19 KiB
19 KiB
Awesome EVM Security !Awesome (https://awesome.re/badge.svg) (https://awesome.re)
!Awesome EVM Security (awesome-evm-security.png) (https://github.com/kareniel/awesome-evm-security#readme)
EVM (https://ethereum.org/en/developers/docs/evm/) stands for "Ethereum Virtual Machine". The EVM powers the Ethereum mainnet, but also Layer 2 protocols, sidechains, and EVM-compatible chains.
This list is an overview of the EVM ecosystem from an information security management perspective.
Contents
- Guides (#guides)
- Governance (#governance)
- Architecture (#architecture)
- Standards (#standards)
- System Assets (#system-assets)
- Threats (#threats)
- Vulnerabilities (#vulnerabilities)
- Controls (#controls)
- Ecosystem (#ecosystem)
Guides
- CryptoSec.info (https://cryptosec.info/) - Information to help beginners learn how to protect their funds against hackers and scammers.
- Simplified Roadmap for Blockchain Security (https://devansh.xyz/blockchain-security/2021/09/17/genesis-0x01.html) - Covers all rudimentary topics that one needs to know in order to get into the field of Blockchain Security.
- How to become a smart contract auditor (https://cmichel.io/how-to-become-a-smart-contract-auditor/) - Frequently asked questions that are related to auditing and auditors can get their first job.
Governance
- A beginner's guide to DAOs (https://linda.mirror.xyz/Vh8K4leCGEO06_qSGx-vS5lvgUqhqkCz9ut81WwCP2o) - Gives a high level overview of what DAOs are, why they are interesting and some of their use cases.
- Deep DAO (https://deepdao.io/#/deepdao/dashboard) - Lists, ranks and analyzes top DAOs across multiple metrics.
- SAFT Agreements (https://saftproject.com/) - A commercial instrument used to convey rights in tokens prior to the development of the tokens' functionality.
- Voting Options in DAOs (https://medium.com/daostack/voting-options-in-daos-b86e5c69a3e3) - Voting Options in DAOs.
- The Wyoming DAO bill (https://twitter.com/awrigh01/status/1369328856260354051) - A thread about Wyoming DAOs .
- It Takes a Cryptonetwork (https://medium.com/primedao/it-takes-a-cryptonetwork-2ae9ab541c17) - Prime's Strategy for DAO to DAO Relations.
- DAOs, Democracy and Governance (https://merkle.com/papers/DAOdemocracyDraft.pdf) - A paper by Ralph Merkle about DAOs.
Architecture
- Shelling Out: The Origins of Money (https://nakamotoinstitute.org/shelling-out/) - Illustrates the value of collectibles in reducing social transaction costs.
- Foundations of Cryptoeconomic Systems (https://epub.wu.ac.at/7309/8/Foundations%20of%20Cryptoeconomic%20Systems.pdf) - This paper explores why the term
"cryptoeconomics" is context dependent and proposes complementary micro, meso and macro definitions of the term.
- Towards a Practice of Token Engineering (https://blog.oceanprotocol.com/towards-a-practice-of-token-engineering-b02feeeff7ca) - How do we design tokenized ecosystems, their incentives and how do we analyze or verify them?
- A Crash Course in Mechanism Design for Cryptoeconomic Applications (https://medium.com/blockchannel/a-crash-course-in-mechanism-design-for-cryptoeconomic-applications-a9f06ab6a976) - Introduces the basic concepts of mechanism design, and gives
a taste for their usefulness in the cryptocurrency world.
- WTF Is QF (https://wtfisqf.com/?grant=&grant=&grant=&grant=&match=1000) - A simple explanation of quadratic funding.
- Bonding Curves Explained (https://yos.io/2018/11/10/bonding-curves) - What bonding curves are and their potential applications.
Standards
- DeFi Safety (https://www.defisafety.com/) - Best practices security score reviews.
- DASP Top 10 of 2018 (https://dasp.co/) - Decentralized Application Security Project Top 10 vulnerabilities.
- IVSCS (https://immunefi.com/severity-updated/) - Immunefi Vulnerability Severity Classification System.
