How to Become a Smart Contract Developer | Or Security Researcher

We explore the roadmap to becoming a smart contract developer or security researcher.

Patrick Collins
Cyfrin
Apr 23, 2024


Introduction

This article was originally published as How to become a Smart Contract Auditor — Full Roadmap on the Cyfrin security blog.

As a smart contract developer, educator, and security researcher in the blockchain space for the past four years, I’ve revamped my roadmap to becoming a Solidity developer every year.

However, the high-level steps remain exactly the same each year, with the smaller details changing only slightly.

In this article, I’ll disclose the exact steps to becoming a successful Web3 technical person, whether a developer or security researcher.

⚠️ Important

In this article, I’m going to give you actions to take today that I want you to follow if you’re considering this journey. If you’re serious about potentially going down one of these paths (blockchain developer or security researcher), taking these action items will increase your chances of making it by 500%**.

If you’re unsure if you want to go down this path, then read on and hear about the fantastic opportunity Web3 brings.

**500%: A number I made up.

The Four Steps

  1. Understand why you should become a blockchain engineer
  2. Take a Blockchain Course
  3. Join a Hackathon, Competitive Audit, join the Community, & Build
  4. Start your protocol, take a job, freelance & contribute

If you make it this far, you’ve done it! However, I’ll add a bonus in step 5 that we will discuss soon.

5. Keep learning!

That’s it! These are the steps you need to take to become a blockchain engineer!

Watch our YouTube video on “How to become a blockchain developer” for more information.

Step 1. Understand Why

You can learn to do anything by just taking these steps:

  1. Set a specific outcome
  2. Understand exactly why you NEED that outcome
  3. Make a plan
  4. Execute
  5. Reflect on your plan, and refactor where the plan isn’t working

Set a specific outcome

For you, at a high level, this part is easy. You have one of two goals:

  1. Become a smart contract developer
  2. Become a smart contract security researcher

But we should get more specific. We should write down exactly what we want, down to the date. These are known as “S.M.A.R.T.” goals:

S: Specific

M: Measurable

A: Achievable

R: Relevant

T: Time-Bound

For a blockchain security researcher, your goal might be:

In 6 months' time, I want to earn $1,000 in a single CodeHawks competitive smart contract security review

For a smart contract developer, your goal might be:

In 6 months' time, I want to be hired by a company where I am paid to write smart contracts

This allows us to visualize exactly what we want more easily. Take a moment, and write it down. Don’t tell other people your actionable goals! They are for you and you alone. Studies have shown that getting the social reward of “Wow, what a great goal you have!” can negatively affect your motivation.

If you’ve done this step, lock it in by commenting on this post:

I have written my goal down, but I’m not going to tell anyone it.

And now we are on our way.

Understand Why

But we need to know why we want this before we start executing. When we have a bad day, the clouds come out, we get tired, or a lump of code seems particularly daunting, this “why” is what we can fall back on. The “why” is what we can do to keep ourselves motivated when times get hard. The stronger your “why” the more likely you’ll be able to continue.

I’ve already written about why you should become a blockchain engineer (and I’ll have one on security researchers soon, too), but a quick recap:

  1. 🌎 Web3 technology is changing the world; be a part of the movement
  2. 🦖 Remove centralized tyranny from traditional agreements & economic systems
  3. 💰 Experience insane economic opportunity (Competitive Audits, building protocols, etc)
  4. 💻 It’s fun to be crazy technical

Smart contract developers and security researchers are in massive demand, with average salaries around $120,000 — $140,000. But the best security researchers and developers can make even more. Here is an image of the top security researchers’ payouts on a few side competitions.

CodeHawks Leaderboard

Now, to be fair, not everyone can reach those heights, but those who really dig down can.

So, write down why you want to do this. It doesn’t matter what you write down; it just matters that it’s true to you. It can be anything. “I want to make a massive impact on the world,” “I want the money to provide for my family,” “I want to work on incredibly challenging technical projects,” or “I want to drive a Lambo.”

All that matters is you write it down and are true to yourself.

If you’ve done this step, lock it in by commenting on this post:

I have written down exactly why I want to achieve the goal that I have set here so when things get hard, I can remember why I’m doing this.

Step 2. Take a Blockchain Course

Pick one course, finish it, and then don’t do another one.

Don’t get stuck in tutorial hell.

Tutorial Hell: When you take endless tutorials but never move on to getting paid or being productive with the skill you’ve learned.

After taking one tutorial (end-to-end, be sure to finish it) don’t take another one. One of the best ways to learn after you have a skill is to start applying it.

Want to learn Mandarin? Learn the basics and then force yourself to speak to other Mandarin speakers.

