VulnCon Logo
Conference
Training
CTF
☰
vulncon
Chirag Agrawal
All things security at StockGro & Co-Founder Web3Sec.News
vulncon
Hemendra Sharma
Product Engineer, SquadStack

Name of Traning:

Mastering Web3 Security: Practical Insights and Case Studies

A full description of the training:

This two-day comprehensive training program in the realm of Web3 security is designed for both novice enthusiasts and seasoned professionals. This immersive course provides a deep dive into the fundamental principles, advanced methodologies, and real-world case studies of blockchain security

Through a meticulously crafted curriculum, participants will explore blockchain fundamentals, dissect smart contract security vulnerabilities, and engage in hands-on exercises to fortify their expertise. From understanding the basics of Ethereum and Solidity to conducting advanced security audits and analyzing live hack postmortems, this training equips you with the essential tools and insights to navigate the complexities of Web3 security confidently. Through intensive hands-on exercises, you'll gain real-world experience and confidence in conducting thorough smart contract audits.

KEY TAKEAWAYS:

  • Gain a comprehensive understanding of blockchain fundamentals, Ethereum, and smart contract security.
  • Identify and mitigate common vulnerabilities in smart contracts through hands-on exercises and case studies.
  • Explore advanced security audit techniques and tools for comprehensive blockchain security assessments.
  • Analyze real-life hack postmortems to deepen your understanding of security best practices and risk mitigation strategies.
  • Develop practical skills and insights to confidently navigate the evolving landscape of Web3 security and contribute to the advancement of decentralized ecosystems.

Outline of the Class

Day 1:

Foundations of Blockchain and Understanding Ethereum:

  1. Introduction to Blockchain: Exploring the decentralized ledger system and its significance in modern technology.
  2. Blockchain Components: Understanding the key elements that comprise a blockchain network, including nodes, blocks, and consensus mechanisms.
  3. Smart Contracts: Delving into the concept of smart contracts and their pivotal role in automating transactions on the blockchain.
  4. Introduction to Ethereum: An in-depth examination of Ethereum, a leading blockchain platform, and its distinctive features.
  5. Differences between Bitcoin and Ethereum: Contrasting the functionalities and use cases of Bitcoin and Ethereum within the blockchain ecosystem.
  6. Ethereum Architecture: Analyzing the architecture of Ethereum, including the Ethereum Virtual Machine (EVM) and its role in executing smart contracts.
  7. Ether (ETH) and Gas: Explaining the native cryptocurrency of Ethereum and the concept of gas as the transaction fee in Ethereum transactions.
  8. Smart Contracts on Ethereum: Hands-on exploration of smart contracts on the Ethereum platform, covering contract deployment, interaction, and state management.

Solidity Fundamentals and Environment Setup:

  1. Basics of Solidity Programming Language: A Comprehensive Overview of Solidity, the Primary Language Used for Writing Smart Contracts on Ethereum.
  2. Installing and Understanding MetaMask: Practical guidance on setting up MetaMask, a popular Ethereum wallet and gateway to decentralized applications (DApps).
  3. Learning to Use Remix: Hands-on tutorials on using Remix, an online integrated development environment (IDE) for writing, deploying, and testing smart contracts.

Smart Contract Security Vulnerabilities and Challenges:

  1. Insecure Pragma: Identifying vulnerabilities related to the declaration of the compiler version in smart contracts.
  2. Access Control Vulnerabilities: Exploring security risks associated with inadequate access control mechanisms in smart contracts.
  3. Precision Loss: Understanding potential vulnerabilities arising from loss of precision in arithmetic operations.
  4. Weak PRNG (Pseudo-Random Number Generation): Investigating the security implications of weak or predictable random number generation in smart contracts.
  5. Issues due to Zero Address Validation: Analyzing vulnerabilities resulting from improper validation of zero addresses in smart contracts.

Day 2:

Advanced Smart Contract Security Vulnerabilities and Hands-On Challenges:

  1. Faulty Loops: Identifying vulnerabilities stemming from flawed loop structures in smart contracts.
  2. Overflow and Underflow: Exploring risks associated with integer overflow and underflow vulnerabilities in smart contracts.
  3. Private on Chain Data: Investigating security concerns related to the exposure of private data on the blockchain.
  4. Gas Optimization: Strategies for optimizing gas usage in smart contracts to enhance efficiency and reduce costs.

