How to Learn Web3 Security

Becoming a Solidity Smart Contract Auditor

Learning Web3 security

This page has resources that I found useful when learning and leveling up my web3 security skills. I estimate under 1000 people in the world really understand crypto security in depth, so you still have time to get in at the ground level. The biggest cybersecurity conference in the world (focused mostly on web2), DEFCON, sees 30,000 participants each year. Web3 security will need even more security people than normal technologies, so demand will increase as crypto grows.

What’s the pay like?

You can make money on a platform like code4rena as a part-time job or full-time. The top people on code4rena make 6 figures per year.

cmichel, the #1 on the code4rena leaderboard, estimates a $100/hr salary for junior level and $250+/hr for senior security people.

Top audit firms normally pay a set salary, so what path you choose depends on what benefits and tradeoffs you want to prioritize.

If you want to go big, you can try to find security issues in big projects to receive a bug bounty reward of $10 million on Immunefi. If you think this is impossible, Immunefi already paid a $10 million bounty and a $6 million bounty in Q1 and Q2 2022. The Immunefi leaderboard has their full stats.

Where to start

Note: cmichel has a well-regarded guide which outlines a similar process.

Step 1: Learn solidity (1 month)

Step 2: Learn common solidity security issues (1-2 months)

CTFs (Capture the Flags)

Replay Hacks

Other Resources

Step 3: Apply your knowledge & learn more (1-2 months)

Join a learning program for crypto security.

  1. I participated in a 1 month long fellowship with the yAcademy Fellowship. This 1 month program should be held 3-4 times per year and I am now one of the leaders. So obviously I recommend it, but it’s considered to be for “advanced” crypto security people while the other ideas below are easier to apply to.
  2. Secureum bootcamp is another security training option.
  3. Even audit firms like Trail of Bits have an apprenticeship program, and Mixbytes has a training course that is a pathway to join their crowdsourced auditor group.

After accumulating foundational knowledge, you need to apply it to find your weaknesses and what to learn next. Participate in code4rena contests or Sherlock contests. Make sure you spend at least 5 hours per contest for your first few contests if you are looking for security issues. I prefer to spend even more time if I am trying to find high risk issues because it takes time to read all the code, understand what the protocol is trying to do, and then find problems with the code. Even if you don’t find much, you get paid if you find anything.

Step 4: Test and grow your skills

Common Mistakes to Avoid

Happy Hunting