Jules here, from Cyfrin.

Smart contract security doesn’t start with audits, because the future of the entire blockchain industry depends on security.

This week

✍🏼 How to systematically approach an audit

📆 This week in Cyfrin

⭐️ Ecosystem highlights

📚 How to become an auditor, auditor salaries, and best auditing tools

10 Steps to Systematically Approach an Audit

Independent of code size or complexity, breaking the process into compartmentalized chunks makes auditing more approachable.

1. Gain context while going through the docs

2. Clone repo locally, go through the README, and test out the commands

3. Analyze the test suite to find the weaker tested areas

4. Create architecture diagrams to visualize how contracts connect

5. Assess the Solidity versions for bugs within that version

6. Use Solodit to familiarize with the vulnerabilities found in similar protocols

7. Study the most common vulnerability points (access controls, public/external functions, state changes, dependencies, etc)

8. Leverage static analyzers like Slither or Cyfrin Aderyn

9. Time to break line by line! The Solodit Checklist can be helpful in this stage.

10. Craft a compelling report to convincingly demonstrate the bug to the protocol.

— Read more about how to approach an audit here!

This week in Cyfrin

🕵🏻‍♀️ The Beanstalk contest part 2 kicks off in 5 days, April 1st for a chance to win up to $35,000!

🐱 Community First Flight, Kitty Connect, kicks off today! These are contests for new auditors to participate and hone their skills.

📆 Join us today 3PM UTC for Kitty Connect’s First Flight Kick-off and get started with the first flight!

Ecosystem Highlight ⭐️

This week we want to highlight our community member Shikhar Agarwal - who created this week’s Community First Flight.

We all help each other grow - thank you Shikhar!

Related articles

🕵🏻‍♀️ Secure the ecosystem by becoming a smart contract auditor. Here is our full roadmap to kick-off your auditing career.

💰 How much do security researchers earn? Here’s a salary guide for smart contract security auditors!

👩🏻‍💻 Check out our favorite, top industry-leading tools to smart contract auditing.

Would love to hear what you think about Cyfrin newsletter and how we can improve it for you. Let’s chat!

Sending lots of cyber love,
Jules 🤸🏻

Jules here, from Cyfrin.

Level-up you security skills with these two free new courses on Cyfrin Updraft:

1. You can think of the “Wallets & Post Deployment” course as Web3 DevOps, taking you through the fundamentals of what projects need when monitoring protocols post deployment.

2. The “Assembly & Formal Verification” course is our most advanced course yet, diving deep into low level EVM, gas optimizations, and testing methodologies.

— Start learning here!

This week

✍🏼 How to debug 10x faster with AI

⭐️ Ecosystem highlight

📚 10 steps to approach an audit, auditor salaries, and fuzzing guide

How to debug 10x faster with AI

In the age of AI, debugging and getting into software engineering has never been easier. Here is what we call the “AI debugger method”:

1. Tinker with AI coding buddies (like Github Copilot) to pinpoint your error accurately.

2. Ask your AI using the 6 prompt engineering principles.

3. Read the docs and add them as context when prompting the AI.

4. Use AI-powered search engines tailored to developers, like Phind, to get more tailored answers and custom-generated code snippets.

5. Ask a forum and leverage AI to format a markdown question and create well-formatted questions.

6. Iterate always until you find a system that works for you.

— Read more about this debugging method here!

Ecosystem Highlight ⭐️

The Standard is a DeFi protocol enabling anyone to borrow without interest or trusting an authority.

It went through a competitive audit in CodeHawks recently as an over-collateralized stablecoin protocol backed by physical & digital assets built on Arbitrum!

— Check out the Standard here!

Related articles

🕵🏻‍♀️ Want to start auditing but are unsure where to start? Here are 10 steps to systematically approach a smart contract.

💰 How much do security researchers earn? Here’s a salary guide for smart contract security auditors!

👩🏻‍💻 Level up your smart contract testing skills with this Foundry fuzzing guide.

Let us know what you think about this newsletter here!

Sending lots of cyber love,
Jules 🤸🏻

Jules here, from Cyfrin.

Did you know you could earn up to 10% of a contest prize pool by acting as a community judge in CodeHawks?

Lead judges make faster decisions while rewarding security researchers for their judging time and powering their learnings by reviewing other's submissions.

— Read more about how you can become a community judge here!

This week

✍🏼 Smart contract auditing tools to take you to the next level

📆 Cyfrin ecosystem updates

📚 Top developer tools, auditor roadmap, and a deep dive into WooFi

8 Top Smart Contract Security Auditing Tools

We’ve tested and found the best smart contract auditing and security tools every web3 smart contract auditor should include in their stack to sky-rocket their work. 

1. Best Smart Contract Fuzzing Tool Overall: Echidna

2. Best Experimental Fuzz Testing Tool: Medusa

3. Best Fuzzing as a Service (FaaS): Diligence Fuzzing

4. Best Rust-based Static Analyzer: Cyfrin Aderyn

5. Best Python-based Static Analyzer: Slither

6. Best formal verification tool: Halmos

7. Best smart contract DevOps tool: Foundry

8. Best for smart contract security research: Solodit

— Read more about the best industry tools here!

This week at Cyfrin

🏆 Beanstalk competitive audit currently running for a prize pool of $100,000, ending in 12 days.

👩🏻‍🎓 Ready to level up your smart contract security skills? Security and Auditing course part 2 was just released!

☀️ The Cyfrin team got together for a week to discuss the future plans of our products and vision. Exciting announcements coming soon!

Related articles

⚡️ WOOFi’s synthetic proactive market making (sPMM) algorithm was exploited for $8.6M this week. Read about what happened here!

✍🏼 Here are the top 5 web3 developer tools for 2024 to help you speed up your workflows and allow you to code.

👩🏻‍💻 Want to become a smart contract auditor? Here’s a full roadmap to get started!

Let us know what you think about this newsletter here!

Sending lots of cyber love,
Jules 🤸🏻

Jules here, from Cyfrin.

The future of crypto hinders on smart contract security. As the markets rise, we’re more focused than ever on building the web3 we dream of.

Through technical education, private and competitive audits, auditor tooling, and more - we are committed to making 2024 the best year of crypto yet!

