Building A Web3 Audit Firm From Scratch with Owen Thurm, Co-Founder of Guardian Audits

Author :
Daniel Goodluck
November 19, 2023

Web3 Leader Spotlight: Owen Thurm 

This week, we had the opportunity to chat with Owen Thurm, Co-Founder at Guardian Audits, an up-and-coming audit firm built to deliver first-rate security best practices with a fairer business model and price point for Web3 entrepreneurs. 

To date, the startup has solved over 100 critical vulnerabilities for a spectrum of Web3 projects, DeFi through to NFTs, such as Beefy Finance, GMX & Ethernote.

How did you start in Smart Contract Security, and what drew you to specialize in this field?

In early 2021, my SaaS company faced a setback when the platform we relied on changed its ToS, forcing us to shut down. In search of a new opportunity, I recalled Warren Buffet's quote about the speed of the stream. “Sometimes it's not how fast you row your boat. It's how fast the stream is going.” I knew wherever I did end up next, I wanted it to be a roaring stream.

Around the same time, Bitcoin crashed from $65,000 to $30,000. Despite having no prior interest in crypto, reading "Mastering Ethereum" opened my eyes to blockchain’s unlimited potential.

 Inspired, I delved into the DeFi space, investing in various applications and learning the intricacies of smart contract development. Feeling particularly enamored by the mechanics of Olympus DAO, my co-founder Daniel and I created our own DeFi protocol which optimized the ROI for rebase token holders.

 Building this protocol taught us valuable lessons about smart contract development and Web3 security. Despite having our project fully-audited, a critical bug emerged days after our launch, prompting us to rescue user funds. Fortunately, we were successful.

 However, it was this experience that revealed to us major flaws in the smart contract auditing space, and ultimately leading us to founding Guardian Audits. An audit firm built on a Pay-Per-Vulnerability model where projects pay a downpayment to reserve their audit spot and only more if veritable vulnerabilities are uncovered.

 

What emerging trends or challenges are you seeing in Smart Contract Security today?

In the future, I believe web3 security will likely shift towards decentralization, with small teams and individual auditors entering the scene, fostering increased security reviews and faster development. This influx may erode market share for larger firms and lead to more accessible audit prices, enabling entrepreneurs with smaller budgets to contribute to mass adoption

 This is exactly what I hope for! This space needs much more widely available security forces to enable rapid iteration at a lower cost point for entrepreneurs to thrive and achieve mass adoption.

 AI is set to play a crucial role in decentralizing the auditing industry, providing leverage for small teams to generate infinite QA/fuzzing tests, understand code rapidly, and scan for vulnerabilities. While DeFi applications predominantly use Solidity/EVM, focusing on Solidity remains fruitful. However, auditors can relatively easily transition to new languages/VMs without starting from scratch through leveraging the same auditing approach and “sixth-sense” for vulnerabilities.

 

How does Guardian Audits uniquely differentiate itself from other audit firms?

 Guardian offers a Pay-Per-Vulnerability model where projects pay a downpayment to reserve their audit spot and only more if veritable vulnerabilities are uncovered.

 This is not only a risk-free offer for the project, but it incentivizes our team to uncover as many bugs and vulnerabilities as possible.

Any specific advice for aspiring Smart Contract auditors? Key skills or experiences to focus on?

Once you understand the basics of Solidity, Security, and DeFi, mastering Web3 Security is a matter of putting in the work. Get to 1,000 hours spent auditing and you will start to see results.

 The only way to shortcut this is to work with skilled security researchers who have spent the thousands of hours already, one hour working with an experienced security researcher can be more effective for your learning than 50 hours on your own.