Smart Contract Security: 30 Day Deep Dive

I’ve spent the last couple months doing quite a few things, dealing with irl stuff, and then moving onto some pure golang stuff which I’ve been caught up dealing with.

However, I’ve decided firmly that I need to figure out a routine to spend more time digging into solidity security.

The things that I want to figure out are far too wide so I’ve settled on a few:

  • Set up a Solidity dev environment and a container to easily bootstrap something with the right tools: Setting up Linux/macOS so you can hit the ground running. It’d also be cool to have a Solidity security toolkit Docker image that I can spin up whenever and wherever.

  • What to do when you’re diving into a new codebase: Honestly, this leaves me blank and I just skim the code for a long time, and most of the time I’m not putting in effort so it isn’t worth it. I will take notes as I go through multiple codebases and then follow that up with a quick edit and post it on here under a deep dive tag. It’d be interesting to see how I approach new codebases, first as a rookie, and as I practice more. I’d assume there’s a standard set of things that needs to be done, such as graphing to understand control flow, looking for functions with a higher probability of bugs, and running the contracts through Slither / other static analyzers.

  • Using my personal server: I’ve been running a bare metal personal server for a few years now, and I want to write some scripts to collect some on-chain data. This isn’t exactly focused on security but it’d be cool to build some stuff. Maybe something that detects hacks (using heuristics like a complex txn with large traces, coupled with a single EOA receiving funds, etc.)

  • CTFs: They’re great resources and I want to publish running commentary on them.

  • Compete: Getting into this space is pretty much because of two reasons, I can start competing, and there is a possibility of financial gain. The money sure does sound good. Really what I’m looking to get into is regularly competing in audit contests, learn from losing out on leaderboard, go back to the drawing board and come back stronger.

Competing is something that’s natural to me, and I find that when I’m regularly competing (could be playing a sport regularly, online), it keeps me going and in good spirits. The Solidity security space also builds upon my experience building and deploying smart contracts to production.

I think that’s pretty much the update for today. I’ll start going through audit reports, and try to make sense of the most common bugs. This should help me build some solid intuition.