- Smart Contract Security Verification Standard (https://securing.github.io/SCSVS/) - A free 14-part checklist created to standardize the security of smart contracts for developers, architects, security reviewers and vendors.
- Secureth guidelines (https://guidelines.secureth.org/) - Aid you in formulating your own software engineering process by giving a complete picture of all the different concerns and expectations in your software projects.
- CryptoCurrency Security Standard (CCSS) (https://cryptoconsortium.github.io/CCSS/) - A set of requirements for all information systems that make use of cryptocurrencies, including exchanges, web applications, and cryptocurrency storage
solutions.
- The Solcurity Standard (https://github.com/Rari-Capital/solcurity) - Opinionated security and code quality standard for Solidity smart contracts.
System Assets
- Security Considerations in the Solidity documentation (https://docs.soliditylang.org/en/v0.8.6/security-considerations.html) - Lists some pitfalls and general security recommendations.
- Ethereum 2.0 Specifications Security Audit Report (https://leastauthority.com/static/publications/LeastAuthority-Ethereum-2.0-Specifications-Audit-Report.pdf) - Security Audit Report of the Eth2.0 spec by Least Authority.
- Getting Deep Into EVM (https://hackernoon.com/getting-deep-into-evm-how-ethereum-works-backstage-ac7efa1f0015) - An Ultimate, In-depth Explanation of How EVM Works.
- Ethereum EVM illustrated (https://takenobu-hs.github.io/downloads/ethereum_evm_illustrated.pdf) - Exploring some mental models and implementations.
- Ethereum Blockspace: Who Gets What and Why (https://www.aniccaresearch.tech/blog/ethereum-blockspace-who-gets-what-and-why) - Ethereum blockspace market structure.
- What Is Uniswap and How Does It Work? (https://academy.binance.com/en/articles/what-is-uniswap-and-how-does-it-work) - What Uniswap is, how it works, and how you can swap tokens on it simply with an Ethereum wallet.
- Scaling EVM (Ethereum Virtual Machine) (https://capitalgram.com/posts/scaling-evm/) - How fast and far can the EVM based blockchain architecture still take us.
- L2Beat (https://l2beat.com/) - Transparent and verifiable insights into emerging layer two (L2) technologies.
- The Non-Fungible Token Bible (https://opensea.io/blog/guides/non-fungible-tokens) - Everything you need to know about NFTs.
- KEVM (https://github.com/kframework/evm-semantics) - A formal model of the EVM in the K framework.
Threats
- Blockchain Graveyard (https://magoo.github.io/Blockchain-Graveyard/) - A list of all massive security breaches or thefts involving blockchains.
- List of Bitcoin Heists (https://bitcointalk.org/index.php?topic=576337) - Research on prior Bitcoin-related thefts.
- Blockchain Threat Intelligence (https://www.blockthreat.io/) - The latest in blockchain, DeFi and cryptocurrency threat intelligence, vulnerabilities, security tools, and events.
- Rekt News (https://rekt.news/) - Investigative journalism, creative commentary, and incident analysis.
- DeFiYield's REKT db (https://defiyield.app/rekt-database) - Database of Crypto Hacks, Exploit, Scam.
- CryptoScamDB (https://cryptoscamdb.org/scams) - Keeping track of cryptocurrency scams in an open-source database.
- Mudit Gupta's Twitter threads (https://mudit.blog/twitter-threads/) - Early analysis and educational content on Twitter.
- Flash Boys 2.0 Paper (https://ieeexplore.ieee.org/document/9152675) - Frontrunning in Decentralized Exchanges, Miner Extractable Value, and Consensus Instability.
- MEV-explore (https://explore.flashbots.net/) - Help the community understand and quantify the significance of "Dark Forest activities" and their impact on the Ethereum network.
- Flashloan monitor (https://monitor.blocksecteam.com/) - Dashboard that helps you monitor flashloan transactions.
- Known Attacks (https://consensys.github.io/smart-contract-best-practices/known_attacks/) - A list of known attacks which you should be aware of, from Consensys.
- Solidity Security (https://blog.sigmaprime.io/solidity-security.html) - Comprehensive list of known attack vectors and common anti-patterns.
Vulnerabilities
- SWC Registry (https://swcregistry.io/) - Smart Contract Weakness Classification and Test Cases.
