Bitget App
Trade smarter
Buy cryptoMarketsTradeFuturesCopyBotsEarn
Tips for Solidity Code Auditors

Tips for Solidity Code Auditors

Officer's BlogOfficer's Blog2023/10/22 21:27
By:Officer's Blog

Gaining the most elusive of tips.  Add  your input and let’s  collect  them all!

General Tips Suggestions

  1. Did you know that you  can  utilize  VSCode  on your iPad ( preferably  with a Magic Keyboard) using the  Blink App ? If not, watch the  following video ! I hope you find this  tip  useful in your work!

  2. Clone any project, then upload extension into  vscode ,  2nd link  -> add key from  sourcegraph , select the contract and the AI analyzes the structure of your project for you! Check out this  example !

  3. Try  auditwizard.io  - revolutionize your workflow today!

  4. Check out pre-built  security properties  for commonly forked DeFi protocols.

  5. MEV / Sandwich / Front-run Back-run:  Compilation    advanced  info.

  6. Try  Slither Detectors by Pessimistic.io   check out  SolCurity .

  7. Give a try:  Pyrometer    Sporalyzer .

  8. Explore Web3 with full confidence guarded by  Web3Antivirus security browser extension    learn evm attacks !

  9. Try using obsidian.md for notes!   check out  Audit Quality !

  10. Check out  R.xyz ( link! ) and apply for a closed beta ( here )!

  11. Follow my  own blog    Hexens' blog !

  12. This project was created to support  Code4rena Bot Races with useful  stats and tools. Read more about it  here   try  4naly3er !

  13. Bot Racing: The Rise of Web3 Bots.    Code4Rena Bot Racing explained !

  14. Check out GasBad which is an open-source project that evaluates  gas efficiency in Solidity  libraries!

  15. Try out this tool - it scans constructor of  solidity smart contract for checks  to zero address.

  16. DeFi Common Fork Bugs List .

  17. Try using  Semgrep rules for smart contracts  based on DeFi exploits!

  18. Complete this  set of tasks   check out this curated  list of web3Security materials and resources  For Pentesters and Bug Hunters!

  19. Let's break down such a concept as mind-mapping -  study this list   check out  AuditorsRoadmap  mind-map!

  20. How To Learn Fast?

Tools Services

  • sol2uml

  • tx2uml

  • EVM - Draw    link

  • openchain.xyz

  • Vscode Solidity Inspector

  • EVM Slot Reader

  • heimdall-rs

  • EVM Bench

  • Function Selector Miner

  • explorer.swiss-knife.xyz

  • Solhunt

  • Solsec

  • Gas Gauge

  • ityfuzz

  • evmdiff.com

  • contract-diff.xyz

  • x48.tools/diff

  • bytegraph.xyz

  • lcov-parse

  • EVM cfg

  • Check external calls in a contract

  • evm.storage

  • contractreader.io

  • Tatum Explorer

  • cadcad.org

  • With this tool you can search across a half million git repos!

  • Hardhat Gas Reporter

  • Get Ethereum block number by a given date.

  • Hardhat plugin for exporting the contract storage layout.

  • Allowing smart contract developers to do simulation driven development via an EVM emulator.

  • Memory Strux

  • tecommons.org

  • Octopus

  • Solidity rlp Encode

  • Dune to CSV

  • Duneanalytics Tools

  • machinations.io

  • tenderly.co

  • impersonator.xyz

  • A 4-hr smart contract fuzzer speed run.

  • Fuzzing cryptographic libraries. Magic bug printer go brrrr.

Useful Resources — by officercia.eth

  • Navigation Page

  • BalancerV1 Integration Tips

  • Meta-Transactions: General Overview

  • CurveV1 Integration Tips

  • Auditing Projects on the NEAR Blockchain: From Zero to Hero

  • Reentrancy Attacks on Smart Contracts Distilled

  • Gas Gauge: Pressure Control

  • Short Types in Solidity: Rare Tricks Uncovered

  • Fuzzing Solidity Smart Contracts with Echidna: Die-Hard Level Tips

  • Slither: An Auditor’s Cornucopia

  • Per Aspera ad Astra: How to become a smart contract auditor bugbounty-hunter

  • Tenderly App — a Swiss Pocketknife for the Web3 developer

  • Convex Finance DeFi Integration Tips

  • Auditing Tips for NFT Projects

  • AAVE V3 DeFi Integration Tips

  • AAVE V3 DeFi Integration: Specifications

  • Slitherin Timeline 2.0

  • Compound v2 DeFi Integration: Specifications

  • Compound v2 DeFi Integration Tips

  • Oracles, Entropy Chainlink VRF Secure Integration Tips

  • Chainlink VRF Secure Integration Tips: Specifications

  • Auditor’s Notes: Semantic Grep Solidity

  • Price Reward Manipulation Attacks Distilled

  • Read-only Reentrancy: In-Depth

  • Web3 Security Distilled

  • Arbitrum: Basic Features, Technical Details and Differences from Ethereum

  • AMM (Automatic Market Makers) Integration Tips

  • Web3 Security Distilled 2.0

  • Auditor’s Notes: Semantic Grep Solidity 2.0

  • Auditor’s Notes: ERC20 Integration Tips

  • Auditor’s Advice: Math, Solidity Gas Optimizations | Part 1/3

  • Auditor’s Advice: Solidity Checklist Reentrancy Attack | Part 2/3

  • Auditor’s Advice: EVM Limitations Assembly Auditing Tips | Part 3/3

  • Auditor’s Notes: Initializing, Proxy, Oracles Multi-Chain

  • Auditor’s Notes: Tokens, EIP-712 Meta-Transactions

  • Remediate Web3: R.xyz

  • Arbitrary Calls New Slitherin Detector Release

Awesome GitHub Lists

  • DeFi Developer Road Map

  • Awesome On-Chain Forensic HandBook

  • Ultimate DeFi Blockchain Research Base

  • The Atypical OSINT Guide

Additional Resources

  • MVP for OpSec

  • The ultimate framework to best secure your Dapp and optimize the money spent on security reviews.

