This repository, brought to you by Trail of Bits, outlines guidelines and best practices to write secure smart contracts.
We welcome contributions, and you can contribute by following our contributing guidelines.
Table of contents:
- Development guidelines
- High-level best practices: High-level best practices for all smart contracts
- Incident Response Recommendations: Guidelines on how to formulate an incident response plan
- Secure development workflow: A rough, high-level process to follow while you write code
- Token integration checklist: What to check when interacting with an arbitrary token
- Learn EVM: EVM technical knowledge
- EVM Opcodes: Details on all EVM opcodes
- Transaction Tracing: Helper scripts and guidance for generating and navigating transaction traces
- Yellow Paper Guidance: Symbol reference for more easily reading the Ethereum yellow paper
- Forks <> EIPs: Summarize the EIPs included in each Ethereum fork
- Forks <> CIPs: Summarize the CIPs and EIPs included in each Celo fork (EVM-compatible chain)
- Upgrades <> TIPs: Summarize the TIPs included in each TRON upgrade (EVM-compatible chain)
- Forks <> BEPs: Summarize the BEPs included in each BSC fork (EVM-compatible chain)
- Not so smart contracts: Examples of common smart contract issues. Each issue contains a description, an example and recommendations
- Program analysis: How to use automated tools to secure contracts
  - Echidna: a fuzzer that checks your contract's properties.
  - Slither: a static analyzer available through a CLI and a scriptable interface.
  - Manticore: a symbolic execution engine that can prove correctness properties.
  - For each tool, this training material provides:
    - a theoretical introduction, a walkthrough of its API, and a set of exercises.
    - exercises expected to take about two hours to learn the tool's operation in practice.
- Resources: Various online resources
- Trail of Bits blog posts: List of blockchain-related blog posts written by Trail of Bits
secure-contracts and building-secure-contracts are licensed and distributed under the AGPLv3 license. Contact us if you're looking for an exception to the terms.