1. Some aspects of the smart contract programming

2. Summarize the Ethernaut puzzles

3. Analyze the puzzles based on my understanding

   1. The features of solidity

   2. The relationships with the blockchain characteristics

   3. The interaction calls among smart contracts

   4. The use of third-party contracts libraries

   5. Attack by consuming all the available gas

   6. The possibilities or the innovations of the business logic

   7. Smart contract's proxy upgrade mechanism

   8. Bytecode level

4. Closing thoughts

5. Other references

   1. the reference of the Ethernaut

   2. the related links

1. Some aspects of the smart contract programming

Some aspects have given me deep impressions since I touch the smart contracts.

1 Security. The classic Dao attack and on-chain hacker attack incidents keep demonstrating security's huge critical role.

2 Gas optimation.Recently gas is not a hot topic. The reasons may be that the current stage is the bear market or the layer2 ecosystem has matured, leading to the gas price decreasing. However, gas is fundamental for many things. In some situations, it will become more and more critical. To some degree, it seems like the requirements for speed in quantitative trading. With the exponential growth of the user numbers, the gas price will become the market's core attention again. On the other hand, each step of the smart contracts running has been broken down to the basic opcodes, and each opcode consumed fixed gas. All that is fundamental to the EVM, also goes for the Ethereum.

3 The sophisticated interactions among smart contracts.The interactions will become more and more sophisticated, along with business logic development. Sometimes, it's challenging to figure out the relationships cleanly.

For this article, the interaction means the calls among Contract accounts.

CA(Contract account): This contract was controlled by the code in this address.

EOA(Externally-owned account): This contract was controlled by the third party who owns the address's private key.

While going through the smart contract codes, only reading the static variables or the description of some functions doesn't guarantee enough understanding of the dynamic call flow. One case below shows the complex interactions.

https://openchain.xyz/trace/ethereum/0xc310a0affe2169d1f6feec1c63dbc7f7c62a887fa48795d327d4d2da2d6b111d

Many hacked incidents occur in the interaction calls among smart contracts. Such as the classic hack incident:re-entrance.

4 Much new business logic will emerge based on smart contracts.As we know, blockchain's characteristics include Transparent, Unchangeable, and Unstopped. Considering the smart contract's features based on it, the other programming paradigm will emerge, such as how to develop or test based on the open Infrastructure、how to consider the design while taking the smart contract as the basic unit to think、how to upgrade the on-chain logic?... All these need people to adapt and practice, borrow ideas from others, and understand more possibilities.

2. Summarize the Ethernaut puzzles

As you can see, I always want to adapt to the new paradigm and better understand the difference between on-chain and traditional programming. The ethernaut CFT is an excellent challenge to test me and increase my understanding.

https://ethernaut.openzeppelin.com/

Below is my summary of the Ethernaut puzzles.

Tips: These analyses of the puzzles cover only some of the details from start to end. There also have some articles that explain very thoroughly. Some puzzles are challenging to solve, which takes me many hours to find the right clue, and sometimes I need others' guidance. If one begins to learn the smart contract, this article can act as an advanced topic reference. If one understands smart contracts well or is an advanced smart contract programmer, the contents below should be taken as the specific summary.

Because of my limited level, perhaps some content descriptions either lack or are incorrect.Welcome comments and discussions.

3. Analyze the puzzles based on my understanding

Ethernaut CFT shows the different security problems in the puzzle's format. First of all, the challenger can practice the security problems. Secondly, Although they all seem to be security problems, one can deepen many other aspects of understanding. Such as the solidity features、the derivative Issues related to the blockchain、the business logic design; Lastly, it enhanced the familiarity with smart contracts and felt the difference between the new and traditional architecture.

My attentions only focus on the below fields.

1. The difficult problems I encounter while solving the puzzles.

2. The general topics or the topic kept on developing. Such as the features of solidity.

3. The Indispensable aspects, such as the proxy upgrade mechanism.

3.1 The features of solidity

1) overflow/underflow check

For example, the add or sub operations among the uint256 variables, the result might go over the max value or the min value of the uint256 Type. Related puzzle Token. This type of check has been added since solidity ^0.8.

2) fallback

While calling a smart contract function that doesn't exist in the called smart contract, Or when receiving ETH, the accepted smart contract doesn't have the received function, and the fallback function exists. In these two scenarios, the fallback function will be called. Based on this feature, fallback can come in some specific scenes. Such as re-entrance, while one contract received eth, this contract can do more logic in the fallback function. Another example is the proxy mechanism. The implementation contract only deals with the business logic and doesn't store the ultimate states. How to call the business logic by the proxy smart contract? The design uses the delegateCall function under the fallback function in the proxy smart contract.

3)Custom error

Good Samaritan puzzle involves dealing with a customer error during many interactions calling. One function can't judge where an error comes from.

4) selfdestruct

This function aims to destroy the smart contract while sending all the eth balance on the address to the target address. The original design's goal is to decrease gas consumption. But this leads to an unexpected result-no smart contract can guarantee that it cannot receive eth. When someone builds business logic on smart contract's eth balance, such as address(this).balance == 0, which has great potential risk and can be used by hackers. The newest solidity version suggests not using the function https://eips.ethereum.org/EIPS/eip-6049.

3.2 The relationships with the blockchain characteristics

1) Transparent

There are public, private, and internal while defining the solidity variables. But defining the variables as private does not mean others can't watch them, which means other on-chain smart contracts can't see them. The way to access the corresponding slot value also exists, such as the function provider.getStorageAt( addr , pos [ , blockTag = latest ] ) , which provided by the ethers.js. Can reference the puzzles: Vault ，Privacy .

2) Random number

Because the on-chain variables, even defined as private, can be accessed by some functions, miners have these abilities: control the blockchain hash, and the timestamp, whether including one transaction or not. All these can lead to potential risks while using the on-chain data generating the random number. One available solution is to import the off-chain random numbers, such as the chainlink. The related puzzle is Coin Flip. Of course, some business logic needs not only random numbers but also other business data, such as stock price, which can also be obtained by chainlink or a similar third party.

