# Genesis 0x01: Simplified Roadmap for Blockchain Security By [Assune.ETH](https://paragraph.com/@assune) · 2023-12-13 --- ![](https://storage.googleapis.com/papyrus_images/91d4aaf7a651f036ef9bf650c7f9ff66a2036efbee1f1957eef94cb580e201ad.png) **👋 Howdy** ============ I hope you all are doing well and fine! Welcome to the awesome world of Blockchain Security. As promised in my introductory [Genesis 0x00 post](https://web.archive.org/web/20220525071902/https://devansh.xyz/blockchain-security/2021/09/13/genesis.html), I am back with the first edition of our [Genesis Series](https://web.archive.org/web/20220525071902/https://devansh.xyz/blockchain-security/2021/09/13/genesis.html). For those who don’t know what [Genesis](https://web.archive.org/web/20220525071902/https://devansh.xyz/blockchain-security/2021/09/13/genesis.html) is; Let’s briefly introduce this series. [Genesis](https://web.archive.org/web/20220525071902/https://devansh.xyz/blockchain-security/2021/09/13/genesis.html) is a series of weekly articles on Blockchain Security, which will include interesting topics such as Blockchain basics, Blockchain Development, Ethereum 101, Building Dapps, Common vulnerabilities in smart contracts, Auditing Solidity source code, Static analysis of Smart contracts, latest news and the future state of DeFi. **🏗️🔨 Building vs Breaking** ============================== Without knowing how an application/protocol/framework is built or structured, we cannot proceed further with its security audit or find any vulnerabilities in it. However, Suppose you do manage to find actual vulnerabilities in a smart contract or any blockchain protocol without having any prior knowledge of how it is built and structured. In that case, You were just throwing arrows in the dark and got lucky. To a great extent, your ability to break into an application is directly proportional to your understanding of how that application is built and structured; that said we will be focusing on blockchain development before we jump to the security aspects related to it. This article will be laying down a path/roadmap for us, following which we will enter into the field of Blockchain Security together 🤝. > _All you need is the plan, the road map, and the courage to press on to your destination. - Earl Nightingale_ **✔️The only Roadmap you need** =============================== This Roadmap is not exhaustive, but it is organized and covers all rudimentary topics that one needs to know in order to get into the field of Blockchain Security. It also acts as a guide to our future articles in [Genesis Series](https://web.archive.org/web/20220525071902/https://devansh.xyz/blockchain-security/2021/09/13/genesis.html). **Note:** I handpicked these topics and links to the resources listed below, all of these resources are **100% free**. In my coming articles in the [Genesis Series](https://web.archive.org/web/20220525071902/https://devansh.xyz/blockchain-security/2021/09/13/genesis.html), we will be starting from Blockchain Basics (skipping rudimentary topics such as basics of internet, `Web2.0` security, etc). * **Elementary Topics:** * [Familiarity with Linux OS.](https://web.archive.org/web/20220525071902/https://www.redhat.com/en/topics/linux/what-is-linux) * [Understanding of commonly used](https://web.archive.org/web/20220525071902/https://cheatography.com/davechild/cheat-sheets/linux-command-line/) `bash` commands. * [Understanding of version control systems such as](https://web.archive.org/web/20220525071902/https://www.atlassian.com/git/tutorials) `Git` ,`Github`, `Gitlab` , etc. * [What