The Road to Auditing
Learning Solidity: Part 2
A couple weeks ago, I shared my intention to learn Solidity. In order to give myself a clear path and perhaps help others who have similar goals, I thought it would make sense to document the journey.
Thanks for reading Token Theorist! Subscribe for free to receive new posts and support my work.
I began with The Ultimate Smart Contract Developer Roadmap by Oliver Jumpertz. While some of the individual resources have proven helpful, the roadmap as a whole feels disjointed. It jumps from the overly simplistic to the overly complex, and some of the resources overlap with each other. Thus, while I appreciate Oliver’s efforts to create a cohesive roadmap, I cannot recommend it.
A friend of mine recommended freeCodeCamp’s course to me, and I feel that my time is now being used more wisely. The amount of content Patrick Collins has managed to pack into a single video course amazes me, and he excels at making the material exciting. I trust that completing this course will give me a strong foundation, but building on that foundation requires a less guided approach.
At this point in learning a language, I typically branch off and create a project from scratch (with a healthy dose of Stack Overflow, of course). In this case, instead of creating my own decentralized application, I’ve decided to start by learning to audit other smart contracts. I have several reasons for this:
Importance - Web3 makes security—and thus, auditing—more important than ever. If I do end up creating dapps, a background in auditing should serve me well.
Risk - Creating a dapp means higher risk since real coins and tokens can be lost. I won’t have that risk as an auditor.
Excitement - Even though I’m not the one who personally bears the risk, the high stakes make things all the more exciting.
Experience - I already have some experience reading audits from my time with Token Flags.
Opportunity - Code4rena and Immunefi post contests and bounties regularly. Plus, auditing companies always seem to be hiring.
Once I complete the Patrick Collins course, I can advance to audit-specific learning materials. Three roadmaps stand out:
How to become a smart contract auditor, a guide by Christoph Michel. The Beginner Roadmap to Smart Contract Auditing by Andy Li builds on this guide, so I’ve bulleted his recommendations as well.
Hacking the Blockchain: Ethereum, a guide by Sleepy.
Simplified Roadmap for Blockchain Security, a guide by Devansh Batham, which he elaborates further in Learning Solidity in 30 Days.
Below I’ve summarized each roadmap.
Roadmap: Michel & Li
1. Learn programming
If you have no prior programming experience, be mentally prepared that it’ll take you years before your reviews will be useful.
2. Learn ETH blockchain & Solidity basics
There’s no better way to combine learning Solidity with learning about ETH security than solving CTFs.
For the CTFs, start with Ethernaut and pair it with D-Squared’s explanation videos. Capture the Ether overlaps with Ethernaut but may still be helpful. Damn Vulnerable DeFi is the most advanced, so it should be completed last.
Switch back and forth between watching the Patrick Collins course and completing the CTFs. This approach provides a shorter feedback loop between learning something and applying it.
3. Become familiar with the most used smart contracts
There are certain contracts, patterns or even algorithms that you will see over and over again during your auditing career.
For learning DeFi basics, use Teach Yourself Crypto.
For MasterChef specifically, watch Synthetix Staking Rewards Contract Explained.
4. Learn the finance basics
There will be a time when you’re auditing a DeFi project that uses a lot of traditional finance terms and you don’t understand anything.
As with the Patrick Collins course, use the Khan Academy finance course as a reference instead of plowing straight through it.
5. Get real experience
At this point, your training is over and you’ll just keep reading more code and exploit post mortems to get better.
The Secureum 101 articles, and in particular Audit Findings 101 and Audit Findings 201, help to acclimate you to reading audit reports. D-Squared has a video series for this as well.
After reading the Secureum articles, start reading Code4rena audit reports. Start with low risk, non-critical issues and gas optimizations. At that point, you’ll be able to start engaging in contests, even if you’re only looking for minor issues. Next, read through the high and medium findings that have duplicate reports. Read different reports for the same finding to get different wardens’ points of view. Finally, read through the high and medium findings that have unique reports.
For submitting QA and gas optimization reports, don’t run automated tools. It’s more helpful to find issues manually since it trains you to pick up on patterns.
