Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/Quillhash/QuillAudit_Auditor_Roadmap

This repository contains a mindmap and stepwise resource to get started with Smart Contract Auditing. If you find anything missing or want to update existing resources, feel free to create a pull request.
https://github.com/Quillhash/QuillAudit_Auditor_Roadmap

blockchain ethereum evm security solidity

Last synced: 7 days ago
JSON representation

This repository contains a mindmap and stepwise resource to get started with Smart Contract Auditing. If you find anything missing or want to update existing resources, feel free to create a pull request.

Awesome Lists containing this project

README

        

# QuillAudit's SmartContract Auditor Roadmap

![](https://github.com/Quillhash/QuillAudit_Auditor_Roadmap/blob/main/files/QuillAudits_Auditor's_Roadmap.png)

Pdf Link: [QuillAudit_Auditor_Roadmap.pdf](https://github.com/Quillhash/QuillAudit_Auditor_Roadmap/blob/main/files/QuillAudits_Auditor's_Roadmap.pdf)

Xmind Link: https://xmind.works/#/share/OjLKsLSh

---
Here is the best roadmap for you to become a Smart Contract Auditor!
If you find anything missing or want to update existing resources, you can create a pull request and contribute to the project.

## Steps to Follow:

### 1. Blockchain & Ethereum Basics:

- ***Blockchain :***
- [Blockchain Technology Explained](https://www.youtube.com/watch?v=qOVAbKKSH10)
- [Blockchain Cryptography](https://101blockchains.com/blockchain-cryptography/)
- ***Ethereum:***
- [Mastering Ethereum](https://github.com/ethereumbook/ethereumbook)
- Mandatory Chapters 1,4,5,6,7,9,13 & 14
- [Ethereum Documentations](https://ethereum.org/en/developers/)

### 2. Solidity Fundamentals:

- [Solidity Docs](https://docs.soliditylang.org/en/latest/)
- [smartcontract.engineer](https://www.smartcontract.engineer/)
- [Cryptozombies](https://cryptozombies.io/en/course/)
- [Solidity-by-example](https://solidity-by-example.org/)
- ***Secureum***:
- [Secureum Solidity 101](https://secureum.substack.com/p/solidity-101?s=r)
- [Secureum Solidity 201](https://secureum.substack.com/p/solidity-201?s=r)
- **[Solidity Gas Optimizations List](https://github.com/iskdrews/awesome-solidity-gas-optimization)**

### 3. Testing and Debugging Frameworks

- [Foundry](https://github.com/foundry-rs/foundry)
- [Hardhat](https://hardhat.org/guides/waffle-testing.html)
- [Brownie](https://eth-brownie.readthedocs.io/en/stable/)
- [Tenderly](https://tenderly.co/)

### 4. Commonly used Libraries and Token Standards:

- **ERC Token Standards:**
- [ERC 20](https://ethereum.org/en/developers/docs/standards/tokens/erc-20/)
- [ERC 721 (NFT)](https://ethereum.org/en/developers/docs/standards/tokens/erc-721/)
- [ERC 777](https://ethereum.org/en/developers/docs/standards/tokens/erc-777/)
- [ERC 1155](https://ethereum.org/en/developers/docs/standards/tokens/erc-1155/)
- [ERC 4626](https://ethereum.org/en/developers/docs/standards/tokens/erc-4626/)
- [ERC 2981](https://eips.ethereum.org/EIPS/eip-2981)

- **[OpenZeppelin Helper Library/Contracts.](https://github.com/OpenZeppelin/openzeppelin-contracts)**

- **Upgradable Contracts:**
- [Upgradeable Contracts - Smartcontract Programmer](https://www.youtube.com/watch?v=JgSj7IiE4jA)
- [yAcademy Proxies Research](https://proxies.yacademy.dev/)
- [Risks of Upgradeable Contracts - Smartcontract Programmer](https://www.youtube.com/watch?v=XmxfB5JOt1Q)
- [Different Proxy Patterns - EIPs 897, 1822, 1967, 1538, 2535](https://ethereum-blockchain-developer.com/110-upgrade-smart-contracts/00-project/)
- [Openzeppelin Proxy docs](https://docs.openzeppelin.com/contracts/4.x/api/proxy)

