# Smart Contract Auditor Tools and Techniques

## How to Become a Smart Contract Auditor
* [How to become a Smart Contract Auditor and Bounty Hunter, by Officer CIA](https://officercia.mirror.xyz/FvMKbibx7gDlufgZSkmYn77CI8HPBsVCeqUKmpXHr0k)
* [Auditor's Roadmap by RazzorSec](https://github.com/razzorsec/AuditorsRoadmap)

## Transaction Visualization Tools for Analyzing Hacks
* [MistTrack](https://misttrack.io/)
* [Phalcon by BlockSec](https://phalcon.blocksec.com/?s=09)
* [Bitquery Explorer](https://explorer.bitquery.io/ethereum/address/0x58f56615180a8eea4c462235d9e215f72484b4a3/graph?theme=dark)
* [Tx eth samczsun](https://tx.eth.samczsun.com/)
* [Tenderly](https://tenderly.co/)
* [Cruise Supremacy](https://cruise.supremacy.team)
* [Cross-chain transaction tracker](https://socketscan.io/)
* [Front-running explorer](https://zeromev.org/)
* [Awesome On-chain Investigation](https://github.com/OffcierCia/On-Chain-Investigations-Tools-List/tree/main)

## Stanford DeFi Security Summit 2022
* [Day 1 (full)](https://youtu.be/EdH7UaJec3g)
* [Day 2 (full)](https://youtu.be/umV-wcKlpjg)
* [DeFi Security Summit channel](https://www.youtube.com/channel/UCmWdqeY9Dmcz9692nU6LjLQ)

## Paris DeFi Security Summit 2023
* [DeFi Security Summit 2023](https://www.youtube.com/watch?v=e_fWv7P6N3s&list=PL5r4vTR0gHj5JL62S9R0umY64ue6mfQhd)

## Miscellaneous Tools
* [Cyfrin Solodit - smart contract security research](https://solodit.xyz)
* [Cryptocurrency OSINT](https://start.me/p/ek4rxK/cryptocurrency-osint)
* [Tool to visualize the storage layout of proxy contracts and check for storage collisions](https://github.com/naddison36/sol2uml)
* [Uniswap TWAP Oracle Price Manipulation Simulator](https://www.euler.finance/blog/oracle-attack-simulator)
* [Metamorphic contract detector](https://a16zcrypto.com/metamorphic-smart-contract-detector-tool/)
* [VS Code on Etherscan](https://github.com/dethcrypto/dethcode)
* [EVM traces with Python](https://banteg.mirror.xyz/3dbuIlaHh30IPITWzfT1MFfSg6fxSssMqJ7TcjaWecM)
* [Tool to detect out-of-gas / denial-of-service issues](https://blog.pessimistic.io/gas-gauge-pressure-control-b1c86fd7cd?123)
* [List of DeFi hacks with proofs of concept](https://wooded-meter-1d8.notion.site/0e85e02c5ed34df3855ea9f3ca40f53b?v=22e5e2c506ef4caeb40b4f78e23517ee)
* [Tool to extract the ABI from unverified contracts](https://github.com/shazow/whatsabi)
* [Tool to get historical data from EVM chains](https://github.com/fei-protocol/checkthechain)
* [Immunefi Web3 Security Library](https://github.com/immunefi-team/Web3-Security-Library)
* [Ethers.js playground](https://playground.ethers.org/)
* [ETH-Toolbox: useful tools for Ethereum devs](https://eth-toolbox.com/)
* [EVM codes interactive playground](https://www.evm.codes/)
* [Echidna fuzzer](https://github.com/crytic/echidna)
* [Trade volume metrics across all chains](http://explorer.0x.org)
* [Tool to check the diff between audited code and on-chain code](https://app.zellic.io/?_gl=1*f41ue9*_ga*NjE2MzI2NTIyLjE2NTc0NjAwMTY.*_ga_CKQ2MLPVX5*MTY2ODU3ODU1MS42LjAuMTY2ODU3ODU1MS4wLjAuMA..)
* [Oracle risk rating system](https://docs.euler.finance/euler-protocol/getting-started/methodology/oracle-rating)
* [Tool to diff contracts using simhashes](https://contract-diff.xyz)
* [Tool to match hashes of known contracts](https://github.com/lpinilla/Smart-Contract-Hash-Matcher)
* [ABI decompiler](https://github.com/Decurity/abi-decompiler)
* [Database](https://cryptoscamdb.org/scams) and [tool](https://www.chainabuse.com/) to detect and report scams
* [Rug checker tools](https://t.co/RseTCjVc86)
* [User-friendly MetaDock extension by BlockSec](https://twitter.com/BlockSecTeam/status/1595704166860861441?t=JulG2oXuwHhPXI7CK3Kb-w&s=19)
* [Tool for checking cross-function and cross-contract reentrancy](https://toolman-demo.readthedocs.io/en/latest/index.html)
* [Tool to guess the type of ABI-encoded data](https://github.com/samczsun/abi-guesser)
* [Running Slither and other tools in the cloud](https://www.youtube.com/watch?v=bgv0rVPgjzY)
* [samczsun's tool to get the function signature from abi.encoded data](https://twitter.com/samczsun/status/1625063659981647875?t=K9E_WZzY5mMao8BaQYFqcw&s=19)
* [Visualize EVM storage (finally!)](https://evm.storage/)
* [Tool to query Solidity smart contracts](https://glide.r.xyz/)
* [WeAudit VS Code extension by Trail of Bits for taking notes during an audit](https://blog.trailofbits.com/2024/03/19/read-code-like-a-pro-with-our-weaudit-vscode-extension/)

