Welcome to the Solidity Security and Auditing Examples repository! This collection contains a variety of practical examples and exercises that I use during my lectures on Solidity security and auditing. These resources are tailored for students who possess a 🌱 beginner 🌱 level of practical knowledge in the Solidity language and smart contract development. If you're ready to take the next step and delve into the realm of security, you're in the right place.
This repository is organized into the following sections:
This section contains extremely simplified contracts, almost like code snippets, that highlight individual security issues. It's an excellent starting point for your journey. Read about each of the issues, and then dive into the code to identify the bugs. You can even challenge yourself by crafting your own Proof of Concept (PoC) solutions.
In the "Exercises" section, you'll find slightly more advanced contracts with some structure to them. While most of the code has been stripped out, these exercises keep the shape of real smart contracts. They're designed to give you a taste of what real-world contracts look like and set you on your bug-hunting path.
Here, you'll discover a complete protocol comprising multiple contracts that interact with one another. Unlike a traditional Capture The Flag (CTF) approach, this environment mirrors a fully functional real-world protocol that is seeking your audit. While many vulnerabilities follow basic patterns, this environment offers you the chance to mimic the audit of a larger codebase, compared to the exercises in the previous section.
Some of the code snippets may draw heavily from open-source resources. If you believe you deserve credit for any of these snippets, my sincere apologies. Please reach out to me so I can properly acknowledge you by adding your name and GitHub details to the relevant section.
In September 2023 the NICS Lab research group from the University of Malaga agreed to help improve this repository as part of their open-source collaboration efforts, in particular by producing new versions of the Faillapop mock-audit environment, both improving the initial codebase and extending its features.
> [!IMPORTANT]
> Special thanks to Marco Lopez (TW, LD), who took on this workload as part of his dissertation, and to NICS Lab researcher Isaac Agudo, who supported and pushed for the initiative to come to success.
I encourage you to make the most of this material. If you find it useful, feel free to share by linking to this repository. Your feedback is invaluable! If you have suggestions, corrections, or would like to contribute in any way, please don't hesitate to reach out:
- Telegram: @jcr_auditor
- Email: jc@jcsec.io
Thank you for exploring this repository, and happy bug hunting!