### 5. Solidity Security Standard & Best Practice:

- [solidity-patterns](https://github.com/fravoll/solidity-patterns)
- [solcurity](https://github.com/transmissions11/solcurity)
- [Smart Contract Security Verification Standard](https://github.com/securing/SCSVS)
- [Consensys Smart-contract-best-practices](https://consensys.github.io/smart-contract-best-practices/)
- [Security Pitfalls & Best Practices 101](https://secureum.substack.com/p/security-pitfalls-and-best-practices-101)
- [Security Pitfalls & Best Practices 201](https://secureum.substack.com/p/security-pitfalls-and-best-practices-201)

### 6. Smart Contract Vulnerabilities:

- [SWC Registry](https://swcregistry.io/)
- [Kaden: Smart Contract Attack Vectors](https://github.com/KadenZipfel/smart-contract-attack-vectors)
- [Solidity Attack Vectors](https://github.com/Quillhash/Solidity-Attack-Vectors)
- [Common Vulnerabilities in Smart contracts MindMap](https://github.com/Anugrahsr/Awesome-web3-Security/blob/main/image/Vulnerabilities_in_Smart_contracts.png)

### 7. CTF Challenges:

- [Ethernaut](https://ethernaut.openzeppelin.com/)
- [Capture The Ether](https://capturetheether.com/)
- [QuillCTF](https://www.quillaudits.com/academy/ctf)
- [Curta CTF](https://www.curta.wtf/)
- [Paradigm CTF](https://ctf.paradigm.xyz/)
- [ciphershastra CTF](https://ciphershastra.com/index.html)
- [Damn Vulnerable DeFi](https://www.damnvulnerabledefi.xyz/)
- [unhackedctf](https://github.com/unhackedctf)

**100+ CTF blockchain challenges:** [https://github.com/minaminao/ctf-blockchain](https://github.com/minaminao/ctf-blockchain#ethereumcontract-basics)

### 8. Finance and DeFi:

- **Finance:**
- [Khan Academy’s Finance](https://www.khanacademy.org/economics-finance-domain/core-finance/derivative-securities)

- **DeFi (Decentralized Finance)**
- [DeFi - Teachyourselfcrypto](https://teachyourselfcrypto.com/#ftoc-module-4-decentralized-finance-defi)
- [Finematics - DeFi](https://www.youtube.com/watch?v=pWGLtjG-F5c&list=PLjrTIwaNiTwn39tg3sR_bPBWGHoznv47D)
- [Smart Contract Programmer - DeFi](https://www.youtube.com/watch?v=qB2Ulx201wY&list=PLO5VPQH6OWdX-Rh7RonjZhOd9pb9zOnHW)
- **Well known DeFi Protocols:**
- [Uniswap](https://mvpworkshop.co/blog/uniswap-v3-explained-all-you-need-to-know/)
- [Compound](https://mvpworkshop.co/blog/uniswap-v3-explained-all-you-need-to-know/)
- [Aave](https://www.youtube.com/watch?v=WwE3lUq51gQ)
- [Balancer](https://medium.com/token-terminal/eli5-what-is-balancer-labs-16c8cfe092d9)

- **Common DeFi Attack Vectors:**
- [Flash Loan Attack](https://www.moonpay.com/blog/defi-flash-loans-explained)
- [Price Oracle Manipulation](https://medium.com/beaver-smartcontract-security/defi-security-lecture-7-price-oracle-manipulation-d716cdeaaf77)
- [Front-Running](https://www.securing.pl/en/front-running-attack-in-defi-applications-how-to-deal-with-it/)
- [Exit Scams](https://www.acamstoday.org/cryptocurrency-exit-scams-what-they-are-and-how-to-avoid-them/)
- [Sandwich attacks](https://medium.com/coinmonks/defi-sandwich-attack-explain-776f6f43b2fd)
- [Unlimited Token Allowance](https://kalis.me/unlimited-erc20-allowances/)

### 9. Auditing Tools and Techniques:
- **Auditing Tools:**
- [Slither](https://github.com/crytic/slither)
- [QuillShield](https://shield.quillai.network/)
- [Mythril](https://github.com/ConsenSys/mythril)
- [Mythx](https://mythx.io/)
- [Echidna](https://github.com/crytic/echidna)
- [Foundry FUZZ](https://book.getfoundry.sh/forge/fuzz-testing)
- [Manticore](https://github.com/trailofbits/manticore)
- [Surya](https://github.com/ConsenSys/surya)
- **VS Code Extensions**
- [Solidity Visual Developer](https://marketplace.visualstudio.com/items?itemName=tintinweb.solidity-visual-auditor)
- [Solidity Metrics](https://marketplace.visualstudio.com/items?itemName=tintinweb.solidity-metrics)
- [Slither VSC](https://marketplace.visualstudio.com/items?itemName=trailofbits.slither-vscode)
- [EthOver](https://marketplace.visualstudio.com/items?itemName=tintinweb.vscode-ethover)

