Exploring Blockchain Security with Cyfrin feat. Patrick Collins
Listen Now
About This Episode
In this episode of DevNTell, Narb welcomes Patrick Collins, the co-founder of Cyfrin, to discuss the critical importance of blockchain security. Patrick shares his professional journey from finance and Chainlink Labs to founding Cyfrin, which focuses on providing institution-level smart contract audits, security tools, and free education through the Cyfrin Updraft platform. The discussion delves into the immediate financial risks of Web3 compared to traditional software, the role of AI in coding, and the various methodologies used in auditing, such as static analysis, fuzz testing, and formal verification. Patrick also explains the 'Shift Left' philosophy, which aims to empower developers with security knowledge early in the development process, and details the clear career path for aspiring security researchers through competitive audit platforms like CodeHawks.
Key Takeaways
Cyfrin aims to secure the blockchain ecosystem through three main pillars: institutional audits, open-source security tools, and free developer education via Cyfrin Updraft.
The financial consequences of security breaches in Web3 are immediate and significantly larger than in Web2, with billions stolen in instant hacks.
Effective blockchain security requires a multi-layered approach involving manual code reviews, comprehensive test suites, static analysis tools (like Slither and Aderyn), and advanced fuzz testing.
The 'Shift Left' movement focuses on educating developers to be security-conscious from the first line of code, reducing the burden of finding low-hanging bugs during final audits.
Becoming a blockchain security researcher has a straightforward, performance-based career path: learn through education platforms, apply skills in competitive audits (e.g., CodeHawks), and earn rewards or job offers based on findings.
While AI is making code writing easier, it is not yet reliable enough to replace human auditors in identifying complex security vulnerabilities.
Featured Guest
Patrick Collins
Co-Founder @ Cyfrin
Timestamps(click to jump)
Episode Transcript
Read full transcriptHide transcript
GM GM. Welcome to what's going to be another fantastic episode of DevNTell. So, if you didn't know, DevNTell is a 30-minute podcast held every week, allowing founders, hackers, and anyone in between to come on the podcast and showcase their product. And today, I'm ecstatic to welcome one of the true OGs in the blockchain space in Patrick Collins, who's the co-founder of Cyfrin. So, if you didn't know, Cyfrin helps secure the blockchain and its users through institutional-level smart contract audits, tools, and education. So if you stick around for today's episode, you'll see Patrick give us an overview of the Cyfrin platform, its origin story, and how you can start get started with it today. All right. Let's get into it. But first, a word from our sponsor.
Today's episode of DevNTell is brought to you by our friends at Arbitrum. Arbitrum is a technology suite designed to scale Ethereum. You can use Arbitrum chains to do all the things you do on Ethereum, but your transactions will be cheaper and faster. With over 3.8 million ETH saved, 1.69 million active wallets, and over 1.7 billion total transactions, why would you want to settle for any less? Get started today by exploring Arbitrum's comprehensive docs and tutorials linked in the description below to help you get started launching your next dApp today. Now, onto today's show.
GM GM. Welcome to the show, Patrick. Ecstatic to have you on today, man.
GM GM. Yeah, thanks so much for having me. I just had to, uh, share the tweet of this on Twitter.
Ah, yes. Awesome, awesome. Yeah, we had, uh, quite a bit of interest for this one, so I'm glad we could get this organized for folks.
Absolutely. I was going to say, I can't see the chat, so, uh, whenever comments come in, I guess you'll just have to let me know.
Oh, sure. Uh, there should be a comments tab on your, uh, the right. If that one works for me, great. Yeah. We will post a GM for the gang here. Excellent.
Yeah, I mean, you, uh, for the Web3 enthusiast, you need no introduction, but for folks who might be new to the space, would you like to give a brief introduction about yourself?
Yeah, sure. So my name is Patrick Collins. I am the co-founder of the Cyfrin team where we do security and education, as Narb pointed out in the beginning. And absolutely love this space, love everything about crypto, love everything about Web3. And yeah, security and education is kind of the main business of Cyfrin, but we really do anything and everything possible to make this space successful because we love what this space has to offer and we're really excited for the inevitability of the entire world to go Web3.
As am I, as am I. And I guess just curious, like how did you find yourself in technology, like how did you get interested in tech itself and eventually found yourself in Web3?
Yeah, so tech itself was basically like I went to college as many people, you know, 10 years ago did when they were like, 'oh, I don't really know what the hell to do with my life next,' they just went to college. And I didn't really know what I wanted to do. I took a computer science class, I was like, 'I'm pretty good at this. Let's keep going.' I didn't have a whole lot of direction when I got out of college. I started to be like, 'no, let's like, actually do something. Let's push, let's try to learn, let's try to grow.' And I ended up kind of really luckily getting a job at like a an asset manager or hedge fund as like a as like the lowest bottom barrel, you know, dipshit software engineer you could. Like basically, my role was like, it was like alpha support or like production support. I called myself a software support engineer.
