We are launching a series of interviews with the speakers of ETHSofia 2024 to help you grasp their expertise, experience, and crypto journey. Find out what inspired and motivated them to join the inaugural edition of ETHSofia. To kick this initiative off, we are happy to share our conversation with Krum Pashov.

Why are there an increasing number of smart contract auditors in Bulgaria, who are consistently ranking at the top in auditing competitions on platforms like Code4rena and others?

The Bulgarian community in web3 security is incredibly strong.  Bulgarians are excelling in web3 security, audits, and bug bounties on Immunefi. Many Bulgarians have also launched successful security companies. 

My IT-focused Discord community has contributed significantly to this trend. Initially, I discussed IT technologies, then shifted to web3, and eventually to auditing. This initial push helped many people in my server, and now, they are earning impressive amounts monthly by finding bugs and securing large amounts of total value locked in the space. There are also many others outside my server who are doing an excellent job. It's amazing to see hundreds of Bulgarians involved, with many from my Discord community. The trend is likely to continue as community members hire, mentor, and support each other. I am very proud and happy about this.

How can one become a smart contract editor?

To become a smart contract auditor, having some coding experience will help you a lot. Knowing coding languages, particularly Solidity—the main language for the Ethereum network and all EVM-based blockchains—is essential. Once you are good at Solidity you can start by reading audit reports from security contests and companies that publish their work. And this will help you learn about common problems in smart contract development, how to identify and fix them, and understand security vulnerabilities. 

Next, participate in coding contests. These contests are fully permissionless. You just need to register, provide your wallet address, and you can start contributing. You'll gain hands-on experience looking for bugs and even get paid for your findings. This is the way I and many others started. It's the easiest and most accessible way to break into smart contract auditing, and I strongly recommend it.

What advice can you give to those starting a career in blockchain security or smart contract auditing?

The harder you work and the more hours you put into it, the better and faster results you will get. Many people who are excelling in this space have been dedicating more than 12 hours a day to it for quite a while. Although I'm not working such long hours now, I did for over a year, and the results were worth it—I won a coding contest and gained many solo audit clients. Hard work and reading all the articles you can find are essential. Practice a lot, this is key. Just dive into it, and you won't regret it.

Can you walk us through your typical smart contract audit process?

Many people are curious about the process auditors use. My approach is very simple,  because I believe simplicity is key to success in audit security. I start by reading the code line by line, analyzing each line, each character, and even each empty space. I read all the documentation thoroughly. If there's any part I don't understand, I refer back to the documentation or other resources and then move forward. It's as simple as that.

Is the way smart contracts are written changing? How will the role of smart contract auditors change in the coming years? Do you think we will see fewer and fewer vulnerabilities?

Developers have certainly improved, and auditors have become much more experienced. Despite this, we still find a lot of bugs in almost every audit, including critical vulnerabilities. Some issues that were common in the past are less frequent now, but they still appear. Developers are learning at a slower pace compared to hackers and white hat auditors, making it challenging for them to keep up.

I’d love to see more improvement in tooling and web3 security, but progress has been slow. As smart contracts evolve, the role of auditors will remain crucial, and while we may see fewer vulnerabilities over time, the continuous advancement of hacking techniques means that vigilance and ongoing learning will be essential for auditors.

What do you think is the role of AI in smart contract auditing?

AI is a frequently mentioned term in cybersecurity. While the integration of AI promises progress and innovation, its practical application in smart contract auditing is not yet fully realized. I've seen some impressive developments, but they have not been tested extensively in practice.

In reality, current AI tools aren't as effective as they should be. Although improvements are needed, I’m skeptical about significant advancements happening soon. This isn't due to economic or monetary interests, but rather a realistic assessment of the current state of AI in this field. Despite having some of the smartest people and a lot of money in the space, there hasn't been any AI tool good enough for practical use, at least not publicly available. At this point, we do not use AI in our job.

Why are you joining ETHSofia, what do you want to contribute to the people who will hear you during the event?

I'm joining ETHSofia because I've always wanted to engage more in public speaking, especially in Sofia, and it's an honor for me to be a part of this event. Some great people took the initiative to organize this event, and I'm eager to contribute as a guest speaker by sharing my insights and experience in web3 cybersecurity with both the local community and international attendees. 

I've gained valuable knowledge from others, and now I'm eager to give back in the same manner. I'm excited about this opportunity, and I assure you my talk will be well-prepared. Don't miss it, and I look forward to meeting everyone soon.