awesome-ethereum-security

A curated list of awesome Ethereum security references

Creative Commons Attribution 4.0 International (CC-BY-4.0)

Awesome Ethereum Security

A curated list of awesome Ethereum security references, guidance, tools, and more.

Contents

Learning

Development references

Security references

Insecurity references

Capture the Flag and Wargames

  • Capture the Ether - A Capture The Flag style set of exploitable contracts at varying levels of difficulty.
  • Ethernaut - A Capture The Flag style set of exploitable contracts at varying levels of difficulty.
  • EtherHack - A Capture The Flag style set of exploitable contracts at varying levels of difficulty.

Writeups

Coordinated disclosure

Blogs

  • Hacking Distributed - Emin Gün Sirer, a professor in Cornell Tech’s IC3 lab focused on blockchain security.
  • Phil Does Security - Phil Daian, the software engineer and grad student behind KEVM, Hydra, and other Ethereum academic projects
  • Trail of Bits - Cybersecurity R&D firm with a blockchain security practice
  • Martin Holst Swende - Martin Swende, programmer and appsec consultant

Conference talks

Podcasts and Episodes

Podcasts

Episodes

Tools

Visualization

  • ethereum-graph-debugger - A graphical EVM debugger. Displays the entire program control flow graph.
  • Slither - Slither can map method visibility and modifiers, state variables that are read and written, and calls, and can print an inheritance graph of smart contracts
  • Solgraph - Generates DOT graphs with function control flow of a Solidity contract
  • Surya - Generates various visual outputs of function call graphs
  • sol-function-profiler - Solidity contract function profiler

Linters

  • Remix - A browser-based Solidity IDE with linting features
  • Solhint - A linter for both security and style-guide validations. It strictly adheres to the Solidity Style Guide.
  • Solium - Another linter for both security and style-guide validations. Does not strictly adhere to the Solidity Style Guide.

Bug finding tools

  • Echidna - The only available fuzzer for Ethereum software. Uses property testing to generate malicious inputs that break smart contracts
  • Manticore - Symbolic execution tool for Ethereum smart contracts that includes detectors for common security flaws
  • Mythril - Security analysis tool for Ethereum smart contracts built around detector modules
  • Securify - Static analysis tools from ChainSecurity
  • Slither - Static analysis framework with detectors for many common Solidity issues. It has taint and value tracking capabilities and is written in Python.
  • MAIAN - Automatic tool for finding trace vulnerabilities in Ethereum smart contracts

Verification tools

  • KEVM - K Semantics of the Ethereum Virtual Machine (EVM)
  • Manticore - Symbolic execution tool for EVM

Reversing tools

  • Ethersplay - A visual disassembler for EVM bytecode built on Binary Ninja
  • ethereum-dasm - An EVM disassembler with static and dynamic analysis abilities, including function signature lookup
  • evm-lab - Utilities for interacting with the Ethereum virtual machine
  • IDA-EVM - An IDA plugin to view EVM instructions within IDA
  • PyEVMAsm - An EVM assembler and disassembler with a CLI and a Python API
  • Rattle - EVM binary static analysis framework. Produces SSA representations of EVM code.
  • abi-decompiler - Ethereum (EVM) smart contracts reverse engineering helper utility

Communities

Other Awesome Lists

Contributing

We welcome contributions that help curate this awesome list. Please refer to the contributing guidelines when submitting PRs. Thanks!