How to become a Smart Contract Auditor


One of the fundamental technologies behind cryptocurrency is the self-executing smart contract. These pieces of code store, on the blockchain, the terms agreed between the parties to a transaction and execute them. There are both straightforward and complex smart contracts. Straightforward smart contracts are used only for simple transactions, e.g., sending currency from wallet A to wallet B, while complex smart contracts have multiple participants, conditions, and outcomes, such as sending assets across chains.

Developers who create smart contracts sometimes unwittingly make mistakes and leave vulnerabilities that can be exploited, leaving the funds on a chain open to attack. Because of this, the need for smart contract audits, and therefore for smart contract auditors, has seen a massive increase.

What is a smart contract audit, what is its importance, and how is it conducted?

A smart contract audit is the process wherein an auditor reviews the code of a crypto or blockchain project, among other things, for security issues, bugs, and errors that could expose the system or its users. There are various companies, like Hacken, that offer blockchain cybersecurity services to tier-one crypto projects to bolster their security.

A smart contract audit allows projects to address vulnerabilities in their code, including critical ones, that, when exploited, can result in a large volume of assets being lost. According to Chainalysis, cryptocurrency theft reached $3.2B in 2021, +516% vs 2020. In 2021, 49% of all crypto hacks were attributable to code exploits and flash loan attacks. According to Immunefi, there were almost 150 hacks recorded in 2021 (123 in 2020). Thus, close to 70 projects were compromised due to vulnerabilities or mistakes in smart contracts. In DeFi, 69% of all hacks were attributable to vulnerabilities in smart contracts. As a result of hacks, projects also experience reputational collapse and sharp price drops.

This tendency has created the need for consistent reviews of code to ensure the security of projects and their users’ funds. 

Smart contract security audits are conducted using a set of standards and procedures. The smart contract audit process depends on the scope and size of the project. Generally, an auditor or team of auditors will follow a few standard steps:

  1. Specifications

The team will assess the project’s documentation to get a better understanding of the project and its intended use cases, architecture, and design. Collaboration between the auditor’s and project teams is essential so that auditors can gain a complete understanding of contract functions and an explanation of how the contracts should work together. 

  2. Checks

Check the project’s code against the standard list of vulnerabilities. Auditors launch a set of typical attacks against the project to see if any of the attacks could be successful. After this, the severity of vulnerabilities is determined and the project can realize whether there are any immediate points of concern that need to be addressed. 

  3. Testing

The audit team then conducts different kinds of tests to pinpoint bugs and errors in the code. These tests can range from unit testing, targeted at certain functions, to integration testing, which is broader in terms of scope and volume of code. Usually, both automated and manual testing are used to check a project. If the audit team sees a large number of failed tests, a temporary pause might be suggested if significant changes need to be made to the codebase.

Automated testing is conducted using special software to identify the inputs and outputs of financial assets in the project. These tools make it easier for the team to monitor what happens inside the project, making it easier for the auditing team to locate common hurdles. Some of the tools auditors generally use are Manticore, Solium, SmartCheck, and others. Also, by letting software handle the easy, monotonous tests, auditors can focus on more complex problems.

Manual testing is conducted when automated tools can no longer interpret the developer’s intentions. A quality auditing team will take in all of the specifications and then determine whether everything is working as intended. Upon detecting any bug, they will notify the development team and provide recommendations on how to fix the issues.

The primary focus of manual review is to verify the security issues that pose the biggest threat to the long-term operation of the smart contracts.

  4. Reporting

When the audit is complete, the auditing team provides a detailed report specifying all the checks that have been performed and the findings thereof. Collaboration with the development team can also be done so that they understand all detected issues and recommended patching approaches. 

What should a smart contract auditor know? What courses can be taken?

Smart contract auditors review the code of a crypto project to ensure there are no vulnerabilities. Auditors need a deep understanding of how blockchain technology and coding work, mainly because they need to interpret someone else’s code and know how its shortcomings can lead to vulnerabilities or entry points in smart contracts.

