Awesome Ethereum Security
A curated list of awesome Ethereum security references, guidance, tools, and more.
Join Trail of Bits for a free Ethereum Office Hours session by reserving a slot on Calendly. An engineer from Trail of Bits will assist you in applying advanced security (tools)[#tools] and practices to your smart contract code.
Contents
Learning
Security references
- Comprehensive list of known attack vectors for Solidity
- Consensys Best Practices
- Decentralized Application Security Project
- Solidity Security Considerations
- Solidity v0.5.0 Breaking Changes
Insecurity references
Capture the Flag and Wargames
Writeups
- Hands on the Ethernaut CTF - Writeups for various Ethernaut CTF challenge contracts.
- Ethernaut - Naught Coin (ERC20) Exploitation - Writeup for a vulnerable ERC20 from the Ethernaut CTF.
- EtherHack CTF Writeup - Writeup for EtherHack CTF challenges.
- PolySwarm Smart Contract Hacking Challenge Writeup - Demonstrates advanced use of Manticore
Coordinated disclosure
- Blockchain Security Contacts - Security contact info for blockchain projects
Blogs
- Hacking Distributed - Emin GΓΌn Sirer, professor in Cornell Techβs IC3 lab focused on blockchain security.
- Phil Does Security - Phil Daian, grad student behind KEVM, Hydra, and other Ethereum academic projects
- Trail of Bits - Cybersecurity R&D firm with a blockchain security practice
- Martin Holst Swende - Martin Swende, programmer and appsec consultant
- SmartDec blog - Company blog about security issues and practices within blockchain ecosystem
Notable blog posts
- Contract upgrade anti-patterns
- How the winner got Fomo3D prizeβββA Detailed Explanation
- How to debug Solidity Smart Contracts with Tenderly and Truffle
- Lashing out at a Spank Channel
- Malicious GasToken Minting
- Missing return value bug in ERC20 tokens
- Not A Fair Game β Fairness Analysis of Dice2win
- Initial Formal Verification of Ethereum Casper Protocol
- Security considerations for Shamir's secret sharing
- SmartDec smart contract audit beginner's guide
- The Anatomy of a Block Stuffing Attack
- The phenomenon of smart contract honeypots
- Use our suite of Ethereum security tools
- Vertcoin (VTC) was successfully 51% attacked
Conference talks
Title | Conference | Year |
---|---|---|
Predicting Random Numbers in Ethereum Smart Contracts | OWASP AppSec | 2018 |
Blockchain Autopsies - Analyzing Smart Contract Deaths | Blackhat USA | 2018 |
Rattle - an EVM binary analysis framework | reCON | 2018 |
Blackhat Ethereum | CanSecWest | 2018 |
Smashing Ethereum Smart Contracts for Fun and Profit | HITB Amsterdam | 2018 |
Automatic Bug Finding for the Blockchain | EkoParty | 2017 |
Podcasts and Episodes
Podcasts
Episodes
- The Smartest Contract #15 - Trail of Bitsβ Outlook on Security w/ JP Smith
- The Smartest Contract #8 - Smart Contract Security and Honeypots w/ Gerhard Wagner
- Zero Knowledge #29 - The DAO, the White Hat Hacker Group & Giveth w/ Griff Green
- Zero Knowledge #16 - Talking security with JP Smith from Trail of Bits
- Risky Business #488 - JP Smith about all things blockchain
Tools
Visualization
- ethereum-graph-debugger - A graphical EVM debugger. Displays the entire program control flow graph.
- Slither - Slither can map method visibility and modifiers, state variables that are read and written, calls, and can print the inheritance graph of a smart contract
- Solgraph - Generates DOT graphs with function control flow of a solidity contract
- Surya - Generates various visual outputs of function call graphs
- sol-function-profiler - Solidity contract function profiler
Linters
- Remix - Browser-based Solidity IDE with linting features
- SmarrtCheck - A linter for Solidity and Vyper that checks code for security issues and bad practices.
- Solhint - Linter for both security and style-guide validations. It strictly adheres to the Solidity Style Guide.
- Solium - Linter for both security and style-guide validations. Does not strictly adhere to the Solidity Style Guide.
Bug finding tools
- Echidna - Fuzzer for Ethereum smart contracts. Uses property testing to generate malicious inputs that break smart contracts.
- Manticore - Symbolic execution tool for Ethereum smart contracts that includes detectors for common security flaws
- Mythril OSS - Open-source security analysis tool for Ethereum smart contracts built around detector modules
- Securify - Static analysis tool from ChainSecurity
- Slither - Static analysis framework, written in Python, with detectors for many common Solidity issues
Verification tools
- KEVM - K Semantics of the Ethereum Virtual Machine (EVM)
- Manticore - Symbolic execution tool for EVM
Reversing tools
- abi-decompiler - EVM reverse engineering helper utility
- ethereum-dasm - EVM disassembler with static and dynamic analysis abilities, including function signature lookup
- Ethersplay - Visual disassembler for EVM bytecode built on Binary Ninja
- evmlab - Utilities for interacting with the Ethereum virtual machine
- IDA-EVM - IDA plugin to view EVM instructions
- Panoramix
- pyevmasm - EVM assembler and disassembler with a CLI and a Python API
- Rattle - EVM binary static analysis framework. Produces SSA representations of EVM code.
Custody
- Subzero - Subzero is an HSM-backed method for cold storage of Bitcoin developed by Square
Communities
Other Awesome Lists
- Awesome AppSec
- Awesome Ethereum Virtual Machine
- Awesome Solidity
- Crypto projects that might not suck
Contributing
We welcome contributions that help curate this awesome list. Please refer to the contributing guidelines when submitting PRs. Thanks!