Ecosyste.ms: Awesome


https://github.com/Quillhash/QuillAudit_Auditor_Roadmap

This repository contains a mindmap and a step-by-step set of resources for getting started with smart contract auditing. If you find anything missing or want to update existing resources, feel free to create a pull request.

blockchain ethereum evm security solidity

Last synced: about 2 months ago

# QuillAudit's SmartContract Auditor Roadmap

![](https://github.com/Quillhash/QuillAudit_Auditor_Roadmap/blob/main/files/QuillAudits_Auditor's_Roadmap.png)

PDF link: [QuillAudit_Auditor_Roadmap.pdf](https://github.com/Quillhash/QuillAudit_Auditor_Roadmap/blob/main/files/QuillAudits_Auditor's_Roadmap.pdf)

Xmind link: https://xmind.works/#/share/OjLKsLSh

---
Here is the best roadmap for you to become a smart contract auditor.
If you find anything missing or want to update existing resources, you can create a pull request and contribute to the project.

## Steps to Follow:

### 1. Blockchain & Ethereum Basics:

- ***Blockchain:***
  - [Blockchain Technology Explained](https://www.youtube.com/watch?v=qOVAbKKSH10)
  - [Blockchain Cryptography](https://101blockchains.com/blockchain-cryptography/)
- ***Ethereum:***
  - [Mastering Ethereum](https://github.com/ethereumbook/ethereumbook)
    - Mandatory chapters: 1, 4, 5, 6, 7, 9, 13 & 14
  - [Ethereum Documentation](https://ethereum.org/en/developers/)

### 2. Solidity Fundamentals:

- [Solidity Docs](https://docs.soliditylang.org/en/latest/)
- [smartcontract.engineer](https://www.smartcontract.engineer/)
- [Cryptozombies](https://cryptozombies.io/en/course/)
- [Solidity-by-example](https://solidity-by-example.org/)
- ***Secureum:***
  - [Secureum Solidity 101](https://secureum.substack.com/p/solidity-101?s=r)
  - [Secureum Solidity 201](https://secureum.substack.com/p/solidity-201?s=r)
- **[Solidity Gas Optimizations List](https://github.com/iskdrews/awesome-solidity-gas-optimization)**

### 3. Testing and Debugging Frameworks:

- [Hardhat](https://hardhat.org/guides/waffle-testing.html)
- [Brownie](https://eth-brownie.readthedocs.io/en/stable/)
- [Foundry](https://github.com/foundry-rs/foundry)
- [Tenderly](https://tenderly.co/)

### 4. Commonly used Libraries and Token Standards:

- **ERC Token Standards:**
  - [ERC 20](https://ethereum.org/en/developers/docs/standards/tokens/erc-20/)
  - [ERC 721 (NFT)](https://ethereum.org/en/developers/docs/standards/tokens/erc-721/)
  - [ERC 777](https://ethereum.org/en/developers/docs/standards/tokens/erc-777/)
  - [ERC 1155](https://ethereum.org/en/developers/docs/standards/tokens/erc-1155/)
  - [ERC 4626](https://ethereum.org/en/developers/docs/standards/tokens/erc-4626/)
  - [ERC 2981](https://eips.ethereum.org/EIPS/eip-2981)

- **[OpenZeppelin Helper Library/Contracts](https://github.com/OpenZeppelin/openzeppelin-contracts)**

- **Upgradeable Contracts:**
  - [Upgradeable Contracts - Smart Contract Programmer](https://www.youtube.com/watch?v=JgSj7IiE4jA)
  - [yAcademy Proxies Research](https://proxies.yacademy.dev/)
  - [Risks of Upgradeable Contracts - Smart Contract Programmer](https://www.youtube.com/watch?v=XmxfB5JOt1Q)
  - [Different Proxy Patterns - EIPs 897, 1822, 1967, 1538, 2535](https://ethereum-blockchain-developer.com/110-upgrade-smart-contracts/00-project/)
  - [OpenZeppelin Proxy docs](https://docs.openzeppelin.com/contracts/4.x/api/proxy)

### 5. Solidity Security Standards & Best Practices:

- [solidity-patterns](https://github.com/fravoll/solidity-patterns)
- [solcurity](https://github.com/transmissions11/solcurity)
- [Smart Contract Security Verification Standard](https://github.com/securing/SCSVS)
- [ConsenSys Smart Contract Best Practices](https://consensys.github.io/smart-contract-best-practices/)
- [Security Pitfalls & Best Practices 101](https://secureum.substack.com/p/security-pitfalls-and-best-practices-101)
- [Security Pitfalls & Best Practices 201](https://secureum.substack.com/p/security-pitfalls-and-best-practices-201)

