Smart contracts are self-executing programs that are programmed to run commands on meeting certain conditions. Think of smart contracts as transparent on-chain “rules” for moving funds. Because they are governed by codified logic, smart contracts execute code exactly as programmed, even if it leads to undesired behavior. For example, code errors can lead to lost or frozen funds. In 2022, the crypto industry lost $3.8 billion to hacks, a large share due to exploits of smart contract errors.
That’s why it’s a good idea to only use smart contracts with a long track record of successful operation as well as contracts that were audited by knowledgeable and experienced developers.
What do we mean by “audit?” A smart contract audit is a security process where a trusted third party reviews and analyzes the codebase to detect and resolve errors and loopholes that may escalate to unintended behavior. For example, blockchain security auditors like Hacken study a smart contract code to detect and document all security issues.
Responsible auditors always follow auditing standards for consistent results. They collaborate with developers to understand the project and assess its code for vulnerabilities. Auditors conduct different kinds of tests, including automated and manual testing, to pinpoint bugs and errors in the code. The focus is on verifying security issues through manual review, and upon completion, a detailed report is provided to the development team with recommended patching approaches.
Smart contract programming language. First of all, it is important to know the details, vulnerabilities, and advantages of a smart contract language. Regardless of whether it is Solidity, Rust, or Vyper, you must be able to write and analyze unit tests.
Smart contract tools and resources. Knowing when and how to use automated tools is an important aspect of smart contract auditing and can help you identify potential vulnerabilities in the code more efficiently and effectively.
Communication. Auditors need excellent communication skills, including writing clear and concise reports and explaining technical concepts to non-technical stakeholders since they’ll deal with non-tech people.
Step 1: Blockchain and smart contracts 101
Step 2: Programming experience
Step 3: Smart contract security best practices
Step 4: Get auditing experience
Step 5: Stay up-to-date
Step 6: Obtain certifications
Before we get into the details of each step, let’s first hear from one of Hacken’s members, Seher Saylik, about her path to becoming an auditor.
tl;dr: After purchasing my first coins, my interest in crypto was ignited and I became increasingly passionate about the industry. This led me to transition from web development to becoming a dApp developer for almost two years, and eventually a smart contract auditor.
—Seher Saylik, Hacken Smart Contract Auditor
Hacken auditors provided the following recommendations for individuals interested in pursuing a career as a smart contract auditor.
While the position of a smart contract auditor differs from a blockchain developer, you must have deep knowledge of blockchain technology and cryptography. Learn about security vulnerabilities at all levels of blockchain architecture. Pay the most attention to the blockchain application layer and token standards.
To analyze and review someone else’s code, you must know how to write it yourself. Being a smart contract auditor means you know how to write smart contract code. Our Smart Contract Auditor, Davi Coelho, provides a brilliant introduction to smart contracts and the Ethereum Virtual Machine.
Dive into Johnny Time’s smart contract auditing course and get a 15% discount as a Hacken blog reader. Covering 319 videos and 50 exercises, it provides thorough insights on key topics like EVM, Flash Loan Attacks, Oracle Manipulation, Reentrancy Attacks, and more.
Computer programming. Whether in college or self-taught, you must learn computer programming. After all, a smart contract is a piece of software you control with programmable commands. You must be confident in one or more of these languages: Java, C, Python, Go, Ruby, C++, JavaScript, and PHP.
Smart contract programming language. You should understand different data types and know how different programming models (structural, modular, and object-oriented) work. This way, it will be easier to master a new programming language for smart contracts, such as Solidity, Vyper, or Rust.
Experience in software development. A few years of experience in software development is often a must unless you look for a trainee job. Even in that case, you must know the basics of software development, debugging, version control, and QA.
The switch. Most auditors were developers at some point. Switching from something like web development to blockchain development is a monumental step in your career. However, once you accumulate months or even years of experience creating smart contracts and decentralized apps, transitioning to a smart contract auditor is easier.
When is the right time to make the switch? You may want to choose between development and auditing or even try both roles. At the end of the day, it all boils down to your personal choice: are you more passionate about creating decentralized apps, or do you feel like making Web3 safer by ensuring Web3 projects deploy secure code? That’s your choice to make.
Smart contract security is about detecting issues that may lead to undesired behavior. For that, you have to know vulnerabilities and how attackers exploit them to steal funds.
The most authoritative resource on smart contract code issues is the SWC Registry.
I would recommend going through all of the SWCs to understand current Solidity vulnerabilities.