## On-Chain Monitoring Tools for Attacks (see the [Pessimistic blog post](https://blog.pessimistic.io/how-to-defend-your-castle-innovative-trio-in-smart-contract-security-monitoring-prevention-c8885304035a))
* [Forta](https://forta.org/)
* [Defender](https://www.openzeppelin.com/defender)
* [Tenderly](https://tenderly.co/)
* [Lossless](https://lossless.io/)
* [Hackless](https://hackless.io/)
* [Blocknative](https://www.blocknative.com/)
* [Seraph](https://dl.acm.org/doi/10.1145/3377812.3382157)
* [SlowMist monitor](https://www.slowmist.com/service-security-monitoring.html)
* [Ironblocks](https://www.ironblocks.com/)
* [Hypernative](https://www.hypernative.io/)
* [Hacken Extractor](https://hacken.io/hacken-news/hacken-extractor-public-beta-launch/)
* [QuickNode's QuickAlerts](https://www.quicknode.com/quickalerts)
* [Cyvers.ai](https://cyvers.ai/)
* [Hexagate](https://www.hexagate.com/)
* [PeckShield's KillSwitch](https://twitter.com/peckshield/status/1571819575901319168)
* [Zokyo's Mamoru.ai](https://www.mamoru.ai/)

## On-Chain Simulators for User-Side Defense
* [Fire](https://twitter.com/_joinfire?t=zSw5GORhMsd-siI3U4Z3wQ&s=09)
* [Pocket Universe](https://twitter.com/PocketUniverseZ?t=NULScPCcTkdFQeUmAGa3TA&s=09)
* [Stelo](https://twitter.com/stelolabs?t=26vhkd6YOUVB2usrZX60Jw&s=09)
* [Interlock](https://twitter.com/interlockweb3?t=OtVdboey4yC-sN9UvMBbig&s=09)
* [Wallet Guard](https://twitter.com/wallet_guard?t=h7JfUgmUii7RKvny_5V4cA&s=09)
* [Meshed Labs](https://www.meshed.xyz/)
* [Blowfish](https://twitter.com/blowfishxyz?t=xrj759mZ1OMgV1WZveXf2w&s=09)
* [Hexagate](https://twitter.com/hexagate_?t=7cFCpc-kLdVNBDbltNh4uw&s=09)
* [Rabby.io, an alternative to MetaMask](https://rabby.io/)
* [Web3 Antivirus](https://web3antivirus.io/)

## OffcierCia's On-Chain Investigation Tools
* [Ethtective](https://ethtective.com/)
* [Breadcrumbs](http://breadcrumbs.app/)
* [Hal](https://app.hal.xyz/)
* [Dune Analytics](https://dune.xyz/)
* [Nansen.ai](https://nansen.ai/)
* [Bloxy.info](https://bloxy.info/)
* [Tx2uml](https://github.com/naddison36/tx2uml)
* [EVM Trace](https://github.com/ApeWorX/evm-trace)
* [3D VR blockchain visualization](https://ethresear.ch/t/open-source-3d-and-vr-blockchain-visualizations/3297/2)
* [Unrekt.net](https://app.unrekt.net/)
* [Revoke.cash](https://revoke.cash/)
* [Tutela](https://tutela.xyz/)

