Patrick Collins
Co-founder of 🛡️@cyfrinaudits | 🟪 @soloditofficial | 🦅 @codehawks | 🎓 @cyfrinupdraft Building the Web3 we promised.
Dec 13, 2023 • 19 tweets • 4 min read
SMART CONTRACT SECURITY AND AUDITING FULL COURSE IS NOW OPEN TO EVERYONE ON CYFRIN UPDRAFT

🎊🎊🎊🎊🎊🎊🎊🎊🎊🎊🎊🎊🎊🎊

In just 22 hours, the top web3 experts walk you through 5 increasingly difficult audits to drill security power into you.

Here's what you need to know 👇

You can find the entire course on @cyfrinupdraft HERE:

Part 1 is broken down into 9 insane sections. I'm finishing part 2, which will focus on assembly, opcodes, huff, and formal verification.

Part 2 will come out within 2 months.

updraft.cyfrin.io/courses/securi…
Oct 27, 2023 • 9 tweets • 2 min read
Imagine being able to send ETH to your friend cross chains without anyone knowing:
- what token
- to whom the tx goes
- from whom

And also encrypt a message telling them “I’m old enough to get into the bar”

I just had a crazy interview with Mind Network, highlights here 👇

1. Mind Lake

Using Zero Knowledge Proofs and Fully Homomorphic Encryption (will explain soon) you can store data in a zero knowledge fashion into their Mind Lake network.

- medical information
- financial info
- personal info
- if you’re old enough to slam a pint of beer
Jul 20, 2023 • 10 tweets • 3 min read
How to get into competitive audits:

1. Learn basic solidity/vyper
2. Start doing competitive audits

The more audits you do, the better you'll get.

Here is your gameplan going into an audit, and exactly how to get the most out of your first one 👇

1. Block off hours of time

Auditing takes hours of deep work. Deep work is long, uninterrupted periods of time.

If you want to be successful, you need to focus. Some auditors use pomodoro techniques where they:

- push for 55 minutes, take a 10 minute break

And repeat this
Jul 6, 2023 • 8 tweets • 2 min read
🥧 FREI-PI

‼️ Why smart contract devs NEED to know this!

Function:
- Requirements
- Effects
- Interactions

Protocol
- Invariants

This is the pattern you should all be thinking about when building smart contracts.

Here is why 👇

Previously, we followed something called CEI, checks, effects, interactions.

The idea was that in our solidity/vyper functions we first:

1. Did require statements
2. Did effects with our contracts
3. Did interactions with external contracts
Jun 7, 2023 • 26 tweets • 12 min read
IT'S FINALLY HERE

🎊🎉🎊🎉🎊🎉🎊🎉🎊🎉🎊🎉
The Ultimate, Learn Blockchain Development, Solidity, AI-Powered Smart Contract Course | Foundry Edition!
🎊🎉🎊🎉🎊🎉🎊🎉🎊🎉🎊🎉
Here is everything you'll learn from this course, and more 👇

You can find parts 1 - 3 (A new YouTube cap of 12 hours means I had to split it up!)

🔗 Here's a link to part 1 of the course, with parts 2 and 3 on my YouTube.

After 2+ months of work, we arrived at 27+ hours of pure KNOWLEDGE.

Apr 27, 2023 • 8 tweets • 4 min read
There have been many conversations around the value of audits recently with the Merlin exploit.

We need to move away from the binary of "the protocol has an audit. Therefore, they are safe" ASAP.

An audit is not a guarantee your code is bug-free.

So then, why get an audit?

Or even more importantly, how can a community know a project is safe?

1. An audit is a small piece of a security journey

"They have an audit" isn't good enough.

- Do they have fuzz tests?
- How many audits did they get?
- Did they do a competitive audit?
Apr 26, 2023 • 6 tweets • 2 min read
There are days I get frustrated, down in a funk, hate everything and think life sucks.

