Awesome-Smart-Contract-Security
Blogs
- Ethernaut CTF walkthrough with Brownie framework
- Sizing Solidity Audits
- Reversing Ethereum Smart Contracts
- Emin Gün Sirer, professor in Cornell Tech’s IC3 lab focused on blockchain security.
- Phil Daian, grad student behind KEVM, Hydra, and other Ethereum academic projects
- Cybersecurity R&D firm with a blockchain security practice
- Martin Swende, programmer and appsec consultant
- Company blog about security issues and practices within blockchain ecosystem
- Solidity Security: Comprehensive list of known attack vectors
- Use cryptography in mobile apps the right way
- Subzero is an HSM-backed method for cold storage of Bitcoin developed by Square
- Contract upgrade anti-patterns
- How the winner got Fomo3D prize — A Detailed Explanation
- How to debug Solidity Smart Contracts with Tenderly and Truffle
- Lashing out at a Spank Channel
- Malicious GasToken Minting
- Missing return value bug in ERC20 tokens
- Not A Fair Game – Fairness Analysis of Dice2win
- Initial Formal Verification of Ethereum Casper Protocol
- Security considerations for Shamir's secret sharing
- SmartDec smart contract audit beginner's guide
- The Anatomy of a Block Stuffing Attack
- The phenomenon of smart contract honeypots
- Use our suite of Ethereum security tools
- Vertcoin (VTC) was successfully 51% attacked
- Smart contract security audit: tips & tricks
Papers
- Security Strengths and Weaknesses of Blockchain Smart Contract System: A Survey
- Ethereum smart contract security research: survey and future research opportunities
- Smart contract security: A software lifecycle perspective
- Ethainter: a smart contract security analyzer for composite vulnerabilities
- NeuCheck: A more practical Ethereum smart contract security analysis tool
- Smart contract: Attacks and protections
- Smart contract vulnerability analysis and security audit
- Security analysis methods on Ethereum smart contract vulnerabilities: a survey
- Smart contract privacy protection using AI in cyber-physical systems: tools, techniques and challenges
- LedgerHedger: Gas Reservation for Smart-Contract Security
- Combining graph neural networks with expert knowledge for smart contract vulnerability detection
- Security checklists for Ethereum smart contract development: patterns and best practices
- Exploring Security Practices of Smart Contract Developers
Books
- Fundamentals of Smart Contract Security
- Hands-On Smart Contract Development with Solidity and Ethereum
- Mastering Ethereum
Security Journal list
- IEEE Transactions on Information Forensics and Security
- Computers & Security
- IET Information Security
- ACM Transactions on Information and System Security
- International Journal of Information Security
- Security and Communication Networks
- IEEE Security & Privacy
- IEEE Transactions on Dependable and Secure Computing
- Computer Fraud & Security
Trainings
- SEC554: Blockchain and Smart Contract Security
- SecDim
- Ethereum Smart Contract Security
- Solidity, Blockchain, and Smart Contract Course
- Smart Contract Security 101
- Certified Blockchain Security Professional (CBSP)
- Learn blockchain security
Tools
Visualization
- ethereum-graph-debugger - A graphical EVM debugger. Displays the entire program control flow graph.
- Slither - Slither can map method visibility and modifiers, state variables that are read and written, calls, and can print the inheritance graph of a smart contract
- Solgraph - Generates DOT graphs with function control flow of a solidity contract
- Surya - Generates various visual outputs of function call graphs
- sol-function-profiler - Solidity contract function profiler
Verification
- KEVM - K Semantics of the Ethereum Virtual Machine (EVM)
- Manticore - Symbolic execution tool for EVM
Linters
- Remix - Browser-based Solidity IDE with linting features
- SmartCheck - A linter for Solidity and Vyper that checks code for security issues and bad practices.
- Solhint - Linter for both security and style-guide validations. It strictly adheres to the Solidity Style Guide.
- Solium - Linter for both security and style-guide validations. Does not strictly adhere to the Solidity Style Guide.