- 246 Findings (https://blog.trailofbits.com/2019/08/08/246-findings-from-our-smart-contract-audits-an-executive-summary/) - 246 Findings From Trail of Bits Smart Contract Audits.
- A Survey of Security Vulnerabilities in Ethereum Smart Contracts (https://arxiv.org/pdf/2105.06974.pdf) - Explains eight vulnerabilities that are specific to the application level of blockchain technology by analyzing the past exploitation case
scenarios of these security vulnerabilities.
- List of Security Vulnerabilities (https://github.com/runtimeverification/verified-smart-contracts/wiki/List-of-Security-Vulnerabilities) - A comprehensive list of common smart contract security vulnerabilities, compiled from various sources.
- List of Known Bugs (https://docs.soliditylang.org/en/v0.8.1/bugs.html) - A JSON-formatted list of some of the known security-relevant bugs in the Solidity compiler.
Controls
- Simple Security Toolkit (https://github.com/nascentxyz/simple-security-toolkit) - Opinionated recommendations that the team at Nascent find to be appropriate, particularly for teams developing and managing early versions of a protocol.
- Gnosis Safe (https://docs.gnosis-safe.io) - Multi-sig. Require multiple team members to confirm every transaction in order to execute it, which helps prevent unauthorized access to company crypto.
- List of DeFi auditors (https://www.defisafety.com/auditors) - List of DeFi auditors maintained by DeFiSafety.
- State of DeFi Audits (https://medium.com/conflux-network/the-overlooked-element-of-defi-adoption-e3b29829e3da) - Article taking a look at the auditing space and its importance in onboarding users by properly securing new DeFi protocols.
- Building Secure Contracts (https://github.com/crytic/building-secure-contracts/) - Trail of Bits' guidelines and best practices on how to write secure smart contracts.
- Solidity Patterns (https://fravoll.github.io/solidity-patterns/) - A compilation of patterns and best practices for the smart contract programming language Solidity.
- Security Pattern for Ethereum and Solidity (https://docs.google.com/spreadsheets/d/1PF4QZudW6Z7EV4hqQfwPo3A43AVqPrsuzzzey5yRYcs/edit#gid=0) - Google Sheets Checklists.
- Solidity Best Practices for Smart Contract Security (https://consensys.net/blog/developers/solidity-best-practices-for-smart-contract-security/) - Pro tips from Consensys to ensure your Ethereum smart contracts are fortified.
- CERtified (https://cer.live/) - Top 100 exchanges by Cybersecurity rating.
- Smart Contract Security Registry (https://github.com/ethereum-lists/contracts) - An effort to identify deployed contracts instances given their chain and address, by listing the project they belong to.
- Forta (https://docs.forta.network/) - Community-based runtime security network for smart contracts.
Ecosystem
- People to follow on Twitter (https://twitter.com/i/lists/1453086258436128770) - Twitter list to an overview of the web3 ecosystem and security people.
- Videos to watch on YouTube (https://www.youtube.com/playlist?list=PLox242_JhiuEe64LzW1M8XpiQ2-N5bZsX) - YouTube playlist of web3 security videos.
Footnotes
See Also
Other Awesome Lists:
- Awesome BlockSec CTF (https://github.com/0xjeffsec/awesome-blocksec-ctf) - Blockchain security Capture the Flag (CTF) competitions.
- Awesome Buggy ERC20 Tokens (https://github.com/sec-bit/awesome-buggy-erc20-tokens) - Vulnerabilities in ERC20 Smart Contracts With Tokens Affected.
- Awesome Cryptoeconomics (https://github.com/jpantunes/awesome-cryptoeconomics) - Cryptoeconomic research and learning materials.
- Awesome Zero-Knowledge Proofs (ZKP) (https://github.com/matter-labs/awesome-zero-knowledge-proofs) - A curated list of awesome things related to learning Zero-Knowledge Proofs (ZKP).
- Officer CIA's Ultimate DeFi Research Base (https://github.com/OffcierCia/ultimate-defi-research-base) - Curated DeFI & Blockchain research papers and tools.
