SlowMist Learning Roadmap for Becoming a Smart Contract Auditor

SlowMist
10 min readOct 24, 2023

--

By: Kong’@SlowMist Security Team

Introduction

This skill chart is a compilation of the abilities required for SlowMist’s security team’s smart contract security auditors. It aims to enumerate the essential skills needed for smart contract security audits and inspire team members to adopt a mindset of research, innovation, and engineering evolution.

Smart contract security auditing skills are primarily divided into four parts: Finding the Entrance, Singing by the Door, Integrative Mastery, and Breaking Through. These stages progressively outline the expertise needed at each level. However, before diving into these, it’s crucial to equip our minds with some foundational skills, which will serve as our anchor point in the audit journey.

Roadmap

Preparation Required

As Abraham Lincoln once said: “Give me six hours to chop down a tree and I will spend the first four sharpening the axe.” This same approach can be applied to smart contract auditing. Strengthening our mindset before starting is essential, allowing us to move with conviction and travel further.

1. Unity of Knowledge and Action

Cognition and execution go hand in hand. Theoretical knowledge and its practical application should align seamlessly.

  • Learning should result in output, and output should be put into practice
  • SlowMist Security Team’s Knowledge Base
  • Embracing the open-source culture of GitHub

2. Defend Fundamentals & Innovatively

Ethics and the law are the foundational principles for security professionals. While staunchly adhering to these principles, security professionals must also forge strong technical skills, surprising adversaries when least expected.

  • Sticking to the Basics:
    - Auditors should abide by the law and uphold ethical standards
  • Responsible Disclosure:
    - SlowMist’s alert procedure
    - FIRST’s code of ethics
  • Hacker’s Mentality:
    - While adhering to principles, prevail with unexpected strategies
    - Defend Fundamentals: Approach with reverence and always adhere to basics
    - Innovative: Think outside the box, be meticulous, employ reverse and open-minded thinking

3. Team Consciousness

The capabilities of an individual are always limited, but teamwork can effectively compensate for personal shortcomings.

  • Collaborative Audit Flow:
    -Collaborative auditing on the SlowMist MistPunk workbench ensures audit quality through technical means and accumulates auditing experience
  • Audit Workflow:
    - SlowMist’s audit workflow ensures audit quality through managerial practices, serving to identify and fill in any gaps in the audit process
  • Hacking Time Culture:
    - Team members are encouraged to engage in spontaneous intellectual exchanges and sharing, aligning team capabilities through these collaborative interactions and thereby elevating the overall team proficiency

Getting Started

The development of the cryptographic world to date encompasses disciplines such as cryptography, economics, and data science. Faced with the immense volume of knowledge in the cryptographic world, determining a point of entry is crucial. In this phase, we will start by exploring Ethereum and its smart contract language, Solidity, as a gateway into the world of cryptocurrency.

1. Basics of Blockchain

Before understanding what smart contracts are, one should first comprehend the blockchain platform on which they operate.

  • What is a blockchain?
  • Visual demonstration of blockchain
  • How cryptocurrencies work
  • Reading “Mastering Bitcoin”
  • Reading “Mastering Ethereum”
    - Emphasis should be on Chapters 1, 4, 5, 6, 7, 13, and 15

2. Fundamentals of Smart Contracts

Different blockchains might employ various languages to develop smart contracts, such as Solidity, Move, Rust, Vyper, Cairo, C++, etc. Currently, Solidity remains the most popular and beginner-friendly smart contract language for EVM-compatible chains. It’s essential to thoroughly read its language documentation. Moreover, one should understand the design standards of token contracts running on Ethereum and their specific contract implementations. Building on this foundation, it’s crucial to understand how smart contracts can be made upgradable and to practically master the writing and testing of smart contracts.

