How to Become Smart Contract Auditor in 2024

Introduction

Hey there, future smart contract security auditors! 🛡️

At ExternalShield, we often find enthusiasts reaching out, seeking a clear roadmap to kickstart their journey in the smart contract security auditing. We get it – the abundance of information out there can be overwhelming. That's why we've created a step by step guide for you with a focus on the EVM based ecosystem ( Ethereum, BSC, Polygon etc. ), which remains a hotspot for development and auditing.

In the following guide, we'll lay out the steps, resources and practical insights that we believe form a comprehensive approach to becoming a skilled smart contract security auditor. Our goal? To provide a structured and digestible roadmap, steering you away from the noise and setting you on a course for success.

Ready to deep dive? Let's dive in! 🚀

1. Learn Solidity

Learning Solidity is crucial to becoming a smart contract security auditor or providing smart contract audit services. If you already know JavaScript, you should have no trouble understanding the concepts of Solidity.

There are many courses available for learning Solidity, but we recommend starting with the

• Ethereum Blockchain Developer Bootcamp With Solidity (2024)

This course will provide you with a comprehensive understanding of Solidity. You may wonder whether advanced Solidity is necessary for auditing. It is, but it requires practice. However, you will learn advanced Solidity along with your journey in auditing, so there's no need to worry about it now.

Other Resources:

• cryptozombies.io/en/course
• solidity-by-example.org
• smartcontract.engineer

2. Solidity Testing & Debugging Frameworks

Choosing the right testing framework is essential for seamless Solidity code testing. The process of testing Solidity code involves some critical steps, including unit tests for individual functions to ensure isolated functionality and integration tests for realistic scenarios with multiple functions or contracts. These tests can be written in Solidity, Python, JavaScript, or TypeScript, depending on your preferred language.

Here's a list of our favourite frameworks:

1. Foundry ( Solidity )
2. Hardhat ( JavsScript or TypeScript )
3. Brownie ( Python )

Our top choice is Foundry because it's faster than Hardhat and Brownie. It comes with built-in fuzz test functionality. Plus, we can write tests in Solidity, which is a significant advantage.

If you prefer JavaScript or TypeScript, then Hardhat is an excellent choice for you. On the other hand, if you prefer Python, then Brownie would be the perfect option.

Now you selected the framework that fits your choice, practice it by writing test cases by yourself. It will help you while auditing, when you need to verify your finding or write Proof Of Concept ( POC ) for it.

3. Learn about ERC standards, Libraries

Now that you have learned Solidity and written test cases for it, it's time to explore the different ERC standards available in the Ethereum blockchain. The most popular ones are ERC20, ERC721 and ERC1155. To help you with this, you can use the OpenZeppelin library which contains pre-tested code libraries. With this library and the ERC standards, you can create your token and wallet.

Here are some resources you can use to get started:

• ERC20
• ERC721
• ERC1155
• ERC4626
• OpenZeppelin

4. Learn About the Most Common Vulnerabilities & Attack Vectors:

The next step is you need to learn about the most common vulnerabilities and attack vectors of smart contracts.

To audit smart contracts effectively, learning about the most common vulnerabilities and attack vectors is important.

The following resources can be helpful:

• https://swcregistry.io/
• https://github.com/KadenZipfel/smart-contract-attack-vectors
• https://secureum.substack.com/p/security-pitfalls-and-best-practices-101
• https://secureum.substack.com/p/security-pitfalls-and-best-practices-201

By familiarizing yourself with these resources, you will gain knowledge about the best practices to follow and the most common vulnerabilities and attack vectors to look out for. This will help you in identifying bugs and potential security threats during the auditing process.

5. Capture The Flags (CTFs)

CTFs are web3/solidity based wargames or security challenges that require you to exploit the smart contract by hacking it. Participating in CTFs is a great way to test your auditing and solidity skills. You can join CTFs live and earn recognition by scoring high and making it to the leaderboard.

You can find all the past CTFs problems and solutions at

• auditortools.io/ctfs

We recommend solving the CTFs in the following order (from easy to hard):

1. Capture The Ether
2. Ethernaut
3. Damn Vulnerable DeFi
4. Paradigm CTF 2021
5. Paradigm CTF 2022
6. Paradigm CTF 2023

Initially, solving CTFs can be time-consuming, so it's okay to look at the answers sometimes. We recommend solving CTFs whenever you find time along with your auditing career. It's not a good idea to complete all the CTFs first and then dive into real-life auditing. It's up to you to decide what suits you best.

6. Compete in Audit Contests and Test Your Skills

Participating in an audit contest can help you test your skills and find vulnerabilities in code. If you're unsure about what to look for in contests, reading past audit reports can be helpful.

There are several best platforms where you can compete, such as

• Externalshield.com
• Code4rena.com
• Sherlock.xyz
• CodeHawks.com
• Bug Bounty on Immunefi.com

Making it to the leaderboard on these platforms can increase your chances of being hired by auditing firms.

7. Learn Finance & Math

When you start an auditing process, you might come across various protocols that involve finance-related concepts. To carry out a thorough and efficient audit of these protocols, it is advisable to have a basic understanding of finance and mathematics. This will help you to better understand the code's inner workings and identify any potential issues or vulnerabilities that may arise. Simply going through the code without a solid grasp of these concepts may result in a less comprehensive and less accurate audit.

We recommend taking KhanAcademy's free course on finance and capital markets to improve your knowledge.

• https://www.khanacademy.org/economics-finance-domain/core-finance

Other Resources:

• https://www.youtube.com/playlist?list=PLjrTIwaNiTwn39tg3sR_bPBWGHoznv47D

https://www.youtube.com/playlist?list=PLO5VPQH6OWdX-Rh7RonjZhOd9pb9zOnHW

8. Keep Updated with Security

It is essential to stay informed about the latest security attack vectors to ensure the safety of smart contracts. There are excellent web3 newsletters that provide valuable insights, updates and hacks news.

Several great web3 newsletters:

• Blockchain Threat Intelligence
• Week In Ethereum
• rekt.news

Conclusion

If you want to become a skilled smart contract auditor, there's one thing you need to know - there are no shortcuts to success. It takes time, effort and a whole lot of practice to master the art of auditing smart contracts. But don't let that discourage you. Think about it - the demand for skilled auditors is skyrocketing and the potential rewards are enormous. So, don't settle for mediocrity. Instead, put in the work, stay committed and get ready to take your auditing skills to the next level.