Why Security Researchers Should Consider Smart Contract Auditing
TL;DR
- Smart contract auditing and web3 security are growing fields that pay well
- Do CTF challenges like Ethernaut and Damn Vulnerable DeFi
- Read up on past smart contract hacks
- Learn Solidity and EVM security concerns and anti-patterns
The target audience for this post is security researchers, however the information is general enough that it will benefit anyone looking to get started in smart contract auditing. I’ll break down what smart contracts are, why you should care, and how to start hacking them.
What are smart contracts?
A smart contract is code that runs automatically when certain conditions are met. These programs live on a blockchain like Ethereum or Solana. They are immutable and cannot be easily patched like traditional software. This means vulnerabilities in the code need to be found and fixed before the smart contract is deployed to mainnet (production), which is why having skilled security researchers audit the code is crucial.
BTW: the term “smart contract” is kind of a misnomer. They are neither smart nor a contract.
Why should security researchers care about smart contracts?
I get it, the crypto space has a bad reputation. There are a lot of scammers, rug pulls, and annoying crypto bros. However, blockchain security is still immature and really needs the help that established security professionals can provide. Cryptocurrency exchanges, DeFi protocols, and user wallets have lost billions of dollars due to preventable hacks.
I encourage traditional security researchers to view smart contracts just like any other research target. You have security researchers who may specialize in browsers, operating system internals, or mobile phones. Similarly, smart contracts are another area to specialize in.
Detach yourself from the crud and get paid for your research - you deserve it.
Some advantages of auditing smart contracts:
- High payouts. Finding a critical bug in a smart contract can net you way more than a zero-day in some obscure driver or video game. Check out this Twitter thread on web3 contest payouts.
- True remote work. Most top auditing firms are fully remote, so you can hack from your couch or a beach in Bali.
- Early adopter advantage. Smart contract security is still young. The developers are still learning too and the scene is not oversaturated like it is in traditional web bug bounty hunting. It’s like getting into binary exploitation back in the early 2000s.
- Growing industry. DeFi and smart contracts are exploding. Big players like Shopify now accept stablecoin payments.
Game plan for learning smart contracts
As a security researcher you are already skilled at quickly picking up new technology and learning how to attack it. If you can read code and find bugs then you are good to go.
Currently, Ethereum is the primary blockchain that smart contracts are built on. There are some other popular chains like Solana, but the EVM is still where most developers choose to launch their projects. You should learn Ethereum first, then branch out to alt-chains once you have a solid foundation.
Smart contracts are written in languages like Solidity, a high-level language with syntax similar to JavaScript. It gets compiled into bytecode that runs on Ethereum nodes. Users interact with smart contracts through transactions, kinda like function calls that cost a small fee called “gas”.
Resources for learning
I think the best way to learn a new security topic is via Capture The Flag (CTF) challenges. Try these to get hands-on experience with Solidity, the EVM, and DeFi:
- Ethernaut: A classic for learning Solidity and EVM quirks.
- Damn Vulnerable DeFi: Awesome for diving into DeFi-specific bugs.
- Hack The Box: Has a few blockchain CTFs—fun, but not mandatory.
For Ethernaut, I recommend using this GitHub repo. It enables you to run the levels locally instead of on a testnet (which can be difficult to set up). Additionally, it uses Foundry, so you will also be learning a testing framework at the same time!
If you are like me, you will get stuck on the beginner CTF challenges since Solidity can be a very confusing language for the uninitiated. I recommend going through one of the following resources to learn Solidity:
Read about smart contract security and Solidity anti-patterns:
Study famous real-world attacks to see how things go wrong:
- The 2016 reentrancy DAO hack
- The recent 2025 ByBit hack overview and explained in detail
- Parity Wallet first hack and second hack, both occurring in 2017
Stay up to date on the latest hacks and security news:
- Rekt news articles
- Blockchain Threat Intel newsletter
Get comfortable with tools used for auditing and testing smart contracts:
- Testing frameworks: Foundry is the go-to for writing tests in Solidity. Hardhat and Truffle are older but still used by some projects.
- Static Analyzers: Slither and Aderyn catch low-hanging fruit.
- Fuzzers: Tools like Echidna, Medusa, or Foundry’s built-in fuzzing help find deeper bugs and test invariants.
Audit competitions - get paid to hack
Audit competitions are timed security assessments where people are paid for submitting valid vulnerabilities. There are a lot of platforms popping up that host audit competitions, but they are not all created equally. Code4rena and Immunefi are some trusted, well-established platforms. Read this post from Zellic on choosing an audit competition platform.
These are perfect for learning how protocols work while earning some side cash.
If audit competitions are too overwhelming, try a First Flight from Cyfrin. These are mock audits on smaller code bases. A great way to build confidence and get used to submitting findings!
What bugs matter in audits?
- Low-hanging fruit. Missing input validation, integer overflows, or not following CEI (Checks-Effects-Interactions). Tools like Slither catch these fast.
- Attacks & hacks. Stealing funds or locking assets in the contract. Includes reentrancy attacks, front-running, and denial of service attacks.
- Code quality. Poor documentation? Deprecated functions? Centralization risks? Call it out. You are here to improve the quality of the project as a whole. Reference the Blockchain Maturity Evaluation guide from Trail of Bits for more.
- Business logic. Does the code do what the project says it should? Are invariants (key assumptions) holding up? If not, that’s a finding.
But I don’t like writing reports
I don’t blame you. Thankfully, a lot of report writing is boilerplate and LLMs are actually helpful here. The Smart Contract Security course from Cyfrin has a section on writing findings and reports.
For inspiration, read reports from top auditing firms like Zellic or Trail of Bits to get an understanding of what high quality reports look like. If you’re stuck on wording a bug, Solodit lets you search similar findings for ideas. Links to finished audit reports can be found in the resources section at the end of this article.
Other areas of web3 security
Smart contract auditing isn’t for everyone. Web3 has other areas where your skills can shine:
- Blockchain Analysis: Track transactions and uncover illicit activity.
- Incident Response: Help projects recover from hacks or vulnerabilities.
- Tool Development: Build the next Slither or Echidna and become a legend.
- Wallet Development: Create secure software or hardware wallets to store users’ private keys.
Final thoughts
Smart contract auditing offers security researchers a rare opportunity: a fast-growing, high-impact field where your skills can directly prevent multi-million dollar hacks. Yes, the crypto space can be noisy, but underneath the hype lies a real need for rigorous, thoughtful security work. If you can reverse engineer binaries, fuzz kernels, or exploit websites, you can absolutely learn how to break smart contracts — and get paid well doing it.
Treat smart contracts like any other research target: dig into the code, understand the execution environment, and question the assumptions. Whether you’re doing CTFs like Ethernaut, diving into DeFi bugs, or competing in audit contests, this space rewards curiosity and persistence.
You don’t need to be a blockchain expert on day one. Just start experimenting, follow your instincts, and learn as you go. The space is still young, and there’s room for new voices.