## Echidna Fuzzing Resources
* [Why Echidna is the best smart contract fuzzer](https://youtu.be/RrdrfdtWnSo)
* [Breaking the Solidity compiler with a fuzzer](https://blog.trailofbits.com/2020/06/05/breaking-the-solidity-compiler-with-a-fuzzer/)
* [More on fuzzing using Echidna](https://blog.pessimistic.io/fuzzing-solidity-smart-contracts-with-echidna-die-hard-level-tips-9ab7033fa893?123)
* [Trail of Bits setting up fuzzing for clients](https://twitter.com/transmissions11/status/1487586670153060352)
* [Trail of Bits livestream on fuzzing using Echidna](https://blog.trailofbits.com/2022/11/14/livestream-workshop-fuzzing-echidna-slither/)
* [Hybrid fuzzing](https://blog.trailofbits.com/2022/12/08/hybrid-echidna-fuzzing-optik-maat/)
* [Echidna from intro to advanced, with tips and FAQs](https://secure-contracts.com/program-analysis/echidna/index.html)

## Symbolic Execution / Formal Verification Tools
* [Halmos](https://github.com/a16z/halmos)
* [Certora](https://docs.certora.com/en/latest/)
* [Mythril](https://github.com/ConsenSys/mythril)
* [Kontrol](https://docs.runtimeverification.com/kontrol/overview/readme)
* [hevm](https://github.com/ethereum/hevm)

## Static Analysis Tools and More
* [Oyente](https://lnkd.in/dqZP3V3w)
* [Osiris](https://lnkd.in/dYFtk6SZ)
* [Maian](https://lnkd.in/dkkbub3H)
* [TeEther](https://lnkd.in/dWD_ZGMa)
* [Sereum](https://lnkd.in/dp4GRgDS)
* [ContractFuzzer](https://lnkd.in/did5cdkG)
* [ILF](https://lnkd.in/d3e_Rs7n)
* [Slither](https://lnkd.in/d7hur-55)
* [Vandal](https://lnkd.in/dZ-qmrEw)
* [Madmax](https://lnkd.in/dtcvTZdE)
* [Ethir](https://lnkd.in/dKGXDv3u)
* [Smartcheck](https://lnkd.in/dS6ThVGy)
* [SaferSC](https://lnkd.in/dim6waid)
* [RecChecker](https://lnkd.in/dKPZ2rHf)
* [KEVM](https://lnkd.in/dbqXZq3H)
* [Eth-Isabelle](https://lnkd.in/dB_Mvz8p)
* [SmartPulse](https://lnkd.in/dmwEEPTY)
* [Semgrep](https://github.com/Decurity/semgrep-smart-contracts)
* [C4udit](https://github.com/byterocket/c4udit)
* [Cyfrin Aderyn](https://cyfrin.io/tools/aderyn)

