{"id":13421519,"url":"https://github.com/crytic/awesome-ethereum-security","last_synced_at":"2025-04-08T02:42:25.389Z","repository":{"id":40740881,"uuid":"144327211","full_name":"crytic/awesome-ethereum-security","owner":"crytic","description":"A curated list of awesome Ethereum security references","archived":false,"fork":false,"pushed_at":"2024-08-20T12:39:26.000Z","size":37,"stargazers_count":1364,"open_issues_count":24,"forks_count":198,"subscribers_count":38,"default_branch":"master","last_synced_at":"2025-04-01T01:41:50.520Z","etag":null,"topics":["ethereum","evm","security","solidity"],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"cc-by-4.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/crytic.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2018-08-10T19:58:33.000Z","updated_at":"2025-03-30T06:41:10.000Z","dependencies_parsed_at":"2024-01-05T23:45:07.811Z","dependency_job_id":"58136d96-a842-4b62-b2d7-7d6af755cf1e","html_url":"https://github.com/crytic/awesome-ethereum-security","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/crytic%2Fawesome-ethereum-security","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/crytic%2Fawesome-ethereum-security/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/crytic%2Fawesome-ethereum-security/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/crytic%2Fawesome-ethereum-security/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/crytic","download_url":"https://codeload.github.com/crytic/awesome-ethereum-security/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247419854,"owners_count":20936012,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ethereum","evm","security","solidity"],"created_at":"2024-07-30T23:00:23.567Z","updated_at":"2025-04-08T02:42:25.365Z","avatar_url":"https://github.com/crytic.png","language":null,"funding_links":[],"categories":["Awesome List","Resources","GitHub Repositories","Security","miscellaneous","Community","\u003ca id=\"8c5a692b5d26527ef346687e047c5c21\"\u003e\u003c/a\u003e收集","Other Lists","四、安全开发与审计（重中之重）","Unicorn"],"sub_categories":["Cairo","Lists","TeX Lists","2. 审计工具与资源"],"readme":"# Awesome Ethereum Security [![PRs Welcome](https://img.shields.io/badge/PRs-welcome-brightgreen.svg?style=flat-square)](http://makeapullrequest.com)\n\nA curated list of awesome Ethereum security references, guidance, tools, and more.\n\nJoin Trail of Bits for a free Ethereum Office Hours session by [reserving a slot on Calendly](https://calendly.com/dan-trailofbits/ethereum-office-hours). An engineer from Trail of Bits will assist you in applying advanced security (tools)[#tools] and practices to your smart contract code.\n\n## Contents\n\n* [Learning](#learning)\n  * [Security references](#security-references)\n  * [Insecurity references](#insecurity-references)\n  * [Capture the Flag and Wargames](#capture-the-flag-and-wargames)\n    * [Writeups](#writeups)\n  * [Coordinated disclosure](#coordinated-disclosure)\n  * [Blogs](#blogs)\n  * [Notable blog posts](#notable-blog-posts)\n  * [Conference talks](#conference-talks)\n  * [Podcasts and Episodes](#podcasts-and-episodes)\n    * [Podcasts](#podcasts)\n    * [Episodes](#episodes)\n* [Tools](#tools)\n  * [Visualization](#visualization)\n  * [Linters](#linters)\n  * [Bug finding tools](#bug-finding-tools)\n  * [Verification tools](#verification-tools)\n  * [Reversing tools](#reversing-tools)\n* [Communities](#communities)\n* [Other Awesome Lists](#other-awesome-lists)\n\n## Learning\n\n### Security references\n\n* [Comprehensive list of known attack vectors for