Understand and categorize all findings, including findings from the Secureum articles.
1. Intro to computer science (optional)
I highly recommend completing an introductory course on computer science, such as Harvard’s CS50, ideally before beginning a course on Solidity.
2. freeCodeCamp course
[This course] shines above most other resources because it covers coding token standards like ERC20, ERC721 (NFTs), and DeFi (decentralized finance), which will give you an incredible understanding of the business logic of DApps and DEXs.
3. Mastering Ethereum book (optional)
The best resource for learning about Ethereum is Mastering Ethereum by Andreas Antonopoulos and Dr. Gavin Woods…You’ll want to read chapters 1, 2, 3, 4, 5, 6, 13, and 14.
Later, Sleepy notes that you could also add chapter 9.
To supplement this reading, he mentions you could take a look at ConsenSys’ Ethereum Smart Contract Best Practices.
You might not be able to pick up the syntax of Solidity easily from [the freeCodeCamp] course, so I recommend checking out CryptoZombies for additional practice. It’ll take much less time to get acquainted with the syntax.
5. Hack Solidity playlist
Finally, we come to the Smart Contract Programmer who is one of my favourite YouTubers and one of the only ones providing technical explanations of common Solidity smart contract vulnerabilities via video.
6. SWC Registry
The Smart Contract Weakness Classification Registry is an implementation of the weakness classification scheme proposed in EIP-1470. It is loosely aligned to the terminologies and structure used in the Common Weakness Enumeration (CWE) while overlaying a wide range of weakness variants that are specific to smart contracts.
7. Secureum bootcamp
It may be worthwhile to incorporate the Secureum bootcamp videos as part of your learning from the very beginning. I personally skipped the Ethereum and Solidity modules as I had already completed the freeCodeCamp course and read the corresponding chapters in Mastering Ethereum.
Additionally, I recommend reading through audit reports from various well-respected smart contract security firms like Trail of Bits and ConsenSys.
8. Capture the Flags
I recommend doing them in this order: Ethernaut/Capture The Ether -> Damn Vulnerable DeFi -> Paradigm CTF (One of the hardest out there created by Paradigm and notably samczsun, DeFi’s most legendary security researcher. You can read Immunefi’s interview with him here.) Ethernaut/Capture the Ether overlap, so you can do one over the other.
For solutions, see Web3 Blockchain Developer’s series for Ethernaut, Smart Contract Programmer’s series for Damn Vulnerable DeFi, and Christoph Michel’s article for Paradigm CTF 2021.
9. Real life experience
You can and should hunt for bugs on Immunefi, which hosts a multitude of bug bounty programs.
Finally, I encourage you to apply to the various smart contract security firms, as there’s an extremely high demand for people like you.
1. Elementary Topics
This section covers introductory computer science topics, such as:
Object Oriented Programming
2. Basics of Internet
Next, internet fundamentals are taught:
Protocols: DNS, HTTP, RPC
Authentication and authorization
3. Web 2.0 Security
This section simply recommends reading through the OWASP Top 10.
4. Basics of Blockchain
Now moving into the crypto space, basics are covered with an emphasis on Bitcoin:
5. Basics of Ethereum
After Bitcoin, Ethereum follows naturally:
Ethereum Virtual Machine
6. Understanding Solidity
Knowing the basics of Ethereum provides a foundation for learning Solidity:
7. Frameworks for Ethereum development
You may not need all of these, but he lists a few frameworks that could be useful:
8. Smart Contract Security
Once you have the basics of Solidity down, you can dive deeper into security topics:
Linters and formatters
Common vulnerabilities in smart contracts
Static and dynamic analysis
9. Blockchain CTFs
Building on the CTFs mentioned in other roadmaps, Batham adds Smart Contract CTF and GOATCasino:
Damn Vulnerable DeFi
Smart Contract CTF
Capture the Ether
10. Bug Bounty Platforms
He also adds a couple of bug bounty platforms which aren’t specific to crypto:
Instead of sticking to one roadmap over another, I intend to pick and choose from each one. When all is said and done, I may publish a roadmap that combines all of these resources with my own learning experience. Please let me know if that would be helpful or if you have any other feedback!