And I really wanted to get into finance and use my like tech background because I was fascinated by finance. I was like, you know, I was like, 'how do these giant hedge funds work? How does money work?' You know, I just didn't know, and I wanted to learn as much as possible. So I got to work at this hedge fund and I got to see exactly how it was like a 35-billion dollar hedge fund. I got to see how like one of these hedge funds worked like end-to-end. So I was in charge of what's called alpha production, which everything all these hedge funds they're always looking for this thing called alpha, so a little bit of a finance learning for people watching. Alpha is basically the amount gained like above some benchmark. The benchmark is often called like the beta. So you want to like outperform other benchmarks, right? So like, the S&P or like index funds, indexes are often like the benchmark. So how much better is your hedge fund performing than, you know, an index fund? In this way you can go to clients, you can go to enterprise people and say, 'hey look, here's how much more money you would have made with us than if you had just invested in the S&P 500,' right? So they're always looking for alpha. So alpha production is the... I might maybe I'm being too laborious with this intro here. Alpha production is the is the process of them, you know, running all these models, these simulations, collecting data, and just running all their algorithms for like what stocks are we going to trade today? What are we going to buy, what are we going to sell? That's it, right? So I got to see this whole thing and I was absolutely blown away and I was so excited that I got to learn all this stuff, but I also got to see where a lot of the issues were. Where are the slowdowns, where is it not fair, where are the information asymmetries? And after I left there, I worked for a data provider for a little bit, they sold like basically stock data, like data that these hedge funds would ingest to, you know, put into their alpha production cycles.
And when I was there was when I started to learn about smart contracts. Historically, crypto to me was just like a thing you buy and sell as with most people. And then I learned about smart contracts, I learned you could put data on those smart contracts, and I kind of was like super nerd sniped by that by itself. Really, really interesting, but then as I kind of started going deeper into it, I was just kind of blown away by, 'oh my god, how much of a crazy equalizer this could be, how much basically like from my perspective I was like, why does the stock market even exist when we have this objectively better system?' And so to me I was like, 'holy shit, this is inevitable, I want to work on this,' right? This sounds really cool. And even more than that, like one of my favorite kind of examples that I give now is, you know, a lot of people meme on stablecoins, but stablecoins are this amazing product that we've never seen before in history. This is the first time in history, in the world's history where you have a chance to be financially free being born anywhere in the world. Historically, if you're born in a country where the government is doesn't have their shit together, your financial freedom is bastardized because you rolled, you know, you lost the being born lottery. You were born in the wrong country and now you're financially screwed forever. That's insane to me. This is the first time in history where everyone on the planet can have access to the same financial products and have access to financial freedom no matter where you're born. And so to me that's wildly insane and I don't know why that isn't like the most exciting, the most cool industry on the planet to work on.
So, yeah, I was like, 'all right, this is amazing, let's go deep into this.' And I started working at Chainlink Labs for a few years. Absolutely loved working there. Fantastic, fantastic place. I still love the products, still love the technology. But towards the end of my time there, I was getting more and more frustrated with people getting hacked because what we do is a double-edged sword, right? On the plus side, it's this amazing equalizer. Anybody on the planet can have access to this incredibly neutral financial system, this incredibly neutral technology. But the downside is something breaks, you have no one to go to. You just lose all your money.
And so, yeah, kind of towards the end of my time at Chainlink Labs, I was like, 'why the hell is everyone getting hacked? And it's the same stupid hack, and oh my god, why won't anyone do something? Why won't anyone fix this?' and, uh, yeah basically me and a few other kind of Web3 natives... I actually hate that term, but Web3 natives if you will. We were like, 'okay, we're going to start a company. We are going to fix this. We are going to be the ones to to jump in because we're not happy with the state of things.' And we wanted to do things differently, and I'm very happy... so Cyfrin, we've been around for around two and a half years now, I'm very proud of the work that we've done and I'm really excited for the work that we're going to do. So we approach this problem of security very differently than a lot of the other security firms. Yes, you know, we work with some of the largest smart contract clients in the industry. You know, we work with Metamask, Linea, zkSync, the new Metamask update with 7702, like EIP-7702. You know, we did the audit for the delegation of that. So if you use Metamask as of today, you're probably working with Cyfrin audited code. So we work with some of the best people in the industry and we work one-on-one and we help one-on-one and we help as many big projects as possible. But we also think that that's not enough.
If we go around one at a time, you know, we'll help one project at a time when it's the whole industry we need to level up. And that's why we pour so much energy into education, making sure people know themselves how to level up as auditors, how to level up as developers because we think that's the only way to bring this whole space to fruition. And from a business perspective, it's actually quite stupid that we do this because we will get into bidding wars with Cyfrin Updraft graduates who learned security from us.
And, uh, yeah, from a business perspective it's kind of really stupid to bring to literally be like, 'hey come to our industry and come learn this stuff,' but we think it's so important that we still do it. And yeah, like at the end of the day, we're going to do whatever whatever it takes to make this industry safer and we have a lot of issues in this industry and we're fighting really, really hard to to fix it either through education, directly working with clients, building open-source tooling, we build a ton of open-source tooling and just everything. So that's my super long-winded intro. Sorry that was a long 10 minutes.
