The Evolution of Web3 Security. An Interview with Mario Poneder. Founder @ Decentra Vision

Author: Daniel Goodluck
September 1, 2024

Web3 Leader Spotlight: Mario Poneder

This week, we had the privilege of speaking with Mario Poneder, Founder and Smart Contract Security Researcher at Decentra Vision - On-chain Security.

Mario, with a background in industrial automation and GPU-accelerated parallel computing, holds a master’s degree in engineering physics and has experience performing particle physics simulations for dark matter research. His curiosity for Web3 and DeFi sparked a passion for smart contract auditing, and he is now dedicated to making the Web3 space safer and driving its adoption.

Follow him on X @MarioPoneder.

What inspired your transition from traditional software engineering to the Web3 space, and what specifically drew you to Web3 security?

In parallel with my traditional engineering career, I had been following the blockchain ecosystem for years, initially from an investment perspective. However, when confronted with safety-critical applications and hardware-in-the-loop testing, I rediscovered my passion for pushing things to their absolute limits, finding edge cases, and eventually uncovering bugs. I was also always interested in new technologies, striving to avoid becoming stuck in my career path.

Finally, I decided to give in to my curiosity about Web3 and DeFi applications. A few months into this new journey, I discovered Immunefi and later Code4rena, which marked the beginning of my Web3 security career. At this point, there was no turning back.

Since you first entered the Web3 space, how have you seen Web3 security evolve, and what emerging trends or innovations in the field excite you the most?

When I first got involved with Web3 security, traditional audit firms and solo auditors dominated the space, while decentralized audit platforms like Code4rena and Sherlock were still emerging. Over time, more contest platforms have risen, and they are thriving, handling record-breaking numbers of parallel audit competitions.

Moreover, there has been a clear shift from solo audits to team engagements. Overall, these changes have brought more eyes from diverse technical backgrounds to codebases, leading to higher coverage and a much better overall state of Web3 security, which is a net positive for the entire blockchain ecosystem.

Furthermore, I've been following innovations like vulnerability detector bots, on-chain monitoring to front-run exploits, smart contract fuzzing, and formal verification. Each tackles smart contract security from a different angle, offering valuable additions to manual review procedures.

As a Code4rena judge, do you see emerging talents that give you confidence for the future? What qualities or skills are essential to succeed in this field?

In short, yes. When judging a contest's findings, you can typically anticipate who will be hyped on X a few months down the road. Usually, report quality, PoCs, choice of words, and the ratio of invalid submissions are clear indicators, and I continuously see new researchers who excel in these criteria, which strengthens my confidence in the future of Web3.

Furthermore, people like these are often very calm, precise, and mindful of their own and the judge's time when it comes to discussing findings at the end of a contest. They understand that the greatest return lies in moving forward to the next contest or engagement rather than engaging in ongoing discussions about past findings.

In the end, your background does not matter; it all boils down to being persistent and consistently nurturing your interest in Web3 security. All other qualities or skills required to succeed in this space are inevitable byproducts of this mindset.

What are common mistakes you see new projects make when it comes to smart contract security?

Fortunately, any project team I work with has already decided to avoid the worst and still common mistake of neglecting smart contract security altogether.

When undergoing an audit, being overly protective of your codebase and design decisions is often a major roadblock to adopting security recommendations from researchers. This can backfire in the long term. Similarly, the absence of an overall security strategy—which can involve multiple stages of audits, a bug bounty program, and on-chain monitoring once live—increases the risk of suffering a detrimental exploit later. Additionally, making unreviewed changes and additions before deployment is another common no-go.

Finally, every centralized aspect of a protocol's smart contracts is directly coupled with off-chain risks. Neglecting traditional Web2 security has led to major security incidents.