There is a new opcode-PREVRANDOA since the Ethereum merge, which can generate a random number and is more randomness than the blockhash.

https://eips.ethereum.org/EIPS/eip-4399

3) the deterministic address

The function keccak256(address, nonce) can generate the smart contract's address. The details can be read this https://swende.se/blog/Ethereum_quirks_and_vulns.html. So one can send eth to one smart contract address that doesn't have the private keys and use the above function to acquire the corresponding eth. The related puzzle is Recovery.

4)The data structure of the smart contracts states

Below is the smart contract storage data structure. The smart contract includes 2^256 slots. Each slot's length is bytes32.

How to store the dynamic arrays? (The related puzzle is Alien Codex)

The variable codex's slot is the third. The third slot stores the length of the array(codex). Unexpectedly, each value of the array does not exist in the following slots. Firstly, which slot is the codex's first value's location? The answer is the location0 = keccak256(abi.encode(2)). And then the next value's slot is the previous slot add 1.

Puzzle Alien Codex, The trick to solving this puzzle is changing the owner's address to the hacker-controlled address.

While the above contract was deployed, the owner's address was set. You can see in the blew.

So, change slot-0's value to the desired address, and the contract's owner will change.

The first thought in my mind is how to make the keccakHashde(abi.encode(index)) == 0? What's the index value? But nowhere can I get it.

Now the design of how to store a dynamic array comes. As the location(slot) of the codex[0]'s value is known, the maximum value of the slots length is 2^256. So the codex[2^256- array[0]] equals location(2^256)'s value.

Suppose that the max length of the dynamic array codex is 2^256. If changed the codex[ 2^256- array[0]+1]'s value into the desired address, then the contract's first slot will store the desired address, and the contract's owner will be changed.

How to make the dynamic arrays' length 2^256. Call the below function can get the result.

3.3 The interaction calls among smart contracts

1) The basic interaction calls among smart contracts.

I break down the interaction into two types. One is sending ETH. Another is running the on-chain contract's logic. Of course, The two types can occur simultaneously, Running the contract's business logic while sending eth.

How to send or receive ETH? I have mentioned the selfdestruct, fallback in the solidity features section. There are some arguments in history. Functions including send, transfer, and call all can send ETH, but now call was suggested to be used while should be careful of the re-entrance attack.

https://consensys.net/diligence/blog/2019/09/stop-using-soliditys-transfer-now/

https://solidity-by-example.org/sending-ether/

https://forum.openzeppelin.com/t/reentrancy-after-istanbul/1742

Send or transfer all consumed the fixed gas(2300), But in the actual situations, each block's gas cost is not fixed, so it's not rational to fix consumed gas while calling other functions. The related reference(https://consensys.net/diligence/blog/2019/09/stop-using-soliditys-transfer-now/ )

The related puzzle King.

There are three basic calls when one smart contract calls another: call,staticcall,delegateCall.

The call can be used when one smart contract wants to call another smart contract's function or send ETH; DelegateCall can also be used to call another smart contract's functions, but the difference is delegateCall will modify the states of the caller's address. As the delegateCall is often used in the proxy upgrade mechanism, I put the related contents in the Proxy upgrade mechanism section. Staticcall means not changing the blockchain's states while calling.

2) Some caller variables' modifications during the smart contract calls.

tx.origin means the original caller when one call occurs, always the EOA.

msg.sender: There always have many internal calls during one entire call. Each call involved one caller contract and the called contract. For the called contract, the caller contract is msg.sender.

related puzzle Telephone

3) The business logic relies on the third-party

the related puzzles: Elevator,shop,Re-entrancy

The business logic based on others leading to potential risks has frequently been found. No matter the called or caller contract, One can build the arbitrary logic in CA contracts and then get around the original check to exploit the target address.

related puzzle Elevator

This code's function (! building.isLastFloor(_floor) ) relies on the third-party's logic, So one attacker can modify the results when calling the attacker's address.

Puzzle Shop

_buyer.price() can also be controlled in an attacker's address.

Actually, the interaction relationships among the smart contracts are universal and complex; Sometimes, it's difficult to find the potential problem.

puzzle re-entrance classical attack

While executing the function (msg.sender.call{value:_amount}("")), the msg.sender can call the above contract again, which can lead to recursive calls.

Just like: Contract(caller)B=》Contract(called)A=》ContractB(caller)=》ContractA(called)... can withdraw all the ETH in the contract A.

The blew is the on-chain case: The attacker address (ContractA): 0x.........d653666d The attacked address(ContractB): 0x.........90ac810

We can see the recursive call relationships: ContractA => ContractB => ContractA=>ContractB...

the related link:

https://goerli.etherscan.io/tx/0x36b485c5b9e3e7a487ca9019675354584f3ddb30df6dbde844566995de4d52da#internal

3.4 The usage of third-party contracts libraries

We can apply many third-party standard libraries to our protocols, but some explosions can occur without enough careful.

the related puzzle Naught Coin

For the function transfer(), the modified LockToken checks the caller's conditions. But for the ERC20, two funcitons are sending ETH, one is transfer(), and another is transferFrom(). One can directly call the transferFrom() and then pass over the LockToken.

3.5 Attack by consuming all the available gas

This attack type seems like a smart contract's logic relying on others again, but for the outside, which means consuming all the gas available.

puzzle Denial

The call function exists, but it does not appoint how much gas can consume in the withdraw function. If the attacker consumes all the gas in its attacker's address, then the withdraw can't complete.

https://goerli.etherscan.io/tx/0xd2dbcdfa404a3864ca20041eb68770087c27f1061f5f13f52b92e746ab7a6b2c

3.6 The possibilities or the innovations of the business logic

The famous formula of the defi is x*y=k. x represents token A's quantity, y represents token B's quantity, and k is constant. The formula can calculate the price of token A or token B, such as the price of token A per token B: y/x.