is](https://web.archive.org/web/20220525071902/https://www.redhat.com/en/topics/devops/what-is-ci-cd) `CI/CD` pipeline. * [JavaScript.](https://web.archive.org/web/20220525071902/https://javascript.info/) * [Python.](https://web.archive.org/web/20220525071902/https://ehmatthes.github.io/pcc/index.html) * [Good understanding of Object Oriented programming.](https://web.archive.org/web/20220525071902/https://www.educative.io/blog/object-oriented-programming#:~:text=Object%20Oriented%20programming%20\(OOP\)%20is,create%20individual%20instances%20of%20objects.) * [Familiarity with Package Managers (](https://web.archive.org/web/20220525071902/https://blog.idrsolutions.com/2018/07/what-is-a-package-manager-and-why-should-you-use-one/)`npm`, `yarn`, `pnpm`, `pip`). * **Basics of Internet:** * [Good understanding of Networking concepts.](https://web.archive.org/web/20220525071902/https://www.dummies.com/programming/networking/cisco-networking-all-in-one-for-dummies-cheat-sheet/) * [How a Web Browser works.](https://web.archive.org/web/20220525071902/https://www.mozilla.org/en-US/firefox/browsers/what-is-a-browser/) * [What is](https://web.archive.org/web/20220525071902/https://github.com/alex/what-happens-when) `DNS` (What happens behind the scenes when you type `google.com` in web browser). * [What is](https://web.archive.org/web/20220525071902/https://developer.mozilla.org/en-US/docs/Web/HTTP/Overview) `HTTP` Protocol and how it works. * [What are](https://web.archive.org/web/20220525071902/https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers) `HTTP` Request and Response headers. * [What is](https://web.archive.org/web/20220525071902/https://www.guru99.com/remote-procedure-call-rpc.html) `RPC` Protocol. * [Familiarity with Browser’s developer tools.](https://web.archive.org/web/20220525071902/https://www.shortcutfoo.com/app/dojos/chrome-dev-tools-win/cheatsheet) * `Web2.0` (how a typical `Web2.0` application is packaged and deployed). * **Existing Authentication/Authorization models in** `Web2.0` applications. * [SSO — Single Sign On](https://web.archive.org/web/20220525071902/https://www.onelogin.com/learn/how-single-sign-on-works) * [OAuth — Open Authorization](https://web.archive.org/web/20220525071902/https://www.csoonline.com/article/3216404/what-is-oauth-how-the-open-authorization-framework-works.html) * [JWT Authentication](https://web.archive.org/web/20220525071902/https://www.youtube.com/watch?v=7Q17ubqLfaM) * [Token Based Authentication](https://web.archive.org/web/20220525071902/https://www.okta.com/identity-101/what-is-token-based-authentication/) * [Session Based Authentication](https://web.archive.org/web/20220525071902/https://sherryhsu.medium.com/session-vs-token-based-authentication-11a6c5ac45e4) * [Basic Authentication](https://web.archive.org/web/20220525071902/https://www.ibm.com/docs/en/cics-ts/5.2?topic=concepts-http-basic-authentication) * [What is HTTP Caching.](https://web.archive.org/web/20220525071902/https://www.cloudflare.com/en-in/learning/cdn/what-is-caching/) * `Web 2.0` **Security:** * **OWASP Top 10:** * [Broken Access Control vulnerabilities.](https://web.archive.org/web/20220525071902/https://owasp.org/Top10/A01_2021-Broken_Access_Control/) * [Cryptographic Failures.](https://web.archive.org/web/20220525071902/https://owasp.org/Top10/A02_2021-Cryptographic_Failures/) * [Injection vulnerabilities.](https://web.archive.org/web/20220525071902/https://owasp.org/Top10/A03_2021-Injection/) * [Insecure Design.](https://web.archive.org/web/20220525071902/https://owasp.org/Top10/A04_2021-Insecure_Design/) * [Security Misconfigurations.](https://web.archive.org/web/20220525071902/https://owasp.org/Top10/A05_2021-Security_Misconfiguration/) * [Vulnerable and Outdated Components.](https://web.archive.org/web/20220525071902/https://owasp.org/Top10/A06_2021-Vulnerable_and_Outdated_Components/) * [Identification