Seher Saylik, Hacken Smart Contract Auditor
Our Most Common Smart Contract Vulnerabilities article explains external calls to arbitrary addresses, checks-effects-interactions pattern violations, reentrancy, missing validation or input validation violations, flash loan attacks, inconsistent data, and floating pragmas.
For writing code, follow the official Solidity documentation to get started. OpenZeppelin provides a comprehensive Solidity library used by many developers that will show you how to write smart contracts.
However, it’s not enough to write smart contract code. You must know how to review it for security. For best practices, see the EEA EthTrust Security Levels Specification, an industry-wide effort to establish common auditing standards.
It’s time to get your hands dirty and find vulnerabilities in the codebase of Web3 projects. Smart contracts are public, so you’ll have no trouble locating them using a real-world example from your favorite DeFi project.
If you don’t know where to start, look through Hacken’s audit reports and try to emulate our specialists’ steps. A smart contract audit contains the following key processes:
Carefully understand the code. Start with specifying functional requirements. In other words, keeping in mind the business logic, describe what each function is supposed to do. Identify key privilege roles too.
Framework. You can write unit tests in different languages/environments: Hardhat (JavaScript), Truffle (JavaScript), and Brownie (Python).
I strongly recommend you follow the Hardhat stack. It’s the most complete framework today and will help you a lot as a blockchain developer.
Davi Coelho, Hacken Smart Contract Auditor
Davi “strongly recommends” Hardhat; still, the choice is yours.
Testing. You need to practice writing unit tests. Unit tests play an important role during the implementation of a project. Their purpose is to catch initial errors and ensure that the mechanism of the system’s operation is implemented as desired.
Line-by-line review. This is where all your knowledge enters the stage. You have to examine every line of code and outline each identified problem. Try to match the found issues with those outlined in SWC, as well as possible data manipulations, access violations, and flash loans. To take things one step further, you have to verify that the code adheres to code-style guides and industry best practices that you’ve learned from previous stages.
External tools. You’ll also need to learn automated tools for smart contract auditing. The most popular include Mythril, Slither, Manticore, Oyente, and Securify. However, don’t get a misleading picture that automated tools would do everything for you. You must have the expertise to verify that the tool has done well. Here is a great thread from our Head of Smart Contracts Audits, Yevhenii Bezuhlyi, on using GPT-4 in auditing.
Another thing I would recommend is staying up to date with the language and the networks you’re developing/auditing because every version update will have different vulnerabilities. Blockchain is a fast-growing field. Therefore, you should follow new version releases, network updates, and network improvement proposals.
Seher Saylik, Hacken Smart Contract Auditor
Adding to Seher’s advice, we recommend becoming a member of an open-source community by contributing to a development environment, smart contract library, tool, or language. Being an active part of the blockchain community is vital to growing as a specialist. Join the Ethereum community or any other network for that matter. Moreover, subscribe to the Hacken blog, where we post insights straight from Hacken auditors.
While certification is optional, it will make your profile more attractive to potential employers. For example, Hacken auditors have the highest number of CCSS, CEP, and CBP certifications from the C4 among all blockchain security companies. While C4 produces outstanding certifications and standards, as our L1 Auditor and Researcher Bartosz Barwikowski explains at ETH Denver, you may go for other options, such as CBSP and CSCD.
Following these steps may give you a head start on the job market.
When updating this article, we had two open positions: Trainee Solidity Smart Contract Auditor and Rust Smart Contract Auditor. Both are full-time and fully remote. Go to the websites of other blockchain security companies and see their available positions. This is the best way to find a job, as top players in blockchain security are always looking for new talent.
The exact figure depends on your prior experience, position level, work arrangement, and region. For example, the US has the highest salaries, averaging $130K per year. In Europe, the average income per year is $70K. As a freelancer, your hourly rate ranges between $30 and $80. Veteran auditors with strong references may charge up to $120 per hour. Setting up a winning account on a freelance platform is time-consuming and doesn’t guarantee results.
That’s why many Web3 developers, including auditors, choose platforms for crowdsourced security. Indeed, Web3 projects can pay you money for reporting bugs in their codebase. Take a look at rewards for finding different levels of vulnerabilities inside the five smart contracts of NEAR Protocol at HackenProof. Bounties allow you to monetize your auditing experience, and your pay depends entirely on your successes. Most auditors have profiles on bug bounty platforms, treating them as another source of income. It is also a great entry point to try out your skills.