Learn web3 / smart-contract Hacking in 2023 step by step guide
If you are a beginner in web3 security space and want to learn from start. Then I have compiled a step by step guide for 2023 version :-
First start with Blockchain Basics, Blockchain is different than traditional web2 so before starting to learn security and hacking of smart contract, give sufficient time to learn about all those basics needed to become Blockchain developer.
Blockchain Basics
Ethereum : the world computer and Solidity : the language of web3
- Mastering Ethereum by Andreas Antonopoulos and Dr. Gavin Woods : https://github.com/ethereumbook/ethereumbook
- Learn Blockchain, Solidity, and Full Stack Web3 Development with JavaScript By Patrick Collins : https://www.youtube.com/watch?v=gyMwXuJrbJQ
- Harvard’s CS50 : https://cs50.harvard.edu/x/2021/
Harvard’s CS50 you must look if you are totally new to computer technology and programming.
- Interactive school that teaches you all things technical about blockchains : https://cryptozombies.io/
- Learn Smart Contracts by actually writing one : https://buildspace.so/builds/solidity
- At last Just Read like a story: https://docs.soliditylang.org/
Reading like a story of solidity-lang documentation will give you better idea and mindset than most of other smart contract hackers out there, so that when in need you can come back and check the reference.
Learn to Hack or Secure : depends upon you
- Smart contract weakness classification: SWC Registry : https://swcregistry.io/
- ETH smart contract Best Practices: https://consensys.github.io/smart-contract-best-practices/
CTFs : Now its time for some hands-on-practice on below CTFs which will let you dive into the real smart contract hacking world. Use both mind while solving fast and slow; both has its own benefits and outcomes.
- Ethernaut : https://ethernaut.openzeppelin.com/
- capture the ether : https://capturetheether.com/
- damn vulnerable defi : https://damnvulnerabledefi.xyz/
- paradigm ctf : ctf.paradigm.xyz
Web3 News Updates
Subscribe to these news updates channels and get yourself updated with latest hacks and updates in Blockchain world. It will help you to get ahead in smart contract security field.
- Immunefi Medium: https://medium.com/immunefi
- Rekt : https://rekt.news/
- Secureum: https://secureum.substack.com/
- BlockchainThreat : https://newsletter.blockthreat.io/
- Week In The Ethereum News : https://weekinethereumnews.com/
- Tincho’s articles : https://www.notonlyowner.com/articles
- samczsun : https://samczsun.com/research/
- noxx : https://noxx.substack.com/
- Faith’s : https://faith2dxy.xyz/
- DeFiHackLabs’s : https://defihacklabs.substack.com/
- Cygaar : https://cygaar.substack.com/
Tools for hunting
Framework/ programming tools : Practice these tools, everyone has some favorite arsenel, unless you try all, you don’t know which will become your tool for success. Every tool has its own cons and pros , hence if you have practiced with these all tools, you will know during competetion which to be used when.
- Hardhat : https://hardhat.org/
- Truffle : https://trufflesuite.com/
- Foundry : https://book.getfoundry.sh/
- Brownie : https://github.com/eth-brownie/brownie
- Tenderly : https://tenderly.co/
Automation tools
Manual testing is better but who says automation tool is not good, know below tools and use it in time of need to get ahead of others and to focus on some of the important code reviews while automated tools help you find where to focus more next.
- Seth: https://github.com/dapphub/dapptools/tree/master/src/seth
- Mythril: https://github.com/ConsenSys/mythril
- Surya : https://github.com/ConsenSys/surya
- DappTools: https://github.com/dapphub/dapptools
After Finishing all of the above , start with code4rena and then immunefi. practice enough with other audit reports and past attacks simulation.
Web3 bug hunting platform
- Code4rena : https://code4rena.com/
- Immunefi : https://immunefi.com/
- hackenproof : https://hackenproof.com/
Follow me on Twitter: https://twitter.com/BgxDoc