TLDR

✍🏼 How did a hacker steal assets from people’s wallets?

📆 Cyfrin ecosystem updates

📚 Auditing tools, audits, and AI debuggers

How did a hacker steal assets directly from user’s wallets?

Exactly a week ago, the Seneca Protocol, a DeFi collateralized debt position protocol, was exploited for approximately $6 million.

🤷🏻‍♀️ How did it happen?

The attacker was able to transfer tokens from users' wallets to their own address by manipulating the Chamber::performOperations function.

1. The performOperations function was set as external without the right input validation, enabling the attacker to call any contract with any arbitrary data.

2. The attacker set callData as a transferFrom() function on a token, specifying the to address to an attacker's EOA address

3. Since the msg.sender was the Chamber contract, the attacker transferred funds to themselves since the Chamber contract had an approval amount that exceeded the total amount of collateral deposited.

— Read more about the Seneca Hack and how to mitigate similar attacks here!

This week at Cyfrin

👩🏻‍💻 Cyfrin CodeHawks is the only competitive auditing platform in the market today enabling users to judge contests. Learn more about how that works here!  

👩🏻‍🎓 Opcodes, Huff, Assembly, bytecode, Yul, EVM, we dive deep in our Smart Contract Security Course part 2. Check it out here!

🕵🏻‍♀️ Static analyzers are foundational to audits today - helping researchers uncover vulnerabilities in seconds. Check out Cyfrin Aderyn, a Rust-based analyzer which outputs the report in an easy-to-consume markdown from the get-go!

Related articles

🛠️ Check out the top 8 industry-leading smart contract auditing tools.

⚡️ Everything you need to know about smart contract audits.

👩🏻‍💻 Here are 7 steps to debug anything using AI.

Let us know what you think about our content here!

Sending lots of cyber love,
Jules 🤸🏻

Jules here, from Cyfrin.

We’ve been seeing a slow down in hacks in the last few months - which has us questioning whether it’s because: (a) our industry is doing a better job at security practices or (b) the market just didn’t have as much liquidity.

I guess with the recent spikes, we’re about to find out! Stay tuned.

This week

✍🏼 Blockchain’s double spending issue

📆 Cyfrin ecosystem updates

📚 Signature standards, replay attacks, and invariant testing

⭐️ Ecosystem rockstars

What is the double-spending problem?

The double-spending problem is an exploit in which the same token is used more than once, undermining the trust and security of financial transactions.

🤷🏻‍♀️ How does this happen?

1. Race attacks: Occur when an attacker exploits the time delay in transaction propagation across a decentralized blockchain network.

2. Finney Attacks: Attacker broadcasts a conflicting transaction which redirects the crypto to another address controlled by the attacker.

3. 51% Attacks: Occur when a node controls the majority of the network’s hashing power, allowing it to rewrite transaction history and double spend tokens.

⚡️ How to make sure this doesn’t happen?

1. Use consensus mechanisms (PoW, PoS, PBFT) to reach agreement between nodes

2. Employ confirmation mechanisms of transactions

3. Make sure the blockchain has a transaction finality feature

4. Network monitoring for suspicious activity

5. Confirm if the Unspent Transaction Output (UTXO) has been spent

6. Education and awareness for users

7. Security and community vigilance

8. Preventing replay attacks

— Read more about the double-spending attack here!

This week at Cyfrin

👩🏻‍🎓 Cyfrin Updraft, the ultimate smart contract learning platform, made it to Coinmarketcap as one of the top resources for learning blockchain development!

🚀 Cyfrin Updraft has finally opened its doors to the public - because everyone should be able to learn smart contract development for free!

✨ Sneak peek - the Cyfrin brand is getting a lil update. Stay tuned!

Related articles

✍🏼 Everything you need to know about Ethereum signature standards.

⚡️ A replay attack happens when an attacker intercepts and manipulates data transmission over a network. Hint hint, they are connected to signatures!

👩🏻‍💻 Check out this video by Bloqarl going through how to create invariant tests for DeFi AMM smart contracts!

Ecosystem rockstars ⭐️

After supporting our community day after day, we’ve decided to onboard @eng.pips into our team as a Teacher Assistant. Find him on Cyfrin’s Discord and on each course’s Github!

Let us know what you thought of this new version of the newsletter here!

Sending lots of cyber love,
Jules 🤸🏻

Jules here, from Cyfrin.

3 months ago, we launched Cyfrin Updaft in closed beta because we wanted to give you an amazing experience.

Since then, we have received:

• 70,000+ applications

• 11,000+ early access students

• 2000+ feedback

Today, we’re happy to announce we’re opening Cyfrin Updraft, the ultimate web3 education platform, to everyone for free! 🚀

This week

✍🏼 What to do if you find a bug in a live code?

📆 Cyfrin ecosystem updates

📚 Auditor roadmap, web3 tools, and oracle manipulation attacks

What to do if you find a bug in live code?

You found a bug in a live smart contract. The clock is now ticking. What to do?

🙅🏻‍♀️ Firstly, do not exploit it. There could be legal ramifications. There are two exceptions to this rule:

• A malicious exploit that is already in the mempool.

• There is a safe harbor agreement.

🤷🏻‍♀️ So, what should you do?

1. Get in contact with the protocol, bug bounty platform, or whoever is responsible for owning the codebase.

2. Make sure you’re communicating on a secure line.

3. Prove the bug exists.

4. Come up with a fix.

5. Roll out a post-mortem.

— Read more about white hatting smart contracts here!

This week at Cyfrin

🎨 This week, we published the new Cyfrin website giving our brand a full revamp.

🏆 The Vyper contest is done! Congrats to Kuro from Binance Security Team for winning top place with a $50,000 reward.

🚀 Dolomite Margin is a composable margin trading and lending protocol running on Arbitrum. Here’s what we learned from auditing their protocol.

Related articles

✍🏼 Here are the top 5 web3 developer tools for 2024 to help you speed up your workflows and allow you to code.

⚡️ Here’s everything you need to know about one of the most common crypto attacks in recent years - oracle manipulation attacks .

👩🏻‍💻 Want to become a smart contract auditor? Here’s a full roadmap.

Let us know what you think about this newsletter here!