and Authentication Failures.](https://web.archive.org/web/20220525071902/https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/) * [Software and Data Integrity Failures.](https://web.archive.org/web/20220525071902/https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures/) * [Security Logging and Monitoring Failures.](https://web.archive.org/web/20220525071902/https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/) * [Server-Side Request Forgery.](https://web.archive.org/web/20220525071902/https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29/) * **Basics of Blockchain:** * [What is Asymmetric Cryptography.](https://web.archive.org/web/20220525071902/https://searchsecurity.techtarget.com/definition/asymmetric-cryptography) * [What is Elliptic Curve Cryptography.](https://web.archive.org/web/20220525071902/https://en.wikipedia.org/wiki/Elliptic-curve_cryptography) * [Understanding of commonly used words in Blockchain world, such as Programmable, Distributed, Decentralized, Immutable, Unanimous, Time-Stamped, etc.](https://web.archive.org/web/20220525071902/https://www.euromoney.com/learning/blockchain-explained/what-is-blockchain) * [Bitcoin Whitepaper.](https://web.archive.org/web/20220525071902/https://bitcoin.org/bitcoin.pdf) * [What is Double-spending problem and how bitcoin solves it.](https://web.archive.org/web/20220525071902/https://www.sofi.com/learn/content/double-spending/#:~:text=How%20Does%20Bitcoin%20prevent%20Double,are%20added%20to%20the%20blockchain.) * [What is Consensus Algorithm.](https://web.archive.org/web/20220525071902/https://www.geeksforgeeks.org/consensus-algorithms-in-blockchain/) * [Proof of work vs Proof of stake.](https://web.archive.org/web/20220525071902/https://www.bitdegree.org/crypto/tutorials/proof-of-work-vs-proof-of-stake) * [What is Bitcoin Mining and how ASIC is better than regular mining gig.](https://web.archive.org/web/20220525071902/https://www.investopedia.com/tech/how-does-bitcoin-mining-work/) * [What is 51% Attack.](https://web.archive.org/web/20220525071902/https://www.investopedia.com/terms/1/51-attack.asp) * **Basics of Ethereum:** * [What is Etheruem.](https://web.archive.org/web/20220525071902/https://ethereum.org/en/what-is-ethereum/) * [Why Etheruem is termed as](https://web.archive.org/web/20220525071902/https://medium.com/@reyesale/ethereum-the-world-computer-fb7b58948280) `World Computer`. * [How Ethereum is different from its predecessor blockchains.](https://web.archive.org/web/20220525071902/https://www.investopedia.com/articles/investing/031416/bitcoin-vs-ethereum-driven-different-purposes.asp) * [What is Ethereum Protocol and how it works.](https://web.archive.org/web/20220525071902/https://consensys.net/knowledge-base/ethereum/) * [The Ethereum Foundation and the ether presale](https://web.archive.org/web/20220525071902/https://www.coindesk.com/markets/2020/07/11/sale-of-the-century-the-inside-story-of-ethereums-2014-premine/) * [What is Ether Currency.](https://web.archive.org/web/20220525071902/https://www.investopedia.com/tech/what-ether-it-same-ethereum/) * [What are transactions in ethereum ecosystem.](https://web.archive.org/web/20220525071902/https://ethereum.org/en/developers/docs/transactions/) * [What are different types of accounts (EOAs vs contract accounts).](https://web.archive.org/web/20220525071902/https://ethdocs.org/en/latest/contracts-and-transactions/account-types-gas-and-transactions.html) * [Wallets and Ethereum clients.](https://web.archive.org/web/20220525071902/https://ethereum.org/en/wallets/) * [Public Key vs Private Key.](https://web.archive.org/web/20220525071902/https://vomtom.at/ethereum-private-and-public-keys/) * [What