
My blockchain security journey - part 1

The subject is mainly Solidity and the EVM, but most of this blog post applies to any code base.

Where It All Started

I was doing a CTF with my school CTF team, the GCC CTF.

There was a blockchain category that no one on the team solved, so I decided to give it a try.

And I absolutely flopped.


I didn’t even know what a wallet was …

There were only Solidity challenges, and at first I found the language pretty straightforward to understand. The weirdest part was understanding the concepts of contract, constructor

However, I had an idea of how to solve a challenge, but there was a gap between what I had in my head and how to apply it. In cryptography I have sagemath, pycryptodome and pwntools. But for web3 I had no idea. And I was too lazy to check blogs, writeups or ask ChatGPT (free version btw so it is as dumb as me).


After reading some writeups, it turns out it is not really different :

Solidity challenge                      | Crypto challenge
RPC server                              | TCP server
foundry, web3.py, web3.js               | pwntools, socket
python script, smart contract, javascript | python script
“Contract is ERC20 {}”                  | cipher = AES.new(key, mode)
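
The RPC server / TCP server row of the table above, made concrete as an added example (not code from the original post): the request a library such as web3.py sends to read an ERC20 `balanceOf` is a small JSON document POSTed over HTTP, built and parsed here by hand. The addresses and the node reply are constructed samples, and the helper names are hypothetical.

```python
import json

# First 4 bytes of keccak256("balanceOf(address)"), the standard ERC20 selector.
BALANCE_OF = "70a08231"
# Constructed sample addresses, not real contracts or wallets.
TOKEN = "0x" + "11" * 20
HOLDER = "0x" + "22" * 20

def strip0x(h):
    return h[2:] if h.startswith("0x") else h

def encode_balance_of(holder):
    """ABI calldata: 4-byte selector + address left-padded to one 32-byte word."""
    addr = strip0x(holder).lower()
    if len(addr) != 40:
        raise ValueError("address must be 20 bytes")
    bytes.fromhex(addr)  # raises ValueError on non-hex input
    return "0x" + BALANCE_OF + addr.rjust(64, "0")

def build_eth_call(token, holder, req_id=1):
    """HTTP POST body a client library would send to the RPC endpoint."""
    return json.dumps({
        "jsonrpc": "2.0", "id": req_id, "method": "eth_call",
        "params": [{"to": token, "data": encode_balance_of(holder)}, "latest"],
    }).encode()

def decode_uint256(response):
    """Parse the JSON-RPC reply and decode the single uint256 return value."""
    reply = json.loads(response)
    if "error" in reply:  # e.g. a revert or a malformed request
        raise RuntimeError(reply["error"].get("message", "RPC error"))
    raw = bytes.fromhex(strip0x(reply["result"]))
    if len(raw) != 32:
        raise ValueError("expected exactly one 32-byte word")
    return int.from_bytes(raw, "big")

if __name__ == "__main__":
    print(build_eth_call(TOKEN, HOLDER).decode())
    # Constructed reply standing in for the node's answer: 1000 tokens, 18 decimals.
    reply = json.dumps({"jsonrpc": "2.0", "id": 1,
                        "result": "0x" + format(1000 * 10**18, "064x")})
    print(decode_uint256(reply))
```
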

We still had zero flags in the category after the CTF, BUT, I was very hungry for knowledge so I started to grind on Solidity and smart contracts.


How I started to learn

So after the CTF, I read some writeups and tried to solve the challenges on my side. I then learned about Remix, about RPCs, the ABI, about EVMs and more.

I directly noticed that I needed a lot of prior knowledge of the EVM, of how smart contracts work and how I can interact with them. The Solidity docs helped a lot with that, just to have a picture of what transactions, blocks, storage, gas and more are.

I then continued by doing CTFs on some wargames : rootme, hackthebox.

Then I heard that there are platforms made for learning, like nodeguardians. I would also recommend cryptozombies for beginners.

What I have missed while learning

A mistake I’ve made is not being curious enough to get interested in the blockchain ecosystem. All I wanted to do was to flag challenges.

The different cryptocurrencies, the most known ones, how they work, how they are different from bitcoin, what a DEX is, what a DAO is, what the different blockchain projects are and what they do. Understanding how cryptos are traded, how to buy/sell, the blockchain glossary, and how people actually make money with cryptos.

I am actually fixing this by picking a random word on https://www.cointracker.io/learn and digging into it, or reading twitter (here is a list I try to fill every day).

What I would recommend to a beginner

For a total beginner in Solidity I would recommend first focusing on the basics.

I think that the best way to learn is to switch between theory and practice. Read docs (for instance ERC20) and try to create an ERC20 token (but don’t reinvent the wheel, use an existing contract framework) and find a way to make it vulnerable, read a blog post/POC and try to redo it locally, do a CTF once a month/week and so on.

  1. Have an overview of what the blockchain is and what you are dealing with (use bullshit remover if you’re too lazy to read)

  2. Step up your game and get some Solidity knowledge

    • Either go on cryptozombies.
    • Or follow this rareskills tutorial for beginners.
    • Focus on foundry (used in the rareskills tutorial).
    • Get to know the main ERCs (20, 721, 1155 …), read the most common EIPs and understand how they work and what they are used for.
  3. Take additional time to understand how the EVM works

    • Read blog posts like alchemy or read this series of blogs from openzeppelin.
    • Play around with opcodes on evm.codes.
    • The best way is to code a smart contract, inspect the opcodes by debugging with remix or foundry debugger.
    • Tackle EVM reverse engineering and learn about existing tools made for this. Here is an interesting blog.
  4. Do some CTFs :

  5. And stay aware of what’s going on in the blockchain world :

    • Read a bit of twitter.
    • Read articles and blogs (likely found by reading twitter).
    • Read bug bounty and audit reports.
    • Know the existing tools for auditing.

Some wise words to finish :


What’s next for me ?

On my side I have some catching up to do with the blockchain ecosystem. (I’m remembering the time I was shamed for not knowing what a bull run is …).

I will sharpen my understanding of the EVM, and other cryptos, by reading whitepapers.

And I’m getting interested in bug bounty, as CTFs are good but I want to start getting into the real thing.

And finally learn Rust, as the core of many cryptos and infrastructure is in Rust (also Go but no thank you, one thing at a time).