### 6. Smart Contract Vulnerabilities:

- [SWC Registry](https://swcregistry.io/)
- [Kaden: Smart Contract Attack Vectors](https://github.com/KadenZipfel/smart-contract-attack-vectors)
- [Solidity Attack Vectors](https://github.com/Quillhash/Solidity-Attack-Vectors)
- [Common Vulnerabilities in Smart Contracts Mindmap](https://github.com/Anugrahsr/Awesome-web3-Security/blob/main/image/Vulnerabilities_in_Smart_contracts.png)

### 7. CTF Challenges:

- [Ethernaut](https://ethernaut.openzeppelin.com/)
- [Capture The Ether](https://capturetheether.com/)
- [QuillCTF](https://www.quillaudits.com/academy/ctf)
- [Curta CTF](https://www.curta.wtf/)
- [Paradigm CTF](https://ctf.paradigm.xyz/)
- [CipherShastra CTF](https://ciphershastra.com/index.html)
- [Damn Vulnerable DeFi](https://www.damnvulnerabledefi.xyz/)
- [unhackedctf](https://github.com/unhackedctf)

**100+ blockchain CTF challenges:** [https://github.com/minaminao/ctf-blockchain](https://github.com/minaminao/ctf-blockchain#ethereumcontract-basics)

### 8. Finance and DeFi:

- **Finance:**
  - [Khan Academy's Finance](https://www.khanacademy.org/economics-finance-domain/core-finance/derivative-securities)

- **DeFi (Decentralized Finance):**
  - [DeFi - TeachYourselfCrypto](https://teachyourselfcrypto.com/#ftoc-module-4-decentralized-finance-defi)
  - [Finematics - DeFi](https://www.youtube.com/watch?v=pWGLtjG-F5c&list=PLjrTIwaNiTwn39tg3sR_bPBWGHoznv47D)
  - [Smart Contract Programmer - DeFi](https://www.youtube.com/watch?v=qB2Ulx201wY&list=PLO5VPQH6OWdX-Rh7RonjZhOd9pb9zOnHW)
- **Well-known DeFi Protocols:**
  - [Uniswap](https://mvpworkshop.co/blog/uniswap-v3-explained-all-you-need-to-know/)
  - [Compound](https://mvpworkshop.co/blog/uniswap-v3-explained-all-you-need-to-know/)
  - [Aave](https://www.youtube.com/watch?v=WwE3lUq51gQ)
  - [Balancer](https://medium.com/token-terminal/eli5-what-is-balancer-labs-16c8cfe092d9)

- **Common DeFi Attack Vectors:**
  - [Flash Loan Attacks](https://www.moonpay.com/blog/defi-flash-loans-explained)
  - [Price Oracle Manipulation](https://medium.com/beaver-smartcontract-security/defi-security-lecture-7-price-oracle-manipulation-d716cdeaaf77)
  - [Front-Running](https://www.securing.pl/en/front-running-attack-in-defi-applications-how-to-deal-with-it/)
  - [Exit Scams](https://www.acamstoday.org/cryptocurrency-exit-scams-what-they-are-and-how-to-avoid-them/)
  - [Sandwich Attacks](https://trustwallet.com/blog/how-to-protect-yourself-from-sandwich-attacks)
  - [Unlimited Token Allowances](https://kalis.me/unlimited-erc20-allowances/)

### 9. Auditing Tools and Techniques:

- **Auditing Tools:**
  - [Slither](https://github.com/crytic/slither)
  - [Mythril](https://github.com/ConsenSys/mythril)
  - [MythX](https://mythx.io/)
  - [Echidna](https://github.com/crytic/echidna)
  - [Foundry Fuzz Testing](https://book.getfoundry.sh/forge/fuzz-testing)
  - [Manticore](https://github.com/trailofbits/manticore)
  - [Surya](https://github.com/ConsenSys/surya)
- **VS Code Extensions:**
  - [Solidity Visual Developer](https://marketplace.visualstudio.com/items?itemName=tintinweb.solidity-visual-auditor)
  - [Solidity Metrics](https://marketplace.visualstudio.com/items?itemName=tintinweb.solidity-metrics)
  - [Slither VSC](https://marketplace.visualstudio.com/items?itemName=trailofbits.slither-vscode)
  - [EthOver](https://marketplace.visualstudio.com/items?itemName=tintinweb.vscode-ethover)

