Starting in Web3 Security: where I’m at and where I’m going


I have been in and out of web3 security over the last few years, never having the time to properly dedicate myself to it. However, the situation has changed in the last few months.

At this point, the blockchain wave cannot be ignored. Many institutions are initiating the adoption of this technology, and it has also gained recognition in the mainstream media.

For LLM/AI, the adoption seems to be faster. Some traditional penetration testing companies are already seeking offensive security knowledge in this area. I believe the same will happen for Smart Contracts and Web3 in general as well.

In this post, I’ll share my point of view on Web3 in the security sector, discuss its possible future, and include some personal notes. This will be a sort of diary entry for me.

I’m not a seasoned hacker, so take my thoughts for what they are, with a grain of salt.

A Summary of Web3 and Blockchains

If you know nothing about Web3 and blockchain, let me catch you up to speed:

Blockchain is a technology where the ledger is a chain of blocks containing transactions, with consensus distributed across all network nodes, allowing all nodes to validate transactions.

Ethereum, the second largest blockchain to date, introduced smart contracts, programs that operate at specific network addresses, making it a “programmable blockchain”.

By design, smart contracts are immutable. This means that once a Smart Contract is deployed, it cannot be modified, with some exceptions.

Web3 represents the evolution of the internet towards decentralized applications that empower users with greater control over their data and digital interactions.

It leverages blockchain technology to create secure, transparent, and user-centric platforms, moving away from traditional centralized models.

A lot of money and brains flow into this sector. It’s a wave that comes and goes but grows each time. Soon, it will be a permanent change.

Good technology, a lot of problems

There is still a lot of skepticism and suspicion from the public. And who can blame them? Thousands of new scams emerge every day.

Additionally, numerous projects suffer breaches, resulting in the loss of millions, if not billions, of dollars. How can we expect institutions to invest in this sector, knowing there is a significant risk of losing all their money?

These issues need to be resolved if we want to achieve true adoption. We cannot expect users and institutions to embrace blockchain technology when there are so many reasons to view it with distrust.

So, what can be the solution? What is the final piece of the puzzle?

Security! The industry needs more security professionals to build a solid and trustworthy infrastructure.

This is one of the reasons I decided to study Web3 security. I know I can make a meaningful contribution, and investing my time in this field is a wiser and more valuable choice than risking my savings on some unknown project headed for the moon.

What I have studied so far

I started without following a precise path. I learned some Solidity and some security.

I went through the Ethereum Developer Bootcamp by Alchemy, watched tutorials on YouTube, and wrote code to practice while learning. By this point I had learned Solidity and Hardhat, some security concepts, and gas optimization.

I also learned some finance concepts and studied Khan Academy’s chapter “Options, swaps, futures, MBSs, CDOs, and other derivatives”.

Then Patrick Collins released Updraft, and I took many of the courses on the platform. I learned Foundry and studied Solidity and security more thoroughly, to the point of gaining confidence in my beginner skills.

I definitely have some advantages coming from the traditional world of offensive security. For example, I have experience writing reports and assessing the impact of a problem, I know some fundamental concepts, and I have an adversarial mindset.

However, many concepts were new to me; DeFi, EIP20 and EIP721 are just some examples. You also need to know how to program, and much more; it is not a step you can skip.

Don’t just take my word for it; read “How to become a smart contract auditor” by Christoph Michel. You’ll see everything you need to learn.

I’ll leave some thoughts on what to study for the conclusion. Now, after all this, what have I achieved?

What have I achieved after months of study?

Right away, I saw many tools that automate the code review process. I also encountered dozens of types of vulnerabilities that I didn’t want to miss, and I knew how to program in Ruby.

For this reason, I’ve created SolidityInspector, a Solidity static analyzer tool that assesses smart contracts written in Solidity for code quality, security, and gas optimization issues.

I tested the first version of SolidityInspector with Code4rena. I managed to earn around $150, mostly with QA reports and a gas report. Nothing exciting, but it was a good test to see that it was working.

I recently arrived at the final result: not only the detection of issues, but also a complete report and the calculation of optimized gas.

I also got some results with CodeHawks First Flight contests, challenges designed for those just starting out. You can find my findings here.

Finally, I’ve improved EasyG, my GitHub repo where I collect my notes, adding a section dedicated to web3.

Now, what are the next steps?

The road ahead: my next steps and goals

My goal for this year and the future is to find as many medium and high-severity vulnerabilities as possible in real audit contests. I want to reach the top 20 in Code4rena’s 90-day ranking.

I also want to find medium- and high-severity vulnerabilities, or even criticals, on Immunefi. This platform is hardcore, as the projects with an active bounty program have already been audited multiple times.

I also look forward to meeting many hackers in the web3 security world, learning a lot, and creating a community!

Conclusion

I’m still just starting out, so I’m certainly not in a position to give anyone advice, for example on bug bounty hunting. But I know how you could save yourself some time now that there are great new resources.

If you are starting now, I think the best path to follow would be to go through the courses on Updraft and follow the guide “How to become a smart contract auditor” by Christoph Michel.

There are also other great resources: Block Explorer, the Code4rena reports, Solodit, and Andy Li’s YouTube channel.

I really believe in the blockchain revolution. I don’t have the capital to invest in projects, so I will invest my time and knowledge instead.

By contributing in my own small way, I hope to help make blockchain technology mainstream.

Until next time! 👋

– Riccardo Malatesta