Resources and Tools for Mastering Smart Contracts with Solidity

  • Solidity Official Documentation
  • Essential Reading “Mastering Ethereum”
    - Emphasis on reading the remaining chapters
  • Understanding Ethereum’s Standard Proposals (ERC)
    - ERC20: Standard for fungible tokens
    - ERC165: Interface standard
    - ERC173: Contract ownership standard
    - ERC191: Data signature standard
    - ERC601: Deterministic wallet hierarchical structure standard
    - ERC721: Non-fungible token standard
    - ERC777: Interoperable token standard
    - ERC1155: Multi-token standard
    - ERC1167: Minimal proxy contract
    - ERC1967: Proxy data storage slots
    - ERC2612: Token permit signature
    - ERC4626: Token vault standard
  • Studying OpenZeppelin’s token implementations
  • Understanding what upgradable contracts/proxy contracts are
    - Introduction to different proxy contract patterns
    - Proxies Deep Dive
  • OpenZeppelin Proxy implementation documentation
  • Learning to Write Smart Contracts
    - WTF Solidity Smart Contract Tutorials
    - Crypto Zombies
    - Smart Contract Engineer
    - Solidity by Example
  • Utilizing Smart Contract Build Tools
  • Popular Online IDEs
    - Remix
    - ChainIDE
    - Tenderly Sandbox
  • Familiarization with Package Managers
    - npm
    - yarn
    - pnpm
  • Popular Smart Contract Testing and Debugging Frameworks
    - Foundry
    - Convenient testing tools
    - Cheatcodes
    - Best practices
  • Hardhat
    -Leveraging its potent plugins
  • Brownie
  • Tenderly
    - Convenient DevNet development testing environment
    - Quick transaction simulations
    - Visual transaction debugging tools
  • Interacting with Smart Contracts
    - Understanding JSON-RPC
    - Ethers.js
    - Web3.js
    - Web3.py
    - viem

3. Common Smart Contract Vulnerabilities

After mastering the fundamentals of smart contracts, it’s essential to understand common vulnerabilities and the principles behind these vulnerabilities. Quillhash’s vulnerability list, which aggregates multiple sources, offers a comprehensive view of the prevalent types of smart contract vulnerabilities. (For beginners, it’s recommended to read through all the lists repeatedly to reinforce their understanding.)

  • DASP Top 10
  • SWC Smart Contract Weakness Classification
  • Smart Contract Security Guide
  • Kaden: Smart Contract Attack Vectors
  • Quillhash: Solidity Attack Vectors
  • RareSkills Smart Contract Security

4. Best Practices and Security Standards

As auditors, it’s crucial to be familiar with the best practices and security standards of smart contracts. Best practices serve as a reference in identifying security issues during an audit, while security standards provide a basis for any security issues raised.

  • Solidity Patterns
  • Solcurity
  • ConsenSys Smart Contract Best Practices
  • Solidity Security Pitfalls and Best Practices 101
  • Solidity Security Pitfalls and Best Practices 201
  • SCSVSv2
  • EEA EthTrust Certification
  • Foundry Testing Best Practices

5. Basic CTF Challenges

After acquiring foundational knowledge about blockchain, smart contracts, and common vulnerabilities, it’s beneficial to consolidate and apply this knowledge through basic Capture The Flag (CTF) challenges.

  • OpenZeppelin Ethernaut
  • Capture the Ether

Diving Deeper Into Smart Contracts

Having grasped the basics of blockchain and smart contracts, we’ve essentially opened the door to Solidity smart contract security auditing. Beyond this door, the world of smart contracts is still vast. In this stage, we’ll delve deeper into the expansive realm of smart contract applications, starting with decentralized finance (DeFi).

1. Fundamentals of Decentralized Finance (DeFi)

Blockchain and smart contracts have made the construction of DeFi possible, and the emergence of DeFi has spurred the rapid development of blockchains like Ethereum. Before delving further, one should understand: What is DeFi?

  • Read “How To DeFi: Beginner”
  • Read “How To DeFi: Advanced”
  • Introduction to different types of DeFi
    - Understand what each type of DeFi is
    - Grasp basic economic knowledge and common terminologies
  • Introduction to fundamental financial strategies
  • Economics Model 101

2. Leading Protocols in Decentralized Finance (DeFi)

After an initial understanding of what DeFi is, it’s important to delve deeper into what these platforms have achieved and how they achieved it. This can be accomplished by reviewing the technical documentation of the current leading DeFi protocols to gain preliminary insights into their implementations.

  • MakerDAO (Collateralized Debt Position)
  • AAVE (Lending)
    - V2
    - V3
  • Compound (Lending)
    - V2
    - V3
  • Uniswap (Decentralized Exchange)
    - V2
    - V3
  • Curve (Decentralized Exchange)
    - Technical Documentation
    - Algorithm Overview
    - Detailed Explanation of Curve’s Newton Iteration
  • Chainlink (Oracle)
    - Price Oracles
    - VRF (Verifiable Random Function)
  • Convex Finance (Yield Optimization)
    - Protocol Overview
    - Technical Documentation
  • Yearn Finance (Yield Aggregator)
  • GMX (Derivatives)
  • Nexus Mutual (Insurance)
  • OpenSea (NFT Marketplace)
  • Set Protocol (Index Funds)
  • Lido (Liquid Staking)
  • … and more

3. Delve into the Source Code of Leading Protocols

Many DeFi projects currently interrelate and combine, with some leading DeFi protocols forming the cornerstone of complex DeFi combinations. Hence, mastering the implementation of these DeFi initiatives is critical. After an initial understanding of DeFi’s workings through protocol documentation, further comprehension can be achieved by studying the complete source code to grasp specific logic and economic models.

