Web3 Security Researcher’s Resource List (Everything You Need to Start)
A curated collection of essential resources for aspiring smart contract security researchers. Learn the tools, platforms, courses, and strategies you need to begin your journey into Web3 auditing and security research.
In this blog, I’ve curated a comprehensive list of the most valuable resources to help you get started with smart contract security research. From learning Solidity and exploring common vulnerabilities to finding auditing platforms, CTFs, and educational tools, this list brings together all the essential resources in one place.
Solidity
- Solidity Docs
- Solidity by Example
- Ethereum Virtual Machine (EVM) by Zaryab
- Secureum - Ethereum and Solidity
- Foundry
EIP and ERC Standards
- Token Standard - ERC 20, 721, 777, 1155, 4626
- Token Standard - ERC 2981
- Weird ERC721 Tokens
- Important Ethereum Improvement Proposals (EIPs)
Proxies and Upgradable Contracts
- Different Proxy Patterns - EIPs 897, 1822, 1967, 1538, 2535
- Proxy Playground (Vulnerable + Fixed implementation)
Best Practices, Patterns, Checklist and Security Pitfalls
- Security Pitfalls & Best Practices 101
- Security Pitfalls & Best Practices 201
- Security Considerations
- Smart Contract Security Verification Standard
- Useful Solidity Patterns
- The Solcurity Standard
- Semgrep Rules for Smart Contracts
- Smart Contract Auditing Heuristics
Finance & DeFi Deep Dive
- Khan Academy - Derivatives and Other Securities
- DeFi Developer Roadmap
- DeFi - Teachyourselfcrypto
- Finematics - DeFi
- Smart Contract Programmer - DeFi
- RazzorSec DeFi Deep Dive Suggestions
Vulnerabilities and Attack Vectors
- Audit Techniques & Tools 101
- Audit Findings 101
- Audit Findings 201
- Solidity Security Blog
- Smart Contract Vulnerabilities
- Smart Contract Weakness Classification (SWC)
- Smart contract attack vectors
- Immunefi Vulnerabilities
- SunWeb3Sec - DeFiVulnLabs
- QuillHash - DeFi Attack Vectors
- QuillHash - Solidity Smart Contract Attack Vectors
- DeFi Focused Security Resources
- Multichain Auditor Vulnerabilities and Checklist
Reading Reports
- Code4rena Audit reports
- Sherlock Audit reports
- Immunefi Bug Bounty Writeups
- Cyfrin Solodit search with filters
- List of Bridge Hacks
- Consensys
- Trail of Bits
- OpenZeppelin
- QuillHash
- Spearbit
- Nullity00
- NevilleHuang
- Zobront Audits
- Blockchain Security Audit List (Companies + Solo Auditors)
- The Auditor Book - Sherlock and Code4rena findings
- Search Code4rena and Sherlock findings
Secureum - SAFU
- Eth2 Security Overview — Secureum #1
- Smart Contract Security Resources — Secureum #2
- Making DeFi SAFU — Secureum #3
- Making Hermez SAFU — Secureum #4
- Making Cover SAFU — Secureum #5
- Making Opyn SAFU — Secureum #6
- Smart Contract Security 101 — Secureum #7
- Making Primitive SAFU — Secureum #8
- Making Alpha SAFU — Secureum #9