- **Auditing Books and Guides:**
  - [The Auditor's Book](https://theauditorbook.com/)
  - [Audit Hero](https://audit-hero.com/search-findings)
  - [solodit.xyz](https://solodit.xyz/dashboard)
  - [Audit Checklist](https://github.com/tamjid0x01/SmartContracts-audit-checklist)

- **[Complete List of Web3 Security Tools](https://github.com/Quillhash/Web3-Security-Tools)**

### 10. Postmortem & Audit Reports:

- **Postmortems:**
  - [Immunefi](https://medium.com/@immunefi)
  - [QuillAudits](https://quillaudits.medium.com/)
  - [BlockSec](https://blocksecteam.medium.com/)
  - [SlowMist](https://slowmist.medium.com/)
  - [Rekt News](https://rekt.news/)
  - [Neptune Mutual](https://medium.com/@neptunemutual)
  - [PeckShield](https://twitter.com/peckshield)
  - [hacxyk](https://medium.com/@hacxyk)
  - [Coinmonks](https://medium.com/coinmonks)
  - [Trail of Bits](https://blog.trailofbits.com/)
  - [Secureum](https://secureum.substack.com/)
  - [OpenZeppelin](https://blog.openzeppelin.com/security-audits/)
  - [OfficerCIA](https://officercia.mirror.xyz/)

- **Audit Report Reading:**
  - [QuillAudits](https://github.com/Quillhash/QuillAudit_Reports)
  - [Code4rena](https://code4rena.com/reports)
  - [Sherlock](https://github.com/sherlock-audit)
  - [Spearbit](https://github.com/spearbit/portfolio/tree/master/pdfs)
  - [ConsenSys](https://consensys.net/diligence/audits/)
  - [OpenZeppelin](https://blog.openzeppelin.com/security-audits/)
  - [ChainSecurity](https://chainsecurity.com/audits/)
  - [Ackee Audit Reports](https://ackeeblockchain.com/blog/)
- **[Complete List of Audit Reports](https://github.com/0xNazgul/Blockchain-Security-Audit-List)**

### 11. Keep Yourself Updated:

- **Newsletters:** [Blockthreat](https://newsletter.blockthreat.io/), [Hashingbits](https://quillaudits.substack.com/), [Immunefi](https://immunefi.com/)
- **Discord Communities:** [QuillAudits](https://discord.gg/b8y4Z8p7Qg), [Immunefi](https://discord.gg/immunefi), [Secureum](https://discord.gg/vGebCTSfNx), [Blockchain Pentesting](https://discord.gg/5JZERC5Vxs), [OpenSense](https://discord.gg/opensense), [Web3SecurityDAO](https://discord.gg/9SQqMHkQxK), [DeFiHackLabs](https://discord.gg/HtqdYn2ECa)
- **Twitter:** [Mudit Gupta](https://twitter.com/Mudit__Gupta/), [samczsun](https://twitter.com/samczsun), [CertiK Alert](https://twitter.com/CertiKAlert), [PeckShieldAlert](https://twitter.com/PeckShieldAlert), [QuillAudits](https://twitter.com/QuillAudits), [BlockSec](https://twitter.com/BlockSecTeam), [BeosinAlert](https://twitter.com/BeosinAlert), [Officer_CIA](https://twitter.com/officer_cia)

### 12. Miscellaneous Resources:

- [Security and Auditing Course by Cyfrin Updraft](https://updraft.cyfrin.io/courses/security)
- [Web3 Security Course by Gateway](http://course.intogateway.com)
- [Smart Contract Hacking Course by JohnnyTime](https://smartcontractshacking.com/)
- [Web3Suggests](https://web3suggest.xyz/)
- [Web3-Security-Library](https://github.com/immunefi-team/Web3-Security-Library)
- [TeachYourselfCrypto](https://teachyourselfcrypto.com)
- [w3bs3c](https://www.w3bs3c.com/)
- [Awesome Web3 Security](https://github.com/Anugrahsr/Awesome-web3-Security)
- [Learn Blockchain, Solidity, and Full Stack Web3 Development with JavaScript](https://www.youtube.com/watch?v=gyMwXuJrbJQ)
- [Learn Blockchain, Solidity, and Full Stack Web3 Development with Python](https://www.youtube.com/watch?v=M576WGiDBdQ)

### Credits:

- [**Auditor Mindmap by RazzorSec**](https://github.com/razzorsec/AuditorsRoadmap)