其他
干货 | 如何成为一名智能合约审计安全研究员,学习路线和必备网站
了解和学习智能合约黑客
http://capturetheether.com/http://ethernaut.openzeppelin.com/http://cryptozombies.io/http://dappuniversity.com/https://damnvulnerabledefi.xyz/http://github.com/blockthreat/blocksec-ctfshttp://w3bs3c.com/abouthttps://useweb3.xyz/code-challengeshttp://speedrunethereum.com/https://based.builders/https://eth.build/http://github.com/fvictorio/evm-puzzleshttp://github.com/daltyboy11/more-evm-puzzleshttps://cryptohack.org/https://etherhack.positive.com/https://blockchain-ctf.securityinnovation.com/#/https://ciphershastra.com/https://www.defihack.xyz/https://github.com/blockthreat/blocksec-ctfs跟随大师
http://telegra.ph/Pel-Ada-Del-Astra-Smart-Contract-Auditor-Pathway-05-07http://telegra.ph/All-known-smart-contract-side-and-user-side-attacks-and-vulnerabilities-in-Web30--DeFi-03-31https://gitcoin.co/grants/3150/defi-web3-developer-roadmaphttp://start.me/p/QRg5ad/officerciahttps://t.me/officer_cia/269https://telegra.ph/Crypto-Telegram-Channels--Chats-04-19DeFi 路线图
https://github.com/OffcierCia/DeFi-Developer-Road-Map/blob/main/translations/README_cn.md实践操作
使用我的特别纲要中的几乎所有内容https://telegra.ph/All-known-smart-contract-side-and-user-side-attacks-and-vulnerabilities-in-Web30--DeFi-03-31和https://telegra.ph/Solidity-Catsheets-Pack-03-20研究https://quillaudits.substack.com/p/openseas-official-discord-compromised和http://rekt.news/另外,您需要研究审计清单:http://t.me/officer_cia/177这些课程http://twitter.com/0xBlasco/status/1500455598684618753 区块链安全框架https://t.me/officer_cia/232Tokenomics 模拟工具http://t.me/officer_cia/69并了解它(资源)https://t.me/officer_cia/89speedrunethereum.com 或https://cryptozombies.io/,捕获以太或http://ethernaut.openzeppelin.com/仔细研究https://github.com/Rari-Capital/solcurity 和 https://cmichel.io/how-to-become-a-smart-contract-auditor和https://pentacle.xyz/projects/security项目的内部安全
https://docs.google.com/document/d/1-_0Wlwch_vtkPM4F-SdEXLjQYaYT7KoPlU2rjt7tkLQ/edit视频
https://youtu.be/gyMwXuJrbJQ学习主动防御技术
https://smartcontractresearch.org/t/mitigations-against-flash-loan-enabled-attacks/615和https://arxiv.org/abs/2003.03810https://smartcontractresearch.org/t/from-zapper-post-mortem-to-using-front-run-in-project-defense-theory-post/545Tenderly.co警报 - https://officercia.medium.com/tenderly-app-a-swiss-pocketknife-for-the-web3-developer-89bb904bee46https://github.com/pr0toshi/rateLimithttps://github.com/Rari-Capital/solcurity研究https://medium.com/immunefi/hacking-the-blockchain-an-ultimate-guide-4f34b33c6e8b和https://wufflz.notion.site/Blockchain-security-guide-b26aec3d920e414d8a354618d3e36eb4https://link.medium.com/NBANM4gOirb你也可以研究https://github.com/0xsanny/solsec所有审计/安全工具- https://telegra.ph/ETHSec-Tools-02-13,github.com/nascentxyz/simple-security-toolkit在此处查看资源https://t.me/cryptooffensiveOpSec原则- https://graph.org/Key-principles-of-storing-crypto-cold-wallet-attacks-defense-methods-best-practices--Bonus-04-23 github.com/undergroundwires/privacy.sexy,web.archive .org/web/20220302223645/https://anonymousplanet.org/guide.html密码取证/研究:https://t.me/officer_cia/236 mirror.xyz/officercia.eth/BFzv17UwH6QG4q711NAljtSiP8eKR17daLjTdmAgbHw所有 TX 