- Introduction
- Blockchain Fundamentals
- Ethereum and Solidity Fundamentals
- Smart Contract Security
- Defi
- Zero Knowledge Protocols
- Reading Level 2
- Doing
- Reading Level 3
In the rapidly evolving world of blockchain technology, smart contracts have become the backbone of decentralized applications, executing transactions and holding user funds without a central operator. However, their complexity, together with the fact that deployed code is public and usually cannot be patched in place, makes them susceptible to vulnerabilities and an attractive target for attackers.
To ensure the robustness of smart contracts and protect user funds, the role of smart contract auditors has grown in significance. These skilled professionals possess a unique blend of blockchain knowledge, programming skills, and security expertise, enabling them to identify and address potential weaknesses in smart contract code.
This document serves as a comprehensive self-education roadmap for aspiring smart contract auditors. It outlines essential topics, valuable resources, and practical exercises to empower auditors in conducting thorough and effective smart contract audits. Whether you're a blockchain enthusiast, a bored-of-development engineer like me, or a security specialist seeking to specialize in smart contract auditing, this roadmap will help you gain the skills needed to kickstart your career in the field. Follow this guide and happy hacking!
P.S.: This guide assumes you are already familiar with core computer science topics: you are proficient in coding and architecture design, have a deep understanding of networking and TCP/IP, and are at least familiar with the information security discipline (protocols, cryptography basics, penetration testing, OWASP). If something on that list is missing, it is more efficient to spend some time on those basics first and then come back.
P.P.S.: Some knowledge of traditional finance makes you even more effective: it helps you understand DeFi protocols better and pentest them more effectively.
These are some useful books I've read to understand the technology, the blockchain economy, and blockchain architecture from a technical point of view.
- “Blockchain: Blueprint for a New Economy” by Melanie Swan.
- “Beginning Blockchain. A Beginner's Guide to Building Blockchain Solutions” by Bikramaditya Singhal, Gautam Dhameja, Priyansu Sekhar Panda
In this section, you can find books and other resources dedicated to Ethereum and the Solidity language (some of them are in Russian).
- “Mastering Ethereum: Building Smart Contracts and Dapps” by Andreas Antonopoulos and Gavin Wood Ph.D.
- Ethereum learn hub - https://ethereum.org/en/learn/
- Ethereum whitepaper - https://ethereum.org/en/whitepaper/
- Official docs for Solidity language - https://docs.soliditylang.org/en/v0.8.21/
- Solidity short videos course by Smart Contract Programmer - https://youtube.com/playlist?list=PLO5VPQH6OWdVQwpQfw9rZ67O6Pjfo6q-p
- Solidity course by Ilya Krukowski - https://youtube.com/playlist?list=PLWlFXymvoaJ92awHVDO0oSy0z0ZFJifDV
- Tutorials and course videos of Dapp University - https://youtu.be/cGQHXmCS94M
- Solidity tutorial by Block Explorer - https://youtube.com/playlist?list=PLD_RqipW0-9vfAiZwpdR1VlRuJYjyCe4b
This is one of the most important sections of this guide: books and other resources covering smart contract security, including known vulnerabilities, attack vectors, and best practices.
- “Fundamentals of Smart Contract Security” by Richard Ma, Jan Gorzny, Edward Zulkoski.
- Ethereum.org guidelines for building secure Ethereum smart contracts - Ethereum Security Best Practices
- Smart Contract Security by RareSkills - Smart Contract Security
- Secure Development Series by OpenZeppelin - YouTube Playlist
- Smart Contract Vulnerabilities by kadenzipfel - GitHub Repository
- Solidity Best Practices for Smart Contract Security by Consensys - Solidity Best Practices
- NFT attack vectors by QuillHash - GitHub Repository
- Solidity attack vectors by QuillHash - GitHub Repository
The resources that helped me get into finance and learn DeFi-specific material.
