Play & Learn Smart Contract Hacking:

• capturetheether.com

• ethernaut.openzeppelin.com

• cryptozombies.io

• dappuniversity.com

• damnvulnerabledefi.xyz

• github.com/blockthreat/blocksec-ctfs

• w3bs3c.com/about

• useweb3.xyz/code-challenges

• speedrunethereum.com

• based.builders

• eth.build

• github.com/fvictorio/evm-puzzles

• github.com/daltyboy11/more-evm-puzzles

• cryptohack.org

• Etherhack

• Security Innovation Blockchain CTF

• Ciphershastra CTF

• Defi Hack, (1)

• github.com/blockthreat/blocksec-ctfs

---

Follow:

• Smart contract auditor pathway 

• All known smart contract-side and user-side attacks and vulnerabilities

• DeFi developer roadmap

• OfficerCIA database

• Channel tag cloud

• Join my chat

• Join developer communities & chats

DeFi RoadMap:

• French

• Gujarati

• Korean

• Italiano

• Spanish

• Chinese

• Main

Practice:

• Use just about everything from my special compendium: telegra.ph/All-known-smart-contract-side-and-user-side-attacks-and-vulnerabilities-in-Web30--DeFi-03-31 and https://telegra.ph/Solidity-Catsheets-Pack-03-20 ❗️❗️❗️

• Study: quillaudits.substack.com/p/openseas-official-discord-compromised and rekt.news

• Separately, you'll need to study the audit checklists: t.me/officer_cia/177

• twitter.com/0xBlasco/status/1500455598684618753 - these courses

• Blockchain security framework - t.me/officer_cia/232

• Tokenomics simulation tools t.me/officer_cia/69 and understand it (resources) t.me/officer_cia/89

• speedrunethereum.com or cryptozombies, capture the ether or ethernaut.openzeppelin.com (see my selection - the very first link in the article, there is a section about gamification)

• Study very carefully github.com/Rari-Capital/solcurity and cmichel.io/how-to-become-a-smart-contract-auditor and pentacle.xyz/projects/security

• The internal security of the project - docs.google.com/document/d/1-_0Wlwch_vtkPM4F-SdEXLjQYaYT7KoPlU2rjt7tkLQ/edit

---

Learn active defense techniques:

• smartcontractresearch.org/t/mitigations-against-flash-loan-enabled-attacks/615 and arxiv.org/abs/2003.03810 

• smartcontractresearch.org/t/from-zapper-post-mortem-to-using-front-run-in-project-defense-theory-post/545 

• Tenderly.co alerts - officercia.medium.com/tenderly-app-a-swiss-pocketknife-for-the-web3-developer-89bb904bee46

• github.com/pr0toshi/rateLimit

• github.com/Rari-Capital/solcurity

• Study medium.com/immunefi/hacking-the-blockchain-an-ultimate-guide-4f34b33c6e8b and wufflz.notion.site/Blockchain-security-guide-b26aec3d920e414d8a354618d3e36eb4

  https://link.medium.com/NBANM4gOirb

• And you can also study github.com/0xsanny/solsec

• All audit/security tools - telegra.ph/ETHSec-Tools-02-13, github.com/nascentxyz/simple-security-toolkit

• Check resources here t.me/cryptooffensive

• OpSec Principles - graph.org/Key-principles-of-storing-crypto-cold-wallet-attacks-defense-methods-best-practices--Bonus-04-23 github.com/undergroundwires/privacy.sexy , web.archive.org/web/20220302223645/https://anonymousplanet.org/guide.html

• Forensics/Research in Crypto: t.me/officer_cia/236 mirror.xyz/officercia.eth/BFzv17UwH6QG4q711NAljtSiP8eKR17daLjTdmAgbHw

• All TX analysis tools list graph.org/TX-Analysis-tools-04-19

• Honeypot detection tools graph.org/A-Short-List-of-the-Rug-Checker-Tools-04-09

• Bugs and vulnerabilities that exist in Web2 and Web3 - www.theseus.fi/bitstream/handle/10024/170724/Aboualy_Mahmoud_bachelor_thesis.pdf