- Awesome MEV resources (https://github.com/0xalpharush/awesome-MEV-resources)
evmsecurity Github: https://github.com/kareniel/awesome-evm-security
!Awesome EVM Security (awesome-evm-security.png) (https://github.com/kareniel/awesome-evm-security#readme)
EVM (https://ethereum.org/en/developers/docs/evm/) stands for "Ethereum Virtual Machine". The EVM powers the Ethereum mainnet, but also Layer 2 protocols, sidechains, and EVM-compatible chains.
This list is an overview of the EVM ecosystem from an information security management perspective.
Contents
- Guides (#guides)
- Governance (#governance)
- Architecture (#architecture)
- Standards (#standards)
- System Assets (#system-assets)
- Threats (#threats)
- Vulnerabilities (#vulnerabilities)
- Controls (#controls)
- Ecosystem (#ecosystem)
Guides
- CryptoSec.info (https://cryptosec.info/) - Information to help beginners learn how to protect their funds against hackers and scammers.
- Simplified Roadmap for Blockchain Security (https://devansh.xyz/blockchain-security/2021/09/17/genesis-0x01.html) - Covers all rudimentary topics that one needs to know in order to get into the field of Blockchain Security.
- How to become a smart contract auditor (https://cmichel.io/how-to-become-a-smart-contract-auditor/) - Frequently asked questions that are related to auditing and auditors can get their first job.
Governance
- A beginner's guide to DAOs (https://linda.mirror.xyz/Vh8K4leCGEO06_qSGx-vS5lvgUqhqkCz9ut81WwCP2o) - Gives a high level overview of what DAOs are, why they are interesting and some of their use cases.
- Deep DAO (https://deepdao.io/#/deepdao/dashboard) - Lists, ranks and analyzes top DAOs across multiple metrics.
- SAFT Agreements (https://saftproject.com/) - A commercial instrument used to convey rights in tokens prior to the development of the tokens' functionality.
- Voting Options in DAOs (https://medium.com/daostack/voting-options-in-daos-b86e5c69a3e3) - Voting Options in DAOs.
- The Wyoming DAO bill (https://twitter.com/awrigh01/status/1369328856260354051) - A thread about Wyoming DAOs .
- It Takes a Cryptonetwork (https://medium.com/primedao/it-takes-a-cryptonetwork-2ae9ab541c17) - Prime's Strategy for DAO to DAO Relations.
- DAOs, Democracy and Governance (https://merkle.com/papers/DAOdemocracyDraft.pdf) - A paper by Ralph Merkle about DAOs.
Architecture
- Shelling Out: The Origins of Money (https://nakamotoinstitute.org/shelling-out/) - Illustrates the value of collectibles in reducing social transaction costs.
- Foundations of Cryptoeconomic Systems (https://epub.wu.ac.at/7309/8/Foundations%20of%20Cryptoeconomic%20Systems.pdf) - This paper explores why the term
"cryptoeconomics" is context dependent and proposes complementary micro, meso and macro definitions of the term.
- Towards a Practice of Token Engineering (https://blog.oceanprotocol.com/towards-a-practice-of-token-engineering-b02feeeff7ca) - How do we design tokenized ecosystems, their incentives and how do we analyze or verify them?
- A Crash Course in Mechanism Design for Cryptoeconomic Applications (https://medium.com/blockchannel/a-crash-course-in-mechanism-design-for-cryptoeconomic-applications-a9f06ab6a976) - Introduces the basic concepts of mechanism design, and gives
a taste for their usefulness in the cryptocurrency world.
- WTF Is QF (https://wtfisqf.com/?grant=&grant=&grant=&grant=&match=1000) - A simple explanation of quadratic funding.
- Bonding Curves Explained (https://yos.io/2018/11/10/bonding-curves) - What bonding curves are and their potential applications.
Standards
- DeFi Safety (https://www.defisafety.com/) - Best practices security score reviews.
- DASP Top 10 of 2018 (https://dasp.co/) - Decentralized Application Security Project Top 10 vulnerabilities.
- IVSCS (https://immunefi.com/severity-updated/) - Immunefi Vulnerability Severity Classification System.
- Smart Contract Security Verification Standard (https://securing.github.io/SCSVS/) - A free 14-part checklist created to standardize the security of smart contracts for developers, architects, security reviewers and vendors.