But as the puzzle dex show, some potential risks can occur.

This puzzle aims to withdraw all the token A or toke B in the dex pool. Because we can adjust the quantity of token A or token B, then manipulate the quantity until the price reaches the point we can swap one into all the other token's amounts.

As seen below shows, we can adjust the quantity of token A or token B through the swap function. When the rate of the tokenA/tokenB equals 110/45, and we have at least 45 token B, then we can withdraw all the tokenB by 45 tokenB.

As the above shows, I swapped five times. In the fifth swap, the rate of tokenA/tokenB equals 110/45. My 45 token B can swap into 110 token A.

It's obvious that defining the token price only through the two tokens quantity in the pool can be manipulated by the third party. Service providers such as chainlink offer the price feed, which can avoid this type of problem.

For the puzzle dex2. The aim is to withdraw all token A and token B. The difference between dex and dex2 is that there is no check for the token pairs in dex2. I feel it's very funny to solve it.

We can build another token pair, Create token C and send 10 toeken C to the dex2 address. Now tokenA/toekn C(100/10 ) , then we can get all the tokenA by only 10 token C. The same as tokenB: token B/token C(100/20).

3.7 Smart contract's proxy upgrade mechanism

The smart contracts codes can't be changed when deployed, but what can we do if we need to upgrade the code? Then the proxy upgrade mechanism comes. In a nutshell, the proxy upgrade mechanism will not change the original code but can also upgrade the code. Two types of contracts are involved in the mechanism: one is proxy contract, which stores the ultimate states, and another is an implementation contract, which implements the business logic.

There are two types of proxy upgrade mechanisms, including Transparent and UUPS. The main difference is that which contract supplies the interface to upgrade the code? Transparent is the proxy contract and UUPS is the implementation contract.

There are two types proxy upgrade mechanism including Transparent and UUPS. The main differences is that which contract supply the interface to upgrade the code? Transparent is the proxy contract, UUPS is the implementation contract.

Puzzle Puzzle Walle, which is transparent type. The code is through the proxy contract when you need to modify some rights or upgrade. This puzzle aims to become the owner of the proxy contract.

The proxy contract: PuzzleProxy, The implementation contract:PuzzleWallet.

Proxy contract(PuzzleProxy): slot0,slot1=>pendingAdmin,admin.

implementation contract(PuzzleWallet): slot0,slot1=>owner, maxBalance.

The corresponding relationships between the two contracts as below:

implementation contract(PuzzleWallet): slot0:owner => Proxy contract(PuzzleProxy): slot0:pendingAdmin.

implementation contract(PuzzleWallet): slot1:maxBalance => Proxy contract(PuzzleProxy): slot1:admin.

We can become the PuzzleWallet's owner by setting the maxBalance as the desired address by calling the implementation contract's functions. But how to call? Withdraw all the ETH by using the mulitCall and deposit function, lastly call the setMaxBalance(uint256 _maxBalance) to change the address.

The details of how to use multicall，deposit，setMaxBalance as below, which someone explains throughly.

https://medium.com/coinmonks/solving-ethernaut-24-puzzle-wallet-fdf3be4634c4

The above puzzles demonstrate a critical aspect when using proxy upgrade mechanism. By calling the implementation contract's function, one should be very careful about the collision between the proxy contract states and the implementation states.

puzzle Motorbike

Motorbike is the second type:UUPS. Upgrading the code by interacting with the implementation contract code and the gas of deploying the proxy contract went down. This puzzle aims to break down the Engine, so the proxy contract can't work through the Engine.

The proxy contract is Motorbike, implementation contract is Engine, which has a upgrateToAndCall() function that can upgrade the code.

The initialize() function of the Engine does not work in itself address while the Motorbike is deployed. So the states, including horsePower and upgrader, are zero in the Engine address.

From this point on, Everyone who calls the Engine's initialize () can become the Engine's owner. And then can call the upgradeToAndCall() function to destroy the Engine contract.

As the below flow chat shows, The hacker contract, including the function killMySelf, which executes the selfdestruct, can be called by the Engine contract. If that, the Engine itself will destroy itself.

Because the motorbike contract's corresponding implementation contract has been destroyed, it can't work.

So should be careful while using the UUPS type, although it brings some benefits.

More discussions can see below.

https://forum.openzeppelin.com/t/uupsupgradeable-vulnerability-post-mortem/15680

Ethernaut.openzeppelin

Ethernaut used the TransparentUpgradeableProxy pattern when they deployed. Upgrading the code is through by calling the proxy contract. I wanted to query all my statistical data after completing all the puzzles. Firstly, I directly call the implementation contract's function in its address; as we know, the ultimate data were stored in the proxy contract, So the result is nothing. But when I became aware the ethernaut is using the TransparentUpgradeableProxy, I called the implementation contract's abi in the proxy contract's address; that's OK. The link is below.

https://goerli.etherscan.io/address/0x7ae0655F0Ee1e7752D7C62493CEa1E69A810e2ed#readProxyContract

3.8 Bytecode level

No matter how long, the on-chain smart contracts' code is a hex string sequence. The EVM will execute the corresponding opcodes in the stack while manipulating the memory or the storage according to the pre-defined rules of the EVM, finally completing the tx.

puzzle MagicNumber

MagicNumber is involved in how the EVM deal with the bytescode. It's a must require for the advanced solidity programmer. Many situations require this, such as manipulating the memory through the Yui or assembly. Many top protocols can see the usage, such as uniswap.