- **Auditing Books and Guides**
- [Audit Hero](https://audit-hero.com/finding)
- [solodit](https://solodit.cyfrin.io/)
- [Audit Checklist](https://github.com/tamjid0x01/SmartContracts-audit-checklist)

- **[Complete List of Web3 Security Tools](https://github.com/Quillhash/Web3-Security-Tools)**

### 10. Postmortem & Audit Reports:

- **Postmortems:**
- [Immunefi](https://medium.com/@immunefi)
- [QuillAudits](https://quillaudits.medium.com/)
- [BlockSec](https://blocksecteam.medium.com/)
- [SlowMist](https://slowmist.medium.com/)
- [Rekt News](https://rekt.news/)
- [Neptune Mutual](https://medium.com/@neptunemutual)
- [PeckShield](https://twitter.com/peckshield)
- [hacxyk](https://medium.com/@hacxyk)
- [Coinmonk](https://medium.com/coinmonks)
- [TrailOfBits](https://blog.trailofbits.com/)
- [Secureum](https://secureum.substack.com/)
- [Openzeppelin](https://blog.openzeppelin.com/security-audits/)
- [OfferCIA](https://officercia.mirror.xyz/)

- **Audit Report Reading**
- [QuillAudits](https://github.com/Quillhash/QuillAudit_Reports)
- [Code4rena](https://code4rena.com/reports)
- [Sherlock](https://github.com/sherlock-audit)
- [Spearbit](https://github.com/spearbit/portfolio/tree/master/pdfs)
- [Consensys](https://consensys.net/diligence/audits/)
- [Openzeppelin](https://blog.openzeppelin.com/security-audits/)
- [Chainsecurity](https://chainsecurity.com/audits/)
- [Ackee Audit Reports](https://ackeeblockchain.com/blog/)
- **[Complete List of Audit Reports](https://github.com/0xNazgul/Blockchain-Security-Audit-List)**

### 11. Keep Yourself Updated:

- **Newsletters**: [Blockthreat](https://newsletter.blockthreat.io/), [Hashingbits](https://quillaudits.substack.com/), [Immunefi](https://immunefi.com/)
- **Discord Communities**: [QuillAudits](https://discord.gg/b8y4Z8p7Qg), [Immunefi](https://discord.gg/immunefi), [Secureum](https://discord.gg/vGebCTSfNx), [Blockchain Pentesting](https://discord.gg/5JZERC5Vxs), [OpenSense](https://discord.gg/opensense), [Web3SeucurityDAO](https://discord.gg/9SQqMHkQxK), [DeFiHackLabs](https://discord.gg/HtqdYn2ECa)
- **Twitter**: [Mudit Gupta,](https://twitter.com/Mudit__Gupta/) [Samczun](https://twitter.com/samczsun), [Certik Alert](https://twitter.com/CertiKAlert), [PeckShieldAlert](https://twitter.com/PeckShieldAlert), [QuillAudits](https://twitter.com/QuillAudits), [BlockSec](https://twitter.com/BlockSecTeam), [BeosinAlert](https://twitter.com/BeosinAlert), [Officer_CIA](https://twitter.com/officer_cia)

### 12. Miscellaneous Resources:

- [Security and Audting Course by Cyfrin Updraft](https://updraft.cyfrin.io/courses/security)
- [Smart Contract Hacking Course by JohnnyTime](https://smartcontractshacking.com/)
- [Web3-Security-Library](https://github.com/immunefi-team/Web3-Security-Library)
- [TeachYourselfCrypto](https://teachyourselfcrypto.com)
- [w3bs3c](https://www.w3bs3c.com/)
- [Awesome Web3 Security](https://github.com/Anugrahsr/Awesome-web3-Security)
- [Learn Blockchain, Solidity, and Full Stack Web3 Development with JavaScript](https://www.youtube.com/watch?v=gyMwXuJrbJQ)
- [Learn Blockchain, Solidity, and Full Stack Web3 Development with Python](https://www.youtube.com/watch?v=M576WGiDBdQ)

### Credits:

[**Auditor Mindmap by Razzorsec**](https://github.com/razzorsec/AuditorsRoadmap)