Hey there, I am Samrat Gupta aka Sm4rty, an Independent Smart Contract Auditor and a part-time Bug Bounty Hunter. In this blog, I will be sharing a roadmap and step-wise guide to get started with web3 and Smart Contract hacking.
There is no definite path or roadmap to learn in web3 security. You can learn any way you want, whichever way you want. But if you are a beginner, this roadmap can be helpful for you.
This will be ultimate guide and contains many resources which can help you get started with it. Learning blockchain hacking is not only about solidity and Ethereum. Being a good at it requires a good knowledge of different protocols, economics, finance, mathematics, logic etc.
Without wasting further time let’s jump directly into steps:
1. Learn Blockchain Basics and Ethereum.
First step is we need to learn basics of Blockchain technology and various terminologies like blocks, nodes, mining, hashing etc. Then we can learn Ethereum basics. Learning Blockchain basics will give us an overall idea of how this technology works and it will give you overview of what we are dealing with.
What is Blockchain?
A blockchain is a distributed database or ledger that is shared among the nodes of a computer network. As a database, a blockchain stores information electronically in digital format. Ethereum is a blockchain protocol like Bitcoin. Unlike Bitcoin, Ethereum is Turing Complete, which means it can approximately simulate the computational aspects of any other real world, general-purpose computer and run programs.
Further Reads
https://www.investopedia.com/terms/b/blockchain.asp
https://github.com/ethereumbook/ethereumbook
https://www.youtube.com/watch?v=QCvL-DWcojc
2. Smart Contracts and Programming Language.
Next we can learn about Smart Contracts and how to write Smart Contracts using programming language like solidity or vyper. Solidity is currently most commonly used programming language to write Smart-contract.
What Are Smart Contracts?
Smart contracts are simply computer programs that run on a blockchain network. The concept was first coined by computer scientist and cryptographer Nick Szabo in the late 1990s. However, they were first implemented by the Ethereum protocol.
For Solidity, We can learn it from various different sources like solidity docs, cryptozombies, YouTube Tutorials, blogs, etc. I will be providing link of few of those resources down below.
Further Reads:
https://lifemathmoney.com/what-is-a-smart-contract-explained-with-real-world-examples/
https://www.youtube.com/watch?v=_J6G5g-nKg0https://www.youtube.com/watch?v=gyMwXuJrbJQ
https://cryptozombies.io/en/course/
https://docs.soliditylang.org/en/latest/
https://solidity-by-example.org/
3. Learn Testing Frameworks like hardhat/foundry
Then we can learn Testing frameworks like hardhat/foundry which helps us to run Smart Contracts in local environments and run test for Smart Contracts. We can also use Remix IDE for it for this purpose, but for huge projects setting up local testing environment is much better. So, Learning this frameworks has many advantages and plugins which is helpful while testing or writing POCs for our attacks.
There are many Testing Frameworks. But the famous one’s are :
Foundry : In Foundry, Tests and scripts are written in Solidity.
Hardhat: In Hardhat, Tests and scripts are written in Javascript.
Brownie: In Brownie, Tests and scripts are written in Python.
Further Reads:
https://book.getfoundry.sh/
https://hardhat.org/docs
https://eth-brownie.readthedocs.io/en/stable/
4. Learn Finance Basics.
This is something not much people focus on learning. But there will be a time when you’re auditing a DeFi project that uses a lot of traditional finance terms and you don’t understand anything. When you look these terms up, you’ll get definitions that refer to even more terms that you don’t know. So, Learning Finance is very important in web3 as most of projects are related with finance.
In DeFi projects, we will be dealing with some finance terminology like shares, order book, market, exchanges, DEX, options and many more. I have put links of few resources to learn finance below.
Further Reads:
https://academy.binance.com/en
https://teachyourselfcrypto.com/#ftoc-decentralized-exchanges-dexs
https://www.khanacademy.org/economics-finance-domain/core-finance/derivative-securities
5. DEFI and DEFI Attack Vectors:
DeFi provides financial instruments without relying on intermediaries such as brokerages or banks. These applications allow users to save, borrow, lend and trade without any fees (that any financial company like the bank receives).
These are some commonly used protocols in most DeFi projects. It’s good to become familiar with them and deeply understand how they work and their nuances.
- MasterChef: The Shushiswap’s MasterChef is a staking contract where users deposit liquidity pool (LP) tokens and receive rewards proportional to their
time * stakeAmount. - Compound: Compound is the basis for all decentralized peer-to-peer lending protocols. You should know it as a lot of DeFi primitives interact with lending protocols in some way.
- UniswapV2: While Uniswap is already on V3, Uniswap V2 is significantly simpler, less gas-golfed, and still the basis for understanding automated market makers (AMMs) in general.
- Aave: Aave allows users to borrow digital assets and earn interest on deposits/loans — thanks to it being an open-source, decentralized lending protocol built on the Ethereum platform.
- Balancer: Balancer is the most flexible and versatile Automated Market Maker, giving developers unprecedented customizability.
