Pentesting Smart Contracts
Minimalist resources for learning about smart contract security and pentesting, from lab to practice, with CTFs and some recommendations. (Updated – 26/06/2022)
Resources
- fwhibbit.es/pentesting-smart-contract-introduccion – Pentesting Smart Contracts (in Spanish).
- notonlyowner.com/learn/intro-seguridad-hacking-ethereum – Introduction to Security and Hacking in Ethereum (in Spanish).
- consensys.github.io/smart-contract-best-practices – Ethereum Smart Contract Security Best Practices.
- github.com/tinchoabbate/intro-seguridad-smart-contracts – Introduction to Hacking and Security in Smart Contracts (in Spanish).
- Docs.google.com – Example report – General Analysis and Compiler Audit.
- https://github.com/xf97/JiuZhou – JiuZhou is a dataset of buggy Ethereum smart contracts (ICSME 2020).
- github.com/5049504F/cryptocurrency-security – A document intended as a first step for learning about blockchain and smart contract security.
- a16z.com/2022/04/23/web3-security-crypto-hack-attack-lessons/ – Web3 Security: Attack Types and Lessons Learned.
Tools
- MythX – Smart contract security service for Ethereum.
Labs – CTF
- damnvulnerabledefi.xyz/ – Damn Vulnerable DeFi is the wargame to learn offensive security of DeFi smart contracts.
- ethernaut.openzeppelin.com – The Ethernaut is a Web3/Solidity-based wargame inspired by overthewire.org, played in the Ethereum Virtual Machine. Each level is a smart contract that needs to be ‘hacked’.