The Smart Contract Hacking Course: 25 things about me
Want to be a smart contract auditor? Contact me for learning paths, advice and real-world challenges by email at aitor.zaldua@draftdigital.xyz or in X as @azdraft_.
There are goals and milestones of all kinds. Climb a mountain, swim across a lake, win a hot dog eating contest. I told you so, all kinds.
My latest personal goal was to take and complete JohnnyTime’s Smart Contract Hacking course. And I say “was” because, yes, I completed it.
Blood, swears and tears were spilled, but the goal was finally achieved. Good for me!
And there is this funny thing that the influencers do when they achieve something big, like 100k subscribers or opening a new channel on Twitch: a 25 things about me. And since in this case I’m not the influencer, but the course itself, let’s do a “25 things about the Smart Contract Hacking course you always wanted to know but were afraid to ask”.
I will try to gather the most accurate and objective information, not only from my own experience but also from what other colleagues who have done or are doing the course have shared on Twitter… oops, on X, or on Discord. I hope that all this information will be useful to all those approaching the web3 security career and especially to those who are interested in doing the course.
All set… let’s go!!!
- What is this?
It is the Smart Contract Hacking course. A complete course where you will find the most common and uncommon vulnerabilities in the web3 ecosystem. There are also a few chapters about tokens (ERC20 and ERC721) and DeFi (DEX, AMM,…).
- Who is behind it?
The course is run by @RealJohnnyTime, a well-known figure in the security ecosystem. I think he’s a really good communicator and it was easy for me to follow, but this can be personal for everyone. So the best way to find out is to check out his YouTube channel. You can watch a few videos and see if the way he communicates is a good fit for you.
- What does it cost?
It will probably change a bit with promotions, new content or because the ecosystem evolves, so better check the website. But there are a few collaborators with discount codes, for example @KrisApost1, @0xOwenThurm, James Lim or Bloqarl.
- How long is it?
There are 377 videos and 52 exercises in total. The theory videos are usually between 3 and 10 minutes long and the exercise solution videos are usually between 20 and 30 minutes.
- Are there any extras other than the videos?
As usual, there is a discord community. The good thing about the security discord communities is that they are fairly new and really focused on the subject. Sometimes I feel in other web3 communities (mostly developers) that there are a lot of people just trying to jump into web3 because of the salary. This is very annoying. At least at the moment this is not the case. Another really good thing is that @RealJohnnyTime does live audits with the community from time to time. We can talk to him and other colleagues and discuss our own findings. For example, check out this one about the Codehawks Stable Coin Contest.
- How difficult is it?
“It’s not a sprint, it’s a marathon.” We’ve heard this line before, but it’s perfect to describe the course. It is not hard because you cannot understand the concepts or the exercises; it is hard because it is long and requires a lot of attention every day.
If you have already decided that this is your way, this course is perfect. If you are in doubt between web3 security and gardening, just wait a little and continue digging in your preferences.
- How much time will I need to finish?
About 3 months, 4 hours a day. Watch the theory videos, supplement them with more online information, try the exercises at least for 1/2 days before checking the solution, participate and help your colleagues in the discord channel,… think of it as a university degree.
You can probably reduce the time if you are fully dedicated to it and have no other responsibilities. Everyone is different!
- And if I already have a job?
Yeah, I know, this is where it gets tricky. When you have a full-time job or other responsibilities, any change is like moving the Titanic to avoid the iceberg. But you can do it if you stay focused. Don’t set a deadline, ask a lot of questions in discord to gain time,… I’m not going to tell you it’s going to be easy, but I know teammates in the same situation and they’re managing to succeed.
- Do I need any prior knowledge?
Yes, you do. I think you need at least an intermediate level of Solidity. If you have zero knowledge of Solidity, I recommend you take one of these 2 courses before starting: Alchemy University Bootcamp or Patrick Collins Solidity Course. The course uses the Hardhat framework. You need to understand what a development framework is and what a test is. These tests are written in JavaScript in Hardhat; try this scaffolding if you don’t have knowledge of JS.
- What about the language?
The whole course is taught in English and only in English. I think anyone with an intermediate level of English can manage, but of course it is better to check for yourself. Again, go to @JohnnyTime’s YouTube channel, watch his videos and see if you understand him well enough. The community is full of people from all over the world who will be happy to help you with any translation issues you may have.