No, no, that was amazing. That was wonderful. And thank you for getting into so much detail. I mean, I was going to ask you some some of those questions you already touched on. Um, but like yeah, myself, I got introduced to yourself when you're at Chainlink. Actually learned my first smart contract coding from some of your videos when you were doing the Chainlink demos. Yeah, and I have taken some of your course content from Updraft as well.
So, yeah, you guys are doing wonderful work, saints work, so definitely keep it up. And I mean, we need we need more people being security-conscious around smart contract development. So I know you're like, 'oh, it's kind of like cannibalizing your own market share,' but like I think it's for the better, like as long as people are making people know how to properly code smart contracts, I think it's worthwhile.
Definitely. 100%.
Yeah, and you're also quite the avid lifter as from some videos. I'm a lifter myself, so yeah, just curious, like how did you get into lifting?
Um, so I'm I call myself like a backyard athlete. I'm like a very true I consider myself like a very true CrossFitter in the sense that I will never be the strongest lifter, I will never have the highest endurance, but I will be pretty good at both. Like I can rock up to a weightlifting competition and hold my own, I could go run a marathon, it would be a terrible marathon but like I could do it. I like being able to just be fit, you know, and that's kind of what I wanted to... that's how I got into it.
So, when I graduated school, like I did kind of the whole like, you know, classic bodybuilder split, you go to the gym, you do like push-pull legs or whatever. And I would be super active for like two months and then I I hated it. I hated being the gym for like 90 minutes and just being like, 'all right, now I got to do my curls, and now I got to do my whatever the hell you do in like at the gym for a classic...' I hated it. I hated it. I hated like being alone and putting my headphones on. And I was like, 'okay, like sports. I like sports, like let me go play a sport.' But I wanted to play a sport where I would get like in better shape and be more fit, and I felt like none of the sports like I wouldn't be as fit as I would want to be, like cause I could go like play basketball and then like still feel like I would need to go to the gym.
And then I felt CrossFit, which is like the sport of fitness, which is like kind of silly, and I remember being like thinking it was so stupid and the pull-ups are so dumb and... but then I started doing it, I had a really good time, you know, it's got an amazing community and I had never done like Olympic lifting before, and Olympic lifting is like the most fun thing ever. Do you do Olympic lifting or is it more powerlifting?
Uh, it's more of like a hybrid between like bodybuilding and powerlifting.
Hell yeah, okay cool. Cool. So if you ever get a chance, you got to try Olympic lifting. Olympic lifting, so it's really hard and it takes like six months to even feel competent with what you're doing because it's so technical. But oh man, like hitting hitting like a like a heavy clean, oh you feel like you're the just like such a badass. Yeah, like hitting hitting like a heavy bench, you're like 'gah, like I'm sick,' or like a heavy squat, but like hitting a heavy clean, oh man like there's it's just so explosive. Narb, I highly recommend, if you're ever in Boston, man, I'm being dead serious, I've actually brought clients to CrossFit with... really? Yeah, I've brought audit clients to CrossFit, I'm like, 'yo you got to work out with me,' blah blah blah. Yeah, if seriously, if you're ever in Boston, I would love to lift with you, dude. I think that'd be so fun.
Hell yeah, man. Yeah. Oh yeah, if I'm ever in town I'll hit you up.
Yeah. What about you? What got you into lifting?
Yeah, for me, personally, like when I was a bit younger, I was a bit overweight, so I kind of just started lifting and lost a bunch of weight and it kind of just stuck on to me as like a habit that I can't and won't ever get rid of. Hell yeah, good for you. It's just like it's just like a magic pill, right? It's like brushing your teeth or yeah brushing your teeth. Yeah, you just like up and at 'em, just an hour in, heavy lift. Yeah. Dude, it's such a mood, a mood like uplifted, you're like frustrated with work or something goes bad, you go to the gym and you just get your ass kicked for an hour and yeah it's it's actually surprisingly like a pretty big thing in the security community. Like a lot of like a lot of the security people like they are all like avid lifters, um, which I think is awesome because it's also like promoting you know more healthy habits, getting out the door, like I consider myself a hardcore like nerd, like you know, like if I if I didn't have the gym, I wouldn't leave my apartment. Like I'm you know, like I would go hang out with my girl, you know, and that's like it, other than that I would just stay in these four walls. You know what I mean? So yeah get out the door, get healthy, you know, it's it's good for your brain. It's good for your brain.
100%, man. Yeah. I can't agree more. Uh, but yeah, that's that's awesome. I mean, yeah, if you're watching this today, maybe maybe go hit the gym for the first time, you won't regret it. Or hit hit us up on Twitter, ask for we'll give you the bro tips, because neither one of us are actual fitness instructors, we'll just be like 'yeah, just push-pull legs, baby!' 'Hit a sick clean, dog!'
That's right, that's right. Hell yeah.
But yeah, I guess without further ado, I will bring up the stuff you have prepared for us. Great. Yeah. The stage is yours, my man. Great, one second here.
