Smart Contract Security - Writing an amazing finding

Writing an amazing finding

Patrick explains reporting process. How to create a detailed report with Markdown. Discusses importance of issues & solutions.

Solidity Developer

Smart Contract Security

Course Introduction

Duration: 25min

Section 1: Review

Duration: 1h 18min

Section 2: What is a smart contract audit

Duration: 35min

Section 3: Your First Audit | PasswordStore

Duration: 2h 28min

1. Your First Security Review

All the things we'll cover in this section! High-level info. Learn to conduct audits, prepare PDF reports, scope, reconnaissance, vulnerability identification & reporting. Duration: 5min

2. Scoping: Etherscan

Learn why test suites and deployment frameworks are important prerequisites in a security review/audit. REKT Test discussed as an evaluation tool. Duration: 6min

3. Scoping: Audit Details

Exploring the codebase, examining contracts in scope for audit, starting with PasswordStore.sol - simple, key concepts for Solidity & smart contract security. Duration: 13min

4. Scoping: cloc

CLOC demonstration - Measure nSLOC, estimate code base audit time. Duration: 3min

5. Recap I

Recap of smart contract scoping & review tips with Patrick. Focus on mature code bases, test suites, and documentations. Review onboarding form usage for engaging clients. Duration: 3min

6. "The Tincho"

Learn how the legendary Tincho approaches his audits in this overview of his systematic technique, brought to us by Tincho himself! Duration: 15min

7. Recon: Context

Starting in on PasswordStore using The Tincho! Read and understand context & docs, leveraging Solidity Metrics VS Code extension. Duration: 5min

8. Recon: Understanding the code

Demonstrates step-by-step approach, note-taking, communication with team. Gain understanding, identify vulnerabilities. Duration: 3min

9. Exploit: Access control

Missing Access Control - Vulnerability Discovered! Duration: 3min

10. Exploit: Public Data

Exploit Public Data - Private Variables Aren't Private! Explore this vulnerability in PasswordStore. Duration: 3min

11. Recap II

Patrick recaps the vulnerabilities found so far: No Owner Check, Erroneous Parameter, Unsafe Storage on Chain. Duration: 1min

12. Protocol Tests

Validating protocol tests and coverage, emphasizing thoroughness! Duration: 3min

13. Writing an amazing finding

Patrick explains reporting process. How to create a detailed report with Markdown. Discusses importance of issues & solutions. Duration: 4min

14. Writing an amazing finding: Title

Learn how to write better findings: focus on repetition, use clear titles with root causes & impact, example of effective title creation in a security report. Duration: 2min

15. Writing an amazing finding: Description

Writing a description for our report detailing all the necessary information about our discovered vulnerability. Duration: 4min

16. Writing an amazing finding: Proof of code

Writing a proof of code to indisputably prove the vulnerabilities we've found! Duration: 3min

17. Writing an amazing finding: Recommended Mitigation

Writing a great recommended mitigation for the issues found in PasswordStore! Duration: 2min

18. Finding Writeup

Recap finding write ups: Structured format, clear communication, specific details (code snippets). Duration: 2min

19. Access Control Writeup

Add missing access control in PasswordStore's set password function. Use code examples & tips on markdown formatting. Duration: 3min

20. Missing Access Controls Proof Of Code

Vulnerability proof: Write test case using the protocols test suite Duration: 5min

21. Finding Writeup Docs

Writing up our finding for incorrect NatSpec! Duration: 3min

22. Augmented Report With Ai

Using AI to improve our writing and grammar. Duration: 3min

23. Quick Primer On What We Are Learning Next

Audit data, severity ratings, PDF report creation. Instructions by Patrick on accomplishing tasks using tools & resources. Duration: 2min

24. Severity Rating Introduction

Learn how to determine severity ratings for findings in security reviews with the CodeHawks docs as a guide! Duration: 4min

25. Assessing Highs

Audit report severity evaluation using likelihood & impact methodology, demonstrated with examples & steps. Duration: 4min

26. Severity Rating Informational

Assessing informational severity as a potential issue, unlikely to disrupt code functionality. Duration: 3min

27. Timeboxing

In this video, Patrick discusses timeboxing in reviewing codebases & moving on when needed. Learn effective time management for security research. Duration: 2min

28. Making A Pdf

Generate a professional PDF report from a markdown file! Duration: 12min

29. Building Your Portfolio

Creating a GitHub public repo for storing smart contract audit and security journey in PDF format. Build that portfolio and get your name out there! Duration: 2min

30. Exercises

Celebrate progress, join CodeHawks! Rest & prep for bigger challenges ahead. Duration: 4min

31. Isolated Dev Environments

Duration: 12min

32. Recap & Congrats

Patrick recaps your first security review steps: onboarding, docs, scope, vulnerabilities, mitigation and reporting Duration: 9min

Section 4: Puppy raffle

Duration: 5h 03min

Section 5: TSwap

Duration: 5h 22min

Section 6: Thunder Loan

Duration: 4h 33min