All information was original created by 0xRajeev that he has developed from other public sources. This content is for the Secureum Epoch0 Bootcamp for Smart Contract auditing. The plan is to grow this over time. Pull requests accepted.
Information I would like to add (my wish list):
- Solidity example where applicable
- Add Forge examples for relevant topics
Please report any errors or rendering issues. Happy to accept PR's that improve upon the content.
The impetus for this project was self-edification as well as providing better accessibility to the content 0xRajeev has produced. Plus, I really wanted to make some cool graphs and play with Obsidian. :)
If you open this in Obsidian you can graph the notes.
Here is an awesome resource from patrickd who is in Epoch0: Link (Place in the contracts folder on Remix)
Slot 1 - Ethereum101
- Read the Ethereum whitepaper: https://ethereum.org/en/whitepaper/
- Read the Ethereum yellow paper: https://ethereum.github.io/yellowpaper/paper.pdf
- Read Chapters 1, 2, 3, 4, 6, 13 and 14 from “Mastering Ethereum”: https://github.com/ethereumbook/ethereumbook and other references in Secureum’s “Ethereum 101” article
- Browse through topics at https://ethereum.org/en/developers/docs/
- Explore blocks, transactions and other protocol internals at https://etherscan.io/
Slot 2 - Solidity101
- Read Chapter 7 from “Mastering Ethereum”: https://github.com/ethereumbook/ethereumbook/blob/develop/07smart-contracts-solidity.asciidoc
- Understand Solidity syntax and semantics implemented in OpenZeppelin’s ERC20 contract: https://github.com/OpenZeppelin/openzeppelin-contracts/blob/master/contracts/token/ERC20/ERC20.sol
- Understand Solidity syntax and semantics implemented in OpenZeppelin’s ERC721 (NFT) contract: https://github.com/OpenZeppelin/openzeppelin-contracts/blob/master/contracts/token/ERC721/ERC721.sol
- Understand Solidity syntax and semantics implemented in OpenZeppelin’s security-related contracts Ownable, Pausable and ReentrancyGuard: https://github.com/OpenZeppelin/openzeppelin-contracts/tree/master/contracts/access and https://github.com/OpenZeppelin/openzeppelin-contracts/tree/master/contracts/security
- Experiment with the various Solidity concepts using https://remix.ethereum.org/
Slot 3 - Solidity201
- Understand all the OpenZeppelin Library contracts (many of which are widely-used): https://github.com/OpenZeppelin/openzeppelin-contracts/tree/master/contracts
- Understand Solidity syntax and semantics implemented in Uniswap V3 contracts and related dependencies: https://github.com/Uniswap/uniswap-v3-core/tree/main/contracts
- Understand Solidity syntax and semantics implemented in Fei Protocol contracts and related dependencies: https://github.com/fei-protocol/fei-protocol-core/tree/master/contracts
- Understand Solidity syntax and semantics implemented in Chainlink contracts and related dependencies: https://github.com/smartcontractkit/chainlink/tree/develop/contracts/src/v0.4
- Understand Solidity syntax and semantics implemented in Opyn Gamma Protocol contracts and related dependencies: https://github.com/opynfinance/GammaProtocol/tree/master/contracts/core
Slot 4 - Pitfalls and Best Practices 101
- Explore the SWC Registry list and test cases: https://swcregistry.io/
- Watch “Intro to Security First Development” by Gonçalo Sá @GNSPS, ConsenSys Diligence: https://www.youtube.com/watch?v=72K57I9yvyI
- Watch “Protect your Crypto and Avoid Getting Hacked” by Mehdi Zerouali @ethzed, Sigma Prime: https://www.youtube.com/watch?v=L2DRC6PjTgk
- Watch “DeFi Security: With So Many Hacks, Will It Ever Be Safe?” on Unchained Podcast with Dan Guido @dguido (Trail of Bits) and Taylor Monahan (MyCrypto): https://www.youtube.com/watch?v=Sc5fZ-Wprx8