And folks, as Patrick is going through his content, if you have any questions, please post them in the chat and we will get those questions answered for you.
It's a little warm here in Boston, not quite as warm as it was in France, but a little warm here. Uh, yeah, so today we're going to do a little brief rundown of just introduction to security and auditing basically. You know, so a lot of people who have gone through the security curriculum on Cyfrin Updraft, this will be a refresher for you. But if you've never done anything in security, this is perfect for you. If you have done something in security and you want to learn more, if you want to kind of be informed about what this process looks like so that when you build a protocol, you can know you know exactly what your auditors are doing, this is for you. Or if you want to be a developer and you want to have your code actually be good, like this is important to to know.
So one of the things that we've seen kind of in in this industry, especially with the rise of AI, writing code is becoming easier and easier to do, which is good. You know, we want it to be cheap to write code because AI can help you a lot of times with writing code. However, writing good code is still pretty much just as hard, right? So, you know, you can write a protocol where an AI can help you write most of it, but you still need a human being to go through your code to make sure it's secure because there's been a lot of advances with AI's you know, finding bugs, but it's still not good enough to rely on, not even close to good enough to rely on. So no matter what, at the moment, like this is still important. And one of the main differences between Web2 and Web3 security... I should I should stop using those terms... about traditional engineering and blockchain engineering is in traditional engineering, if you build a website and your website is like, 'look, save pictures of your cat,' you know, if that website gets hacked, 'oh no, like all the pictures of my cat have been, you know, out on the internet for free, woe was me.' You know, or my data has been released, although data being released is actually quite bad for other reasons. But usually kind of the the damage can be kind of a little bit abstract. Whereas in blockchain world, the damage is immediate and it's financial.
We've seen the largest hack of all time happen a few months ago in the Bybit hack. 1.4 billion dollars stolen in an instant. 1.4 billion dollars. That's bigger than I'm pretty sure that's bigger than any bank heist that's ever happened, and it was instant, right? So the the risks of getting something wrong in this industry are quite high. So you really, really, really, really, really, really, really want to make sure you have this down. And we're basically we're moving to a meta where the best developers are security researchers themselves because of how high the risks are. So basically, if you want to be a good developer, you need to know everything we're going to be talking about here. So with that being said, let's go in. Uh, just kind of a quick refresher, once again I'm CEO and co-founder of Cyfrin. Uh, yeah, we work with, like I said, Metamask, Consensys, Chainlink, zkSync, Circle, I'm a developer and security researcher. I've been in this industry for you know five or six years now. And I'm also the lead instructor on Cyfrin Updraft, which is our education platform. You can go get certified in different skills like smart contract development, wallet signatures, and you can learn everything for absolute free because we believe that knowledge wants to be free. That's something we hold very, very strongly.
So here's kind of the agenda of what we're going to go through. You know, why security, what is Web3 security, you know, what's the opportunity, some prerequisites, talk about the audit process and go through some tools. Um, and then these are kind of some of the tools that we're going to go through. So this is going to be a real just kind of a primer on security, what is security smart contract security, how does it work, and then any questions that you guys have like as we go through, please feel free to ask, and then questions at the end as well. So a bit of a quick primer, although I pretty much already talked about this is you know why is Web3 security so important? And this is why. So this is a list of this website Rekt News, rekt.news. The eco-friendly rug pull. Uh, so this is a website, absolutely love Rekt News, um they very humorously kind of go over different attacks that happen in the industry.
And if you'll notice... July 3rd, July 2nd, June 22nd, June 24th, this is like about a week, and this is four high-profile hacks that made the news. 12 million, 10 million, 200k... oh this was this was actually much bigger because the tokens dumped to 99, the token value went to zero in an instant. Uh, so you can see these happen quite often, which this is basically what I was reading when I worked at Chainlink Labs and I was quite frustrated that this happened. So, these hacks happen quite often, unfortunately, and for a lot of money. Like I said, Bybit 1.4 billion dollars, it's the largest hack of all time. Not just Web3, that 1.4 billion dollars that was stolen in an instant, that is the largest heist of all time.
So why is security so important? Well, spending 2 million dollars on security versus getting hacked for 200 million dollars is a 99% reduction in costs. So it maths out quite well. Now this is kind of like a humorous way to put this, but usually in most protocols, this 200 million is not your money. This is 200 million dollars of somebody else's money, of your client's money. It is quite unacceptable to lose somebody else's money. Um, so yeah, if you're going to build a protocol where other people's money is going to be on-chain, you damn well sure better take the time to make sure it's secure. This chart is a little bit outdated, but yearly total value stolen in crypto hacks and the number of hacks kind of across the years, we can see 2021, 2022 have the biggest numbers, but you can actually see the total number of hacks kind of still has this upward trend. 2021, 2022 the the amount of money in the industry was was a lot higher and people were a lot less secure. We're getting more secure, but attackers are also getting more aggressive. And especially with stablecoins kind of having this dominant play, we are about to see a lot more money enter the industry. Robinhood just launched an announcement with Arbitrum, sponsor of this show, thank you Arbitrum. So we're expecting to see you know more money coming into the industry and therefore we're probably going to see this number go up and up and up. How much time do I have left by the way? I'm already like going taking too much time.
