timezone |
---|
Asia/Shanghai |
- Self-introduction
A web3 sailor who wants to explore the fun of Solidity.
- Do you think you will complete this brutal learning program?
The moment I made up my mind to start, I had already completed it.
I will enjoy this Solidity learning journey, going through it step by step as a fresher. It’s a chance to dive deeper into the blockchain world, which lights me up so much. I wish I could learn and understand not only the syntax, but also the big picture and the actual underlying concepts of how to program.
This Solidity learning undertaking is divided into three steps in accordance with my goal in this 21-day journey:
Step1: Initiation 5 days
- Going through overall 50 chapters and complete every test with a score of 100.
- Drawing at least four mind maps of the Solidity Tutorials.
- Marking difficulties and doubts of the tutorial details.

Step2: Orientation 14 days
- Summarizing and generalizing the learning difficulties in Step1.
- Categorizing issues and details into different themes to learn.
- Learning the difficulties in a Q&A way (answer at least two questions every day).

Step3: Summary 2 days
- Checking and filling the gaps in Step2.
- Figuring out all the test questions of WTF Academy.
- Mapping my own questions into a mind map.

- Finish looking through 15 chapters of Solidity 101 and complete the text.
- Drawn the mindmap of Solidity 101.
3.Difficulties
Solidity is my first programming language, so the biggest challenge for me is the lack of a programming mind. Without exaggeration, three steps one bug... Some sentences I couldn’t understand clearly even after I had read them more than 10 times.
What's even sadder is that, although it took me a long time to learn today, I have forgotten most of the details in the tutorials now. Thankfully, it doesn’t matter, I was ready for this situation. What really matters is what I could learn in this process.
It’s exactly a challenge for me because I’m not only unfamiliar with Solidity, but also have little experience in writing English articles. However, I appreciate one sentence recently: If there are two ways to grow you can choose, always choose the one that’s harder, that's the direct way to get over it.
This training camp can force me to take on Solidity and English writing tasks and face them directly, and it’s also a good opportunity to observe my own solutions and mindset in the face of difficulties and fears. Though I wanted to quit many times today, I'm sticking with it. It's a good beginning.
- Looking through 15 chapters of Solidity 102 and complete the text.
3.Difficulties
Yesterday's difficulty has disappeared, because I met a bigger difficulty today. Life is so fantastic. hhh
But I love and enjoy this feeling now. I have to concentrate on it and challenge myself in a short time.
In the long term, the current temporary difficulty may not be a bad thing, it's beneficial for the future.
And after learning for two days, I have a clearer goal for this 21-day Solidity Learning Journey:
Maybe I can be a translator in an open source program first (if there is one) after I master English terms in coding.
Entering the blockchain world needs sustained effort. “Go the extra mile”: it really, really is just a beginning.
1.Looking through 7 chapters of Solidity 103 and complete the text.
3.Difficulties
Why did I never mark specific questions in the tutorial details?
Exactly “questions mountain questions sea” hhh
This is my first time learning coding deeply, so it’s reasonable to meet various questions.
I need to keep calm and find the interest that attracts me when I look through the tutorial.
I find that many function names are so casual and direct. It’s my fun today. Yahoo~ ~
1.Looking through 7 chapters of Solidity 103 and complete the text.
3.Difficulties
On account of the more complicated chapters in Solidity 103, there are more definitions at the front of the articles.
So in Step2, it is essential to figure out the definitions with my own explanations,
which is useful for understanding the definitions themselves deeply and for practicing English coding terminology.
Fortunately, the structure of a single article is clearer and more concise,
most of them are composed of definitions, events, state variables, and functions, which have elaborate descriptions in 101 and 102.
Learning them together can promote the understanding of the framework and also of the differences and connections between them.
- Looking through 7 chapters of Solidity 103 and complete the text.
- Difficulties
On the fifth learning day, the last day of Step1, we have learned all 50 chapters overall.
However, it’s just a new beginning for Step2, there is still lots of room for development.
We need more time and space to improve coding and English terminology skills.
Fortunately, the second part can be modularized according to the relationship between chapters in the tutorials,
which is not only more convenient for memory and understanding, but also more convenient for logical sorting.
Just like:
45 Time lock —— 22 Call
46 Proxy Contract —— 22 Call —— 23 Delegatecall —— Lesson 27: ABI encoding
47 Upgradeable Contract —— 46 Proxy Contract
48 Transparent Proxy ——29 Function Selectors
49 UUPS —— 23 Delegatecall
50 Multisignature Wallet —— 27 ABI encoding
Where is the bug of this picture in coding Hello Web3 ?
Though it said there are some bugs here, I believe that "Code is law".
A bug is just a bug, it will not exist forever, be relaxed.
If the bug is fixed today, it will only affect yesterday.
I believe very strongly that someday web3 will change the world.
At that time, I will smile and say "hello web3", welcome to our world.
This answer will be written again later after this bug has been fixed. The easiest coding may not be so easy. When I copied the tutorial's example, it was correct. When I wrote it by myself, it said there were errors, but I couldn't see any difference between them.
Q2: How Does Solidity Work?
- Public and Private Functions: In Solidity, functions are the building blocks of smart contracts. Some functions can be accessed from outside the contract (public), while others are only available within the contract (private).
- Standard and Code Logic: Solidity follows a set of rules and logic similar to other programming languages. The behavior of a smart contract is determined by the functions and conditions defined in the code.
- Immutability: Once deployed on the Ethereum blockchain, a smart contract becomes immutable, meaning its code and behavior cannot be changed. This ensures the contract’s transparency and security, as participants can trust that the contract will always function as intended.
- Gas Costs: When interacting with smart contracts on Ethereum, users must pay for the computational power used during the execution of functions. This payment is done using “gas.” Each operation within the contract consumes a specific amount of gas and users need to provide enough gas to complete the transaction.
- Data Types: Solidity has different types of data that can be used, such as numbers, addresses, true/false values, text, arrays, and more.
- Control Structures: Solidity provides tools to control how the program behaves, such as conditional statements (if-else), loops (for, while), and switches.
- Modifiers: Modifiers are like rules that we can apply to functions. They allow us to add extra checks or behaviors to functions.
- Events: Events allow contracts to communicate with external applications. They are like messages that can be logged on the blockchain and listened to by other programs.
Q1: If you want to be a solidity security auditor, what aspects do their safety reports include?
A well-structured security audit report enables readers to grasp the key findings and recommendations quickly. Consider incorporating the following components to achieve a clear, concise, and informative report:
Executive Summary: Provide a high-level overview of the audit’s objectives, scope, methodology, and main findings, catering to non-technical decision-makers.
Detailed Findings: Present an in-depth analysis of specific vulnerabilities, risks, and security issues identified during the audit.
Risk Assessment: Quantify and prioritize the risks associated with each finding, helping stakeholders focus on the most significant areas.
Recommendations: Offer actionable insights and remediation strategies tailored to the organization’s needs, resources, and goals.
Conclusion: Summarize key takeaways and emphasize the value of addressing the identified risks and implementing the proposed recommendations.
Q2: If you want to be a solidity security auditor, to what extent should you learn solidity?
There are so many details about Solidity in security audit reports, just like:
- Hardcoded Address:
contracts/ComptrollerG4.sol [1379, 1433] The contract contains an unknown address. This address might be used for some malicious activity. Please check the hardcoded address and its usage.
Recommendation: It is required to check the address. Also, it is required to check the code of the called contract for vulnerabilities.
- Multiplication after division
Solidity operates only with integers. Thus, if the division is done before the multiplication, the rounding errors can increase dramatically.
● contracts/DAIInterestRateModelV3.sol [line: 83-86]
● contracts/DAIInterestRateModelV3.sol [line: 94-94]
Recommendation: Multiplication before division may increase the rounding precision.
- Locked money
● contracts/Unitroller.sol [Line 10-148] Contracts programmed to receive ether should implement a way to withdraw it, i.e., call transfer (recommended), send, or call.value at least once.
Recommendation: Implement a withdraw function or reject payments (contracts without a fallback function do it automatically).
- msg.value == 0 check
● contracts/CErc20Delegator.sol [Line: 453-453] The msg.value == 0 condition check is meaningless in most cases.
Recommendation: Avoid meaningless checks
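
The "Multiplication after division" and "Locked money" findings above, shown together in one small contract. This is an added example, not code from the audited contracts or from the quoted report; `FeeVault`, its functions and the basis-point fee model are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity 0.8.20;

/// Added illustration: hypothetical vault that takes a fee on deposits.
contract FeeVault {
    uint256 private constant BPS = 10_000; // basis-point denominator (assumption)
    uint256 public immutable feeBps;       // fee in basis points, set at deployment
    address public immutable owner;

    mapping(address => uint256) public credit; // ether owed to each depositor
    uint256 public collectedFees;               // ether owed to the owner

    constructor(uint256 feeBps_) {
        require(feeBps_ <= BPS, "fee too high");
        feeBps = feeBps_;
        owner = msg.sender;
    }

    /// Divide first (the pattern the finding flags): amount / BPS truncates
    /// before the rate is applied, so every amount below BPS wei yields no
    /// fee and the remainder of larger amounts is dropped before scaling.
    function feeDivideFirst(uint256 amount) public view returns (uint256) {
        return (amount / BPS) * feeBps;
    }

    /// Multiply first: a single truncation at the very end. With checked
    /// arithmetic (0.8+), an oversized product reverts instead of wrapping.
    function feeMultiplyFirst(uint256 amount) public view returns (uint256) {
        return (amount * feeBps) / BPS;
    }

    /// The contract accepts ether, so it must also offer a way out of it.
    receive() external payable {
        uint256 fee = feeMultiplyFirst(msg.value);
        collectedFees += fee;
        credit[msg.sender] += msg.value - fee;
    }

    /// Withdrawal path for depositors: without it, deposits would be locked.
    function withdraw(uint256 amount) external {
        require(credit[msg.sender] >= amount, "insufficient credit");
        credit[msg.sender] -= amount; // update state before the external call
        (bool ok, ) = payable(msg.sender).call{value: amount}("");
        require(ok, "transfer failed");
    }

    /// Withdrawal path for the fee share.
    function withdrawFees() external {
        require(msg.sender == owner, "not owner");
        uint256 amount = collectedFees;
        collectedFees = 0;
        (bool ok, ) = payable(owner).call{value: amount}("");
        require(ok, "transfer failed");
    }
}
```

Comparing `feeDivideFirst` and `feeMultiplyFirst` on small deposits in a test harness makes the rounding loss visible; the withdraw functions are what an auditor looks for before accepting a `payable` entry point.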
Q1: If you want to be a solidity security auditor, to what extent should you learn solidity(2.0)?
There are so many details about Solidity in security audit reports, just like:
5.Unsafe array's length manipulation
● contracts/ComptrollerG4.sol [Line: 220-220]
● contracts/Comptroller.sol [Line: 226-226 ]
● contracts/ComptrollerG2.sol [Line: 220-220 ]
● contracts/ComptrollerG3.sol [Line: 220-220 ]
● contracts/ComptrollerG1.sol [Line: 224-224 ]
The length of the dynamic array is changed directly. In this case, the appearance of gigantic arrays is possible and it can lead to a storage overlap attack (collisions with other data in storage).
Recommendation: If possible, avoid changing the length of the dynamic array directly.
● Use uint[] storage arrayName = new uint to create a dynamic array of the desired length.
● Use delete arrayName to clear a dynamic array.
● Use .push() (instead of .length++) to write to the end of the dynamic array.
● Starting with version 0.5.0 of the Solidity compiler, use .pop() (instead of .length--) to delete the last element of the dynamic array.
6.Using approve function of the ERC-20 token standard
The approve function of ERC-20 is vulnerable. Using a front-running attack, one can spend approved tokens before the change of allowance value.
● contracts/CErc20Delegator.sol [line: 183-186]
● contracts/CToken.sol [line: 158-163]
Recommendation: Only use the approve function of the ERC-20 standard to change the allowed amount to 0 or from 0 (wait till transaction is mined and approved).
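
One way to enforce the recommendation above inside the token itself, so that an allowance can only move to 0 or from 0. This is an added example, not code from the audited contracts; `GuardedAllowanceToken` is a hypothetical, deliberately minimal token that shows only the allowance logic and is not a complete ERC-20 implementation.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity 0.8.20;

/// Added illustration: hypothetical token with a guarded approve().
contract GuardedAllowanceToken {
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;

    event Transfer(address indexed from, address indexed to, uint256 value);
    event Approval(address indexed owner, address indexed spender, uint256 value);

    constructor(uint256 initialSupply) {
        balanceOf[msg.sender] = initialSupply;
        emit Transfer(address(0), msg.sender, initialSupply);
    }

    /// Allowed transitions: 0 -> value and value -> 0.
    /// A direct change from one nonzero allowance to another is rejected,
    /// because the spender could use the old allowance before the change
    /// is mined and the new allowance afterwards.
    function approve(address spender, uint256 value) external returns (bool) {
        require(
            value == 0 || allowance[msg.sender][spender] == 0,
            "reset allowance to 0 first"
        );
        allowance[msg.sender][spender] = value;
        emit Approval(msg.sender, spender, value);
        return true;
    }

    /// Spending reduces the allowance, so the owner can see what was used
    /// before granting a new amount.
    function transferFrom(address from, address to, uint256 value)
        external
        returns (bool)
    {
        uint256 allowed = allowance[from][msg.sender];
        require(allowed >= value, "allowance exceeded");
        require(balanceOf[from] >= value, "balance too low");

        allowance[from][msg.sender] = allowed - value;
        balanceOf[from] -= value;
        balanceOf[to] += value;
        emit Transfer(from, to, value);
        return true;
    }
}
```

With this guard the owner sends two transactions to change an allowance: one to reset it to 0, and, once that is mined and the amount already spent has been checked, one to set the new value.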
7.Extra gas consumption
State variable, .balance, or .length of non-memory array is used in the condition of for or while loop. In this case, every iteration of loop consumes extra gas.
● contracts/Governance/GovernorAlpha.sol [line: 210-212, 180-182, 196,198]
● contracts/ComptrollerG4.sol [line: 1018-1020]
● contracts/Lens/CompoundLens.sol [line: 230-253, 301-306,]
● contracts/Comptroller.sol [Line: 1034-1036]
Recommendation: If a state variable, .balance, or .length is used several times, holding its value in a local variable is more gas efficient. If .length of calldata-array is placed into a local variable, the optimisation will be less significant.
8.Overpowered role
● contracts/SimplePriceOracle.sol [Line: 44-47, 25-42]
This function is callable only from one address. Therefore, the system depends heavily on this address. In this case, there are scenarios that may lead to undesirable consequences for investors, e.g. if the private key of this address becomes compromised.
Recommendation: We recommend designing contracts in a trustless manner. For instance, this functionality can be implemented in the contract's constructor. Another option is to use a MultiSig wallet at this address.
9.Compiler version not fixed
Solidity source files indicate the versions of the compiler they can be compiled with.
```solidity
pragma solidity ^0.4.17; // bad: compiles with 0.4.17 and above
pragma solidity 0.4.24; // good: compiles with 0.4.24 only
```
It is recommended to follow the latter example, as future compiler versions may handle certain language constructions in a way the developer did not foresee.
Recommendation: Specify the exact compiler version (pragma solidity x.y.z;).
Q2: What is the purpose of security audit ?
The focus of the audit is to verify whether the smart contract is secure, resilient, and working properly according to the specs. The audit activity can be grouped in three categories.
- Security: Identifying the security-related issues within each contract and system of contracts.
- Sound architecture: Evaluating the architecture of a system through the lens of established smart contract best practice and general software practice.
- Code correctness and quality: A full review of contract source code. The primary areas of focus include:
● Correctness.
● Sections of code with high complexity.
● Readability.
● Quantity and quality of test coverage.
Q1:How To Write A Good Audit Report(1.0)?
1.Introduction:
This section sets the stage for the audit report. Introduce the auditing team, including their credentials and expertise. Emphasize the importance of the audit process and its role in enhancing the security of smart contracts. Clearly state the purpose of the audit and the methodologies employed in the analysis.
2.Project Description:
Provide a comprehensive overview of the project being audited. Detail the audit methodology, outlining the techniques and tools used during the evaluation. Specify the type of smart contracts that were audited, the programming language they are written in, and their ecosystem. Include information such as the project repository link, GitHub commit hash, documentation sources, unit testing details, project website, and audit submission and completion dates.
3.Contracts In Scope:
Define the scope of the audit by listing the smart contracts that were audited.
4.Executive Summary:
Write a concise summary of the audit process, including details about the evaluation criteria, audit dates, and the auditors involved. Provide an overview of the vulnerabilities discovered, categorizing them based on severity levels. Highlight the number of issues found, resolved, and acknowledged during the audit.
5.Severity Definitions:
Define the severity levels used in the report and explain clearly what each level signifies, making it easier for readers to comprehend the implications of identified vulnerabilities.
Q2: How To Write A Good Audit Report(2.0)?
6.Audit Overview:
This section should include a security score that captures the overall security posture of the smart contracts. Evaluate the code and documentation quality, summarizing the strengths and weaknesses observed during the analysis. It should also provide a high-level view of the security status, serving as a quick reference point for the readers.
7.Audit Findings:
Dive deep into the vulnerabilities and issues identified during the audit. Provide a detailed account of each vulnerability, explaining its nature, potential impact, and the steps required to reproduce it. Categorize the vulnerabilities based on severity levels, emphasizing critical issues requiring immediate attention. Use code snippets and examples to illustrate the vulnerabilities, enhancing the clarity of your explanations.
8.Recommendations:
For each identified vulnerability, offer clear and actionable recommendations for resolution or mitigation. Detail the steps that developers should take to address the issues effectively. Provide code snippets, if applicable, and best practices that can be employed to improve the security of the smart contracts. Ensure the recommendations are practical, feasible, and tailored to the project's context.
9.Disclaimer:
In this section, include a disclaimer outlining the limitations of the audit and the scope of the auditing team's responsibilities. While the audit aims to enhance security, it cannot guarantee absolute immunity from all potential threats. Highlight the collaborative nature of security, emphasizing the importance of continuous vigilance and proactive measures from the development team.
10.In Conclusion
Effective documentation, comments, and reporting are essential for smart contracts. They help developers understand and verify contract functions, facilitate auditing and debugging, and allow stakeholders to monitor performance, fostering trust and accountability in the blockchain ecosystem. This is why smart contract audits, bug bounties, and reviews are crucial in every stage of development. They increase the number of eyes scouting for vulnerabilities and decrease the chance of critical vulnerabilities slipping through. Stay safe.
Q1: What is Solidity?
Solidity is an object-oriented, high-level language for implementing smart contracts. Smart contracts are programs that govern the behavior of accounts within the Ethereum state.
Solidity is a curly-bracket language designed to target the Ethereum Virtual Machine (EVM). It is influenced by C++, Python, and JavaScript. You can find more details about which languages Solidity has been inspired by in the language influences section.
Solidity is statically typed, supports inheritance, libraries, and complex user-defined types, among other features. With Solidity, you can create contracts for uses such as voting, crowdfunding, blind auctions, and multi-signature wallets.
When deploying contracts, you should use the latest released version of Solidity. Apart from exceptional cases, only the latest version receives security fixes. Furthermore, breaking changes, as well as new features, are introduced regularly. We currently use a 0.y.z version number to indicate this fast pace of change.
Q2: What means the Ethereum Virtual Machine?
The Ethereum Virtual Machine
Overview
The Ethereum Virtual Machine or EVM is the runtime environment for smart contracts in Ethereum. It is not only sandboxed but actually completely isolated, which means that code running inside the EVM has no access to network, filesystem or other processes. Smart contracts even have limited access to other smart contracts.
Accounts
There are two kinds of accounts in Ethereum which share the same address space: External accounts that are controlled by public-private key pairs (i.e. humans) and contract accounts which are controlled by the code stored together with the account. The address of an external account is determined from the public key while the address of a contract is determined at the time the contract is created (it is derived from the creator address and the number of transactions sent from that address, the so-called “nonce”).
Regardless of whether or not the account stores code, the two types are treated equally by the EVM.
Every account has a persistent key-value store mapping 256-bit words to 256-bit words called storage.
Furthermore, every account has a balance in Ether (in “Wei” to be exact, 1 ether is 10**18 wei) which can be modified by sending transactions that include Ether.
Transactions
A transaction is a message that is sent from one account to another account (which might be the same or empty, see below). It can include binary data (which is called “payload”) and Ether.
If the target account contains code, that code is executed and the payload is provided as input data.
If the target account is not set (the transaction does not have a recipient or the recipient is set to null), the transaction creates a new contract. As already mentioned, the address of that contract is not the zero address but an address derived from the sender and its number of transactions sent (the “nonce”). The payload of such a contract creation transaction is taken to be EVM bytecode and executed. The output data of this execution is permanently stored as the code of the contract. This means that in order to create a contract, you do not send the actual code of the contract, but in fact code that returns that code when executed.
Gas
Upon creation, each transaction is charged with a certain amount of gas that has to be paid for by the originator of the transaction (tx.origin). While the EVM executes the transaction, the gas is gradually depleted according to specific rules. If the gas is used up at any point (i.e. it would be negative), an out-of-gas exception is triggered, which ends execution and reverts all modifications made to the state in the current call frame. This mechanism incentivizes economical use of EVM execution time and also compensates EVM executors (i.e. miners / stakers) for their work. Since each block has a maximum amount of gas, it also limits the amount of work needed to validate a block.
The gas price is a value set by the originator of the transaction, who has to pay gas_price * gas up front to the EVM executor. If some gas is left after execution, it is refunded to the transaction originator. In case of an exception that reverts changes, already used up gas is not refunded.
Since EVM executors can choose to include a transaction or not, transaction senders cannot abuse the system by setting a low gas price.
Try to understand the contracts in OpenZeppelin, the first one is ERC20,
Most of the code is still incomprehensible, but it doesn't matter.
It's also interesting to feel further joy now.
Lines of code are like colorful elves dancing. hhh
Q1:
Q2:
Q1:
Q2:
I'm a little busy during the National Day holiday,
but I don't want to miss the daily check-in,
and I will start to make up my study records.