分析工具列表https://graph.org/TX-Analysis-tools-04-19蜜罐检测工具https://graph.org/A-Short-List-of-the-Rug-Checker-Tools-04-09Web2 和 Web3 中存在的错误和漏洞 - https://www.theseus.fi/bitstream/handle/10024/170724/Aboualy_Mahmoud_bachelor_thesis.pdf关于 MEV - https://t.me/officer_cia/146请务必研究https://defieducation.substack.com/p/how-to-read-smart-contracts-part?s=r和blog.trustlook.com/understand-evm-bytecode-part-1/以及这些网站的所有帖子作者https://start.me/p/QRg5ad/officercia - 仔细阅读我的 Awesome Blogs 部分和 Sec 部分(在右侧,就在 defi 地图树下方)https://telegra.ph/Article-08-08 - 前端安全NFT https://telegra.ph/NFT-security-01-28探索黑客案例https://newsletter.blockthreat.io研究https://github.com/emilianobonassi/security-toolkit和https://www.smartcontractresearch.org/t/research-summary-a-systematic-literature-review-of-blockchain-cyber-security/1299攻击向量 - https://github.com/sirhashalot/SCV-Listhttps://github.com/KadenZipfel/smart-contract-attack-vectors swcregistry.io研究框架https://secure.github.io/SCSVS/SCSVS_v1.1.pdf和https://github.com/securing/SCSVS阅读 Mudit Gupta、Immunefi 和 BlockSec 团队在 Medium 上发表的帖子,以及https://twitter.com/officer_cia/status/1519371437068505089所有 4 个主题,https://arxiv.org /pdf/2106.10740.pdf和https://arxiv.org/pdf/2109.06836.pdf使用FoundryDefi黑客事件https://github.com/SunWeb3Sec/DeFiHackLabs再看看
https://cmichel.io/how-to-become-a-smart-contract-auditorhttps://devansh.xyz/blockchain-security/2021/09/17/genesis-0x01.htmlhttps://www.notonlyowner.com/learn/intro-security-hacking-smart-contracts-ethereumhttps://theauditorbook.com/再次练习
威胁建模
https://arxiv.org/pdf/2106.10740.pdf用户端攻击
https://arxiv.org/pdf/2109.06836.pdf 元宇宙安全
https://arxiv.org/pdf/2203.02662.pdfSolidity 中的错误
https://github.com/xf97/JiuZhou 另请查看:https://github.com/sigp/solidity-security-blog & graph.org/Solidity-Cheatsheets-Pack-03-20DApp 前端安全。
https://blog.embarklabs.io/news/2020/01/30/dapp-frontend-security/index.html 从 Web 应用程序中学习最佳实践以避免分散应用程序中的类似安全漏洞。
https://www.theseus.fi/bitstream/handle/10024/170724/Aboualy_Mahmoud_bachelor_thesis.pdf https://arxiv.org/pdf/2106.09349.pdf关于 Oracle 攻击的更多信息
https://twitter.com/officer_cia/status/1422785502634196996 & https://twitter.com/officer_cia/status/1409537800022659074 UniV2 Oracle 攻击模拟器
https://blog.euler.finance/uniswap-oracle-attack-simulator-42d18adf65af?gi=8ad59382eefb 安全最小可行计划
https://docs.google.com/document/d/1-_0Wlwch_vtkPM4F-SdEXLjQYaYT7KoPlU2rjt7tkLQ/edit奖金
所有已知的智能合约攻击向量
https://github.com/KadenZipfel/smart-contract-attack-vectors NFT 安全
https://graph.org/NFT-security-01-28所有现有的 ETH 安全工具
https://graph.org/ETHSec-Tools-02-13 Web3 网络钓鱼
https://www.phishfort.com/blog/web3-phishing-has-finally-arrived MetaMask 针对性攻击
https://bloom.co/blog/6-ways-a-site-can-attack-your-metamask/Web3 时间线中的所有黑客攻击和安全事件。
https://newsletter.blockthreat.io
https://graph.org/Key-principles-of-storing-crypto-cold-wallet-attacks-defense-methods-best-practices--Bonus-04-23https://github.com/uni-due-syssec/eth-reentrancy-attack-patternshttps://blog.chain.link/defi-security-best-practiceshttps://a16z.com/2022/04/23/web3-security-crypto-hack-attack-lessonshttps://medium.com/immunefi/hacking-the-blockchain-an-ultimate-guide-4f34b33c6e8b跨链桥攻击
https://telegra.ph/Cross-chain-bridge-attacks-A-Z-05-07数据整理
