Home

Awesome

Update: Head to Cyfrin Updraft

ℹī¸ Important: This repo is no longer maintained; we invite all people learning Solidity to head to Cyfrin Updraft! The 100% free #1 smart contract education platform on earth. Developed with love by Patrick & Cyfrin <3

Hardhat Security

This is a section of the Javascript Blockchain/Smart Contract FreeCodeCamp Course. This part of the course is to help users understand basic security and some fundamentals of auditing.

This repo has a few contracts with big flaws, see if you can see them, and see if the tools help you find them!

This repo has been updated for Sepolia over Goerli.

⌨ī¸ (31:28:32) Lesson 18: Security & Auditing

Full Repo

This project is apart of the Hardhat FreeCodeCamp video.

What is an Audit?

An audit is a security focused code review for looking for issues with your code.

Help your auditors!

When writing good code, you 100% need to follow these before sending you code to an audit.

Tweet from legendary security expert Tincho

"At this time, there are 0 good auditors that can get you an audit in under a week. If an auditor says they can do it in that time frame, they are either doing you a favor or they are shit. " - Patrick Collins, March 4th, 2022

Process

An auditors process looks like this:

  1. Run tests
  2. Read specs/docs
  3. Run fast tools (like slither, linters, static analysis, etc)
  4. Manual Analysis
  5. Run slow tools (like echidna, manticore, symbolic execution, MythX)
  6. Discuss (and repeat steps as needed)
  7. Write report (Example report)

Typically, you organize reports in a chart that looks like this:

impact image

Resources

These are some of the best places to learn even MORE about security:

PRs welcome to improve the list.

Tools

Games

Blogs

Audit Examples:

Articles

Getting Started

Requirements

Quickstart

git clone https://github.com/PatrickAlphaC/hardhat-security-fcc
cd hardhat-security-fcc
yarn set version 1.22.19   # can skip if your default version is already 1.x.x
yarn

(Yarn version 1 is recommended because auto-migration of this repo to yarn v2 doesn't go well. If your node version is incompatible with this, try node 16.19.1.) Then, go right into usage

No Typescript Support

Sorry! Feel free to make a PR if you'd like to see typescript here.

Optional Gitpod

If you can't or don't want to run and install locally, you can work with this repo in Gitpod. If you do this, you can skip the clone this repo part.

Open in Gitpod

Usage

Slither

Open the docker shell:

yarn toolbox

Then, run:

slither /src/contracts/ --solc-remaps @openzeppelin=/src/node_modules/@openzeppelin --exclude naming-convention,external-function,low-level-calls

To exit:

exit

Echidna

Open the docker shell:

yarn toolbox

Then, run this:

echidna-test /src/contracts/test/fuzzing/VaultFuzzTest.sol --contract VaultFuzzTest --config /src/contracts/test/fuzzing/config.yaml

To exit:

exit

Linting

To check linting / code formatting:

yarn lint

or, to fix:

yarn lint:fix

Formatting

yarn format

Thank you!

If you appreciated this, feel free to follow me or donate!

ETH/Polygon/Avalanche/etc Address: 0x9680201d9c93d65a3603d2088d125e955c73BD65

Patrick Collins Twitter Patrick Collins YouTube Patrick Collins Linkedin Patrick Collins Medium