I have a confession. I graduated from an IT program — Software Engineering (RPL). I can build web apps. I understand how code works. But I had zero experience in cybersecurity.

Zero.

And yet, I wanted to hunt bugs in Web3. The kind of bugs that drain millions from DeFi protocols. The kind that make headlines on rektHQ. So I did what any self-aware beginner would do: I sat down with an AI and asked it to build me a roadmap. Not a generic "learn hacking" guide — a specific, structured path from where I am now to where I want to be.

The Mindset Shift Nobody Talks About

You already have the logic of a builder. Now you need to flip it — from 'how do I construct this?' to 'how do I break this logically?

That reframe stuck. As a developer, I think about making things work. As a hunter, I need to think about why things fail. And in Web3? Failures don't just leak data. They leak money.

Why Web2 Skills Still Matter (More Than You Think). I'd already spent a month on TryHackMe, grinding through labs. The AI didn't dismiss that — it built on it. Here's the thing most people miss: a huge number of Web3 hacks start from Web2 attack surfaces. DNS hijacking. XSS on DApp frontends. Leaked API keys to node providers like Infura or Alchemy.

The AI laid out what I needed to solidify:

  • OWASP Top 10 — especially IDOR and logic errors
  • Burp Suite mastery — intercepting transactions between frontends and blockchain nodes
  • JavaScript/TypeScript fluency — because ethers.js and web3.js run everything

If you're coming from web development, you're not starting from zero. You're starting from a different angle.

The Web3 Layer Cake

Once the Web2 foundation is solid, the AI mapped out the blockchain-specific knowledge:

Layer 1: Ethereum Fundamentals

  • EVM internals — bytecode, opcodes, storage layout
  • Transaction mechanics — gas, nonce, ECDSA signatures, mempool
  • Smart contract lifecycle — deployment, proxy patterns, upgradability

Layer 2: Become a Dev Before You Become a Hunter

This one surprised me. The AI was blunt:

In Web3, the best bug hunters are great developers.

The reasoning is simple. You can't find what's broken if you don't deeply understand how it's supposed to work. That means:

  • Learning Solidity beyond syntax — inheritance, interfaces, libraries
  • Mastering Foundry (the industry standard) or Hardhat
  • Actually building a DApp — a voting system, an ERC-20 token — to feel where developers make mistakes

The Attack Catalog

This is where it gets real. The AI gave me a catalog of Web3-specific attack vectors:

| Attack                | What It Does                                                 |
| --------------------- | ------------------------------------------------------------ |
| Reentrancy            | The classic. Recursive calls that drain funds (The DAO hack) |
| Flash Loan Attacks    | Borrow millions with no collateral to manipulate DEX prices  |
| Oracle Manipulation   | Trick price feeds so protocols miscalculate asset values     |
| Access Control Issues | Unprotected initialize functions anyone can call             |
| Governance Attacks    | Buy voting power to pass proposals that drain treasury       |

Each of these isn't just a "bug" — it's an economic exploit. The code might be syntactically correct but logically bankrupt.

The Bridge: Web Attack → Web3 Hunting

Because I told the AI I enjoyed web attacks on TryHackMe, it gave me a specific transition path:

Frontend → Blockchain interaction points:

  • Wallet integration (ethers.js/web3.js) — where signature requests can be manipulated
  • API security — leaked node provider keys, manipulated displayed data
  • XSS to wallet drainer — injecting scripts that swap destination addresses on "Send"

This is the sweet spot. Most Web3 security researchers focus purely on smart contracts. But the frontend attack surface? Underexplored. Less competition. Real impact.

The Hunting Workflow

The AI described how a master approaches a target:

  1. Reconnaissance — Read the whitepaper. Understand the money flow.
  2. Static Analysis — Run Slither for low-hanging fruit.
  3. Manual Review — Read code line by line. Find logic bugs machines can't detect.
  4. Proof of Concept — Write a Foundry script proving the bug drains funds.

The key insight:

The biggest bugs are often found not because of code errors, but because the business logic in the whitepaper doesn't match the code implementation.

The Arena

Where to practice, in order:

  1. CTFs — Ethernaut, Damn Vulnerable DeFi, Capture the Ether
  2. Audit Contests — Code4rena, Sherlock (learn from published reports)
  3. Bug Bounties — Immunefi (the "Final Boss" — payouts reach millions)

If you're making a similar transition — from builder to breaker, from Web2 to Web3 — the path exists. It's not easy. But it's mapped.

The question isn't whether you can learn it. It's whether you'll do the work.