5 Reasons to Become a Smart Contract Security Researcher (Smart Contract Auditor)

We explore why someone would want to become a smart contract/solidity auditor, the opportunities, why we need them, and more.

Patrick Collins
Cyfrin
7 min read · May 21, 2024

Why smart contract auditing
Original image by thomaguery from Getty Images

Introduction

Smart contract security is one of the most important disciplines in making DeFi and Web3 mainstream. In this article, we will answer the following questions:

  • Why bother learning security?
  • Won’t AI replace us all soon, anyway?
  • Is there any opportunity for me here?

We’ll do so by reviewing the top five reasons for becoming a smart contract security researcher (smart contract auditor). The reasons are as follows:

  1. Help secure the web3 ecosystem
  2. Become a better smart contract developer
  3. Compete in competitive audits
  4. Career opportunities
  5. Memes

This is probably one of the funniest jokes from Formal Verification pro and top technical Web3 member 0xkarmacoma, but you need to be an EVM expert to get the joke.

0xkarmacoma meme joke stronk

So yes, #5 on our list is a serious reason.

After reading this article, you can learn smart contract security and auditing on Cyfrin Updraft, to become a security researcher.

Help secure the web3 ecosystem

This is the current state of Web3 and DeFi.

The current state of web3 security
Image from Rekt News

It shows that over the period of one month, there were at least two hacks or rug pulls of over a million dollars every single week. This is clearly not the advertisement we want to show our banking and traditional finance friends to convince them to come to Web3.

We want cryptocurrencies and Web3 to succeed because we have this fantastically better technology that allows trust-minimized agreements and removes the possibility of corruption. But if you have to tell your grandmother this, her eyes may roll into the back of her head as she says:

What the f*** are you talking about?

*You have a vulgar grandmother.

It can often be very difficult to convince many people about Web3's benefits. It’s often only when someone is destroyed by a centralized actor (for example, a government preventing you from withdrawing your money from your bank) that they see the need for what Web3 brings.

But by then, it’s too late.

Once we convince them, they will look at how often Web3 gets hacked and turn right back the way they came. We have this massive uphill battle to fight, and we need to show that the grass is greener in every way possible, so they finally decide to stick their noses up to the centralized entities and into the arms of what we are cooking.

But we can only do that if our security is as good as, if not better than, what they have going on in traditional finance, and as of right now, we do not have that.

The state of web3 security
Image from Chainalysis

According to Chainalysis, almost $2B was stolen in 2023, and if you consider that DeFi's entire TVL at the time barely crossed $50B, that number starts to become jarringly unacceptable.

If we want to onboard the world to Web3, we must fix it. By becoming a security researcher, you can directly contribute to making Web3 a safer place, enabling the rest of the world to come to what we are making and not get rekt doing so. You can actively be part of the mission and feel great about what you’re doing.

Become a better smart contract developer

So, maybe you’re a builder and have difficulty reading your own code, let alone someone else’s. Maybe your eyes start to glaze over when you see any function longer than two lines, and it pisses you off when someone tells you to read the documentation.

You are not alone.

However, if you don’t understand the security aspects of your smart contract, you’ll never be as good as someone who does. Here, legendary hacker George Hotz explains why everyone should learn to write code in assembly (a prerequisite to being a great security researcher).

Everyone should learn C and assembly
Original tweet from 7etsuo

Smart contracts should be considered hardware, and we should be very careful when building and deploying them because, as you should know, they can be challenging to change. If you understand the security implications of your smart contracts, you can better design and build your protocols with security embedded every step of the way.

Security shouldn’t be “outsourced to the audit.” It needs to be baked in from day one.

The only way to ensure that is if you, as a smart contract developer, understand security and auditing.

Additionally, if you understand the audit process, then when you send your codebase to audit, you’ll be able to follow what the auditors are doing and know how to judge how good they are.

Compete in competitive audits

Part of the fun of being a technical person in Web3 is that there are many opportunities to flex your skills and potentially get paid to do so. Competitive audits are quickly becoming one of the most popular ways for protocols to ensure their codebase is secure.

Competitive audits / open audits: CodeHawks
Image from the CodeHawks Leaderboard

Competing in competitive audits is a fun way to learn more about smart contracts, what protocols are being built, and show off how much of a badass engineer you are. One of the quickest ways to know how good you are is to start competing and see how you do!

If you’re nervous about being overwhelmed by how big some of the audits are, the CodeHawks platform has something called “First Flights,” which are scaled-down competitive audits built specifically for learning auditing. One of the best ways to learn anything is to throw yourself into it, and First Flights are a great way to get your feet wet without being overwhelmed. The codebases are specifically created so they can be audited relatively quickly, with bugs deliberately seeded for users to find, learn from, and grow.

Career opportunities

I’m sure this is the one a lot of you are here for. According to Cryptojobslist, smart contract auditors and security researchers can earn between $100k and $200k, depending on their skill level. The best of the best can make even more when you factor in prizes from bug bounties, competitive audits, and private clients.

Smart Contract Auditor Salary
Source: Cyfrin Blog

There is a lot of demand for smart contract security. However, there is very little demand for junior talent. This is why competitive audits are so important for people to gain skills.

You can read our in-depth salary article in our smart contract auditor salary guide for more information.

A lot of people ask me:

“Won’t AI be better than me and replace me?”

And I answer with a big:

“Not in the next decade”

I’ve reviewed a lot of AI-based smart contract audit tools, and they are all terrible. AI will be a great tool to aid smart contract auditors, but it’ll take a long time before they replace any security researchers. The security researchers who get in now, or in the next couple of years, will be the ones to walk away with the biggest rewards.

Now, the opportunity here is massive, but I must emphasize this:

💡 Being successful as a smart contract security researcher is not “easy.” There is a misconception that there is an “oversupply” of security talent. Let me make this clear.

There is not an oversupply of talent.

The top security talent will receive most of the rewards, and not everyone will reach the top.

There is a lot of competition for job opportunities, and it’s not a guaranteed win. If you’re looking for jobs in Web3 security, you’ll need to do a lot of studying. It’s very doable, but don’t expect any free lunch.

Memes

Tweet from 0xkarmacoma

There is something oddly special about being able to understand jokes that require a backlog of knowledge. Here are some memes from the king of avant garde Web3 memes. Your task is to go learn smart contract security, then come back here and see if you can understand these jokes.

Original Tweet
Original Tweet

And he’s got a few more, like this one, this one, this one, and this one.

Come back when you understand all these jokes.

Summary

I hope I’ve convinced you to get into smart contract security, as it’s one of the most important disciplines needed for cryptocurrency to succeed at the moment. You can learn smart contract security and smart contract auditing on Cyfrin Updraft if you’re looking to get started. Then, head over to CodeHawks to start getting onto the leaderboard, growing your skills, and leveling up.

Happy learning, and let’s make Web3 a safer place.

To learn smart contract security and development, visit Cyfrin Updraft.

To request security support or a security review for your smart contract project, visit Cyfrin.io or CodeHawks.com.

To learn more about top reported attacks in smart contracts, be sure to study up on Solodit.

Patrick Collins
Cyfrin

Lover of smart contract engineering and security