## Smart Contract Security Techniques and Best Practices (see also [DeFiVulnLabs](https://github.com/SunWeb3Sec/DeFiVulnLabs/blob/main/README.md))
* [Mastering Ethereum - Smart Contract Security](https://github.com/ethereumbook/ethereumbook/blob/develop/09smart-contracts-security.asciidoc)
* [Smart Contract Best Practices - The Smart Contract Security Field Guide](https://scsfg.io/hackers/)
* [Awesome-Smart-Contract-Security](https://github.com/saeidshirazi/Awesome-Smart-Contract-Security)
* [(Not So) Smart Contracts](https://github.com/crytic/not-so-smart-contracts)
* [Smart contract best practices by Trail of Bits](https://github.com/crytic/building-secure-contracts)
* [Smart Contract Attack Vectors](https://github.com/kadenzipfel/smart-contract-attack-vectors)
* [Secureum Security Pitfalls 101](https://secureum.substack.com/p/security-pitfalls-and-best-practices-101?s=r)
* [Secureum Security Pitfalls 201](https://secureum.substack.com/p/security-pitfalls-and-best-practices-201?s=r)
* [How to Secure Your Smart Contracts: 6 Solidity Vulnerabilities and How to Avoid Them (Part 1)](https://medium.com/loom-network/how-to-secure-your-smart-contracts-6-solidity-vulnerabilities-and-how-to-avoid-them-part-1-c33048d4d17d) and [(Part 2)](https://medium.com/loom-network/how-to-secure-your-smart-contracts-6-solidity-vulnerabilities-and-how-to-avoid-them-part-2-730db0aa4834)
* [All Ethereum EIPs](https://eips.ethereum.org/)
* [Missing support for EIP-2930 on BSC: beware, multisigs!](https://ethereum.stackexchange.com/questions/122558/does-bsc-chain-support-eip2930)
* [Handling "missing return" ERC20 tokens](https://medium.com/coinmonks/missing-return-value-bug-at-least-130-tokens-affected-d67bf08521ca)
* [All types of reentrancy attacks](https://github.com/pcaversaccio/reentrancy-attacks)
* [Smart Contract Weakness Classification Registry (SWC Registry)](https://swcregistry.io/)
* [Ethereum post-Merge security and known attack vectors](https://ethereum.org/en/developers/docs/consensus-mechanisms/pos/attack-and-defense/)
* [Best practices for upgradeable smart contracts](https://mirror.xyz/shanzson.eth/HHvF8IDCiJs62C3GGDZXY5JqJnlKsl1oaBoUY_O8rY8)
* [Guide to governance attacks](https://bowtiedisland.com/governance-attacks-and-you-the-responsible-citizens-guide/)
* [How to avoid governance attacks](https://a16zcrypto.com/dao-governance-attacks-and-how-to-avoid-them/)
* [DAO governance attacks and how to avoid them](https://dacian.me/dao-governance-defi-attacks)
* [The Vulnerable Nature of Decentralized Governance in DeFi](https://arxiv.org/abs/2308.04267)
* [A white hat mindset, from the perspective of a smart contract auditor](https://mirror.xyz/shanzson.eth/jJR3drPtxZ8uuuW0086_o2m0qkS13QfF8ZueYxeuG_Q)
* [Commit-and-reveal scheme to mitigate front-running attacks](https://solidity-by-example.org/hacks/front-running/)
* [NFT security collection](https://telegra.ph/NFT-security-01-28)
* [Solving the issue with slippage in EIP-4626](https://link.medium.com/d4tmBHMijvb)
* [A Novel Defense Against ERC4626 Inflation Attacks, by OpenZeppelin](https://blog.openzeppelin.com/a-novel-defense-against-erc4626-inflation-attacks)
* [ERC-4626 security concern: inflation attack, by OpenZeppelin](https://docs.openzeppelin.com/contracts/5.x/erc4626#inflation-attack)
* [Property tests in Foundry for ERC4626, by a16z](https://github.com/a16z/erc4626-tests)
* [Proxy contract security guide](https://proxies.yacademy.dev/)
* [Awesome Oracle Manipulation](https://github.com/0xcacti/awesome-oracle-manipulation)
* [100-point checklist before sending your smart contract for audit](https://betterprogramming.pub/the-ultimate-100-point-checklist-before-sending-your-smart-contract-for-audit-af9a5b5d95d0)
* [Solcurity security checklist for audits](https://github.com/transmissions11/solcurity)
* [Smart contract audit checklist](https://github.com/tamjid0x01/SmartContracts-audit-checklist)
* [Solodit audit checklist](https://solodit.xyz/checklist)
* [Upgradeable smart contract audit checklist](https://twitter.com/pashovkrum/status/1699407698750578765/photo/1)
* [Smart Contract Security Verification Standard (SCSVS)](https://github.com/ComposableSecurity/SCSVS)
* [Top 10 Hacking Techniques of 2022, by OpenZeppelin](https://www.openzeppelin.com/security-audits/top-hacking-techniques-2022)
* [Question until it crashes, by Tincho](https://blog.theredguild.org/question-until-it-crashes/)
* [Reproducing MEV attacks](https://medium.com/immunefi/how-to-reproduce-a-simple-mev-attack-b38151616cb4)
* [Checklist for signature verification](https://twitter.com/TheSchnlich/status/1693747190458433881)
* [Signature replay attacks](https://www.youtube.com/watch?v=jq1b-ZDRVDc)
* Improper verification of signatures: [SWC-121](https://swcregistry.io/docs/SWC-121/) and [SWC-117](https://swcregistry.io/docs/SWC-117/)
* [Loss-of-precision vulnerabilities](https://www.youtube.com/watch?v=Ild-N0ADrkI)
* [EEA DeFi Risk Assessment Guidelines (1st draft)](https://entethalliance.org/specs/drafts/defi-risks/20230116/)
* [Blog on AI in crypto and smart contract security](https://medium.com/zokyo-io/ai-in-crypto-smart-contract-security-1af9ed03cb07)

## DeFi-Focused Security Resources
* [Zokyo auditing tutorial for medium- to high-severity findings](https://zokyo-auditing-tutorials.gitbook.io/zokyo-tutorials)
* [Top 10 DeFi Security Best Practices](https://blog.chain.link/defi-security-best-practices/)
* [DeFi slippage attacks](https://dacian.me/defi-slippage-attacks)
* [Price oracle best practices](https://samczsun.com/so-you-want-to-use-a-price-oracle/)
* [Securely using Chainlink to price Curve LP pools](https://blog.chain.link/using-chainlink-oracles-to-securely-utilize-curve-lp-pools/)
* [Chainlink oracle attacks](https://medium.com/cyfrin/chainlink-oracle-defi-attacks-93b6cb6541bf)

