For Aspiring Auditors
Build skill by pairing exploit history, ecosystem-specific testing, audit reports, and repeatable review artifacts. The goal is not to collect tools. The goal is to reason from code and state to exploitability, impact, and remediation.
30 / 60 / 90-day path
| Window | What to do | Evidence to keep |
|---|---|---|
| 30 days | Read three public audit reports, reproduce two historical bugs, and set up Foundry plus one non-EVM test stack. | Notes, fork tests, traces, failing tests, fixed tests. |
| 60 days | Build a review notebook with assets, actors, invariants, trust assumptions, privileged roles, and known unknowns. | Threat model, invariant list, issue template, severity rubric. |
| 90 days | Review a small open-source protocol or toy scope and publish a responsible non-sensitive write-up. | Report excerpt, PoC tests, remediation notes, reviewer feedback. |
Must-read pages
- AI-era smart contract auditor
- Analysis methods
- Reports and vulnerability intelligence
- Solana testing and audit tooling
Checklists to use first
First 10 resources
- OWASP SCSVS
- OWASP SCSTG
- Solodit
- DeFiHackLabs
- OpenZeppelin EIP-4337 audit
- Solana Program Security course
- Mollusk
- Anchor LiteSVM
- Tenderly docs
- BlockSec Phalcon simulator
Common failure
New auditors often jump from tool output to a severity rating without proving the exploit path. Treat every tool result and AI suggestion as a hypothesis until a test, a trace, an invariant violation, or a source-level argument proves it; only then assign severity and write the finding.