Gonçalo Sá of ConsenSys Diligence tells the story of coming to ConsenSys and his passion for hacking and smart contract auditing.

“I promised myself I would never again put money into something I hadn’t audited myself.”

Gonçalo Sá, Hacker for ConsenSys Diligence, had three startups under his belt before joining the ConsenSys team in April 2017. A passion for hacking and a personal commitment to ensuring the security of protocols led him to the doors of ConsenSys. Since then, he has spent his days in Lisbon, Portugal working with the far-flung but tight-knit team at Diligence as they strive to break down smart contracts with the goal of making them stronger.

What initially got you involved in coding, and then eventually in blockchain?

I got into coding a long time ago. My parents gave my a computer when I was six and ever since then I have just marveled at programming. In fact, I probably started even earlier than the computer, on one of my dad’s old HP calculators. And that was it. I was hooked. I fell in love with infosec and began spending time in a lot of online forums. Now that I think about it, they were really shady forums. I didn’t necessarily do anything shady, but I was definitely learning some shady stuff.

My interest in blockchain obviously began much later. After college I had this desire to become a big time founder — like a Mark Zuckerberg or something. I started with a piece of biometric hardware, then a mobile app, and finally an ad-tech platform. My last experience was…well, I don’t know what happened. But our vision became very different than what it was in the beginning, and I became super anxious. I was going crazy. I never knew anxiety could do something like that to a person. And so one Sunday I said to myself “Ok. I’m going into the office tomorrow, and I’m forfeiting my equity.” I never stepped foot in there again. I got out empty handed, but I just couldn’t take it anymore.

At that time, I also had a mining farm with the two friends I had started the mobile app with. Well, I’m not even sure you could call it a mining farm — it was small. A few months after Ethereum launched we started building rigs and made some money from them. We mined what would now be a lot of ETH. And I convinced my friends we should put our ETH in the DAO. When the DAO started getting hacked, it was 8:00am Portugal time. We woke up around 10:30 and it was…it was total disgrace. We ended up trading for something like $0.33 on the dollar, which was a terrible decision.

It was at that moment I promised myself I would never again put money into something I hadn’t audited myself.

How did you make your way to ConsenSys?

During my time at college and at my startups, I had never stopped hacking. I did some questionable stuff, but nothing really bad. I wouldn’t say I was a black hat. I was more of a grey hat. And after the DAO I started auditing stuff for free. And by doing that I came across ConsenSys and ConsenSys spokes.

Hadrian Charlanes from VariabL was the first person at ConsenSys I reached out to. I just wanted to help them, so I offered to test their alpha for free. The VariabL team didn’t quite like my stance. They thought I was trying to do something sketchy by auditing them for free. But then I talked to Joe (Lubin) on LinkedIn and within a week I was working for ConsenSys and helping build the Diligence team.

Explain what an audit performed by ConsenSys Diligence is. What is its purpose and what is your approach to it?

During an audit you’re essentially trying to mess with your own code, or with someone else’s. What you basically have to do is put on the black hat and think “how am I going to get my money out of that contract where it’s locked up?” You have to play the part of the bad guy. There’s no real trick to it. You just have to rob yourself.

When I audit, I’m a night person — and not just because I work NYC hours. I work better at night; I can really get into it more. I’ve heard developers say they reach a “flow state of mind” — and I reach mine at night. An audit is a very manual process. There are a few automated analysis tools that can help with auditing. Like Mythril, built by Bernhard Mueller — he’s a genius. I still spend the same amount of time auditing, though. The automated tools cover all the known possible issues of a contract. But I have to spend my time exploring the new edge cases, the ones that are harder to find and more likely to be exploited.

What literature, people, or news do you follow? What influences you?

I have a little book I like a lot, and it probably kicked off my interest in reverse engineering. It’s called Reversing: Secrets of Reverse Engineering by Eldad Eilam. My other favorite book is actually a trilogy. It’s called Stealing the Network. It’s a set of novels that are all super techy. All the exploits mentioned in the novels actually existed, and were very relevant at the time of the novels. For people — the person who really has inspired my hacking and auditing for years is Piper Merriam. His audits made me enjoy what I’m doing now.

What do you wish people knew about Diligence, Ethereum, and Blockchain?

I wish more people knew just how wonderful the people in Diligence are and how flat and efficient the team is. I think people really don’t grasp just how flat we are structurally, and what that means for our productivity. About Ethereum, I wish people knew what it really was. That it’s more than a currency. It’s not just a financial app on top of a blockchain, like Bitcoin. Bitcoin is cool. Bitcoin has a lot of potential. Ethereum has more — at least, for me it does. I know many of my friends don’t fully grasp what it is, and I wish they did. If they did, there would be more minds working on this technology. So I guess that’s it — I wish more people knew what Ethereum really was so we would have more brilliant minds in this space. And about blockchain or web3, I think it’s a similar issue. People just don’t grasp what web3 and blockchain is. I wish people knew about it. Not necessarily what about it — just about it. I want them to go learn that it exists.