One reference can see below:

https://medium.com/coinmonks/ethernaut-lvl-19-magicnumber-walkthrough-how-to-deploy-contracts-using-raw-assembly-opcodes-c50edb0f71a2

4. Closing thoughts

The blockchain's infrastructure has had a significant development in recent years. More and more third-party libraries appear, such as the frequently used tools: Openzeppelin, Chainlink. Development environment tools including hardhat,foundary. The ethernaut often supplies more content while I solve the above puzzles, which gives me more views about the blockchains' recent development, such as the discussion of proxy upgrade mechanism just beginning about two years ago.

https://forum.openzeppelin.com/t/uups-proxies-tutorial-solidity-javascript/7786

https://forum.openzeppelin.com/t/uupsupgradeable-vulnerability-post-mortem/15680

One example is the puzzle DoubleEntryPoint mentions the forta.

Forta comprises a decentralized network of independent node operators who scan all transactions and block-by-block state changes for outlier transactions and threats. When an issue is detected, node operators send alerts to subscribers of potential risks, which enables them to take action.

Similar services, like the graph, can quickly access the on-chain data or functions for developers.

Another example about the analysis of a hacker incident.

https://blog.openzeppelin.com/on-the-parity-wallet-multisig-hack-405a8c12e8f7/

These related discussions or some articles emerge in many different places, and the news tools or the new fundamental design... not only a source of great value but also a great help for personal corresponding technological skills.

5. Other references

5. the reference of the Ethernaut

   Github address of ethernaut

   https://github.com/OpenZeppelin/ethernaut/tree/master/contracts/contracts

   The solutions supplied by the ethernaut

   https://github.com/OpenZeppelin/ethernaut/tree/master/contracts/contracts/attacks

6. The flow chat of creating puzzle and submitting puzzle.

The ethernaut contract will call the level factory to create the corresponding instance and initiate the challenger with the related puzzles' data when the challenger tries to hack a puzzle.

The ethernaut contract will call the level factory to check the result is valid, then modify the challenger with the related puzzle's data if valid when the challenger submits a puzzle.

Proxy contract address:Statistics.sol（https://github.com/OpenZeppelin/ethernaut/blob/master/contracts/contracts/metrics/Statistics.sol); The on-chain address (https://goerli.etherscan.io/address/0x7000e0f2f5a389df14b50c6f84686123f19b27f6#code).

Implementation contract address:ProxyAdmin.sol:(https://github.com/OpenZeppelin/ethernaut/blob/master/contracts/contracts/proxy/ProxyStats.sol) ; The on-chain address (https://goerli.etherscan.io/address/0x7ae0655F0Ee1e7752D7C62493CEa1E69A810e2ed#code).

2.the related links

https://blog.openzeppelin.com/on-the-parity-wallet-multisig-hack-405a8c12e8f7/

https://blog.ethereum.org/2016/12/05/zksnarks-in-a-nutshell

https://medium.com/@dariusdev/how-to-read-ethereum-contract-storage-44252c8af925

https://weka.medium.com/announcing-the-winners-of-the-first-underhanded-solidity-coding-contest-282563a87079

https://medium.com/coinmonks/missing-return-value-bug-at-least-130-tokens-affected-d67bf08521ca

https://forum.openzeppelin.com/t/uupsupgradeable-vulnerability-post-mortem/15680

https://blog.openzeppelin.com/compound-tusd-integration-issue-retrospective/

https://forum.openzeppelin.com/t/uups-proxies-tutorial-solidity-javascript/7786/14

https://docs.forta.network/en/latest/

https://medium.com/loom-network/ethereum-solidity-memory-vs-storage-how-to-initialize-an-array-inside-a-struct-184baf6aa2eb

https://swende.se/blog/Ethereum_quirks_and_vulns.html

1. 智能合约的几个方向

2. ethernaut puzzles汇总

3. ethernaut puzzles 案例类型解析

   1. solidity语言特性

   2. 与区块链本身的特性的相关点

   3. 合约之间的相互调用

   4. 第三方合约的使用

   5. gas消耗攻击

   6. 业务逻辑的创新与新的可能性

   7. 合约代理更新机制

   8. Bytescode级别

4. 个人看法

5. 其他资料

   1. Ethernaut资料

   2. 相关链接

1 智能合约编程的几个方面

自从开始接触智能合约，有关智能合约编程的几个方面一直让我印象深刻，1 是安全，这可以从以太坊经典事件DAO攻击以及此起彼伏的链上黑客攻击体会安全性在整个行业的重要性；2 是gas优化，对于gas优化可能现在由于不是牛市，以及layer2层逐渐完善导致的gas费降低，对这方面的关注在变淡，但我认为gas是基础，某些情况下其重要性可能会凸显，我猜想可能类似于量化投资中对于速度的要求，如果未来随着用户量的指数级上升，将会有可能再次引起人们对于gas的关注，另外一方面，智能合约每一步的运行最终都会转化为opcode,而每一个opcode都会消耗一定量的gas，这是整个EVM的运行的基础，也是了解以太坊核心的基础。3 则是智能合约之间的复杂调用关系，很多情况下随着业务复杂度的上升其调用关系也变得复杂，甚至有点扑朔迷离。我这里面所指的是CA合约CA合约之间的调用关系。

CA(Contract account): 该类型合约由代码控制。

EOA(Externally-owned account):该类型合约由拥有私钥者控制。

我们在看到单个智能合约本身往往是静态的变量与方法逻辑阐述，而涉及到很多复杂合约之间的相互调用关系时，往往则比较复杂。比如如下的合约之间的相互调用。

https://openchain.xyz/trace/ethereum/0xc310a0affe2169d1f6feec1c63dbc7f7c62a887fa48795d327d4d2da2d6b111d

智能合约之间的调用关系往往也是很多黑客事件主要的发生源，如经典的重入攻击。

4 则是基于智能合约基础之上可能展现的新的业务特性，我们知道智能合约本身就是建立在区块链本身的透明，不可篡改，永久持续运行的特点上，基于这些特点还有智能合约本身的特性将会使其与过往编程以及思考方式产生很多不同，比如基于开放式的基础设施上的开发,测试，以及以链上合约为基础单元的思考模式，比如如何更新链上合约的逻辑... 我认为这种新的环境或者方式需要逐渐去适应与揣摩，借鉴别人的思考去理解更多的可能性。