Solidity](https://blog.sigmaprime.io/solidity-security.html)\n* [Consensys Best Practices](https://github.com/ConsenSys/smart-contract-best-practices)\n* [Decentralized Application Security Project](https://www.dasp.co/)\n* [Solidity Security Considerations](https://solidity.readthedocs.io/en/latest/security-considerations.html)\n* [Solidity v0.5.0 Breaking Changes](https://solidity.readthedocs.io/en/latest/050-breaking-changes.html)\n\n### Insecurity references\n\n* [Awesome Buggy ERC20 Tokens](https://github.com/sec-bit/awesome-buggy-erc20-tokens)\n* [EVM Analyzer Benchmark](https://github.com/ConsenSys/evm-analyzer-benchmark-suite)\n* [Not So Smart Contracts](https://github.com/trailofbits/not-so-smart-contracts)\n\n### Capture the Flag and Wargames\n\n* [Capture the Ether](https://capturetheether.com/)\n* [Ethernaut](https://ethernaut.zeppelin.solutions/)\n* [EtherHack](https://etherhack.positive.com/)\n* [SI Blockchain CTF](https://blockchain-ctf.securityinnovation.com/)\n\n#### Writeups\n\n* [Hands on the Ethernaut CTF](https://blog.trailofbits.com/2017/11/06/hands-on-the-ethernaut-ctf/) - Writeups for various Ethernaut CTF challenge contracts.\n* [Ethernaut - Naught Coin (ERC20) Exploitation](https://medium.com/coinmonks/ethernaut-naught-coin-erc20-exploitation-218c86bb953b) - Writeup for a vulnerable ERC20 from the Ethernaut CTF.\n* [EtherHack CTF Writeup](https://blog.positive.com/phdays-8-etherhack-contest-writeup-794523f01248) - Writeup for EtherHack CTF challenges.\n* [PolySwarm Smart Contract Hacking Challenge Writeup](https://raz0r.name/writeups/polyswarm-smart-contract-hacking-challenge-writeup/) - Demonstrates advanced use of Manticore\n\n### Coordinated disclosure\n\n* [Blockchain Security Contacts](https://github.com/trailofbits/blockchain-security-contacts) - Security contact info for blockchain projects\n\n### Blogs\n\n* [Hacking Distributed](http://hackingdistributed.com/) - Emin Gün Sirer, professor in Cornell Tech’s IC3 lab focused on blockchain security.\n* [Phil Does Security](https://pdaian.com/blog/) - Phil Daian, grad student behind KEVM, Hydra, and other Ethereum academic projects\n* [Trail of Bits](https://blog.trailofbits.com/) - Cybersecurity R\u0026D firm with a blockchain security practice\n* [Martin Holst Swende](http://swende.se/) - Martin Swende, programmer and appsec consultant\n* [SmartDec blog](https://blog.smartdec.net/) - Company blog about security issues and practices within blockchain ecosystem\n\n### Notable blog posts\n\n* [Contract upgrade anti-patterns](https://blog.trailofbits.com/2018/09/05/contract-upgrade-anti-patterns/)\n* [How the winner got Fomo3D prize — A Detailed Explanation](https://medium.com/coinmonks/how-the-winner-got-fomo3d-prize-a-detailed-explanation-b30a69b7813f)\n* [How to debug Solidity Smart Contracts with Tenderly and Truffle](https://medium.com/tenderly/how-to-debug-solidity-smart-contracts-with-tenderly-and-truffle-da995cfe098f)\n* [Lashing out at a Spank Channel](https://medium.com/coinmonks/lashing-out-at-a-spank-channel-2b42b23f0dc6)\n* [Malicious GasToken Minting](https://medium.com/level-k/public-disclosure-malicious-gastoken-minting-236b2f8ace38)\n* [Missing return value bug in ERC20 tokens](https://medium.com/coinmonks/missing-return-value-bug-at-least-130-tokens-affected-d67bf08521ca)\n* [Not A Fair Game – Fairness Analysis of Dice2win](http://blogs.360.cn/post/Fairness_Analysis_of_Dice2win_EN.html)\n* [Initial Formal Verification of Ethereum Casper Protocol](https://runtimeverification.com/blog/runtime-verification-completes-formal-verification-of-ethereum-casper-protocol/)\n* [Security