Want to learn to ride a bike? Learn the basics and then ride a bike all the time.

Want to learn smart contract security and development? Learn the basics and then code a lot or do security analysis a lot.

A lot of people feel a massive amount of imposter syndrome, fear of failure, and analysis paralysis when it comes to making the leap from the learning platform.

Oddly enough, my best advice is to ignore your imposter syndrome.

I’ve written so many guides on how to write Solidity and have done security audits on multiple protocols, and I still feel imposter syndrome sometimes. Everyone does. It’s normal. You have to ignore it and move past it.

Anyways, you do need to learn a tool on a learning platform. Learning can be challenging, which is why we designed Cyfrin Updraft to teach you smart contract development and smart contract security as efficiently as possible. You can take any course you like; just take one, pace yourself, finish it, and then start building. Cyfrin Updraft is the most advanced curriculum for anyone: it starts from scratch for people with zero technical knowledge, but the curriculum is so dense that even advanced smart contract developers should take it to make sure their game is on point!

In Cyfrin Updraft, we will teach you everything you need to know to be successful. When you join, pace yourself, have fun, and get ready to grow.

However, be sure to choose the platform that works best for you!

Important Tools To Learn:

In any course you pick, there are tools you will learn/should learn. If they don’t teach some of these tools, drop the course immediately and pick a different one.

  • Solidity | The language of 90% of smart contracts
  • OpenZeppelin | The unofficial standard library of Solidity
  • Chainlink | Oracle connection for hybrid smart contracts

Important Deployment Frameworks (Pick One!)

  • Foundry | The command line framework (Recommended)
  • Remix | The go-to starting point
  • Hardhat | The JavaScript framework
  • ApeWorX | The Python framework

Basics

Advanced Concepts

  • NFTs | Art and unique tokens on-chain
  • DAOs | Decentralized autonomous organizations
  • DeFi | Decentralized Finance
  • Upgradeability | How to “change” your smart contracts

Tools

  • Testnets | Integration testing in blockchain
  • Etherscan & Block explorers | How to “see” what happens on-chain

Here are my top choices for different education platforms:

Suggested Smart Contract Development Courses

Overall Recommended Pick (For Developers & Security Researchers)

  • Cyfrin Updraft | Created by the Cyfrin security team, this is the most dense and beginner-friendly curriculum, but also the most thorough for advanced engineers, that has ever existed, with 70+ hours of content, written lessons, NFT rewards for solving challenges, and more. This content is consistently kept up to date and is created by some of the best technical minds in the field. Graduates work at places like Chainlink Labs, OpenZeppelin, MetaMask, and every Web3 company you can think of. The content is 100% free forever and is aimed at activating you to be productive. This is both the most challenging and beginner-friendly curriculum on earth. The course starts with blockchain basics, moves into Solidity basics and Foundry basics, then ramps up to Advanced Foundry, Assembly and Opcodes, Formal Verification, Security and Auditing, Web3 DevOps, and every advanced discipline you need to be successful in Web3.

Free Courses for Developers:

  • Solidity, Blockchain, and Smart Contract Course — Beginner to Expert Foundry Tutorial | Created by me! This course was designed to be the most beginner-friendly to expert, dense, powerful course. I highly recommend it to anyone. It teaches Solidity, DeFi, NFTs, Foundry, Stablecoins, and everything in between. It’s a subset of the Cyfrin Updraft curriculum, but if you like long YouTube tutorials, this is for you.
  • Speed Run Ethereum | Created by Austin Griffith, this codebase walks you through many example Web3 applications.
  • Cryptozombies | A gamified way of learning about smart contracts and Solidity. This is constantly rated as one of THE starting places for learning Solidity and smart contracts.
  • Alchemy University | Previously Chainshot, there are few educators in this space that make free content as up-to-date, powerful, and effective as them.

Additionally, anything listed from any of these sites:

  • Solidity-By-Example | Not exactly a course, but one of the best educational sites out there for quick and effective learning.

Free Courses for Security Researchers:

  • Become a web3 ethical hacker | Another subset of the Cyfrin Updraft curriculum, this 21-hour course will walk you through the exact process the top smart contract auditors and security researchers go through. You’ll learn to audit 6 highly technical codebases with advanced bugs in them, including DEXes/AMMs, Loan protocols, Bridges, and more.
  • Gateway | Created by the Guardian Audits team, Owen walks through his workshops with smart contract security researchers to teach them the ways of the land.

Paid Developer Courses:

  • Rareskills | Between $2,700 — $6,000, this is a bootcamp where you’ll get a course instructor who can help you along the way.
  • Consensys Bootcamp | At around $985, this is one of the oldest courses in the space. They know what they are doing!

