1. Master Solidity

To perform an effective code review, at the very least, your knowledge of the language and ecosystem must be on par with the developers writing the code. Otherwise, how can you expect to identify their mistakes?

Deep Solidity and EVM knowledge is not optional. It allows you to spot subtle edge cases and identify “sneaky” vulnerabilities that less experienced researchers often miss.

Take the classic abi.encodePacked() hash collision issue as a simple yet important example. Different inputs can produce the same packed byte representation, leading to unexpected behavior. An experienced researcher will identify this issue almost immediately, but a new researcher may miss it entirely if they lack Solidity fundamentals.

Even if your long-term goal is to audit smart contracts outside the EVM ecosystem (such as Solana/Rust), I still strongly recommend starting with Solidity. The security intuition and EVM fundamentals transfer surprisingly well across ecosystems, making it significantly easier to adapt later on.

The following materials will help jumpstart your mastery of Solidity and the EVM:

1. CryptoZombies
   An excellent hands-on platform for learning Solidity, blockchain concepts, and EVM fundamentals through interactive exercises.
   
   
2. Mastering Ethereum
   A comprehensive resource covering Ethereum, the EVM, smart contracts, and blockchain fundamentals. Essential reading for serious security researchers.
   
   
3. Rareskills interview questions
   Over 150 Solidity and EVM questions ranging from beginner to advanced difficulty. If you can answer most of them without help, you are likely ready to begin finding serious bugs.

2. Practice, practice, practice

Repetition is the path to mastery. You must consistently dedicate time to practicing audits every single day. Before jumping into live audits, I recommend gaining experience through the following:

1. Solve CTFs
   Damn Vulnerable DeFi is an excellent resource for this, where you can gain hands-on exploitation skills and vulnerability pattern recognition. Many walkthroughs and solutions are available online if you get stuck.
   
   
2. Perform Shadow Audits
   Find a recent audit contest or public security review within a protocol category that interests you (AMMs, lending, etc.).
   
   Make sure the review contains at least one high severity finding – but don’t read the findings yet. Proceed with auditing the codebase yourself in the same time frame as the original review. Once completed, compare your findings against the published report. If you consistently identify high-impact vulnerabilities, you are ready to begin live audits.

Your goal during an audit should be to have a complete understanding of the entire in-scope codebase.

Personally, I aim to understand the protocol even better than the developers themselves. Even if this goal is not fully achieved, the process itself dramatically increases the likelihood of identifying a high-impact finding. 

AI can also be a useful tool for understanding unfamiliar code or accelerating research, but it should only be an assistant at most.

In my experience, the most critical vulnerabilities often hide within the most mentally exhausting and complex parts of the code.

Many researchers unconsciously avoid these areas because they are difficult to fully reason about. One tool that helps me stay organized when I encounter these complex paths is the Solidity Visual Developer extension for writing audit notes (@audit-info, @audit-issue, etc.), as legendary researcher cmichel explains in his 2021 post: “How to become a smart contract auditor”.

3. Specialize In A Niche

Researchers with only broad, generalized knowledge often limit themselves to only surface-level findings.

Nearly all top security researchers specialize deeply in at least one protocol category or ecosystem. This specialization allows them to provide significantly more value to clients, outperform their peers, and identify vulnerabilities far more efficiently than researchers unfamiliar with the domain.

A great example was the 2025 Infrared contest on Cantina.

Infrared is tied to Berachain infrastructure and validator mechanics, making it significantly easier for researchers with prior blockchain infrastructure experience to reason about the protocol’s assumptions and attack surface.

Top security researcher Haxatron, who specializes in blockchain infrastructure projects, spent only a few hours on the contest and still received an $11k payout. In his own words:

“Spent few hours on this contest with knowledge of beacon-kit and got a yummy payout.”

This is the power of domain-specific expertise.

Researchers with specialized knowledge quickly recognize dangerous assumptions and edge cases that generalists may completely overlook despite understanding the Solidity code itself.

To select a niche, begin by auditing protocols across different domains such as AMMs, lending, cross-chain, or blockchain infrastructure projects. Simply choose the niche you find most interesting and intellectually rewarding.

Once you identify that niche, deeply study the most battle-tested protocols within it. These protocols establish the baseline assumptions and design patterns that many newer projects inherit or build upon.