DeFi Attack Vectors:
After learning DeFi i.e. Decentralized Finance next is learning some common attack vector and mitigations. Below are few DeFi attack vectors and mitigations:
1. Flash Loan -Price Oracle manipulation
2. Reentrancy attack
3. Rug pull.
Further Reads:
https://teachyourselfcrypto.com/#ftoc-module-4-decentralized-finance-defi
https://academy.moralis.io/blog/defi-deep-dive-explaining-defi-attack-vectors-and-prevention
https://crypto.com/research/attacks-and-exploits-in-defi
6. Learn Commonly used Libraries and Token Standards:
There are certain contracts, patterns or even algorithms that you will see over and over again during your auditing career. It’s good to become familiar with them and deeply understand how they work and their nuances.
- Token contracts: The most used token standards are EIP20 for fungible tokens, and EIP721 for NFTs. There are many more, but these two are all you need to know in the beginning. There are also other standards like ERC777, ERC1155, ERC2646 ERC2981 etc.
- Upgradable Contracts: Ethereum contracts are not upgradeable. If you want to update the code, you need to deploy a new contract. There are many different proxy implementations, have a look at the OpenZeppelin Proxy.
- Openzeppelin Helper Library: It is a library for secure smart contract development. Build on a solid foundation of community-vetted code.
i. Implementations of standards like ERC20 and ERC721.
ii. Flexible role-based permissioning scheme.
iii. Reusable Solidity components to build custom contracts and complex decentralized systems.
Further Reads:
https://github.com/OpenZeppelin/openzeppelin-contracts
https://www.youtube.com/watch?v=JgSj7IiE4jA
https://ethereum.org/en/developers/docs/standards/tokens/
7. Learn common Smartcontract bugs, Tools and best Practices
The SWC registry provides a collection of classifications that contain a list of known attacks to date. The SWC registry provides an SWC identifier (ID), title, and list of code-related samples.
There are common attack factors that a smart contract auditor must look into, such as Access Control Issues, Integer Overflows and Underflows, and reentrancy vulnerabilities (for DApps written in Solidity).
Most Common Tools:
i. Slither: Detects vulnerable Solidity code with low false positives.
ii. Echidna:Echidna is a program designed for fuzzing/property-based testing of Ethereum smarts contracts.
iii. Surya: It provides a number of visual outputs and information about the contracts’ structure.
iv. Eth Security Toolbox: It is Docker container preinstalled and preconfigured with all of Trail of Bits’ Ethereum security tools
Solidity Best Practices:
You can learn solidity best practices from consensys blog, or you can prefer Secureum blog (Part1 and Part2) for understanding best security practices.
Further Reads:
https://swcregistry.io/
https://secureum.substack.com/p/audit-techniques-and-tools-101
https://secureum.substack.com/p/security-pitfalls-and-best-practices-101
https://secureum.substack.com/p/security-pitfalls-and-best-practices-201
8. Complete CTF challenges.
Once we learned basics Ethereum, Solidity and Testing Frameworks and some common Smart Contracts vulnerabilities. We can then move to CTF to test our learning of all our learnings. There are many CTF for Smartcontract like Ethernaut, Damnvulnerabledefi, or Capture The Ether, You can complete them. Also if you want solve more difficult CTF, you can try out paradigm ctf. Below are links to these CTFs.
9. Read Audit Reports and Postmortem Blogs:
This is the most important phase, try to read as much reports you can find. It will help you to understand various logical bugs and will help you understand thought process which auditing.
You can find audit reports of many protocols in the link below:
10. Continuous Learning and Research
Web3 is is very dynamic in nature. So you will need to get updated with all research and novel attacks. You can follow the below resources to get updated to latest news, attacks, research etc.
Newsletters : Blockthreat, HashingBit, Immunefi
Discord Communities: Immunefi, Secureum, Blockchain Pentesting, QuillAudits, etc.
Blogs: Immunefi, Coinmonk, TrailOfBits, Secureum Openzeppelin, QuillAudits, etc.
Twitter: Be active on Twitter and follow up with latest research and attack vectors.
[OPTIONAL] Learn Mathematics:
If you’re planing to settle in the blockchain in the long run is to slowly start Math now but not to precipitate.
Further Reads: https://medium.com/@TrustChain/do-you-need-math-to-get-started-in-smart-contract-hacking-443ff52b418d
[-] Start your Bug Bounty Journey
You can start you Web3 bug hunting journey at Immunefi which is largest web3 bug-bounty platform. Apart from Immunefi there are platform like Hakenproof or Code4rena, which you can go for. Below are the links of the platforms.
Credits:
https://medium.com/immunefi/hacking-the-blockchain-an-ultimate-guide-4f34b33c6e8b
https://cmichel.io/how-to-become-a-smart-contract-auditor/
https://secureum.substack.com/
RazzorSec Auditors mindmap
If you are interested in enrolling in the “Smart Contract Hacking Course,” I have some good news for you! By using my referral link, you can avail yourself of an exclusive discount of $50 on the course.
👉Here’s the link: https://smartcontractshacking.com/?referral=sm4rty
