Welcome to the repository for the Wallet & Post-Deployment Security Course by Cyfrin Updraft!
This repository houses the written content of our courses, organized to facilitate easy access and contribution from our community. Please refer to this for an in-depth explanation of the content:
- Website - Join Cyfrin Updraft and enjoy 50+ hours of smart contract development courses
- Twitter - Stay updated with the latest course releases
- LinkedIn - Add Updraft to your learning experiences
- Discord - Join a community of 3000+ developers and auditors
- Newsletter - Weekly security research tips and resources to level up your career
- Codehawks - Smart contracts auditing competitions to help securing web3
This was considered part 2 of the security and auditing course, but now, it's it's own living breathing course!
- Wallet & Post-Deployment Course
- Introduction, Resources, and Prerequisites
- Section 1: Wallet & Key Management
- Section 2: Post-deployment
- Congratulations
- Thank you
β οΈ All code associated with this course is for demo purposes only. They have been audited, but we do not recommend them for production use and should be used at your own risk.
Join Cyfrin Updraft for the best learning experience!
- AI Frens
- ChatGPT
- Just know that it will often get things wrong, but it's very fast!
- Phind
- Like ChatGPT, but it searches the web
- Bard
- Other AI extensions
- ChatGPT
- Github Discussions
- Ask questions and chat about the course here!
- Stack Exchange Ethereum
- Great place for asking technical questions about Ethereum
- Peeranha
- Decentralized Stack Exchange!
- TBD...
Note: We do not endorse any of the following wallets. All we have done is take a look to see if these wallets pass a small series of tests to make sure code that the developers release can be verified.
An intermediate understanding of solidity. You don't need to be a pro, but you should be familiar with:
- Blockchain basics (transactions, blocks, decentralization, etc)
- Running a smart contract test suite (hardhat, foundry, truffle, etc)
- Solidity basics (variables, functions, structs, etc)
- Understand the potential dangers of different wallets
- Understand how, as a protocol/developer, you should choose a wallet
- Understand what you need in place after you deploy your contracts
Q: Why are we giving guidelines and not strict recommendations?
A: The wallet industry is constantly changing, and takes a LOT of work to assess how good different wallets are. Additionally, if you know what to look out for, that is more valuable than us giving you point-in-time recommendations.
- Article
- Custodial Wallets
- "Hot" Wallets
- Metamask
- Frame
- Rabby
- Rainbow
- Where is my private key stored?
- Where does metamask store my seed?
- "Cold" Wallets
- Lattice
- Trezor
- Hacked hardware wallet
- Multi-sig (Yes - Set one up)
- 1 of 1, or x of y
- Case Study: Vulcan
- Future: Account Abstraction
Tl;dr - the same things you'd look for in a protocol!
- Open source
- Active development
- Audit history (Who did the review? What did they find? How good is the group?)
- non-custodial
- Do they have a security bounty program
- If they ask you to wear your wallet around your neck, stay far away from them
- Interview with Wallet Scrutiny
- Store the private key, not the secret phrase
- Paper wallet
- "brain" wallet
- Encrypted file
- Case Study: LastPass
- Case Study: Mixin
- Rotate keys
- Physical security
- Social recovery
- Wallets
- Foundry's cast
- Joinfire
- Metamask snaps
ππππππππππππππππππππππππππ
π Exercises:
- Set up your Safe!
- Review classic key leeks
.envleak with private keys- Research one private key leak from rekt.news
- Check out keepmesafe
- Coming soon
ππππππππππππππππππππππππππ
(back to top) β¬οΈ
Ideally, you'll want all of this setup before you go to production.
- Have a security contact / bug bounty / safe harbor before you deploy
- Setup monitoring before you deploy
- Run a disaster recovery drill before you deploy
- Never exploit a smart contract without working with those responsible
- Even if you have good intentions
- The only caveat is maybe if the transaction is already in the mempool
- Get familiar with responsible disclosure
- Get familiar with toolings & platforms:
- Bug bounties
- Blockchain sleuthing
Watch this video from DeFi security summit
- Written & tested incident response plan
- Remember the rekt-test
- Have a "security contact" email in your code
- If you're a DAO, potentially elect a security officer
- Setup your monitoring system for invariants
- Setup your bug bounty/safe harbor program
- Example Openzeppelin
- Contact information
- Bug Bounty
- Security Patches / Disclosures / Advisories
- Safe Harbor
- Additional Audits
- Roll your own
- Immunefi
- HackerOne
Do not exploit it
- Responsible Disclosure
- Steps:
- Contact the team / those resonsible / bug bounty program
- Optionally, if they have a bug bounty/responsible disclosure procedure, use that
- SEAL 911 (or other 911 groups) is always a good option
- "Close the windows and blinds"
- Make sure you're on a secure chat channel, for example an E2E encrypted signal channel
- Verify the bug with the team / those responsible
- Come up with a game plan to fix
- This is where things get hard. Potentially pause the protocol, try to sneak it past governance, etc.
- Use a MEV-proof RPC
- Deploy and execute your fix in 1 single transaction, potentially with a whitehat kit to batch your transactions together.
- They don't have a security contact or bug bounty
- If there is really no one responsible for the code (this is web3 after all) you may have to announce and give people a long window of opportunity for them to leave the protocol, before announcing the issue.
- They ignore the bug?
- Give them a window to fix or acknowledge it, otherwise tell them you'll need to go public with the information. Give people the chance to leave the protocol before you publically disclose the issue. Use this as a last resort!
- They don't pay you for your work?
- Difficult one. You can always blast them on Twitter, but that can backfire. Ideally everyone works together.
- If you start to negotiate a bounty, you are now a black hat.
- The transaction is already in the mempool?
- This is the only time it might be ok to exploit it, by front-running the attack. However, there still may be legal ramifications.
-
Blockchain sleuthing
- Metadoc
- Phalcon
- OpenChain
- Dune analytics
- Tenderly
- Up and coming
-
White/No/Black Hat Case Studies
- Nohats
- Balancer
- Vyper
- Whitehats
- Astaria
- ParaSpace
- Blackhats
- Euler
- Many more
- Nohats
π π π π π π π π π π π π π π π π π π π π π π π π π π π
- Coming soon...
(back to top) β¬οΈ
ππππππππππππ Completed The Course! ππππππππππππ
If you've made it this far... wow.
Coming soon: The EVM, Assembly, and Formal Verification Course!!
- Competititve Audits
- CodeHawks
- We are working on many things to get you more deals. Stay tuned...
- Code4rena
- Hats Finance
- CodeHawks
- CodeHawks Discord
- Start marketing your services
- Twitter, Farcaster, LinkedIn, etc
- Blogging: Medium, Mirror, etc
- Bug Bounties
- Patrick Collins YouTube
- Solodit
- Block Threat Intelligence (Referral Link)
- Consensys Diligence Newsletter
- Owen Thurm YouTube
- The Red Guild YouTube
- Cyfrin YouTube
The Cyfrin team runs CodeHawks, Cyfrin Updraft, and private security reviews. They are an advisor to the Peeranha project, and run various blockchain nodes like Chainlink & Ethereum. Additionally, the are responsible for the creation of the Aderyn and Solodit tools.
- XXXX
Thanks to everyone who is taking, participating in, and working on this course. These courses are passion project data dumps for everyone in the web3 ecosystem.
Let's level up so we can keep web3 safer, and thank you again for taking this course!
(back to top) β¬οΈ