is Gas.](https://web.archive.org/web/20220525071902/https://ethdocs.org/en/latest/contracts-and-transactions/account-types-gas-and-transactions.html) * [What is Mining.](https://web.archive.org/web/20220525071902/https://ethdocs.org/en/latest/mining.html) * [What is a block explorer.](https://web.archive.org/web/20220525071902/https://etherscan.io/) * [What are different types of networks in ethereum (Mainnet vs Testnet).](https://web.archive.org/web/20220525071902/https://ethereum.org/en/developers/docs/networks/) * [What are EIPs.](https://web.archive.org/web/20220525071902/https://eips.ethereum.org/) * [What are ERC standards.](https://web.archive.org/web/20220525071902/https://finance.yahoo.com/news/guide-ethereum-erc-standards-150024381.html) * [What is ERC20 Standard.](https://web.archive.org/web/20220525071902/https://ethereum.org/en/developers/docs/standards/tokens/erc-20/) * [What is ERC721 Standard.](https://web.archive.org/web/20220525071902/https://ethereum.org/en/developers/docs/standards/tokens/erc-721/) * [What is Turing Completeness.](https://web.archive.org/web/20220525071902/https://en.wikipedia.org/wiki/Turing_completeness) * [What is Ethereum Virtual Machine(EVM).](https://web.archive.org/web/20220525071902/https://ethereum.org/en/developers/docs/evm/) * [What are Smart Contracts.](https://web.archive.org/web/20220525071902/https://ethereum.org/en/developers/docs/smart-contracts/) * [Ethereum Higher Level languages (Solidity, Vyper, LLL, Serpent).](https://web.archive.org/web/20220525071902/https://ethereum.org/en/developers/docs/smart-contracts/languages/) * **Understanding Solidity** * [What is Solidity.](https://web.archive.org/web/20220525071902/https://docs.soliditylang.org/en/v0.8.7/) * [What is Remix IDE.](https://web.archive.org/web/20220525071902/https://remix-ide.readthedocs.io/en/latest/) * [What are different Data Types in Solidity (Boolean, Integer, Fixed point, Address, Byte array, Enum, Arrays, Struct, Mapping, Time units, Ether units).](https://web.archive.org/web/20220525071902/https://docs.soliditylang.org/en/v0.8.7/types.html) * [What are Predefined Global Variables and Functions (](https://web.archive.org/web/20220525071902/https://medium.com/upstate-interactive/what-you-need-to-know-about-msg-global-variables-in-solidity-566f1e83cc69)`msg.sender`, `msg.value`, `msg.gas`, `msg.data`, `msg.sig`, etc). * [Error handing in Solidity.](https://web.archive.org/web/20220525071902/https://docs.soliditylang.org/en/v0.8.7/control-structures.html#:~:text=an%20enum%20type.-,Error%20handling%3A%20Assert%2C%20Require%2C%20Revert%20and%20Exceptions,an%20error%20to%20the%20caller.) * [What is Ethereum Contract ABI.](https://web.archive.org/web/20220525071902/https://docs.soliditylang.org/en/v0.5.3/abi-spec.html) * [Life Cycle of Smart Contract.](https://web.archive.org/web/20220525071902/https://medium.com/quillhash/life-cycle-of-smart-contract-development-8929fa073b7f) * [Compiling, testing, Deploying smart Contracts.](https://web.archive.org/web/20220525071902/https://docs.openzeppelin.com/learn/) * [What is JSON RPC.](https://web.archive.org/web/20220525071902/https://ethereum.org/en/developers/docs/apis/json-rpc/) * [Interacting with smart contracts using an external library such as](https://web.archive.org/web/20220525071902/https://web3js.readthedocs.io/en/v1.5.2/) `web3.js` or `web3.py` * **Frameworks for Ethereum development:** * [Truffle Suit (Truffle, Ganache, Drizzle).](https://web.archive.org/web/20220525071902/https://www.trufflesuite.com/) * [Brownie (written in