Title: Down the Rabbit Hole: My Adventures as a Web3 Smart Contract Security Researcher

Billy McDavid
3 min readFeb 10, 2024

The world of web3 is a fascinating and exciting one, where decentralized applications (dApps) run on smart contracts that are executed by a network of nodes without intermediaries or central authorities. These dApps offer various benefits such as transparency, immutability, censorship-resistance, and user sovereignty. However, they also pose significant challenges and risks, especially in terms of security.

As a web3 smart contract security researcher, I have been exploring and investigating the vulnerabilities and attacks that threaten the integrity and functionality of these dApps, especially in the domain of decentralized finance (DeFi). DeFi is a fast-growing and innovative sector that aims to provide financial services such as lending, borrowing, trading, and investing, using blockchain technology and smart contracts. DeFi has the potential to democratize and revolutionize the financial system, but it also attracts malicious hackers who seek to exploit its loopholes and weaknesses.

My journey down the rabbit hole began when I stumbled upon a blog post that detailed how a hacker managed to drain $25 million worth of cryptocurrency from a DeFi protocol called dForce. The hacker exploited a flaw in the smart contract code that allowed him to manipulate the exchange rates of the tokens and withdraw more than he deposited. I was intrigued by how such a simple and clever attack could cause such a huge damage, and I decided to dig deeper into the technical details and the underlying mechanisms.

Since then, I have been hooked on learning and discovering more about the security aspects of web3 and DeFi. I have been reading articles, watching videos, listening to podcasts, and joining online communities that share my passion and curiosity. I have also been participating in bug bounty programs and hackathons, where I can test my skills and knowledge, and contribute to the improvement and innovation of the web3 ecosystem.

Through my research, I have encountered various types of vulnerabilities and attacks that affect web3 and DeFi, such as reentrancy, front-running, flash loans, oracle manipulation, economic exploits, and more. I have also learned about the best practices and tools that can help prevent and mitigate these issues, such as code audits, formal verification, testing frameworks, security standards, and monitoring services.

However, I have also realized that web3 and DeFi security is not a static or solved problem, but a dynamic and evolving one. As the technology and the industry advance and grow, new challenges and opportunities emerge, requiring constant vigilance and adaptation. Moreover, web3 and DeFi security is not only a technical or engineering problem, but also a social and economic one. It involves human factors such as trust, incentives, governance, and education, that shape the behavior and interaction of the users, developers, and stakeholders.

Therefore, as a web3 smart contract security researcher, I see myself not only as a hacker or a defender, but also as a learner and a teacher, an explorer and a guide, a critic and a supporter. I am doing my utmost to be a guardian of web3 and DeFi security, but I am also aware of my limitations and responsibilities. I am not here to save or destroy the web3 and DeFi world, but to understand and improve it, and to share and inspire others to do the same.