
Have you ever tried to send funds to your friend in Syria or Nigeria with Stripe or Paypal? Then you will get what I mean. Incredibly, crypto is the first payment system that broke down the walls of international payments for everyone regardless of where they live: lower barrier of entry and incredible speed. Indeed, it is a game-changer.

At the same time, I have met people who do not take the idea of crypto seriously. You might ask, “C’mon, everyone sees how easy this system is, why would anyone not like it?” I am a crypto-native, but I must also agree that these people who don’t take crypto seriously are not entirely wrong.

I am mainly writing this for my fellow builders, so we can build what more people will take seriously. This is more like mainstream feedback we all can use to build better products and a saner ecosystem.

The Parallel of Ponzi and Meme Economy

This is the pattern of ponzi programs: people rush into it, so they can cash out and dump on others. So the first set of people gain by using the last sets as exit liquidity.

Unfortunately, this same pattern powers some crypto projects at the moment. They claim to have some utilities, which are either unrealistic or even worthless. Then they pump millions into these tokens to attract people. As people buy into it, a point will come when demand will stop, and the token will no longer be worth anything.

Some call this the meme economy, but we all know it is extremely fraudulent and simply a pyramid scheme. Yes, some traders often gain from these meme projects because they are after their bags. But from any ecosystem perspective, I do not fancy the idea of meme tokens; they misrepresent us to the wider world.

Frequent Cases of Security Breaches

Anyone building a financial product in any industry should be security-minded, whether Web3 or Web2. However, the cases of hacks in Web3 are way too many. Do hacks happen in Web2? Yes, but the number is not close to Web3’s.

From a financial perspective, people put their money where they trust. To be honest, who would want to put their life savings in an industry where they can wake up tomorrow and someone would have stolen everyone’s funds? That is why some people will always prefer to keep their funds in banks where they are double-sure it will be safe.

People don’t really care about decentralization or any grammar we cook up; they care about the overall safety of their funds. They want to come back in the next 6 years and see their funds intact. People want financial security; they can’t play with it.

As a founder of a crypto product, work hand-in-hand with nerdy and insanely good security researchers to secure your DApp. You owe your users that duty of care.

Transaction-related Frictions

I am a Technical Content Manager in a company where I also have the authority to pay the content creators I manage. I can remember a month when I wanted to pay a staff member from my wallet, and I couldn’t because I could only pay gas fees with ETH.

In my mind, I wondered, “Since I have USDC in this wallet, why then can’t I simply pay the gas fee with USDC?” I mean, isn’t that the similitude of what banks do?

This is my feedback for builders: build products that are easy to use. It is that simple.

Feedback to Get Better

As I mentioned earlier, I mainly wrote this for other founders to build products people can trust and easily use. I believe crypto will go mainstream in the future. And no, the memecoin projects won’t take us to the limelight. Crypto products that are safe and easy to use will take us far.

I am not a bystander, I am building too, so—like I said—this is a note to other passionate builders.

John Fawole
December 22, 2023

Smart contracts, unlike what most people think, are not smart in themselves. Humans write them, and humans are imperfect; therefore, smart contracts often contain vulnerabilities.

There are tales of reputable protocols that hackers drained. Should I start with the story of The DAO hack? Or should I talk about the Euler Finance hack? Numerous incidents of hacks threaten the prosperity of Web3.

This is where Web3 auditors and security researchers come in. They help review smart contracts and protocols and detect their vulnerabilities on time, thereby helping the team to fix them.

Within a short time, Web3 security has also become a recognized business like the general cybersecurity in Web2. Spearbit DAO, one of the leading security firms in Web3, pays their junior researchers $3k weekly, and lead researchers take home nothing less than $20k weekly. Yes, the Web3 security space is that lucrative.

However, I must also be honest and clear to say that a greater percentage of researchers don’t even earn anything close to the above figures. You can ask anywhere.

So, how do you stand out and build a profitable audit firm or solo career? I explained everything here.

Be Technically Sound

“You cannot build something on nothing and expect it to stand.” – Justice Niki Tobi of blessed memory

To thrive in Web3 security, you must know your onions. As the founder, you have to be technical; you should know about security yourself, too.

Once a good number of your clients get hacked, you start getting bad PR in the industry as incompetent. Most leading firms or auditors with no record of their clients getting hacked are always topping in the space.

Now, how do you become technically sound in security? Go take the Secureum Bootcamp, learn from Damn Vulnerable DeFi, and participate in CTFs. Of course, you should have learned languages like Solidity, Rust, Cairo, or any one that catches your fancy.

Apart from that, read audit reports. Don’t read them only for the sake of reading; critically study them and know how blackhats think.

Everything I have mentioned above is good, but it is insufficient to make you a sound researcher. You need to start auditing. Become a security researcher on Code4rena, CodeHawks, Sherlock DeFi, and Immunefi. Roll up your sleeves and get into audit contests; that will sharpen your skills and give you testaments of brilliance.

Again, I emphasize being technically sound. Before learning about the business side of things, you must be exceptionally good. Quality services, like I always say, are easier to sell.

Learn and Master Sales

The difference between profitable and not-too-profitable auditors is not necessarily skills. As a matter of fact, there are a lot of skilled auditors in the space.

If you want to build a business in the security space, you need to realize that tech is one thing, and business is another thing in its entirety. Start to think like an entrepreneur.

For a moment, drop everything you know and start learning about marketing. Learn about customer journey, conversion, and retention. How do you brand and sell your service? What gives you an edge over other solo auditors or firms? Do you know who your target audience should be and how you can talk to them?

As a founder, this is more of what you will do as time progresses. Don’t delegate sales. You have to do it yourself. Get your first 10 and 50 clients with whatever you have learned in sales. I may write more about this in the future.

Get More Brilliant Auditors Onboard

Initially, I told you to be exceptionally good at Web3 security. That is valid. Without prejudice, it is sheer arrogance to think you are the only best researcher in the world. No, no. There are other exceptional people around. Look for them and tender your offer.

Having more brilliant people in your team will help you provide more bespoke audit services. Two good heads, they say, are always better than one.

Don’t pick based on familiarity or closeness when hiring people to join you. Check out the most promising security researchers in audit contests. Use meritocracy in choosing your team members.

By the way, you do not have to look far when assembling brilliant people into your team. They are always around you. When I kicked off my company, I realized some of my friends were exceptionally good, and I am now building with them.

So, while you are objective enough to look outside, don’t forget that Twitter bro you did a peer audit with the last time and discovered critical vulnerabilities in a contract.

Put Structure Into The Business

I worked in a Web3 security firm earlier this year, and I enjoyed the structure of the business. It enhanced efficiency for everyone.

As a founder, you must realize that you, as the leader, only need to focus on the most essential things for the company to move forward with an impressive face. Don’t be the only one managing payment, accounting, client communication, etc. You must entrust responsibilities to other members of the team as well.

Who will manage your social media? Who will attend events and represent the company? Who will always be available to hold discovery calls with clients? How will you maintain relationships with clients post-audit? You need to answer these questions and put structures in place accordingly.

When that is fixed, you, as the founder, can decide to be the lead security researcher and catch any bug your teammates might have missed. The goal of having a structure is to optimize for performance and efficiency.

Attend Web3 Events

I have heard many people say events are a total waste of time and that any serious developer or researcher should not bother attending them. Those who hold this view are equally right and wrong in some contexts.

Know this: You should never jeopardize the primary purpose of your firm, which is excellent security research, by merely attending events. I mean, your researchers should not get too busy

John Fawole
October 12, 2023