- Finance and capital markets by Khan Academy - Khan Academy
- Teach Yourself crypto, defi - Teach Yourself Crypto
- Defi by Finematics - YouTube Playlist
- Defi by Smart Contract Programmer - YouTube Playlist
- Defi attack vectors by QuillHash - GitHub Repository
Zero-knowledge proofs are one of the most interesting and promising subfields of blockchain technology and a must-read:
- Zero Knowledge Mastery by Quillhash - GitHub Repository
- Awesome zero knowledge proofs - GitHub Repository
- Zero Knowledge Proofs: An illustrated primer - Blog Post
- Demystifying zero-knowledge proof - YouTube Video
- Introduction to SNARKs/STARKs - YouTube Video
- On Interactive Proofs and Zero-Knowledge - Medium Article
- ZK Basics Cheatsheet - GitHub PDF
- A Non-Mathematical Introduction to Zero Knowledge Proof - Medium Article
- The ‘zk’ in zkLink - Zero Knowledge Proofs - Blog Post
- What are Zero Knowledge Proofs? - Decrypt Article
In this section, you can find a mix of in-depth articles and other types of information related to Ethereum core, smart contract security, coding best practices, design patterns, L2 chains, interesting protocols, tutorials, and public audit reports.
- Contract upgrade anti-patterns by Trail of Bits - Blog Post
- Polygon blockchain explained: A beginner’s guide to MATIC - CoinTelegraph Article
- ChainLink oracle - YouTube Channel
- An Introduction to BNB Smart Chain (BSC) - Binance Academy Article
- Optimism - Optimism Community
- EVM handbook, a gem with a complete list of EVM topics - Notion Document
- Open Zeppelin public audit reports - Security Audits
- The Art of Oracle Manipulation by Ferdous Niloy - LinkedIn Article
- OpenZeppelin Security Reports in their blog - Blog
- Getting Deep Into EVM: How Ethereum Works Backstage - Medium Article
- A Comparative Analysis of Smart Contract Fuzzers’ Effectiveness - Research Paper
- Advanced gas optimization tips for Solidity - Dev.to Article
- A beginner's guide on algorithmic stablecoins - CoinTelegraph Article
- What Are Stablecoins - Chainlink Education Hub
- Writing cheaper contracts in Solidity - BetterProgramming Article
- Multichain Auditor by 0xJuancito - GitHub Repository
- Crypto bits by Ilya Krukowski (in Russian) - YouTube Playlist
- DeFi Hacks Analysis - Root Cause by DeFiHackLabs - Web3sec Notion
- All awesome oracle manipulation related content by 0xcacti - GitHub Repository
- Lens Protocol Workshop - Chainlink Spring 2023 Hackathon - YouTube Video
- Cryptography 101 for Blockchain Developers (3 Parts) - YouTube Playlist
- AAVE whitepaper - GitHub PDF
- Blockchain Oracle Design Patterns - ArXiv Paper
- Blockchain Security Audit List by 0xNazgul - GitHub Repository
- Security Pitfalls & Best Practices 101 - Secureum Substack
- Security Pitfalls & Best Practices 201 - Secureum Substack
- Audit Techniques & Tools 101 - Secureum Substack
- Audit Findings 101 - Secureum Substack
- Audit Findings 201 - Secureum Substack
This section covers all of the hands-on stuff: CTF games for learning Solidity and smart contract vulnerabilities, coding and analysis tools, and well-known bug bounty platforms where you can test your knowledge, start real pentesting, and earn.
- Ethernaut - Ethernaut Game
- CryptoZombies - CryptoZombies Course
- Capture the ether - Capture the Ether Game
- Damn Vulnerable Defi - Damn Vulnerable DeFi
- QuillCTF - QuillCTF
- Curta CTF - Curta CTF
- Alchemy University - Alchemy University
- Reproduce DeFi hack incidents using Foundry - GitHub Repository
- Solhint - GitHub Repository
- Slither tool - GitHub Repository
- Mythril tool - GitHub Repository
- Diligence Fuzzing - Consensys Diligence
- Immunefi bug bounty platform - Immunefi
- Code4rena competitive audit platform - Code4rena
In this section, I've collected sources for daily reading and learning such as newsletters, channels, and influential figures in the field.
- CoinMarketCap newsletter - Newsletter
- Decrypt newsletters - Newsletter
- BlockWorks newsletters - Newsletter
- Whiteboardcrypto - Whiteboardcrypto
- Decenter (in Russian) - Telegram Channel
- Bankless news - Bankless
- The Block newsletter - Newsletter
- (to be continued)
Thanks for using my guide and feel free to contribute!