Not so awesome Web3 Security Researcher roadmap by tpiliposian

Not so awesome Web3 Security Researcher roadmap

Of course, this is not awesome. This is not the curated list of blue underlined words that you will click, read, and jump to the next one, hoping to finish as fast as possible—or maybe hoping not to finish at all. You are going to become a security RESEARCHER. Yeah, RESEARCHER. No one is going to find vulnerabilities for you or point out the functions where they are hiding. You are going to have to dig, research, and find them yourself. So the path to becoming a security researcher? It’s all about research.

If you really want to become a Web3 Security Researcher, let’s set this straight from the start: there are no deadlines. If you are thinking “2 months, 6 months, 1 year, 10 years” to become a researcher, forget those timelines. Relax. The only rule is to never waste a single day without learning something new. And yes, read this to the end!

Tigran Piliposyan

Introduction

Alright, before we get too deep into this, let me introduce myself. I am Tigran Piliposyan (@tpiliposian), a Security Researcher at Hexens for over a year now. I’m not here to pretend I’m some all-knowing security wizard sitting and cracking smart contracts left and right. No, I’m just someone who started from ABSOLUTE zero at age 29, leaving my previous workplace, with a family and two daughters to care for, and starting something completely new. I didn’t even know that there was a Web2, and now suddenly it’s Web3, or what blockchain even was! I didn’t know any programming languages either. (A bit more about that story here).

I learned everything I could find. I went through all the roadmaps, consumed every piece of content available, and to be honest, it was kind of funny. It felt like the true start of a researcher’s journey, which I guess is the right way to begin. But once I actually started working, looking back, I realized I had wasted a lot of time simply because I didn’t know what to read or listen to first, what should come before or after. If someone had just sat down with me and told me step by step what to research, it would have been amazing.

Yes, the Hexens team helped me, but they couldn’t sit with me all day long. Plus, I was still working at the Central Bank, so I had to juggle this in parallel. It’s been a grind. And I always had this idea to write a roadmap, but I didn’t want it to be just another batch of links. Instead, I decided to write it in a way that feels like someone is sitting with you, guiding you on your journey to becoming a security researcher. But if you still prefer the traditional style—I’ve collected a few solid roadmaps in the Traditional Roadmaps section.

And if you’re reading this, I’m guessing you’re ready for the same kind of grind—minus a few bumps and bruises because, hey, I’ve made enough mistakes for both of us.

X

Let’s start with the easiest part: X (or Twitter, as many of us still call it). You might think Twitter is just for memes and celebrity drama, but for the Web3 security world, it’s the place to be. No, seriously—pretty much the entire Web3 security community lives on Twitter. It’s like a continuous stream of information, with people sharing everything from vulnerabilities to in-depth analyses and the latest research. To be honest, it’s not just for security researchers—developers or anyone who wants to be a top professional should stay tuned to updates, new technologies, and any breaking news.

The cool thing about this space is that everyone’s out there posting content. You’ll find security researchers sharing their knowledge, bug bounty hunters celebrating their discoveries, and protocols announcing bounty programs for anyone to find bugs in their smart contracts. And it’s all happening in real-time. Twitter is where you’ll get the fastest updates on new exploits, bug disclosures, and hacks, often before they even hit the news.

At first, I didn’t even have an account. When I first met with Hexens' CEO, @Hexen1337, he advised me to create one, and it quickly became a key tool for learning and growing. I followed accounts of security experts, read through long tweet threads dissecting the latest exploits, and stayed up to date with everything happening in the industry. I remember the first accounts I followed were @officer_cia, @RealJohnnyTime and @PatrickAlphaC.

So, if you’re serious about becoming a Web3 security researcher, do yourself a favor: get on Twitter, follow the right people, and dive into the flow. After reading this, you can even post about it, give your feedback, or mention me—it would be a pleasure! You can also post throughout your journey. I know people who are now very famous, and they started by sharing every step of their journey.

EVM and Solidity

Alright, by now, I assume you’ve set up your Twitter account, found some cool profiles to follow, and have started diving into Web3 security. You’ve probably noticed how amazing the community is—everyone’s sharing what they’ve learned, posting insights, and spreading knowledge everywhere.

But now it’s time to start learning seriously. At first, I thought about splitting this into separate chapters: one for the Ethereum Virtual Machine (EVM) and another for Solidity. But then I realized that might get a bit dry. Plus, it’s much more effective to learn the theory while practicing at the same time. So, I decided to combine them into one chapter. Trust me, learning these in parallel will be more engaging and practical.

Maybe when you go to your first interview, the first questions you’ll face will be like, “What types of accounts are there in Ethereum?” or “Who is tx.origin, and who is msg.sender?”—stuff like that. A great way to learn all this is through the book Mastering Ethereum. It covers all the basics. If you’re completely new to blockchain, I recommend starting with some articles or videos to get the basic concepts of blockchain. Once you have that, dive into the Ethereum book. At the same time, I started working through CryptoZombies for learning Solidity. It’s a fun way to get hands-on with the programming language, starting from absolute zero. Another great resource is Patrick Collins on YouTube. You can find everything you need to start there, and more. Use it to learn Solidity now, and remember his channel for later. I also wanted to mention Cyfrin Updraft and Secureum Bootcamp, which I haven’t done myself, but I’ve seen a lot of people find success with them, so they’re definitely worth looking into.

