This article is for students with a math or computer science background interested in learning more about decentralized finance (DeFi), developing analytical skills, and earning lucrative income by helping secure software. Demand for strong security researchers is high and there’s a lot of opportunity for smart and determined researchers.
We’ll give an overview of DeFi and smart contracts, then dive into the security concerns and the various methods for minimizing them.
What is DeFi
DeFi stands for Decentralized Finance, which refers to financial applications such as lending and borrowing platforms, stablecoins, and exchanges built on a blockchain. These platforms are permissionless, meaning anyone can interact with them. For example, anyone worldwide can borrow and lend on a banking protocol, with minimal intermediaries, giving both the lender and the borrower a better rate than traditional banks.
These applications are enabled by smart contracts. Bitcoin's blockchain is essentially a decentralized ledger: it records who owns how much of a single asset. On Ethereum and other smart contract platforms, the blockchain also stores program code and the state those programs manage. The programs are called smart contracts; a transaction can invoke them, and their execution determines the new blockchain state, with every node running the same code and reaching the same result. This is what makes the permissionless nature of DeFi possible: anyone who can submit a transaction can call a contract. While the technical background of Ethereum or other networks like Solana is too vast to go into in this article, there are countless interesting problems within each of them that make securing smart contracts that much more interesting.
Permissionlessness and openness make DeFi protocols interesting, but the same qualities make bugs easier to exploit. Every transaction, and every contract's code and state, is visible to everyone in real time, and anyone, including an attacker, can call a contract. Combined with the fact that a single exploit can drain millions, if not billions, of dollars, it is clear that security for such systems is paramount. Unlike traditional software, DeFi protocols are usually small, on the order of thousands of lines of code, yet they secure billions of dollars of value. Thus, the value per line of code is unprecedentedly high. This makes such systems a natural fit for formal verification: verification takes significant effort, but the stakes justify it.
Finding Bugs in DeFi
Bug hunting in DeFi is an interesting puzzle. There are varying styles like manual review, fuzzing, and formal verification, but all involve finding an input or a sequence of transactions that violates the developers' assumptions and lets an attacker harm the system. The openness of DeFi systems and the constant innovation create a breeding ground for interesting and unique bugs. The uniqueness of the bugs requires a thorough understanding of the code base and a creative approach.
Learning about this space will require a somewhat multidisciplinary approach, but many newcomers have shown that creativity and determination are most important. Many new entrants join audit contests hosted on platforms like Code4rena and Cantina to improve their skills and earn rewards. Audit contests are fixed-duration contests with a fixed prize pool. Participants review the code and submit any vulnerabilities they find. The most severe and unique vulnerabilities are valued the most. The fact that the top 10 in the Code4rena leaderboard in 2022, 2023, and 2024 have minimal overlap shows that newcomers with determination and creativity can do well in this space.
Formal verification contests are a subtype of audit contests in which participants are rewarded for verifying smart contracts and finding bugs. Verification is conducted using the Certora Prover, which takes the compiled contract bytecode together with a specification of the intended properties (written in CVL, the Certora Verification Language), translates both into logical formulas, and uses SMT solvers to check whether every property holds on every possible execution, reporting a concrete counterexample when one does not. Formal verification is particularly challenging because it requires an analytic mind capable of seeing abstract ideas and high-level properties within concrete software. This skill is most common in individuals with mathematical backgrounds. This is why, to date, over $600k in rewards have been distributed, but only among around 100 participants! Check out the formal verification contest leaderboard. The space is growing, with our next contest having a $100k prize pool!
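To make the idea of "high-level properties within concrete software" tangible, here is a small CVL specification of the kind a formal verification contest participant would write. It is an added example, not a spec from this page, from Certora, or from the contest code base. It assumes a hypothetical `SimpleVault` contract with `deposit()` (payable), `withdraw(uint256)`, `balanceOf(address)`, and an internal `mapping(address => uint256) balances`; those names are assumptions chosen for the example.

```cvl
// Added example spec for a hypothetical SimpleVault contract (not from the page).
// Assumed Solidity interface:
//   function deposit() external payable;          // balances[msg.sender] += msg.value
//   function withdraw(uint256 amount) external;   // requires balances[msg.sender] >= amount,
//                                                 // debits it, then sends `amount` wei to msg.sender
//   function balanceOf(address) external view returns (uint256);
//   mapping(address => uint256) balances;         // storage slot the hook below watches

methods {
    // envfree: the view needs no msg.sender / msg.value, so we can call it without an env
    function balanceOf(address) external returns (uint256) envfree;
    function withdraw(uint256) external;
    function deposit() external;
}

// Ghost variable: the sum of all entries of `balances`, maintained by a storage hook.
ghost mathint sumOfBalances {
    init_state axiom sumOfBalances == 0;
}

// Every write to balances[user] updates the ghost by the delta, so the ghost tracks
// the sum without the Prover having to reason about the whole mapping at once.
hook Sstore balances[KEY address user] uint256 newBalance (uint256 oldBalance) {
    sumOfBalances = sumOfBalances + newBalance - oldBalance;
}

// Solvency: the vault must always hold at least as much ETH as it owes its depositors.
// The Prover checks this in the initial state and after every public method.
invariant solvency()
    sumOfBalances <= to_mathint(nativeBalances[currentContract]);

// Integrity of withdraw: the caller is debited exactly `amount`, nobody else is touched.
rule withdrawIntegrity(address other, uint256 amount) {
    env e;
    require other != e.msg.sender;

    mathint senderBefore = balanceOf(e.msg.sender);
    mathint otherBefore  = balanceOf(other);

    withdraw(e, amount);

    assert to_mathint(balanceOf(e.msg.sender)) == senderBefore - amount,
        "withdraw must debit the caller by exactly amount";
    assert to_mathint(balanceOf(other)) == otherBefore,
        "withdraw must not change any other account";
}

// Withdrawing more than you hold must revert (one direction only: other revert
// reasons, such as a failing ETH transfer, are allowed and not constrained here).
rule cannotOverdraw(uint256 amount) {
    env e;
    uint256 bal = balanceOf(e.msg.sender);

    withdraw@withrevert(e, amount);

    assert amount > bal => lastReverted,
        "withdraw of more than the balance must revert";
}

// Parametric rule over every public method f: an account's balance can only change
// when that account itself is the caller. Any admin backdoor or transfer-like path
// that moves someone else's funds shows up here as a counterexample.
rule onlyOwnerChangesBalance(method f, address user) {
    env e;
    calldataarg args;

    mathint before = balanceOf(user);
    f(e, args);
    mathint after  = balanceOf(user);

    assert before != after => e.msg.sender == user,
        "only the account owner can change its balance";
}
```

The rules deliberately state what the contract must guarantee rather than how it is implemented: if a reentrancy path in `withdraw` let an attacker drain more than their balance, `solvency` or `withdrawIntegrity` would fail with a call trace showing the offending sequence, which is exactly the kind of finding a formal verification contest rewards.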
Next Steps
The biggest audit and formal verification contest ever is starting September 4th and will run until September . With over $2.35 million up for grabs and $100k exclusively for formal verification, now is the time to dive into web3 security. Although it may seem overwhelming, previous first-time participants have had great success, and with this contest running for a month, it’s a great opportunity to learn and earn.
>> Register for the Uniswap contest <<
Further Reading and Other Resources
To understand DeFi and smart contracts, you can check out the Ethereum Foundation's introductory articles or the Solidity course by Cyfrin Updraft. For formal verification, check out the Certora Prover tutorials to get started. This information will be emailed to you once you register for the Uniswap contest above.
To participate in the Uniswap contest, you'll need an account with Cantina, the platform hosting this contest, and a wallet address. To set up a wallet, install the MetaMask Chrome extension, create a wallet, and write down the Secret Recovery Phrase (seed phrase) it shows you and store it offline: anyone who has that phrase controls the wallet, so never share it or enter it into a website. Registration only needs your public wallet address, never the phrase or a private key. For more detailed instructions, check out this article.
Certora will host a beginner workshop on September 2nd at 16:00 UTC, 2 days before the start of the contest. If you’d like to join, you can use this link:
https://lu.ma/7q1xbdnx?tk=8SgTFF