Traw
Feb 25 • 17 tweets • 8 min read
How to make a jump from Web2 hacking to Web3 hacking?

โ€œ๐‘‡๐‘ค๐‘œ ๐‘Ÿ๐‘œ๐‘Ž๐‘‘๐‘  ๐‘‘๐‘–๐‘ฃ๐‘’๐‘Ÿ๐‘”๐‘’๐‘‘ ๐‘–๐‘› ๐‘Ž ๐‘ค๐‘œ๐‘œ๐‘‘ ๐‘Ž๐‘›๐‘‘ ๐ผ โ€” ๐ผ ๐‘ก๐‘œ๐‘œ๐‘˜ ๐‘กโ„Ž๐‘’ ๐‘œ๐‘›๐‘’ ๐‘™๐‘’๐‘ ๐‘  ๐‘ก๐‘Ÿ๐‘Ž๐‘ฃ๐‘’๐‘™๐‘™๐‘’๐‘‘ ๐‘๐‘ฆ, ๐‘Ž๐‘›๐‘‘ ๐‘กโ„Ž๐‘Ž๐‘ก โ„Ž๐‘Ž๐‘  ๐‘š๐‘Ž๐‘‘๐‘’ ๐‘Ž๐‘™๐‘™ ๐‘กโ„Ž๐‘’ ๐‘‘๐‘–๐‘“๐‘“๐‘’๐‘Ÿ๐‘’๐‘›๐‘๐‘’โ€
โ€“ ๐‘…๐‘œ๐‘๐‘’๐‘Ÿ๐‘ก ๐น๐‘Ÿ๐‘œ๐‘ ๐‘ก

🧵↓
Credits🥂: @adrianhetman DeFi Security Triager
@immunefi.
{1}
As with everything, you need solid foundations before leaping into anything advanced.

That's why I recommend reading up on how Ethereum works first.

github.com/ethereumbook/e…

This should give you a great overview of the inner workings of Ethereum.

Next, Solidity!
{2}
All Ethereum DApps rely on Smart Contracts (SC).

Knowing what they are and how to write them is a big step towards finding bugs.

Solidity is the most popular language for SCs, and
@ProgrammerSmart
created an awesome resource for learning the language:
solidity-by-example.org
{3}
Apart from the awesome website, he also creates YouTube videos on various Solidity/Security/DeFi topics.

It's worth checking out!
youtube.com/channel/UCJWh7…
Apart from learning the language, it's also essential to know the application landscape and what the hell DeFi is 💱
{4}
DeFi apps are among the most popular Ethereum-based applications.

Knowing what they are and how they work will help you find bugs.

One of the best resources to learn more about the topic is
@finematics

Also check out
@officer_cia
guide to DeFi
{5}
One of the most fun ways to see and learn how to break applications is by completing CTFs.

Web3 has you covered on this front too, and there are multiple CTFs worth checking out.

1. ethernaut.openzeppelin.com
2. capturetheether.com/challenges/
3. damnvulnerabledefi.xyz
When you have that knowledge and practice behind you, the next step I would recommend is reading post mortems on various hacks/bugs.

@adrianhetman has already written a few such articles on
@immunefi
where he covered, for example, price oracle manipulation.
{6}
It's also worth checking out reputable auditing firms like @trailofbits / @ConsenSysAudits / @OpenZeppelin / @peckshield and others.

They always post something interesting, and they make most of their audit reports public.

Reading such audit reports is a knowledge mine ⛏️🕯️
{7}
Having a dev/test env is a must for a bug hunter.
It's worth learning the basics of
@HardhatHQ
and
@BrownieEth
. Without them you won't go far with writing your own PoC.
Get familiar with the Web3.js/Web3.py packages to be able to query Ethereum easily and manipulate transactions.
{8}
Some of the interesting security tools that can help you and improve your workflow are:

1. Solidity Visual Developer
2. Surya
3. ethtx.info
4. github.com/dapphub/dappto…
5. seth
{9}
If you want to become a smart contract auditor,
@cmichelio
created an awesome blog post just about that.

It's worth giving it a read as you will find some valuable information.
{10}
Here are other superb links you will find helpful that I didn't have the character count for in the previous tweets:

1. useweb3.xyz
2. notonlyowner.com/learn/intro-se…
3. github.com/ConsenSys/ethe…
4. devansh.xyz/blockchain-sec…

The thread is not over, continue reading 🧐
{11}
Armed with the knowledge and practice you are now prepared to start submitting bugs on bug bounty platforms like @immunefi.

If you want to know how to properly write your bug report (and you should!), Immunefi has you covered with the following article.🥷
{12}
Another great article explaining how to get started with blockchain hacking, by @morphean_sec. I highly recommend you read it (⭐️⭐️⭐️⭐️⭐️)

Hacking the Blockchain: An Ultimate Guide
medium.com/immunefi/hacki…
{13}
I hope you found the thread helpful and that you will start making your first steps towards Web3 Security.
{14/14}
If you like the thread, please retweet🔁 the first tweet, and if you have any other interesting links🔗 or suggestions, please leave a comment💌.