
On the new waves and ways in smart contract security



Whether for the purpose, the thrill, or the gold, there is a new wave of security enthusiasts adventuring into the Ethereum ecosystem.

The ever-brighter billboards we’ve been long setting up are finally paying off.

Auditing companies played a role in kickstarting the process. They craved new talent to staff their own teams - how else would they keep up with the growing demand? But they couldn't afford to fully onboard those who wouldn't join them. They set the bar for what professional security reviews of smart contracts are meant to be, yet they couldn't spend much time easing the journey for everyone to get there.

As these companies grew and became established, they joined forces with independent researchers. From this synergy we got more wargames, workshops, open office hours, forums, wikis and bootcamps, on top of the long-held tradition of public reports. Surely not the most inviting and welcoming industry yet - but hey, we were working on it.

It wasn't long until new players joined. They brought about a complementary approach to Ethereum application security. Instead of selling the time of highly-skilled in-house experts, the teams behind these new businesses built platforms to crowdsource security work. Bug bounty programs and auditing contests landed on Ethereum, eager to spice up the game of application security. Not without their own challenges.

Because crowdsourcing required, well, a crowd.

For bounties and contests to thrive, anyone must be able to swiftly jump into finding and reporting security issues. Yet only a handful of people knew how to professionally do smart contract security reviews. Most of them already too busy to be educating newcomers. Also, even if the industry somehow managed to lower the barriers to entry, the crowd still needed incentives to cross them. Strong ones.

So far, auditing firms had kept relatively closed salary ranges and pricing models. In a bold move, the new businesses decided to be more transparent. We began seeing open pricing strategies, discussions on salaries, and of course, public payouts with more zeros than anywhere else. The offer for the crowd was on the table. Would they dare to take it?

Not until outstanding security researchers paved the way with their time, effort and sweat. They lit the first sparks that, at last, roused outsiders. Once big wins hit the headlines, everyone was hooked. People began producing, sharing and consuming more and more web3 security content. Projects started competing to attract the top independent hackers. Payouts and prize pools grew even larger. Somehow, the lonesome act of staring hard at poorly written code had become cool and profitable. Who wouldn't want to do it?

It was a matter of time before crowdsourced security got... crowded.

"Farming issues" became a thing. The sheer amount of spam reports forced everyone to adopt stricter policies and a more defensive attitude when triaging issues. Private disclosures lost the personal touch. Security work in the wild became a PvP game, and competition heated up. Suddenly the pie wasn't growing as fast as the number of hungry guests bawling for more. If actual payouts weren't getting lower, they may have gotten slower, or more unpredictable. Yet the industry thrived on, in spite of hiccups.

Stubborn as an ox, the demand for web3 security services remained oblivious to the bulls and the bears. Businesses just grew. Best of all, new and old ones naturally positioned themselves to offer, not one, but many onboarding ramps for the latest wave of application security people on Ethereum.

From the fresh web3-native security enthusiasts to the converted seasoned web2 hackers, now they could all start onboarding themselves to the smart contract security space. Some in more traditional ways. Others, why not, perhaps first building a public image and pocketing a few bucks along the way. If diminishing returns ever arrived, they could always migrate to greener pastures. From which there are plenty to choose nowadays.

The look-alike contest platforms of different flavors and rules. The fresh auditing shops, with a more open and transparent DAO-like culture. The in-house security teams of VCs, DAOs or product-oriented companies. The always present jobs at traditional auditing firms. The lone-wolf private engagements. The part/full-time bug hunting on the highest-paying bounty programs.

Opportunities feel as endless as the amount of roadmaps and threads and articles and spot the bug challenges and questions and newsletters and CTFs and tools and spot the bug challenges and issues and talks and workshops and spot the bug challenges and apprenticeships and interviews and reports in the wild.

We're in a nascent industry. The chances for shaping and pushing it forward are still real. That’s the actual offer on the table.

To take it, above all, we must have something meaningful and lasting to contribute back. Beyond the zeros, the leaderboards, the drama, the likes, the followers, the stars. Without mindlessly trying to outcompete each other to see who's better at selling their skills to the highest bidders.

The dazzling lights of these ever-brighter billboards only serve to reveal the amount of work ahead. We get the most unpleasant but effective of reminders almost every week.

Now that we're more than ever, let us not lose sight of what matters. Because no new wave will wash away our responsibility to secure the applications that genuinely contribute to Ethereum’s long-term game.