Sending lots of cyber love,
Jules 🤸🏻

Jules here, from Cyfrin.

Yesterday was Valentines day and I had a buggy date with my Soulmate.sol 💖.

This week

✍🏼 How do blockchain signatures work?

📆 Cyfrin ecosystem updates

📚 Signature standards, replay attacks, and ECDSA algorithm

Blockchain signatures and ECDSA algorithm

Signatures are a means for authentication - allowing operations, such as sending transactions, to verify that they originated from the intended signer account.

🤷🏻‍♀️ What are they used for? Validating computation performed off-chain and authorize transactions on behalf of a signer.

⚡️ When are signatures created?

1. Signing a message: Hashing the message and then combining this hash with the private key using the ECDSA algorithm.

2. Digital signature: Generated upon signing a message, serving as a means to verify that the signer is in fact the intended account.

3. Unique signature: Each distinct message produces a unique hash, resulting in a correspondingly unique signature.

💪🏽 Why is the ECDSA algorithm important?

• ECDSA creates the private key based out of an integer (i.e [0..n-1]) and the public key (a point in the blockchain’s ellyptic curve)

• ECDSA is in charge of creating signatures using a cryptographic function (i.e. SHA256) to generate a securely random number

• ECDSA verifies the signature by taking the signed message, the signature produced from the signing algorithm and the public key. The output is a valid boolean.

— Read more about the ECDSA and signatures here!

This week at Cyfrin

🎨 You spoke, we listened. Cyfrin Updraft now has dark mode available!

🚀 Want to showcase your security skills? You can now add CodeHawks to your LinkedIn experience!

✨ Sneak peek - the Cyfrin brand is getting a lil update. Stay tuned!

Related articles

✍🏼 Everything you need to know about Ethereum signature standards.

⚡️ A replay attack happens when an attacker intercepts and manipulates data transmission over a network. Hint hint, they are connected to signatures!

👩🏻‍💻 How does the ECDSA algorithm create signatures?

Let us know what you thought of this new version of the newsletter here!

Sending lots of cyber love,
Jules 🤸🏻

Jules here, from Cyfrin.

This week, we’re diving deep into the multi-chain world 🌍.

This week

🌉 How do blockchain bridges work?

📆 Security news going on this week

✍🏼 Top dev tools, security firms, and learning opportunities for 2024

⭐️ Ecosystem rockstar shoutout!

Blockchain Bridges

Over $2 billion dollars were stolen through bridge exploits in 2022.

🤷🏻‍♀️ What are bridges? Blockchain bridges facilitate the transfer of assets and data across different blockchain platforms. They act as facilitators for interoperability between chains, extending the utility of (dApps) and assets beyond the confines of a single network.

🥷🏻 How do they work?

1. User wants to transfer x assets from chain A to chain B

2. User initiates the transfer on chain A (say, through a bridge dApp), adding the chain B address that should receive funds

3. The bridge locks the assets on chain A (temporarily removes them from circulation) and sends a signal to chain B verifying the assets have been locked and new ones should be minted on chain B

4. Chain B mints an equivalent amount of the assets or a wrapped version of them. Then allocates them in the chain B address you specified in Step 2.

💪🏽 5 ways to prevent bridge hacks:

• Verify the asset-locking mechanism

• Choose bridges that are not centralized

• Be careful with federated bridges, if a significant portion of the nodes is compromised

• Check for replay attack and malicious transactions to illicitly mint or unlock assets.

• Get an audit

— Read more about blockchain bridges here!

Security news

🔐 [Today, Feb 8th. 4pm UTC] Twitter Space: Web3 Security for Protocols - a peek into how protocols today are thinking about security in 2024.

🎙️ Introducing Updraft subtitles! You can now learn smart contract development in 7 languages - check if yours is here!

🕵🏻‍♀️ Want to get real-life experience auditing contracts? Join the upcoming CodeHawks First Flight contest on finding soulmates on-chain.

Related articles

🥷🏻 Want to become a smart contract auditor? Here is how to get started!

⚡️ These are the top Web3 tools for developers in 2024.

🕵🏻‍♀️ Here are the top 10 smart contract auditing firms, and how to determine which is best for your protocol

Ecosystem rockstars ⭐️

This week, we want to give a shoutout to @n0kto!

@n0kto wrote CodeHawks’ first community-based First Flight: the Soulmate protocol 💖.

First flights are contests for new auditors to get real-life auditing experience and feedback.

Thank you @n0kto for helping us upskill more auditors in the industry!

Let us know what you thought of this new version of the newsletter here!

Sending lots of cyber love,
Jules 🤸🏻

Jules here, from Cyfrin.

We are doing a little experiment with the newsletter this week - let us know what you think here!

What you will find this week

🥷🏻 Everything you need to know about oracle manipulation attacks

📆 Security events going on this week

✍🏼 Articles on wallets, auditing firms, and how fuzzing can help you catch exploits

⭐️ Rockstar community member highlight

Oracle Manipulation Attacks

In 2022, over $403.2 million were stolen in DeFi as a result of over 40 oracle manipulation attacks.

🤷🏻‍♀️ What are they? Oracle manipulation attacks happen when an oracle’s price feed is artificially altered.

🥷🏻 How do they happen? Attackers usually execute these exploits through flash loans altering the price of assets in automated market makers, such as Uniswap, changing the spot price of a token before the smart contract has a chance to look up the token’s value again.

💪🏽 5 ways to prevent them:
- Choose your oracle carefully
- Have back-up systems
- Decentralized > centralized oracles
- Constantly check the oracle’s performance and take protective steps if needed
- Get an audit

— Read more about oracle manipulation attacks here!

Security events this week

🧐 [Today, Feb 1st. 4pm UTC] Twitter Space: Web3 Security in 2024: what to look out for? - conversation between some of the industry’s top security researchers.

🎙️ [Tomorrow, Feb 2nd. 12pm UTC] You Tube Live: DeFi Dialogue with The Standard - a decentralized, over-collateralized stablecoin protocol backed by physical & digital assets.

🔐 [Next week, Feb 8th. 4pm UTC] Twitter Space: Web3 Security for Protocols - a peek into how protocols today are thinking about security in 2024.

