干货 | 如何成为一名智能合约审计安全研究员,学习路线和必备网站
2023-3-29 10:29:34 Author: HACK学习呀(查看原文) 阅读量:65 收藏

http://capturetheether.com/http://ethernaut.openzeppelin.com/http://cryptozombies.io/http://dappuniversity.com/https://damnvulnerabledefi.xyz/http://github.com/blockthreat/blocksec-ctfshttp://w3bs3c.com/abouthttps://useweb3.xyz/code-challengeshttp://speedrunethereum.com/https://based.builders/https://eth.build/http://github.com/fvictorio/evm-puzzleshttp://github.com/daltyboy11/more-evm-puzzleshttps://cryptohack.org/https://etherhack.positive.com/https://blockchain-ctf.securityinnovation.com/#/https://ciphershastra.com/https://www.defihack.xyz/https://github.com/blockthreat/blocksec-ctfs
http://telegra.ph/Pel-Ada-Del-Astra-Smart-Contract-Auditor-Pathway-05-07http://telegra.ph/All-known-smart-contract-side-and-user-side-attacks-and-vulnerabilities-in-Web30--DeFi-03-31https://gitcoin.co/grants/3150/defi-web3-developer-roadmaphttp://start.me/p/QRg5ad/officerciahttps://t.me/officer_cia/269https://telegra.ph/Crypto-Telegram-Channels--Chats-04-19
https://github.com/OffcierCia/DeFi-Developer-Road-Map/blob/main/translations/README_cn.md
使用我的特别纲要中的几乎所有内容https://telegra.ph/All-known-smart-contract-side-and-user-side-attacks-and-vulnerabilities-in-Web30--DeFi-03-31https://telegra.ph/Solidity-Catsheets-Pack-03-20研究https://quillaudits.substack.com/p/openseas-official-discord-compromised和http://rekt.news/另外,您需要研究审计清单:http://t.me/officer_cia/177这些课程http://twitter.com/0xBlasco/status/1500455598684618753 区块链安全框架https://t.me/officer_cia/232Tokenomics 模拟工具http://t.me/officer_cia/69并了解它(资源)https://t.me/officer_cia/89speedrunethereum.com 或https://cryptozombies.io/捕获以太或http://ethernaut.openzeppelin.com/仔细研究https://github.com/Rari-Capital/solcurity 和 https://cmichel.io/how-to-become-a-smart-contract-auditor和https://pentacle.xyz/projects/security

项目的内部安全

https://docs.google.com/document/d/1-_0Wlwch_vtkPM4F-SdEXLjQYaYT7KoPlU2rjt7tkLQ/edit

视频

https://youtu.be/gyMwXuJrbJQ
https://smartcontractresearch.org/t/mitigations-against-flash-loan-enabled-attacks/615和https://arxiv.org/abs/2003.03810https://smartcontractresearch.org/t/from-zapper-post-mortem-to-using-front-run-in-project-defense-theory-post/545Tenderly.co警报 - https://officercia.medium.com/tenderly-app-a-swiss-pocketknife-for-the-web3-developer-89bb904bee46https://github.com/pr0toshi/rateLimithttps://github.com/Rari-Capital/solcurity研究https://medium.com/immunefi/hacking-the-blockchain-an-ultimate-guide-4f34b33c6e8b和https://wufflz.notion.site/Blockchain-security-guide-b26aec3d920e414d8a354618d3e36eb4https://link.medium.com/NBANM4gOirb你也可以研究https://github.com/0xsanny/solsec所有审计/安全工具- https://telegra.ph/ETHSec-Tools-02-13,github.com/nascentxyz/simple-security-toolkit在此处查看资源https://t.me/cryptooffensiveOpSec原则- https://graph.org/Key-principles-of-storing-crypto-cold-wallet-attacks-defense-methods-best-practices--Bonus-04-23 github.com/undergroundwires/privacy.sexy,web.archive .org/web/20220302223645/https://anonymousplanet.org/guide.html密码取证/研究:https://t.me/officer_cia/236 mirror.xyz/officercia.eth/BFzv17UwH6QG4q711NAljtSiP8eKR17daLjTdmAgbHw所有 TX 分析工具列表https://graph.org/TX-Analysis-tools-04-19蜜罐检测工具https://graph.org/A-Short-List-of-the-Rug-Checker-Tools-04-09Web2 和 Web3 中存在的错误和漏洞 - https://www.theseus.fi/bitstream/handle/10024/170724/Aboualy_Mahmoud_bachelor_thesis.pdf关于 MEV - https://t.me/officer_cia/146请务必研究https://defieducation.substack.com/p/how-to-read-smart-contracts-part?s=r和blog.trustlook.com/understand-evm-bytecode-part-1/以及这些网站的所有帖子作者https://start.me/p/QRg5ad/officercia - 仔细阅读我的 Awesome Blogs 部分和 Sec 部分(在右侧,就在 defi 地图树下方)https://telegra.ph/Article-08-08 - 前端安全NFT https://telegra.ph/NFT-security-01-28探索黑客案例https://newsletter.blockthreat.io研究https://github.com/emilianobonassi/security-toolkit和https://www.smartcontractresearch.org/t/research-summary-a-systematic-literature-review-of-blockchain-cyber-security/1299攻击向量 - https://github.com/sirhashalot/SCV-Listhttps://github.com/KadenZipfel/smart-contract-attack-vectors swcregistry.io研究框架https://secure.github.io/SCSVS/SCSVS_v1.1.pdf和https://github.com/securing/SCSVS阅读 Mudit Gupta、Immunefi 和 BlockSec 团队在 Medium 上发表的帖子,以及https://twitter.com/officer_cia/status/1519371437068505089所有 4 个主题,https://arxiv.org /pdf/2106.10740.pdf和https://arxiv.org/pdf/2109.06836.pdf使用FoundryDefi黑客事件https://github.com/SunWeb3Sec/DeFiHackLabs
https://cmichel.io/how-to-become-a-smart-contract-auditorhttps://devansh.xyz/blockchain-security/2021/09/17/genesis-0x01.htmlhttps://www.notonlyowner.com/learn/intro-security-hacking-smart-contracts-ethereumhttps://theauditorbook.com/