Now, let's pin down some ideas here—not just for this chapter, but for the rest of your learning journey (and maybe for life in general. Yeah, I used to laugh at philosophy when I was a student, but now I catch myself doing it sometimes, lol). If you’re learning something, make sure you understand it deeply. It might feel like a waste of time now, but it’ll save you from having to go back later and relearn what you skipped; you probably won’t have the time or even the desire to go back and fix it. And when you leave gaps like that, they turn into weaknesses.

Lastly, what I’m suggesting here isn’t the one and only way to do it. Everyone learns differently, so explore other resources too. But you don’t need to rush. Focus on understanding the basics first.

JUST DO NOT GET STUCK AT THIS STEP. When I was going through this, I collected millions of articles, thinking I needed to read everything right away. Believe me, you’ll read them all one day, maybe... focus on what’s in front of you right now.

DeFi

Ah, this is my favorite part, as I worked for over 10 years in traditional finance. It was my strength when I first started, as I didn’t have a technical background.

Just make sure you’re comfortable with everything up to this point and feel good about your Solidity skills. If not, don’t rush, but also don’t get stuck: cover what’s needed, and let's understand finance a bit.

Before we dive into the security side of things, it’s important to understand DeFi. You’ve probably heard terms like “liquidity pools” or “flash loans.” These are concepts in DeFi, and having a solid grasp of them is essential. I’d recommend starting with the biggest platforms like Uniswap, Aave, and Compound to see how they operate. A lot of great resources can be found on the Whiteboard Crypto YouTube channel. I learned a ton from them—it’s super easy to understand, and in my opinion, it’s all you need at this stage. Go start with their What is DeFi? video and just keep researching. There’s also Finematics, though I personally preferred Whiteboard Crypto when I was learning.

Don’t spend too long on this part either, because I strongly believe that the best way to learn deeply is during your audits. For now, you just need a big-picture understanding of everything.

Remember this book about AMMs. It's gold. It may be a bit hard right now, but it’s a must-read: Automated Market Makers: A Practical Guide to Decentralized Exchanges and Cryptocurrency Trading.

X2 or Blogs

Yeah, back to Twitter again. If you’ve already found and started following some good blogs, that’s great. But if not, I want to make sure you know about a few that I personally read and have learned a lot from (and still do):

If you’re more into listening, here’s a list of podcasts worth checking out:

CTFs

Honestly, there’s not too much to say here. Some people absolutely love CTFs, I felt, especially those coming from Web2 security. Personally, I’m not a huge CTF guy, but I did go through Ethernaut and Damn Vulnerable DeFi when I was starting, and it was pretty fun. So if you’re into challenges, give them a try. They’re a great way to get hands-on experience. But the most important part comes in the next chapter.

Contests and Bug Bounties

Woah, we've made it to the most important part. Here’s where things get real. Up until now, all you needed was a solid grasp of the basics. But this is where deep learning starts.

There’s Solodit, a fantastic resource filled with millions of bug reports. It’s a great way to learn, but the best strategy isn’t just reading bug descriptions without context (especially for high or critical ones).

Here’s an ideal approach: take a scope from one of the contest platforms (I’ll list them below), try your own audit, and then review all the findings you missed. Understand them, and repeat. This is the phase for truly in-depth learning. For example, if you’re working on a liquid staking or governance project, dive into every article you can find to understand those systems inside and out—that’s how you’ll grow as a security researcher. But make sure you not only understand what you missed, but also why you missed it, and work on that constantly.

Here are the top contest platforms:

There are also bug bounty platforms where you can hunt for bugs in live contracts, like Immunefi and Remedy. By the way, I’ve collected 2023-2024 Immunefi critical bug fixes, which could be useful learning material, too!

I could go on about these infinitely, but I think you’re already getting the idea.

Continuous Learning

In this space, things are moving so fast that keeping up means committing to continuous learning. Competition’s only getting tougher. What I mean is, maybe you’ve read about the EVM and feel like you get how it works—but if you really want to know, go and read the code. Yes, that means learning some Go first so you can dive into the details, but that’s the way. Same goes for math and computer science; you’ll want to sharpen those skills over time too. Never sit back thinking you know it all—staying competitive means pushing your growth at least as fast as the field itself. Keep reading, keep experimenting, and surround yourself with others who are just as passionate.

Closing Remarks

I hope this guide has given you a solid starting point. My own journey has been a blend of trial and error, hands-on learning, and a lot of curiosity. If there’s one thing I want you to take away, it’s this: stay curious, stay persistent, and don’t be afraid to ask questions. Consistency is key—yes, there will be good days and bad days. Don’t set rigid deadlines for “success.” Everyone’s journey is unique, so just aim to be a bit better than you were yesterday.

As you’ve probably noticed, I’ve shared less detail toward the end—that’s because I believe you’re already starting to understand all this, maybe even better than I. I believe in you. Keep going.

Traditional Roadmaps

  1. OffcierCia/DeFi-Developer-Road-Map
  2. razzorsec/AuditorsRoadmap
  3. Anugrahsr/Awesome-web3-Security
  4. saeidshirazi/Awesome-Smart-Contract-Security
  5. Quillhash/QuillAudit_Auditor_Roadmap