Related blogs

🥷🏻 A deep dive into oracle manipulation attacks

🧪 How can fuzz testing help you catch exploits, like oracle manipulation attacks?

🕵🏻‍♀️ Top 10 smart contract auditing firms, and how to determine which is best for your codebase

Ecosystem rockstars ⭐️

This week, we want to give a shoutout to @engr.pips!

One of our most active community members in Discord - he is helpful, curious, and currently studying the UniswapV3 book and participating in his first audits.

Excited to have you!

Let us know what you thought of this new version of the newsletter here!

Sending lots of cyber love,
Jules 🤸🏻

Heyo,

Jules here, from Cyfrin.

Spending ~$20,000 in an audit could save you approximately $2,000,000 in hacks. That’s a 99% ROI.

Audits are helpful when it comes to preventing hacks, yet how to know when to choose private audits over competitive audits?

The secrets behind competitive and private audits

Types of audits

• Private Audits are security reviews where a firm or solo auditor takes a deep dive into your protocol, providing a detailed report of the codebase including architecture reviews, proofs of concept, best practices, among others.
  
  Example: Cyfrin
  

• Competitive Audits, on the other hand, gather multiple auditors from around the world to review your protocol, competing for a reward based on vulnerabilities found and their uniqueness and impact.
  
  Example: CodeHawks

Should you do both?

The answer is yes. However, if you have to choose, keep in mind that:

• Private audits focus in depth. They produce detailed reports, architecture reviews, and review best practices before your protocol is ready for mainnet.

• Competitive audits focus on breadth. Because they have hundreds if not thousands of auditors looking at your code, their various skill sets provide a more well-rounded view.

Key things to consider

Primary benefits

• Private audits enable a close-knit partnership with the auditing firm. This means that auditors often embed themselves within engineering teams to better understand codebases, provide full support and produce detailed, actionable insights on improving your codebase.

• Competitive audits offer multiple perspectives and help unearth “blind spots” thanks to their competitive nature, rewarding unique, impactful vulnerabilities.

Limitations

• Private audits usually incur a higher upfront cost since you have a dedicated team of high-quality researchers looking at your codebase.
  

• Competitive audits, on the other hand, will get you more auditors for a better price, but the quality depends on a variety of factors, and there is no continuity for support.

Cost

For both, costs depend largely on the size of the codebase and its complexity.

• Private audits from solo auditors may cost anywhere from $5k-$10k a week, whereas auditing firms usually range from $20-30k a week.

• Competitive audit costs are structured based on the prize pool for the contest. These usually range from $35k to $ 150k (with some rewarding up to $1M).

Project’s stage

• Private audits work best for both live and pre-launch projects, including those going through upgrades.

• Competitive audits cast a wide net of vulnerabilities, so they are best for pre-launch protocols.

Conclusion

If you’re still unsure of which type of audit is best for you, make sure to reach out to us here, and we’ll be more than happy to support you.

Protocols ideally go through both types of audits to get a full spectrum review of their codebase. When this is not possible, looking at which type of audit is best to optimize resources is key to keeping your assets and users safe.

— You can read the full article here: https://www.cyfrin.io/blog/competitive-vs-private-audits-comparison

Additional resources

🕵🏻‍♀️ Want to hire a private audit? Here’s the top 10 smart contract auditing firms in the market today.

💰 Here’s a deeper dive on what are smart contract audits and how they differ from traditional software audits.

📚 Everything you need to know about the salary of a smart contract auditor.

Always feel free to reach out if there’s anything we can support or collaborate on.

Sending lots of cyber love,

Jules 🤸🏻

update your preferences or unsubscribe

Heyo,

Jules here, from Cyfrin.

Are smart contract auditors really making over $10,000+ every week?

Well, It depends.

We've asked tens of auditors to produce our smart contract auditors salary report for 2023.

Here’s the TLDR 👇

💰 How much money are smart contract auditors making? How do smart contract researchers monetize their skills?

First, what's the global average?

Global average salary for a smart contract auditor is $105,000 a year, with salaries ranging from $33,000 to over $200,000.

How to determine where you’d be in that scale?

🐣 Experience matters: Entry-level auditors earn between $50,000-$80,000, whereas mid-level auditors earn $80,000-$120,000, and senior auditors can earn from $120,000 to $200,000 or more.

🌎 Regional differences: In the US, the average salary is $130,000, while in Europe it's around $70,000, and in India, it's approximately ₹10,00,000 or $12,000.

Key factors influencing salaries

🐣 Experience level: From entry-level to senior auditors, experience plays a significant role on the salary range.

🌎 Region: As we might have expected, cities like San Francisco, New York, and Singapore offer higher salaries.

🚀 Company size: And larger auditing companies tend to pay more.

💸 Trending additional income streams:

• Competitive Auditing: Platforms like CodeHawks and CodeArena reward auditors based on the vulnerabilities they uncover.

• Solo Auditing: Many auditors have decided to start working independently, setting their fees based on experience, skill set, and project complexity - usually leading to greater salaries as well added entrepreneurial risk and marketing resources.

— 🔗 Want to dive deeper? Here’s the full report with more insights!

Want to level up?

👩🏻‍🎓 Want to level up your blockchain development skills? Cyfrin Updraft is the ultimate learning platform to learn smart contract development and auditing. Entirely for free!

💰Monetize your smart contract developer skills on CodeHawks by auditing smart contracts for protocols.

📚 Learn about smart contract attacks by leveraging Solodit, the world’s largest library of smart contract vulnerabilities!

Always feel free to reach out if there’s anything we can support or collaborate on.

Sending lots of cyber love,

Jules 🤸🏻

update your preferences or unsubscribe

Heyo,

Jules here, from Cyfrin.

We’ve been researching, analyzing, and testing the web3 platforms and tools a developer needs to be successful in 2024.

Here are our favorite web3 developer tools to level up this year ⚡️

Top 5 web3 developer tools for 2024

1. Language: Solidity or Vyper

Although Solidity remains the most widely used language for writing smart contracts (94% of market share), Vyper is still gaining traction despite last year’s setbacks.

This is largely because of how much it improves the learning curve for Python developers.