## Audit Reports and Findings
* [Code4rena audit reports](https://code4rena.com/reports)
* [Sherlock audit reports](https://github.com/sherlock-protocol/sherlock-reports)
* [The Auditor Book - Sherlock and Code4rena findings](https://theauditorbook.com/)
* [Search Code4rena and Sherlock findings](https://audit-hero.com/search-findings)
* [Immunefi bug bounty writeups](https://github.com/sayan011/Immunefi-bug-bounty-writeups-list)
* [Cyfrin Solodit search with filters](https://solodit.xyz/)
* [All audit reports of security companies](https://github.com/0xNazgul/Blockchain-Security-Audit-List)
* [List of bridge hacks](https://gist.github.com/cwhinfrey/9fd1bbc31bbcff08fca242b90c7f875d)

## ZK Security and Learning Resources
* [Intro to ZK security](https://www.youtube.com/watch?v=8wsR7o0rOxU&feature=youtu.be)
* [ZK bug tracker](https://github.com/0xPARC/zk-bug-tracker)
* [ZK hash collision vulnerability](https://youtu.be/W4zAbEnJQUw)
* [Common zero-knowledge proof vulnerabilities](https://youtu.be/1RQSwj8h8rM)
* [ZK auditing cohort, open sourced](https://yacademy.dev/fellowships/zBlock1/)
* [ZK Camp's Aztec/Noir cohort](https://www.zkcamp.xyz/aztec)
* [ZK learning with 0xPARC](https://learn.0xparc.org/)
* [ZK learning resources by Shanzson :)](https://github.com/shanzson/Zero-Knowledge-Proofs-Learning-Resources/blob/main/README.md)
* [ZK audit playbook by Zellic](https://twitter.com/zellic_io/status/1750638776215621971)
* [ZK Bugs Database](https://bugs.zksecurity.xyz/)

## Free Smart Contract Security-Related Resources
* [Ethereum Yellow Paper course](https://youtu.be/e84V1MxRlYs)
* [Awesome OpenZeppelin](https://github.com/OpenZeppelin/awesome-openzeppelin)
* [Stanford cryptography course](https://www.coursera.org/learn/crypto)
* [Mastering Solidity Assembly (Yul)](https://www.youtube.com/playlist?list=PL5hld-skrdFrxGUmmEbG1LBvYVyTE9M62)
* [All about assembly](https://jeancvllr.medium.com/solidity-tutorial-all-about-assembly-5acdfefde05c)
* [Cyfrin Updraft - Smart Contract Security and Auditing course](https://updraft.cyfrin.io/courses/security)

## What to Do When Hacked?
* [SEAL 911 bot: whitehats to rescue you when hacked](https://t.me/seal_911_bot)
* [Incident response guidelines by Trail of Bits](https://secure-contracts.com/development-guidelines/incident_response.html)
* [Crisis Handbook - Smart Contract Hacks](https://docs.google.com/document/d/1DaAiuGFkMEMMiIuvqhePL5aDFGHJ9Ya6D04rdaldqC0/edit#heading=h.c4h2beeflqpo)

## Privacy Tools
* [Tool for private RPC](https://twitter.com/emilianobonassi/status/1596169493893771265)
* [HOPR protocol](https://hoprnet.org/protocol)
* Using [Zmok](http://zmok.io) along with [Mullvad VPN](http://mullvad.net)

## Ethereum Blogs to Deep Dive
* [Timeline of all Ethereum forks and upgrades](https://ethereum.org/en/history/)
* [How data is stored in Ethereum](https://hackernoon.com/getting-deep-into-ethereum-how-data-is-stored-in-ethereum-e3f669d96033)

## PoCs
* [Coinspect EVM attacks](https://github.com/coinspect/learn-evm-attacks)
* [DeFi Hack Labs](https://github.com/SunWeb3Sec/DeFiHackLabs)

## Miscellaneous
* [List of all blockchain security companies](https://github.com/0xNazgul/Blockchain-Security-Audit-List)
* [Upgrading Ethereum (Eth2Book)](https://eth2book.info/bellatrix/)
* [Deconstructing a Solidity Contract series (to understand and debug bytecode-level code)](https://blog.openzeppelin.com/deconstructing-a-solidity-contract-part-i-introduction-832efd2d7737/)
* [Solidity notes by Chinmaya](https://github.com/chinmay-farkya/solidity-notes)
* [Formal verification speedrun with Halmos, Kontrol and Certora](https://youtu.be/pjwYr97Q-Ok?si=2uGujm-p4be8mcdN)
* [The Ethereum Cypherpunk Manifesto](https://hackmd.io/@pcaversaccio/the-ethereum-cypherpunk-manifesto)