Getting started with web3 security can be a daunting task! There are lots of things to check out, learn, read, and do. Your first challenge is to overcome the analysis paralysis and actually get started.
So where do you actually start? Do you dive into bug bounties and code4rena? Do you read all the links in all the roadmaps? Do you dive deep into a boot camp like Secureum?
I'm not going to tell you which resources or activities to focus on. At least, not in this post. Instead, I'll try to give you a compass of sorts, a more high-level way of figuring out if what you're doing is what you need to be doing.
The Two Pillars of Becoming a Web3 Security Specialist
When we talk about breaking into the realm of web3 security, I feel like things fundamentally boil down to two key pillars: Foundational Knowledge and the Attacker Mindset.
Foundational knowledge is the bare bones "how do things actually work" type of knowledge that's instrumental to the web3 security process. It's security agnostic in that it's just about how things fit together. It's also incredibly important to nail down, because it allows you to fully comprehend how a smart contract works.
A good goal is to build an understanding of DeFi and smart contracts that matches or even exceeds 80% of the smart contract developers.
Understand Deeply - This is one of the core lessons of the book "The 5 Elements of Effective Thinking". The authors note that what sets experts apart from amateurs is their mastery of the basics.
In security, a deeper understanding will mean you know exactly how the EVM works such that when a developer makes a reasonable but false assumption about how things work, you'll be there to catch it!
What would happen if you took an elite web2 hacker and gave them a smart contract? My guess is that they would tear it apart and find lots of interesting bugs. This is because they've built up the mental machinery of taking a piece of software and looking at it from lots of different perspectives. Perspectives that the developers of that software haven't considered. Perspectives that make potential issues look obvious.
Building the attacker mindset is all about building the mental tricks of playing with an idea or a piece of software and being able to see the issues that the developers missed.
🧰 In "How to Solve It" the author describes a similar phenomenon in mathematicians. He uses a simple puzzle on which mathematicians take a unique and effective approach, because of the tricks they've picked up as they solved more and more math problems.
Unfortunately, it's difficult to rely on the attacker mindset. There is no universal set of thinking patterns that you can build. Neither is it possible to build an infallible attacker mindset. Each person will build their own tricks and perspectives (which is why you always want multiple auditors). Building an attacker mindset isn't a fast approach to becoming a good security researcher. It takes time and practice.
The Two Pillars in Practice
In a way, security research is all about asking (the right) questions.
Here is an example (fictional) dialogue that demonstrates how a security researcher applies foundational knowledge & the attacker mindset to ask the right question and to answer the questions quickly:
- This piece of code seems to liquidate a position with an incentive for the liquidator to pay out of the treasury.
- Q: If the holder of the position doesn't pay for the incentive, then would I make a profit if I liquidated my own position? (attacker mindset)
- A: Yes (code understanding)
- Q: Cool! Can I make this profit instantly? (attacker mindset)
- A: Sort of. You have to use two transactions. One to open and the other to close. (code understanding)
- Q: Hmm, do I run the risk of someone interfering? (attacker mindset)
- A: Yes! Someone can interpose. (foundational knowledge)
- Q: Can I avoid this? (attacker mindset)
- A: Yes! A flashbots bundle will reduce the risk of someone interposing our attack. (foundational knowledge)
Getting There - Becoming a Web3 Security Specialist
So how do you actually work on these two pillars?
Remember, building out your foundational knowledge is about building a thorough understanding of smart contracts and the environment they operate in.
To start building here, you're looking for your traditional sources and activities. Read a bunch of blog posts (tip: there is a variety of roadmaps available online that give you lots of awesome resources). Build a project that involves various areas of the space (for example: build a tool that might benefit auditors or developers). Follow a course or other compilation of content that dives deep into a specific topic.
⚠ Don't make the mistake of sticking to "security" focussed resources only. Your foundational knowledge is foundational.
The attacker mindset is probably what you're most interested in!
Building the attacker mindset will involve deliberate practice, which means you've got to get your hands dirty! CTFs are a useful tool to get some practice in. However, more recently, code contests have proven an almost perfect way of implementing deliberate practice.
Here is how you should tackle it: Participate in a code contest and try to find as many bugs as you can. Then wait for the final report to come through. Now, look for the things you missed and analyse those issues thoroughly. Make notes for each issue and formulate how you'll change your approach to ensure you'll catch this issue in the future.
This last part works best when you've made an attempt at auditing the codebase yourself before analysing what others have found. That said, it's still worthwhile to read audit reports and bug reports with the same approach: analyse & make your own. Each time you read an issue report, try to distil the issue and figure out what core idea/perspective helped the security researcher find this issue. Once you understand how the researcher found this issue, you can make that way of thinking part of your own toolbox!
Paths and Quests
To help put these high-level recommendations into practice, I've published the following:
🛣️ Path - The Ultimate Path to DeFi security research
This path contains various bite-sized ( you can do them in a couple of hours ) quests. Each quest is designed with these two pillars in mind, providing you with a balance between foundational knowledge and the attacker mindset.
This is a great place to get started once you've finished reading this article.
Staying There - How to keep on top of things
At some point, you'll have made it. You'll have the foundations under your belt and a laser-like attacker mindset. It's important at this point to keep putting in the work to stay on top of your game!
It's important to always keep exploring; there are always new things popping up that are worth learning about. Take a deep dive into zero-knowledge tech, or learn about fuzzing. Whatever you pick, focus on building a deep understanding.
Example: When you're playing around with fuzzing, dive deep and learn about how fuzzers are put together. Maybe even build your own!
You'll build a very good understanding that will empower you to use fuzzers much more effectively than someone who's only played around with fuzzers a bit. You'll know what fuzzers are good at and what they suck at. You'll find opportunities to use fuzzers where you would've otherwise gotten stuck and given up.
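To make both of these points concrete, here is an added example (not code from the original post, and not modelled on any real protocol): a toy lending market that acts out the liquidation dialogue from the "Two Pillars in Practice" section, plus a minimal fuzzer of the kind the paragraph above suggests building yourself. The market, the account name "attacker", the 150% collateral ratio and the 5% bonus are all constructed for illustration. The flawed variant pays the liquidation bonus out of the treasury, so the position owner keeps their leftover collateral and can pocket the bonus by opening a position and liquidating it themselves in a second transaction; the hardened variant carves the bonus out of the liquidated position's collateral, so the owner is the one paying it and self-liquidation nets nothing. As an assumption to keep the two-transaction sequence self-contained, the liquidation threshold is inclusive, so a position opened at exactly the minimum ratio is liquidatable immediately without any price move.

```python
"""Toy lending market (constructed for this example, not a real protocol)."""
import random
from dataclasses import dataclass, field

BPS = 10_000
MIN_OPEN_RATIO_BPS = 15_000   # need collateral >= 150% of debt to open
LIQ_RATIO_BPS = 15_000        # liquidatable when collateral <= 150% of debt (inclusive, by assumption)
INCENTIVE_BPS = 500           # 5% liquidation bonus, measured on the repaid debt


@dataclass
class Position:
    owner: str
    collateral: int
    debt: int


@dataclass
class LendingMarket:
    # True: bonus is paid from the treasury and the owner keeps all leftover
    # collateral (the flawed design from the dialogue).
    # False: bonus is seized from the position's collateral, so the owner pays it.
    bonus_from_treasury: bool
    treasury: int = 1_000_000
    balances: dict = field(default_factory=dict)
    positions: dict = field(default_factory=dict)
    next_id: int = 0

    def open(self, owner: str, collateral: int, debt: int) -> int:
        """Tx 1: lock collateral and receive the borrowed amount."""
        if collateral * BPS < debt * MIN_OPEN_RATIO_BPS:
            raise ValueError("insufficient collateral")
        if self.balances.get(owner, 0) < collateral:
            raise ValueError("insufficient balance")
        self.balances[owner] += debt - collateral
        pid = self.next_id
        self.next_id += 1
        self.positions[pid] = Position(owner, collateral, debt)
        return pid

    def liquidate(self, liquidator: str, pid: int) -> int:
        """Tx 2: repay the debt, receive collateral plus the bonus. Returns the bonus."""
        pos = self.positions[pid]
        if pos.collateral * BPS > pos.debt * LIQ_RATIO_BPS:
            raise ValueError("position is healthy")
        if self.balances.get(liquidator, 0) < pos.debt:
            raise ValueError("liquidator cannot repay the debt")
        del self.positions[pid]
        bonus = pos.debt * INCENTIVE_BPS // BPS
        self.balances[liquidator] -= pos.debt            # repay on the owner's behalf
        if self.bonus_from_treasury:
            seized = min(pos.debt, pos.collateral)       # only the repaid amount is seized...
            self.treasury -= bonus                       # ...and the treasury funds the bonus
            self.balances[liquidator] += seized + bonus
        else:
            seized = min(pos.debt + bonus, pos.collateral)  # bonus is part of the seizure
            self.balances[liquidator] += seized
        # whatever collateral is left goes back to the position owner
        self.balances[pos.owner] = self.balances.get(pos.owner, 0) + (pos.collateral - seized)
        return bonus


def self_liquidation_profit(bonus_from_treasury: bool, collateral: int, debt: int) -> int:
    """Net balance change for an actor who opens a position and liquidates it themselves.

    Raises ValueError when the position cannot be opened or is not liquidatable.
    """
    market = LendingMarket(bonus_from_treasury=bonus_from_treasury)
    market.balances["attacker"] = collateral
    pid = market.open("attacker", collateral, debt)
    market.liquidate("attacker", pid)
    return market.balances["attacker"] - collateral


def fuzz_self_liquidation(bonus_from_treasury: bool, iterations: int = 2_000, seed: int = 1):
    """Minimal random fuzzer for the invariant 'self-liquidation never pays'.

    Returns the first (collateral, debt, profit) triple that violates it, or None.
    """
    rng = random.Random(seed)
    for _ in range(iterations):
        debt = rng.randint(1, 1_000_000)
        # bias inputs towards the liquidation boundary, where the interesting
        # behaviour lives, rather than sampling collateral uniformly
        collateral = debt * LIQ_RATIO_BPS // BPS + rng.randint(-5, 5)
        try:
            profit = self_liquidation_profit(bonus_from_treasury, collateral, debt)
        except ValueError:
            continue  # could not open, or not liquidatable: no sequence to check
        if profit > 0:
            return collateral, debt, profit
    return None


if __name__ == "__main__":
    print("treasury-funded bonus:", fuzz_self_liquidation(True))   # finds a profitable case
    print("collateral-funded bonus:", fuzz_self_liquidation(False))  # None: invariant holds
```

The fuzzer is deliberately tiny, but it already shows the two things the paragraph above is about: why input generation matters (uniform sampling would almost never land on the liquidation boundary, so the loop biases inputs towards it) and what a fuzzer cannot do for you (it only checks the invariant you wrote down, so spotting that "self-liquidation should not be profitable" is worth checking is still the attacker mindset's job).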
Maintaining and continuing to grow your attacker mindset is all about continuing the practice and building good information feeds. I think there are two main things to focus on:
- issues that get overlooked -> post-mortems & bug bounty reports
- issues that regularly appear in codebases you might encounter -> audit reports & code contests
Apply the same method from the Getting There section: Distill the issues into their essence, and make them your own!
💡 It can be worth it to go back and see if you missed this particular type of bug in any of the projects you recently looked at.
To become a rockstar in web3 security, you need to balance both pillars—Foundational Knowledge and the Attacker Mindset. Learn deeply, and apply deliberate practice to build your attacker mindset. It's an asset that goes beyond just web3 security; it's a unique perspective that can be your guiding star in solving complex problems.
tl;dr Don't get stuck focusing too much on one of the pillars. You'll get stuck if you keep reading blog posts and never try your hand at finding bugs. You'll also get stuck if you only try to find bugs and never read any blog posts.
Just do both 🙌.