4. Understand the Risks in Decentralized Finance (DeFi)

DeFi isn’t solely about smart contracts; the frontend and backend are vital components. Most users interact with DeFi through the frontend. Therefore, after understanding DeFi’s operations and implementations, it’s essential to learn and practice its risks through frontend security measures, backend security configuration requirements, and historical vulnerabilities in the DeFi sector.

  • Understanding Web Frontend Security
    - Read the “SlowMist Web Frontend Security Best Practices Guide”
    - Dive deeper into “Web Frontend Hacker Techniques Revealed”
  • Understanding DeFi Hacks
    - SlowMist DeFi Hack Analysis
    - SlowMist Medium Articles
    - DeFiHackLabs
    - Rekt
    - Immunefi
    - QuillAudits
    - BlockSec
    - Neptune Mutual
    - PeckShield
    - hacxyk
    - TrailOfBits
    - Secureum
    - Openzeppelin
    - OfferCIA

5. Reviewing Audit Reports

During an audit, an individual’s perspective may miss certain aspects and cannot cover all scenarios. Therefore, reading other people’s audit reports is crucial to learn different methods of vulnerability discovery and various auditing thought processes.

  • SlowMist Audit Reports
  • Solodit Aggregation
  • Code4rena Audit Reports
  • Consensys Audit Reports
  • QuillAudits Audit Reports
  • Spearbit Audit Reports
  • Sherlock Audit Reports
  • ADBK Audit Reports
  • BlockSec Audit Reports
  • Certik Audit Reports
  • ChainSecurity Audit Reports
  • Cyfrin Audit Reports
  • PeckShield Audit Reports
  • OpenZeppelin Audit Reports
  • Complete List of Security Audit Reports

6. CTF Challenges

Engage in more advanced CTF challenges to test new skills and grow.

  • EtherHack
  • SI Blockchain CTF
  • QuillCTF
  • Curta CTF
  • Paradigm CTF
  • Cipher Shastra CTF
  • Damn Vulnerable DeFi
  • Unhackedctf

Integration and Mastery

Through the exploration of leading DeFi platforms, a profound understanding of DeFi will be established. Moving forward, by learning from the foundational layer of EVM to the upper economic models of DeFi, we can continue to deepen our grasp on smart contracts. During this process, independently auditing complex smart contracts can help solidify one’s own audit methodology.

1. Deep Dive into EVM

The EVM (Ethereum Virtual Machine) is responsible for executing smart contract instructions. A comprehensive understanding of the EVM aids in a more in-depth grasp of the deployment, invocation, execution, and data storage of smart contracts. This foundational knowledge is also pivotal for Gas optimization and discovering vulnerabilities.

  • About EVM
  • Noxx’s In-depth Research on EVM
  • Parsing Solidity Slot Data
  • Ethereum Yellow Paper
    - Simplified Version
  • EVM Implementation Examples

2. Gas Optimization Design

All on-chain transactions incur Gas costs. For complex contracts, optimizing Gas can reduce user interaction costs, thereby attracting more users. This demands that auditors have a certain understanding of Gas optimization design.

  • Gas Optimization References 1
  • Gas Optimization References 2
  • Gas Optimization References 3

3. DeFi Economic Models

The economic model is a core component of DeFi products, so it’s essential to understand the risks associated with these models. Throughout the learning process, one should develop and consolidate their perspectives and methodologies.

  • Governance Risks
  • Summary of Risks in DeFi Economic Models
    - Euler Oracle Manipulation Tool
    - Chaos Lab’s Uniswap v3 Oracle Manipulation Risk
    - Agent Buttercup Simulation Engine
    - Curve Simulation Tool
    - DELV Agent-based Simulation Tool
    - Uniswap v3 Simulations: Option 1, Option 2, Option 3

4. Deconstructing and Analyzing Complex DeFi Protocols

After mastering these skills, auditors should be capable of dissecting and analyzing complex, highly innovative DeFi protocols.

  • To be released…

5. Peer Learning

Learning from other outstanding peers who are researching various topics can provide us with more insights and broaden our horizons.

