From petroleum engineering to app development, and now Web3 security, Windhustler’s journey is anything but typical. Welcome to a fresh edition of "Coffee with Calyptus," where we sit down with Windhustler, a former Petroleum Engineer turned Web3 security expert. In this interview, he shares the challenges and breakthroughs in DeFi security, discusses the importance of rigorous smart contract practices, and highlights the crucial balance between in-house and external audits.
What inspired you to join the Web3 space, and what specifically drew you to focus on Web3 security?
I graduated with a Master’s Degree in Petroleum Engineering in 2015. After spending a few years working as a Petroleum Engineer, I taught myself how to code. In 2018, I left the Oil & Gas industry and became a full-time software developer.
Since then, I’ve been soul-searching. I’ve tried:
- Building Android apps
- Working as an enterprise-level Java/Kotlin backend developer
- Working as a full-stack developer
All of these fields are very mature, with little innovation going on, and they didn’t bring much excitement to my professional life.
I entered the web3 space in 2021, started to code in Solidity, and immediately got hooked.
It’s a very lightweight programming language - no frameworks, no libraries - what you write you need to understand in-depth. Completely different from your typical web2 project where you need to ship tons of code.
Last year, seeing the freelance auditing market gaining traction, I decided to take a leap into web3 security. The number of opportunities - bug bounties, private/competitive audits, consulting work - made me never look back, and I’m very optimistic about the future of this field.
Do you believe the industry has learned valuable lessons to minimize the occurrence of DeFi hacks, or are we still repeating the same mistakes?
I believe there has been significant progress in how protocols address security concerns. Tools and practices have advanced considerably, and there is a greater awareness of common vulnerabilities, such as reentrancy and oracle manipulation. However, the field is still relatively young. We are likely 5-10 years away from developing robust frameworks and procedures for consistently building secure smart contracts.
A crucial, often overlooked aspect is the mindset shift needed within the community. Smart contracts should be built with the same rigour as mission-critical software, similar to the standards used in aviation systems.
In your opinion, should projects rely solely on in-house security researchers for auditing their smart contracts, or is it crucial to always engage external auditors? What are the benefits and potential drawbacks of each approach?
Security is an ongoing process that benefits from the involvement of multiple parties. Projects should have both in-house security researchers and external auditors. External audits are crucial as they provide an independent verification of your code, which builds trust with users and adds an extra layer of scrutiny. They offer users confidence that their funds are safe and that the code has been thoroughly examined.
The question most projects have is what the most cost-effective way to launch their products safely is. External audits can be very expensive, so it’s crucial to time them properly. The primary role of the in-house researcher is to guide the development process: identify core architectural issues early and set the stage for the external audit, where only a handful of bugs are discovered and fixing them doesn’t require major code changes.
On the other hand, teams without in-house security experts might conduct external audits too early, leading to multiple audit rounds and continuous code refactoring, which can be inefficient and costly.
What is a common mistake you see new projects make when it comes to smart contract security, and what would be your advice to help them avoid these pitfalls?
New projects often make these three mistakes:
- Relying solely on outsourcing security: Some projects try to outsource all their security needs and don’t invest in in-house researchers. It's important to have internal experts who understand the code and can spot issues early, stay up to date with the latest hacks and exploits, and guide your development process.
- Neglecting comprehensive testing: Many developers focus only on basic unit and integration tests while overlooking advanced testing methods like fuzzing and invariant testing. No amount of audits can replace a comprehensive testing suite.
- Choosing external auditors based on brand rather than competence: Projects sometimes engage auditing firms based on their brand rather than their actual expertise. Lately, we have seen a huge rise in solo/freelance auditing services, which cut out the middleman, are cost-effective, and can provide greater value compared to traditional firms.