considerations for Shamir's secret sharing](https://ethresear.ch/t/security-considerations-for-shamirs-secret-sharing/4294)\n* [SmartDec smart contract audit beginner's guide](https://blog.smartdec.net/smartdec-smart-contract-audit-beginners-guide-d04cc7f1c571)\n* [The Anatomy of a Block Stuffing Attack](https://osolmaz.com/2018/10/18/anatomy-block-stuffing/)\n* [The phenomenon of smart contract honeypots](https://medium.com/@gerhard.wagner/the-phenomena-of-smart-contract-honeypots-755c1f943f7b)\n* [Use our suite of Ethereum security tools](https://blog.trailofbits.com/2018/03/23/use-our-suite-of-ethereum-security-tools/)\n* [Vertcoin (VTC) was successfully 51% attacked](https://medium.com/coinmonks/vertcoin-vtc-is-currently-being-51-attacked-53ab633c08a4)\n\n### Conference talks\n\n| Title | Conference | Year |\n| --- | --- | --- |\n| [Predicting Random Numbers in Ethereum Smart Contracts](https://schd.ws/hosted_files/appseccalifornia2018/00/AppSecCali%202018%20-%20Predicting%20Random%20Numbers%20in%20Ethereum%20Smart%20Contracts.pdf) | OWASP AppSec | 2018 |\n| [Blockchain Autopsies - Analyzing Smart Contract Deaths](https://github.com/trailofbits/publications/tree/master/presentations/Blockchain%20Autopsies%20-%20Analyzing%20Smart%20Contract%20Deaths) | Blackhat USA | 2018 |\n| [Rattle - an EVM binary analysis framework](https://www.trailofbits.com/presentations/rattle/) | reCON | 2018 |\n| [Blackhat Ethereum](https://github.com/trailofbits/publications/blob/master/presentations/Blackhat%20Ethereum) | CanSecWest | 2018 |\n| [Smashing Ethereum Smart Contracts for Fun and Profit](https://github.com/b-mueller/smashing-smart-contracts) | HITB Amsterdam | 2018 |\n| [Automatic Bug Finding for the Blockchain](https://github.com/trailofbits/publications/blob/master/presentations/Automatic%20bugfinding%20for%20the%20blockchain) | EkoParty | 2017 |\n\n### Podcasts and Episodes\n\n#### Podcasts\n\n* [CoinSec Podcast](https://coinsecpodcast.com/)\n* [The Smartest Contract](http://www.thesmartestcontract.com/)\n* [Zero Knowledge](http://www.zeroknowledge.fm/)\n\n#### Episodes\n\n* [The Smartest Contract #15](http://www.thesmartestcontract.com/15) - Trail of Bits’ Outlook on Security w/ JP Smith\n* [The Smartest Contract #8](http://www.thesmartestcontract.com/8) - Smart Contract Security and Honeypots w/ Gerhard Wagner\n* [Zero Knowledge #29](http://www.zeroknowledge.fm/29) - The DAO, the White Hat Hacker Group \u0026 Giveth w/ Griff Green\n* [Zero Knowledge #16](http://www.zeroknowledge.fm/16) - Talking security with JP Smith from Trail of Bits\n* [Risky Business #488](https://risky.biz/RB488/) - JP Smith about all things blockchain\n\n## Tools\n\n### Visualization\n\n* [ethereum-graph-debugger](https://github.com/fergarrui/ethereum-graph-debugger) - A graphical EVM debugger. Displays the entire program control flow graph.\n* [Slither](https://github.com/trailofbits/slither) - Slither can map method visibility and modifiers, state variables that are read and written, calls, and can print the inheritance graph of a smart contract\n* [Solgraph](https://github.com/raineorshine/solgraph) - Generates DOT graphs with function control flow of a solidity contract\n* [Surya](https://github.com/ConsenSys/surya) - Generates various visual outputs of function call graphs\n* [sol-function-profiler](https://github.com/EricR/sol-function-profiler) - Solidity contract function profiler\n\n### Linters\n\n* [Remix](https://remix.ethereum.org/) - Browser-based Solidity IDE with linting features\n* [SmarrtCheck](https://tool.smartdec.net/) - A linter for Solidity and Vyper that checks code for security issues and bad practices.