威胁建模

https://arxiv.org/pdf/2106.10740.pdf

用户端攻击

https://arxiv.org/pdf/2109.06836.pdf 

元宇宙安全

https://arxiv.org/pdf/2203.02662.pdf

Solidity 中的错误

https://github.com/xf97/JiuZhou 另请查看:https://github.com/sigp/solidity-security-blog & graph.org/Solidity-Cheatsheets-Pack-03-20

DApp 前端安全。

https://blog.embarklabs.io/news/2020/01/30/dapp-frontend-security/index.html 

从 Web 应用程序中学习最佳实践以避免分散应用程序中的类似安全漏洞。

https://www.theseus.fi/bitstream/handle/10024/170724/Aboualy_Mahmoud_bachelor_thesis.pdf https://arxiv.org/pdf/2106.09349.pdf

关于 Oracle 攻击的更多信息

https://twitter.com/officer_cia/status/1422785502634196996 & https://twitter.com/officer_cia/status/1409537800022659074 

UniV2 Oracle 攻击模拟器

https://blog.euler.finance/uniswap-oracle-attack-simulator-42d18adf65af?gi=8ad59382eefb 

安全最小可行计划

https://docs.google.com/document/d/1-_0Wlwch_vtkPM4F-SdEXLjQYaYT7KoPlU2rjt7tkLQ/edit

所有已知的智能合约攻击向量

https://github.com/KadenZipfel/smart-contract-attack-vectors 

NFT 安全

https://graph.org/NFT-security-01-28

所有现有的 ETH 安全工具

https://graph.org/ETHSec-Tools-02-13 

Web3 网络钓鱼

https://www.phishfort.com/blog/web3-phishing-has-finally-arrived 

MetaMask 针对性攻击

https://bloom.co/blog/6-ways-a-site-can-attack-your-metamask/

Web3 时间线中的所有黑客攻击和安全事件。

https://newsletter.blockthreat.io 

https://graph.org/Key-principles-of-storing-crypto-cold-wallet-attacks-defense-methods-best-practices--Bonus-04-23https://github.com/uni-due-syssec/eth-reentrancy-attack-patternshttps://blog.chain.link/defi-security-best-practiceshttps://a16z.com/2022/04/23/web3-security-crypto-hack-attack-lessonshttps://medium.com/immunefi/hacking-the-blockchain-an-ultimate-guide-4f34b33c6e8b

