EatTheBlocks – Smart Contract Security 101 (2022)
Security Course 101
The objective of this course is to understand how to develop a smart contract in the safest way possible. For this, we need to keep in mind not only what we want to create in the contract, but how to generate security-focused code.
To achieve this purpose, since the contracts in a large percentage represent real money, we need to be updated as developers on the most known vulnerabilities and know how old hacks worked so as not to repeat those same errors.
This course not only focuses on the most known vulnerabilities currently but is also good practices, explanation of patterns and problems of these, for example, conflicts when using upgradeable contracts or how to obtain random numbers within a deterministic blockchain.
All this knowledge will be useful not only to develop smart contracts but also to audit them. Therefore, it is a core knowledge of smart contracts.
What will you learn in this course?
In this course you will learn:
- Understanding security in a Blockchain Application.
- How does an attack on a Smart Contract work?
- Known attacks and how to fix them (Reentrancy, Overflow, Replay Attack, DoS, weak randomness, and much more).
- Best practices and security patterns.
- Understand how three famous hacks happened.
- How to test your contract
- How to know the coverage of your test?
We will use:
- Hardhat
- Solidity
- OpenZeppelin
- Javascript
- Ethers.js
- Chainlink library
- Chai.js
- Coverage
Pre-requisites:
- Web Development (Javascript, NodeJS)
- Blockchain Development (Ethereum, Solidity, Hardhat)
Your Instructor
https://www.linkedin.com/in/santiago-julian-moreno
CoinFabrik
Course Curriculum
1. Welcome
- 1.1. Introduction (3:24)
- 1.2. Understanding Security Importance (4:28)
- 1.3. Prerequisites
- 1.4. Resources
- 1.5. Q&A
2. Access Control
- 2.1. AgreedPrice (1:34)
- 2.2. AgreedPrice Tests (4:44)
- 2.3. Require Statement Solution (4:06)
- 2.4. Custom Modifier Solution (5:28)
- 2.5. Community Vetted Code (2:35)
- 2.6. Ownable Solution (3:09)
- 2.7. Q&A
3. Unencrypted Data
- 3.1. Unencrypted Data Introduction (0:51)
- 3.2. Vault Contract (2:35)
- 3.3. Storage Layout (2:07)
- 3.4. Peeking in the storage (4:12)
- 3.5. Conclusions (0:52)
- 3.6. Q&A
4. Overflow
- 4.1. Overflow Introduction (3:50)
- 4.2. SimpleToken (Victim) (2:07)
- 4.3. Exploit (5:35)
- 4.4. Overflow Soltuions (5:07)
- 4.5. Conclusions (1:33)
- 4.6. Q&A
5. Contracts Interactions
- 5.1. Contracts Interactions Introduction (1:46)
- 5.2. Call(), send(), transfer() (2:33)
- 5.3. SavingsAccount & Investor contracts (2:11)
- 5.4. Interactions Tests (6:40)
- 5.5. Q&A
6. Reentrancy
- 6.1. Introdiction (2:06)
- 6.2. SavingAccounts V2 & InvestorV2 (2:18)
- 6.3. Reentrancy Attack (5:39)
- 6.4. Reentrancy Solutions (4:40)
- 6.5. Q&A
7. Tx.origin
- 7.1. Introduction (2:20)
- 7.2. SmallWallet & Attacker (2:19)
- 7.3. Exploit (3:31)
- 7.4. Solution (1:28)
- 7.5. Q&A
8. Denial Of Service
- 8.1. Introduction (1:38)
- 8.2. Auction Contract (2:38)
- 8.3. Attack (5:34)
- 8.4. Solution – Auction V2 (6:06)
- 8.5. Q&A
9. Upgradeability
- 9.1. Introduction (1:58)
- 9.2. How Delegatecall Works (3:49)
- 9.3. Storage Collisions (7:58)
- 9.4. Custom Solution And Related Vulnerabilities (4:53)
- 9.5. Q&A
10. Weak Randomness
- 10.1. Introduction (1:44)
- 10.2. Lottery Contract (2:53)
- 10.3. The Path Of A Transaction (2:17)
- 10.4. Miner Attack (5:16)
- 10.5. Replicated Logic Attack (3:11)
- 10.6. Chainlink VRF (5:50)
- 10.7. Q&A
11. Replay Attacks
- 11.1. Introduction (1:48)
- 11.2. Signing a message off-chain with a wallet (1:33)
- 11.3. MultiSigWallet Contract (2:12)
- 11.4. Replay Attack on MultiSig (3:06)
- 11.5. Replay Attack Fix (2:52)
- 11.6. Q&A
12. Real Life Hacks
- 12.1. Introduction (0:50)
- 12.2. The DAO (5:22)
- 12.3. The King Of Ether (2:41)
- 12.4. Parity Multi Sig Wallet (5:49)
13. Conclusion
- 13.1. Conclusion (1:27)