Smart Contract Security Guidelines #3: The Dangers of Price Oracles - OpenZeppelin blog
This guide showcases the architecture, roles and subtleties of the most popular price oracles in Ethereum, and ways to integrate them safely using defensive programming practices.
Price oracles are one of the most critical pieces of infrastructure in DeFi. They come in different flavors, and inevitably carry associated security risks. In this session we’ll cover the most popular price oracles available in Ethereum, along with the security considerations you must bear in mind when integrating them into your project.
In this workshop, we will cover:
The need for price oracles in DeFi.
Architecture of popular price oracles in the space.
Security risks associated with each price oracle.
Must-have and nice-to-have safeguards when integrating price oracles.
Led by Martin Abbatemarco, Security Researcher, OpenZeppelin
Read the guidelines here: https://blog.openzeppelin.com/secure-smart-contract-guidelines-the-dangers-of-price-oracles/
Public Smart Contract Audits and Security Reviews | ConsenSys Diligence
ConsenSys Diligence has helped a wide range of projects across the blockchain ecosystem to ensure their protocols are ready for launch and built to protect users.
Stay up to date with the latest security insights on BitBlocksFinance: Smart Contract Audit, Skynet Scores, Security Oracle, CertiKShield and many more security-focused statistics.
CryptoZombies is The Most Popular, Interactive Solidity Tutorial That Will Help You Learn Blockchain Programming on Ethereum by Building Your Own Fun Game with Zombies — Master Blockchain Development with Web3, Infura, Metamask & Ethereum Smart Contracts and Become a Blockchain Developer in Record Time!
Can you master Solidity in 30 days? No, you cannot. Can you learn the basics and get started with the development of real-world projects using Solidity in 30 days? Yes, you sure can, and this article aims to provide you with a roadmap following which you can learn Solidity in a much more efficient way.

💡 Learning Hacks
“I realized that becoming a master of karate was not about learning 4,000 moves but about doing just a handful of moves 4,000 times.” — Chet Holmes
Before we proceed further, let’s talk about some hacks that I use for learning any skill or programming language faster.
Before going to bed, recite what you learned for 5 minutes.
Don’t push yourself beyond your capacity; always keep in mind that excellence can only be attained when it is organic.
Teach someone else (or just pretend to) what you learned.
Get proper sleep; research shows that sleeping between two learning sessions greatly improves retention.
Take notes by hand (yes, I agree that this might sound anti-digital, but believe me, it improves our knowledge retention).
Stay hydrated and exercise regularly. A healthy mind breeds a healthy body, and vice versa!

🏷️ [Day 1 - Day 5] JavaScript: The Starting Block
We all have different levels of experience and familiarity with programming languages. Now that you are here, I assume you are already familiar with basic JavaScript syntax and the object-oriented paradigm. If you are not, I would suggest you learn JavaScript before starting with Solidity. You don’t need to learn A-Z of JavaScript. All you need to get started is a basic understanding of JS syntax and object-oriented programming.
JavaScript Fundamentals: An Introduction to JavaScript; Manuals and specifications; Code editors; Developer console; Hello, world!; Variables; Data types; Type Conversions; Basic operators, maths; Comparisons; Conditional branching: if, ‘?’; Logical operators; Nullish coalescing operator ‘??’; Loops: while and for; The “switch” statement; Functions; Function expressions; Arrow functions, the basics; Objects; Object references and copying; Garbage collection; Object methods, “this”; Constructor, operator “new”; Object to primitive conversion; Class basic syntax; Class inheritance; Static properties and methods; Private and protected properties and methods; Extending built-in classes; Class checking: “instanceof”; Callbacks; Promise; Promises chaining; Error handling with promises; Promise API; Promisification; Async/Await; Generators.

🏷️ [Day 6] Frameworks
We learned JavaScript and now we have a fairly decent understanding of object-oriented programming as well. What next? Can we start learning Solidity now? Yes, we can. As we are just getting started with Solidity, I would suggest you use Remix IDE for writing and compiling Solidity code for now. As we gain more experience and familiarity with Solidity, we will start using a more robust dapp development framework (such as Truffle, Hardhat, Dapptools, etc.), because building a full-fledged decentralized application requires different pieces of technology, and software frameworks include many of those needed features. Even though we are not going to use any of these frameworks as of now, we need to know what frameworks are available to build dapps.
Truffle - A development environment, testing framework, build pipeline, and other tools.
Hardhat - Ethereum development environment for professionals.
Brownie - Python-based development environment and testing framework.
Embark - A development environment, testing framework, and other tools integrated with Ethereum, IPFS, and Whisper.
Web3j - A platform for developing blockchain applications on the JVM.
OpenZeppelin SDK - The Ultimate Smart Contract Toolkit: A suite of tools to help you develop, compile, upgrade, deploy and interact with smart contracts.
Create Eth App - Create Ethereum-powered apps with one command. Comes with a wide offering of UI frameworks and DeFi templates to choose from.
Scaffold-Eth - Ethers.js + Hardhat + React components and hooks for web3: everything you need to get started building decentralized applications powered by smart contracts.
Alchemy - Ethereum Development Platform.
Dapptools - A suite of Ethereum-focused CLI tools following the Unix design philosophy, favoring composability, configurability and extensibility.

🏷️ [Day 7 - Day 10] Understanding Solidity
Solidity is an object-oriented/contract-oriented, high-level language for writing smart contracts. It is statically typed, supports inheritance, and is heavily influenced by C++, Python and JavaScript.
⚠️ Note: The following URLs will become outdated as soon as new versions of Solidity are released. I will try to update these URLs every month, but if I fail to do so for some reason, readers are advised to refer to the latest documentation.
Day 7: Introduction to Smart Contracts; Installing the Solidity Compiler; Layout of a Solidity Source File; Structure of a Contract; Data Types; Units and Globally Available Variables.
Day 8: Expressions and Control Structures; Inline Assembly; Language Grammar.
Day 9: Using the Compiler; Analysing the Compiler Output; Layout of State Variables in Storage; Layout in Memory.
Day 10: Contract Metadata; Contract ABI Specification.

