How to become a successful web3 auditor: The Roadmap

So, you want to be a security researcher? A web3 auditor making Millions?

You have a burning desire to achieve greatness in the field, to become successful and acquire riches beyond the imagination of mortal men. You want to reach for the Stars. Magnificent!

But…how exactly do I get there?

That is the question everyone asks themselves when they start a journey such as this. The goal is so far off in the distance that it becomes nearly impossible to see the path forward.

So what do people do?

  • Some try to copy the predecessors, hoping that doing the same will reap the same rewards.
  • Some randomly pick a direction and try to force their way through sweat, blood and tears.
  • Many do not start at all, paralysed by the near-infinite choices and the fear of making a mistake.

When it comes to web3 auditing, I’ve walked this path for quite a distance and I’ve had my share of trials and tribulations. Many failures and many successes along the road.

I’m writing this to share my experience and hopefully point you in the right direction. We need a lot more auditors to secure and safeguard web3 and it is my sincerest wish to help a few reach the stars.

1. It is a Long Road

Let me be clear, this is not a get rich quick scheme.

Yes, it is possible to find a $1 Million bug on your first week. Just like it’s possible to win the lottery or 100000x your savings on a random meme coin.

Possible however, does not mean realistic. Hoping to get lucky is setting yourself up for assured failure. A realistic path is one that is very long and requires an extreme amount of work, but it is one that will work regardless of luck.

If you get lucky, fantastic. But do not count on it. Never count on it!

If you’re wondering how, then, it is possible that others seem to appear out of nowhere and make millions, read my previous article.

In reality, most web3 superstars worked between 4000-6000 hours from their starting point before they reached success.

Yet, if you merely do the same as them, you will be sorely disappointed by the results. This is because of first mover advantage.

If we look at the famous @cmichelio, who was able to earn $1 Million in 2021, we can clearly see he is a very hard working, skilled auditor. But he was also exactly at the right time and place, when everyone doing contests was an absolute beginner. To replicate this today with hundreds of seasoned auditors competing on every contest, would be nearly impossible.

Another example would be @bytes032 and @pashovkrum, who both built a private auditing business in 2022-2023 and are now considered titans in our tiny industry.

How did they do this? Through hard work and perseverance no doubt. But this was also aided by the simple fact that there were nearly no competitors. Today there are dozens of companies trying to copy them and market share is hotly disputed.

Do not be discouraged by this. You are not the first and neither am I. And yes, I can’t deny I have thought about how much more success I would have today if I had started 1 year earlier.

But remember that blockchain and the web3 industry are still in their infancy, set to explode and become 100 times larger, so keep this in mind:

Today you are envious of the hundreds that started before you. Start today and there will be thousands upon thousands who will be envious of you for starting so early.

2. Who Are You?

The path laid before you is different depending on your starting point, so I will offer specific advice for the following groups:

  • Those currently not working in IT.
  • Those currently working in IT, but not in cyber-security related fields.
  • Those who are working in cyber-security.

Note: I am assuming you need to work for a living. If you’re still in school or don’t have to work for 3-4 years, congratulations, you can skip this part.

Those currently not working in IT

If you currently don’t have any experience in IT, then your only realistic path forward is to get into IT and gain experience. Not web3, but simply any entry level IT role you can find. Most likely IT support or junior developer.

Web3 security research is a niche within a specialization within a niche. Without a solid foundation and experience in general programming, you have extremely little chance of having any success. The few exceptions that exist had the benefit of starting much earlier, when the level was vastly lower.

I understand very well how frustrating this must sound, because I am You.

Five years ago I was working at IBM in Sales, selling cyber security solutions. I discovered coding and did a bootcamp of 4 months to switch to a developer role.

During my first projects, I was completely lost. I didn’t have imposter syndrome, I was simply faking everything and praying they didn’t find out and fire me. The meager skills I had were completely useless since anything you build uses countless frameworks, has an undefined number of dependencies you never heard of and lives in an environment that is completely alien to you.

It took me close to 2 years to finally start seeing the forest through the trees, after countless hours of learning, building, re-factoring and getting yelled at for making dumb mistakes.

If you’re starting from absolute zero, first spend a few thousand hours becoming a developer. And the best way to do that is to get paid on the job to learn.

Those currently working in IT, not in Cyber-Security

There are basically three options:

  1. Part-time auditing contests
  2. Move to a Solidity/Rust/Go Developer role
  3. Move to a Cyber-Security role

Part-time auditing is the most straightforward option. You simply study Solidity for a few months and then you start an endless grind of contests. It is the quickest path but also the hardest. You need to work 60-70h per week (40h job + 20-30h auditing) consistently for many months and most likely years.

Moving to a Developer role is a more long-term approach. Many of the best auditors today were at some point web3 developers. The better you know the language, the easier it becomes to find weaknesses. This requires building a portfolio, applying to dozens of jobs and then becoming an expert over a few years. It takes more time, and it can be very difficult to get a role since web3 dev roles are hotly contested all over the globe. However, once you get a role, you get paid very well to learn the language at a deeper level.

The last option is to move into a Cyber-Security role. As a web2 whitehat you will learn many skills which will make you a vastly better web3 auditor. The web2 security industry is gigantic and there is an extreme demand for new people, so making the change is not very difficult. A few nice certificates and you’ll easily land a position. Then acquire hacking skills over time and learn Solidity in your free time. This is the slowest approach, but it also has the fewest barriers to success.

Those currently working in Cyber-Security

The advice is very simple. Learn Solidity and grind contests. 😁

3. What to Learn

Unless you are already very skilled in either Rust or Go, the answer is simple:

Solidity

Why? Because 80%+ of all contests are in Solidity and it will remain the dominant language for the foreseeable future.

Since web3 is an emerging industry that still has major volatility, it is best to choose the language that gives you the highest chance of having sufficient work year round.

4. Where to Learn

There are countless courses, guides, videos, CTFs, etc. to pick from, and most will give you a good foundation. But if I’m asked to give one recommendation for what I believe is the most solid, all-around best course to prepare for auditing, then there is only one answer:

Updraft from Cyfrin.

Once you’re done with the course, Stop Learning and start doing contests. Too many remain in an eternal limbo of more courses, more CTFs, more studying. Stop it: no matter how much you study, you will never feel ready, nor be ready.

You simply have to start competing. And yes, the first 5 contests will be extremely difficult, your brain will feel like it is melting, and you will be lucky to earn enough to pay for a coffee for hundreds of hours of work.

That’s normal. That is the Grind.

5. Conclusion

If you’re still reading at this point with shining eyes and a burning ambition to achieve greatness, I salute you!

Think deeply about which path will suit you best, understand and accept that it can and most likely will take multiple years, and start walking.

I’ll be walking a bit down the road, hoping to see some new Stars pass me by.