Introduction to smart contract security and hacking in Ethereum

Welcome!

Here you'll find resources and complementary educational material to start your journey in security and hacking of smart contracts in Ethereum.

Even if you don't want to build smart contracts, but rather break them, you'll need to understand the basics of programming, the EVM and the Ethereum network. So prior to getting into the security rabbit-hole, you can start with the basics of Ethereum here.

Index

• 📚 Books
• 💡 Challenges
• 🛠 Tools
• 🔬 Explorers
• 📜 Reports
• 💥 Vulnerabilities, common attacks and best practices
• 📰 Newsletters
• 👥 Forums, groups and bootcamps
• 💰 Bug Bounties
• 🏦 Auditing firms
• 🗂 Additional resources

Books

• Chapter 9 of Mastering Ethereum (I actually highly recommend reading the entire book)

Challenges

These challenges will help you learn about Ethereum, Solidity, the EVM, DeFi and other cool stuff about this ecosystem. Everything while you hack vulnerable implementation of contracts. If you're not fond of reading, but rather learn by doing, START HERE.

• Capture The Ether
• Ethernaut
• EVM Through CTFs
• Damn Vulnerable DeFi
• Paradigm CTF

Tools

• Vulnerability detection
  • Slither
  • MythX
  • Echidna
  • Pyrometer
• Decompilers
  • ethervm.io
  • Heimdall
  • Dedaub's online decompiler
• Transaction analysis
  • Ethereum Transaction Viewer
  • Phalcon
  • ETH Tx Info
  • Tenderly
• Contract visualization
  • Sol2UML
  • Surya
• Utilities
  • solc-select
  • cast
  • Contract diff
  • ABI encoding/decoding
  • Signatures database
• IDE plugins
  • Solidity Visual Auditor for VSCode

Explorers

• Etherscan
• Bloxy
• Dedaub Contract Library
• Oko by Palkeo

Vulnerabilities, common attacks and best practices

Take into account that these lists include vulnerabilities and attacks that are relatively basic. They're still pretty much valid, even after all these years. Still, this is definitely not everything there's to learn. To stay up-to-date with the latest type of attacks and vulnerabilities (which can be more complex and interesting), I highly recommend reading newsletters and public reports.

• ConsenSys: Known Attacks
• SWC Registry
• SCSVS Checklist
• OpenZeppelin Defender Advisor
• Solcurity
• Simple security toolkit by Nascent

Reports

• Report database by Solodit
• Reports by OpenZeppelin, ConsenSys Diligence, Trail of Bits, Sigma Prime, Spearbit.
• Bug Bounty reports by Immunefi
• Contests reports at Code4rena
• Writeups published by the Origin Protocol team

Newsletters

• Blockchain Threat Intelligence
• Rekt.news
• Week In Ethereum News --> Usually has a dedicated section for security stuff

Forums, groups and bootcamps

• ETHSecurity community
• Secureum

Bug Bounties and contests

• Immunefi
• Hacken Proof
• Code4rena contests
• Sherlock

Auditing firms

• A list by DeFiSafety

Additional resources

• Bad Things - Crypto Security
• samczsun's blog
• cmichel's blog
• My talks on Ethereum smart contract security
• Advice to be friends with your auditors
• Advice if you're launching to mainnet quickly