A curated list of resources contributed by DeFiHackLabs to strengthen Web3 and Web security knowledge. 🌟
- DeFiHackLabs: Collection of DeFi security incident PoCs.
- DeFiVulnLabs: Hands-on exercises and recreated vulnerabilities for learning smart contract security.
- Incident Explorer: Combines the DeFiHackLabs PoCs and the Root Cause Analysis (RCA) reports into a single Incident Explorer, making it easy for everyone to search, browse, and learn from DeFi security incidents.
- Root Cause Analysis (RCA) Reports: Comprehensive root cause analysis reports for DeFi security incidents.
- Solidity Security Testing Guide: A comprehensive guide for testing and securing Solidity smart contracts.
- Unphishable (coming soon): Open-source Web3 phishing simulation platform with 30+ interactive scenarios.
A 3.5-month intensive training program on smart contract security, supported by the Ethereum Foundation Ecosystem Support Program (ESP). Weekly topics, speakers and recordings:
Week | Topic | Speaker | Links |
---|---|---|---|
1 | Building Your Development Environment and Getting Started with Foundry | Alex | Video / Assistant |
2 | Introduction to Smart Contracts: ERC20, ERC721, ERC1155 | Alex | Video / Assistant1 / Assistant2 |
3 | Common Vulnerabilities (1): DOS Attack & Access Control | Alice | Video / Assistant |
4 | Common Vulnerabilities (2): Randomness Vulnerability | Alice | Video / Assistant |
5 | Smart Contract Security Scanning Tools | Alice | Video / Assistant |
6 | Common Vulnerabilities (3): Reentrancy Attack | Alex | Video / Assistant |
7 | Common Vulnerabilities (4): Call and Delegatecall Vulnerabilities | Alice | Video / Assistant |
Offline | DeFiHackLabs Annual Review + Oracle Attack Analysis | Alice & h0wsO1 | Annual Review / Oracle Attack Analysis |
8 | DeFi Security Introduction | Louis | Video / Assistant |
9 | Practical Exercise: Reproducing Real Attacks | Billh | Video / Assistant |
10 | Cross-Chain Bridges, MultiChain, Layer2 Security | Louis | Video / Assistant |
11 | Practical On-Chain Analysis Tools | BlockSec | Video |
12 | Phishing Attacks | SlowMist | Video |
Topic Name | Speaker | Language | YouTube |
---|---|---|---|
Curta Cup CTF Write Up | Tony KΞ | English | Link |
ERC-4337 AA Security Review Guide | SunSec | Chinese | Link |
ChainLink Common Bugs | Gin | Chinese | Link |
BlazCTF Writeup - Missing | 0xAWM | Chinese | Link |
Basic Concept Of EVM and How EVM bytecode is formed and executed | Galois | English | Link |
How to Become Smart Contract Auditor | SunSec | Chinese | Link |
Web3 CTF Guideline | SunSec | Chinese | Link |
zkSync circuit & audit findings | Winnie | Chinese | Community whitehat only |
When GPT Meets Program Analysis | Bradmoon | Chinese | Link |
Groth16 - Arithmetic Circuit, R1CS, and basic Circom | ret2basic.eth | Chinese | Link |
Abusing the Smart Contract Verification Services for Fun and Profit | Lucas | Chinese | Link |
Groth16 - QAP and Pairing (as black box) | ret2basic.eth | Chinese | Link |
Groth16 - Trusted setup (powers of tau) | ret2basic.eth | Chinese | Link |
Solidity Intensive Co-learning (残酷共学), Lecture 1 | button | Chinese | Link |
Solidity Intensive Co-learning (残酷共学), Lecture 2: Solidity 101 Key Takeaways | 0xRory | Chinese | Link |
Solidity 102 and 103 Guided Reading | 0xRory | Chinese | Link |
Web3 Phishing: Approval Phishing | Helen | Chinese | Link |
Smart Contract Security and CTF Practice, Part 1 | Alex | Chinese | Link |
Smart Contract Security and CTF Practice, Part 2 | Alex | Chinese | Link |
Rethinking Security Concepts: A Security Framework for Web3 Smart Contracts and DApps | Helen & 0xRory | Chinese | Link |
A Deep dive into EIP-7702 with best practices | Kong | Chinese | Link |
Title | Author | Link |
---|---|---|
OnChain Transaction Debugging - Lesson 1: Tools | SunSec | Link |
OnChain Transaction Debugging - Lesson 2: Warm up | SunSec | Link |
OnChain Transaction Debugging - Lesson 3: Write Your Own PoC (Price Oracle Manipulation) | h0wsO1 | Link |