Paid Security Researcher Courses:

  • 0xMacro Fellowship | Not sure of the price on this, but the 0xMacro team is stellar at what they do, and I’m sure their curriculum would be as well.

Have you taken a course yet? It doesn’t matter which one. Do not proceed to step 3 until you’ve completed at least one course — it doesn’t even have to be from this list!

Step 3. Join a Hackathon, Competitive Audit, the Community, & Build!

You’ve taken a course, yes?

Good.

At this point, the main thing to do is to try out your skills and connect with other builders or security researchers.

Once you have some basic understanding, the best move is to start applying it. Running into issues will force you to learn even more and look up how to unblock yourself.

Make something — Developer Hackathons

Give yourself a deadline. One of the easiest ways to force yourself to make something is to join a hackathon. Many full-blown projects even start as hackathon projects, like 1inch or Instadapp. Hackathons are coding competitions ranging from a few days to a few weeks. You can win money, but most engineers use them to try to learn something new! I’ve already written about why everyone should join a smart contract hackathon as well. Some of the best blockchain hackathons on the planet are:

These will also build your GitHub, GitLab, or Bitbucket profile, so when you go to start getting jobs, people will be able to see what you’ve done in the past! Put everything that you do on something like GitHub! Building a portfolio is one of the most important steps when starting your career.

Audit something — Competitive Audits

The number one entry point for security researchers is competitive audits like CodeHawks or C4. These are security review competitions where security researchers or “hawks” will look for bugs in codebases for a specific amount of time. At the end of the event, the people who found the most bugs with the most vulnerabilities get paid the most!

This is the best way to show off your skills while learning and becoming better. If you climb the CodeHawks leaderboard, it’ll be a surefire way for people to notice you and want your services!

Join something — Community

And finally, connecting with the community, for example on Twitter or Discord, is one of the best ways to stay in touch.

Reach out for help

The community is the best resource for helping you out of those weird things that will trip you up. When you run into any technical issue, follow this document to learn how to get past it:

  1. ChatGPT it
  2. Google it
  3. Ask a question on Peeranha, Stack Overflow, or Stack Exchange
  4. Make an issue on their GitHub repo
  5. Ask on Reddit, Discord, a forum, or anywhere else!

Step 4. Go Deeper

  • Apply for jobs
  • Freelance for grants & work
  • Do competitive audits
  • Start your own protocol
  • Anything else…

At this point, you’re in — deep in — and you are about to start getting paid for all you’ve done. There are a ton of ways to start getting paid for your skills.

Apply for Jobs

Once you are at this point and you want to start connecting with a protocol, start applying! You’ll find blockchain developer job boards everywhere. Here are some examples:

And so much more… Or, you can contact protocols you like and see if they are hiring!

Freelance for Grants

Decentralized protocols have treasuries that are dying for work to make them better. If you have an idea for a protocol, apply for a grant! One of the best places to find grants out “in the wild” is on Gitcoin, but often protocols will have grant programs as well:

And so much more. You can typically find freelance jobs just about anywhere as well.

Start your own protocol

There are a lot of protocols that have yet to be built. You can also look at this list of 77 Hybrid Smart Contract Use Cases if you’re stumped on ideas. If, for some reason, you can’t find an opportunity, create one.

Only about 1% of this industry has been created. We are so early, and there is so much to build.

Step 5. Keep Learning

The only thing in life that is constant is change

The industry pivots consistently, and because of that, you’ll always be learning and growing. Never get complacent. The instant you stop caring about growing, you start dying. So keep learning, and keep growing.

But Patrick, won’t AI replace us?

At the moment, and likely for the foreseeable future, AI is a great helping tool, but it’s making a lot more code in the world worse. AI is a great tool for helping you get started, but you need to be an expert in the tools to find the areas where AI gets it wrong.

Because, as of today, and probably for at least the next decade, AI gets a lot of things wrong.

Summary

Web3 is inevitable, and the opportunities are massive. With this article, I’ve given you the keys to exactly how to get into the game and start being successful.

The journey will take consistency and dedication, but you can do it if you put in the work!

Did you do the exercises from above?

  1. Write down exactly what you want, and when you want it
  2. Write down exactly why you want it
  3. Then comment on this article saying you’ve done it, without saying what you wrote down

When you make it, shoot me a message on Twitter.

Good luck, start your journey, and I’m looking forward to you coming out the other side.

To learn smart contract security and development, visit Cyfrin Updraft

To request security support or a security review for your smart contract project, visit Cyfrin.io or CodeHawks.com.

To learn more about top reported attacks in smart contracts, be sure to study up on Solodit.