- Do I need to add any additional knowledge during the course?
Yes, you do. You will need to improve at each level: advanced Solidity, frameworks like Hardhat and Foundry, and vulnerability reports. You will learn a lot of things, but the ones I mentioned are up to you. So yes, a full marathon my friend, being a web3 security researcher is not a walk in the park.
- What is the list of skills I will have at the end of the course?
We love the section on your CV that is labelled “Skills”. OK, let’s see: Solidity developer, experience with Frameworks, very good knowledge of DEFI protocols, very good knowledge of ERC20 and ERC721 tokens and, of course, experience in finding attack vectors and pentesting. Not bad at all, right?
- Could I get the same knowledge online without attending the course?
You can be a brain surgeon by watching videos on YouTube, there are probably live surgeries on Twitch, so yes, you can be a security researcher on your own. You will probably have to do a lot more work, like everything else in life, do your own research, etc... Sometimes it is difficult to simply know where to start and sometimes we end up going around in circles and wasting time. If you feel this way, it is better to take courses like this one, where you are focused from the beginning.
- Is there a deadline for completing the course?
I remember all those exams in February and June to finish the courses at university. Luckily that’s over and with online training we can do it at our own pace. Take YOUR time, a month or a year. If you have access problems because you haven’t logged in for a while, just contact @RealJohnnyTime on discord or X.
- Am I too young/too old to do the course?
Don’t even think about it. There are people under 18 and over 50 on the course, so if you want it, go for it.
- Will I get a certificate or diploma?
@RealJohnnyTime is currently working on an exam and certification. Obviously it is a very complicated task but we expect it very soon. Personally, I am very curious and excited. I will update this question when the certification is available.
- Does the course cover 100% of web3 security?
The course covers the EVM compatible blockchains, i.e. 90% of the ecosystem, including Ethereum, Optimism, Polygon, BNB chain,… It does not include other non-EVM such as Solana, Cosmos or Near.
- Do I have to continue learning at the end of the course?
Yes, you do. A security researcher is, after all, a researcher. You need to learn new attack vectors almost every day, check news channels and social media to improve yourself every day. The networking you have done during the course is very important to keep up to date with new discoveries.
- Can I meet some of the students on the course?
There are team members who are creating content that perfectly complements what we learn in the course. Get to know shealtielanz, @KrisApost1, @HackAndDo, @yongtaufoo123, @TheBlockChainer, @0xOndrejJuda, @talfao1, @maueth_, and more that I am probably forgetting now. And, of course, find me on @azdraft_
- And the other teachers?
You probably already know them, but you didn’t know it. They are: @0xOwenThurm, @trust__90 and pashov. The really good thing is that you can contact them both, students and teachers, and they will all be very friendly and help you with whatever you need.
- How hard is it to be a security researcher/auditor?
It is somewhere between being an astronaut and an NFL quarterback. Don’t think it’s easy or free money. It is very complicated, it requires a lot of work every day and involves a lot of responsibility.
- When can I take part in the audit competition?
As soon as you have completed the course. And even sooner. For example, a teammate recently said that he started a couple of competitions in the middle and was able to find some vulnerabilities and learn others. And when he came back to the course, he recognised some attack vectors. So it’s easy to start with competitions, maybe you don’t find vulnerabilities at the beginning, but with practice you will.
- When will I be able to get a job in a company?
This is more complicated. Think about a university degree. After 4 years of study, how many companies are willing to give a job to a new graduate with no experience? Get some experience, build your network and start meeting companies. For example, check out the Encode Club job fair. I went to the last one and it was an amazing experience with lots of people from the industry.
- What are the chances that web3 will eventually be adopted by traditional financial systems?
99.99%. It is all about the technology. It is perfect for the financial system and remember we are using the same technology in this industry as we did in the old sixties. In addition, Paypal, the BCE and the Brazilian Central Bank are already working with their own stable coins. It is not a question of if, but when.
- Were you completely honest in your answers?
100 %. This is a whole new world and we have to explore it together. People here are always honest, friendly and helpful. You don’t have to tell stories to achieve something or any of that nonsense that happens in traditional jobs. If you have a question, ask. If you need help, ask for it. Carpe Diem. This is a unique and exciting place.