Awesome-Smart-Contract-Security

Table of Contents

• Blogs

• Papers

• Books

• Trainings

• Tools

  • Visualization
  • Verification
  • Linters
  • BugHunting
  • Reverse Engineering

• Awesome-Smart-Contract-Security !awesome

• Table of Contents

• Blogs

• Papers

• Books

  • Security Journal list

• Trainings

• Tools

  • Visualization
  • Verification
  • Linters
  • BugHunting
  • Reverse Engineering

• Labs

• Capture the Flag and Wargames

• Talks

• Misc

• Podcasts

• Cheat Sheets

• Checklists

• Bug Bounty & Writeups

• Bug Bounty Platforms & Project

Blogs

• Reversing Ethereum Smart Contracts
• Emin Gün Sirer, professor in Cornell Tech’s IC3 lab focused on blockchain security.
• Phil Daian, grad student behind KEVM, Hydra, and other Ethereum academic projects
• Cybersecurity R&D firm with a blockchain security practice
• Martin Swende, programmer and appsec consultant
• Company blog about security issues and practices within blockchain ecosystem
• Solidity Security: Comprehensive list of known attack vectors
• Use cryptography in mobile apps the right way
• Subzero is an HSM-backed method for cold storage of Bitcoin developed by Square
• Contract upgrade anti-patterns
• How the winner got Fomo3D prize — A Detailed Explanation
• How to debug Solidity Smart Contracts with Tenderly and Truffle
• Lashing out at a Spank Channel
• Malicious GasToken Minting
• Missing return value bug in ERC20 tokens
• Not A Fair Game – Fairness Analysis of Dice2win
• Initial Formal Verification of Ethereum Casper Protocol
• Security considerations for Shamir's secret sharing
• SmartDec smart contract audit beginner's guide
• The Anatomy of a Block Stuffing Attack
• The phenomenon of smart contract honeypots
• Use our suite of Ethereum security tools
• Vertcoin (VTC) was successfully 51% attacked

Papers

• Security Strengths and Weaknesses of Blockchain Smart Contract System: A Survey
• Ethereum smart contract security research: survey and future research opportunities
• Smart contract security: A software lifecycle perspective
• Ethainter: a smart contract security analyzer for composite vulnerabilities
• NeuCheck: A more practical Ethereum smart contract security analysis tool
• Smart contract: Attacks and protections
• Smart contract vulnerability analysis and security audite
• Security analysis methods on ethereum smart contract vulnerabilities: a survey
• Smart contract privacy protection using AI in cyber-physical systems: tools, techniques and challenges
• LedgerHedger: Gas Reservation for Smart-Contract Security
• Combining graph neural networks with expert knowledge for smart contract vulnerability detection
• Security checklists for Ethereum smart contract development: patterns and best practices
• Exploring Security Practices of Smart Contract Developers

Books

• Fundamentals of Smart Contract Security
• Hands-On Smart Contract Development with Solidity and Ethereum
• Mastering Ethereum

Security Journal list

• IEEE Transactions on Information Forensics and Security [web]
• Computer & Security[web]
• IET Information Security[web]
• ACM Transactions on Information and System Security[web]
• International Journal of Information Security[web]
• Security and Communication Networks[web]
• IEEE Security & Privacy[web]
• IEEE Transactions on Dependable and Secure Computing [web]
• Security and Communication Networks[web]
• Computer Fraud & Security[web]

Trainings

• SEC554: Blockchain and Smart Contract Security
• SecDim
• Ethereum Smart Contract Security
• Solidity, Blockchain, and Smart Contract Course
• Smart Contract Security 101
• Certified Blockchain Security Professional (CBSP)
• Learn blockchain security

Tools

Visualization

• ethereum-graph-debugger - A graphical EVM debugger. Displays the entire program control flow graph.
• Slither - Slither can map method visibility and modifiers, state variables that are read and written, calls, and can print the inheritance graph of a smart contract
• Solgraph - Generates DOT graphs with function control flow of a solidity contract
• Surya - Generates various visual outputs of function call graphs
• sol-function-profiler - Solidity contract function profiler