智能合约错误数据库https://swcregistry.io以太坊智能合约中的安全漏洞调查https://arxiv.org/pdf/2105.06974.pdfLNERABILITIES_AND_REAL_ATTACKS - 概述https://www.researchgate.net/publication/353794368_SMART_CONTRACTS_VULNERABILITIES_AND_REAL_ATTACKShttps://www.researchgate.net/publication/338926064_Smart_Contract_Attacks_and_Protections对 RPC 的攻击https://www.ndss-symposium.org/wp-content/uploads/NDSS2021posters_paper_2.pdf 智能合约中经济安全的自动分析https://eprint.iacr.org/2021/1147.pdf 关于快速贷款攻击的最佳研究https://arxiv.org/abs/2003.03810关于回退攻击https://github.com/felixnan88/fallback-attack 重入攻击模式https://github.com/uni-due-syssec/eth-reentrancy-attack-patternsDeFi 威胁列表https://github.com/freight-chain/defi-sec & github.com/freight-trust/defi-threat寻找对区块链的 DeFi 攻击https://arxiv.org/pdf/2103.02873.pdf检查交易是否容易受到三明治攻击并找到合适的订单拆分的工具https://defi-sandwi.ch & pub.tik.ee.ethz.ch/students/2021-FS/BA-2021-07.pdf智能合约 out-of-gas 漏洞的安全分析工具https://gasgauge.github.io , https://arxiv.org/pdf/2112.14771.pdftornado 现金池分析器。https://Tutela.xyzCIA 读物汇编https://github.com/OffcierCia/DeFi-Developer-Road-Map#security--safety智能合约库https://library.dedaub.com一个模糊器https://github.com/christoftorres/ConFuzziusWeb3安全资源 https://www.w3bs3c.com/所有智能合约安全工具:
https://arxiv.org/pdf/2112.03426.pdfhttps://papers.ssrn.com/sol3/papers.cfm?abstract_id=3769774https://publik.tuwien.ac.at/files/publik_278277.pdfhttps://arxiv.org/pdf/2008.02712.pdf视频学习
https://youtu.be/0FTLC8JnWp0https://youtu.be/-469Gcye-ZEhttps://youtu.be/C9C4zgskHwghttps://youtu.be/s3FL5caAy5whttps://youtu.be/I6VDBvX9Pkw区块链去中心化应用黑客课程
https://youtube.com/playlist?list=PLCwnLq3tOElpIi6Gci36PnvrrS8ljBHkq在 web3 中工作
工作:
| 阅读:https://web3.smsunarto.com
https://twitter.com/jobsincryptohttps://twitter.com/CryptoJobsListhttps://t.me/dailyapehrhttps://t.me/lobsters_hrhttps://t.me/solidity_learninghttps://t.me/dev_solidity赠款和 DAO:
https://twitter.com/developer_daohttps://twitter.com/LidoGrantshttps://twitter.com/gitcoinhttps://twitter.com/web3grantshttps://questbook.xyz/Web3漏洞赏金平台:
https://github.com/sw33tLie/bbscopehttps://immunefi.com/https://code4rena.comhttps://github.com/blockthreat/blocksec-ctfsETHSecurity社区
https://discord.gg/F7DRMPdgSg智能合约审计清单推荐
https://blog.openzeppelin.com/follow-this-quality-checklist-before-an-audit-8cc6a0e44845/https://consensys.github.io/smart-contract-best-practices/https://ethereum.stackexchange.com/questions/8551/security-review-checklist-for-a-smart-contract/8593#8593https://github.com/Rari-Capital/solcurityhttps://github.com/cryptofinlabs/audit-checklisthttps://securing.github.io/SCSVS/https://our.status.im/what-is-a-security-audit-when-you-should-get-one-and-how-to-preparehttps://github.com/nascentxyz/simple-security-toolkit#readmehttps://bowtiedisland.com/how-to-read-a-smart-contract-audit-report审计必读
https://docs.google.com/document/d/1UkAcL7-KAWANKWnebYemA-4bTXC0m9RKrV19aIoFKdY/edit#heading=h.f1o44ntj9vx9https://docs.google.com/document/d/1gTPIQMLVcv_OQ8flblVTCWWfrGadQNxZXNZTvDh6iKA/edithttps://docs.google.com/document/d/1gTPIQMLVcv_OQ8flblVTCWWfrGadQNxZXNZTvDh6iKA/edithttps://drive.google.com/file/d/1aV38iSkwFLa5FxyN8YahTVr9t9DICNmD/view推荐阅读:
记一次赏金10000美金的漏洞挖掘(从.git泄露到RCE)