By: Kong'@SlowMist Security Team
⚓️Contents
- Introduction
- Roadmap
- Preparation Required
- Getting Started
- Diving Deeper Into Smart Contracts
- Integration and Mastery
- Continuous Growth
- Acknowledgments
This skill chart is a compilation of the abilities required for SlowMist's security team's smart contract security auditors. It aims to enumerate the essential skills needed for smart contract security audits and inspire team members to adopt a mindset of research, innovation, and engineering evolution.
Smart contract security auditing skills are primarily divided into four parts: Finding the Entrance, Singing by the Door, Integrative Mastery, and Breaking Through. These stages progressively outline the expertise needed at each level. However, before diving into these, it's crucial to equip our minds with some foundational skills, which will serve as our anchor point in the audit journey.
As Abraham Lincoln once said: “Give me six hours to chop down a tree and I will spend the first four sharpening the axe.” This same approach can be applied to smart contract auditing. Strengthening our mindset before starting is essential, allowing us to move with conviction and travel further.
Cognition and execution go hand in hand. Theoretical knowledge and its practical application should align seamlessly.
- Learning should result in output, and output should be put into practice.
- SlowMist Security Team's Knowledge Base
- Embracing the open-source culture of GitHub
Ethics and the law are the foundational principles for security professionals. While staunchly adhering to these principles, security professionals must also forge strong technical skills, surprising adversaries when least expected.
- Sticking to the Basics:
- Auditors should abide by the law and uphold ethical standards
- Responsible Disclosure:
- SlowMist's alert procedure
- FIRST's code of ethics
- Hacker’s Mentality:
- While adhering to principles, prevail with unexpected strategies
- Defend Fundamentals: Approach with reverence and always adhere to basic
- Innovative: Think outside the box, be meticulous, employ reverse and open-minded thinking
The capabilities of an individual are always limited, but teamwork can effectively compensate for personal shortcomings.
- Collaborative Audit Flow:
- Collaborative auditing on the SlowMist MistPunk workbench ensures audit quality through technical means and accumulates auditing experience
- Audit Workflow:
- SlowMist's audit workflow ensures audit quality through managerial practices, serving to identify and fill in any gaps in the audit process
- Hacking Time Culture:
- Team members are encouraged to engage in spontaneous intellectual exchanges and sharing, aligning team capabilities through these collaborative interactions and thereby elevating the overall team proficiency
The development of the cryptographic world to date encompasses disciplines such as cryptography, economics, and data science. Faced with the immense volume of knowledge in the cryptographic world, determining a point of entry is crucial. In this phase, we will start by exploring Ethereum and its smart contract language, Solidity, as a gateway into the world of cryptocurrency.
Before understanding what smart contracts are, one should first comprehend the blockchain platform on which they operate.
- What is a blockchain?
- Visual demonstration of blockchain
- How cryptocurrencies work
- Reading "Mastering Bitcoin"
- Reading "Mastering Ethereum"
- Emphasis should be on Chapters 1, 4, 5, 6, 7, and 13
Different blockchains might employ various languages to develop smart contracts, such as Solidity, Move, Rust, Vyper, Cairo, C++, etc. Currently, Solidity remains the most popular and beginner-friendly smart contract language for EVM-compatible chains. It's essential to thoroughly read its language documentation. Moreover, one should understand the design standards of token contracts running on Ethereum and their specific contract implementations. Building on this foundation, it's crucial to understand how smart contracts can be made upgradable and to practically master the writing and testing of smart contracts.
Resources and Tools for Mastering Smart Contracts with Solidity
-
Essential Reading "Mastering Ethereum"
- Emphasis on reading the remaining chapters
-
Understanding Ethereum's Standard Proposals (ERC)
- ERC20: Standard for fungible tokens
- ERC165: Interface standard
- ERC173: Contract ownership standard
- ERC191: Data signature standard
- ERC601: Deterministic wallet hierarchical structure standard
- ERC721: Non-fungible token standard
- ERC777: Interoperable token standard
- ERC1155: Multi-token standard
- ERC1167: Minimal proxy contract
- ERC1967: Proxy data storage slots
- ERC2612: Token permit signature
- ERC4626: Token vault standard
-
Studying OpenZeppelin's token implementations
-
Understanding what upgradable contracts/proxy contracts are
- Introduction to different proxy contract patterns
- Proxies Deep Dive
- OpenZeppelin Proxy implementation documentation
-
Learning to Write Smart Contracts
-
Utilizing Smart Contract Build Tools
-
Popular Online IDEs
-
Familiarization with Package Managers
-
Popular Smart Contract Testing and Debugging Frameworks
- Foundry
- Convenient testing tools
- Cheatcodes
- Best practices
- Foundry
-
After mastering the fundamentals of smart contracts, it's essential to understand common vulnerabilities and the principles behind these vulnerabilities. Quillhash's vulnerability list, which aggregates multiple sources, offers a comprehensive view of the prevalent types of smart contract vulnerabilities. (For beginners, it's recommended to read through all the lists repeatedly to reinforce their understanding.)