2. Framework: Foundry or Hardhat

Although Hardhat still has the most repositories leveraging it, Foundry is quickly rising to the top because of:

• Faster testing by a factor of 20

• Built-in fuzz tests

• Deployment improvements

• All Solidity-based

Foundry has definitely become our framework of choice at Cyfrin!

3. Smart contract essentials: Chainlink and OpenZeppelin

OpenZeppelin is notable for its extendable contracts, while Chainlink is a popular choice for oracles.

Chainlink's CCIP is worth paying special attention to, as it's poised to usher in a new era of cross-chain decentralized applications.

4. Onboarding: wallets

Onboarding the next generation of web3 users, wallets have been getting incredible upgrades in recent months!

The Paradigm team's Rivet is making it easier for developers to interact with their front-ends.

Other wallets such as Metamask, Rabby, and Trezor have also made significant improvements, offering customization, transaction checks, and open-source hardware options respectively.

5. Must-have: security tooling

Security remains a top priority in the web3 space to reach mainstream adoption.

Advanced security tools with a focus on fuzzing (Echidna, Foundry, Medusa) and formal verification (Certora, Halmos, Kontrol) have made significant strides - as well as the static analysis department with Aderyn and Slither.

Competitive audit platform CodeHawks and Cyfrin Updraft have also emerged as key resources for enhancing web3 security knowledge and identifying potential issues.

Keeping up with Web3 Security

• Cyfrin Updraft, the ultimate web3 learning platform, is now open-source! If there’s anything you’d like to see, feel free to submit a contribution. We build the future of web3 together 💪🏽

• Security concerns as we look at crypto for 2024

• Spot Bitcoin ETFs are approved by SEC and cleared to start trading on Thursday

• How to become a smart contract security auditor in 2024

Always feel free to reach out if there’s anything we can support or collaborate on.

Sending lots of cyber love,

Jules 🤸🏻

update your preferences or unsubscribe

Heyo,

Jules here, from Cyfrin.

The first reentrancy attack in history caused so much loss that the entire Ethereum community decided to fork itself into a previous block in time.

Today, we’re diving deep into what are reentrancy attacks and how we can spot them.

🚪 Reentrancy Attacks

= Reentrancy attacks happen when a hacker "reenters" a function to do something malicious.

🤔 What are they?

Reentrancy attacks happen when a hacker typically exploits a callback function (like a “fallback” function or “onERC721Received’) to maliciously "reenter" the victim’s contract and execute a malicious transaction.

🤨 How do they work in practice?

A user and a malicious contract both deposit funds into a contract.

When malicious contract calls on the victim’s withdraw function, a fallback function is triggered.

This fallback function then allows the attacker to continuously drain the victim’s assets.

👩🏻‍💻 An example

1. A "Bank" contract holds 10 ETH & updates its state every 24 hours

2. A hacker then opens an account in that bank, depositing 1 ETH

3. The hacker starts withdrawing 1 ETH hourly

4. Because accounting is only updated after 24h, the hacker is able to do this 24 times

5. Hacker drains bank treasury in 10 hours without the Bank contract state realizing it

3 ways to prevent them from happening ⛔️

1. 🛡️ Reentrancy Guards

   Using a reentrancy guard ensures the attacker can’t make more than one function run at a time. For this, OpenZeppelin’s ReentrancyGuard.sol has become an industry standard.

2. ✅ Checks, Effects, Interaction (CEI) Pattern

   The effects or changes in the state variables of the contract should be carried out before any interactions with another contract.

   For ex, doing interactions before allowing a withdrawal.

3. 🕵🏻‍♀️ Get a security review

   Although audits are not the cure to all exploits, getting one decreases exponentially the likelihood of an attack happening.

   Consider reaching out to Cyfrin for a competitive or private audit of your codebase to find vectors like these and others.

Always feel free to reach out if there’s anything we can support or collaborate on.

Sending lots of cyber love,

Jules 🤸🏻

update your preferences or unsubscribe

Heyo,

Jules here, from Cyfrin.

One year ago, Cyfrin didn’t exist.

Today, we have:

• Launched 4 products

• Audited more than 15 protocols

• Hired more than 20 people worldwide

We’re just getting started ⚡️

What did we do for security in 2023?

With well over $1 billion worth of cryptocurrency stolen in 2023, this was a hard year for security.

Audits are important, but, alone, they’re not the cure to hacks. It’s why we’ve taken a holistic approach to security at Cyfrin.

🕵🏻‍♀️ Through 15 private audits, we uncovered over 140+ exploit vectors ranging from critical to low and everything in between.

We built a team from some of the top auditors in the industry and even designed a whole new way to run audits for protocols (more on that for 2024 😉).

📚 Solodit, web3 vulnerability aggregator, became the most used platform by blockchain auditors.

• More than 20,000+ vulnerabilities aggregated from 20+ auditors and firms

• Bug bounties from all 5 top industry platforms

• Index for all competitive audit contests & reports

• Auditing checklist with 300+ compiled items so that auditors can have an easier time kicking off contests with a systematic approach.

🦅 We distributed over $350,000+ through CodeHawks in prizes:

• 7+ competitions and counting

• 6 first flights, onboarding hundreds of new auditors into the industry

• 2000+ auditors onboarded

👩🏻‍🎓 We designed, built, and launched Cyfrin Updraft to help onboard 1 billion developers into web3:

• We received over 37k+ applications, which, for context, is twice the amount of software engineers currently in web3.

• 6,000+ students we’ve provided with early access

• 50+ hours of courses entirely for free

🧑🏻‍🏫 We developed, recorded, and released 3 new web3 courses taken by students from all continents (except apparently Antartica?)!

• Foundry 101

• Foundry Advanced

• Security and Auditing

And most importantly, in Cyfrin, the sun never sets ☀️.

👯 With a growing team of 20+ people coming from 10 different countries, we completed 8 different escape rooms, played Paintball, Scribble, and Secret Santa, and did many sessions of Crossfit together (while others may or may not be eating burritos 🌯).

— All of this to say, we’re just getting started and beyond excited to have you build it with us!

Always feel free to reach out if there’s anything we can support or collaborate on.

Sending lots of cyber love,

Jules 🤸🏻

update your preferences or unsubscribe

Jules here, from Cyfrin.

Did you know that the #1 reason for hacks in 2023 was stolen private keys?

