Smart Contract Security

Even though the field is still experimental, real money is always on the line, so learning about smart contract security and testing is of the utmost importance.

Blog posts, guides and learning materials

Smart contract best practices  – by ConsenSys
Frontend security  – best practices
SWC Registry  – Smart Contract Weakness Classification registry, with a description and test cases for each weakness
Comprehensive list of known attack vectors for Solidity  – and common anti-patterns
Solidity Documentation Security Considerations  – security considerations in the Solidity official learning material
Smart Contract Security Verification Standard  – checklist created to standardize the security of smart contracts at every stage of the development cycle for developers, architects, security reviewers and vendors
Ethernaut  – a game in which you hack smart contracts to learn about security
Capture the Ether  – game in which you hack Ethereum smart contracts to learn about security
Cryptopals  – a different way to learn about crypto, by providing a collection of 48 exercises that demonstrate attacks on real-world crypto
Securing smart contracts  – 6 Solidity vulnerabilities and how to avoid them
Open Zeppelin / Onward with Ethereum Smart Contract Security  – some recommended strategies to improve smart contract security
246 Findings From our Smart Contract Audits  – aggregate data from all Ethereum code audits executed by the Trail of Bits team
The crypto in cryptocurrencies  – series of posts covering everything a generic developer would need to know about cryptography in order to understand blockchains at a fundamental level
The Security Series: A Look at Ethereum’s Smart Contracts  – a first look into the strength of the smart contract layer of Ethereum
Protecting Against Front-Running and Transaction Reordering  – explanation of the problem, and a list of solutions with explanations
Factories Improve Smart Contract Security  – an example: if the factory pattern had been used, the vulnerability would have been much less severe
Deconstructing the DAO Attack  – the bug that caused the $50 million theft
Hacking an Ethereum contract  – reconstruct the $1,000,000 hack of PoWHCoin
Ethereum Threat Actors  – 3-part mini-series analyzing a phishing tactic that used a smart contract address
Vulnerability in MakerDAO governance  – using different automatic analysis tools with faulty MakerDAO contracts
The 0x vulnerability  – signature verification vulnerability explained
The Livepeer slashing vulnerability  – improper input validation meant that the same claim could be submitted twice as proof of transcoder double claiming
Critical Vulnerability in a New AirSwap Smart Contract  – steps taken to prevent the vulnerability from being exploited
Vulnerability in Curve contract  – the discovery and the rescue
Critical Flaw in Trezor Hardware Wallets  – a way to extract seeds from cryptocurrency hardware wallets
Auditing Smart Contracts with Web3j  – Web3j can provide specific information about the features and potential vulnerabilities detected
Stack Exchange security tag  – see what people ask about security

Formal Verification

Formal Verification for n00bs  – a 3-part series
Formal Verification: Why and How  – beginner’s guide to the K framework
How Formal Verification Can Ensure Flawless Smart Contracts  – how to eradicate errors in the Ethereum bytecode
How Formal Verification Could Help to Prevent Gridlock Bug  – review of the Gridlock bug and how formal verification can help to prevent this type of bug
Ethereum Formal Verification  – overview of the formal verification projects
Formal Verification of ERC20 implementations with VeriSol  – how a formal verification tool like VeriSol can be used to check functional properties of an ERC20 implementation
K vs. Coq as Language Verification Frameworks  – highlighting some of the important ways in which K and Coq differ as formal verification frameworks for languages through a working example
A Formal Model in K of the Beacon Chain  – Ethereum 2.0’s primary proof-of-stake blockchain

Resources 

Awesome Ethereum Security  – curated list of awesome Ethereum security references, guidance, tools, and more
Awesome Cryptocurrency security  – curated list about cryptocurrency security
Safety wiki  – Ethereum Foundation wiki on safety
Ethereum Developer Tools List  – section security tools