\n* [Solhint](https://github.com/protofire/solhint) - Linter for both security and style-guide validations. It strictly adheres to the [Solidity Style Guide](https://solidity.readthedocs.io/en/latest/style-guide.html).\n* [Solium](https://github.com/duaraghav8/Solium) - Linter for both security and style-guide validations. Does not strictly adhere to the Solidity Style Guide.\n\n### Bug finding tools\n\n* [Echidna](https://github.com/trailofbits/echidna) - Fuzzer for Ethereum smart contracts. Uses property testing to generate malicious inputs that break smart contracts.\n* [Manticore](https://github.com/trailofbits/manticore) - Symbolic execution tool for Ethereum smart contracts that includes detectors for common security flaws\n* [Mythril OSS](https://github.com/ConsenSys/mythril/) - Open-source security analysis tool for Ethereum smart contracts built around detector modules\n* [Securify](https://github.com/eth-sri/securify) - Static analysis tool from ChainSecurity\n* [Slither](https://github.com/trailofbits/slither) - Static analysis framework, written in Python, with detectors for many common Solidity issues\n\n### Verification tools\n\n* [KEVM](https://github.com/kframework/evm-semantics) - K Semantics of the Ethereum Virtual Machine (EVM)\n* [Manticore](https://github.com/trailofbits/manticore) - Symbolic execution tool for EVM\n\n### Reversing tools\n\n* [abi-decompiler](https://github.com/beched/abi-decompiler) - EVM reverse engineering helper utility\n* [ethereum-dasm](https://github.com/tintinweb/ethereum-dasm) - EVM disassembler with static and dynamic analysis abilities, including function signature lookup\n* [Ethersplay](https://github.com/trailofbits/ethersplay) - Visual disassembler for EVM bytecode built on Binary Ninja\n* [evmlab](https://github.com/ethereum/evmlab) - Utilities for interacting with the Ethereum virtual machine\n* [IDA-EVM](https://github.com/trailofbits/ida-evm) - IDA plugin to view EVM instructions\n* [Panoramix](http://eveem.org/about)\n* [pyevmasm](https://github.com/trailofbits/pyevmasm) - EVM assembler and disassembler with a CLI and a Python API\n* [Rattle](https://github.com/trailofbits/rattle) - EVM binary static analysis framework. Produces SSA representations of EVM code.\n\n### Custody\n\n* [Subzero](https://medium.com/square-corner-blog/open-sourcing-subzero-ee9e3e071827) - Subzero is an HSM-backed method for cold storage of Bitcoin developed by Square\n\n## Communities\n\n* [Enterprise Ethereum Alliance Security Task Force](https://entethalliance.org/working-groups/)\n* [Empire Hacking Slack](https://empireslacking.herokuapp.com/) #ethereum\n\n## Other Awesome Lists\n\n* [Awesome AppSec](https://github.com/paragonie/awesome-appsec)\n* [Awesome Ethereum Virtual Machine](https://github.com/pirapira/awesome-ethereum-virtual-machine)\n* [Awesome Solidity](https://github.com/bkrem/awesome-solidity)\n* [Crypto projects that might not suck](https://github.com/sweis/crypto-might-not-suck)\n\n## Contributing\n\nWe welcome contributions that help curate this awesome list. Please refer to the [contributing guidelines](CONTRIBUTING.md) when submitting PRs. Thanks!\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcrytic%2Fawesome-ethereum-security","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcrytic%2Fawesome-ethereum-security","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcrytic%2Fawesome-ethereum-security/lists"}