They primary way in which we interact with private keys is through wallets. Your wallet choice depends on where you are in your web3 journey, and how much crypto you have to store.

TLDR on which wallet is best for you:

• Total noob: Custodial wallet or centralized exchange

• Beginner with small amount of money: Browser wallet

• Intermediate with medium-small sized money: Hardware wallet 

• Intermediate with big amounts of money: Multi-sig wallet/Social Recovery AND Hardware wallet

• Advanced with big amounts of money: Multi-sig wallet/Social Recovery or roll your own solution

💰 What should I use to store my assets?

= Crypto wallets store your private keys, keeping your crypto safe and accessible.

1. 🐣 Noobs: Centralized exchange

   
   A centralized exchange is a platform owned and operated by a single company, where users store and exchange their cryptocurrency. 

   👍🏽 Pros: easy to use and can protect you in case you’re new to crypto.

   👎🏽 Cons: because they are a single company, they could go under, freeze your account, own your money, and even rug pull you if you’re not careful. They also don’t work with web3 dApps.

   — Potential suggestions: Coinbase, Kraken

2. 🐥 Small Amounts or Short-Term Storage: Desktop, Browser, or Hardware Wallet

   
   If you are a protocol or organization, your money should not be in the hands of solely one of these. We do not recommend you use these for large amounts of funds, or control of applications. But for small amounts of money and everyday use, this is great.

   👍🏽 Pros: you have full custody of your assets and they’re easy to use with web3 dApps.

   👎🏽 Cons: you’re the sole security checkpoint, so if you make a mistake, you may get rekt quite quickly.

   — Potential Suggestions: Metamask, Rainbow, Rabby

3. 🪨 Intermediate or Medium-Sized Amount for Longer Storage: Hardware Wallet

   If you MUST have a lot of money in a hot wallet, it’s best to spread the money across multiple wallets with different secret phrases so that if one gets compromised, all is not lost.
   
   👍🏽 Pros: you get all the pros from a browser wallet, plus being separated from the internet for additional protection.
   
   👎🏽 Cons: you get the same cons as a browser wallet, plus being vulnerable to physical attacks where people may attack you to steal your device.

   — Potential Suggestions (Cold wallet): Trezor (open-source), Gridlattice (closed-source, but good added protections against physical threats)

4. ⚡️ Advanced Users for Long-Term Storage: Multi-sig with Social Recovery

   Multi-sig wallets are our top choice for advanced developers and protocols to store their funds. The way they work is that you deploy a smart contract that needs X of Y signers to send any transaction.

   👍🏽 Pros: are that with many signers, multiple steps are needed in order to take actions.
   

   👎🏽 Cons: weak support for using these in Web3 dApps, the address is different on each chain, and getting people to sign transactions can be cumbersome.

   — Potential Suggestions: Safe, Aragon, Argent

💡 Best practices

• It’s best to rotate through private keys, rather than keeping the same one for years.

• Never take a hardware wallet people give out in events.
  

• Never share your private key with anyone, take any picture, email it, etc.
  

• Most importantly - If, for even 1 second, your key is lost or potentially accessible by someone else, move your assets and consider that key forever lost.

— Check out the full article here: https://www.cyfrin.io/blog/what-should-i-use-to-store-my-cryptocurrency-web3-wallet-guide

🔏 Security news

• The ultimate auditor’s checklist was released this week in Solodit, compiling lists from the industry’s top auditors.
  

• Updraft got an upgrade with English subtitles, full keyword controls, and picture-in-picture functionalities to watch lessons while reading the text.
  

• Cyfrin just released its end of year review - make sure to check it out here!

Always feel free to reach out if there’s anything we can support or collaborate on.

Sending lots of cyber love,

Jules 🤸🏻

update your preferences or unsubscribe

Heyo,

Jules here, from Cyfrin.

More than $1,000,000,000 has been stolen on-chain in 2023. This is not okay.

It’s why we’re open sourcing the ultimate security and auditing course at Cyfrin Updraft ⚡️. Start learning smart contract security for free today!

The course goes through fuzzing, manual review techniques, static analysis, how to build an audit report, how MEV works, how to leverage flashbots, and so much more.

One of the topics that doesn’t come up in this first section though is formal verification. For that one, we’ll have to wait for Part 2, but here’s a sneak peak! 😉

🧪 What is formal verification (FV) testing?

= The act of proving or disproving a given property of a system using a mathematical model.

Formal verification tries to break properties using mathematical proofs.

There are many different ways to do formal verification such as:

• Symbolic execution (most popular in web3)

• Abstract interpretation

• Model Checking

👩🏻‍💻 How to use symbolic execution for FV?

= Symbolic execution explores the different paths in a program, creating a mathematical representation for each path.

Symbolic execution makes your code math: it explores the different paths the program can take and represents them as mathematical expressions to try to prove something.

Here’s how to use it in 3 steps:

1. Define the invariant property and explore all paths

   The invariant is the property you want to prove should be a certain way.

   In this example - we have 2 paths, each with their own invariant:

   • Path 1: We return (a + 1)

   • Path 2: a + 1 overflows, so we must revert

2. Convert paths to mathematical expressions

   Some of the most common ways to converting paths to expressions is to turn them into booleans.

   For the examples above, we may define our expressions something like:

   • Path 1: a < type(uint256).max

   • Path 2:

     • a == type(uint256).max

     • a + 1 < a

3. Run the mathematical expressions through a solver

   Once we have the expressions, we run them through a solver, normally using a symbolic execution tool like Manticore, HEVM, and even the Solidity SMT checker.

   A solver is used to determine if the path constraints can be satisfied and with which values.

This is an example testing our invariantes using Z3 as our symbolic execution tool and solver.

The sat output means Z3 was able to find an input that makes the set of booleans for each path true — and since path 2 reverts, and our invariant is that it should never revert, we proved our invariant breaks!

💡 Some considerations

• Formal verification takes a significant effort to set up right and it can be hard to maintain throughout time.
  

• There’s also the path explosion problem for symbolic execution tools, which occurs when your program has too many paths for a computer to explore in a reasonable amount of time and the solver is never able to finish.
  

• It depends on the invariants you define, so if you forget a property, your code is not bug-free.

