Interview with Georgi Krastenov: Diving Deep into Web3 Security

HackenProof Editor · Published in HackenProof · Jun 13, 2024

In a recent episode of the HackenProof podcast, Alex Horlan, CTO of HackenProof, sat down with renowned solo Web3 auditor, Georgi Krastenov. Their conversation delved into the intricate world of Web3 security, solo audits, and the emerging trends in blockchain technology.

Georgi Krastenov, a solo Web3 auditor, has made significant strides in the blockchain security landscape. With over 15 private audits, he has identified over 50 critical and high-severity issues, safeguarding over $100 million in total value locked (TVL). His journey from a traditional programmer to a leading security researcher is inspiring.

This article summarizes the key highlights from their discussion, offering insights for both seasoned professionals and newcomers to the field.

Welcome, Georgi! We’re thrilled to have you with us today. Could you start by telling us a bit more about yourself and your journey?

Hi Alex, and thank you for having me. I’m Georgi, and about a year ago, I transitioned to being a full-time security researcher. Before that, I was a traditional programmer working on less exciting projects outside of Web3. Since making the switch, I’ve had the opportunity to conduct numerous private audits and identify several critical vulnerabilities. My background includes two years of experience in traditional programming, mainly focusing on backend development with languages like JavaScript, C#, and C++.

Fascinating! When did you decide to start focusing on security? Were you involved in audits at your previous job, or did this interest develop later?

The interest developed later. One of my co-workers left the company, which prompted me to do the same. Last April, I decided to leave my job and fully commit to Web3 security. Initially, I participated in public contests, reporting mainly QA and gas optimization issues. A tweet I shared about my career change brought my first client the very next day. Although I was new to client acquisition and pricing, I offered to conduct a free audit to secure my first project. It paid off, and since then, most of my clients have come through referrals and my presence on Twitter.

That’s an inspiring journey. Could you share some resources or learning materials that were particularly helpful to you when you started, and those you rely on to stay updated?

Sure. My strategy involves staying updated with every new exploit and reading reported vulnerabilities from public contests. I follow many Web3 security researchers who cover interesting and emerging topics. For beginners, I recommend Solodit, which aggregates audits from various sources, including private companies and solo auditors. It’s an invaluable resource for learning.

Can you share one of your favorite findings from your previous audits?

One of my most interesting findings was related to user deposit tracking, where a malicious user could manipulate the balances of other users. Unfortunately, the report isn’t public yet, so I can’t share specific details. Generally, I enjoy vulnerabilities that involve protocol economics or integrations with other protocols, requiring a bit of creativity and out-of-the-box thinking.

Thanks for sharing this. And what about a typical day in your life as a solo auditor?

After each private audit, I take one or two days to rest and catch up on Web3 security content on Twitter. My workday involves six to seven hours of auditing, reading past reports, and communicating with other researchers. It might sound monotonous to some, but I find it rewarding.

Reading code for hours can be quite demanding. How do you avoid burnout with such an intense schedule?

It’s important to balance active bug hunting with related tasks, like comparing codebases or debugging transactions. I also spend time on Solodit, reviewing past vulnerabilities related to my current projects. This variety helps maintain focus and avoid burnout.

What trends do you see in the market right now? Is it easier or harder to become a solo auditor compared to when you started?

If you’re skilled, there’s plenty of work and good pay available. I see a growing demand for Rust auditors and an increasing recognition of bug bounty hunting. New projects are launching bug bounty programs, creating more opportunities for researchers. However, public contests are getting tougher due to more participants and advanced automated tools.

And lastly, what advice would you give to beginners in Web3 security?

Being a good researcher takes time and effort. Invest as many hours as possible in learning. Having a mentor can be incredibly beneficial. Do your own research before asking for help and don’t give up. To gain knowledge quickly on a specific topic, read the top 10 articles from a Google search. This method is often more efficient than watching hours of videos or saving Twitter content you might never revisit.

That’s excellent advice, Georgi. Thank you for sharing your insights and experiences with us today. It’s been a pleasure having an interview with you.

For more in-depth insights and stories, be sure to watch the full HackenProof podcast episode. Georgi shares more about his favorite findings, the complexities of his work, and additional tips for aspiring security researchers. Don’t miss it!
