Ever wonder what tools and knowledge are needed to start bug hunting in smart contracts? One of our application security engineers has put together a short guide that will help you get started!
A bug bounty for smart contracts bug bounty is not that different from a typical bug bounty for a web application. Basically, a smart contract is an application that runs on blockchain. Every application has vulnerabilities, and smart contracts are no exception.
In order to be a Solidity smart contract bug hunter, you need to possess the skill sets of a Solidity developer and an application security engineer. You need the former to read and understand the code, and the latter gives you the skills necessary to find and exploit vulnerabilities.
Here are 4 steps to start Solidity bug hunting:
We would advise starting by learning the basics of Ethereum blockchain concepts (you can skip this step but it is worth learning). There are a lot of good resources to be found online.
Here are some good options:
The best resource to start learning Solidity programming is CryptoZombies. It is a step-by-step guide for developing a simple Solidity game. After completing the course you will understand the main concepts of contract-oriented programming.
Another great way to learn is to find manuals online and just go through them in detail. Some resources that we can recommend are:
- Solidity Docs
- A 101 Noob Intro to Programming Smart Contracts on Ethereum
- Learn X in Y minutes
- use your Googling skills to find more 😉
Once you will start to feel comfortable with Solidity it’s time to check your understanding of the language.
Step 1: Read and try to understand some typical examples of Solidity contracts.
Step 2: Study a few random contracts from the OpenZeppelin repository.
Step 3: Try to run a contract. The simplest way to run a Solidity smart contract is to use Remix IDE. It is intuitive and you can understand it without any additional lessons if you have ever used a different IDE. In case you need any help you can check out the official documentation.
It’s pretty tough, isn’t it? There are some tools can make your life easier –
They are automatic scanners for Solidity smart contracts. There are even more useful tools around, but these should be enough for a start. Install them and test some contracts for practice. Important note: they also have a high level of false positives – check the results manually before reporting.
Now it’s time to get some final practice. These are a couple repositories with several contracts that have known vulnerabilities and some hints to help you:
There are also a few very interesting CTFs :
Once you had enough sandbox practice it’s time to test your skills in the real world – welcome to HackenProof. We always have some smart contract bug bounty programs to play around with. You can also test open source projects on GitHub and contribute there.
If you have any questions feel free to hit us up via email [email protected] – we’re always happy to help our community and we may have some opportunities for the most talented members!
Contributed by Pavlo Rachuk, application security engineer at Hacken