- Secureth guidelines (https://guidelines.secureth.org/) - Aid you in formulating your own software engineering process by giving a complete picture of all the different concerns and expectations in your software projects.
- CryptoCurrency Security Standard (CCSS) (https://cryptoconsortium.github.io/CCSS/) - A set of requirements for all information systems that make use of cryptocurrencies, including exchanges, web applications, and cryptocurrency storage
solutions.
- The Solcurity Standard (https://github.com/Rari-Capital/solcurity) - Opinionated security and code quality standard for Solidity smart contracts.
System Assets
- Security Considerations in the Solidity documentation (https://docs.soliditylang.org/en/v0.8.6/security-considerations.html) - Lists some pitfalls and general security recommendations.
- Ethereum 2.0 Specifications Security Audit Report (https://leastauthority.com/static/publications/LeastAuthority-Ethereum-2.0-Specifications-Audit-Report.pdf) - Security Audit Report of the Eth2.0 spec by Least Authority.
- Getting Deep Into EVM (https://hackernoon.com/getting-deep-into-evm-how-ethereum-works-backstage-ac7efa1f0015) - An Ultimate, In-depth Explanation of How EVM Works.
- Ethereum EVM illustrated (https://takenobu-hs.github.io/downloads/ethereum_evm_illustrated.pdf) - Exploring some mental models and implementations.
- Ethereum Blockspace: Who Gets What and Why (https://www.aniccaresearch.tech/blog/ethereum-blockspace-who-gets-what-and-why) - Ethereum blockspace market structure.
- What Is Uniswap and How Does It Work? (https://academy.binance.com/en/articles/what-is-uniswap-and-how-does-it-work) - What Uniswap is, how it works, and how you can swap tokens on it simply with an Ethereum wallet.
- Scaling EVM (Ethereum Virtual Machine) (https://capitalgram.com/posts/scaling-evm/) - How fast and far can the EVM based blockchain architecture still take us.
- L2Beat (https://l2beat.com/) - Transparent and verifiable insights into emerging layer two (L2) technologies.
- The Non-Fungible Token Bible (https://opensea.io/blog/guides/non-fungible-tokens) - Everything you need to know about NFTs.
- KEVM (https://github.com/kframework/evm-semantics) - A formal model of the EVM in the K framework.
Threats
- Blockchain Graveyard (https://magoo.github.io/Blockchain-Graveyard/) - A list of all massive security breaches or thefts involving blockchains.
- List of Bitcoin Heists (https://bitcointalk.org/index.php?topic=576337) - Research on prior Bitcoin-related thefts.
- Blockchain Threat Intelligence (https://www.blockthreat.io/) - The latest in blockchain, DeFi and cryptocurrency threat intelligence, vulnerabilities, security tools, and events.
- Rekt News (https://rekt.news/) - Investigative journalism, creative commentary, and incident analysis.
- DeFiYield's REKT db (https://defiyield.app/rekt-database) - Database of Crypto Hacks, Exploit, Scam.
- CryptoScamDB (https://cryptoscamdb.org/scams) - Keeping track of cryptocurrency scams in an open-source database.
- Mudit Gupta's Twitter threads (https://mudit.blog/twitter-threads/) - Early analysis and educational content on Twitter.
- Flash Boys 2.0 Paper (https://ieeexplore.ieee.org/document/9152675) - Frontrunning in Decentralized Exchanges, Miner Extractable Value, and Consensus Instability.
- MEV-explore (https://explore.flashbots.net/) - Help the community understand and quantify the significance of "Dark Forest activities" and their impact on the Ethereum network.
- Flashloan monitor (https://monitor.blocksecteam.com/) - Dashboard that helps you monitor flashloan transactions.
- Known Attacks (https://consensys.github.io/smart-contract-best-practices/known_attacks/) - A list of known attacks which you should be aware of, from Consensys.
- Solidity Security (https://blog.sigmaprime.io/solidity-security.html) - Comprehensive list of known attack vectors and common anti-patterns.
Vulnerabilities
- SWC Registry (https://swcregistry.io/) - Smart Contract Weakness Classification and Test Cases.