For example, if you specialize in AMMs, you should develop a strong understanding of protocols such as Uniswap V2, V3, and V4. Many future audits will either directly resemble or integrate with them.

4. Start Hunting

At this stage, you should have enough Solidity and EVM knowledge, along with sufficient vulnerability pattern recognition, to begin identifying impactful bugs in live codebases.

Start hunting on Immunefi or HackenProof, and regularly check Sherlock and Cantina for active contests. Select a project that genuinely interests you, preferably one slightly above your current skill level. Auditing challenging codebases will force you outside your comfort zone and accelerate your growth significantly.

Don’t assume a protocol is secure simply because it has undergone multiple audits or has been battle-tested for years.

Through experience, I’ve learned that even elite researchers can miss critical vulnerabilities, and some of the most dangerous bugs remain hidden for years before eventually being discovered.

A perfect example of this is the November 2025 Balancer V2 exploit, where attackers drained over $120M by exploiting subtle rounding behavior inside composable stable pools.

Despite having undergone multiple audits from top-tier firms, the vulnerable attack path had existed since July 2021, more than 4 years before the exploit occurred. Whether this happened because the industry still lacks enough experienced white hats, or because attackers often avoid heavily reviewed protocols, the lesson remains the same:

Never assume battle-tested smart contracts are bug-free.

However, finding bugs is only one part of breaking into the industry. Publicly documenting your work is one of the fastest ways to build credibility in Web3 security. Whether it’s an informational finding or a critical vulnerability, share your discoveries on X and explain your thought process whenever possible. This helps security firms, protocols, and other researchers to recognize your abilities over time.

I also strongly recommend maintaining a portfolio (such as GitHub) where you showcase past audits, writeups, tooling, and research. This not only helps others learn, but also establishes your reputation as a serious security researcher within the industry.

5. Additional Advice

1. Read reports from elite researchers
   Solodit is one of the best resources for studying public findings and expanding your vulnerability pattern recognition. Elite researcher deadrosesxyz once mentioned that one of the biggest factors behind his early growth was to open Solodit and read through rare 0x52’s submissions.
   
   Studying high-quality reports consistently will expose you to attack vectors and patterns you may never discover on your own.
   
   
2. Keep tracking protocols after the audit ends
   Some researchers earn massive bounties simply by continuing to monitor changes (i.e., through GitHub) made to protocols after contests or audits conclude.
   
   Developers frequently introduce new vulnerabilities while fixing old ones, refactoring logic, or adding features.
   
   A great example is researcher WhiteHatMage, who placed top 9 in the Story Protocol contest on Cantina, but continued reviewing subsequent code changes afterward. Soon after, he discovered a critical vulnerability that earned a $100,000 payout.
   
   This demonstrates an important lesson that security reviews do not end once the initial review is complete.
   
   
3. Don’t fear AI
   Top security firms are still actively hiring because AI is far from replacing strong researchers.
   
   While AI can accelerate research and help explain unfamiliar code, it still misses many obvious vulnerabilities. The best researchers will use AI as a tool rather than a replacement for deep reasoning and intuition.
   
   
4. You do not need a traditional coding background
   Many successful security researchers started without any coding background. The key difference is that they did not allow this to become an excuse.
   
   You don’t have to build complex software to become an excellent auditor, you just need to know how to read it.
   
   
5. Protect your focus
   Modern distraction is one of the biggest enemies of deep security research. You need consistent focus for long uninterrupted periods of time to be productive.
   
   Personally, I use Opal app to block distracting apps throughout the day and brain.fm to help maintain focus during long audit sessions (not affiliated).
   
   
6. Persistence matters more than most people realize
   Many elite researchers spent months auditing consistently before ever receiving a single payout.
   
   Breakthroughs often happen only after long periods of frustration and what may seem like invisible progress. The researchers who make it are the ones who continue showing up even when results are not immediate.

6. Conclusion

Web3 security is one of the most difficult and cognitively demanding fields to break into as a full-time researcher. Even individuals with strong mathematical or computer science backgrounds struggle to make progress early on.

As the industry evolves through AI advancements and changing audit ecosystems, what worked for researchers a year ago may no longer work today.

The ability to continuously adapt is one of the most important skills a security researcher must have. If you build strong fundamentals, practice consistently, specialize deeply, you will place yourself in an excellent position to succeed long term.

More importantly, you will help secure an industry that still desperately needs skilled white hats.