Why are you not an Elite Smart Contract Security Researcher?

I'll go straight to the point. Some people make it to the top of the chain, some don't. Why? Just talent? How does one succeed in reaching the elite level in the Smart Contract Security space? I believe I may have the answer. But you might not like it...

Lion looking into the horizon - courage, strength, endurance
Photo by Andrew Liu / Unsplash

Join us (Simpson's meme)

The current state of the field

The field of Smart Contract Security is getting absolutely filled with industry leaders, dazzling the space with their complex bug findings and their insane payouts and wages. By now, even Google's AI can tell you about the largest bug bounty payout in history - a whopping $10m for a whitehat on Immunefi.

Google's answer to prompt "largest bug bounty payout"

It's also no secret that the top auditors get paid quite handsome sums, not just in auditing contests but also on a regular basis at auditing firms such as Spearbit.

Spearbit's tweet on Researchers' weekly salaries

At the same time as the heroes of the Web3 security space are thinking about where to put all that money, more and more aspiring researchers are joining the junior ranks, dreaming of eventually reaching the altitude of legendary names like pwning.eth, Christoph Michel, Tincho Abbate, and many more.

It would be erroneous to say that such junior dreamers are entering the space "just for the money". Money is good for sure, or rather money promises the achievement of greater goods in life. Quite fitting to the blockchain ethos, an economic incentive is a great motor. But it's not just the money. Knowledge, fame, influence, helping the industry: all of these come into play.

However, even though there is still quite a lot of room for newcomers in the space, a very small percentage of these dreamers actually break through and achieve the high rewards. But... Why?

Penguin meme falling with a slap
The industry does slap you sometimes...

The DREAM and the Underachievers

Ah yes, to dream is a marvellous thing. The Web3 space is not unfamiliar with promises of new frontiers, new fortunes, new groundbreaking products. Legendary payouts, as well as inspiring whitehat success stories, also fuel this hope for a great epic ROI.

The Web3 security space still has a ton to grow, and there's still room for many more researchers and auditors and whitehats and whatever. So why is it that the huge majority of researchers don't actually make it...? I thought that... wagmi....

wagmi right...?

Well, it turns out that oaspouagmi - only a small portion of us are gonna make it. That's as truthful as it is terrible. Because Jeffrey Scholz has so eloquently phrased this in a masterpiece article at RareSkills, I'll just quote the whole thing.

Smart contract auditing recently has been perceived as a desirable field to work in due to the perception that it is lucrative. Indeed, some bug bounty payouts have exceeded 1 million dollars, but this is the exceedingly rare exception, not the norm.
Code4rena has a public leaderboard of payouts from competitors in their audit contests, which gives us some data about success rates. There are 1171 names on the board, yet:
- Only 29 competitors have over $100,000 in lifetime earnings (2.4%)
- Only 57 have over $50,000 in lifetime earnings (4.9%)
- Only 170 have over $10,000 in lifetime earnings (14.5%)

Well, to be honest, those are not terrible numbers. The number of researchers doing full-time C4 is probably pretty small as well, so these are not exactly negligible earnings. They are not, however, quite the metrics one is dreaming of...
Anyways, let's just turn our eyes to the Immunefi leaderboard.

Immunefi whitehat leaderboard
Ah yes, this feels cozier...

The Answer?

Let me go back to Jeffrey's article and quote him again:

But for those reading this article in hopes of making a career out of smart contract security, it is important to clearly understand that the odds of obtaining a lucrative career are not in your favor. Success is not the default outcome. (...)
It can be done of course (...). But it will nevertheless require herculean perseverance on your part to master the mountain of rapidly evolving knowledge ahead of you and hone your intuition for spotting bugs.

Success is NOT the default outcome. Damn, life is unfair sometimes.

But it CAN be done. If you've watched Zach Obront's interview on Andy Li's podcast, you've heard that Zach made a lot of auditing money within just months of starting out. Trust hopped from the Web2 security world to reach the Code4rena top as rapidly as pwning.eth made $8m in Immunefi payouts. Leastwood also made a huge jump from mid-level to Spearbit LSR in just a year.

How are they doing this?? Are they all geniuses???

By the way, just a massive shout-out to Andy Li's Podcast. I mean, what a great way to hear about the process and the journey of top researchers in the field.

OK, first things first. Yes, those guys are special for sure. Some bugs they report in audits are just beautiful. Some of them have also reported bugs on Immunefi, not to mention the wonderful findings of pwning.eth.
What I'm saying is that many times there's obviously natural talent involved, or an insane background. Then they are extremely knowledgeable. You saw what the RareSkills man said: one needs to keep up with the rapidly evolving knowledge.

But the key thing is something else. It's that herculean perseverance. It's the mental strength. It's the focus. The discipline.

What a wise man, we should all follow him on Twitter

Of course one needs smartness and a great amount of knowledge and work. But none of that can ever appear without the work ethic and the focus required to achieve the top level. This applies to almost everything in life.

Call to Action!

For Narniaaaaa!

So why are you not an Elite Researcher in the Smart Contract Security space? You're not putting enough sweat and blood. I get asked loads of times by aspiring researchers how one can get a job in the space, find vulnerabilities, become bytecode masters. It doesn't fall from the sky. I got my first smart contract development job after sending my resume to over 50 companies. You gotta fight for it.

This does not mean you need to put in 12 or 14 hours a day and just breathe smart contract security, though Pashov will for sure tell you it pays off. But Pashov wouldn't be a legendary solo auditor in the space if those hours weren't being well spent.

You need focus and discipline.

There are lots of ways you can improve in this part of your life. I'll just leave you with some practical suggestions so that you might actually start doing stuff, but feel free to do whatever the hell you want.

  • Wake up early and on time. Jump out of bed, enough with laziness! Tackle the first moment of your day like a lion (lions sleep up to 21 hours per day... but ignore that)
  • Create a work schedule and work it. Write up all you are to do, all the work, all the study, and just do it (*insert Shia LaBeouf's meme*)
  • Stop wasting time on socials. Man, the internet and technological progress are both amazing and a pain. So many distractions! Don't succumb to those. Timebox the amount of time you spend on Twitter, put your phone away. As a piece of personal advice, embrace the Digital Minimalism way of living.
  • Be disciplined in all aspects of your life. Easier said than done, obviously. But this will help you in your work and study. Workout, stay sharp and strong, clean up your desk, maintain an ordered and healthy life.

I won't lie, these things ain't easy. But hey, that's what separates the researchers at the top. What, you think Patrick Collins was born ripped? Hmm maybe...

Almost as impressive as a 32-hour tutorial

A Note on Intuition and Experience

Again, there is no denying that some people have a natural intuition that is hard to get without genetically modifying yourself. Magnus Carlsen, the highest-rated chess player in the world, dazzles the chess world with his amazing natural intuition. His prodigious memory also plays a big role in his skills. But intuition is also something built. And experience comes into play here.

Speaking of chess, there's a great book by former World Chess champion and all-time legend Garry Kasparov called How Life Imitates Chess. It's not actually about chess though, rather it's about life lessons that Kasparov took from being at the top of this intellectual game for about 20 years. But it's interesting to see that experience is key in chess. Not just that, but studying past games and tournaments is a must if one wants to be a Grand Master (GM). You train that pattern recognition muscle.


The same goes for smart contract security. The more experience you have, the more reports you read, the more you understand and study and memorize, the better you'll be at smelling vulnerable development patterns, and your intuition will be built on top of that knowledge foundation.

OK now you know the role of studying and experience. How does one get all of that? Again, focus, concentration, perseverance.

Stay strong, my friend.

Go eat some cookies, you deserve it