2. Ethernaut puzzles汇总

基于如上的理解，我一直尝试让自己去适应以及感受这与传统编程方式有何不同？而openzeppelin部署的ethernaut CFT，则是一个很好的测试自身以及增强自己对于此的理解。

https://ethernaut.openzeppelin.com/

如下是基于个人理解的对于ethernaut CFT的汇总

说明: 如下的puzzles案例类型介绍并不是针对每一个puzzle从头至尾的分析与代码演示，我认为已经有很多人写的很详细了。同时不少puzzles并不是那么容易解决的，其中不少puzzles我也是花了好几个小时才慢慢找到思路，甚至有些还需要借助网上别人提供的思路。我个人觉得如果是对初次接触智能合约的人来说，这可以算作一个提前性的参考，随着逐渐深入,如下提及的很多方面肯定都会遇到；如果是对智能合约有一定了解甚至是高阶的合约开发者，我觉得如下的内容可以算作是一个梳理性的操作，我认为其中的一些方面在未来还会继续衍化，某些方面我的描述可能过于压缩与不准确，欢迎讨论。

3. Ethernaut puzzles 案例解析

ethernaut CFT 主要以puzzles的形式去展示安全问题的各种情况，一方面可以据此去感受与实践在智能合约的编程中的潜在的安全问题; 二虽然呈现方式是安全问题，但据此可以在很多其他方面增强一定程度的理解，如solidity语言本身的特性,建立在区块链基础上的所衍生的问题，基于智能合约的业务设计；三则是建立一定的熟悉度，并且体会这种新架构下的与传统web2开发方式的不同。

这里仅仅就如下几个方面进行具体说明：

1.我个人在解决过程中碰到的难点问题

2.我觉得具有一定代表性的问题, 并且未来肯定会继续遇到相关的问题。如solidity语言特性。

3.生态发展肯定会涉及的一些事项，如代理更新机制。

3.1 solidity语言特性

1.overflow/underflow check

如针对于unit256类型的加减运算，如果没有进行校验，将会导致溢出。 可参靠 Token puzzle 。 不过solidity 在0.8之后已经默认加了 overFlow check。

2. fallback

如果调用一个智能合约，但是调用的方法没有匹配到智能合约的任何方法或者收到ETH时但是合约中没有定义receive 方法而是存在Fallback，则会默认调用Fallback方法。根据此特性，Fallback在不少特殊场景下都会用到，如重入攻击时，攻击者地址在收到eth之后，可以继续在Fallback方法中继续调用被攻击地址的合约。又比如涉及到代理机制时，业务逻辑合约只负责逻辑，但是并不存储最终的业务数据，这时如何调用业务逻辑合约的方法，就是通过代理合约中的Fallback方法进行中转，使用deleagteCall调用业务逻辑合约的方法。

3.Customer error

Good Samaritan案例中涉及到在调用中合约中捕获异常，但是抛出的异常对于捕获异常的合约却是无法确定是谁抛出的。

4.selfdestruct 方法

该方法的作用是销毁一个智能合约，同时将对应的eth发送到指定的合约上。其设计初衷是为了鼓励节省gas费。但是该方法同时却造成了任何一个合约都无法保证自己有能力不接收eth。如果将自己的合约逻辑建立在自身的eth余额上，如address(this).balance == 0。 该漏洞将会可能被黑客利用。 最新的solidity版本中并不建议使用，https://eips.ethereum.org/EIPS/eip-6049，

3.2 与区块链本身的特性

1.透明性

在solidity中定义变量可见性时，有public,private,internal. 但是将变量定义为private并不意味着该变量并不是不可见的，只是针对链上其他合约是不可见的，依然有方法可以获取其对应slot的值，如根据ethers.js 提供的方法 provider.getStorageAt( addr , pos [ , blockTag = latest ] ) 。 可参考Vault ，Privacy 。

当然如果要实现链上存储加密信息可使用零知识证明，即可以证明自己知道该隐私参数，但是却不会泄露该隐私参数。

2.随机数

由于链上的数据, 即便是被定义为private的变量也是可见的，同时矿工可以控制一些数据如区块哈希，时间戳,是否包含某个交易，导致直接链上生成随机数是存在隐患及不安全的，这个时候可以通过引入链下随机数来实现，比如chainlink。 对应案例可参考Coin Flip 当然有时智能合约需要的不仅仅是随机数，还需要更多业务数据，比如股票价格，这些也可以通过类似于chanlink的第三方来获取。

而自从Ethereum merge之后，新的opcode:PREVRANDOA, 也会生成随机数并且比blockhash由更强的随机性。

https://eips.ethereum.org/EIPS/eip-4399

3.地址生成

可以通过keccak256(address, nonce)来生成地址。具体可参考https://swende.se/blog/Ethereum_quirks_and_vulns.html. 这样将导致给一个没有私钥的合约发送eth,但是却可以用上述方法去获得这些eth。可参考案例Recovery。

4.合约状态存储数据结构

合约状态存储数据结构如下。合约中有2^256个slot，每个slot中存储的最大长度为bytes32.

