rpavlovs/awesome-ethereum-security

A curated list of awesome Ethereum security references

Awesome Ethereum Security

A curated list of awesome Ethereum security references, guidance, tools, and more.

Contents

• Learning
  • Security references
  • Insecurity references
  • Capture the Flag and Wargames
    • Writeups
  • Coordinated disclosure
  • Blogs
  • Notable blog posts
  • Conference talks
  • Podcasts and Episodes
    • Podcasts
    • Episodes
• Tools
  • Visualization
  • Linters
  • Bug finding tools
  • Verification tools
  • Reversing tools
• Communities
• Other Awesome Lists

Learning

Security references

• SecurEth Development Guidelines
• Consensys Best Practices
• Solidity Security Considerations
• Comprehensive list of known attack vectors for Solidity
• Decentralized Application Security Project

Insecurity references

• Awesome Buggy ERC20 Tokens
• EVM Analyzer Benchmark
• Not So Smart Contracts

Capture the Flag and Wargames

• Capture the Ether
• Ethernaut
• EtherHack
• SI Blockchain CTF

Writeups

• Hands on the Ethernaut CTF - Writeups for various Ethernaut CTF challenge contracts.
• Ethernaut - Naught Coin (ERC20) Exploitation - Writeup for a vulnerable ERC20 from the Ethernaut CTF.
• EtherHack CTF Writeup - Writeup for EtherHack CTF challenges.
• PolySwarm Smart Contract Hacking Challenge Writeup - Demonstrates advanced use of Manticore

Coordinated disclosure

• Blockchain Security Contacts - Security contact info for blockchain projects

Blogs

• Hacking Distributed - Emin Gün Sirer, professor in Cornell Tech’s IC3 lab focused on blockchain security.
• Phil Does Security - Phil Daian, grad student behind KEVM, Hydra, and other Ethereum academic projects
• Trail of Bits - Cybersecurity R&D firm with a blockchain security practice
• Martin Holst Swende - Martin Swende, programmer and appsec consultant

Notable blog posts

• Contract upgrade anti-patterns
• How the winner got Fomo3D prize — A Detailed Explanation
• Missing return value bug in ERC20 tokens
• Not A Fair Game – Fairness Analysis of Dice2win
• The Anatomy of a Block Stuffing Attack
• The phenomenon of smart contract honeypots
• Use our suite of Ethereum security tools

Conference talks

Title	Conference	Year
Predicting Random Numbers in Ethereum Smart Contracts	OWASP AppSec	2018
Blockchain Autopsies - Analyzing Smart Contract Deaths	Blackhat USA	2018
Rattle - an EVM binary analysis framework	reCON	2018
Blackhat Ethereum	CanSecWest	2018
Smashing Ethereum Smart Contracts for Fun and Profit	HITB Amsterdam	2018
Automatic Bug Finding for the Blockchain	EkoParty	2017

Podcasts and Episodes

Podcasts

• CoinSec Podcast
• The Smartest Contract
• Zero Knowledge

Episodes

• The Smartest Contract #15 - Trail of Bits’ Outlook on Security w/ JP Smith
• The Smartest Contract #8 - Smart Contract Security and Honeypots w/ Gerhard Wagner
• Zero Knowledge #29 - The DAO, the White Hat Hacker Group & Giveth w/ Griff Green
• Zero Knowledge #16 - Talking security with JP Smith from Trail of Bits
• Risky Business #488 - JP Smith about all things blockchain

Tools

Visualization

• ethereum-graph-debugger - A graphical EVM debugger. Displays the entire program control flow graph.
• Slither - Slither can map method visibility and modifiers, state variables that are read and written, calls, and can print the inheritance graph of a smart contract
• Solgraph - Generates DOT graphs with function control flow of a solidity contract
• Surya - Generates various visual outputs of function call graphs
• sol-function-profiler - Solidity contract function profiler

Linters

• Remix - Browser-based Solidity IDE with linting features
• Solhint - Linter for both security and style-guide validations. It strictly adheres to the Solidity Style Guide.
• Solium - Linter for both security and style-guide validations. Does not strictly adhere to the Solidity Style Guide.

Bug finding tools

• Echidna - Fuzzer for Ethereum smart contracts. Uses property testing to generate malicious inputs that break smart contracts.
• Manticore - Symbolic execution tool for Ethereum smart contracts that includes detectors for common security flaws
• Mythril OSS - Open-source security analysis tool for Ethereum smart contracts built around detector modules
• Securify - Static analysis tool from ChainSecurity
• Slither - Static analysis framework, written in Python, with detectors for many common Solidity issues

Verification tools

• KEVM - K Semantics of the Ethereum Virtual Machine (EVM)
• Manticore - Symbolic execution tool for EVM

Reversing tools

• abi-decompiler - Ethereum (EVM) smart contracts reverse engineering helper utility
• ethereum-dasm - EVM disassembler with static and dynamic analysis abilities, including function signature lookup
• Ethersplay - Visual disassembler for EVM bytecode built on Binary Ninja
• evmlab - Utilities for interacting with the Ethereum virtual machine
• IDA-EVM - IDA plugin to view EVM instructions
• pyevmasm - EVM assembler and disassembler with a CLI and a Python API
• Rattle - EVM binary static analysis framework. Produces SSA representations of EVM code.

Communities

• Ethereum Security Events Calendar
• ETHSecurity
• Enterprise Ethereum Alliance Security Task Force
• Empire Hacking Slack #ethereum

Other Awesome Lists

• Awesome AppSec
• Awesome Ethereum Virtual Machine
• Awesome Solidity
• Crypto projects that might not suck

Contributing

We welcome contributions that help curate this awesome list. Please refer to the contributing guidelines when submitting PRs. Thanks!