Open in app

Sign in

Write

Sign in

5 Years Bootstrapping in Crypto

Peteris Erins
7 min readDec 18, 2023

Auditless is a web3-native protocol studio focused on protocol strategy, design & development. We help crypto protocols improve their performance through strategic advisory and protocol development.

Five years ago (in December 2018), I left my job at McKinsey to start Auditless and build crypto developer tools focused on security.

I kept exploring various product ideas while consulting crypto companies, building developer tools and smart contracts.

It was easily the hardest and most rewarding part of my professional career.

Today feels like Day 1 again.

We are working on what we think will be some of the highest impact projects in the space, onboarding and accepting new clients and hiring for a bunch of exciting roles across strategy & development.

✨ Interested in working at Auditless? Please check out the Jobs page!

It doesn't get more Day 1 than Pallet Town.

But the path to get here has been painful and slow at times.

And while I wouldn't change anything, there are a few things I would tell my older self to get here faster.

It's also a good time to revisit whether I'd choose bootstrapping again if I got started today.

Let's rewind to 2018…

Finding vulnerabilities in smart contracts

It all started with trying to find vulnerabilities in smart contracts.

I spun up web3.py, wrote some simple smart contracts using Truffle and built a simple reinforcement learning agent using OpenAI Gym and SimPy.

The audit industry was just emerging and I (as many people) had the mistimed (or misguided?) view that AI could entirely automate vulnerability finding.

LLMs weren't really viable then but neither was reinforcement learning.

The problem with reinforcement learning is that it's really good at optimizing values rather than finding inflection points in functions.

Vulnerabilities were a step function — finding one is more important than optimizing the exploit for maximum impact…

So it was back to the drawing board.

Trying formal verification

The next idea was to use a solver like Z3 to identify vulnerabilities in smart contracts.

So I started tinkering with Bounded Model Checking (a technique that a formal verification tool like Halmos uses).

Custom debugging UI for the formal verifier

It quickly became clear that encoding vulnerabilities without access to specs is a lost cause.

So instead of trying to find vulnerabilities — what if we helped users generate test cases instead?

I repurposed the solver to find gaps in byte code coverage and then generate valid test cases for smart contracts.

Unfortunately in the course of doing this I learned a lot about the limits of solver performance.

In short — smart contracts that contain even a normal amount of “hard to model” functions like divisional or modular arithmetic cannot be subjected to black box analysis.

It became clear that formal verification would be a game of helping users create annotations and specs and then verifying them.

(Note: I think Certora have built exactly the right kind of company to help smart contract developers with this.)

My goal, however, was to find a SaaS product that could help a broader set of users.

Smart contract debugging

If the goal was to help people with understanding smart contracts, perhaps there was a better way to do this?

Having built a low-level debugger for the formal verifier that came in handy, I was looking for something similar for Solidity.

But debugging Solidity transactions was notoriously difficult (compared to, for instance, debugging a Rust program).

This didn't make sense as smart contracts feature no non-determinism and are pretty well-behaved state machines.

So we set out to build the best possible time traveling debugger for Solidity.

Here's a preview of what it looked like:

The best Solidity debugger that never was

It encapsulated in one interface many breakthrough ideas that debuggers still don't support:

  • Fast interaction
  • Instant breakpoints
  • State change overviews
  • Low-level debugging (gas & opcodes)

The UI got great feedback from some of the best Solidity developers in the space but was never remotely bug free.

Debugging is actually a significant back-end challenge.

Not only do you essentially have to build your own VM hook, you have to keep up with network, library and compiler upgrades constantly.

I still think we discovered a better interface for smart contract debugging but for several reasons it doesn't lead to a great business:

  • Smart contract developers are usually pretty advanced and have their own workflows that help them avoid debugging rather than rely on it
  • Most people develop locally and it's really hard to create a seamless user experience for local debugging with a UI (it still hasn't been done in 2023)
  • Existing pricing schemes for tools like Tenderly reflect that users don't really value debugging instead opting to pay for security related features like monitoring
  • Crypto has an open source ethos and many people felt that the debugger should be developed for free.

