
CANCELED Yan Shoshitaishvili & Wen Xu - Starting out with Smartcontract Security

    Posted by number6:

    Yan Shoshitaishvili & Wen Xu - Starting out with Smartcontract Security
    Latest details, requirements, description, cost: https://defcontrainings.myshopify.co...tract-security


    Training description:

    Blockchain, Cryptocurrency, Smart Contracts, DeFi, "Web3": these buzzwords are increasingly flowing into twitter conversations and news articles, sometimes describing crazy hacks and sometimes deriding crazy people. But beneath all the drama is a complex landscape of fascinating algorithms that work together to enable some, if we step away from the cryptobroing, really cool stuff!

    Getting started in "web3" security is hard: while stories of hacks abound, there is a dearth of approachable educational material. This training is the first step in changing that. Over the course of two days, we will push you from the very fundamentals of blockchains all the way through to the analysis of smart contracts for vulnerabilities, and even toward their exploitation. We hope that you will take this power and do good: finding and fixing bugs in an emerging area of distributed finance!

    Class outline (hour-by-hour):
    The class will be split into a very quick introduction followed by four modules. Based on the pwn.college platform, each module consists of educational material and in-depth, hands-on practice problems (hosted on our infrastructure and accessible over the browser, so there will be no setup cost for the participants).

    Course overview:

    Day 1 (the first two modules) will cover blockchain basics, while Day 2 (the second two modules) will cover smartcontract security.


    Module 0: Introduction, including a Very Brief Overview of one-way hash functions (1h)
    Mostly lecture, with a small series of challenges exploring the difference between safe and unsafe hash functions (e.g., crc32 vs sha256).


    Module 1: The basics of blockchain, merkle trees, and simple consensus (3h)
    Lectures on the topics (45 min).
    Challenges on forging entries in a merkle tree with unsafe hashes (45 min).
    Challenges on breaking consensus via merkle trees with unsafe hashes (45 min).
    Challenges on participating in a merkle tree-based consensus algorithm (45 min).


    Module 2: Cryptocurrency, wallets, and transactions (4h)
    Lecture on the topics (1 hour)
    Challenges on using blockchain consensus to track account balances (1 hour).
    Challenges using blockchain consensus to "mine" coins (1 hour).
    Putting it together: simple blockchain-based cryptocurrency (1 hour).


    Module 3: Smart contracts and their vulnerabilities (4h)
    Topics covered through lectures (1 hour):
    Ethereum Virtual Machine (EVM) and smart contracts
    Storage and memory
    Opcode and gas
    Message call
    Construction and destruction
    Challenges exploring common smart contract vulnerabilities:
    Re-entrancy (1 hour)
    Integer overflow (1 hour)
    Unsafe .call() and .delegatecall() (1 hour)


    Module 4: Distributed vulnerabilities in smart contracts (4h)
    Lectures covering an introduction to DeFi (1 hour)
    Tokens: ERC20
    Decentralized lending
    Decentralized exchange (DEX)
    Challenges exploring DeFi attacks (3 hours)
    Flash loan attack (1.5 hours)
    Price oracle manipulation (1.5 hours)

    Student skill level:

    Basic/Advanced. The material will start quite approachable but will get increasingly complex. Smart contracts are interesting in that the complexity does not arise from archaic binary formats, but from tricky interactions of logic and protocols. Thus, though the only real prerequisite knowledge is a workable understanding of the concept of one-way hash functions, more and more intelligence will be required as the course moves onward.



    What should students bring to the Training?:

    - A laptop or tablet with a web browser. The pwn.college platform provides all the tooling via web-accessible KVM-capable containers. Try it for yourself (with the existing binary analysis content) now!



    Bios:

    This training is hosted by Pwned No More (PNM). PNM is a white-hat hackers' guild. We are building infrastructure, tooling and a new organizational paradigm to empower white hats, protect their value creation and unleash their superhero firepower, to stand together and protect the crypto/Web3 new world.
    Link: https://pwnednomore.org/


    Wen:
    Wen Xu is the co-founder of PNM and Narya Labs. He has been working as a security researcher for a decade. His research is focused on developing automated systems for finding bugs in modern software. He has discovered hundreds of bugs in operating systems and web browsers. His work has been published at IEEE S&P, ACM CCS, USENIX Security, NDSS, Black Hat USA, etc. In addition, he is a winner of Pwn2Own and DEF CON CTF.

    Yan:
    Yan Shoshitaishvili is an Assistant Professor at Arizona State University, where he pursues parallel passions of cybersecurity research, real-world impact, and education. His research focuses on automated program analysis and vulnerability detection techniques. Aside from publishing dozens of research papers in top academic venues, Yan led Shellphish’s participation in the DARPA Cyber Grand Challenge, achieving the creation of a fully autonomous hacking system that won third place in the competition.

    Underpinning much of his research is angr, the open-source program analysis framework created by Yan and his collaborators. This framework has powered hundreds of research papers, helped find thousands of security bugs, and continues to be used in research labs and companies around the world.

    When he is not doing research, Yan participates in the enthusiast and educational cybersecurity communities. He is a Captain Emeritus of Shellphish, one of the oldest ethical hacking groups in the world, and a founder of the Order of the Overflow, with whom he ran DEF CON CTF, the “world championship” of cybersecurity competitions, from 2018 through 2021. Now, he helps demystify the hacking scene as a co-host of the CTF RadiOOO podcast. In order to inspire students to pursue cybersecurity (and, ultimately, compete at DEF CON!), Yan created pwn.college, an open practice-makes-perfect learning platform that is revolutionizing cybersecurity education for aspiring hackers around the world. This, in turn, has led to Yan's interest in educating the next generation of smartcontract security professionals and his involvement in the core team of PNM.

    Trainer(s) social media links:

    PNM DAO: https://twitter.com/pwnednomore
    Wen: https://twitter.com/0xtarafans
    Yan: https://twitter.com/zardus

    Previous Trainings:

    angr binary analysis training, ACSAC, December 2016: https://www.acsac.org/2016/program-files/p60.html
    angr binary analysis training, SECDEV, September 2017: https://www.computer.org/csdl/procee...08/12OmNwHQB8A

    DATE:Aug 15th to 16th 2022
    TIME:9am to 5pm PDT
    VENUE:Caesars Forum Ballroom
    TRAINER:Yan Shoshitaishvili & Wen Xu

    CERTIFICATE TEST AVAILABLE (45 minutes after class) Please purchase Certificate test

    - 16 hours of training with a certificate of completion for some classes
    - COVID safety: Masks required for indoor training
    - Note: Classes that do not meet their minimum class size by July 15 will be canceled, please register early
    - Note: Food is NOT included

    Last edited by number6; July 30, 2022, 19:43.
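The Module 0 and Module 1 challenges in the outline above (safe vs. unsafe hash functions, forging entries in a Merkle tree built on an unsafe hash) as an added Python example; this is not code from the training or from the pwn.college platform. It builds a small Merkle tree parameterised by the hash, then uses the linearity of CRC-32 to append four bytes to a replacement leaf so that its crc32 matches the original leaf's, leaving the crc32 root unchanged; the same tampering is caught by sha256. The leaf prefixes, the sample ledger entries and the function names (merkle_root, crc32_suffix, forge_leaf, demo) are assumptions made for the example.

```python
import hashlib
import zlib

# --- Two hash functions: one safe (sha256), one unsafe (crc32) ---

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def crc32(data: bytes) -> bytes:
    # zlib's CRC-32 as a 4-byte big-endian "digest". It is fast, but linear,
    # so it offers neither collision nor second-preimage resistance.
    return zlib.crc32(data).to_bytes(4, "big")

# --- A minimal Merkle tree over a list of leaves, parameterised by the hash ---

def merkle_root(leaves, h) -> bytes:
    level = [h(b"\x00" + leaf) for leaf in leaves]        # 0x00 prefix: leaf node
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])                        # duplicate last node on odd levels
        level = [h(b"\x01" + level[i] + level[i + 1])      # 0x01 prefix: inner node
                 for i in range(0, len(level), 2)]
    return level[0]

# --- Forging a CRC-32 second preimage (the "unsafe hash" half of the challenge) ---

_POLY = 0xEDB88320                      # reflected CRC-32 polynomial used by zlib
_TABLE = []
for _n in range(256):
    _c = _n
    for _ in range(8):
        _c = (_c >> 1) ^ _POLY if _c & 1 else _c >> 1
    _TABLE.append(_c)

def crc32_suffix(prefix: bytes, target: int) -> bytes:
    """Return 4 bytes s such that zlib.crc32(prefix + s) == target."""
    reg = zlib.crc32(prefix) ^ 0xFFFFFFFF   # internal register state after the prefix
    want = target ^ 0xFFFFFFFF              # internal state that yields `target` after final XOR
    # Walk backwards from the wanted state. Every table entry has a distinct top
    # byte, so the top byte of each intermediate state pins down which entry was
    # XORed in at that step; the low byte is unknown but never needed here.
    indices = []
    w = want
    for _ in range(4):
        i = next(i for i in range(256) if _TABLE[i] >> 24 == w >> 24)
        indices.append(i)
        w = ((w ^ _TABLE[i]) << 8) & 0xFFFFFFFF
    # Walk forwards from the real register, choosing each input byte so that the
    # CRC update (reg = T[(reg ^ b) & 0xFF] ^ (reg >> 8)) hits exactly that entry.
    out = bytearray()
    for i in reversed(indices):
        b = (reg ^ i) & 0xFF
        out.append(b)
        reg = _TABLE[i] ^ (reg >> 8)
    return bytes(out)

def forge_leaf(original: bytes, replacement: bytes) -> bytes:
    """Append 4 bytes to `replacement` so its crc32 leaf hash equals `original`'s."""
    target = zlib.crc32(b"\x00" + original)
    return replacement + crc32_suffix(b"\x00" + replacement, target)

def demo() -> dict:
    leaves = [b"pay alice 10", b"pay bob 5", b"pay carol 7"]   # constructed sample ledger
    forged = forge_leaf(leaves[0], b"pay mallory 10")
    tampered = [forged] + leaves[1:]
    return {
        "forged_leaf": forged,
        "crc32_root_unchanged": merkle_root(leaves, crc32) == merkle_root(tampered, crc32),
        "sha256_root_unchanged": merkle_root(leaves, sha256) == merkle_root(tampered, sha256),
    }

if __name__ == "__main__":
    print(demo())
```

The forged leaf is the replacement text plus four attacker-chosen bytes; any verifier that accepts a crc32-based root as proof of membership accepts the tampered ledger, while the sha256 root changes and the tampering is detected.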
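The re-entrancy challenge listed under Module 3 above, as an added example that is not part of the original post and not the training's own material: a Python simulation of the bug rather than Solidity, so it runs without an EVM. The Bank class stands in for a vault contract with a shared pool of coins; in the vulnerable ordering it pays the caller before zeroing the caller's balance, and the Attacker's receive hook re-enters withdraw while the balance is still credited. The hardened ordering (checks, then effects, then interactions) zeroes the balance before the call. All names (Bank, Account, Attacker, run_attack) and the deposit amounts are assumptions made for the example.

```python
class Revert(Exception):
    """Stands in for an EVM revert: the failing call is abandoned."""


class Account:
    """An externally owned account: receiving coins has no side effects."""

    def __init__(self, name: str):
        self.name = name
        self.wallet = 0

    def receive(self, bank: "Bank", amount: int) -> None:
        self.wallet += amount


class Bank:
    """Toy vault 'contract': a shared pool of coins plus per-account balances."""

    def __init__(self, safe: bool):
        self.safe = safe                  # True = checks-effects-interactions ordering
        self.balances: dict[str, int] = {}
        self.pool = 0

    def balance_of(self, name: str) -> int:
        return self.balances.get(name, 0)

    def deposit(self, who: Account, amount: int) -> None:
        self.balances[who.name] = self.balance_of(who.name) + amount
        self.pool += amount

    def withdraw(self, who: Account) -> None:
        amount = self.balance_of(who.name)
        if amount == 0 or self.pool < amount:        # checks
            raise Revert("nothing to withdraw")
        if self.safe:
            self.balances[who.name] = 0              # effects before the external call
        self.pool -= amount
        who.receive(self, amount)                    # interaction: the caller's code runs here
        if not self.safe:
            self.balances[who.name] = 0              # effects after the call: too late


class Attacker(Account):
    """A contract whose receive hook re-enters withdraw while its balance is still credited."""

    def receive(self, bank: Bank, amount: int) -> None:
        self.wallet += amount
        # Public state is readable by anyone, so the attacker checks whether the
        # outer withdraw has zeroed its balance yet and whether the pool can still pay.
        if bank.balance_of(self.name) > 0 and bank.pool >= amount:
            bank.withdraw(self)                      # re-entrancy


def run_attack(safe: bool) -> tuple[int, int, int]:
    """Return (attacker's wallet, coins left in the pool, balance still owed to the victim)."""
    bank = Bank(safe=safe)
    victim, mallory = Account("victim"), Attacker("mallory")
    bank.deposit(victim, 3)    # constructed sample: an honest depositor
    bank.deposit(mallory, 1)   # the attacker seeds a small balance of its own
    bank.withdraw(mallory)
    return mallory.wallet, bank.pool, bank.balance_of("victim")


if __name__ == "__main__":
    print("vulnerable:", run_attack(safe=False))   # (4, 0, 3): pool drained, victim still owed 3
    print("hardened:  ", run_attack(safe=True))    # (1, 3, 3): attacker gets only its own coin
```

In the vulnerable run the single outer withdraw nests three re-entrant calls, each paying out the same still-credited balance, until the pool is empty; the victim's ledger balance is untouched but the coins backing it are gone. Moving the balance update ahead of the call (or adding a re-entrancy guard) is the fix the checks-effects-interactions pattern prescribes.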