URL=https://training.defcon.org/products...ng-in-solidity
Name of Training:
Hackable.sol: Smart Contract Hacking in Solidity
Description:
Identify vulnerabilities in Smart Contracts written in Solidity
Training description:
A 2-day, fully hands-on training in which you will learn how to identify vulnerabilities in Smart Contracts written in Solidity. During the course we will work through 12 labs inspired by major hacks that cost companies millions of dollars, implement Smart Contracts ourselves, and perform security reviews to detect security flaws using both manual analysis and automated tools.
Some of the scenarios we will go through, i.e. vulnerabilities that we will identify and fix in the labs:
- Any user can cash out the money from the smart contract
- Users can buy the subscription by paying any wei amount
- Any user can check the amount of money stored in the contract address
- Reentrancy vulnerability
- Block Timestamp Manipulation Vulnerability
- Tx.origin: Authorization bypass
- Integer Overflow and Underflow
- BatchTransfer Overflow (CVE-2018-10299)
- Unprotected SELFDESTRUCT
- DelegateCall vulnerabilities
- ...and more
Davide Cioccia is the founder of dcodx, a cybersecurity firm focusing on bridging the gap between development and security, working together with development teams to create and promote the DevSecOps security culture.
He is one of the first contributors to the OWASP Mobile Security Testing Guide, a member of the SANS advisory board and the Chapter Lead of DevSecCon Netherlands. He also speaks at international security conferences such as BlackHat, OWASP AppSec, DevSecCon and Hacktivity, and at regional OWASP security events, where he has presented approaches and tools to automate mobile security testing in CI/CD, to detect and prevent phishing attacks, and to automate infrastructure security in the release cycle.
On the personal side he loves to play racket sports, from tennis to padel, from ping pong to beach tennis. So hit him up for a match if you are in the Netherlands.
https://www.devseccon.com/chapters/dsc-netherlands/
https://appsecus2018.sched.com/event...-cicd-pipeline
https://www.blackhat.com/eu-18/arsen...-cioccia-36753
Trainer(s) social media links:
https://www.linkedin.com/in/davidecioccia/
https://twitter.com/davide107
Outline:
Intro to Ethereum and smart contracts
Course introduction
Bitcoin vs Ethereum
ETH history: The Four stages of development
PoW vs PoS
Sharding and Beacon Chain
Docking
Smart Contracts part 1
Smart Contracts basics
Ethereum Smart Contracts and Solidity
EVM
Accounts, Transactions and Gas
Storage, Memory and Stack
VSCode and Remix IDE
LAB: Functions visibility in Solidity
LAB: Our first smart contract
Smart Contracts part 2
Types, Enum and Events
Mappings
Inheritance
Modifiers
SWC registry: the Smart Contract Weakness Classification, the CWE of smart contracts
Reentrancy vulnerability: the DAO hack
LAB: Steal all my money (Reentrancy attack)
The OpenZeppelin ReentrancyGuard Smart Contract
Interfaces
LAB: Block Timestamp Manipulation Vulnerability
Authorization
Authorization in Smart Contracts
The OpenZeppelin Authorization Contracts
LAB: Authorization done properly
LAB: Tx.origin: Authorization bypass
DoS
SELFDESTRUCT
DoS With Block Gas Limit
DoS with Failed Call
More vulnerabilities
Integer Overflow and Underflow
LAB: Integer Overflow exploitation to drain smart contracts
LAB: BatchTransfer Overflow (CVE-2018-10299)
Libraries
Introduction to embedded and linked libraries
LAB: Delegatecall vs Call
LAB: Exploiting Proxy contracts and Delegate calls
Security auditing
Manual vs automated audit
Introduction to Smart Contract reverse engineering
LAB: Tools: Mythril
LAB: Tools: Slither
How to build a comprehensive security auditing report
Hack them all
Final Smart Contract Hacking Challenge
Technical difficulty:
The course is aimed at beginner to intermediate students who have some knowledge of smart contracts.
Knowledge of the topics below is recommended but not mandatory for this course:
Blockchain
Smart contracts and Remix IDE
Basic understanding of decentralized applications and their applicability
Suggested Prerequisites:
The course starts from the basics of the blockchain and smart contracts.
Useful resources:
- https://docs.soliditylang.org/en/v0.8.13/
- https://ethereum.org/
What students should bring:
- Laptop with at least 8 GB RAM
- Chrome browser
DATE: August 14th-15th 2023
TIME: 8am to 5pm PDT
VENUE: Caesars Forum, Las Vegas, NV
TRAINER: Davide Cioccia
- 16 hours of training with a certificate of completion.
- 2 coffee breaks are provided per day
- Note: Food is not included
Registration terms and conditions:
Trainings are refundable before July 1st; a processing fee of $250 applies.
Trainings are non-refundable after July 10th, 2023.
Training tickets may be transferred. Please email us for specifics.
Failure to attend the Training without prior written notification will be considered a No-Show. No refund will be given.
By purchasing this ticket you agree to abide by the DCT Code of Conduct and the registration terms and conditions listed above.