Links
Comment on page

SSCH - Solidity Smart Contract Hacking

Learn how to hack and develop secure smart contracts in our 2 days course

Prerequisites

Knowledge of the topics below is only recommended but not mandatory for this course.
  • Blockchain
  • Blocks and transactions
  • Smart contracts
  • Proof of work and proof of stake
  • Gas
  • Basic understanding of decentralized applications and their applicability

Abstract

2 days full hands-on training where you will learn how to identify vulnerabilities in Smart Contracts written in Solidity. During the course, we will go over 8+ labs inspired by the major hacks that saw companies lose millions of dollars, implement Smart Contracts, but also perform security reviews and detect security flaws using manual analysis and automated tools.

Some of the scenarios we will go through

The list below contains some of the vulnerabilities that we will identify and fix in the labs:
  • Any user can cash out the money from the smart contract
  • Users can buy the subscription also with any wei amount
  • Any user can check the amount of money stored in the contract address
  • Reentrancy vulnerability
  • Block Timestamp Manipulation Vulnerability
  • Tx.origin: Authorization bypass
  • Integer Overflow and Underflow
  • BatchTransfer Overflow (CVE-2018–10299)
  • Unprotected SELFDESTRUCT
  • DelegateCall vulnerabilities
  • ....more

Syllabus

Module
Topic
Time
Intro to ETH and smart contracts
Ethereum
Bitcoin vs Ethereum
A bit of history
The Four stages of development
POW vs POS
Sharding
Beacon Chain
Docking
Smart Contracts
Smart Contracts
Ethereum Smart Contracts
EVM
Bytecode analysis
Accounts, Transactions and Gas
Storage, Memory and Stack
Truffle and Remix IDE
LAB: Our first smart contract and its vulnerabilities
Smart Contracts part 2
Types, Enum and Events
Mappings
Inheritance
Reentrancy vulnerability: the DAO hack
LAB: Steal all my money (Reentrancy)
Interfaces
Block Timestamp
LAB: Manipulation Vulnerability
Authorization
Authorization in Smart Contracts
Open Zeppelin Contracts
Modifiers
LAB: Authorization done properly
LAB: Tx.origin: Authorization bypass
DoS
SELFDESTRUCT
DoS With Block Gas Limit
DoS with Failed Call
More vulnerabilities
Integer Overflow and Underflow
LAB: Transfer your funds, or mine
LAB: BatchTransfer Overflow (CVE-2018–10299)
Libraries
Embedded vs Linked libraries
LAB: Delegatecall vs Call
LAB: Secure your calls
Security auditing
Manual vs automated
No code? reverse engineer a contract
Tools: mythril
Tools: slither
The SCW registry
Reporting
Hack them all
Final Smart Contract Hacking CTF

Reserve a spot

📅
23-24 June (9.30AM - 1.30PM CET) - BETA
👨🏫
Davide Cioccia
💺
Registration Closed on Wed June 22

More info? Contact us at [email protected]