Verification

• KEVM - K Semantics of the Ethereum Virtual Machine (EVM)
• Manticore - Symbolic execution tool for EVM

Linters

• Remix - Browser-based Solidity IDE with linting features
• SmarrtCheck - A linter for Solidity and Vyper that checks code for security issues and bad practices.
• Solhint - Linter for both security and style-guide validations. It strictly adheres to the Solidity Style Guide.
• Solium - Linter for both security and style-guide validations. Does not strictly adhere to the Solidity Style Guide.

BugHunting

• Echidna - Fuzzer for Ethereum smart contracts. Uses property testing to generate malicious inputs that break smart contracts.
• Manticore - Symbolic execution tool for Ethereum smart contracts that includes detectors for common security flaws
• Mythril OSS - Open-source security analysis tool for Ethereum smart contracts built around detector modules
• Securify v2.0 - Static analysis tool from ChainSecurity
• Slither - Static analysis framework, written in Python, with detectors for many common Solidity issues
• Octopus - : Blockchain Smart Contracts (BTC/ETH/NEO/EOS)

Reverse Engineering

• abi-decompiler - EVM reverse engineering helper utility
• ethereum-dasm - EVM disassembler with static and dynamic analysis abilities, including function signature lookup
• Ethersplay - Visual disassembler for EVM bytecode built on Binary Ninja
• evmlab - Utilities for interacting with the Ethereum virtual machine
• IDA-EVM - IDA plugin to view EVM instructions
• Panoramix
• pyevmasm - EVM assembler and disassembler with a CLI and a Python API
• Rattle - EVM binary static analysis framework. Produces SSA representations of EVM code.

Labs

• Smart Contract Labs
• ChainLink Lab
• A lab that focuses on smart contract security

Capture the Flag and Wargames

• Capture the Ether
• The Ethernaut
• Etherhack
• Security Innovation Blockchain CTF
• Ciphershastra CTF
• Defi Hack
• Gacha Lab (BSC Testnet)

Talks

Misc

• Hacking Smart Contracts: Beginners Guide
• Security Pitfalls & Best Practices 101
• A guide to smart contract security best practices
• Decentralized Application Security Project (or DASP) Top 10
• Solidity Security Considerations
• A Collection of Vulnerabilities in ERC20 Smart Contracts
• Examples of Solidity security issues
• A guide to smart contract security best practices
• A guide to EOS smart contract security best practices

Podcasts

• CoinSec Podcast
• The Smartest Contract
• Zero Knowledge

Cheat Sheets

• Solidity Cheat Sheet
• Solidity Cheatsheet and Best practices
• Ethereum Cheat Sheet
• The Ultimate Blockchain Cheat Sheet

Checklists

• Solidity Auditing Checklistt
• SMART CONTRACT SECURITY CHECKLIST
• Smart Contract Security Audit: Intro & Top 5 Best Practices
• Smart Contract Security Verification Standard
• Security checklists for Ethereum smart contract development

Bug Bounty & Writeups

• Hands on the Ethernaut CTF - Writeups for various Ethernaut CTF challenge contracts.

• Ethernaut - Naught Coin (ERC20) Exploitation - Writeup for a vulnerable ERC20 from the Ethernaut CTF.

• EtherHack CTF Writeup - Writeup for EtherHack CTF challenges.

• PolySwarm Smart Contract Hacking Challenge Writeup - Demonstrates advanced use of Manticore

• Write up of Metaplex Vuln 2022

• Smart Contract security audit reports

Bug Bounty Platforms & Project

• Immunefi
• hackenproof
• ETHEREUM Bounty Program
• Etherscan Bugbounty Program
• Parity Bug Bounty Program
• Gitcoint project
• Code Arena Bugbounty project
• Smartlink Dapps