To read code, an auditor must understand it, and programming is the best way to learn this. A good place to start as a beginner is by doing courses on JavaScript because it’s well documented, beginner-friendly, and its syntax is close to Solidity (the language used to code smart contracts on Ethereum). Skills in JavaScript can also open the door to other career paths like front-end/back-end development.

If you already know how to code then the next point is to start learning some blockchain and Solidity fundamentals. Future auditors should be asking themselves “How do blockchains and smart contracts work?” A good starting point is to read the Ethereum documentation and do courses on fundamental blockchain technology. 

After gaining the necessary theoretical knowledge, those who want to start coding smart contracts in a real environment can check out Remix IDE and OpenZeppelin. Becoming deeply knowledgeable about the most commonly used smart contracts and how they work is essential to being able to find problems with them. Auditors should also be aware of the most prevalent vulnerabilities and methods used to attack smart contracts. Some of these include reentrancy attacks, timestamp dependence, overflow and underflow attacks, gas-related vulnerabilities, and costly loops.

At the end of the day, practice and experience are extremely important factors. There’s no better way to combine learning Solidity with learning about Ethereum security than solving CTFs (Capture The Flag challenges). CTFs are security challenges where vulnerable code is presented and players need to write a smart contract that exploits the vulnerability. Also, participating on GitHub and working on open-source projects is a good way to learn and gain real experience in a development-like environment.

An added benefit could be to learn some finance basics, as auditors regularly work with decentralized finance (DeFi) platforms that use a lot of traditional finance terms. Places like Khan Academy and Coursera can teach the basics and terminology of finance concepts. With the majority of smart contracts written in Solidity, most opt for this language, but as more chains come about it might be necessary to expand your repertoire of languages. For example, Cardano uses Haskell and Solana uses Rust and C++.

Where to get real experience as a smart contract auditor?

To gain some real experience, one can start participating in bug bounties on HackenProof or audit contests on Code4rena. Contests vary in size and scope, with some granting prizes of $70,000 for submitting the winning finding. Contestants can be anonymous, but many developers get jobs through winning bug bounties, and they also look good on a CV.

What tools are needed to audit smart contracts?

Some auditors don’t use any tools that directly perform vulnerability analysis. A well-recommended extension is the “Solidity Visual Developer” VSCode extension that highlights storage variables and function parameters.

However, some software packages that are used are:

  • Manticore
  • Solium
  • SmartCheck
  • Oyente
  • Slither

Another is Mythril, which can be used for detecting integer overflows and underflows. Etherscrape is used to scrape live Ethereum contracts for reentrancy bugs where send() is being used. There are also decentralized auditing platforms like Bountyone that bring together companies and freelance auditors when tools aren’t enough.

Where to find a smart contract auditor job?

As the crypto industry experiences a massive growth spurt, new crypto-specific job sites have appeared to connect talented individuals with the Web 3.0 world. After gaining the necessary skills (which isn’t a walk in the park), potential auditors can look on Web 3.0-specific job boards to find auditing jobs.

The top 3 job search sites in blockchain and Web 3.0:

  1. Crypto Jobs List

It is the biggest platform for finding and posting jobs at Web 3.0, cryptocurrency, and blockchain companies. Since 2017 it has been the go-to hiring resource for over 2,000 leading cryptocurrency, DeFi, and NFT companies, such as Ethereum Foundation, ConsenSys, MetaMask, OKEx, Huobi, Parity Technologies, Argent wallet, Status.im, PayPal, GameStop, and others.

  2. Crypto Jobs

The platform is used by more than 1,000 crypto companies to find talent. It is trusted by BlockFi and the Cardano Foundation.

  3. Cryptocurrency Jobs

This platform has been connecting people to the crypto industry since 2017 and has posted more than 8,000 job ads from over 1,000 companies.

What is the salary of a blockchain smart contract auditor?

Generally, hourly rates for auditors are determined by their experience and the complexity of the problem they solve, but roughly:

Junior: $100/h

Experienced: $100-$250/h

Top Auditors: $250-$1000/h

Companies like Chainlink Labs offer salaries between $100k and $150k per annum. 

There is also the opportunity to make money by participating in bug bounties and industry competitions. 

Can’t find much info on the auditor’s job and salary? Hacken will provide you with all the necessary information.
