Let's make the web3 industry more secure!

Community


DeFiHackLabs


Community Whitehat (145)

Sun


DeFi Hacks Analysis - Root Cause


English version (400 Incidents)

Traditional Chinese version

Simplified Chinese version

Korean version

Japanese version

Vietnamese version

Spanish version


DeFiVulnLabs Solidity Security Testing Guide

English version

Web3 Cybersecurity Academy

Substack

OnChain transaction debugging

Solidity smart contract security and auditing techniques

Move programming language secure development

Enhancing user asset security

Informative Tweet

[Tools] Identify a DeFi scam token

[Tools] Mev watcher & Real time threat alert

[Tools] Intro transaction debugging tools

[Course] Web3 security awareness course for users

1.Nine Common Web3 Hacks and Scams

2.Blind signing

3.[Quiz] User security awareness testing

4.Event spoofing - fake records on etherscan!

5.Top 5 crypto drainers you should know

[Course] Web3 security course for devs

1.Read-only reentrancy

2.Divide before multiply

3.Unchecked return value

4.Data location - storage vs memory

5.Unchecked external call - call injection [REF]

6.Deflationary/fee-on-transfer tokens

7.Phantom function - Permit Function

8.Empty loop

9.First deposit bug

10.Price manipulation - balanceOf

11.ecrecover returns address(0)

12.Oracle data feed is insufficiently validated

13.Precision Loss - Rounded down to zero

14.Slippage - Incorrect deadline & slippage amount

15.abi.encodePacked() Hash Collisions

16.Struct Deletion Oversight

17.Array Deletion Oversight

18.txGasPrice manipulation

19.Return vs break

20.Incorrect use of payable.transfer() or send()

21.Unauthorized NFT Transfer in custom ERC721 implementation

22.Missing check for Self-Transfer allows funds to be lost

23.Incorrect implementation of the recoverERC20()

24.Missing flash loan initiator check

25.Unsafe downcasting

26.Incorrect sanity checks

27.Web3 DevSecOps is very important!

[Chinese] Spot the Bug (大家來找碴)
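Item 15 of the developer course above, abi.encodePacked() hash collisions, is easy to reproduce off-chain. The following Python is an added example written for this page, not code from DeFiHackLabs or from the course itself. It models the two ABI encodings Solidity offers for dynamic types: abi.encodePacked(), which concatenates the raw bytes with no length prefix, so ("ab","c") and ("a","bc") pack to identical bytes and therefore identical keccak256 digests; and abi.encode(), whose head/tail layout carries every string's length, so the two argument lists can no longer collide. The helper names (abi_encode_packed, abi_encode_strings, packed_collides) are this example's own. hashlib.sha3_256 stands in for keccak256 (Solidity's keccak uses different padding, but both are deterministic, so identical inputs collide under either).

```python
import hashlib


def abi_encode_packed(*args: bytes) -> bytes:
    """Model of abi.encodePacked() for dynamic types: bare concatenation,
    no length prefix, no padding. Ambiguous whenever two or more arguments
    are variable-length."""
    return b"".join(args)


def _word(n: int) -> bytes:
    # One 32-byte big-endian ABI word.
    return n.to_bytes(32, "big")


def _pad32(b: bytes) -> bytes:
    # Right-pad dynamic data to a multiple of 32 bytes, as abi.encode does.
    return b + b"\x00" * (-len(b) % 32)


def abi_encode_strings(*args: bytes) -> bytes:
    """Model of abi.encode() for a tuple of string/bytes arguments.
    Head: one offset word per argument pointing into the tail.
    Tail: for each argument, a length word followed by padded data.
    Because lengths are encoded, the boundary between arguments is unambiguous."""
    head = b""
    tail = b""
    head_size = 32 * len(args)
    for a in args:
        head += _word(head_size + len(tail))
        tail += _word(len(a)) + _pad32(a)
    return head + tail


def digest(encoded: bytes) -> str:
    # Stand-in for keccak256; Solidity's hash differs in padding but the
    # collision property of equal preimages is the same.
    return hashlib.sha3_256(encoded).hexdigest()


def packed_collides(a: tuple, b: tuple) -> bool:
    """True when two distinct argument tuples hash identically under the
    packed encoding. A signature or role scheme keyed on this hash would
    treat both inputs as the same message."""
    return a != b and digest(abi_encode_packed(*a)) == digest(abi_encode_packed(*b))


def safe_collides(a: tuple, b: tuple) -> bool:
    """Same check against the length-prefixed encoding; should be False."""
    return a != b and digest(abi_encode_strings(*a)) == digest(abi_encode_strings(*b))


if __name__ == "__main__":
    # Constructed inputs: both tuples concatenate to b"abc".
    first, second = (b"ab", b"c"), (b"a", b"bc")
    print("packed collision:", packed_collides(first, second))   # True
    print("abi.encode collision:", safe_collides(first, second))  # False
```

Practical check while auditing: any keccak256(abi.encodePacked(...)) with two or more dynamic-type arguments (string, bytes, arrays) is a candidate for this class; the fix is abi.encode(), or a fixed-size separator/type argument between the dynamic fields.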

Resources

Github

**DeFiHackLabs:** Reproduce DeFi hacked incidents using Foundry.

**DeFiVulnLabs:** To learn common smart contract vulnerabilities using Foundry.

**DeFiLabs:** Test DeFi protocols on-chain using Foundry.

**Blockchain-ctfs:** A curated list of blockchain security Capture the Flag (CTF) competitions

**Web3-Security-Library:** Information about web3 security and programming tutorials/tools

**Building Secure Smart Contracts:** Guidelines and best practices for writing secure smart contracts.

**Defi-fork-bugs:** Bugs in commonly forked DeFi protocols.

**damn-vulnerable-defi-v4-solutions:** CTF writeup.

SunSec HackMD


Transaction debugging tools

Phalcon | Tx.viewer | Cruise | Ethtx | New-ethtx | Tenderly


Ethereum signature database

4byte | sig.eth | etherface


Useful tools

ABI to interface | Get ABI for unverified contracts | ETH Calldata Decoder | abi.ninja | miniscan | decode-calldata | calldata-decoder | abi-guesser | Codeslaw | ABI tools | ContractReader | upgradehub | cookbook | evm.storage | rollup.codes | eth-toolbox | smartsechub | evmdiff | contract-diff | abi-guesser-cli | evmole | Blockscan Multichain Explorer | Personal Security Checklist | masamune bug search | Solidity Bugs Version Database | evmole (view function selectors)


Hacks dashboard

Slowmist | Quillaudits | Defillama | Defiyield | Rekt | Cryptosec | BlockSec | LUMOS


MEV watcher

Eigenphi | Metablock | Mevboost | Flashbots | Mevwatch


Real time threat alert

Forta | Peckshield | Beosin | Quillmonitor


DeFi scam token check

tokensniffer | goPlus | honeypot | bscheck | detecthoneypot | defisafety | gopluslabs | Quillcheck


Cross chain - Bridge explorer

Socketscan | LayerZeroScan


Blockchain Security Newsletters

Web3sec.news | Blockchain Threat Intelligence | Fairyproof | Quillaudits | Secureum


Transaction debugging videos

samczsun's eth txn explorer and vscode extension

Vulnerabilities in DeFi by Daniel

Tenderly 101 Tutorial

Tenderly.co - Debug Transaction


Audit report

solodit | web3sec audit report | theauditorbook | audit-collections | audit-hero


Blockchain security darkhandbook

OSWAR - Open Standard Web3 Attack Reference