• All about MEV - t.me/officer_cia/146

• Be sure to study defieducation.substack.com/p/how-to-read-smart-contracts-part?s=r and blog.trustlook.com/understand-evm-bytecode-part-1/ and all the posts by these Authors

• start.me/p/QRg5ad/officercia - peruse my Awesome Blogs section and Sec section (on the right side, just below the defi map-tree)

• telegra.ph/Article-08-08 - frontend security

• NFT security telegra.ph/NFT-security-01-28

• Explore hack cases newsletter.blockthreat.io

• Study github.com/emilianobonassi/security-toolkit and www.smartcontractresearch.org/t/research-summary-a-systematic-literature-review-of-blockchain-cyber-security/1299

• Attack Vectors - github.com/sirhashalot/SCV-List github.com/KadenZipfel/smart-contract-attack-vectors swcregistry.io

• Study the Framework securing.github.io/SCSVS/SCSVS_v1.1.pdf and github.com/securing/SCSVS

• Read posts on Medium by Mudit Gupta, Immunefi and BlockSec team, also twitter.com/officer_cia/status/1519371437068505089 all 4 threads, arxiv.org/pdf/2106.10740.pdf and arxiv.org/pdf/2109.06836.pdf

Check out first:

• cmichel.io/how-to-become-a-smart-contract-auditor

• devansh.xyz/blockchain-security/2021/09/17/genesis-0x01.html

• www.notonlyowner.com/learn/intro-security-hacking-smart-contracts-ethereum

Practice once again!

• arxiv.org/pdf/2106.10740.pdf - Threat Modeling

---

• arxiv.org/pdf/2109.06836.pdf - User-Side Attacks

---

• arxiv.org/pdf/2203.02662.pdf - Metaverse Security

---

• github.com/xf97/JiuZhou - Bugs in Solidity

| Also check out: github.com/sigp/solidity-security-blog & graph.org/Solidity-Cheatsheets-Pack-03-20

---

• blog.embarklabs.io/news/2020/01/30/dapp-frontend-security/index.html - DApp frontend security.

• www.theseus.fi/bitstream/handle/10024/170724/Aboualy_Mahmoud_bachelor_thesis.pdf - Learning Best Practices from Web Applications to Avoid Similar Security Vulnerabilities in Decentralized Applications.

---

• arxiv.org/pdf/2106.09349.pdf

• twitter.com/officer_cia/status/1422785502634196996 & twitter.com/officer_cia/status/1409537800022659074 - More about Oracle attacks

• blog.euler.finance/uniswap-oracle-attack-simulator-42d18adf65af?gi=8ad59382eefb - UniV2 Oracle attack simulator.

---

Awesome Bonus:

• github.com/KadenZipfel/smart-contract-attack-vectors - All known Smart Contract Attack Vectors

• graph.org/NFT-security-01-28 - NFT security

• graph.org/ETHSec-Tools-02-13 - All ETH security tools existing

• www.phishfort.com/blog/web3-phishing-has-finally-arrived - Web3 phishing

• bloom.co/blog/6-ways-a-site-can-attack-your-metamask/ - MetaMask targeted attacks.

• newsletter.blockthreat.io - All hacks and security incidents in Web3 timeline.