- 246 Findings (https://blog.trailofbits.com/2019/08/08/246-findings-from-our-smart-contract-audits-an-executive-summary/) - 246 Findings From Trail of Bits Smart Contract Audits.
- A Survey of Security Vulnerabilities in Ethereum Smart Contracts (https://arxiv.org/pdf/2105.06974.pdf) - Explains eight vulnerabilities that are specific to the application level of blockchain technology by analyzing the past exploitation case
scenarios of these security vulnerabilities.
- List of Security Vulnerabilities (https://github.com/runtimeverification/verified-smart-contracts/wiki/List-of-Security-Vulnerabilities) - A comprehensive list of common smart contract security vulnerabilities, compiled from various sources.
- List of Known Bugs (https://docs.soliditylang.org/en/v0.8.1/bugs.html) - A JSON-formatted list of some of the known security-relevant bugs in the Solidity compiler.
Controls
- Simple Security Toolkit (https://github.com/nascentxyz/simple-security-toolkit) - Opinionated recommendations that the team at Nascent find to be appropriate, particularly for teams developing and managing early versions of a protocol.
- Gnosis Safe (https://docs.gnosis-safe.io) - Multi-sig. Require multiple team members to confirm every transaction in order to execute it, which helps prevent unauthorized access to company crypto.
- List of DeFi auditors (https://www.defisafety.com/auditors) - List of DeFi auditors maintained by DeFiSafety.
- State of DeFi Audits (https://medium.com/conflux-network/the-overlooked-element-of-defi-adoption-e3b29829e3da) - Article taking a look at the auditing space and its importance in onboarding users by properly securing new DeFi protocols.
- Building Secure Contracts (https://github.com/crytic/building-secure-contracts/) - Trail of Bits' guidelines and best practices on how to write secure smart contracts.
- Solidity Patterns (https://fravoll.github.io/solidity-patterns/) - A compilation of patterns and best practices for the smart contract programming language Solidity.
- Security Pattern for Ethereum and Solidity (https://docs.google.com/spreadsheets/d/1PF4QZudW6Z7EV4hqQfwPo3A43AVqPrsuzzzey5yRYcs/edit#gid=0) - Google Sheets Checklists.
- Solidity Best Practices for Smart Contract Security (https://consensys.net/blog/developers/solidity-best-practices-for-smart-contract-security/) - Pro tips from Consensys to ensure your Ethereum smart contracts are fortified.
- CERtified (https://cer.live/) - Top 100 exchanges by Cybersecurity rating.
- Smart Contract Security Registry (https://github.com/ethereum-lists/contracts) - An effort to identify deployed contracts instances given their chain and address, by listing the project they belong to.
- Forta (https://docs.forta.network/) - Community-based runtime security network for smart contracts.
Ecosystem
- People to follow on Twitter (https://twitter.com/i/lists/1453086258436128770) - Twitter list to an overview of the web3 ecosystem and security people.
- Videos to watch on YouTube (https://www.youtube.com/playlist?list=PLox242_JhiuEe64LzW1M8XpiQ2-N5bZsX) - YouTube playlist of web3 security videos.
Footnotes
See Also
Other Awesome Lists:
- Awesome BlockSec CTF (https://github.com/0xjeffsec/awesome-blocksec-ctf) - Blockchain security Capture the Flag (CTF) competitions.
- Awesome Buggy ERC20 Tokens (https://github.com/sec-bit/awesome-buggy-erc20-tokens) - Vulnerabilities in ERC20 Smart Contracts With Tokens Affected.
- Awesome Cryptoeconomics (https://github.com/jpantunes/awesome-cryptoeconomics) - Cryptoeconomic research and learning materials.
- Awesome Zero-Knowledge Proofs (ZKP) (https://github.com/matter-labs/awesome-zero-knowledge-proofs) - A curated list of awesome things related to learning Zero-Knowledge Proofs (ZKP).
- Officer CIA's Ultimate DeFi Research Base (https://github.com/OffcierCia/ultimate-defi-research-base) - Curated DeFI & Blockchain research papers and tools.
- Awesome MEV resources (https://github.com/0xalpharush/awesome-MEV-resources)
evmsecurity Github: https://github.com/kareniel/awesome-evm-security