Day in the Life of a Smart Contract Auditor

# Day in the Life of a Smart Contract Auditor

Ever wondered what smart contract auditors actually do all day? This is a realistic look at the life of a professional auditor at a security firm.

7:00 AM — Coffee & Prep

Start the day reviewing overnight messages. Clients are global, so there's always activity.

Check:

• Discord/Telegram: Client questions on active audits

• GitHub: New commits to audited codebases

• Twitter: Any exploits overnight (we analyze these for techniques)

8:00 AM — Standup with Team

Quick sync with the audit team:

• Progress updates: Each auditor shares findings from yesterday

• Blockers: Unclear specs, missing documentation

• Focus areas: Divide today's scope

Today's project: A new DeFi lending protocol (week 2 of 3).

8:30 AM — Deep Dive: Liquidation Logic

Focus on the liquidation module — this is where most DeFi hacks happen.

Initial Read

function liquidate(address borrower, address collateral) external {
    require(isUndercollateralized(borrower), "Healthy position");

    uint256 debt = getDebt(borrower);
    uint256 collateralAmount = getCollateral(borrower, collateral);
    uint256 liquidationBonus = collateralAmount * 5 / 100;

    // Transfer collateral to liquidator
    collateralToken.transfer(msg.sender, collateralAmount + liquidationBonus);

    // Burn debt
    _burnDebt(borrower, debt);
}

Red Flags Spotted

No reentrancy guard — collateral transfer before state update

No liquidation cap — liquidator can take entire position

Bonus calculated on collateral, not debt — wrong incentive

No price staleness check — oracle manipulation risk

9:30 AM — Threat Modeling

Before flagging issues, verify exploitability.

Issue 1: Reentrancy

// Attack contract
contract Exploit {
    Lending target;

    function attack() external {
        target.liquidate(victim, address(this));
    }

    // Reentrancy hook
    function onERC777Received(...) external {
        if (target.getDebt(victim) > 0) {
            target.liquidate(victim, address(this)); // Re-enter
        }
    }
}

Severity: Critical. Liquidator can drain all collateral.

Issue 2: Incorrect Bonus Calculation

// Should be:
uint256 liquidationBonus = debt * 5 / 100;

// Not:
uint256 liquidationBonus = collateralAmount * 5 / 100;

Severity: High. Liquidators are over-incentivized, causing unnecessary losses for borrowers.

11:00 AM — Write Finding Reports

Document each finding with:

# [H-1] Reentrancy in liquidate() allows draining collateral

Description
The liquidate() function transfers collateral before updating state,
enabling reentrancy via ERC777 hooks or fallback functions.

Impact
An attacker can repeatedly call liquidate() to extract all collateral
from a position while only repaying debt once.

Proof of Concept

solidity

[Attack code here]

## Recommended Mitigation
Apply nonReentrant modifier
Follow checks-effects-interactions pattern
Update state before external calls

diff

function liquidate(address borrower, address collateral) external {

+ require(!locked, "Reentrant call");

+ locked = true;

require(isUndercollateralized(borrower), "Healthy position");

uint256 debt = getDebt(borrower);

uint256 collateralAmount = getCollateral(borrower, collateral);

uint256 liquidationBonus = debt * 5 / 100;

+ _burnDebt(borrower, debt); // State update BEFORE transfer

collateralToken.transfer(msg.sender, collateralAmount + liquidationBonus);

• _burnDebt(borrower, debt);

+ locked = false;

}

## References
Reentrancy on Ethereum Smart Contract Best Practices

## 12:30 PM — Lunch & Learning

Lunch while reading:
Latest Immunefi bug reports
New audits from Trail of Bits, OpenZeppelin
DeFi exploits this week (learn attacker techniques)

1:30 PM — Fuzzing with Echidna

Write property tests to find edge cases:

solidity

contract TestLending is Lending {

function echidna_no_undercollateralized() public view returns (bool) {

// Protocol should never be insolvent

return totalCollateral >= totalDebt;

}

function echidna_liquidation_profitable() public view returns (bool) {

// Liquidators should always profit (or break even)

// If not, liquidations won't happen → protocol risk

return true; // Test logic here

}

}

Run:

bash

echidna-test TestLending.sol --config echidna.yaml

Result: Found an edge case where liquidation bonus exceeds collateral value when price drops rapidly.