— Check out the full article here: https://www.cyfrin.io/blog/formal-verification-symbolic-execution

Always feel free to reach out if there’s anything we can support or collaborate on.

Sending lots of cyber love,

Jules 🤸🏻

update your preferences or unsubscribe

Jules here, from Cyfrin.

6%+ of all assets in crypto were stolen last year due to security breaches.

This means there's a 1 in 20 chance all your money in DeFi will be gone in a year.

Here’s how hackers are stealing your crypto in 2023

Top 5 attack vectors today

1. 🗝️ Stolen private keys [$243M stolen through 16 attacks]

As devs, we often need to add our private keys in files in order to interact with smart contracts. However, if we forget and deploy keys to the public, any contract we’ve deployed is now in danger of potentially loosing of millions of dollars to attackers.

— How to spot: usually private keys are found within .env files, shared company docs, or previous repository versions.

2. 💰 Reward manipulations [$200M stolen through 27 attacks]

Reward manipulation attacks are like price oracle manipulations, except they manipulate the rewards or incentives provided by a system.

— How to spot: malicious actors artificially influence the rewards or incentives built into smart contracts, through front-running (with insider information or MEV) or through wash trading (pump and dump scheme to give the impression of a higher trade volume in order to attract legitimate traders to the market).

3. 💵 Price oracle manipulations [$146M stolen through 52 attacks]

Price oracle manipulations happen when an oracle’s price feed is manipulated, ultimately impacting behavior within DeFi protocols and enabling arbitrage opportunities.

— How to spot: attackers usually leverage Flash Loans to manipulate the price of assets in automated market makers, like Uniswap, to change the spot price of a token before the lender smart contract looks up the token again.

4. 🔐 Insufficient function access control [$17M stolen through 25 attacks]

Some functions can be accessed by everyone, others only by specific addresses.

Mistakes in function access control, like enabling a function to be public which should be set to private, open the door for hackers to intercept actions they shouldn’t have access to.

— How to spot: look for the modifiers within a function to see who is able to access a function. Always question why someone has access to a function and whether that’s entirely necessary for the protocol to function.

5. ♻️ Logic error [$17M stolen through 9 attacks]

Sometimes the code doesn’t do exactly what you programmed it to do. Logic errors attack code that is well written, but somehow does something different than what the developers expected it to do.

— How to spot: found in inconsistencies between the documentation and how the code behaves. Reading comments, developer docs, and testing our behaviors is how we spot these.

At Cyfrin, we’ve been reviewing these attacks ourselves both through our private and competitive audits.

To get an glimpse at how these vulnerabilities are exploited in real life, check out our case studies - the latest one focusing on governance attacks.

Keeping up with Web3 security

• Vulnerability found within ThirdWeb in a commonly used open-source library in the web3 industry - not yet exploited.

• Coinbase rolls out money transfers via links sent on WhatsApp, TikTok and Instagram.

• Seattle judge accepts former Binance CEO Changpeng Zhao's guilty plea.

Always feel free to reach out if there’s anything we can support or collaborate on.

Sending lots of cyber love,

Jules 🤸🏻

update your preferences or unsubscribe

Heyo,

Jules here, from Cyfrin.

This week we launched the initial batch of early access codes for Cyfrin Updraft 👩🏻‍💻 the ultimate web3 learning platform for smart contract security and development.

One of the key topics we cover in Updraft courses is smart contract testing.

What if I told you that you could write ONE TEST that would check for almost every possible exploit scenario?

Hello Fuzzing 😸

Fuzz Testing or Fuzzing is when you automagically supply random data to your system in an attempt to break it.

Ok, sounds cool. But how does it work?

1. ✍🏼 Write a smart contract, define invariants

Invariants are statements that must always remain true.

For example, our variable shouldAlwaysBeZero MUST always return 0.

2. 👩🏻‍💻 Write fuzz tests

In order to prove our invariant holds true, we traditionally would write unit tests with function assertions.

Unit tests are great to prove a statement is true, but they often miss edge cases we didn’t think of.

That’s where fuzz tests come in. Fuzzers input semi-random values automatically to test a wider variety of scenarios.

These values are “semi-random” in that a fuzzer (in this case Foundry’s) is smart enough to pick out values based on its pre-defined data type, uint256, and other conditions you can configure.

For example, we may want to establish the amount of runs the fuzzer should do. The more times it runs, the closer we should be to bug-less code, but the longer the tests will take to run.

3. 🏃🏻‍♀️ Run the fuzz test

Depending on the fuzzer you’re using, running the fuzz test could require a different command.

In our case, we’re using the Foundry fuzzer so simply running forge test within our Foundry project will do.

Foundry fuzzer is great because of how easy it is to write tests. Alternatively, if you’d like to go deeper - you may want to try out Trail of Bit’s Echidna fuzzer which is arguably better, but a bit more complex - due to its intelligent random number selection process.

— To dive deeper into stateless and stateful fuzz testing, check out this article!

Make sure to check out Updraft’s smart contract security auditing course to learn more about:

• Stateful and stateless fuzzing

• formal verification

• Mutation testing

• Differentiated testing

• Unit testing

• and so much more!

⚡️ Apply and get access earlier here: https://x.com/CyfrinUpdraft/status/1727691247777685693?s=20

Keeping up with Web3 security

• Korea is piloting digital currency for 100,000 citizens next year - an exciting experiment for the future of monetary systems.

• KyberSwap DEX was hacked for $48 million cross-chain (a bit more than half their treasury size).

• A comprehensive report on crypto fundraising was released - sharing that in 2023 alone, there were ~640 funding rounds funded by 1957 unique investors with cumulative financing amount totaling at $5.58 billion.

• Spanish government tightens crypto regulation, requesting citizens to declare crypto holdings by March 2024.

Always feel free to reach out if there’s anything we can support or collaborate on.

Sending lots of cyber love,

Jules 🤸🏻

update your preferences or unsubscribe

Read on: Our Website
Read time: 3 minutes

Heyo,

Jules here, from the Cyfrin team.

Did you know that you can save users up to 90% of transaction costs by optimizing your contracts for less gas?

We’ve tested dozens of gas optimization techniques and have collected the best ones for this ultimate checklist!

