Scoping: Etherscan

Learn why test suites and deployment frameworks are important prerequisites in a security review/audit. REKT Test discussed as an evaluation tool.

Solidity Developer

Smart Contract Security

1. Your First Security Review
All the things we'll cover in this section! High-level info. Learn to conduct audits, prepare PDF reports, scope, reconnaissance, vulnerability identification & reporting. Duration: 5min
2. Scoping: Etherscan
Learn why test suites and deployment frameworks are important prerequisites in a security review/audit. REKT Test discussed as an evaluation tool. Duration: 6min
3. Scoping: Audit Details
Exploring the codebase, examining contracts in scope for audit, starting with PasswordStore.sol - simple, key concepts for Solidity & smart contract security. Duration: 13min
4. Scoping: cloc
CLOC demonstration - Measure nSLOC, estimate code base audit time. Duration: 3min
5. Recap I
Recap of smart contract scoping & review tips with Patrick. Focus on mature code bases, test suites, and documentations. Review onboarding form usage for engaging clients. Duration: 3min
6. "The Tincho"
Learn how the legendary Tincho approaches his audits in this overview of his systematic technique, brought to us by Tincho himself! Duration: 15min
7. Recon: Context
Starting in on PasswordStore using The Tincho! Read and understand context & docs, leveraging Solidity Metrics VS Code extension. Duration: 5min
8. Recon: Understanding the code
Demonstrates step-by-step approach, note-taking, communication with team. Gain understanding, identify vulnerabilities. Duration: 3min
9. Exploit: Access control
Missing Access Control - Vulnerability Discovered! Duration: 3min
10. Exploit: Public Data
Exploit Public Data - Private Variables Aren't Private! Explore this vulnerability in PasswordStore. Duration: 3min
11. Recap II
Patrick recaps the vulnerabilities found so far: No Owner Check, Erroneous Parameter, Unsafe Storage on Chain. Duration: 1min
12. Protocol Tests
Validating protocol tests and coverage, emphasizing thoroughness! Duration: 3min
13. Writing an amazing finding
Patrick explains reporting process. How to create a detailed report with Markdown. Discusses importance of issues & solutions. Duration: 4min
14. Writing an amazing finding: Title
Learn how to write better findings: focus on repetition, use clear titles with root causes & impact, example of effective title creation in a security report. Duration: 2min
15. Writing an amazing finding: Description
Writing a description for our report detailing all the necessary information about our discovered vulnerability. Duration: 4min
16. Writing an amazing finding: Proof of code
Writing a proof of code to indisputably prove the vulnerabilities we've found! Duration: 3min
17. Writing an amazing finding: Recommended Mitigation
Writing a great recommended mitigation for the issues found in PasswordStore! Duration: 2min
18. Finding Writeup
Recap finding write ups: Structured format, clear communication, specific details (code snippets). Duration: 2min
19. Access Control Writeup
Add missing access control in PasswordStore's set password function. Use code examples & tips on markdown formatting. Duration: 3min
20. Missing Access Controls Proof Of Code
Vulnerability proof: Write test case using the protocols test suite Duration: 5min
21. Finding Writeup Docs
Writing up our finding for incorrect NatSpec! Duration: 3min
22. Augmented Report With Ai
Using AI to improve our writing and grammar. Duration: 3min
23. Quick Primer On What We Are Learning Next
Audit data, severity ratings, PDF report creation. Instructions by Patrick on accomplishing tasks using tools & resources. Duration: 2min
24. Severity Rating Introduction
Learn how to determine severity ratings for findings in security reviews with the CodeHawks docs as a guide! Duration: 4min
25. Assessing Highs
Audit report severity evaluation using likelihood & impact methodology, demonstrated with examples & steps. Duration: 4min
26. Severity Rating Informational
Assessing informational severity as a potential issue, unlikely to disrupt code functionality. Duration: 3min
27. Timeboxing
In this video, Patrick discusses timeboxing in reviewing codebases & moving on when needed. Learn effective time management for security research. Duration: 2min
28. Making A Pdf
Generate a professional PDF report from a markdown file! Duration: 12min
29. Building Your Portfolio
Creating a GitHub public repo for storing smart contract audit and security journey in PDF format. Build that portfolio and get your name out there! Duration: 2min
30. Exercises
Celebrate progress, join CodeHawks! Rest & prep for bigger challenges ahead. Duration: 4min
31. Recap & Congrats
Patrick recaps your first security review steps: onboarding, docs, scope, vulnerabilities, mitigation and reporting Duration: 9min

Testimonials

Students Reviews

Read what our students have to say about this course.

Chainlink

Chainlink

Chainlink

Gustavo Gonzalez

Gustavo Gonzalez

Solutions Engineer at OpenZeppelin

Francesco Andreoli

Francesco Andreoli

Lead Devrel at Metamask

Albert Hu

Albert Hu

DeForm Founding Engineer

Radek

Radek

Senior Developer Advocate at Ceramic

Boidushya

Boidushya

WalletConnect

Idris

Idris

Developer Relations Engineer at Axelar

Cyfrin
Updraft
CodeHawks
Solodit
Resources