- DASP Top 10
- SWC Smart Contract Weakness Classification
- Smart Contract Security Guide
- Kaden: Smart Contract Attack Vectors
- Quillhash: Solidity Attack Vectors
- RareSkills Smart Contract Security
As auditors, it's crucial to be familiar with the best practices and security standards of smart contracts. Best practices serve as a reference in identifying security issues during an audit, while security standards provide a basis for any security issues raised.
- Solidity Patterns
- Solcurity
- ConsenSys Smart Contract Best Practices
- Solidity Security Pitfalls and Best Practices 101
- Solidity Security Pitfalls and Best Practices 201
- SCSVSv2
- EEA EthTrust Certification
- Foundry Testing Best Practices
After acquiring foundational knowledge about blockchain, smart contracts, and common vulnerabilities, it's beneficial to consolidate and apply this knowledge through basic Capture The Flag (CTF) challenges.
Having grasped the basics of blockchain and smart contracts, we've essentially opened the door to Solidity smart contract security auditing. Beyond this door, the world of smart contracts is still vast. In this stage, we'll delve deeper into the expansive realm of smart contract applications, starting with decentralized finance (DeFi).
Blockchain and smart contracts have made the construction of DeFi possible, and the emergence of DeFi has spurred the rapid development of blockchains like Ethereum. Before delving further, one should understand: What is DeFi?
- Read "How To DeFi: Beginner"
- Read "How To DeFi: Advanced"
- Introduction to different types of DeFi
- Understand what each type of DeFi is
- Grasp basic economic knowledge and common terminologies
- Introduction to fundamental financial strategies
- Economics Model 101
After an initial understanding of what DeFi is, it's important to delve deeper into what these platforms have achieved and how they achieved it. This can be accomplished by reviewing the technical documentation of the current leading DeFi protocols to gain preliminary insights into their implementations.
- MakerDAO (Collateralized Debt Position)
- AAVE (Lending)
- Compound (Lending)
- Uniswap (Decentralized Exchange)
- Curve (Decentralized Exchange)
- Technical Documentation
- Algorithm Overview
- Detailed Explanation of Curve's Newton Iteration
- Chainlink (Oracle)
- Price Oracles
- VRF (Verifiable Random Function)
- Convex Finance (Yield Optimization)
- Protocol Overview
- Technical Documentation
- Yearn Finance (Yield Aggregator)
- GMX (Derivatives)
- Nexus Mutual (Insurance)
- OpenSea (NFT Marketplace)
- Set Protocol (Index Funds)
- Lido (Liquid Staking)
- ... and more
Many DeFi projects currently interrelate and combine, with some leading DeFi protocols forming the cornerstone of complex DeFi combinations. Hence, mastering the implementation of these DeFi initiatives is critical. After an initial understanding of DeFi's workings through protocol documentation, further comprehension can be achieved by studying the complete source code to grasp specific logic and economic models.
DeFi isn't solely about smart contracts; the frontend and backend are vital components. Most users interact with DeFi through the frontend. Therefore, after understanding DeFi's operations and implementations, it's essential to learn and practice its risks through frontend security measures, backend security configuration requirements, and historical vulnerabilities in the DeFi sector.
- Understanding Web Frontend Security
- Read the "SlowMist Web Frontend Security Best Practices Guide"
- Dive deeper into "Web Frontend Hacker Techniques Revealed"
- Understanding DeFi Hacks
During an audit, an individual's perspective may miss certain aspects and cannot cover all scenarios. Therefore, reading other people's audit reports is crucial to learn different methods of vulnerability discovery and various auditing thought processes.
