What Does It Mean To Be A Blockchain Security Researcher At Ulam Labs - Employee Story
April 29, 2022
What can go wrong in a decentralized world where everything looks secure and is highly automated? The problem often lies in… people. Those who build on blockchains and create smart contracts. Who therefore makes sure those applications work as expected?
Read our interview with Paweł Rejkowicz, our Blockchain Security Researcher.
Who is a Blockchain Security Researcher? What does this role imply and what are the key responsibilities?
Blockchain Security Researcher is a white-hat hacker who tries to find system vulnerabilities before the potential attackers do so. Those issues can be exploited to one’s benefit at the expense of users.
The main tasks of a Blockchain Security Researcher are: installing or browsing the application, then going through all possible paths and looking for ways to break something, steal it or block it. Finally, create a report that is presented to the client. It happens that the client does not believe that a given error or a threat happened. This is why it might come in handy to visualize a potential attack.
Sounds a bit like a tester job and bug finding. What is the difference between these positions?
The perfect tester report says that he has gone through all the functionalities and described everything that works. A Researcher only writes about things that don't work. So the perfect application test report is one in which nothing was found.
Such reports, however, are rare. The reason is obvious: there are always things that cannot be completely eliminated or are not connected to the creators and owners of the application. That's why it's hard for me to imagine such a report.
Another difference between a tester and a researcher is that the researcher has to find errors that do not result from the specification. He has to check even such paths that the developer or the user will not find under normal circumstances. The researcher has to keep in mind that the attacker can initiate those paths for e.g. by directly using scripts.
Do you contact the client on a daily basis?
I try to keep in touch with the client on a regular basis, but it is not always necessary. I do not present my findings separately. We meet with the client once a week, present everything I found in bulk, and the next day we usually discuss how to fix them.
In short projects, I often find threats first, and only report them at the end of the audit. Each such interaction raises questions and discussions from the client, which in a quick audit would only extend the process.
I usually talk to the lead developer on the project, but project managers or CEOs are also present at those meetings.
How did you choose this path for yourself? What were you doing previously?
I have always liked to perfect my software, which is very important in blockchain. A possible attack is irreversible and therefore this role is maybe even more crucial.
I specialize in C ++, but during my professional experience, as a hobby and during my studies, I have dealt with many different programming languages. Such versatility is a great asset, especially when I need to quickly enter a new technology that uses its own language or a language that I don't know yet.
The basis for this position is C / C++ or Rust knowledge, i.e. languages that require deep, low-level understanding of programming. It’s also hard to work efficiently without knowing other languages used to create smart contracts, such as JS or Python.
Blockchain Security Researcher is quite a niche position. What does the demand look like?
Every application based on blockchain undergoes an audit - and not only one audit, so this profession is very much needed. Depending on the company's funds, even several audits of one application are ordered from several companies that deal with it. For regular applications, this is not necessary, but when we talk about blockchain, not auditing can even be considered reckless. I imagine that the number of auditors will increase linearly with the number of developers on the blockchain, and this is growing day by day.
Who can become a Blockchain Security Researcher? What competences, skills or experience do you need to have?
A lot of people are moving towards the role of a Blockchain Security Researcher directly from the security industry. They are often developers related to software, e.g. for medical equipment or airplanes, i.e. software where security is crucial and where there is no room for errors.
The ability to quickly assimilate knowledge is required, because projects are written in different technologies, different frameworks. The ability to read the code with understanding is also crucial, because documentation is rarely available at the pre-publication stage of the audit. Usually it is only the code.
You also need analytical thinking to be able to associate attack categories with specific functionalities. Finally, you need to know the scripting language to simulate an attack.
This may sound like a very technical role, but you also need some soft skills - especially patience and sensitivity in communicating with the client. A researcher writes directly to the developer, but the management is watching, so you need to know how to communicate gently and correctly. We must remember that we are verifying a project that has been considered (almost) finished and which most frequently performs financial operations. These are quite delicate topics. Communication is key, because we need to remember that this client might come with another audit and hence we want to maintain a good business relationship.
What would you recommend to someone who wants to work in this position? What courses, materials?
At the beginning, I would recommend reading content, mainly on Medium.com, where auditing companies write blog posts like "10 most common mistakes made by a blockchain developer". Such articles, despite their clickbait titles, have a lot of truth in them and, contrary to appearances, are not for everyone. You have to be knowledgeable to understand them. After reading a few articles, we already have a basic idea of where to start.
The second source is blockchain documentation. In that type of documentation, we find described functionalities or frames with exclamation marks and warnings like "Be aware of that!!" - and this is something interesting for a security researcher.
The last way to learn is through the source codes and questioning the security features described in the code. This is my favorite source. While browsing the code of these programs on blockchain, we find various assertions (errors reporting under a certain condition). This learning method enables me to think: what can I do to provoke this error and how could I possibly fix it?
What earnings can Blockchain Security Researcher count on?
By working with a company that offers audit services, such as Ulam Labs, we can count on a remuneration of: 20,000 - 40,000 PLN net per month. An attractive addition is the so-called "Bug bounty".A researcher can get paid for finding bugs in a program that is already in use.
What was the most expensive mistake you found?
It was a stock market with a serious error valued at $ 250 million.
Do you find bugs in every application?
Yes, the problem is that most often companies forget to make the blockchain application as simple and easy to verify as possible. It is probably the main reason why we hear about burglaries every now and then.
How to prepare for the recruitment process for this role? What were the questions you had to answer during your interview?
One of the basic questions is "how do you understand the security of an application?". There was also a question on how I find security problems. I was also supposed to read the smart contract code, analyze it and say if there are any bugs or dangerous structures in it.
It is worth noting that you do not need to immediately experience such serious problems as breaking into the system. In fact, any unexpected error that may occur in a working environment can endanger security.
Is the blockchain industry a future-oriented industry?
In my opinion, it is a very promising path for developers. Current technologies may be outdated in a few years. Personally I can imagine that soon legal documentation or contracts will be digitalized.
I think that blockchain solves the popular problem of distrust in the digital (and not only digital) world and therefore it is a very future-proof solution. More and more industries are moving into the virtual world, new applications are being created on the blockchain, and when applications are created, the demand for developers and security researchers will also not diminish.