Uh, just do your thing. Don't worry about it.
Okay. I'll try to hit the beyond the hour here. Uh, so what is Web3 security involve? Well, it involves a lot of things, some of the most common ones are going to be the audit, a bug bounty, and sleuthing. And these are kind of what what I consider kind of the three you know big parts kind of like of post-development security. Now this is kind of kind of not totally true because security starts from when you write the first line of code. You know, if you architect a protocol poorly, you could start have to start over, right? So you really want to be thinking about security from day one. And this is why, you know, Cyfrin Updraft and us so importantly are like, 'hey, we want to shift security left onto the developers.' So that's kind of the narrative Shift Left, make developers more aware of security. And again, that's one of these things that other audit firms might not do because they want to shift everything right because that's how they get paid. We think that's net bad for the industry. We want developers to be smarter, to be more informed, to write code better, and then actually we think that will be better for us in the long run because then you know when the code gets to us, it will actually be high quality and we don't have to spend a lot of time like on really silly low-hanging fruits or or silly bugs that you know somebody else could have found. And we can focus all of our time of finding those really tough-to-find ones, right? So the audit is going to be kind of this basically a security review of what is this code, is it secure? Basically you have, you know, one or several security researchers who literally go line by line reading every single piece of code trying to find hey where does this code not do what it's supposed to do. Bug bounties are this really important narrative right now. Immunefi is one of the largest bug bounty platforms in the industry where once you deploy your code to production, you have some type of way for people who find bugs in live code to a get rewarded for finding the bugs and then b responsibly disclose those vulnerabilities. And that's really important, this concept of responsible disclosure, but I'm not going to spend too much time talking about that. And then sleuthing or tracing, what a lot of people call them, is like you know when a hack does happen, how do you find out who did it or follow the money, um that way you know you can figure out how to go after these people who have conducted a hack. So like Etherscan, TRM, Chainalysis, these are some of the tools that we'll do that.
So, a typical protocol kind of the the end-to-end kind of security flow is they're going to use these different security tools. They're going to use security tools to build. They're going to get a security review/audit before they deploy. And then after they deploy their protocol, they're going to monitor the codebase, they're going to post bug bounties, maybe set up a security council, but like kind of these are some of the main things to think about when you're building a protocol. So the opportunity. Why get into security? Why is it why would it be cool for someone to become a security researcher to become a you know somebody who's into you know hunting for bugs? And it goes back to this: there's definitely a monetary aspect here. You know, there's a lot of money to be made in in the security field. Like I said, spending 2 million dollars on security is a whole lot better than spending 200 million dollars getting hacked, right? So you can do very well in the security field if you're amongst the best. Now that's the hard part is you do have to be kind of cream of the crop. This is one of those industries where the best people get most of the clients and rightfully so, right? Because as a protocol, as a client, I only want to work with you know the people who are actually going to make sure all my all my bugs... well, actually going to give me a higher security assurance.
But the beauty is the path is the most straightforward out of any career in my opinion in the entire world. People are always asking me, 'Patrick, how can I get a job? How can I get an internship? How can I do this? How can I start making money?' For most jobs, the path is like kind of fuzzy. It's like, 'oh hey, go learn this stuff and then go apply and then try to you know make some projects and then hopefully somebody notices you, hopefully you get an interview,' and you're kind of there's a lot of like hopefully somebody picks you up. In the security realm, there is no hopefully. You will earn money if you find bugs. That is that is it. So the path: go to Cyfrin Updraft, go to the we have a careers page actually, if I go to Updraft, explore our courses, career track... If you go to the career track there is a Security Auditor career track. Take these courses in the in the career track, that's step one. Then go to competitive audit platforms like CodeHawks, go to bug bounty platforms like Immunefi, and you will make money. That's it. If you perform well, if you find bugs, you will make money right away. If you find a lot of bugs, if you find a lot of issues, people will want to hire you. That's it. It's super straightforward. Now the downside of this is just because it is straightforward doesn't mean it is easy. You have to find bugs that everyone else couldn't find. So it is not easy, but it is straightforward, and I want to make that that very clear. Learn, apply and earn, repeat. That's it. That's the path. So go to CodeHawks, go to C4, Immunefi, find bugs. And the thing is your first couple of competitive audits, your first couple of bug hunts, you won't find anything and you will get your ass handed to you and you will perform very poorly. But that's fine. Everyone started, the first time everyone did this they were terrible, right? You just keep trying to get better and better and better and eventually you will find stuff that nobody else can find and you will get better.
