Davide Cioccia - Smart Contract Hacking in Solidity
Latest details, requirements, description, cost: https://defcontrainings.myshopify.co...ng-in-solidity
Training description:
A 2-day, fully hands-on training in which you will learn how to identify vulnerabilities in Smart Contracts written in Solidity. During the course we will work through 8+ labs inspired by the major hacks that cost companies millions of dollars: you will implement Smart Contracts, but also perform security reviews and detect security flaws using manual analysis and automated tools.
Some of the scenarios we will go through:
The list below contains some of the vulnerabilities that we will identify and fix in the labs:
- Any user can cash out the money from the smart contract
- Users can buy the subscription with any wei amount
- Any user can check the amount of money stored in the contract address
- Reentrancy vulnerability
- Block Timestamp Manipulation vulnerability
- Tx.origin: Authorization bypass
- Integer Overflow and Underflow
- BatchTransfer Overflow (CVE-2018-10299)
- Unprotected SELFDESTRUCT
- DelegateCall vulnerabilities
SSCH - Solidity Smart Contract Hacking
Learn how to hack and develop secure smart contracts in our 2-day course
Prerequisites:
Knowledge of the topics below is recommended but not mandatory for this course.
- Blockchain
- Blocks and transactions
- Smart contracts
- Proof of work and proof of stake
- Gas
- Basic understanding of decentralized applications and their applicability
Syllabus (module and topics):
- LAB: Manipulation Vulnerability
Authorization
- Authorization in Smart Contracts
- Open Zeppelin Contracts
- Modifiers
- LAB: Authorization done properly
- LAB: Tx.origin: Authorization bypass
DoS
- SELFDESTRUCT
- DoS with Block Gas Limit
- DoS with Failed Call
More vulnerabilities
- Integer Overflow and Underflow
- LAB: Transfer your funds, or mine
- LAB: BatchTransfer Overflow (CVE-2018-10299)
Libraries
- Embedded vs Linked libraries
- LAB: Delegatecall vs Call
- LAB: Secure your calls
Security auditing
- Manual vs automated
- Tools: mythril
- Tools: slither
- The SWC registry
- Reporting
Hack them all
- Final Smart Contract Hacking CTF
https://1337.dcodx.com/trainings/ssc...cking#syllabus
Student skill level:
The course is for beginner and intermediate students who have some knowledge of blockchain and smart contracts.
What should students bring to the Training?:
- Laptop with at least 8 GB RAM
- Chrome browser
Bio:
Davide Cioccia is the founder of dcodx, a cybersecurity firm focusing on bridging the gap between development and security, working together with development teams to create and promote the DevSecOps security culture.
He is one of the first contributors to the OWASP Mobile Security Testing Guide, a member of the SANS advisory board and Chapter Lead of DevSecCon Netherlands. He is also a speaker at international security conferences such as Black Hat, OWASP AppSec, DevSecCon, Hacktivity and regional OWASP security events, where he has presented different approaches and tools to automate mobile security testing in CI/CD, detect and prevent phishing attacks, and automate infrastructure security in the release cycle.
On the personal side he loves to play racket sports, from tennis to padel, from ping pong to beach tennis. So hit him up for a match if you are in the Netherlands.
Trainer(s) social media links:
https://www.linkedin.com/in/davidecioccia/
https://twitter.com/davide107
Previous Trainings:
https://www.youtube.com/watch?v=xYA-ajPH814
https://appsecus2018.sched.com/event...-cicd-pipeline
https://www.blackhat.com/eu-18/arsen...-cioccia-36753
DATE: Aug 15th to 16th 2022
TIME: 9am to 5pm PDT
VENUE: Caesars Forum Ballroom
TRAINER: Davide Cioccia
CERTIFICATE TEST AVAILABLE (after class): please purchase the certificate test separately
- 16 hours of training with a certificate of completion for some classes
- COVID safety: Masks required for indoor training
- Note: Classes that do not meet their minimum class size by July 15 will be canceled, please register early
- Note: Food is NOT included