile.
Here are a couple of tools that allow you to practice your auditing skills:
- Damn Vulnerable DeFi
- Ethernut
And 3 resources to practice your skills through competitive audits:
- Sherlock
- Saloon
- Code4rena
Internship Opportunities for Smart Contract Auditors
We get asked about crypto internships quite a lot so we made sure to ask Patrick about securing internships in this space.
Here are a few pointers he shared:
- Participating in competitions is a great way to learn while making a name for yourself
- Bug bounties is another valuable way to learn while building a great resume especially if you end up finding vulnerabilities
- Trail Of Bits internship program is a notable place to explore for a proper “internship” role
- Platforms like Immunefi are also quite effective to learn on the job while finding bugs for real protocols with huge payouts, however it also might be a good idea to explore lower payout bug bounties since not many auditors would be paying attention to those.
Career Tips for Experienced Smart Contract Auditors
About 6% of TVL in DeFi was hacked in 2022 according to the Crypto Crime Report by Chainalysis.
This is a huge number!
So the demand for experienced Smart Contract Auditors is very high and it is increasing even more with each passing day.
There are a few career paths a Smart Contract Auditor can take up.
Solo Auditor
Being a solo auditor is always an option but usually a hard route to take. Protocols prefer people with quite a lot of experience so being a solo auditor can mean you don’t make enough money or get enough clients.
However there is always an option of competitive audits and bug bounty programs.
Join a Smart Contract Auditing Firm
Teams usually have a lot of experience clubbed together and when multiple security professionals are working together the overall output quality is greatly enhanced.
Cyfrin might actually hire security professionals in the near future so keep an eye out for those openings with them on their careers page.
Bonus Advice from Patrick for Web3 Security Professionals
Smart contract engineering and security is definitely not an easy career path. It requires a lot of back and forth and analytical skills which requires patience and continuous effort to find vulnerabilities, understand the code base and make smart contracts more secure.
Patrick says: “It’s going to be hard, but know it’s okay and you must keep pushing through.”
Repetition is the mother of skill
The more you do something the better you get. This career path takes time to master so don’t rush through things, enjoy the process of becoming a better web3 security professional and find ways to enjoy the little wins along the way.
Wrap up
Becoming a Smart Contract Auditor is an exciting, difficult and lucrative career path.
Make sure to study well and we hope this article helps you get some clarity about the security roadmap that you need.
In case you have any more questions you can always Tweet at Patrick and share your questions.
He is quite active on Twitter & takes time to help and motivate all aspiring web3 developers and security professionals!
We also talked about the Ethics of white hat hacking and topics such as:
If you find a bug and the team doesn’t respond even after multiple attempts to tell them then “should you white hat hack the protocol”?
If you wish to see what else we talked about make sure to check out the video on our YouTube channel!
And we also had a 15 minute live QnA session at the end of this interview with our live audience.
Huge thanks to them for participating, asking questions and adding value to the Twitter space ❤
The QnA section is at the end of our YouTube video interview