Python).](https://web.archive.org/web/20220525071902/https://github.com/eth-brownie/brownie) * [Infura.](https://web.archive.org/web/20220525071902/https://infura.io/) * [Openzeppelin.](https://web.archive.org/web/20220525071902/https://openzeppelin.com/contracts/) * [Dapptools](https://web.archive.org/web/20220525071902/https://dapp.tools/) * **Smart Contract Security:** * **Visualization Tools:** * [Solidity Visual Developer](https://web.archive.org/web/20220525071902/https://marketplace.visualstudio.com/items?itemName=tintinweb.solidity-visual-auditor) * [Surya](https://web.archive.org/web/20220525071902/https://github.com/ConsenSys/surya) * [Solgraph](https://web.archive.org/web/20220525071902/https://github.com/raineorshine/solgraph) * [EVM Lab](https://web.archive.org/web/20220525071902/https://github.com/ethereum/evmlab) * [ethereum-graph-debugger](https://web.archive.org/web/20220525071902/https://github.com/fergarrui/ethereum-graph-debugger) * [Piet](https://web.archive.org/web/20220525071902/https://github.com/blockchainsllc/piet) * **Linters and formatters:** * [Ethlint](https://web.archive.org/web/20220525071902/https://github.com/duaraghav8/Ethlint). * [Prettier + Solidity Plugin.](https://web.archive.org/web/20220525071902/https://prettier.io/) * [Solhint.](https://web.archive.org/web/20220525071902/https://github.com/protofire/solhint) * **Common Vulnerabilities in Smart contracts:** * [What is Reentrancy.](https://web.archive.org/web/20220525071902/https://swcregistry.io/docs/SWC-107) * [What is Junk code (Code With No Effects).](https://web.archive.org/web/20220525071902/https://swcregistry.io/docs/SWC-135) * [What is Unencrypted Private Data On-Chain.](https://web.archive.org/web/20220525071902/https://swcregistry.io/docs/SWC-136) * [What is Integer Overflow and Underflow.](https://web.archive.org/web/20220525071902/https://swcregistry.io/docs/SWC-101) * [What is Floating](https://web.archive.org/web/20220525071902/https://swcregistry.io/docs/SWC-103) `Pragma`. * [What is Unchecked Call Return Value.](https://web.archive.org/web/20220525071902/https://swcregistry.io/docs/SWC-104) * [What is Unprotected](https://web.archive.org/web/20220525071902/https://swcregistry.io/docs/SWC-106) `SELFDESTRUCT` Instruction. * [State Variable Default Visibility.](https://web.archive.org/web/20220525071902/https://swcregistry.io/docs/SWC-108) * [What is Uninitialized Storage Pointer.](https://web.archive.org/web/20220525071902/https://swcregistry.io/docs/SWC-109) * [Use of Deprecated Solidity Functions.](https://web.archive.org/web/20220525071902/https://swcregistry.io/docs/SWC-111) * [DoS with Failed Call.](https://web.archive.org/web/20220525071902/https://swcregistry.io/docs/SWC-113) * [Authorization through](https://web.archive.org/web/20220525071902/https://swcregistry.io/docs/SWC-115) `tx.origin` * [Signature Malleability.](https://web.archive.org/web/20220525071902/https://swcregistry.io/docs/SWC-117) * [Weak Sources of Randomness from Chain Attributes.](https://web.archive.org/web/20220525071902/https://swcregistry.io/docs/SWC-120) * [Lack of Proper Signature Verification.](https://web.archive.org/web/20220525071902/https://swcregistry.io/docs/SWC-122) * [Missing Protection against Signature Replay Attacks.](https://web.archive.org/web/20220525071902/https://swcregistry.io/docs/SWC-121) * [Insufficient Gas Griefing.](https://web.archive.org/web/20220525071902/https://swcregistry.io/docs/SWC-126) * [DoS With Block Gas Limit.](https://web.archive.org/web/20220525071902/https://swcregistry.io/docs/SWC-128) * [Hash Collisions With Multiple Variable Length Arguments.](https://web.archive.org/web/20220525071902/https://swcregistry.io/docs/SWC-133) * [Message call with hardcoded gas amount.](https://web.archive.org/web/20220525071902/https://swcregistry.io/docs/SWC-134) * [Oracle