🏷️ [Day 11] Break
We have been on a learning streak for the past ten consecutive days. I believe it is time you took a day out for yourself. You are doing very well so far and you deserve a break. Go out, treat yourself to your favorite food, give food to some street animals, spread love and have fun ❤️😊.

🏷️ [Day 12 - Day 17] Hands-on Practice
We are familiar with the Solidity documentation now. It is time to write actual code; let’s practice Solidity by understanding and re-writing the following example contracts:
Day 12: Hello World; First App; Primitive Data Types; Variables; Reading and Writing to a State Variable; Ether and Wei.
Day 13: Gas and Gas Price; If / Else; For and While Loop; Mapping; Array; Enum; Structs.
Day 14: Data Locations - Storage, Memory and Calldata; Function; View and Pure Functions; Error; Function Modifier; Events.
Day 15: Constructor; Inheritance; Shadowing Inherited State Variables; Calling Parent Contracts; Visibility; Interface; Payable.
Day 16: Sending Ether - Transfer, Send, and Call; Fallback; Call; Delegatecall; Function Selector; Calling Other Contract.
Day 17: Creating Contracts from a Contract; Try / Catch; Import; Library; Hashing with Keccak256; Verifying Signature.

🏷️ [Day 18 - Day 19] Micro-projects
From Day 12 to Day 17, we completed code practice of various Solidity concepts; now it is time to put all of those learnings from previous days into micro-projects.
Day 18: Multi Sig Wallet; Merkle Tree; Iterable Mapping; ERC 20.
Day 19: Precompute Contract Address with Create2; Minimal Proxy Contract; Uni-directional Payment Channel; Bi-directional Payment Channel.

🏷️ [Day 20] Break
We have been on a learning streak for the past eight consecutive days. I believe it is time you took a day out for yourself. You are doing very well so far and you deserve a break. Go out, treat yourself to your favorite food, give food to some street animals, spread love and have fun ❤️😊.

🏷️ [Day 21 - Day 25] Security Considerations
We are now familiar with the foundational concepts of Solidity programming; it is the right time for us to understand what common vulnerabilities can be present in smart contracts and how you can spot and mitigate them.
Day 21: What is Reentrancy; What is Junk Code (Code With No Effects); What is Unencrypted Private Data On-Chain; What is Integer Overflow and Underflow.
Day 22: What is Floating Pragma; What is Unchecked Call Return Value; What is Unprotected SELFDESTRUCT Instruction; State Variable Default Visibility.
Day 23: What is Uninitialized Storage Pointer; Use of Deprecated Solidity Functions; DoS with Failed Call; Authorization through tx.origin.
Day 24: Signature Malleability; Weak Sources of Randomness from Chain Attributes; Lack of Proper Signature Verification; Missing Protection against Signature Replay Attacks.
Day 25: Insufficient Gas Griefing; DoS With Block Gas Limit; Hash Collisions With Multiple Variable Length Arguments; Message call with hardcoded gas amount; Oracle Manipulation.

🏷️ [Day 26 - Day 27] Tools and Frameworks
During these two days, our goal is to get familiar with existing tools and frameworks which can be useful while performing security audits of smart contracts. Please note that there is no need to know A-Z about these tools for now; just play around with them, get familiar, test them out, and most importantly, have fun!
Day 26: Visualization Tools: Solidity Visual Developer; Surya; Solgraph; EVM Lab; ethereum-graph-debugger; Piet. Linters and formatters: Ethlint; Prettier + Solidity Plugin; Solhint.
Day 27: Static and Dynamic Analysis: Oyente; Octopus; Vertigo; MythX; Mythril; Slither; Echidna.

🏷️ [Day 28 - Day 29] Reading audit reports
During these two days, we will go through publicly available smart contract audit reports and see what kind of real-world vulnerabilities are generally present in Solidity code. I believe there is no need for me to include a list of URLs that host public audit reports, as they are just a Google search away.

🏷️ [Day 30] Break
We have been on a learning streak for the past eight consecutive days. I believe it is time you took a day out for yourself. You are doing very well so far and you deserve a break. Go out, treat yourself to your favorite food, give food to some street animals, spread love and have fun ❤️😊.

💪 30 Days Challenge
If you do start this 30-day challenge, you can post your progress on Twitter with the hashtag #30DaysOfSolidity, and don’t forget to tag me @0xAsm0d3us. I’ll be happy to see your progress. For any query, you can reach out to me via Twitter; I’ll be glad to help. All the best ❤️

💌 Want to support my work?
If you think my work has added some value to your existing knowledge, then you can Buy me a Coffee here (and who doesn’t love a good cup of coffee?)
Chapter 9: Smart Contract Security - Floating Point and Precision - 《Mastering Ethereum》 - 书栈网 · BookStack
Floating Point and Precision: The Vulnerability; Preventative Techniques; Real-World Example: Ethstick. Mastering Ethereum is a book for developers, offering a guide to the operation and use of the Ethereum,
x676f64/secureum-mind_map: This repo is actively maintained. Perform git pull's regularly for now.
This channel provides free education about smart contracts on open decentralized blockchains. Join us in our adventures where we explore cutting edge innovations in smart contract programming, security and applications.
Just what are elliptic curves, and why use a graph shape in cryptography? Dr Mike Pound explains. Mike's myriad Diffie-Hellman videos: https://www.youtube.com/...