OnChain Transaction Debugging - Lesson 4: Write your own POC - MEV Bot | SunSec | Link |
OnChain Transaction Debugging - Lesson 5: Analysis for CirculateBUSD Project Rugpull | Numen | Link |
OnChain Transaction Debugging - Lesson 6: Write Your Own PoC (Reentrancy) | gbaleeee | Link |
User Asset Security - Lesson 1: Blockchain Dark Forest Selfguard Handbook | SlowMist | Link |
User Asset Security - Lesson 2: Nine Common Web3 Hacks and Scams | XREX Security Team | Link |
User Asset Security - Lesson 3: Learn Security Risks with a New Honeypot Scam | GoPlus Security | Link |
User Asset Security - Lesson 4: NFT Airdrop Phishing Case Study | Scam Sniffer | Link |
User Asset Security - Lesson 5: Address Poisoning Scam | SlowMist | Link |
User Asset Security - Lesson 6: How to Handle or Report the Theft of Crypto? | Beosin | Link |
User Asset Security - Lesson 7 (Part 1/2): Offline Signatures Can Drain Your Wallet | ZenGo Wallet | Link |
User Asset Security - Lesson 7 (Part 2/2): Offline Signatures Can Drain Your Wallet | ZenGo Wallet | Link |
User Asset Security - Lesson 8: How to Choose an Anti-Phishing Plugin | SlowMist | Link |
User Asset Security - Lesson 9: The Intricate Shadow Transactions Attack Deciphered | GoPlus Security | Link |
Move Security - Lesson 1: Security Analysis of the Move Language | Numen | Link |
Move Security - Lesson 2: Verify Smart Contracts in Aptos with the Move Prover PT.1 | MoveBit | Link |
Solidity Security - Lesson 1: Smart Contract Audit Methodology & Tips | Sm4rty | Link |
Solidity Security - Lesson 2: First Deposit Bug in CompoundV2 and its forks | Akshay Srivastav | Link |
Solidity Security - Lesson 3: Guidelines for Auditing Staking Protocols | QuillAudits | Link |
Solidity Security - Lesson 4: Web3 Project Security Practice Requirements | SlowMist | Link |
Solidity Security - Lesson 5: Lending/Borrowing DeFi Attacks | Dacian | Link |
Solidity Security - Lesson 6: DeFi Slippage Attacks | Dacian | Link |
Solidity Security - Lesson 7: Automated Brain Process for Smart Contract Auditing | 0xBeirao | Link |
Solidity Security - Lesson 8: Exploiting Precision Loss via Fuzz Testing | Dacian | Link |
Solidity Security - Lesson 9: Comprehensive Guide to Contract Size Checks | SlowMist | Link |
Smart Contract Audit Methodology | MiloTruck | Link |
Delving into the Security Implications of Fee Structure in a CDP protocol | Billh | Link |
Mastering Audits Mindset: From Beginner to Pro | gbaleeeee | Link |
Reversing a Web3 Scam via Dynamic Analysis and Deobfuscation | Ching367436 | Link |
2023 NUMEN CTF Writeup - HEXP | Kaiziron | Link |
2023 NUMEN CTF Writeup - GOATFinance | SunSec & Lucas | Link |
2023 NUMEN CTF Writeup - Asslot, Counter, Exist, LenderPool, Wallet | Kaiziron | Link |
2023 NUMEN CTF Writeup - SimpleCall | 0x4non | Link |
Conference Name | Topic | Speaker | Slide |
---|---|---|---|
AWS Summit 2023 | Web3 Security | SunSec | 📝 |
HK Web3 Festival 2024 | Web3 DevSecOps: Methodology and Best Practices | SunSec | 📝 |
CyberSec 2024 | Web3 DevSecOps: Methodology and Best Practices | SunSec | 📝 |
CyberSec 2024 | Unlawful Financial Activities in Blockchain: Revealing Hidden Financial Flows from the Blue Team's Perspective | Wolf, Miffy | 📝 |
CyberSec 2024 | DeFi Security Incident Analysis | Alice, York | 📝 |
COSCUP 2024 | Ethereum Cancun Upgrade | Bill | 📝 |
HITCON 2024 | DeFi Hacks: Exploit Reproduce 101 | Seal | 📝 |
ETH TAIPEI 2025 | Exploring AI’s Role in Smart Contract Security | Alice, Daky | 📝 |
CyberSec 2025 | AI-Driven Smart Contract Vulnerability Detection | Alice, Daky | 📝 |
CyberSec 2025 | Reentrancy Trap: Debunking the Myth of Smart Contract Immutability | Helen | 📝 |
CyberSec 2025 | Security Challenges in Ethereum Layer 2 and Cross-Chain Ecosystems | Louis | 📝 |
Tool Name | Author | Link |
---|---|---|
FiniteMonkey | Brad | GitHub |
Code Audit Hinter | Brad | GitHub |
Bastet | Alice & Daky | GitHub |
Your contributions make Web3 safer. Keep hacking ethically! 🛡️