Beginners Guide: Smart Contract Auditing

A beginners guide to get into web3 smart contract auditing.

Requirements

There are some prerequisites before diving into smart contract auditing. You need to make sure to have:

• a solid understanding in Ethereum and Solidity
• basic understanding of DeFi
• basic knowledge in Finance

Ethereum

“Mastering Ethereum” by Andreas M. Antonopoulos and Gavin Wood (co-founder of Ethereum) is a great introduction to Ethereum and its EVM. You’ll learn the basics and how smart contracts work.

Solidity

To get the required knowledge in Solidity, I recommend the freeCodeCamp course by Patrick Collins. This course will teach you how to read Solidity code, deploy contracts and develop your own contracts.

Solidity CTFs:

Once you grasp the basics in Solidity, you can move on to Solidity CTFs, e.g.:

• Ethernaut
• Capture The Ether
• Damn Vulnerable DeFi

DeFi

Another important aspect is decentralized finance. Afinancial ecosystem build on the blockchain. Users can buy and sell assets and financial services as a form of investment or financing without a middleman.

You will learn about different technical concepts, like:

• different token contracts (ERC20, ERC721)
• teachyourselfcrypto.com
• Proxies
• MasterChef: Synthenix Staking Rewards Contract
• Compound
• UniswapV2

Finance

To understand the Finance part of DeFi you should know what:

• options
• swaps
• futures
• CDOs and other derivatives

are and how they work.

Secureum - Ethereum Security

Once you master those 3 pre-requirements you can move on to Secureum to hone your Ethereum security skills in:

• Ethereum 101
• Solidity 101
• Security Pitfalls and Best Practices 101
• Audit Techniques and Tools 101
• Audit Findings 101 & 201

Other Smart Contract Security related content

• Smart Contract Security and Auditing 101
• Advanced Smart Contract Security and Auditing Tools

Bug Bounty Platforms

When you feel comfortable enough, you can try and collect some bug bounties at:

• Code4rena
• Immunefi

If you have trouble starting, I recommend to:

• read all past audit reports
• understand and categorize all findings.

Start with low risk and non critical issues and gas optimizations, before looking at high and medium findings/reports.

Spend time learning and experimenting. Climb the leaderboard and make sure to share your findings and experience with others.

Happy hacking web3.0, anon!

Other useful material:

• Solidity Documentation
• https://cmichel.io/ (a great blog to learn about smart contract auditing)
• Ethernaut CTF walkthroughs (Youtube)