  • Bytes032
  • Noxx
  • Mixbytes
  • Samczsun
  • Cmichel
  • Pessimistic
  • OfficerCia
  • Smart Contract Research Forum
  • Zefram
  • Alin Tomescu
  • Christoph Michel
  • Kyrian Alex
  • And More

6. Rapid Incident Analysis

After independently auditing numerous complex projects, accumulating extensive knowledge, and experiencing various business scenarios, auditors should be able to respond quickly to unforeseen security incidents and conduct rapid analysis and reporting. Here are some commonly used analysis tools:

  • Contract Decompilation Tools
    - Dedaub
    - Panoramix
    - Abi-decompiler
    - Heimdall-rs
    - Ethervm
    - Pyevmasm
  • Transaction Analysis Tools
    - Phalcon
    - Ethtx.info
    - Tx eth samczsun
    - Tenderly
    - Eigenphi
    - SocketScan
  • Others
  • Web3 Security Tools
  • On Chain Investigations Tools List

7. Bug Bounty Practice

Engaging in real-world scenarios is the best way to test your skills.

  • Immunefi
  • BugRap
  • Code4rena
  • HackerOne
  • HackenProof
  • HatsFinance
  • And more

Continuous Growth

After entering the world of Solidity smart contracts, one should not be content with circling within a single domain. Instead, you should crystallize your own methodology, boldly carve out a new path, break through, and expand into other areas while deepening your expertise in the current field.

1. Overcoming Limitations

  • Don’t confine yourself to Solidity; explore other smart contract languages like Rust, Vyper, Cairo, and Move
  • Don’t limit yourself to smart contracts; understand popular public blockchains like BTC, Cosmos, Solana, Starknet, EVM L2, and more
  • Beyond blockchain, gain insights into areas like Web2.0 and mobile development
  • Dive deeper into the field of cryptography
  • And more

2. Methodology

After mastering the skills of smart contract security auditing, you can develop your own methodology. This helps you quickly identify the core issues and determine problem-solving approaches. A good methodology can greatly increase your efficiency.

  • Methodology for auditing work
  • Methodology for smart contract security practices
  • Approaches to problem-solving
  • Building a thinking framework

3. Creativity

Creativity is the weapon that allows us to conquer challenges and the essential attribute for progress. After acquiring skills systematically, nurture your creativity to advance further.

  • Cultivate curiosity
    - Learn new things
    - Don’t limit yourself to your circle, profession, or field
  • Pursue knowledge relentlessly
    - Approach knowledge with reverence
    - Explore new realms of knowledge
  • Embrace the hacker mindset
    - Staying true to principles while thinking outside the box
  • Be adept at research
    - Aim for practical results and publish research
  • Implement engineering principles
    - Turn ideas and research into practical solutions and test them in real-world
    - SlowMist MistEye Monitoring System
    - SlowMist Contract Visibility Analysis Tool
    - SlowMist Static Vulnerability Scanner
    - And more

Acknowledgments

Special thanks to friends who provided valuable feedback:

  • Cos
  • 23pds
  • T41nk
  • Doublenine
  • Flush
  • Blue
  • Lizi

Thanks to Jian for the English translation and to Hik3 for designing the cover image.

Due to space limitations, all links mentioned in this document can be accessed on GitHub. Feel free to read and share:

https://github.com/slowmist/SlowMist-Learning-Roadmap-for-Becoming-a-Smart-Contract-Auditor

About SlowMist

SlowMist is a blockchain security firm established in January 2018. The firm was started by a team with over ten years of network security experience to become a global force. Their goal is to make the blockchain ecosystem as secure as possible for everyone. They are now a renowned international blockchain security firm that has worked on various well-known projects such as Huobi, OKX, Binance, imToken, Crypto.com, Amber Group, Klaytn, EOS, 1inch, PancakeSwap, TUSD, Alpaca Finance, MultiChain, Cheers UP, etc.

SlowMist offers a variety of services that include but are not limited to security audits, threat information, defense deployment, security consultants, and other security-related services. They offer AML (Anti-money laundering) software, Vulpush (Vulnerability monitoring) , SlowMist Hacked (Crypto hack archives), FireWall.x (Smart contract firewall) , Safe Staking and other SaaS products. They have partnerships with domestic and international firms such as Akamai, BitDefender, FireEye, RC², TianJi Partners, IPIP, etc.

By delivering a comprehensive security solution customized to individual projects, they can identify risks and prevent them from occurring. Their team was able to find and publish several high-risk blockchain security flaws. By doing so, they could spread awareness and raise the security standards in the blockchain ecosystem.

💬Website 🐦Twitter ⌨️GitHub

--

--

SlowMist

SlowMist is a Blockchain security firm established in 2018, providing services such as security audits, security consultants, red teaming, and more.