API - Building Secure Contracts

  1. Introduction
  2. Development Guidelines
    1. Code Maturity
    2. High-Level Best Practices
    3. Token Integration Checklist
    4. Known non-standard ERC20 tokens
    5. Incident Response Recommendations
    6. Secure Development Workflow
    7. Preparing for a Security Review
  3. Learn EVM
    1. EVM Opcode Reference
    2. Transaction Tracing
    3. Arithmetic Checks
    4. Yellow Paper Guidance
    5. Forks <> EIPs
      1. Forks <> CIPs
      2. Upgrades <> TIPs
      3. Forks <> BEPs
  4. Not so smart contracts
    1. Algorand
      1. Rekeying
      2. Unchecked Transaction Fees
      3. Closing Account
      4. Closing Asset
      5. Group Size Check
      6. Time-Based Replay Attack
      7. Access Controls
      8. Asset ID Check
      9. Denial of Service
      10. Inner Transaction Fee
      11. Clear State Transaction Check
    2. Cairo
      1. Arithmetic Overflow
      2. L1 to L2 Address Conversion
      3. L1 to L2 failure
      4. Overconstrained L1 <-> L2 interaction
      5. Signature replays
      6. Unchecked from address in L1 Handler
    3. Cosmos
      1. Incorrect Signers
      2. Non-Determinism
      3. Not Prioritized Messages
      4. Slow ABCI Methods
      5. ABCI Methods Panic
      6. Broken Bookkeeping
      7. Rounding Errors
      8. Unregistered Message Handler
      9. Missing Error Handler
    4. Solana
      1. Arbitrary CPI
      2. Improper PDA Validation
      3. Ownership Check
      4. Signer Check
      5. Sysvar Account Check
      6. Improper Instruction Introspection
    5. Substrate
      1. Arithmetic Overflow
      2. Don't Panic!
      3. Weights and Fees
      4. Verify First
      5. Unsigned Transaction Validation
      6. Bad Randomness
      7. Bad Origin
    6. Ton
      1. Fake Jetton Contract
      2. Forward TON without gas check
      3. Int as boolean
  5. Program Analysis
    1. Echidna
      1. Introduction
        1. Installation
        2. Introduction to Fuzzing
        3. How to Test a Property
      2. Basic
        1. How to select the most suitable testing mode
        2. How to select the best testing approach
        3. How to filter functions
        4. How to test assertions
        5. How to write good properties step by step
        6. How to write properties that use ether
      3. Advanced
        1. How to collect a corpus
        2. How to use optimization mode
        3. How to detect high gas consumption
        4. How to perform smart contract fuzzing at a large scale
        5. How to test bytecode-only contracts
        6. How and when to use cheat codes
        7. How to use hevm cheats to test permit
        8. How to seed Echidna with unit tests
        9. Understanding and using allContracts
        10. How to fuzz contracts with external libraries
        11. How to do on-chain fuzzing with state forking
        12. Interacting with off-chain data via FFI cheatcode
      4. Fuzzing tips
      5. Frequently Asked Questions
      6. Configuration options
      7. Exercises
        1. Exercise 1
        2. Exercise 2
        3. Exercise 3
        4. Exercise 4
        5. Exercise 5
        6. Exercise 6
        7. Exercise 7
        8. Exercise 8
    2. Medusa
      1. Installation
      2. First Steps
      3. Configuration Overview
        1. Fuzzing Configuration
        2. Testing Configuration
        3. Chain Configuration
        4. Compilation Configuration
        5. Slither Configuration
        6. Logging Configuration
      4. CLI Overview
        1. init
        2. fuzz
        3. completion
      5. Testing Overview
        1. The Fuzzing Lifecycle
        2. Types of Invariants
        3. Writing Function-Level Invariants
        4. Writing System-Level Invariants (WIP)
        5. Reporting
      6. API Overview (WIP)
      7. Cheatcodes
        1. warp
        2. roll
        3. fee
        4. difficulty
        5. prevrandao
        6. chainId
        7. store
        8. load
        9. etch
        10. deal
        11. snapshot
        12. getCode
        13. getNonce
        14. setNonce
        15. coinbase
        16. prank
        17. startPrank
        18. stopPrank
        19. prankHere
        20. ffi
        21. addr
        22. sign
        23. toString
        24. parseBytes
        25. parseBytes32
        26. parseInt
        27. parseUint
        28. parseBool
        29. parseAddress
      8. Console Logging
      9. FAQ
    3. Manticore
      1. Introduction to symbolic execution
      2. Running under Manticore
      3. Getting throwing paths
      4. Adding constraints
      5. Exercises
        1. Example
        2. Exercise 1
        3. Exercise 2
    4. Slither
      1. Usage
      2. API
        1. Static Analysis
        2. API
        3. SlithIR
        4. SSA
        5. Data dependency
        6. JSON output
      3. Detectors
        1. Detectors
        2. Adding a detector
      4. Printers
      5. Tools
        1. Adding a new tool
        2. Code Similarity
        3. Contract Flattening
        4. Documentation
        5. Doctor
        6. ERC Conformance
        7. Interface
        8. Mutator
        9. Path Finding Utility
        10. Property Generation
        11. Read Storage
        12. Format
        13. Upgradeability checks
      6. Tutorials
        1. Exercise 1
        2. Exercise 2
        3. Exercise 3
  6. Resources
    1. Security contact
  7. Blog posts

Building Secure Contracts