动态数组存储的结构如下所示

参考案例Alien Codex

Solidity如何存储动态数组的值?，其对应的合约中的slot位置存储的是动态数组的长度，但是接下来存储动态数组的值并不是按照slot递增进行存储，而是根据该slot的值获取对应的keccakHash值，其对应的动态数组的第一个值存储的位置，动态数组后续的值则在此值后面依次排列。如图所示:

bytes32[] public codex 状态值存储在第三个slot值。此时对应的slot-2值存储的的是codex数组的长度。

数组中第一个值存储的位置则为location0 = keccak256(abi.encode(2))。 依次类推第二个值存储的位置则为location1 = location0 +1。然后根据sload(location)获取到对应的codex中的每一个值。

案例 Alien Codex 解决该puzzle则是需要更改该合约的owner地址为我们自己的合约地址。

如上合约创立的时候，默认已经设定好owner地址， 如下所示第一个slot的值则为该合约的owner地址。

可见，只要将slot0的位置更改为自己的地址，即可成为该合约的所有者。

起初我的想法则是，要使得keccakHashde(abi.encode(index))的值为0，那么对应的index值应该是多少？但是找了半天没有找到。

此时对于动态数组如何存储的规律就可以派上用场了，既然codex[0]值对应的slot位值已经知道了，同时整个合约存储的最大slot值为2^256, 那么 slot[2^256- array[0]]则就会对应合约中最后一个slot存储的位置2^256的值。

假设此时codex动态数组长度为的最大值为2^256。那么只要将codex[ 2^256- array[0]+1]的值设置为我们的想要的合约地址，那么此时合约中的第一个slot对应的值则为我们想要的地址，此时即对该合约拥有了所有权。

至于如何将codex动态数组长度为的最大值为2^256，不再此赘述，可参考如下方法。

3.3 合约之间的调用

1. 合约与合约之间的基本调用

我将智能合约的调用主要实现功能分为两大类，一类是发送ETH，一类是链上合约调用逻辑实现。当然两者可以结合起来，在实现链上智能合约逻辑时同时发送ETH.

关于发送与接收ETH，在solidity语言特性已经提到了destroy，Fallback。关于ETH发送的方法的如何选择历史上也是经历了一番讨论。如send,transfer,call几个方法都可以发送eth, 但是现在只是推荐使用call,同时需要防止重入攻击。

https://consensys.net/diligence/blog/2019/09/stop-using-soliditys-transfer-now/

https://solidity-by-example.org/sending-ether/

https://forum.openzeppelin.com/t/reentrancy-after-istanbul/1742

使用send,transfer时，对应的gas(2300)是固定的，由于实际区块消耗的gas费并不是一成不变的, 方法调用中也并不适合固定gas费.参考(https://consensys.net/diligence/blog/2019/09/stop-using-soliditys-transfer-now/)

可参考案例 King可参考案例 King

合约与合约之间的调用底层对应的调用方法有 call,staticcall,delegateCall

call可以直接调用被调用合约的方法,delegateCall也是直接可调用被调用合约的方法，但与call明显的一点不同则是delegateCall会修改调用合约方的state。由于delegatecall常用于代理更新机制方面，此处放在代理及更新机制进行说明。staticcall则是指再调用其他合约方法时并不改变整个区块的的状态值。

2. 合约调用中的变量变化

tx.orgin则是指一次合约调用中的初始方，经常则是EOA合约。

msg.sender:则是在整个合约调用链条中，被调用合约的调用方合约地址。

可参考案例 Telephone

合约调用可以是EOA,也可以是CA。而在CA中定义攻击逻辑也是常用的手段。

3. 业务逻辑依赖

涉及案例 Elevator,shop,Re-entrancy

业务逻辑依赖所导致的问题可能是最会频繁遇到的问题，无论是调用方还是被调用方的合约可能是CA合约，并且在CA合约中可以自定义任意逻辑，如果合约的相关业务逻辑依赖于外部，并且没有最好一定程度的校验，那么则是潜在的隐患。

案例 Elevator

其中 ! building.isLastFloor(_floor) 的实现依赖于外部调用方的合约逻辑，则攻击者则可以控制两次调用时的判断结果。

案例Shop

_buyer.price() 的逻辑，在攻击者合约中也可以进行控制。

而在实际的链上合约复杂的调用关系，这种依赖关系可能会更普遍也更复杂，有时想要发现其中的问题也不是一件容易的事情。

案例Re-entrancy 经典的重入攻击

当 msg.sender.call{value:_amount}(""); 调用方可以在自身的合约中再次调用该合约，这样会导致递归调用，

形如:合约(caller)B=》合约(called)A=》合约B(caller)=》合约A(called)... 从而提取所有合约A中的eth。

如下是攻击合约提取完被攻击合约所有的ETH的示例。

攻击合约A:0x.........d653666d

被攻击合约B：0x.........90ac810

可以看到如下的递归调用关系: 合约A => 合约B =>合约A=> 合约B...

链接地址

https://goerli.etherscan.io/tx/0x36b485c5b9e3e7a487ca9019675354584f3ddb30df6dbde844566995de4d52da#internal

3.4 第三方合约使用

第三方如openzeppelin提供的标准库有很多现成可用的合约可以拿来即用，但是如果缺乏一定的了解，有可能导致某些方面的隐患。

Naught Coin

可以看到针对transfer方法，其有LockToken进行限制，但是集成的ERC20而言，发送ETH不仅仅有transfer方法，还有transferFrom()方法，如果攻击方直接调用该方法，则可以绕过LockToken的限制。

3.5 gas消耗攻击

gas消耗攻击也可以理解为合约逻辑依赖于外部逻辑，只不过这里指的是外部合约消耗完此次调用所有的gas。

案例Denial

在withdraw中方法中，其中有调用call但是并没有指定使用多少gas，如果攻击者合约此时消耗掉所有的gas，那么该withdraw方法将永远不可能完成。

https://goerli.etherscan.io/tx/0xd2dbcdfa404a3864ca20041eb68770087c27f1061f5f13f52b92e746ab7a6b2c

3.6 业务逻辑的创新与新的可能性

在我看来defi起初建立的公式基础则是x*y=k。 其中x为tokenA的数量，y为tokenB的数量，k则是常数。tokenA与tokenB的之间的价格则是基于这个公式进行变化推算出来，如tokenA/tokenB的价格则为:y/x。

但是如果仔细考虑一些情况，则有潜在的风险。

如案例Dex中可以看到如下代码:

