Web3 Leader Spotlight: Tigran Piliposyan
This week, we had the pleasure of engaging in conversation with Tigran Piliposyan, PhD, Security Researcher at Hexens, a leading Web3 cybersecurity provider safeguarding assets worth over $55 billion.
Tigran holds a PhD in Mathematics and boasts a decade of experience in portfolio management and financial risk management at the Central Bank of Armenia. He utilizes his advanced understanding of mathematics and finance to lead innovation in cybersecurity, specializing as a smart contract auditor and blockchain security researcher.
Feel free to follow him on Twitter and explore his contributions on GitHub.
What attracted you to make the transition from TradFi Risk Management to Web3 Security, and how did you find the adjustment process?
Yeah, it's a long and interesting story, but to keep it short, I'll say that what primarily attracted me was the realization that in this space, hard work pays off, and there's no upper limit to earning and learning, unlike in TradFi. At that point in my career, after ten years, making the decision to start anew from ground zero was quite difficult. However, fueled by my eagerness to learn and grow, I decided to take the leap. Perhaps one might wonder why I chose to change careers. I'd say it's disheartening when someone in their late twenties stops learning new things.
I found myself mostly engaged in managerial tasks, rather than actively learning in this rapidly evolving world. So, I opted to explore a field where learning is incessant—where you can absorb as much knowledge as you can stay awake for! It took me eight months of relentless day-and-night learning alongside my full-time job at the central bank.
Looking back now, I realize it was the best career decision I've ever made.
Additionally, why did I choose security? It's simple. Working as a risk manager, you learn not to trust anything. So, in security, it's the same.
What is your typical day-to-day as a Security Researcher?
I would say it's a real adventure every day. I start by planning tasks for the next day, but upon waking up, I often find that there's a new attack vector, hack, or article that needs analysis. Nevertheless, there are some things I do almost every day. Firstly, I head to our Hexens office, usually being the first person to arrive that early, to be honest. I always have a lot of articles to read and absorb for personal growth. So during my early mornings I read one or two articles, mainly about bug write-ups. Additionally, I engage in Brazilian Jiu-Jitsu four to five times a week, which not only keeps me healthy but also motivated. I often find parallels between martial arts and my work, most of which I share on my Twitter.
After returning to the office, I began reviewing smart contracts. We almost always have 2-3 scopes in parallel, so I audit as much as I can. I continue reading during the audits, focusing on articles related to the current scope. Currently, I'm also working as a triager at Remedy. Throughout the day, I triage the bugs reported on Remedy, adding to my learning experience. I can confidently say that I'm learning new things every single day, which makes me happy. In the evenings, I spend time with my family, resting and preparing for another day filled with exciting opportunities.
What emerging threats have you observed in Web3 recently, and what are the most proactive measures a web3 builder can take to create safe smart contracts?
Yeah, there's not much to add here, but I strongly believe that security should be a top priority in this space. I've noticed cases where projects disregard security, even when whitehats identify vulnerabilities and try to reach out to them. Some projects have even labeled these individuals as scammers, only to fix the bug after public pressure. There have been numerous instances where projects launch without proper audits, only to suffer security breaches on their very first day.
In my opinion, projects should prioritize audits, allocating as much budget as possible for them. Even if the budget is limited to hire companies, there are independent auditors available who can provide assistance. Personally, I'm willing to offer my help to projects to ensure their safety. In my view, projects should undergo multiple audits, public audit contests, and implement bug bounty programs upon going live. By doing so, they can engage the community in identifying and fixing vulnerabilities. By the way, in Remedy it's absolutely free.
For individuals aspiring to enter the field of smart contract auditing, what advice would you offer them?
I might be posting motivational content every day, but one thing I emphasize repeatedly is that many individuals entering this field expect quick success. When they don't achieve it, they often leave the space. Everyone has their unique journey, strengths, and path to success. My advice would be not to rush things, not to give up easily, and not to compare oneself to others in the field. The only person you need to compete with and defeat on a daily basis is yourself. So, make it a habit to learn new things every single day. This is what I believe in and what has worked for me.