So competitive audits if you've never seen these before, these are this fantastic security kind of primitive that we have these days where you take a codebase, you basically put a bounty on it, you say 'hey, whoever finds the most bugs on this codebase in this short amount of time wins X amount of dollars.' So and you can kind of see like a leaderboard here from CodeHawks, that is one of the platforms that the Cyfrin team runs. And this is a way to to win money, help secure the codebase, and we've seen fantastic security results from these competitive audits for the clients as well because when you have you know a hundred people looking at the codebase, that can often perform better than you know just two or three. There's a lot of distinctions between competitive and private audits, they both have advantages and disadvantages but from my perspective, competitive audits and bug bounties are still the best way to get into security full stop. So let's talk about the audit process. There's no silver bullet to the audit process. There's no silver bullet to you know finding bugs, but there's typically kind of a a process... a four-step process here essentially. Like the actual process kind of varies. But first, for any audit, you first want to figure out what the scope of the review is. What specific contracts are you reviewing? How many lines of code is it? What is the commit hash? What exactly are you reviewing? Because if I have some code and I forgot to add a function and I add the function later, but my security researchers are you know doing the code without the function, you know maybe that function is super key to the security of the whole system, right? So what exactly are we auditing so that the auditors don't waste time on things that aren't going to be in the code or are going to be the code or etc., right? So this is the scoping phase. What exactly are we auditing? Then you get into what's what I call the recon phase. And this is where the auditors are kind of doing the grunt of the work or the brunt of the work, excuse me. They're manually reviewing the code, they're literally reading your documentation, they're reading your code, they're looking for issues. They're using tools as well, maybe they're fuzzing, static analysis tools, maybe they're using AI. Vulnerability identification, obviously as they're doing this they're looking for bugs. And then the final step is actually reporting. And this is actually a really important step. If you find bugs but you can't communicate that effectively to your partner to your client, it's worthless, right? Like you need to be able to effectively tell them hey here's the bugs, here's how you fix them, and there needs to be an understanding, right? And this actually can kind of go both ways because oftentimes a lot a lot of time junior new security researchers they go, 'oh my god I found a bug and I can destroy this codebase and blah blah blah,' and then when they go to report it, the client will go, 'oh no it that actually doesn't work and here's why,' and you know not having and and having like the feedback from the client can can be really really important. And that reporting phase is really important because that will also give you feedback on did you you know do you know what the hell you're talking about, right? There's there's some pretty famous stories of like security firms reporting bugs, um the client then saying like oh those bugs don't exist and then the security firm you know looked kind of embarrassed.
Uh, yeah, so a lot of this a lot of this is going to be just like reading code. So like this is kind of a little bit more in-depth of the job, like you are most of the job of security researchers is just like reading. Uh, you do a lot of a lot of reading. Um, this joke is kind of outdated because nobody uses Stack Overflow anymore, everyone uses Cursor or Claude or whatever. Um, but you know there is always this kind of like joke of like trying random stuff instead of like reading the docs. As a security researcher, you are doing a lot of reading and you have to do a lot of reading to be good at what you do because you're the main thing that you need to do is you need to understand what the protocol should do. And what you're essentially doing is you're looking for asymmetries between what the protocol should do and what the protocol actually does. And then just with this like anything you know repetition is the mother skill, the more you do this you know the better and faster you get at it. So as a really simple example here, you know, we have like a a a codebase here it's called contract CaughtWithTest, you know, you have this setNumber functionality. If you don't know what this setNumber function is supposed to do, you might look at this and go, 'oh this this looks fine, there's no issues here.' But you know maybe you read the documentation and it says, 'oh setNumber is supposed to set the number to the new number,' then you would go, 'ah okay well it's doing new number plus one, that's clearly wrong, you know that's a that's a vulnerability here we need to we need to fix that.' But with this kind of contract as written, there's no kind of documentation here, you know it's really you know you could kind of infer that setNumber shouldn't be adding one um but without the documentation you can't be sure, right? So this is why you know from a protocol perspective, writing documentation will actually improve your security because you can define exactly what the code should do, right? So that the manual reviewers can can get it right. All right, now let's talk a little bit about tooling. So like I said or yeah we'll get into some specifics here: what are the tools that security researchers are using today? Manual reviews, like I said, actually going through the code reading by line by line. Test suites are super important, so like Foundry, Hardhat, Moccasin, ApeWorx, Truffle's dead so I got to get rid of that. Um, security researchers they they write proof of codes which is like proof that a bug exists in these test suites. Whenever you find a bug you you really want to prove that it actually exists and that it's exploitable. So these are some of the main tools people use as of today. Foundry is definitely the most popular by far, which is why we teach it on Cyfrin Updraft as well. Although Hardhat just had this amazing revitalization um so they're a great to check out. Moccasin's one that we made for the few Vyper developers out there. Um, and there's some other frameworks as well like Anchor for Solana etc. etc.
