Awesome Ethereum Security

A curated list of awesome Ethereum security references, guidance, tools, and more.

Join Trail of Bits for a free Ethereum Office Hours session by reserving a slot on Calendly. An engineer from Trail of Bits will assist you in applying advanced security (tools)[#tools] and practices to your smart contract code.

Contents

• Learning
  • Security references
  • Insecurity references
  • Capture the Flag and Wargames
  • Writeups
  • Coordinated disclosure
  • Blogs
  • Notable blog posts
  • Conference talks
  • Podcasts and Episodes
  • Podcasts
  • Episodes
• Tools
  • Visualization
  • Linters
  • Bug finding tools
  • Verification tools
  • Reversing tools
• Communities
• Other Awesome Lists

Learning

Security references

• Comprehensive list of known attack vectors for Solidity
• Consensys Best Practices
• Decentralized Application Security Project
• Solidity Security Considerations
• Solidity v0.5.0 Breaking Changes

Insecurity references

• Awesome Buggy ERC20 Tokens
• EVM Analyzer Benchmark
• Not So Smart Contracts

Capture the Flag and Wargames

• Capture the Ether
• Ethernaut
• EtherHack
• SI Blockchain CTF

Writeups

• Hands on the Ethernaut CTF - Writeups for various Ethernaut CTF challenge contracts.
• Ethernaut - Naught Coin (ERC20) Exploitation - Writeup for a vulnerable ERC20 from the Ethernaut CTF.
• EtherHack CTF Writeup - Writeup for EtherHack CTF challenges.
• PolySwarm Smart Contract Hacking Challenge Writeup - Demonstrates advanced use of Manticore

Coordinated disclosure

• Blockchain Security Contacts - Security contact info for blockchain projects

Blogs

• Hacking Distributed - Emin Gün Sirer, professor in Cornell Tech’s IC3 lab focused on blockchain security.
• Phil Does Security - Phil Daian, grad student behind KEVM, Hydra, and other Ethereum academic projects
• Trail of Bits - Cybersecurity R&D firm with a blockchain security practice
• Martin Holst Swende - Martin Swende, programmer and appsec consultant
• SmartDec blog - Company blog about security issues and practices within blockchain ecosystem

Notable blog posts

• Contract upgrade anti-patterns
• How the winner got Fomo3D prize — A Detailed Explanation
• How to debug Solidity Smart Contracts with Tenderly and Truffle
• Lashing out at a Spank Channel
• Malicious GasToken Minting
• Missing return value bug in ERC20 tokens
• Not A Fair Game – Fairness Analysis of Dice2win
• Initial Formal Verification of Ethereum Casper Protocol
• Security considerations for Shamir's secret sharing
• SmartDec smart contract audit beginner's guide
• The Anatomy of a Block Stuffing Attack
• The phenomenon of smart contract honeypots
• Use our suite of Ethereum security tools
• Vertcoin (VTC) was successfully 51% attacked

Conference talks

| Title | Conference | Year | | --- | --- | --- | | Predicting Random Numbers in Ethereum Smart Contracts | OWASP AppSec | 2018 | | Blockchain Autopsies - Analyzing Smart Contract Deaths | Blackhat USA | 2018 | | Rattle - an EVM binary analysis framework | reCON | 2018 | | Blackhat Ethereum | CanSecWest | 2018 | | Smashing Ethereum Smart Contracts for Fun and Profit | HITB Amsterdam | 2018 | | Automatic Bug Finding for the Blockchain | EkoParty | 2017 |

Podcasts and Episodes

Podcasts

• CoinSec Podcast
• The Smartest Contract
• Zero Knowledge

Episodes

• The Smartest Contract #15 - Trail of Bits’ Outlook on Security w/ JP Smith
• The Smartest Contract #8 - Smart Contract Security and Honeypots w/ Gerhard Wagner
• Zero Knowledge #29 - The DAO, the White Hat Hacker Group & Giveth w/ Griff Green
• Zero Knowledge #16 - Talking security with JP Smith from Trail of Bits
• Risky Business #488 - JP Smith about all things blockchain

Tools

Visualization

• ethereum-graph-debugger - A graphical EVM debugger. Displays the entire program control flow graph.
• Slither - Slither can map method visibility and modifiers, state variables that are read and written, calls, and can print the inheritance graph of a smart contract
• Solgraph - Generates DOT graphs with function control flow of a solidity contract
• Surya - Generates various visual outputs of function call graphs
• sol-function-profiler - Solidity contract function profiler

Linters

• Remix - Browser-based Solidity IDE with linting features
• SmarrtCheck - A linter for Solidity and Vyper that checks code for security issues and bad practices.
• Solhint - Linter for both security and style-guide validations. It strictly adheres to the Solidity Style Guide.
• Solium - Linter for both security and style-guide validations. Does not strictly adhere to the Solidity Style Guide.

Bug finding tools

• Echidna - Fuzzer for Ethereum smart contracts. Uses property testing to generate malicious inputs that break smart contracts.
• Manticore - Symbolic execution tool for Ethereum smart contracts that includes detectors for common security flaws
• Mythril OSS - Open-source security analysis tool for Ethereum smart contracts built around detector modules
• Securify - Static analysis tool from ChainSecurity
• Slither - Static analysis framework, written in Python, with detectors for many common Solidity issues

Verification tools

• KEVM - K Semantics of the Ethereum Virtual Machine (EVM)
• Manticore - Symbolic execution tool for EVM

Reversing tools

• abi-decompiler - EVM reverse engineering helper utility
• ethereum-dasm - EVM disassembler with static and dynamic analysis abilities, including function signature lookup
• Ethersplay - Visual disassembler for EVM bytecode built on Binary Ninja
• evmlab - Utilities for interacting with the Ethereum virtual machine
• IDA-EVM - IDA plugin to view EVM instructions
• Panoramix
• pyevmasm - EVM assembler and disassembler with a CLI and a Python API
• Rattle - EVM binary static analysis framework. Produces SSA representations of EVM code.

Custody

• Subzero - Subzero is an HSM-backed method for cold storage of Bitcoin developed by Square

Communities

• Enterprise Ethereum Alliance Security Task Force
• Empire Hacking Slack #ethereum

Other Awesome Lists

• Awesome AppSec
• Awesome Ethereum Virtual Machine
• Awesome Solidity
• Crypto projects that might not suck

Contributing

We welcome contributions that help curate this awesome list. Please refer to the contributing guidelines when submitting PRs. Thanks!