• graph.org/Key-principles-of-storing-crypto-cold-wallet-attacks-defense-methods-best-practices--Bonus-04-23

• github.com/uni-due-syssec/eth-reentrancy-attack-patterns

• blog.chain.link/defi-security-best-practices

• a16z.com/2022/04/23/web3-security-crypto-hack-attack-lessons

• medium.com/immunefi/hacking-the-blockchain-an-ultimate-guide-4f34b33c6e8b

---

Cool Data:

• swcregistry.io - Smart Contract Bug Database

• arxiv.org/pdf/2105.06974.pdf - A Survey of Security Vulnerabilities in Ethereum Smart Contracts

• www.researchgate.net/publication/353794368_SMART_CONTRACTS_VULNERABILITIES_AND_REAL_ATTACKS - General Overview

• www.researchgate.net/publication/338926064_Smart_Contract_Attacks_and_Protections - General Overview

• www.ndss-symposium.org/wp-content/uploads/NDSS2021posters_paper_2.pdf - Attacks on RPC

• eprint.iacr.org/2021/1147.pdf - Automated Analysis of Economic Security in Smart Contracts

• arxiv.org/abs/2003.03810 - Literally the best study about flash-loan attacks

• github.com/felixnan88/fallback-attack - All about fallback attack

• github.com/uni-due-syssec/eth-reentrancy-attack-patterns - Reentrancy Attack Patterns

• github.com/freight-chain/defi-sec & github.com/freight-trust/defi-threat - DeFi Threats List

• arxiv.org/pdf/2103.02873.pdf - Hunting For DeFi Attacks on Blockchain

• defi-sandwi.ch & pub.tik.ee.ethz.ch/students/2021-FS/BA-2021-07.pdf - A tool to check whether a transaction is susceptible to sandwich attacks and to find a suitable order split was released on.

• gasgauge.github.io, arxiv.org/pdf/2112.14771.pdf - A security analysis tool for smart contract out-of-gas vulnerabilities

• Tutela.xyz - tornado cash pool analyzer.

• github.com/OffcierCia/DeFi-Developer-Road-Map#security--safety - CIA compilation of reads.

• library.dedaub.com - Smart Contract Library

• github.com/christoftorres/ConFuzzius - a Fuzzer

All smart contract security tools:

• arxiv.org/pdf/2112.03426.pdf

• papers.ssrn.com/sol3/papers.cfm?abstract_id=3769774

• publik.tuwien.ac.at/files/publik_278277.pdf

• arxiv.org/pdf/2008.02712.pdf

Watch:

Working-in-web3:

Jobs:

| Read: web3.smsunarto.com

• twitter.com/jobsincrypto

• twitter.com/CryptoJobsList

• t.me/dailyapehr

• t.me/lobsters_hr

• t.me/solidity_learning

• t.me/dev_solidity

Grants & DAOs:

• twitter.com/developer_dao

• twitter.com/LidoGrants

• twitter.com/gitcoin

• twitter.com/web3grants

• questbook.xyz

Bounties:

• github.com/sw33tLie/bbscope

• immunefi.com

• code4rena.com

• github.com/blockthreat/blocksec-ctfs

Bonus! (awesome Discord chat)

Awesome smart contract audit checklists:

• blog.openzeppelin.com/follow-this-quality-checklist-before-an-audit-8cc6a0e44845/

• consensys.github.io/smart-contract-best-practices/

• ethereum.stackexchange.com/questions/8551/security-review-checklist-for-a-smart-contract/8593#8593

• github.com/Rari-Capital/solcurity

• github.com/cryptofinlabs/audit-checklist

• securing.github.io/SCSVS/

• our.status.im/what-is-a-security-audit-when-you-should-get-one-and-how-to-prepare

• github.com/nascentxyz/simple-security-toolkit#readme

• bowtiedisland.com/how-to-read-a-smart-contract-audit-report

• How to not suck an audit

---

If you want to support my work, you can send me a donation to the address:

• 0xB25C5E8fA1E53eEb9bE3421C59F6A66B786ED77A or officercia.eth — ETH, BSC, Polygon, Optimism, Zk, Fantom, etc

• 17Ydx9m7vrhnx4XjZPuGPMqrhw3sDviNTU - BTC

• 4AhpUrDtfVSWZMJcRMJkZoPwDSdVG6puYBE3ajQABQo6T533cVvx5vJRc5fX7sktJe67mXu1CcDmr7orn1CrGrqsT3ptfds - Monero XMR

Thank you! ❤️