该puzzled的要求则是只要可以完全提取tokenA或tokenB在其中任意一个在池子中的数量即可。由于池子中tokenA或者tokenB的数量我们可以去调节，从而影响其价格，只要价格达到可以完全提取完任意一种token的数量即可。

如下所示，可以通过swap来调节tokenA与tokenB池子中的数量，当我将池子中tokenA/tokenB数量比为110/45时，同时当前自己又拥有超过45tokenB时，此时则可以将全部tokenA通过45个tokenB全部置换出来。

如上图所示，我总计进行了5次swap，通过第5次swap，将池子中tokenA与tokenB的调整为110/45. 此时我只要需45个tokenB即可兑换处所有的tokenA。

由此可见，单纯依靠池子的数量来定义价格，可能会被第三方控制，这时可以借助第三方的价格信息如chanlink的提供的价格信息，以避免价格被控制。

又比如案例Dex2,其目的是将两个token都全部提取完，dex2在dex的基础上只是省去了对于交易对token地址的校验。具体解决时感觉有些搞笑了。

此时我们可以构建自己新的交易对，比如构建tokenC，然后存入dex2合约地址10个tokenC，此时TokenC转换成tokenA的的比率则为100/10，可以直接通过10个tokenC获得100个tokenA。同理通过20个tokenC可以获得100个TokenB.

3.7 合约代理更新机制

由于链上合约代码的不可更改特性，但是某些情况下需要升级代码功能，如何处理？此时代理更新机制便应运而生。代理更新机制简单讲就是是在不改变原先代码的情况下去升级代码本身。简单来讲，代理更新机制涉及两个合约，一个是代理合约(proxy contract)，其用来存储合约运行的最终状态，另一个是业务逻辑实现合约(implemention contract)，合约的业务调用逻辑都通过该合约来实现。

当前代理更新机制分为两类Transparent 与 UUPS. 其主要区别是升级合约时前者是通过与代理合约(proxy)交互来实现,后者是通过与业务逻辑合约(implemention contract)交互来实现.

如案例Puzzle Walle，其是Transparent类型，代理合约权限修改及业务逻辑升级都是通过与代理合约交互来实现。该puzzle最终的实现是通过获取代理合约的所有者。

其代理合约为PuzzleProxy, 业务逻辑合约PuzzleWallet.

可以看到

代理合约PuzzleProxy，slot0，与slot1的分别存储pendingAdmin，admin.

业务逻辑合约PuzzleWallet,slot0，与slot1的分别存储owner，maxBalance

可见

业务逻辑合约(PuzzleWallet)-slot0:owner =>代理合约(PuzzleProxy)->slot0:pendingAdmin.

业务逻辑合约(PuzzleWallet)-slot1:maxBalance =>代理合约(PuzzleProxy)->slot1:admin.

此时只要将maxBalance设置为我们的的合约地址，即拥有了PuzzleProxy合约的所有权。接下来可以通过对multicall以及deposit方法的使用提取完代理合约中所有eth，最后执行setMaxBalance(uint256 _maxBalance)方法修改为我们想要的合约地址。

具体如何利用multicall，deposit，setMaxBalance，网上现在已经有很多人写的很详细了，在此不再赘述。

https://medium.com/coinmonks/solving-ethernaut-24-puzzle-wallet-fdf3be4634c4

这里所展示的是使用代理升级机制时一个不容忽视的注意事项，即代理合约负责存储最终状态，但是执行业务逻辑合约时需要注意业务合约的合约变量状态不能与代理合约的变量状态相违背。

案例Motorbike

Motorbike 使用的则是UUPS 类型. 这样合约更新可以直接通过业务逻辑合约来实现，同时也减少了原先部署代理合约的gas费。这里解决该puzzle是让其业务逻辑合约Engine不能正常使用。

代理合约为Motorbike，业务逻辑实现合约为Engine.并且可以通过调用upgrateToAndCall的方法来进行业务逻辑合约的更新或者升级。

但是这里的问题Motorbike初始化业务逻辑合约Engine时，业务逻辑合约Engine本身的initialize()方法未执行，从而其对应的horsePower以及upgrader的状态也未更新。

从该点出发，无论是谁调用了Engine合约地址的initialize()方法,即可成为Engine合约的所有者。那么也就意味着可以调用Engine合约的upgradeToAndCall()方法，从而可以破坏Engine业务逻辑合约。

如下图所示，此时创建一个合约其包含销毁自身的方法(killMySelf), 如前所示我们当前可以直接调用upgradeToAndCall()方法，让Engine合约直接调用该Hacker address的KillMySelf，于是Engine最终会销毁自身。

回到开始的motorbike，由于其对应的业务逻辑合约已经销魂，故该代理合约已经无法调用任务方法。

可见UUPS 带来更好的灵活性同时，但使用时也要谨慎。

可参考如下讨论

https://forum.openzeppelin.com/t/uupsupgradeable-vulnerability-post-mortem/15680

ethernaut.openzeppelin

而针对https://ethernaut.openzeppelin.com/ 其部署合约时则用的TransparentUpgradeableProxy模式,业务逻辑的合约升级或者更新直接通过代理合约来实现。当我完成所有puzzles的时候，想要通过合约直接查询历史交互数据，一开始是直接通过业务逻辑合约的abi接口来访问业务逻辑合约的合约地址，大家知道实际业务数据是存在的代理合约中的，所以一开始怎么也查不到数据，当我意识到ethernaut是通过TransparentUpgradeableProxy来部署合约时，通过业务逻辑合约abi的接口直接访问代理合约的地址，于是数据就查出来了。如下

https://goerli.etherscan.io/address/0x7ae0655F0Ee1e7752D7C62493CEa1E69A810e2ed#readProxyContract

3.8 Bytescode级别

链上存储的合约代码实际一串16进制字符串。实际运行时EVM根据预先设定好的操作规则，在堆栈中执行其对应的opcode,同时修改memory或者storage中的数据状态，从而完成该笔tx。