- SlowMist Audit Reports
- Solodit Aggregation
- Code4rena Audit Reports
- Consensys Audit Reports
- QuillAudits Audit Reports
- Spearbit Audit Reports
- Sherlock Audit Reports
- ADBK Audit Reports
- BlockSec Audit Reports
- Certik Audit Reports
- ChainSecurity Audit Reports
- Cyfrin Audit Reports
- PeckShield Audit Reports
- OpenZeppelin Audit Reports
- Complete List of Security Audit Reports
Engage in more advanced CTF challenges to test new skills and grow
- EtherHack
- SI Blockchain CTF
- QuillCTF
- Curta CTF
- Paradigm CTF
- Cipher Shastra CTF
- Damn Vulnerable DeFi
- unhackedctf
Through the exploration of leading DeFi platforms, a profound understanding of DeFi will be established. Moving forward, by learning from the foundational layer of EVM to the upper economic models of DeFi, we can continue to deepen our grasp on smart contracts. During this process, independently auditing complex smart contracts can help solidify one's own audit methodology.
The EVM (Ethereum Virtual Machine) is responsible for executing smart contract instructions. A comprehensive understanding of the EVM aids in a more in-depth grasp of the deployment, invocation, execution, and data storage of smart contracts. This foundational knowledge is also pivotal for Gas optimization and discovering vulnerabilities.
- About EVM
- The EVM From Scratch Book
- Noxx's In-depth Research on EVM
- Parsing Solidity Slot Data
- Ethereum Yellow Paper
- Quillhash EVM Mastery
- EVM Implementation Examples
All on-chain transactions incur Gas costs. For complex contracts, optimizing Gas can reduce user interaction costs, thereby attracting more users. This demands that auditors have a certain understanding of Gas optimization design.
The economic model is a core component of DeFi products, so it's essential to understand the risks associated with these models. Throughout the learning process, one should develop and consolidate their perspectives and methodologies.
After mastering these skills, auditors should be capable of dissecting and analyzing complex, highly innovative DeFi protocols.
- To be released...
Learning from other outstanding peers who are researching various topics can provide us with more insights and broaden our horizons.
- Bytes032
- Noxx
- Mixbytes
- Samczsun
- Cmichel
- Pessimistic
- OfficerCia
- Smart Contract Research Forum
- Zefram
- Alin Tomescu
- Christoph Michel
- Kyrian Alex
- And more
After independently auditing numerous complex projects, accumulating extensive knowledge, and experiencing various business scenarios, auditors should be able to respond quickly to unforeseen security incidents and conduct rapid analysis and reporting. Here are some commonly used analysis tools:
- Contract Decompilation Tools
- Transaction Analysis Tools
- Others
Engaging in real-world scenarios is the best way to test your skills.
- Immunefi
- BugRap
- Code4rena
- HackerOne
- HackenProof
- HatsFinance
- And more
After entering the world of Solidity smart contracts, one should not be content with circling within a single domain. Instead, you should crystallize your own methodology, boldly carve out a new path, break through, and expand into other areas while deepening your expertise in the current field.
- Don't confine yourself to Solidity; explore other smart contract languages like Rust, Vyper, Cairo, and Move
- Don't limit yourself to smart contracts; understand popular public blockchains like BTC, Cosmos, Solana, Starknet, EVM L2, and more
- Beyond blockchain, gain insights into areas like Web2.0 and mobile development
- Dive deeper into the field of cryptography
- And more
After mastering the skills of smart contract security auditing, you can develop your own methodology. This helps you quickly identify the core issues and determine problem-solving approaches. A good methodology can greatly increase your efficiency.
- Methodology for auditing work
- Methodology for smart contract security practices
- Approaches to problem-solving
- Building a thinking framework
Creativity is the weapon that allows us to conquer challenges and the essential attribute for progress. After acquiring skills systematically, nurture your creativity to advance further.
- Cultivate curiosity
- Learn new things
- Don't limit yourself to your circle, profession, or field
- Pursue knowledge relentlessly
- Approach knowledge with reverence
- Explore new realms of knowledge
- Embrace the hacker mindset
- Staying true to principles while thinking outside the box
- Be adept at research
- Aim for practical results and publish research
- Implement engineering principles
- Turn ideas and research into practical solutions and test them in real-world
- SlowMist MistEye Monitoring System
- SlowMist Contract Visibility Analysis Tool
- SlowMist Static Vulnerability Scanner
- And more
- Turn ideas and research into practical solutions and test them in real-world
Special thanks to friends who provided valuable feedback:
Thanks to Jian for the English translation and to Hik3 for designing the cover image.