Co-Funder of
@ShieldifySec
🛡️Blockchain security audits. Your security partner, for the long term. We have audited Lido, IPOR, Colb, Ion, Kroma, Pear and more.
List of 32 Smart Contract Vulnerabilities Which every Alpha Smart Contact Auditor should know immediately 😈
l’d appreciate a retweet, spread the knowledge 🫡
This is gold! 🪙
How to become a Smart Contract Security Researcher in 2024 - Roadmap!!
I’d appreciate a repost, spread the knowledge 🫡
Now follow the thread 👇
TOP 20 public smart contract audit repositories by TOP audit companies, You Must Go Through. 🥇
Everyone chooses whether to be the Alpha Guardian of the smart contracts, Make your choice now! 👊
Retweet this post and let us all become Alpha 😈Guardians
Now follow the thread 👇
In one post - Bookmark % Repost 🫡
You must read these papers if you're auditing ________
1. Lending Protocol
- Lending and Borrowing:
Link:
- Liquidations:
Link:
- Rewards:
Link:
- Typical
If you want to learn Uniswap V2 read this book:
Link:
If you want to learn Compound V3 read this book:
Link:
If you want to learn Zero Knowledge read this book:
Link:
If you want to learn Gas Optimization
The repository contains a list of 54 Basic Solidity Attack Vectors 🪲
A must read for every Alpha Auditor 😈
I’d appreciate a retweet, spread the knowledge 🫡 👇
Smart Contract Audit Process
1. First read the f*cking docs
2. Read the code line by line
3. Add comments to the code (I use Inline bookmarks)
4. Back to docs again
5. Run the tests
6. Try to find vulnerabilities and write a PoC
Black Hat Rust
You are a developer and want to learn security?
You want to learn real-world and idiomatic rust practices?
You want to start making money with bug bounty programs?
You are a security engineer and want to learn Rust programming?
LINK:
This is gold! 🪙
Solana/Rust Auditing and Security Resources:
A collection of resources to study Solana smart contract security, auditing, and exploits.
I’d appreciate a retweet, spread the knowledge 🫡
I remember when I was working at my 8 hour job and I dreamed of becoming an Independent Smart Contract Auditor, yes I was afraid to take that risk...
But, in the end, I did, I quit my job and why?
- To focus 100% in Web3 Security and give my best!
Was It Worth It?
- Haha that
A Curated List of Web3 Security - Wargames, Challenges, and Capture the Flag (CTF) competitions and solution writeups!
All Web3 Security resources to learn are absolutely free and shared daily
All you need is a desire to learn!
Smart Contract Security
This article serves as a mini course on smart contract security and provides an extensive list of the issues and vulnerabilities that tend to recur in Solidity smart contracts.
List of 16 Known Solidity Compiler Vulnerabilities + Preventative Techniques which every Alpha Smart Contract Auditor should know very well 😈👇
l’d appreciate a retweet, spread the knowledge 🫡
Web3 Security is one of the few space where everyone shares knowledge, helps others and motivates, it's just amazing
Аll stuff you need to learn to become a Аlpha are free on Twitter/Github/Medium and Youtube but most people just don't realize it
I'm glad to be a part of it
Amazing List of Foundry Resources!
- Tools (Frameworks, plugins and utilities for Foundry)
- Solidity templates, libraries or utilities that use Foundry
- Tutorials
- Projects Using Foundry
I’d appreciate a repost, spread the knowledge! 🫡
If you're auditing ZK (Zero Knowledge) Protocol you must read these papers! 🪙
1. A curated list of awesome ZK resources, libraries, tools and more
Link:
2. Security Reviews
Link:
3. ZK Bug Tracker - Common Vulnerabilities
Link:
Flash Loans and how to hack them: a walk through of ERC 3156
This article describes the ERC 3156 flash loan specification as well as the ways flash lenders and borrowers can be hacked
Thanks
@RareSkills_io
If you're doing an audit of ERC-4337(Account Abstraction) you must read:
1. All About ERC-4337 (Account Abstraction):
Link:
2. Account Abstraction Security Guide:
Link:
3. ERC4337 Audit Checklist
Link:
SOLC(solidity compiler) Internals in three parts:
Part 1: Calling Conventions:
Link:
Part 2: Data Locations
Link:
Part 3: Quirks & Optimizations:
Link:
Become a Blockchain Dev and then an Independent Smart Contract Auditor...
Wrong....
Become an Independent SM Auditor directly and don't waste your time because you might miss the Unique opportunity right now! 😈
Easy question:
When you call the `anon` function, what will it return and why?
1. The address of the caller(user wallet)
2. The address of the contract A
3. The address of the contract B
The big mistake of everyone who starts Web3 Security
Don't chase money!
Knowledge will help you find the vulnerabilities and the money will come by itself, Knowledge is power!
What is a Merkle Tree?
Merkle tree is a generalisation of a hash list or a hash chain. It has “leaf” nodes, each of them have a cryptographic hash of a data black they’re accossiated with. Every node that is not a “leaf” (they’re called branch or inner node) is labelled with the
Being an Independent Smart Contract Auditor is the amazing thing, but...
But few can take that risk, to quit their 8 hour job and focus 100% on Web3 Security
Are you ready to take that risk?