Advanced Attack Vectors and Mitigation Techniques:

  1. Insecure Delegate Calls: Understanding the security risks associated with delegate calls in smart contracts and implementing mitigation strategies.
  2. Reentrancy: Exploring the reentrancy attack vector and implementing safeguards against reentrancy vulnerabilities.
  3. Signature Malleability: Analyzing vulnerabilities arising from the manipulation of digital signatures in smart contracts.
  4. Frontrunning Attacks: Investigating the risk of frontrunning attacks and implementing measures to mitigate their impact.
  5. Business Logic Bugs: Identifying and addressing vulnerabilities arising from flaws in smart contract logic.

Static Analysis and Security Tools:

Leveraging Static Analyzers: Introduction to popular static analysis tools such as MythX and Slither for smart contract security testing, including techniques for identifying vulnerabilities and assessing code quality.

Real-Life Hack Case Studies:

  1. FEI RARI Exploit (Reentrancy): Uncover the mechanisms behind a reentrancy exploit that targeted the FEI RARI protocol, examining how attackers exploited vulnerabilities to manipulate smart contract logic and execute malicious transactions.
  2. Curve Finance (JS Injection, DNS Hijacking): Explore the intricacies of a hack involving JavaScript injection and DNS hijacking within the Curve Finance protocol, analyzing the attack vectors and their impact on the platform's security and functionality.
  3. SOVRYN (Flash Loan): Investigate a flash loan attack on the SOVRYN protocol, dissecting the sophisticated techniques employed by attackers to exploit vulnerabilities and execute financially impactful transactions.
  4. RoastFootball (Weak PRNG): Examine the security breach experienced by RoastFootball, understand the PRNG Attack vulnerability exploited by attackers, and consider the repercussions of the breach on the platform's integrity and user trust.
  5. Allbridge Hack Analysis (Business logic vulnerability): Conduct a detailed analysis of the Allbridge hack, scrutinizing the business logic attack vectors utilized by threat actors and assessing the security implications for decentralized finance protocols and cross-chain interoperability solutions.

Throughout the course, participants will engage in hands-on exercises and challenges designed to reinforce theoretical concepts and enhance practical skills in smart contract security auditing.

Lab Requirements:

Laptop with the following specifications:
  • Ability to connect to wireless and wired networks.
  • Ability to read PDF files.
  • Administrative rights: USB allowed, ability to deactivate AV, firewall, install tools, etc.
  • Minimum of 8GB of RAM.
  • Sublime Code Editor.
  • Latest browser

PREREQUISITES:

  • A basic understanding of blockchain technology and cryptography
  • Familiarity with programming concepts (e.g., variables, functions)
  • Basic Solidity Programming

Trainer

vulncon
Chirag Agrawal
All things security at StockGro & Co-Founder Web3Sec.News

Chirag Agrawal, also known as "Raiders," is a prominent figure in cybersecurity, with three years of experience and achievements under his belt. As the Co-Founder of Web3Sec.News, the leading aggregator in web3 security, he plays a pivotal role in advancing cybersecurity within the blockchain community. With victories in competitions like Secureum races, winning RACE-14 with a TOP-32 quiz submission, and securing bounties in Code4rena contests,. His impactful contributions to platforms such as SolidityScan, Fuzzy.fyi, Octane Security, OSWAR, and Cyvers underscore his commitment to driving cybersecurity innovation in the blockchain landscape.His dedication to excellence and passion for cybersecurity make him a trusted mentor and guide on your journey to mastering Web3 security.

vulncon
Hemendra Sharma
Product Engineer, SquadStack

Hemendra Sharma is a dedicated professional actively immersed in the dynamic realms of web3 and devops. He serves as the DevOps lead at web3sec.news, bringing over 2 years of hands-on experience in web3 development and platform engineering. He specializes in diverse web3 protocols, cross-chain development, and web3 security. Continuously advancing in the web3 and devsecops fields, he not only contributes significantly to projects like web3sec.news but also exemplifies ongoing growth and expertise at the intersection of web3 and devsecops.