Manipulation.](https://web.archive.org/web/20220525071902/https://hackernoon.com/how-dollar100m-got-stolen-from-defi-in-2021-price-oracle-manipulation-and-flash-loan-attacks-explained-3n6q33r1) * **Static and Dynamic Analysis:** * [Oyente](https://web.archive.org/web/20220525071902/https://github.com/enzymefinance/oyente) * [Octopus](https://web.archive.org/web/20220525071902/https://github.com/pventuzelo/octopus) * [Vertigo](https://web.archive.org/web/20220525071902/https://github.com/JoranHonig/vertigo) * [MythX](https://web.archive.org/web/20220525071902/https://mythx.io/) * [Mythril](https://web.archive.org/web/20220525071902/https://github.com/ConsenSys/mythril) * [Slither](https://web.archive.org/web/20220525071902/https://github.com/crytic/slither) * [Echidna](https://web.archive.org/web/20220525071902/https://github.com/crytic/echidna) * **Blockchain CTFs:** * [Openzeppelin’s Ethernaut.](https://web.archive.org/web/20220525071902/https://ethernaut.openzeppelin.com/) * [Damn Vulnerable DeFi.](https://web.archive.org/web/20220525071902/https://www.damnvulnerabledefi.xyz/) * [Smart Contract CTF.](https://web.archive.org/web/20220525071902/https://blockchain-ctf.securityinnovation.com/) * [Capture the Ether.](https://web.archive.org/web/20220525071902/https://capturetheether.com/) * [GOATCasino](https://web.archive.org/web/20220525071902/https://github.com/nccgroup/GOATCasino). * [Paradigm CTF.](https://web.archive.org/web/20220525071902/https://ctf.paradigm.xyz/) * **Bug Bounty Platforms with Crypto Programs:** * [Immunefi](https://web.archive.org/web/20220525071902/https://immunefi.com/) * [HackerOne](https://web.archive.org/web/20220525071902/https://www.hackerone.com/) * [Bugcrowd](https://web.archive.org/web/20220525071902/https://www.bugcrowd.com/) * **The future of Ethereum:** * [What is Ethereum 2.0.](https://web.archive.org/web/20220525071902/https://decrypt.co/resources/what-is-ethereum-2-0) **✨ Bonus** =========== For your convenience in tracking your progress while following the above roadmap, I am sharing a publicly readable version of my [**Notion**](https://web.archive.org/web/20220525071902/https://valiant-ptarmigan-f40.notion.site/Blockchain-Security-Checklist-4e403dc8db284ab3aa74b0379d5b0620) notes, which you can copy to your own [**Notion notebook**](https://web.archive.org/web/20220525071902/https://valiant-ptarmigan-f40.notion.site/Blockchain-Security-Checklist-4e403dc8db284ab3aa74b0379d5b0620) as a template for tracking your progress. **Link to my notion notebook can be** [**found here**](https://web.archive.org/web/20220525071902/https://valiant-ptarmigan-f40.notion.site/Blockchain-Security-Checklist-4e403dc8db284ab3aa74b0379d5b0620). **Additional Resources** ======================== * [Ethereum Homestead Documentation](https://web.archive.org/web/20220525071902/https://ethdocs.org/en/latest/) * [Ethereum Community guides and resources](https://web.archive.org/web/20220525071902/https://ethereum.org/en/learn/) * [Solidity Documentation](https://web.archive.org/web/20220525071902/https://docs.soliditylang.org/en/v0.8.7/) * [Solidity, Blockchain, Smart Contract Course](https://web.archive.org/web/20220525071902/https://www.youtube.com/watch?v=M576WGiDBdQ) * [DeFi Developer Road Map](https://web.archive.org/web/20220525071902/https://github.com/OffcierCia/DeFi-Developer-Road-Map) That was all from my side in this article. See you very soon in [**Genesis 0x02**](https://web.archive.org/web/20220525071902/https://devansh.xyz/blockchain-security/2021/09/23/genesis-0x02.html). Keep warm, stay hydrated, and have a good day ahead :) --- *Originally published on [Assune.ETH](https://paragraph.com/@assune/genesis-0x01-simplified-roadmap-for-blockchain-security)*