- Home
- CFP
- Registration
- Training
- Schedule
- Speakers
- CXO Track
- CTF
- Exhibition
- Live Bug Hunting
- Hack Young
- Resume Clinic
- Media Pass
- Sponsors
- For You
- Venue
- Volunteer
- Nullcon Goa Sep 2022
- Training
- HackFi - hacking smart contracts
Trainer Name: Chaitanya RK
Title: HackFi - hacking smart contracts
Duration: 3 Days
Dates: Sept. 6, 2022 To Sept. 8, 2022
TRAINING OBJECTIVES
Blockchains are revolutionary technologies that allow for secure, distributed, decentralized information storage. Blockchains disrupt the finance industry via DeFi, governance via DAOs, and collectibles via NFTs. Over the past few years, the blockchain has taken the engineering landscape by storm. However, due to the relative newness of blockchain compared to traditional technologies, its use is still hindered by speculation, confusion, uncertainty, and risk.
Training level: Basic; Intermediate
TRAINING PREVIEW:
In this course, we shall take a holistic look at security, from the theoretical foundations of the blockchain and smart contracts to finding and exploiting vulnerabilities in smart contracts.
First, this course will give you all the prerequisites to understand blockchain and smart contracts' architecture and major components. Then, we will create and set up a development and testing environment allowing us to efficiently build, deploy and debug smart contracts on the local test net. We will learn how to find vulnerabilities and exploit vulnerabilities in the local testing environment. We will also leverage security tooling, such as Slither and Mythril, to detect smart contract vulnerabilities automatically.
Some of the skills and techniques you will learn are:
- How to interact with and get data from public blockchains
- How to write smart contracts in Solidity
- How to find vulnerabilities in smart contract
- How to test and exploit vulnerabilities in smart contracts
TRAINING OUTLINE:
Day 1
What Is Blockchain?
- Definitions and Origins
- Types of Distributed Consensus
- Purposes and Uses Cases
- A brief introduction to Consensus mechanisms [Proof of Work/Mining/Proof of Stake]
What Is a Smart Contract?
- Introduction to Smart Contracts
- Smart Contract Use Cases and Platforms
- A brief history of smart contracts hacks
Keys, Wallets, and Cryptography
- Hashing Functions
- Wallets
- Mnemonic Keys
Introduction to Ethereum
- Ethereum Architecture
- Ethereum block explorers
- Components of a Transaction
- API, Nodes, and Clients
Day 2
Smart Contract Security
The Smart Contract Lifecycle
- The Architecture and Concepts of Ethereum
- Tools for the Ethereum Blockchain
Introduction to Solidity
- Solidity language description
- The layout of State Variables in Storage
- Layout in Memory
- Contract ABI Specification
- Compiling a Contract
- Deploying a Contract
- Interacting with a Smart Contract
Common security flaws with examples
- Types of Vulnerabilities
- Transactions on Ethereum in depth
- Integer overflows and underflows
- Race conditions in ERC20
- Access controls
- Re-entrancy
- Transaction ordering dependence (TOD) and front running
- Library design flaws
Day 3
Static and Dynamic testing
- Introduction to static analysis using Slither/
- Introduction to dynamic analysis using Echidna
- Audits
Attacking and Exploiting Smart Contracts
- Exploiting Ethereum Smart Contracts (Ethernet)
- Case Study: The DAO Hack
- Understanding cross-bridges and their flaws
- Lessons from the Wormhole Exploit
Final Q & A
WHAT TO BRING?
- A laptop that supports Docker
- Please install Docker and make sure it runs Docker images
TRAINING PREREQUISITES:
- Basic understanding of programming language
- Solidity knowledge is a plus, but not required
WHO SHOULD ATTEND?
- Blockchain and smart contract developers
- Security engineers
- Bug bounty hunters
WHAT TO EXPECT?
- Learn basics of blockchain and smart contracts
- How to interact with and get data from public blockchains
- How to write smart contracts in Solidity
- How to find vulnerabilities in smart contract
- How to test and exploit vulnerabilities in smart contracts
WHAT ATTENDEES WILL GET?
- Training material
- Access to trainer post-training
WHAT NOT TO EXPECT?
- Guidance on crypto investment
- Programming introduction
About Trainer
Chaitanya (ant4g0nist), the co-founder of [WeFuzz](https://wefuzz.io), has over a decade of experience in Development and security. He focuses primarily on vulnerability research, fuzzing smart contracts, fuzzing Apple platforms (macOS/iOS), and blockchain security.
Chaitanya's interest lies in fuzzing, emulation, baseband, and exploit Development that resulted in numerous vulnerabilities leading to 0-click/1-click exploits (CVE-2015-3723, CVE-2016-1737, CVE-2016-1740, CVE-2017-7031). Chaitanya's work on blockchain development and security is backed by foundations and companies like Coinbase, Tezos, etc.
He has also contributed to developers and security communities by creating multiple open-source projects, some of them include:
- [Chinstrap](https://chinstrap.io):
A development environment, testing framework, and origination pipeline focused solely on Tezos - Monty: A Python to Solana program (rust) transpiler
- [lisa.py](https://github.com/ant4g0nist/lisa.py):
An exploit dev Swiss Army Knife - [ManuFuzzer](https://github.com/ant4g0nist/ManuFuzzer):
Binary code-coverage fuzzer for macOS, based on libFuzzer and LLVM - [Vulnerable-Kext](https://github.com/ant4g0nist/Vulnerable-Kext):
A "Vulnerable by Design" kernel driver for iOS/macOS to play & learn *OS kernel exploitation