Hey everyone, it has been a few months since I last wrote. I am sorry for being absent for so long, it is because I was busy with the Secureum Bootcamp Epoch 0.
The Secureum Bootcamp is a smart contract audit bootcamp founded by Rajeev, an ex-auditor of Trail of Bits. There are 2 phases in the bootcamp. It started with the Learn Phase in October and it lasted 8 weeks. Each week, we received learning materials in the form of Youtube videos, articles and code challenges. The videos/articles are in the form of a checklist where each list item is an Ethereum security concept. Other articles written by top auditors in the space were also given to us as reading materials. In some weeks, we were told to do coding challenges to exploit vulnerable contracts. We did Capture the Ether, Damn Vulnerable DeFi and Paradigm CTF. They were all good fun and as a programmer I found getting my hands dirty to be the most effective way to learn. By the end of each week, there was a multiple choice quiz. There were 1028 participants in the bootcamp and the top 128 candidates would make it to the next phase.
Learn Phase
Week 4: Security Pitfalls & Best Practices 101
Week 5: Security Pitfalls & Best Practices 201
Week 6: Audit Techniques & Tools 101
Don’t be fooled by the “101” titles, many concepts taught in these checklists are actually not 101 materials. I mean yes if you have been working in the crypto space for a long time, you might know many of the concepts already, but I can guarantee it is not time wasted to go through the checklists.
The quizzes were also quite difficult, they were designed in a way that confused the quiz takers. In some quizzes, we were even asked correlated questions, so if you got the first answer wrong, you were going to get the second answer wrong as well. The time constraint was also real, and it was said to recreate the real world auditing environment where everything was time-boxed and the companies are understaffed but you still have to find the vulnerabilities because people lose money if you don’t do it right. Overall I found it a good experience despite how difficult they were.
Audit Phase
The Audit Phase happened after the Learn Phase. 128 candidates were divided into 4 groups and we were each assigned a protocol to “care” for. “CARE” is not an audit, but steps to take to prepare for an actual audit. It is a project to apply our learnings. It definitely helps with the assessment if we were able to understand how the protocol works, but more importantly the objective was to find technical vulnerabilities by reading the codebase and using audit tools, rather than discovering business logic vulnerabilities or economic attack scenarios. I started with reading the documentation to understand how the protocol works, then proceeded to reading the codebase, then used tools such as MythX, slither and echidna to try and find vulnerabilities. Finally we had to write our findings in an audit format report. It is a good experience in terms of doing a project that is close to what actual auditors do. Also, you only really get to learn how to use slither and echidna after you have run into a ton of system and compilation errors. :)
After the Audit Phase
The bootcamp’s sponsors, Trail of Bits, Consensys Diligence and Sigma Prime are going to pick some participants from the bootcamp to become interns at their companies. This is a good gateway for anyone who wants to become a smart contract auditor. I would imagine it being much harder if you were to apply to these companies directly. Most of the openings are not entry level positions and security audit seems to be a field that aren’t easy to break into if you have no prior experience.
I highly encourage you to check out the next epoch which is the Epoch ∞ starting in late January. Even if you are a developer and have no plans to become an auditor, the knowledge you will learn from this bootcamp will help you secure your protocols so you don’t end up becoming famous on rekt.news. This industry is seriously understaffed on security-minded professionals (auditors and developers alike). While knowing these things and even getting an audit doesn’t stop your project from getting hacked, we should still equip ourselves with the knowledge to minimize the chance of hacks.
If I have managed to convince you to apply for the next epoch, visit https://www.secureum.xyz and join the Discord server!