From Developer to Smart Contract Auditor

Hi Carlos! Could you tell us a bit about yourself and your current role as a smart contract security auditor at Sigma Prime?

I’m just doing what I was doing before, but now I’m getting paid well :D

I could explain my job with lots of complex, fancy words if I wanted to, but basically, my job is to read code and think about whether it's doing something unexpected.

The fancy way: I review and test distributed software systems to assess their use case reliability and sustainability, in order to provide protection against exploitation risks by malicious counterparties or accidental actions.

Cutting the fanciness — as of today, most of the cybersecurity work in Smart Contracts is just reading code and thinking creatively about what could go wrong.

  • Which input could I use to get more money than I should?
  • How can I interact with the network to take advantage of the public data blockchains have?
  • What happens if I call this function first and then another one?

In general, I mentally fuzz test the code and debug it. We also write some tests, and if the bug isn’t “too obvious,” we code Proof of Concepts (PoCs) to showcase the issues.

Furthermore, in between audits, I have some “free time” which you’re supposed to use to learn new technologies, attack vectors, etc.

Outside of that free time, I’d say the work distribution looks like this (though it varies from review to review):

  • 5% writing tests and PoCs
  • 10% writing up the issues
  • 75% reading code and thinking

How did you get into smart contract auditing?

I was already into blockchain development for a year, and two years into software in general. I dropped out of Uni in my second year because Spanish university is — allow me the intensity of the phrasing — inefficient as f*ck. So I started learning faster and better with free resources online.

It just happened that one of the guys I followed because of the quality of his teachings (Patrick Collins) launched CodeHawks, his company’s competitive audits platform.

And I was like, wait a minute… I can get paid for reading code? Omg — no more hours and afternoons debugging and testing the same code, and I even get to see different code every 3 weeks?? (intellectually stimulating). No way, I gotta check this out.

So I started participating in CodeHawks, and then checked out other competitive platforms like Code4rena, Sherlock, and Cantina. I built my skills and CV and then started applying to some companies. Sigma Prime accepted me the fastest — and here I am now.

For those unfamiliar with what competitive auditing is:

  • A company puts X$ as rewards for people who find bugs.
  • They give you a time constraint — 1 week, 3 days, 1 month…
  • If someone finds and submits a valid bug, the money gets distributed among those people.
  • It’s like a traditional bug bounty program but with a time constraint and gamified to attract more people, since the X$ is usually given for sure, no matter how many bugs or how severe they are.

What advice would you give to an aspiring smart contract auditor?

  • IT IS HARD. Don’t fall for the marketing strategies of these companies showing you big numbers. A super, super small percentage of people actually make that kind of money. You can read more about the numbers in a short article I wrote (available via Google Drive or download below).
  • It takes time. There are people who make it in 6 months — but that is not the norm. Most people take years of constant practice (like I did). The marketing was toxic for me and many others. I felt like a loser, like I couldn't do this. But yes, you can. That same marketing affected even one of my teammates — who now is also making good money at another company.
  • Keep pushing. Consistent effort is most likely what you’ll need. Some of you reading this might be those geniuses who find stuff super quick — congrats to you, can we swap brains please? xd. But still, we can all reach expert levels with practice.
  • This is a skill, not a gift.

As for learning resources — Owen Thurm’s advanced auditing tutorials and Cyfrin Updraft (Co-founded by Patrick Collins) are the best out there right now.

This question (and getting asked for advice so often) made me realize I should just make a tweet thread for beginners — a hub with all the advice posts I’ve made.

What auditing tools do you recommend? Have you utilized AI at all in your role?

I’m a ChatGPT basic guy — I pay 25€/month for it and that’s enough for now.

Finding issues with AI? Not valuable ones in contests. Everyone will find what AI finds. In private audits, automated tools and bots (like AST analyzers — not really AI) are useful though.

Some automated tools — not AI, but useful: Slither, Aderyn, etc. Check out my friend Deivito’s auditor toolbox. It’s a Docker container packed with useful Web3 auditing tools.

AI is currently useful for:

  • Searching for and digesting info
  • Improving the write-ups of audit reports

AI is NOT useful for:

  • Reasoning on top of smart contracts — it's horrible at that, at least for now.

I’ve been trying Claude too — and in my experience, it reasons better than GPT when it comes to code logic. But still, I don’t think it’s worth paying for both, so I’ve stuck with GPT for now.

I’ll probably explore this more when I get some research/free time at work — which is amazing to say. I get paid to learn, be curious, and keep leveling up my knowledge. I truly feel like I’m dreaming. xd

How has being active in the blockchain community impacted both your personal and professional life?

Allow me again the intense wording: it’s been crazy good — the impact this community has had on both my personal and professional life.

Before all this, I felt alone. Now I don’t. I’ve found people who are curious like me, people who question things, who seek to thrive — not just in coding or cybersecurity, but in life.

This industry is full of passionate, curious people who genuinely want to improve the world. To some extent, we share values that are hard to find all together in one person nowadays — drive, curiosity, freedom, community, creation.

It’s given me balance and responsibility. I can’t just party three times a week like I did back at uni xd. But now I’ve got money, freedom, wisdom… and all just from doing something that comes naturally to me: asking questions. This time, about software and code.

I’ve been lucky, yeah — but also, I went for it. I chased it with restless, consistent effort. People say success is where luck meets hard work — and yeah, I think that’s true. I’ve lived that.

Honestly, the impact has been the same on both sides — personal and professional. I found something that matches my attitude toward life and where my natural skills actually fit. That alignment has changed everything. I'm now happier and less stressed than I’ve ever been, this kinda vibe: https://i.kym-cdn.com/entries/icons/original/000/038/426/unboth.jpg

Outside of work, what hobbies or interests help you unwind and maintain a healthy work-life balance?

  • Dancing
  • Hanging out with friends — just talking or doing some activity like ping pong, pool, laser tag, whatever we come up with
  • Parties — especially if I can dance xd
  • Training calisthenics and flexibility outdoors in parks — sometimes I climb a tree too xd

Lastly, where can people connect with you or follow your work online?

My X account is more focused on the security side: @carlos_alegre.

Though sometimes I talk about my philosophy and life project: "Cheerfulism".

Summed up, it’s a philosophy that granted me success — and I think it can help people build utopian societies. Ambitious as f*ck — that’s why it’s a life project xd

Feel free to hit me up on X. I don’t have much time, so maybe all I can do is redirect you to the hub tweet I mentioned above. But hey, maybe I’m a bit more free and can answer more than expected — like in life, go for it.

Good luck to all readers — and if you’re just starting, even more luck to you! Have a nice day. :D
Wrapping Up

Thanks for reading! We are always looking to improve the platform and love receiving feedback from readers. Feel free to send a message on LinkedIn or Twitter.

We sell mugs and comfy clothing guaranteed to please your inner hacker. Check it out at https://shop.jasonturley.xyz/