跨链桥攻击

https://telegra.ph/Cross-chain-bridge-attacks-A-Z-05-07
智能合约错误数据库https://swcregistry.io以太坊智能合约中的安全漏洞调查https://arxiv.org/pdf/2105.06974.pdfLNERABILITIES_AND_REAL_ATTACKS - 概述https://www.researchgate.net/publication/353794368_SMART_CONTRACTS_VULNERABILITIES_AND_REAL_ATTACKShttps://www.researchgate.net/publication/338926064_Smart_Contract_Attacks_and_Protections RPC 的攻击https://www.ndss-symposium.org/wp-content/uploads/NDSS2021posters_paper_2.pdf 智能合约中经济安全的自动分析https://eprint.iacr.org/2021/1147.pdf 关于快速贷款攻击的最佳研究https://arxiv.org/abs/2003.03810关于回退攻击https://github.com/felixnan88/fallback-attack 重入攻击模式https://github.com/uni-due-syssec/eth-reentrancy-attack-patternsDeFi 威胁列表https://github.com/freight-chain/defi-sec & github.com/freight-trust/defi-threat寻找对区块链的 DeFi 攻击https://arxiv.org/pdf/2103.02873.pdf检查交易是否容易受到三明治攻击并找到合适的订单拆分的工具https://defi-sandwi.ch & pub.tik.ee.ethz.ch/students/2021-FS/BA-2021-07.pdf智能合约 out-of-gas 漏洞的安全分析工具https://gasgauge.github.io , https://arxiv.org/pdf/2112.14771.pdftornado 现金池分析器。https://Tutela.xyzCIA 读物汇编https://github.com/OffcierCia/DeFi-Developer-Road-Map#security--safety智能合约库https://library.dedaub.com一个模糊器https://github.com/christoftorres/ConFuzziusWeb3安全资源 https://www.w3bs3c.com/
https://arxiv.org/pdf/2112.03426.pdfhttps://papers.ssrn.com/sol3/papers.cfm?abstract_id=3769774https://publik.tuwien.ac.at/files/publik_278277.pdfhttps://arxiv.org/pdf/2008.02712.pdf
https://youtu.be/0FTLC8JnWp0https://youtu.be/-469Gcye-ZEhttps://youtu.be/C9C4zgskHwghttps://youtu.be/s3FL5caAy5whttps://youtu.be/I6VDBvX9Pkw

区块链去中心化应用黑客课程

https://youtube.com/playlist?list=PLCwnLq3tOElpIi6Gci36PnvrrS8ljBHkq

工作:

| 阅读:https://web3.smsunarto.com

https://twitter.com/jobsincryptohttps://twitter.com/CryptoJobsListhttps://t.me/dailyapehrhttps://t.me/lobsters_hrhttps://t.me/solidity_learninghttps://t.me/dev_solidity

赠款和 DAO:

https://twitter.com/developer_daohttps://twitter.com/LidoGrantshttps://twitter.com/gitcoinhttps://twitter.com/web3grantshttps://questbook.xyz/

Web3漏洞赏金平台:

https://github.com/sw33tLie/bbscopehttps://immunefi.com/https://code4rena.comhttps://github.com/blockthreat/blocksec-ctfs

ETHSecurity社区

https://discord.gg/F7DRMPdgSg
https://blog.openzeppelin.com/follow-this-quality-checklist-before-an-audit-8cc6a0e44845/https://consensys.github.io/smart-contract-best-practices/https://ethereum.stackexchange.com/questions/8551/security-review-checklist-for-a-smart-contract/8593#8593https://github.com/Rari-Capital/solcurityhttps://github.com/cryptofinlabs/audit-checklisthttps://securing.github.io/SCSVS/https://our.status.im/what-is-a-security-audit-when-you-should-get-one-and-how-to-preparehttps://github.com/nascentxyz/simple-security-toolkit#readmehttps://bowtiedisland.com/how-to-read-a-smart-contract-audit-report

审计必读

https://docs.google.com/document/d/1UkAcL7-KAWANKWnebYemA-4bTXC0m9RKrV19aIoFKdY/edit#heading=h.f1o44ntj9vx9https://docs.google.com/document/d/1gTPIQMLVcv_OQ8flblVTCWWfrGadQNxZXNZTvDh6iKA/edithttps://docs.google.com/document/d/1gTPIQMLVcv_OQ8flblVTCWWfrGadQNxZXNZTvDh6iKA/edithttps://drive.google.com/file/d/1aV38iSkwFLa5FxyN8YahTVr9t9DICNmD/view

推荐阅读:

猪猪侠的黑客学习路线


记一次赏金10000美金的漏洞挖掘(从.git泄露到RCE)

实战 | 记一次针对非法网站的SSRF渗透

实战 | 记一次从瑟瑟游戏的下载到某网盘网站的渗透测试

实战 | 记一次针对非法网站的SSRF渗透

2023年零基础+进阶系统化白帽黑客学习 | 2月份最新版


文章来源: http://mp.weixin.qq.com/s?__biz=MzI5MDU1NDk2MA==&mid=2247511860&idx=1&sn=8b9e855973703c06858160e19e412b81&chksm=ec1cfa0bdb6b731daba59cae8c3462f983edb0a184f774be423db1566d9bc942ecbf7006b2b4#rd
如有侵权请联系:admin#unsafe.sh