So, static analysis. This is a tool you pretty much should always be running as even as developers before it even gets to the security researchers. These are kind of what I call like dumb um tools where they just kind of like automatically check the code they look for pattern matching. Uh two of the biggest ones are Aderyn, that's one that we actually build, and Slither, that's by the Trail of Bits team. Um, and yeah, essentially they're just looking for for patterns, right? Like a common one is going to be like a reentrancy vulnerability. You know if um if you have code that can call itself back, um that's like a reentrancy that's pretty easy to find with one of these static analysis tools. It's called static analysis because you don't actually run any code. It's like a tool can just like look for patterns um and just like read and can find these by by reading the code. Like AI in a sense could also be considered like a static analysis tool. 'Hey, read this code and look for you know look for bugs.' Kind of the next level up after static analysis is going to be fuzz testing. This is another one of these tools that developers should be very good at and should be very familiar with. Fuzz testing also known as fuzzing basically involves providing random data as inputs during testing. So kind of as an analogy, um if you're if you're testing the you know the strength of like a hat, for example, like if that's you know what you're doing, fuzzing would be like doing different things to the hat to try to like break it. Like maybe you karate chop it and then you go 'okay karate chop didn't work,' you throw it... okay be like 'all right throwing didn't work,' maybe you take some scissors and cut it and be like 'oh scissors scissors I was able to cut it.' So you're basically like doing random stuff to some smart contracts to try to break it um and this is in my opinion one of the most effective techniques especially when it comes to smart contract development. However kind of knowing where the limitations of fuzzing are are really what makes fuzzing kind of difficult. Um you know if you just say 'oh yeah like you can um let's fuzz this smart contract and just allow any byte code in the world to you know be sent to it while you know it's going to take a computer you know millions of years to come up with like every different scenario.' So you really want to scope it. Like, 'okay we're going to say this subset of random data or blah blah blah.' And this kind of gets into the the tooling. So Echidna, Medusa, Foundry, these are also some of the most popular fuzzers. Medusa is kind of the one that's one of the front-runners as of today. There's also some paid fuzzers like GetRecon, Consensys Diligence Fuzzing um that do really well and yeah fuzzing is really really important to your security journey.
And then kind of one of the final tools that a lot of people in the smart contract space use is this thing called formal verification. And the definition here is basically just kind of converting your your code to a mathematical proof. So yeah, it's a generic term for applying formal methods to verify the correctness of hardware. And so in the smart contract space we kind of consider smart contracts like hardware. Um, usually kind of people's eyes glaze over when I when I say the actual definition of formal verification. So then I usually just say, 'yeah, take Solidity math, take Solidity function and turn into math. Math can be solved, solve for X,' right? That's formal verification. So one of the most popular ways to do the formal verification is this thing called symbolic execution, which is the actual process of like converting it to math. You basically convert your functions to a mathematical expression um and then you say, 'okay, can um you know can X be you know what it shouldn't be or blah blah blah.' So some of the most popular formal verification tools are going to be like Certora, Halmos, Solidity actually comes built in with an SMT checker, which is a type of formal verification tool. Um, and this is a much more niche tool formal verification because it it most of the time fuzzing is going to do what formal verification does for like 1/10th of the effort. Um, whereas formal verification, you know, it's going to be quite time-laborious uh depending on the on the methodology, right? It can be a little bit more time-intensive for not that much more gain, right? So this is another one of these tools that in my opinion if you know how it works you will figure out kind of the niche scenarios to apply it to. Um, it's definitely very cool, it's definitely a fun nerd snipe. Yeah.
Finally, AI tools. AI is getting much better than when I made this screenshot. So this is like, we're just which is heavier, 10 kilograms of iron or 10 kilograms of cotton? And it's like you know ChatGPT, 'iron's heavier than cotton.' Like come on, they're both 10 10 kilograms, fam. Um, but they're getting much better. So uh Dation our audit lead at or audit manager at the Cyfrin team, he actually recently did some really cool stuff with kind of priming an AI. You know, we're doing a whole lot of research with AI. Um they're getting much better, but they still have a a lot to go. So like they're getting better to the point where they can kind of help catch a lot of kind of low-hanging fruit um but like replacing auditors they're just they're not quite there yet. So, um, so I went way over here. Um, so happy to to take any questions. Oh cool, I do see some questions in here.
Yeah, yeah. We got some questions in and no worries man. Uh, so we can bring up Henry's first. Uh, so Henry's currently learning on Cyfrin, content is so great, agreed. Um, however is the security market really expanding? I feel like there aren't as many competitive audits available.
Yeah, great question. So the competitive audits market is is really interesting um for a lot of reasons. So you know I think so C4 basically pioneered it back in 2020 I want to say where they kind of um took this formula of hey let's do these open competitions brought it to the Web3 space. And then I want to I feel like yeah like 2022 2023 is when they started really like kind of being in their heyday um doing really really well. There's been a lot of different approaches to competitive audits and the market is there's a lot of competitive audit platforms um so we're kind of seeing a lot of the the margins on a lot of these kind of go down. So like a lot of these companies from my perspective this is just you know so I obviously have a platform CodeHawks and you know everyone should use CodeHawks and I I do think I I do think CodeHawks is the best objectively product uh out there. Um, but I also understand that like uh with so much competition the margins are a little bit slimmer. It's harder to it's harder for just anybody running one to want to do one. You know, we've seen a lot of the competitive audit companies also spin up a private audits branch where the margins are a little bit better. Um so there's that, which to me is kind of a travesty because the competitive audits themselves, I think are some of the best you know dollar-for-dollar security that you can get if your goal is to mainly squash bugs. Um, they do do a great job at that. Um whereas private audits um are a lot better um at like having a certain expert on some type of of some type of feature, getting kind of more tailored feedback, maybe more than just like oh here are bugs. Like competitive audits are really like here are bugs, whereas private audits can be more, 'oh here's how we can increase your testing and you didn't think about this and you know you can have a more lot more kind of strategic feedback to your protocol.' As well as kind of getting specific experts and then there's hybrid approaches of the two.