11 Solidity Gas Optimization Tricks

1) ⛓️ Minimize on-chain data

Not every piece of data needs to be stored on the blockchain. In fact, doing so is often the most expensive approach, like many NFT protocols have taught us.

Using events to store data off-chain, as well as using CIDs in our contracts pointing to solutions like IPFS, Arweave, and others are a great way to save on on-chain data.

2) 📖 Use mappings instead of arrays

In order to retrieve data from an array, we usually need to loop over it, which consumes gas because of the opcodes requested to do so.

Instead, mappings allow you to easily query the data by having just the key value.

3) ⚡️ Constant and immutable variables consume less

Unlike other variables, these two types do not consume storage space within the EVM since they are not changed moving forward.

4) 🗑️ Optimize unused variables

Anytime we alter the state of a variable, we must check to see if that state change is required for another logic. If it’s not, we should remove that unused variable!

It may sound obvious, but we’ve all mistakenly left unused variables in our code - a mistake that can cost an average of 18% gas in our contracts.

5) 👀 Deleting unused variables upon use

Inevitably, our contract will have variables who upon fulfilling their purpose, are no longer needed for any additional action.

By assigning its default value back through using the delete keyword, we actually grant our contract a 15,000 units gas refund.

6) ♻️ Use fixed-size arrays over dynamic ones

Since dynamically-sized arrays can grow indefinitely, the EVM needs to keep track of and update their length in storage every time an item is added - ultimately resulting in higher gas costs.

7) 🐣 Avoid using lower than uint256 variables whenever possible

The EVM operates with word sizes of 256 bits, so, counterintuitively, using smaller integers like uint8 often means the EVM needs to perform additional operations to align with the 256-bit word size.

Keep in mind, this also includes booleans, which are 8 bits. If you need to use, them, pack them like we show below!

8) 📦 Pack your variables together

Packing your variables means declaring your variables with the storage slots in mind to reduce the number of slots required to store state variables.

For example, Solidity will pack these two boolean variables together in the same slot as they both weigh less than 256-bit when they are declared one after the other.

9) 🧐 Use the external visibility modifier

external functions can read from calldata in read-only mode, whereas public functions can be called both internally and externally.

When public functions are called internally, parameters are passed in memory rather than in calldata, making the transaction more expensive.

10) 🚀 Enable the Solidity compiler optimization

Consider the Solidity compiler as a wizard's spell book, sprinkling optimization potions throughout your contract.

Through calling on —optimize, the compiler will streamline your bytecode and translate it into a leaner version to consume less gas.

11) 👩🏻‍💻 Use Assembly*

By using Assembly, your contract operates at a levele mor closely aligned with opcodes, ultimately outperforming Solidity bytecode in certain scenarios.

Note: Using Assembly may also lead to insecure code if not used appropriately. We strongly recommend having your contracts reviewed by security experts before deploying.

You can find the whole article diving into each of these in more depth here: https://www.cyfrin.io/blog/solidity-gas-optimization-tips

Keeping up with Web3 security

• a16z published their 2023 State of Crypto report

• Tether freezes $225M linked to human trafficking, amid a US investigation

• Vudeo tutorial: how to make a secure stablecoin?

• Everything you need to know about smart contract audits

Let me know if you have any questions, happy to help!

Sending cyber love,

Jules 🤸🏻

update your preferences or unsubscribe

Heyo,

Jules here, from the Cyfrin team - with a new issue of your weekly web3 security newsletter!

The amount of stolen crypto assets increases every year by millions of dollars.

Projects are looking for audits as support - but the question remains: “which is better, private or competitive audits?”

Some definitions

• 🔒 Private Audits: a consultation by 2-4 security researchers conducting a smart contract review resulting in a detailed report.
  

• 🏁 Competitive Audits: auditing contests where auditors from around the world scrutinizing a codebase for a reward. CodeHawks is a great example of this.
  

• 🐛 Bug Bounties: an open-ended program where auditors only get a reward when they successfully discover a vulnerability.

Which audit type is best?

TLDR: Depends on the stage, timeline, complexity, and the budget.

🐣 Based on project’s development stage

• Private audits: Early on, private audits will provide a deep review to set a solid foundation for scaling. Also, if the project is deploying upgrades, having someone with continuous context like private auditors is best to provide a deeper review and report.

• Competitive audits: When the project is about to deploy to mainnet, competitive audits allow for more more auditors watching your codebase, translating into more bugs found.

• Bug bounties: After deployment, bug bounties will be your best bet in incentivize hackers to warn you before the hack occurs.

📆 Based on project’s launch timeline

If the product is soon to launch, a competitive audit will be the best since more auditors will look at the code at once and there’s no rush on audit scheduling.

Private firms often have retainer options though, which may help with continuous releases and quicker timelines.

👩🏻‍💻 Based on codebase complexity

Complexity is usually determined by the size of the codebase and how advanced the functionality is. This means that:

• Private audit for the deep dive review and report

• Competitive audit to find all possible vulnerabilities

The more complex the codebase, the more a hybrid approach is needed!

💰 Based on budget

Competitive audits offer flexible prize pools, catering to projects of varied sizes. These range from $10,000 to $100,000, with some complex ones up to ~$800k.

On the other hand, private audits can range anywhere from $40k-$60k a week, some leading up to ~$500k total.

Ultimately,  the more audits a codebase goes through, the less likely a hack will occur.  When deploying your codebase to mainnet, consider going through all the above to keep your users' assets safe.

— For a deeper review, check out our article here: https://www.cyfrin.io/blog/competitive-vs-private-audits-comparison

Get started with smart contract audits 🕵🏻‍♀️

Apply for Cyfrin Updraft early access to learn how to code and audit smart contracts!

We’re releasing a smart contract security course in the coming weeks. Stay tuned!

Keeping up with Web3 security

• Raft was hacked for 3.3M last week. Here’s how it happened.

• GPTs were all the rage last week, but could there be a backdoor risk in code interpreters? Seems so!

• Looking for a smart contract auditing firm but you’re unsure which ones are the best? Check out the top 10 best auditing firms here.

Let me know if you have any questions, happy to help!

Sending cyber love,

Jules 🤸🏻

update your preferences or unsubscribe