Here is what I do to get out of it 👇

1. Accept it

Recognize that you’re upset, and don’t pretend you’re all good. Toxic positivity will erode you.

Being upset sometimes is ok.

2. Take a day off

Maybe 2. Sometimes the weekend is all you need. Sometimes a light day of work.

3. Remember why

Remember why you do what you do. I typically write down a list of reasons I do an activity and I reflect on those.
Mar 11, 2023 • 4 tweets • 1 min read
Am I reading this right?

A bank in the US is allowed to lend money out without having ANY collateralization.

No wonder bank runs happen. THEY DON'T NEED TO HAVE ANY FUCKING MONEY.

They call us DeFi degenerates???

CAN SOMEONE EXPLAIN TO ME HOW THIS MAKES ANY SENSE. Even Aave has like 150% collateralization ratio.

You deposit your money into a bank and they lend out all of it. So you go to withdraw, and whoopsie-daisy, they don't have it.

How is this the default.

Source: federalreserve.gov/monetarypolicy…
Mar 10, 2023 • 21 tweets • 6 min read
🧰 All your smart contract security tools are shit

...Or at least, according to a recent research study

After analyzing 516 bugs across 2021-2022, they discovered:
- How good our tools are
- How to categorize web3 bugs
- How to use this knowledge to win $102k in audit contests

Let's unpack this paper.

πŸ‹οΈβ€β™‚οΈ 1. Humans still beat machines at finding web3 vulnerabilities

~80% of all smart contract bugs across @code4rena and real-world exploits were undetected by automated tooling

~20% were caught by automated tooling like Slither, Echidna, etc
Mar 8, 2023 • 5 tweets • 2 min read
For those of you looking to level up with tools like Certora and anything trailofbits, here is your symbolic execution ELI5:

Symbolic execution attempts to "make your code math."

Or longer: Convert your code to a set of mathematical expressions that can be solved. Because your code is now math, you can have higher assurance it "does what you want it to do."

Math can be solved. There are right and wrong answers in math.

Functions in code can't be solved; this is why symbolic execution can be so powerful.
Feb 10, 2023 • 12 tweets • 4 min read
🪨 Invariant tests can be the difference between rock-solid solidity, and $1B down the drain.

🍹 Fuzz testing vs Invariant testing in web3 🧵

What are they, why are they so important, and what do they look like.

(not trying out Twitter's new big-ass tweets cuz I have images) 👇

Fuzz testing, also known as fuzzing, involves providing random data as inputs during testing.

Invariant tests are tests that focus on verifying the conditions that must always hold true in a system.

Oftentimes, a fuzz test is also an invariant test.
Feb 4, 2023 • 8 tweets • 2 min read
🔐 Multi-sig wallets are straight goated.

Especially for devs.

I think we might have to update our “I WILL BE SAFE” page.

Here are 4 reasons why 👇

1. A one-of-one multi-sig is better than a hot wallet

Oh no.

Your encrypted private key has been compromised.

Maybe your hardware wallet was stolen, or your computer hacked.

They can now try to brute force your password.

⏰ The countdown for them stealing your funds has started.
Jan 12, 2023 • 20 tweets • 5 min read
💸 aTokens & cTokens are two of the biggest interest-bearing tokens out there.

But they can be tricky to understand.

What are they, what makes them different, & how they make you money (for anyone) 👇

1st, in order to understand the tokens, we need to understand the protocols.

👻 ATokens are from @AaveAave

📈 CTokens are from @compoundfinance

Both Aave and Compound are borrowing and lending protocols.

People borrow money for a few reasons, one of the most popular ones is to "gain exposure" to an asset.

But what's "gaining exposure"?
Jan 11, 2023 • 12 tweets • 3 min read
💩 A lot of stuff in web3 is BS.

And last year we weeded out a lot of it. Which was good for web3 longevity, but it hurt a lot of innocent people in the short term.

