Play & Learn Smart Contract Hacking:
https://telegra.ph/All-resources-to-become-a-smart-contract-auditor-09-11
Follow:
• Smart contract auditor pathway
• All known smart contract-side and user-side attacks and vulnerabilities
• Join developer communities & chats
https://telegra.ph/Retrospective-hacks-in-web3-10-24
DeFi RoadMap:
Practice:
- Use just about everything from my special compendium: telegra.ph/All-known-smart-contract-side-and-user-side-attacks-and-vulnerabilities-in-Web30--DeFi-03-31 and https://telegra.ph/Solidity-Catsheets-Pack-03-20 ❗️❗️❗️
- Study: quillaudits.substack.com/p/openseas-official-discord-compromised and rekt.news
- Separately, you'll need to study the audit checklists: t.me/officer_cia/177
- twitter.com/0xBlasco/status/1500455598684618753 - these courses
- Blockchain security framework - t.me/officer_cia/232
- Tokenomics simulation tools (t.me/officer_cia/69) and resources for understanding tokenomics (t.me/officer_cia/89)
- speedrunethereum.com or cryptozombies, capture the ether or ethernaut.openzeppelin.com (see my selection - the very first link in the article, there is a section about gamification)
- Study very carefully github.com/Rari-Capital/solcurity and cmichel.io/how-to-become-a-smart-contract-auditor and pentacle.xyz/projects/security
- The internal security of the project - docs.google.com/document/d/1-_0Wlwch_vtkPM4F-SdEXLjQYaYT7KoPlU2rjt7tkLQ/edit
Learn active defense techniques:
- smartcontractresearch.org/t/mitigations-against-flash-loan-enabled-attacks/615 and arxiv.org/abs/2003.03810
- Tenderly.co alerts - officercia.medium.com/tenderly-app-a-swiss-pocketknife-for-the-web3-developer-89bb904bee46
- Study medium.com/immunefi/hacking-the-blockchain-an-ultimate-guide-4f34b33c6e8b and wufflz.notion.site/Blockchain-security-guide-b26aec3d920e414d8a354618d3e36eb4
- And you can also study github.com/0xsanny/solsec
- All audit/security tools - telegra.ph/ETHSec-Tools-02-13, github.com/nascentxyz/simple-security-toolkit
- Check resources here: t.me/cryptooffensive
- OpSec principles - graph.org/Key-principles-of-storing-crypto-cold-wallet-attacks-defense-methods-best-practices--Bonus-04-23, github.com/undergroundwires/privacy.sexy, web.archive.org/web/20220302223645/https://anonymousplanet.org/guide.html
- Forensics/research in crypto: t.me/officer_cia/236, mirror.xyz/officercia.eth/BFzv17UwH6QG4q711NAljtSiP8eKR17daLjTdmAgbHw
- All TX analysis tools list - graph.org/TX-Analysis-tools-04-19
- Honeypot detection tools - graph.org/A-Short-List-of-the-Rug-Checker-Tools-04-09
- Bugs and vulnerabilities that exist in Web2 and Web3 - www.theseus.fi/bitstream/handle/10024/170724/Aboualy_Mahmoud_bachelor_thesis.pdf
- All about MEV - t.me/officer_cia/146
- Be sure to study defieducation.substack.com/p/how-to-read-smart-contracts-part?s=r and blog.trustlook.com/understand-evm-bytecode-part-1/ and all the posts by these authors
- start.me/p/QRg5ad/officercia - peruse my Awesome Blogs section and Sec section (on the right side, just below the DeFi map-tree)
- telegra.ph/Article-08-08 - frontend security
- NFT security - telegra.ph/NFT-security-01-28
- Explore hack cases - newsletter.blockthreat.io
- Study github.com/emilianobonassi/security-toolkit and www.smartcontractresearch.org/t/research-summary-a-systematic-literature-review-of-blockchain-cyber-security/1299
- Attack vectors - github.com/sirhashalot/SCV-List, github.com/KadenZipfel/smart-contract-attack-vectors, swcregistry.io
- Study the framework securing.github.io/SCSVS/SCSVS_v1.1.pdf and github.com/securing/SCSVS
- Read posts on Medium by Mudit Gupta, Immunefi and the BlockSec team, also twitter.com/officer_cia/status/1519371437068505089 (all 4 threads), arxiv.org/pdf/2106.10740.pdf and arxiv.org/pdf/2109.06836.pdf
https://github.com/SunWeb3Sec/DeFiHackLabs
Check out first:
- devansh.xyz/blockchain-security/2021/09/17/genesis-0x01.html
- www.notonlyowner.com/learn/intro-security-hacking-smart-contracts-ethereum
Practice once again!
- arxiv.org/pdf/2106.10740.pdf - Threat Modeling
- arxiv.org/pdf/2109.06836.pdf - User-Side Attacks
- arxiv.org/pdf/2203.02662.pdf - Metaverse Security
- github.com/xf97/JiuZhou - Bugs in Solidity
- Also check out: github.com/sigp/solidity-security-blog & graph.org/Solidity-Cheatsheets-Pack-03-20
- blog.embarklabs.io/news/2020/01/30/dapp-frontend-security/index.html - DApp frontend security.