  • Zk Proofs Explained

  • On Bitcon Custody...

  • Join my TG folder!

  • All About Tenderly Sandbox

  • Vault Math - How much shares to mint? How much token to withdraw?

  • Foundry Cheatsheet

  • Yet Another Audit DB

  • Template repository intended to ease fuzzing components of Solidity projects, especially libraries.

  • An interactive Solidity shell with lightweight session recording and remote compiler support.

  • Gas Numbers Every Solidity Dev Should Know!

  • This repository contains projects implementing both low-level and high-level concepts of Solidity in an incremental learning pattern!

  • Learn how to build on Ethereum; the superpowers and the gotchas.

  • This is a course for hackers, programmers, and software engineers who learn by doing!

  • Smart Contracts Security by Ethereum.org

  • Re-entrancy Attack Patterns List

  • This project aims to curate a comprehensive list of independently hosted bug bounty programs within the Web3 ecosystem that offer substantial rewards, with payouts ranging into six figures.

  • To learn common smart contract vulnerabilities using Foundry!

  • The difference between Auditor and Security Researcher

  • This Repository contains list of Common NFT Attack Vectors.

  • NFT Attacks List

  • Single-command flamegraph profiling Tool

  • High Severity Findings List

  • An Ethers.js compatible signer that connects to AWS KMS.

  • Ethereum EVM illustrated

  • Blockchain dark forest selfguard handbook. Master these, master the security of your cryptocurrency.

  • Smart Contract Security Verification Standard

  • Immunefi PoC Templates

  • Foundry Forge Coverage

  • Audit Techniques Tools 101

  • State of the art of detection evasion, for web3 malware.

  • EEA EthTrust Security Levels Specification v1

  • Flash Crash for Cash: Cyber Threats in Decentralized Finance

  • This repo contains a comprehensive list of smart contract auditor tools and techniques that can be utilized by both smart contract auditors and blockchain developers for developing secure smart contracts

  • Robust, open-source contract verification for the EVM.

  • Roadmap for Web3/Smart Contract Hacking | 2022

  • Information about web3 security and programming tutorials/tools

  • What happens when you send 1 DAI

  • How to Read Smart Contracts

  • Bytes032 Blog

  • Pentacle Security List

  • list of FREE resources to make Web3 accessible to everyone.

  • How to understand EVM byte code...

  • Awesome Blogs    Explanation

Front-end Security

  • Frontend Security, Web2 vs Web3 Bugs

  • Scroll Workshop Rust House

  • DApp Frontend Security

  • MVP for OpSec

Work…?

  • Web3 Security Distilled 2.0

  • Crypto Jobs List - Main

  • web3.smsunarto.com

  • hexens.io/careers

  • 2023 Global Crypto Events Hackathons

  • Check out  R.xyz ( link! ) and apply for a closed beta ( here )!

  • Crypto Telegram Discord Channels Chats

  • Jobsincrypto

  • CryptoJobsList

  • Jobs TG Folder

  • LobsterHR

  • DeveloperDAO

  • LidoGrants

  • GitCoin

  • anonfriendly.com

  • Web3grants

  • hackathons.live

  • hackenproof.com

  • bbscope

  • immunefi.com

  • code4rena.com

  • sherlock.xyz

  • spearbit.com

  • Web3SecurityDAO

  • WHITE HAT DAO

  • Hats.Finance

  • crypto-jobs-fyi.github.io

  • auditjobs.xyz

  • intropia.io/hire

  • solodit.xyz

  • www.jobstash.xyz

  • frontrunnrs.xyz

  • www.jobprotocol.xyz

Support

The best thing is to support me directly by donating to my address on Ethereum Main-net or any of the compatible networks or to any address from the list below:

  • 0xB25C5E8fA1E53eEb9bE3421C59F6A66B786ED77A  — ERC20 ETH  officercia.eth

  • 17Ydx9m7vrhnx4XjZPuGPMqrhw3sDviNTU  — BTC

  • 4AhpUrDtfVSWZMJcRMJkZoPwDSdVG6puYBE3ajQABQo6T533cVvx5vJRc5fX7sktJe67mXu1CcDmr7orn1CrGrqsT3ptfds — Monero/XMR

  • You can also support me by minting one of my  Mirror articles NFTs !

Thank you!

0

Disclaimer: The content of this article solely reflects the author's opinion and does not represent the platform in any capacity. This article is not intended to serve as a reference for making investment decisions.

PoolX: Locked for new tokens.
APR up to 10%. Always on, always get airdrop.
Lock now!