A lot of people stay away from web3 because of all the scams.

How can we fix this?

1. Focus on actual use cases

@VitalikButerin recently wrote an article that summarizes his current favorite use cases for web3 which includes Money, DeFi, Identification, DAOs, and other niche projects like voting.

vitalik.ca/general/2022/1…
Jan 1, 2023 • 14 tweets • 3 min read
🎆 New Year's Resolutions are shit.

1. The action items are what matter
2. Goal setting in public is bad
3. 1 year is too long a reflection period

Here's why 👇

🏋️ 1. Actions

It's good to have goals, of course it is, but too many people focus on the goal instead of how to achieve that goal, which is more important.

"I'm going to lose 5 pounds" as a goal is fine, but 95% of what you SHOULD be focusing on is how to get there.
Dec 31, 2022 • 14 tweets • 7 min read
🎁 AND. THAT'S. A. WRAP.

2022... Honestly, I won't miss you lol.

But it's essential to reflect and give some gratitude for all the good that happened in the blockchain/crypto/web3 developer world.

🧵 Here is a non-exhaustive list of what I'm thankful for from 2022 👇

🎥 1. @freeCodeCamp hosting my 32-hour course.

I can't tell you how many devs we've helped onboard to web3 with it. It's been amazing to see the response. With that, a HUGE thank you to anyone who took it, gave feedback, participated in the discussions, or promoted it!
Dec 23, 2022 • 17 tweets • 3 min read
👀 Over the past two years, I had two developer education videos reach over 1 Million views

As of counting:
- 1.3M (JS)
- 3M (Py)

🧵 Here are seven tips I learned from that experience 👇

1. Don't focus on views, focus on creating as much value as you can

Seems obvious, but that's the strategy.

How to get views -> don't focus on views

This is the #1 most important thing. You can literally stop reading this thread if you want if this is all you take away.
Dec 23, 2022 • 37 tweets • 11 min read
🐸 I created the world's most unstoppable website using Decentralized Storage.

After T-Cash got banned, I wanted to answer the following:

"How can I make a website as resilient as a smart contract?"

Here is how we did it 👇

And if you'd like, we go over how to do this on the ChainDev YouTube channel!

My editing is getting too clean.

Anyways...

Oct 8, 2022 • 24 tweets • 14 min read
🪙 Stablecoins are a misunderstood DeFi primitive.

Let's clear some things up.

1. "Algo stablecoins are bad" is wrong
2. "A stablecoin is anchored to another asset" is wrong
3. Where do stablecoins come from? (IMPORTANT)

Let's jump in. 🧵

Huge thanks to @LucaProsperi for his Dirt Road publication which has been incredibly helpful in understanding "the depths" of stablecoins.

You can watch the video on all this (last tweet), and jump into some code examples of these different kinds of stablecoins.
Oct 7, 2022 • 5 tweets • 4 min read
⏰ STARTING TODAY - BUG HUNT

A little pre-hackathon event for you...

You have until Oct. 12th to find as many bugs on the @immunefi platform with #ChainDev to win some swag, and tell your friends you are better at web3 than me.

...Unless I beat you. @immunefi

🕵🏻‍♂️ You can watch the new #ChainDev YouTube video to get some clues on how to find bugs.

We learn about a bug hunter who was paid 2.2 MILLION dollars for finding a bug that could have drained over $7 BILLION.

Yes, you heard that right.

Oct 7, 2022 • 4 tweets • 1 min read
We as a web3 community are going to need to actively reject toxic projects leeching off the success of web3.

I want people to be successful.

I want you to do well.

But if you take more from web3 than you give, if you steal from users, if you're not dedicated to the web3 long tail.

Gtfo.

I’m not telling you to attack people, that’s detrimental. I’m saying after deep discussion on projects, when we identify a “bad” one, we don’t let each other become a user.

This isn’t easy, as it’s easier to just lose our temper and tell every protocol to fuck off.