My own tailored roadmap, to my web3 / smart contract auditor knowledge.
The primary purpose of this road map is to document the resources that piqued my interest throughout the studies of the security perspective and the underlying technologies of this ecosystem.
This is not in any way the ultimate roadmap, nor the best, nor even a good one. It's just what I considered while I was studying my way through web3 security, particularly EVM-based content. I need to clarify this because there have been more than 20 "ultimate roadmaps++" since I, at least, started learning, and each one of them is clearly subjective, so you need to create your own roadmap according to what you want to learn. What you need to do first is learn the minimum necessary to have an idea of what you want to learn, following your needs or objectives.
⭐ → highlighted article
👌🏽 → personal liking
- Introduction to Blockchain
- Blockchain fundamentals (⭐) by Dan Boneh
- Blockchain demo (interactive) (♦️) — I always use this when I have to explain the basics!
- Introduction to Solidity
- Quick start
- Solidity walk-through — super quick glance at Solidity
- 🧟 CryptoZombies — brief but entertaining
- Solidity by example (⭐) — check video explanations!
- Ideal
- HardHat's tutorial (👌🏽) — first tooling experience
- FreeCodeCamp 32 hours course (⭐👌🏽) — totally recommended (uses Hardhat)
- Tic Tac Token — select a kata, and start a short project on Foundry
- Additional
- 🏃🏾♀️SpeedrunEthereum (⭐)
- ‣ — suggestions after scaffold-eth
- 🐰 RabbitHole — L2, DeFi, NFT, DAOs!
- Introduction to the EVM
- Quick start
- Take glimpse over Yul — the intermediary language
- EVM Codes (♦️) — incredible tool and resource
- EtherVM ⭐ — read at least once
- https://github.com/fvictorio/evm-puzzles and https://github.com/daltyboy11/more-evm-puzzles 👌🏽 — play with these challenges
- Solving more-evm-puzzles differently by matta 👌🏽
- Strongly recommended
- 🧩 yet-another-evm-puzzle by matta. ⭐ — puzzles with a realistic twist
- Solving yet another EVM puzzle by tincho ⭐ — amazing write-up
- Further reading
- Solidity data representation
- The EVM Handbook — large collection of sources
- Skim through / read a bit of / know that this exists and is important
- Latest Solidity documentation (♦️) — official readthedocs for Solidity
- OpenZeppelin's contracts ⭐ — most reused Solidity code on the blockchain
- What’s a computer hacker? and other popular questions — seeking motivation?
- Road-maps / general guides / classes / courses
- Quick reading
- A Journey Into Smart Contract Security (👌🏽) — short collection of articles I’ve written
- How to become a smart contract auditor (⭐👌🏽) by cmichelli
- How to Develop Smart Contracts for Ethereum Blockchain by web3.career
- Roadmap for Web3/Smart Contracts hacking 2022 by sm4rty
- Will take a while
- Working in Web3: The handbook (⭐) by smsunarto
- https://github.com/fravoll/solidity-patterns (👌🏽) — Some known Solidity patterns
- Buckle up
- Cryptocurrency Class 2022 by Patrick McCorry (Infura)
- Useful solidity patterns (👌🏽)
- Alternative
- How to become an auditor & hunter by CIA Officer 👮🏻♂️
- ‣
- Security specific content
- Hack the blockchain: Blockchain Security Guide. — very long, and similar to this list
- Good practices and patterns
- Solidity security anti-patterns — a great list
- DeFi security practices
- https://github.com/crytic/building-secure-contracts
- https://github.com/sigp/solidity-security-blog — list of known attack vectors and common anti-patterns
- Check out the ultimate checklist
- Understand SWC Registry
- Check out the following repositories
- ‣ — Smart Contract Security Verification Standard
- https://github.com/Rivaill/CryptoVulhub — attack events or vulnerabilities
- more repos at the end
- theauditorbook.com — a book about high to mid vulns from Codearena & Sherlock
- Play a bit with
- Real-scenarios alike
- 👾 Damn Vulnerable DeFi (♦️) by tinchoabbate
- Follow the solutions with my walk-through (⭐) — I really did put effort into this series
- https://github.com/eugenioclrc/DeFi-Security-Summit-Stanford — short and interesting
- Some more
- 🧑🏽🚀 Ethernaut (⭐)
- Solutions by cmichel
- ✊🏽 Capture the ether by smarx
- Ethereum Hacker
- Find more under CTFs category below
- Create content on your own
- Quick start
- Post on forum / social network about something you’ve found useful
- Post your solution for a challenge
- A step further
- Create a challenge and share it!
- Create a post sharing something you’ve found useful
- Bounties
- Blockchain & Web3
- 👽 Immunefi — web3 bug bounty platform
- ⌛ Code4rena — crowdsourced web3 bug bounty platform
- ⭕ HackenProof — web3 bug bounty platform
- 🪙 GitCoin bounties — bounty collaboration
- General purpose platforms
- Projecting jobs? Go back to 2. as well
- Differentiate where your skills excel and look for project's affinity
- Involve / engage more in communities / projects that you like
- Recommended discords
- WebtrES (Spanish)
- ManijasDev (Spanish)
- EthSecurity (English)
- Look for apprenticeships / fellowships / internships
- Or even your first job too! — thanks @tomasfrancisco for contributing with links
- ‣ — replace etherscan.io/[tx] with etherscan.deth.net/[tx] and see what happens ;)
- 🔎 4byte directory | sig.eth — a database with known function selectors
- 🔪 dETH tools — encoding, decoding, function selectors, abi and more
- Cyberchef (♦️) — general purpose tool, excellent for CTFs and web2 audits
- https://github.com/apoorvlathey/impersonator — impersonate any account with impersonator.xyz
- https://github.com/samczsun/abi-guesser — Abi Guesser by samczsun
- ‣ — EVM lab utilities
- https://github.com/Jon-Becker/heimdall-rs 🔥 — advanced EVM toolkit
- ethTX — ethereum transaction decoder
- Phalcon by blocksec — transaction Explorer (works on several networks)
- tx.eth.samczsun.com/ — ethereum transaction viewer by sam
- Breadcrumbs.app — open blockchain analytics platform
- Event & Function signature Sleuthing — investigate events and functions further 🕵️
- NansenAI — paid subscription, blockchain analytics platform
- SocketScan — track transactions across bridges (all chains)
- A bigger list with more block explorers!
- https://github.com/crytic/ethersplay — EVM plugin for Binary Ninja
- https://github.com/eveem-org/panoramix — another decompiler
- ethervm.io — online decompiler
- ABI for unverified contracts
- https://github.com/Jon-Becker/heimdall-rs — also includes a decompiler
- Slither - Static analysis from Trail of Bits.
- Echidna - Fuzzing from Trail of Bits.
- Manticore - Symbolic execution tool from Trail of Bits.
- MythX - Paid service for smart contract security from Consensys.
- Mythril - MythX free edition.
- tintinweb.vscode-ethover — ethereum account address hover info and actions
- esbenp.prettier-vscode — prettify all the things!
- NomicFoundation.hardhat-solidity — Solidity and Hardhat support
- tintinweb.vscode-solidity-flattener — flatten your projects
- tintinweb.vscode-solidity-language — language support, highlighting, and themes
- tintinweb.solidity-visual-auditor — source exploration and visual linting, among others
- tintinweb.vscode-decompiler — decompile the $h*! out of things
- ETH Security Toolbox - Docker containers with Trail of Bits security tools.
- Consensys Security Tools - A list of Consensys tools.
- https://github.com/nccgroup/web3-decoder — BurpSuite extension for web3
- Eth Build — An Educational Sandbox For Web3
- Ethereum developer tool-list by Consensys — +100 tools
- TheGraph — indexing protocol for querying networks like Ethereum and IPFS
- Filecoin — a decentralized storage network
- Moralis — web3 development platform, build dApps
- Alchemy — build and scale your dApps
- Dune — explore, create and share crypto data
- CREATE3 | Deploy a contract with the same address to all blockchains
- Cipher Shastra CTF-like challenges
- 🏁 Paradigm CTF 2021 — solutions by cmichel
- 🏁 Paradigm CTF 2022 (0xMonaco)
- 📃 Ethernaut DAO CTF — Challenges & WriteUps
- White Noise CTF
- OpenZeppelin's Ethernaut Challenges 📺
- Damn Vulnerable DeFi solutions 📺 by SmartContractProgrammer
- CryptoCTF
- EtherHack at Positive
- https://github.com/blockthreat/blocksec-ctfs
- NodeGuardians
Security related
@tinchoabbate, @samcszun, @0xZachxBT, @officer_cia, and me @mattaereal.
General purpose
@smsunarto, @austingriffith, @0xcygaar, @programmersmart, @web3isgreat.
Fun / Parody
- Use Web3 website: challenges, tutorials, grants, and more!
- The story behind the alternative genesis block
- Upgrading Ethereum “The ETH2 book”— A technical handbook on Ethereum's
- Beginner's Guide to Bitcoin Mixing
- A (Relatively Easy To Understand) Primer on Elliptic Curve Cryptography
- Devcon 6 Security track
- Ethereum smart contracts security recommendations and best practices
- Relevant Security GitHub repositories
- ‣ — list of security practices for DeFi protocols.
- https://github.com/blocksecteam/defi_poc — PoC for DeFi Vulnerabilities
- https://github.com/YAcademy-Residents/CommonWeb3SecurityIssues — common security findings in smart contracts
- Tech & VC: The Foundation
- https://github.com/coinspect/learn-evm-attacks — Learn & Contribute on previously exploited vulnerabilities across several EVM projects.
- https://github.com/0xNazgul/Blockchain-Security-Audit-List — A list of notable Blockchain Security audit companies.
- https://github.com/OffcierCia/Crypto-OpSec-SelfGuard-RoadMap — DeFi, Blockchain and crypto-related OpSec researches and data terminals.
- DeFi security small write-up series part I, part II, part III by Halbron
- Introduction to markets by UniswapBooksV3
- The Uniswap Standard, from Zero to Mastery
Link compilation credits to CIA Officer
- cadcad.org — An open-source Python package that assists in the processes of designing, testing and validating complex systems through simulation.
- tecommons.org — Sustainable & Ethical Design for Token Ecosystems
- machinations.io — Predict Game Economies & Systems
- https://github.com/jpantunes/awesome-cryptoeconomics #1 — ‣ #2
- https://github.com/melonattacker/utility-token-price-simulator — simulates general token price when setting parameters.
- https://github.com/tokenspice/tokenspice — EVM agent-based token simulator
- Trending NFT Collections by Sales
- Real-time NFT insights and high-fidelity data
- Your go-to destination for Web3 Social Intelligence
- The #1 source for NFT rarity
- Optimizers guide to Solidity
- With up to 4 functions, dispatch is done by checking the function selectors in order; after 4 functions, it's done by binary search.
- Using custom errors consumes less gas than other options.
- extcodecopy and codecopy are cheaper than sload and sstore.
- (bool success, bytes memory returnData) = target.call() automatically copies the return data to memory even if you omit the returnData variable. If a relayer executes transactions with such calls it can lead to a gas-griefing attack. The proper way to handle this is to do a low-level Yul "call" instead, with "out" and "outsize" argument values of zero. It looks like success := call(gas, target, value, add(calldata, 0x20), mload(calldata), 0, 0) where the last 2 args are "out" & "outsize" and are both 0 — by pashov
- In cases where you don't need to use 32-byte variables, in order to save gas, you should pack multiple variables inside the same slot using bit manipulation. Caveat: losing type safety.
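The gas-griefing point above, as an added example that is not from the original page or from pashov: a minimal relayer with the unsafe forwarding function next to the hardened Yul version, plus a test-fixture target that returns a large blob so the difference can be measured. The names Relayer, Griefer, forwardUnsafe and forwardSafe are chosen for this illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

/// Added example (not the page's code): a relayer forwarding an arbitrary call.
/// The target and calldata are assumed to come from a user-signed request.
contract Relayer {
    /// Vulnerable pattern: Solidity's high-level `call` copies the full
    /// returndata into memory even though `returnData` is discarded, so the
    /// relayer pays memory-expansion gas for whatever the target returns.
    function forwardUnsafe(address target, bytes memory data) external returns (bool success) {
        (success, ) = target.call(data); // returndata still copied into memory
    }

    /// Hardened pattern: Yul `call` with out = 0 and outsize = 0, so no
    /// returndata is copied and the target cannot inflate the relayer's cost.
    /// `data` is a `bytes memory` value: its length sits at `data`, its
    /// contents start at `data + 0x20`.
    function forwardSafe(address target, bytes memory data) external returns (bool success) {
        assembly {
            success := call(gas(), target, 0, add(data, 0x20), mload(data), 0, 0)
        }
    }
}

/// Test fixture (constructed for this example): a target that returns a
/// large blob from any call. Point both relayer functions at it to compare
/// gas usage; only forwardUnsafe's cost grows with the blob size.
contract Griefer {
    fallback() external payable {
        assembly {
            // return 1 MiB of zeroed memory to the caller
            return(0, 0x100000)
        }
    }
}
```

In a Foundry or Hardhat gas report, call forwardUnsafe and forwardSafe against Griefer with the same calldata: the unsafe path pays for the returndatacopy and memory expansion in the relayer's own frame, which is exactly the cost an attacker can inflate, while the safe path's cost stays flat regardless of what the target returns.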
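The slot-packing point, as an added example that is not part of the original page: three values that would otherwise occupy separate variables are packed into a single uint256 with shifts and masks, and unpacked again. The contract name PackedSlot and the field layout (64-bit timestamp, 32-bit counter, 1-bit flag) are assumptions made for this illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

/// Added example (not the page's code): manual bit-packing into one storage slot.
/// Layout of `packed` (low bits first):
///   bits   0..63  timestamp (uint64)
///   bits  64..95  counter   (uint32)
///   bit   96      flag      (bool)
contract PackedSlot {
    uint256 private packed;

    uint256 private constant TS_MASK = (uint256(1) << 64) - 1;
    uint256 private constant COUNTER_SHIFT = 64;
    uint256 private constant COUNTER_MASK = (uint256(1) << 32) - 1;
    uint256 private constant FLAG_SHIFT = 96;

    /// One SSTORE for all three fields instead of one per variable.
    function set(uint64 ts, uint32 counter, bool flag) external {
        packed = uint256(ts)
            | (uint256(counter) << COUNTER_SHIFT)
            | (flag ? (uint256(1) << FLAG_SHIFT) : 0);
    }

    /// One SLOAD, then mask and shift each field back out. The caveat from the
    /// text applies: the compiler no longer enforces the field widths, so the
    /// masks and shifts must be kept consistent with the layout by hand.
    function get() external view returns (uint64 ts, uint32 counter, bool flag) {
        uint256 p = packed;
        ts = uint64(p & TS_MASK);
        counter = uint32((p >> COUNTER_SHIFT) & COUNTER_MASK);
        flag = ((p >> FLAG_SHIFT) & 1) == 1;
    }
}
```

A round trip of set(1700000000, 42, true) followed by get() returns the same three values; the lost type safety shows up if, for example, the counter field is later widened without updating COUNTER_MASK, which would silently corrupt the flag bit.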