- Attempt CTF: https://capturetheether.com/
Slot 5 - Pitfalls and Best Practices 201
- Read https://samczsun.com/so-you-want-to-use-a-price-oracle/ and https://samczsun.com/the-dangers-of-surprising-code/
- Watch “Security By Design & Smart Contract Audits” by Shayan Eskandari, Ex-ConsenSys Diligence: https://www.youtube.com/watch?v=gfD1KBtLWZI
- Watch “How to Build Secure Smart Contracts” by Josselin Feist (@Josselin Feist - Trail of Bits), Trail of Bits: https://www.youtube.com/watch?v=yP01yH4plT8
- Watch “White Hat Panel: DeFi Exploits”: https://www.youtube.com/watch?v=Df2zzfoTfMc
- Attempt CTF: https://www.damnvulnerabledefi.xyz/
Slot 6 - Audit Techniques & Tools 101
- Read the following:
- How to Prepare for a Smart Contract Audit: https://consensys.net/diligence/blog/2019/09/how-to-prepare-for-a-smart-contract-audit/
- What is a Security Audit, When You Should Get One, and How to Prepare (by @petty) : https://our.status.im/what-is-a-security-audit-when-you-should-get-one-and-how-to-prepare/
- 246 Findings From our Smart Contract Audits: An Executive Summary: https://blog.trailofbits.com/2019/08/08/246-findings-from-our-smart-contract-audits-an-executive-summary/
- Run MythX on Fei Protocol contracts and analyze the reported findings: https://github.com/fei-protocol/fei-protocol-core/tree/master/contracts
- Run Slither on Uniswap V3 contracts and analyze the reported findings: https://github.com/Uniswap/uniswap-v3-core/tree/main/contracts
- Watch “The Evolution of Smart Contract Security” by Dan Guido, Trail of Bits: https://www.youtube.com/watch?v=fOkQuNzVn_Q
- Attempt Paradigm CTF: https://github.com/paradigm-operations/paradigm-ctf-2021
Slot 7 - Audit Findings 101
- Read the audit report along with the smart contracts to understand all the reported findings for Fei Protocol: https://consensys.net/diligence/audits/2021/01/fei-protocol
- Read the audit report along with the smart contracts to understand all the reported findings for Uniswap V3: https://github.com/Uniswap/uniswap-v3-core/blob/main/audits/tob/audit.pdf
- Read the audit report along with the smart contracts to understand all the reported findings for Chainlink: https://github.com/sigp/public-audits/blob/master/chainlink-1/review.pdf
- Read the audit report along with the smart contracts to understand all the reported findings for Opyn Gamma protocol: https://blog.openzeppelin.com/opyn-gamma-protocol-audit/
- Watch: OpenZeppelin @tinchoabbate's “Secure Development Series”: https://www.youtube.com/playlist?list=PLdJRkA9gCKOONBSlcifqLig_ZTyG_YLqz
Slot 8 Audit Findings 201
- Read the audit report along with the smart contracts to understand all the reported findings for 1inch Liquidity Protocol: https://consensys.net/diligence/audits/2020/12/1inch-liquidity-protocol/
- Read the audit report along with the smart contracts to understand all the reported findings for Origin Dollar: https://github.com/trailofbits/publications/blob/master/reviews/OriginDollar.pdf
- Read the audit report along with the smart contracts to understand all the reported findings for Synthetix EtherCollateral: https://github.com/sigp/public-audits/blob/master/synthetix/ethercollateral/review.pdf
- Read the audit report along with the smart contracts to understand all the reported findings for Holdefi: https://blog.openzeppelin.com/holdefi-audit
- Stay updated with Ethereum security articles/news:
- WeekInEthereumNews (security section): https://weekinethereumnews.com/
- BlockThreat Newsletter: https://www.blockthreat.io/
- Rekt: https://rekt.news/
- Secureum Newsletter: https://secureum.substack.com/