BugHunting
- Web3 Decoder - Burp Suite extension for analyzing the operations a web3 application performs against its smart contracts
- Echidna - Fuzzer for Ethereum smart contracts. Uses property testing to generate malicious inputs that break smart contracts.
- Manticore - Symbolic execution tool for Ethereum smart contracts that includes detectors for common security flaws
- Mythril OSS - Open-source security analysis tool for Ethereum smart contracts built around detector modules
- Securify v2.0 - Static analysis tool from ChainSecurity
- Slither - Static analysis framework, written in Python, with detectors for many common Solidity issues
- Octopus - Security analysis tool for blockchain smart contracts (BTC/ETH/NEO/EOS)
- L3X - AI-driven Smart Contract Static Analyzer
Reverse Engineering
- abi-decompiler - EVM reverse engineering helper utility
- ethereum-dasm - EVM disassembler with static and dynamic analysis abilities, including function signature lookup
- Ethersplay - Visual disassembler for EVM bytecode built on Binary Ninja
- evmlab - Utilities for interacting with the Ethereum virtual machine
- IDA-EVM - IDA plugin to view EVM instructions
- Panoramix - Ethereum decompiler
- pyevmasm - EVM assembler and disassembler with a CLI and a Python API
- Rattle - EVM binary static analysis framework. Produces SSA representations of EVM code.
- Solidity Bytes32 Converter Online - Convert Solidity bytes32 to utf8 string or integers and vice versa.
- Online Solidity ABI Encoder - Online Solidity ABI Encoder to encode smart contract arguments, and also perform read and write operations on the blockchain.
- Ethereum Unit Converter - Online tool to convert the different ethereum denominations (wei, gwei, ether).
Labs
Capture the Flag and Wargames
- Capture the Ether
- The Ethernaut
- Etherhack
- Security Innovation Blockchain CTF
- Ciphershastra CTF
- Defi Hack
- Gacha Lab (BSC Testnet)
- Damn Vulnerable DeFi
Talks
| Title | Conference | Year |
|---|---|---|
| 6th Workshop on Trusted Smart Contracts | WTSC 2022 | 2022 |
| Smart Contract Security: a Practitioners’ Perspective | ICSE 2021 | 2021 |
| Predicting Random Numbers in Ethereum Smart Contracts | OWASP AppSec | 2018 |
| Blockchain Autopsies - Analyzing Smart Contract Deaths | Blackhat USA | 2018 |
| Rattle - an EVM binary analysis framework | reCON | 2018 |
| Blackhat Ethereum | CanSecWest | 2018 |
| Smashing Ethereum Smart Contracts for Fun and Profit | HITB Amsterdam | 2018 |
| Automatic Bug Finding for the Blockchain | EkoParty | 2017 |
Misc
- Security Pitfalls & Best Practices 201
- Hacking Smart Contracts: Beginners Guide
- Security Pitfalls & Best Practices 101
- A guide to smart contract security best practices
- Decentralized Application Security Project (or DASP) Top 10
- Solidity Security Considerations
- A Collection of Vulnerabilities in ERC20 Smart Contracts
- Examples of Solidity security issues
- A guide to EOS smart contract security best practices
Podcasts
Cheat Sheets
- Solidity Cheat Sheet
- Solidity Cheatsheet and Best practices
- Ethereum Cheat Sheet
- The Ultimate Blockchain Cheat Sheet
Checklists
- Solidity Auditing Checklist
- SMART CONTRACT SECURITY CHECKLIST
- Smart Contract Security Audit: Intro & Top 5 Best Practices
- Smart Contract Security Verification Standard
- Security checklists for Ethereum smart contract development
Bug Bounty & Writeups
- Hands on the Ethernaut CTF - Writeups for various Ethernaut CTF challenge contracts.
- Ethernaut - Naught Coin (ERC20) Exploitation - Writeup for a vulnerable ERC20 from the Ethernaut CTF.
- EtherHack CTF Writeup - Writeup for EtherHack CTF challenges.
- PolySwarm Smart Contract Hacking Challenge Writeup - Demonstrates advanced use of Manticore