- www.theseus.fi/bitstream/handle/10024/170724/Aboualy_Mahmoud_bachelor_thesis.pdf - Learning Best Practices from Web Applications to Avoid Similar Security Vulnerabilities in Decentralized Applications.
- twitter.com/officer_cia/status/1422785502634196996 & twitter.com/officer_cia/status/1409537800022659074 - more about oracle attacks.
- blog.euler.finance/uniswap-oracle-attack-simulator-42d18adf65af?gi=8ad59382eefb - UniV2 oracle attack simulator.
https://docs.google.com/document/d/1-_0Wlwch_vtkPM4F-SdEXLjQYaYT7KoPlU2rjt7tkLQ/edit
Awesome Bonus:
- github.com/KadenZipfel/smart-contract-attack-vectors - All known smart contract attack vectors
- graph.org/NFT-security-01-28 - NFT security
- graph.org/ETHSec-Tools-02-13 - All existing ETH security tools
- www.phishfort.com/blog/web3-phishing-has-finally-arrived - Web3 phishing
- bloom.co/blog/6-ways-a-site-can-attack-your-metamask/ - MetaMask-targeted attacks.
- newsletter.blockthreat.io - Timeline of all hacks and security incidents in Web3.
- a16z.com/2022/04/23/web3-security-crypto-hack-attack-lessons
- medium.com/immunefi/hacking-the-blockchain-an-ultimate-guide-4f34b33c6e8b
https://telegra.ph/Cross-chain-bridge-attacks-A-Z-05-07
Cool Data:
- swcregistry.io - Smart contract bug database
- arxiv.org/pdf/2105.06974.pdf - A Survey of Security Vulnerabilities in Ethereum Smart Contracts
- www.researchgate.net/publication/353794368_SMART_CONTRACTS_VULNERABILITIES_AND_REAL_ATTACKS - General overview
- www.researchgate.net/publication/338926064_Smart_Contract_Attacks_and_Protections - General overview
- www.ndss-symposium.org/wp-content/uploads/NDSS2021posters_paper_2.pdf - Attacks on RPC
- eprint.iacr.org/2021/1147.pdf - Automated Analysis of Economic Security in Smart Contracts
- arxiv.org/abs/2003.03810 - Literally the best study about flash-loan attacks
- github.com/felixnan88/fallback-attack - All about the fallback attack
- github.com/uni-due-syssec/eth-reentrancy-attack-patterns - Reentrancy attack patterns
- github.com/freight-chain/defi-sec & github.com/freight-trust/defi-threat - DeFi threats list
- arxiv.org/pdf/2103.02873.pdf - Hunting For DeFi Attacks on Blockchain
- defi-sandwi.ch & pub.tik.ee.ethz.ch/students/2021-FS/BA-2021-07.pdf - A tool to check whether a transaction is susceptible to sandwich attacks and to find a suitable order split.
- gasgauge.github.io, arxiv.org/pdf/2112.14771.pdf - A security analysis tool for smart contract out-of-gas vulnerabilities
- Tutela.xyz - Tornado Cash pool analyzer.
- github.com/OffcierCia/DeFi-Developer-Road-Map#security--safety - CIA compilation of reads.
- library.dedaub.com - Smart contract library
- github.com/christoftorres/ConFuzzius - a fuzzer
All smart contract security tools:
Watch:
https://www.youtube.com/watch?v=0FTLC8JnWp0
https://www.youtube.com/watch?v=-469Gcye-ZE&t=1s&ab_channel=AndyLi
https://www.youtube.com/watch?v=C9C4zgskHwg
https://www.youtube.com/watch?v=I6VDBvX9Pkw
https://youtube.com/playlist?list=PLCwnLq3tOElpIi6Gci36PnvrrS8ljBHkq
Working-in-web3:
Jobs:
- Read: web3.smsunarto.com
Grants & DAOs:
Bounties:
Bonus! (awesome Discord chat)
Awesome smart contract audit checklists:
- blog.openzeppelin.com/follow-this-quality-checklist-before-an-audit-8cc6a0e44845/
- ethereum.stackexchange.com/questions/8551/security-review-checklist-for-a-smart-contract/8593#8593
- our.status.im/what-is-a-security-audit-when-you-should-get-one-and-how-to-prepare
https://twitter.com/officer_cia/status/1570208171259568128?s=20&t=NjwotDBJ1Xke1l8oWAxaWA
If you want to support my work, you can send me a donation to the address:
- 0xB25C5E8fA1E53eEb9bE3421C59F6A66B786ED77A or officercia.eth — ETH, BSC, Polygon, Optimism, Zk, Fantom, etc.
- 4AhpUrDtfVSWZMJcRMJkZoPwDSdVG6puYBE3ajQABQo6T533cVvx5vJRc5fX7sktJe67mXu1CcDmr7orn1CrGrqsT3ptfds - Monero (XMR)