3:00 PM — Client Call

Weekly sync with the protocol team:
Present findings so far: 3 Critical, 5 High, 12 Medium
Clarify spec questions: "Is liquidation supposed to be partial or full?"
Discuss mitigations: Some findings already fixed, re-audit needed

Client pushes back on one finding:
> "We think this is by design, not a bug."

Response: Explain the risk clearly. If they accept the risk, document as "Acknowledged" in final report.

4:00 PM — Code Review with Team

Peer review: another auditor found an interesting issue.

solidity

function setPriceOracle(address newOracle) external onlyOwner {

priceOracle = newOracle;

}

Issue: No timelock or multisig. Owner can rug-pull by setting a malicious oracle.

Severity: Critical (centralization risk).

Discussion: Is this in scope? Check audit agreement. Yes — flag it.

5:00 PM — Research: Novel Attack Vector

Came across a new MEV attack in the wild: "Just-In-Time (JIT) Liquidity Attacks."

Take 30 minutes to:
Understand the attack
Check if this protocol is vulnerable
Add to internal knowledge base

Finding: Protocol is vulnerable. Add to report as informational (not directly exploitable, but risky pattern).

5:30 PM — Draft Sections for Final Report

Start writing the executive summary:

markdown

# Executive Summary

We audited XYZ Lending Protocol (v1.2.0) from April 1-21, 2026.

The audit covered 2,500 lines of Solidity across 12 contracts.

Key Findings

• 3 Critical severity issues

• 5 High severity issues

• 12 Medium severity issues

• 8 Low/Informational issues

Critical Issues

Reentrancy in liquidate() (FIXED)

Unchecked return value in token transfers (FIXED)

Missing access control on setOracle() (ACKNOWLEDGED)

Recommendations

• Implement comprehensive reentrancy guards

• Add multisig + timelock for admin functions

• Increase test coverage to >90%

```

6:00 PM — Wind Down

End-of-day tasks:

• Push finding notes to internal repo

• Update audit tracker (% complete)

• Respond to client messages

• Plan tomorrow's focus (oracle module)

Evening — Optional

Some auditors participate in:

• Audit contests (Code4rena, Sherlock) — find bugs competitively for prizes

• Bug bounties (Immunefi, HackerOne) — earn rewards for responsibly disclosing vulnerabilities

• Twitter threads — share learnings (building reputation)

Tools Used Today

VS Code + Solidity extension

Slither — static analysis

Echidna — fuzzing

Foundry — testing

Surya — call graphs

Dedaub — decompiler (for comparing bytecode)

Notion — audit tracking

Discord/Telegram — client comms

Skills Required

Technical

• Solidity mastery: Read 1000+ LOC/day

• EVM internals: Opcodes, gas, storage layout

• DeFi knowledge: How protocols work (AMMs, lending, oracles)

• Security patterns: Common vulnerabilities, exploits

Non-Technical

• Communication: Explain complex issues to non-technical founders

• Time management: Balance depth (finding issues) with speed (deadlines)

• Collaboration: Work with team, review each other's findings

Career Path

Junior Auditor: Assist seniors, handle low-hanging fruit (access control, input validation)

Mid-Level: Own modules, write detailed reports

Senior Auditor: Lead audits, threat modeling, client relations

Principal/Partner: Business development, final report sign-off

Compensation

• Junior: $80k-$120k

• Mid: $120k-$180k

• Senior: $180k-$300k

• Independent: $200-$500/hour (after reputation is built)

Pros & Cons

Pros

• High impact (prevent hacks)

• Intellectually stimulating (every project is different)

• Remote-friendly

• Strong demand (more protocols than auditors)

Cons

• High pressure (mistakes cost millions)

• Long hours during audits (tight deadlines)

• Constant learning required (new attack vectors weekly)

• Burnout risk (every line of code is adversarial)

How to Break In

Learn Solidity: Build projects, read production code

Study exploits: Rekt news, post-mortems

Practice: Ethernaut, Damn Vulnerable DeFi, Capture the Ether

Contribute: Audit contests (Code4rena), open source reviews

Build reputation: Write about findings, Twitter threads

Apply: Security firms hire based on demonstrated skill, not degrees

Key Takeaway

Auditing is detective work. You're hunting for edge cases, race conditions, and logic errors that devs missed. It requires deep technical knowledge, adversarial thinking, and meticulous attention to detail.

Every day is a puzzle. And when you find a critical bug before an attacker does, you've potentially saved millions.