We wanted to build the best debugger and charge for it to warrant building a team, not a monitoring service in order to subsidize a debugger.

And we had more ambitious ideas than for what would have been possible with an open source tool.

To do it as a bootstrapped company just didn't make sense anymore.

Having said that, it was pretty tough to stop working on a product you know “should” exist and that users want to use.

Why bootstrap

Many people (including investors) ask me why Auditless is bootstrapped when there is so much capital available.

To be honest, I didn't think I would.

In fact, I was interviewed by YCombinator in 2018 (they weren't convinced developer tools in crypto was a big enough market).

The only decision I made at that point was to postpone investing until I find product-market fit with a product.

I had seen too many highly skilled Founders raise pre-product market fit and end up downsizing the company.

This was a failure mode I wanted to avoid at all costs.

So I bootstrapped.

As time went on, I also realized I'm not the right person to try and build a public company.

I realized I want to chip away at this for decades rather than push for a liquidity event.

Without that mindset of fighting the best possible exit for a company, I couldn't possibly responsibly take on capital.

The one thing that worked

Throughout all of the product experimentation, I still carried on doing consulting.

None of it was supported by any kind of sales our outreach process, instead I was responding to referrals and requests from people I already knew.

These were projects in developer tools, smart contract design, smart contract development, periphery tools, market maker tooling, even doing product strategy work for a fund.

One one hand I still had the desire to develop a product (these are so much easier to scale).

On the other, consulting allowed me work on products together with companies that were better capitalized and could exploit these opportunities.

And it worked well.

So earlier in 2023, I finally decided to double down on consulting full-time, focusing on strategic product advisory and development for high-performing crypto companies and startups.

What changed

I'm finally convinced that we could build a large and fast growing company built around these service lines.

This realization didn't come overnight.

In fact, my experience of consulting had been tainted by blue chip management consulting in McKinsey and I was very aware that it had taken a 100 years to build that business.

(It's a great business but I don't have 100 years.)

It came from figuring out two things that management consulting Firms never figured out (or didn't have to):

  • How to scale distribution;
  • How to scale delivery.

To be fair, some of these opportunities are highly contingent on the technologies and networks available today and the specific nature of the crypto industry.

And that's why I'm particularly excited to exploit them.

What did I learn

There are too many takeaways to list but here are five:

  • Make sure you know what kind of company you are building (venture funded or bootstrapped) and vet opportunities accordingly. Both models are great but they each have ideas that are not compatible with the model.
  • Bias on doing more in public rather than in private. People love to see half-baked products and your thinking. Lean on oversharing to get more feedback faster.
  • Don't pattern match with other companies. Instead focus on what works and eliminating bottlenecks to scale that. Unique and iconic businesses are only built this way. Learn to be unbiased and to enjoy the things that are working rather than to only work on the things you are enjoying.
  • Pick the right market and stick to it. I honestly think that one of the biggest reasons Auditless is still around and thriving (other than stubbornness) was the choice to start with crypto. Every failure we've had along the way has given us a level of experience and process knowledge that is highly useful to companies in 2023.
  • Most importantly — Have integrity. I've probably lost a significant amount of money by not making certain trades or recommending certain products. That has bought me the right to keep working with other high integrity people on meaningful long-term work.

I will make THAT trade any day.

On that note, I'm incredibly appreciative of everyone who has been or continues to be a part of this journey but there are two people who helped define the trajectory: Tarun Chitra and Jesse Beyroutey. You shouldn't hesitate to work with them if you get the chance.

📬 Want more research from Auditless? Subscribe to the Newsletter.

✨ Interested in helping us develop historic crypto projects? See Jobs!

Bootstrapping
Crypto
Auditless

--

--

Peteris Erins

Written by Peteris Erins

645 Followers

Founder @auditless Prev @mckinsey @twitter @google · @p_e · peteriserins.com

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams