Issue 75 - Surgery to Solidity Featuring Osman Özdemir, Blockchain Security Researcher at Guardian Audits

Author: Nishant Singh
November 10, 2024

What could drive a surgeon to trade the operating room for blockchain security?    

In this edition of Coffee with Calyptus, we sit down with Osman Özdemir, a blockchain security researcher at Guardian Audits whose journey from urological surgery to smart contract auditing is as inspiring as it is unconventional. Osman shares what drew him from the healthcare frontline to the forefront of Web3 security, the challenges he faced transitioning to tech from a medical background, and the principles that guide his approach to secure blockchain architecture.


     Your career transition from a urological surgeon to a cyclist courier and eventually to a smart contract security researcher is fascinating. What motivated these drastic changes, and how did your previous experiences influence your current work in blockchain security?    

     There are two parts to the story: deciding to quit medicine for good and choosing what to do next. Although I enjoyed being a surgeon, I had already started questioning whether this was the path I wanted to continue, particularly during the final years of my surgical training. Then, the pandemic struck. The first wave of the pandemic made me realize just how hard I had been working all those years and how underappreciated I was. After that, I continued working for one more year during the subsequent waves, but I knew I wouldn’t work in healthcare anymore. So, I quit and started over.

     After quitting medicine, I needed a physical job. No responsibility, no mental load, just pure physical work. You could call it a rebound job! I started working as a bicycle courier, but I knew it was only temporary. I had already been a crypto user for some time and had an interest in blockchain. Even when I was a doctor, I followed crypto hacks and was curious about them. So, why not make it my new career? I spent my mornings learning new skills for my future job and my evenings delivering food. A few years later, voilà! I started working full-time as a blockchain security researcher.    


     Web3 and blockchain auditing require a unique skill set. What were the most challenging skills or concepts to master as you shifted from a non-tech background to becoming a smart contract auditor, and how did you approach these challenges?    

     For someone who knew nothing beyond the human body, everything related to computers felt daunting at first. Understanding blockchain architecture as a complete novice was particularly challenging. But anything that can be learned can be learned—it might just take more time, and that’s okay.    

     However, there are different challenges for people like me: behavioral ones. Not jumping from tutorial to tutorial is a challenge. Avoiding FOMO is a challenge. Not losing hope is a challenge. The key is not to rush and to remain consistent. There are no shortcuts. Accepting that it will be a long journey, staying patient, and putting in the hard work is the only way forward.    


     How do you handle the uncertainty and pressure in competitive environments, especially in high-stakes security audits?

     I enjoy competition and don’t feel pressured by it at all, but I don’t like uncertainty. What I particularly dislike is the escalation phase of an audit competition. It can be distracting, annoying, and sometimes even frustrating. This is one of the many reasons I chose to work full-time at an audit company and move away from public competitions. Not having to debate with random people online to defend a finding and instead focusing solely on the work itself is far more productive for me.    


     From your perspective, what are some of the common misconceptions or over-promises in the Web3 security space? How do you navigate through the noise to focus on delivering real value to the projects you work on?    

     Whether I like it or not, there is a marketing side to the business, and people often over-promise to attract more clients. For example, last year saw the “solo auditor” trend, and social media feeds were filled with “DM for audit” posts. I couldn’t believe how someone could be so confident in offering solo audits after just three months of contest experience. Perhaps this happened because the sector is still in its infancy, or maybe it feels wrong to me due to my medical background. In medicine, the first rule is “Primum non nocere,” which means “First, do no harm.” I still apply this principle to my current work, and from my perspective, providing a security audit without the relevant experience can cause more harm than good by giving a false sense of security.

     I’m glad that solo auditing is now in decline and that team audits have become more popular. Instead of navigating through the noise, I prefer not to hear it at all. I don’t use social media as much as I did before, especially after starting to work full-time. I avoid engaging with marketing posts and only read content from specific accounts that truly provide value. To stay up-to-date, I follow Web3 security newsletters. Essentially, I just keep my head down and focus on the work.    


     Working with platforms like Code4rena, Sherlock Defi, and now Guardian Audits, what have been the most important lessons you've learned in terms of best practices for ensuring smart contract security and preventing vulnerabilities?    

     Simplicity in the codebase is key to ensuring smart contract security. The more complex a codebase becomes, the more potential there is for vulnerabilities to be introduced. Complex logic and intricate interactions can obscure security flaws, making them harder to detect and mitigate. Keeping the code straightforward and streamlined helps auditors analyze it more effectively and reduces the chance of hidden bugs slipping through the cracks.    

     Additionally, having more features that will rarely be used can introduce significant risks. Even if these features appear harmless or add some perceived value, they can become sources of critical bugs that may go unnoticed. It’s crucial to evaluate whether each feature is truly essential and justifies its potential security trade-offs. By prioritizing simplicity and focusing on core functionality, developers can better ensure their smart contracts remain secure and resilient against vulnerabilities.