How to become a Smart Contract Auditor in 2023

Aitor Zaldua
4 min read · May 3

Want to be a smart contract auditor? Contact me for learning paths, advice and real-world challenges by email at aitor.zaldua@draftdigital.xyz or on X as @azdraft_.

In 1905, Albert Einstein proposed the Special Theory of Relativity, stating something that is now common knowledge: Time is relative with respect to space and, in general, to the environment that contains it.

This is extremely true with respect to Blockchain technology. Like the Big Bang, our beloved ecosystem undergoes a meteoric evolution, and a time span of as little as 6 months represents a thousand years of evolution for the universe.

And it is precisely 6 months that have passed since I wrote an article talking about ‘How to become a Security Smart Contract Engineer’, so it is time to review the current state and how that “how to become” process has evolved. There are many things I learned, many things that changed, and a new resource was added: the Smart Contract Hacking course.

Why it feels this course will be different

I am going to start collaborating with a platform to create courses on smart contract development and Solidity, and the first thing you notice about the platform, and it is similar to others, is that everything is a mess. Yes, plain and simple. Under the heading “Blockchain”, we can see courses on trading, the history of Bitcoin, Ethereum for beginners, build your own app… this is crazy. If you want to learn JavaScript, you don’t learn the history of Bill Gates and MS-DOS programming, right?

If you want to be a Blockchain engineer there are 3 paths: Full Stack Blockchain Developer, Smart Contract Developer and Security Auditor. We need schools for each of these 3 paths, and this is something that is finally available: the JohnnyTime Smart Contract Hacking course follows one of these paths, to become a Smart Contract Auditor. No more, no less. And the syllabus is very explicit:

Focused 100% on vulnerabilities and auditing. I’d love to know how they teach vulnerabilities, and whether they’ve added Foundry or Hardhat testing or something similar. I’ll probably ask Johnny, and I’ll update Medium with his answer.

Who is behind this course

The second thing that is clearly evolving is that we now have references. One of my favourites is Patrick Collins, of course, a standard bearer in the industry, but we can also follow some of the most important rockstars in the auditing career. People like tincho, rajeev or cmichel are very nice and are constantly sharing information and knowledge. But a clear reference in the area of teaching is very much needed, and I have the feeling that this is JohnnyTime’s favourite field: being a teacher, an instructor, a mentor.

And we need these kinds of profiles. Sometimes it is difficult to follow the gurus, and we need instructors and experts in conveying knowledge in an accessible language. Johnny is one of them, a professional communicator. You can also follow him on YouTube, Twitter and, of course, Medium.

This is also my case. I love teaching and transmitting everything I learn.

But he is not alone. Other industry personalities like pashov, trust, Owen and bytes031 participate. Like the new Dream Team. I follow them all on Twitter and I recommend you do the same.

The job opportunities

This is going to be easy:

Yes, pashov will be in the hall of fame of smart contract auditors when he retires, but it is only a reflection of the current state of security in the blockchain. There are many opportunities for all profiles and at all levels. You can work alone or in a team, starting as a junior.

Remember that you can work with all the CTFs at your disposal, like Ethernaut or Damn Vulnerable DeFi (you can find a lot of solutions on my Medium). You can use Secureum to learn and practice on their RACEs, and you can try bug bounties or apply to security companies, which always have open jobs, like OpenZeppelin.

I am really intrigued by this training and hope to be able to do it. If so, I will continue with my articles and reports on it as I go along. Once the course training has been completed, the focus should be on auditing, then auditing, then auditing.

Start by sending reports to Code4rena or Sherlock with improvements in gas consumption; the next step is to perform a full audit, with functionality and vulnerability testing, fuzzing, invariant…

If you want more information about the career, ask Johnny or visit the website.

Aitor Zaldua

Security Researcher | Smart Contract Dev | Blockchain Instructor. Follow me on Twitter: @azdraft_