Interview with Nonseodion
November 13, 2024
For our featured auditor this week, we have the privilege of Nonseodion joining us. He is currently ranked #15 auditor for 2024 and #97 all time on Code4rena. Nonseodion also placed 2nd in our DittoETH audit contest back in April.
1. Thank you for joining us! To start, could you introduce yourself and share your journey into the auditing space in Web3 and Ethereum? What space did you come from and what got you here?
Hi, my name is Ifebhor Odion Nonse. I am an independent Security Researcher and I've been auditing smart contracts on Ethereum for a little over a year now.
I started out as a blockchain developer in 2021 and I've worked in the Web3 space since then. I decided to go into Smart contract auditing after I was convinced by a friend around June/July of 2023. Since then I've audited protocols across different platforms like Code4rena, Cantina and Codehawks.
I haven't audited traditional applications. I started out as a smart contract auditor and I've faced quite a few challenges.
2. In your experience, what are the most common mistakes developers make when writing smart contracts that lead to security vulnerabilities?
First is inadequate tests. Some developers do not write adequate tests for their code, while some do not write tests at all. Writing tests allows a developer to catch low-hanging bugs, and this saves security auditors a lot of time since they won't need to focus on these.
I also find that unfamiliarity with common bugs is another. Some developers are unfamiliar with common security vulnerabilities like precision loss and reentrancy, or do not possess sufficient knowledge to prevent them. This inadvertently allows for the introduction of bugs into their code. This is why smart contract developers should also be invested in security research.
3. With the rapid development of new protocols, how do you stay updated on the latest security practices and vulnerabilities?
I stay up to date with Twitter and some newsletters that I subscribe to. News of hacks and new vulnerability patterns is always published somewhere on Twitter. I am not as active, but anytime I go there, there's always something new coming up. I follow a lot of security people, so it always ends up in my feed. For the newsletters, I am subscribed to DefiHackLabs, Chainlight, Olympix and Web3SecNews. I have got some others too. I also listen to podcasts like Scraping Bits and Bankless.
4. Are there any particular books that have significantly influenced your thinking or approach to your work?
The only book I have on auditing and I am still reading is "Automated Market Makers" by Miguel Ottina and co. It's more of a DeFi book but it dives into AMMs like Uniswap V3. And I've always been interested in that.
5. What are some values or principles that guide your work in auditing and the tech industry as a whole?
I don't really have specific principles per se, but I just love to dig and keep on digging anytime I am interested in a new technology or I am learning a new programming language. I think one thing that has helped is realizing that I just need to sit behind my desk for long hours if I want to get good at anything in Web3.
6. If you weren’t working in Web3, what alternative career path do you think you might have pursued?
If I wasn’t working in Web3 I would be working in a traditional technology company. Most probably as a fullstack developer. I actually started coding with frontend development. Although I did learn a bit of Solidity before then.
7. Two-part question: looking forward, what innovations or practices do you think will shape the future of smart contract auditing? And what do you feel is the most compelling thing being built on Ethereum right now?
Automated tools supported with AI are something to watch out for. As technology advances, we are seeing that generative AI can create various content, including code, which can streamline routine tasks, allowing programmers to focus on complex problem-solving. AI is already used as a collaborative tool that is boosting programmers' capabilities. It is an interesting time, and it emphasises the need for continuous learning to thrive in the evolving tech landscape.
For the second question, I'd say app chains like Unichain. It's compelling because it will drive the emergence of more app chains and force us to innovate on cross-chain communication, which will help solve liquidity fragmentation.
That is it for our interview with Nonseodion. Follow him on Twitter and make sure to subscribe to his Substack at https://rehackt.substack.com/, where he analyses hacks and how attackers exploited vulnerabilities in smart contracts.
Thank you for reading. If you are interested in being part of an interview or any talks about the latest and top-of-mind topics on Ethereum, just send me a message on X @dittoproj or email me at support@dittoeth.com.