1. You're a Blockchain Dev
2. You're a Smart Contract Auditor/Researcher
We need you:
1. To build really cool protocols
2. To secure these cool protocols
The only way for Web3 Space to grow!
If you are doing an audit of DeFi protocol (CDP/Lending, LSD, AMM).
You should read these articles:
Typical vulnerabilities in lending and CDP protocols:
Link:
Typical vulnerabilities in LSD protocols:
Link:
Typical
There is no easy money made from Web3/Web3 Security
- A lot of hard work required
- Sometimes sleepless nights
- Work almost every weekend minimum 5/6 hours
Would you sacrifice your time for a more secure Web3 Space?
If you're doing an audit of Liquid Staking protocol you must read:
1. Staking withdrawals
Link:
2. How Do Ethereum Withdrawals Work
Link:
3. EIP-4895: Beacon chain push withdrawals as operations
Link:
4.
ZK Journey
Journey into learning ZK. It is NOT a list of awesome resources; it’s the path I’ve taken in demystifying ZK
- Core Beginner Resources
- Theoretical Deep Dives
- Practical Deep Dives
- ZK Vulnerabilities
If you're auditing protocol integrates with external Oracle smart contracts you must read these papers!
1. All about Oracles
Link:
2. The Dangers of Price Oracles in Smart Contracts:
Link:
3. TWAP Oracle Manipulation Risks, Mudit
Common ERC20 token Vulnerabilities:
- ERC20: Fee on transfer
- ERC20: rebasing tokens
- ERC20: ERC777 in ERC20 clothing
- ERC20: Not all ERC20 tokens return true
- ERC20: Address Poisoning
- ERC20: Just flat out rugged
What will you add?
If You Want to Learn More about EVM bytecode with the Huff Language. This github repo is for you!
A series of puzzles that go from very easy to more difficult so that you can have a hands-on introduction
A very useful Resource for ZK Bug Tracker + Common Vulnerabilities - for Alpha Smart Contract Researchers who will be participating in C4's upcoming $1,100,000 Audit Competition - (ZK Circuits) 🫵✌️
Understanding Smart Contract Metadata!
When solidity generates the bytecode for the smart contract to be deployed, it appends metadata about the compilation at the end of the bytecode. We will examine the data contained in this bytecode.
If you're doing an audit of Cross Chain Protocol ( LayerZero) protocol you must read:
1. Best Practice
Link:
2. A Deeper Look Into DeFi's Cross-Chain Tech
Link:
3. LayerZero Omnichain Contract Examples
Link:
4.
Smart Contract Audit Process in 2023
1. First read the f*cking docs
2. Read the code line by line
3. Add comments to the code (I use Inline bookmarks)
4. Back to docs again
5. Run the tests
6. Try to find vulnerabilities and write a PoC
In 2024, what changed for you?
Nice Book About - How to DeFi: Advanced
- What is DeFi and their differences with traditional finance
- What is Ethereum and its role in DeFi
- Step-by-step guides in using the various DeFi applications
- Real-life use cases of DeFi
And more
PDF LINK:
Every Web3 Researcher should have watched this YT video about -> EVM: From Solidity to byte code, memory and storage! 🙃
I’d appreciate a repost, spread the knowledge!
1/ Stack: - EVM Opcodes pop information from and push data onto the stack.
2/ CallData: - Transaction
Why be a full-time Independent Smart Contract Researcher?
A combination of many things:
- Decentralization
- Lifestyle
- Community
- Innovative technology
- Protection of a lot of money
- Business opportunities
- Valuable protocols
- learn new things every day
- Much work
How to become a Better Smart Contract Auditor?
It's simple, put maximum time into it and do it willingly, every single day, no Excuses
First is learning, then the first letter of the word Learn is removed
Oracle Manipulation 🧐
It is one of the most common attack vectors in DeFi, so both auditors and protocols need to learn what it is and how to deal with it, so get your notepads out and dive into our thread.
📍Oracle Manipulation: Theory
Firstly, let’s figure out how and why
There will be so many opportunities in Web3 Security/Web3 space this year, just don't miss them!
That's why
@ShieldifySec
already works with nearly 10-13 Top Smart Contract Auditors in the Web3 Space
for Solidity, Vyper, Rust/Solana, Go and Cairo!
I remember when my colleagues at my last 8 hour job told me that very few people succeed in becoming Independent Smart Contract Auditors...
- It is very difficult...
- Why do you want to do that...
- You will fail...
Never listen to other people's opinions.
Just because they
Stress doesn't come from hard work, the stress primarily comes from not taking action over something that you can have some control over
Stress comes from working hard on something that u don't want to work on
Stress comes from ignoring things that shouldn't be ignoring
Inflation Attack - examples + code
We will deep dive into the third high-severity finding in
@code4rena
's KelpDAO contest.
In simple terms, wardens had to audit a vault, node delegators (they’re used to invest in strategies), rsETH token (vault token) and oracle to calculate
Typical Vulnerabilities in Lending and CDP protocols⚔️
Еxplains the security of a popular pattern in the decentralized finance — the CDP(collateralized debt position)
l’d appreciate a retweet, spread the knowledge 🫡
Repository Reproduces ECDSA Signature Vulnerabilities:
This repo contains different chapters each focusing on one attack:
- ECDSA signatures are malleable.
- ECDSA signatures are not unique.
- ECDSA signatures can reveal your private key if you use the same random number (aka