Um, but yeah so we have seen less there still are a lot there still are a lot and um I think the security market is still expanding we're seeing so much money kind of flow into the industry especially with stablecoins and all these traditional finance people coming and um competitive audits I think are still some of the best money you know companies can spend. And they are still even if they're super hard, they're still where security researchers should start because you will get feedback immediately. Most platforms um are pretty objective with their judging and with their scoring. Um you learn so much so quick and then also actually if you're getting into the industry and you want to you know get started with kind of this quick feedback, this quick turnaround on CodeHawks we have these things called First Flights, which are beginner-friendly audits where we've put in kind of dummy bugs um in them so you can get started, you can get that that turnaround you can feel confident in doing these competitive audits because you already know what they feel like um so yeah it's definitely expanding. Um I think the market is going in a lot of different directions especially when it comes to these competitive audits and I see yeah people um having different opinions on where these should go. I think yeah but like I said, lot of money coming into this industry especially with stablecoins and all these traditional finance people coming and uh competitive audits I think are still some of the best and we will continue to see competitive audits for a long long time. So yes.
Hell yeah. Hell yeah. Great question, great answer. Uh, we'll squeeze one more in before we conclude today. Uh, James asks: what's the typical timeframe a developer can effectively learn about security? I mean, it's probably not one size fits all but like...
You got it, Narb. You got it. So it's um it's different everybody's different. Um so I've seen people go to Cyfrin Updraft and start making money in in security in as little as two months. Um that's like some of the quickest that I've seen. And that is a crazy pace. That is like them you know waking up living on Cyfrin Updraft and then hammering the competitive audits scene. That is like you are living in Web3, okay? Um I've also seen people in my opinion have a more realistic timeline of of like a year and a half, two years, right? Um they spend you know three to six months on Cyfrin Updraft, they start doing some competitive audits kind of gaining growing getting better and better. And yeah, like a lot of Cyfrin Updraft graduates work in some of the best places in the industry, right? We've we've got people who work at um Trail of Bits, OpenZeppelin, you know Metamask, Chainlink, you know you name it, right? Like there's Cyfrin Updraft graduates all over the place. So, uh, yeah a more realistic timeline is like um you know like a year or two. Um but if you're super motivated if that is if you're like I am hell-bent on making money as soon as possible, you can do it in as quickly as two months. I will say it is very difficult to do that, um don't have that be your expectation there's very very few people who have done that but if you have a realistic expectation of like a year or two absolute you can absolutely make money uh and get a job in in two years. If you uh yeah if you perform really well you make sure you just every time you don't do well you find out why how can I be better how can I improve you know what bugs did I miss what do I need to learn what do I need to know uh you will get there 100%. The path like I said the path is the most clear to success for security researchers but just because it's clear doesn't mean it's easy. So but it is the most clear. Great question.
Just like just like heavy lifting, right? You just take that same mentality. It's like full stop. Like if you want to lift a shit ton of weight, the path is super clear. Go to the gym five times a week and lift heavy weight. Doesn't mean that that's not easy. It's you got because you got to do that for months and months, right? It's exactly the same thing. Yep. Yep. Yep. It's interesting how many parallels you can make to to real life from just the things you do at the gym. But uh anyhow, uh yeah Patrick, uh thank you so much um again for taking the time out of your day um to come on the show. Um it was wonderful. Um I know I learned a lot. I'm sure folks learned a lot. Um final uh closing thoughts um just if people joined late um what's the best way for people to get started with Cyfrin today?
Yeah, so um if you want to get started with Cyfrin and you want to learn, head over to updraft.cyfrin.io or just go to cyfrin.io you'll find all the links there and you can start learning like I said for free, start with blockchain basics and uh go as far as you want. If you want to just get jumped jumping right into security head over to CodeHawks um do some of our competitive audits do some of our first flights if you want to go there. Um if you're a protocol looking to get secured go to our website uh and hit request a quote we would love to speak with you um and uh yeah and if you're a developer and you want to help contribute to a lot of the open source initiatives that we're working on, feel free to make a pull request, make an issue, or just jump into our Discord and say hi. So lots lots of ways to engage uh and reach out.
Boom, there you go. And with that, I just want to wish everybody a very happy start to their week um and that we will catch you back here on Friday actually for another episode of DevNTell. All right all. With that, catch you next time.
Thanks all. Cheers.
Listen On
Resources & Links
Share This Episode
Share on XWatch Episodes Live!
Subscribe to our event calendar and never miss a live episode.
View Event Calendar