案例MagicNumber

而针对于MagicNumber puzzle，其涉及则是对于EVM如何处理bytescode级别的数据。对于合约的理解程度达到bytescode的级别是合约编程高阶的必然要求，很多情况下都会涉及这方面的操作，比如通过Yui或者assembly直接操作memory，再很多头部协议的代码中如uniswap都可以看到。

具体可参考如下链接

https://medium.com/coinmonks/ethernaut-lvl-19-magicnumber-walkthrough-how-to-deploy-contracts-using-raw-assembly-opcodes-c50edb0f71a2

4. 个人看法

该领域这两年获得不小的发展，如第三方工具包或者工具的完善，如大家常常用到的openzeppelin,chainlink,还有开发环境工具hardhat,foundary. 在我尝试完成上述puzzles的时候，ethnaut经常会提供一些更多的参考资料从而可以了解更多、更深入的这个领域的信息。如关于合约代理更新机制，如下讨论的时间基本都是在两年之内。

https://forum.openzeppelin.com/t/uups-proxies-tutorial-solidity-javascript/7786

https://forum.openzeppelin.com/t/uupsupgradeable-vulnerability-post-mortem/15680

比如DoubleEntryPoint 中提到了forta，其由分布式网络的节点组成，扫描区块信息，并且可以监控对应的链上事件，并且当需要时，如发现潜在的风险事件可以同步告诉订阅者，并且触发订阅者一些自定义方法的执行。这一切都发生在链上。我的理解这是链上基础设施。与此类似基础设施如thegraph，通过对链上合约方法或者相关数据建立索引，方便开发者快速查询。

又比如对于安全事故的解析

https://blog.openzeppelin.com/on-the-parity-wallet-multisig-hack-405a8c12e8f7/

这些散落在不同社群中的讨论，以及不断出现的新的工具或者底层设计，或者是整个社群中不断有人总结梳理的最新有价值的分享或内容，是个人跟进这个领域发展的核心源头，也是提高自己相应技能栈不可或缺的养料。

5.其他资料

1. ethernaut资料

ethernaut，github地址

https://github.com/OpenZeppelin/ethernaut/tree/master/contracts/contracts

ethernaut提供的解决办法

https://github.com/OpenZeppelin/ethernaut/tree/master/contracts/contracts/attacks

CFT 创建puzzle及提交puzzle流程图

挑战者每次创建对应的puzzle时，都会通过ethernaut合约调用对应的level工厂从而创建对应的实例。同时初始化对应的挑战者及挑战的puzzle数据。

每次提交时，都会通过ethernaut合约调用level工厂去检查对应的实例是否已经解决，如果解决同步相应统计数据。

业务逻辑合约代码 Statistics.sol（https://github.com/OpenZeppelin/ethernaut/blob/master/contracts/contracts/metrics/Statistics.sol);对应的链上地址https://goerli.etherscan.io/address/0x7000e0f2f5a389df14b50c6f84686123f19b27f6#code

代理合约 ProxyAdmin.sol:(https://github.com/OpenZeppelin/ethernaut/blob/master/contracts/contracts/proxy/ProxyStats.sol) ;对应的链上地址https://goerli.etherscan.io/address/0x7ae0655F0Ee1e7752D7C62493CEa1E69A810e2ed#code.

2.相关链接

https://blog.openzeppelin.com/on-the-parity-wallet-multisig-hack-405a8c12e8f7/

https://blog.ethereum.org/2016/12/05/zksnarks-in-a-nutshell

https://medium.com/@dariusdev/how-to-read-ethereum-contract-storage-44252c8af925

https://weka.medium.com/announcing-the-winners-of-the-first-underhanded-solidity-coding-contest-282563a87079

https://medium.com/coinmonks/missing-return-value-bug-at-least-130-tokens-affected-d67bf08521ca

https://forum.openzeppelin.com/t/uupsupgradeable-vulnerability-post-mortem/15680

https://blog.openzeppelin.com/compound-tusd-integration-issue-retrospective/

https://forum.openzeppelin.com/t/uups-proxies-tutorial-solidity-javascript/7786/14

https://docs.forta.network/en/latest/

https://medium.com/loom-network/ethereum-solidity-memory-vs-storage-how-to-initialize-an-array-inside-a-struct-184baf6aa2eb

https://swende.se/blog/Ethereum_quirks_and_vulns.html

1) the different products based on a different architecture

The ultimate form of products should satisfy the users' needs no matter the technology; the user may be customers, institutions, third-party research agency... So not only having a basic understanding of the basic technical knowledge but also the products based on the technology is a plus. Many services or products are emerging, which include the infrastructure services based on the blockchain and products involved the defi, nft, sofi, though we can be sure that many of these products can only survive for a short time. Now the dominated it services mostly have built on cloud services, so we can compare the blockchain and cloud services

sources:decentralized-finance-on-blockchain-and-smart-contract-based-financial-markets

sources:前哨, 科技训练营

cloud services VS blockchain

google-bigquery

ethereum-bigquery-public-dataset-smart-contract-analytics

google-bigquery

As the above shows, blockchain and cloud services are different systems architectures, such as the various people who maintain the services, and the former's background is more diverse. Perhaps different chains have different situations, but the community has a great effect on the blockchains. Of course, there are some companies and investment institutions behind the blockchain. The services and the form of services based on the blockchain and cloud services are different in many aspects, and there are some relations between them, for example, some blockchain nodes running in the cloud services, get blockchain data from google services.

2) the financial products under web2 and web3

As we know, the financial markets have played a significant role in the economic system and are highly complex. The past financial depressions have still made people feel impressed. The defi summer in 2020 taught people many new concepts. I'm not saying that web3 only refers to finances, but in my understanding, the defi is fundamental to web3; many other aspects, including NFT and sofi, have also built on it. We can make an analogy that takes web3 as our current economic system; the critical role of the financial market and financial institutions is prominent; thus, we can think of more meaning of defi in web3 and all the ecosystem. This analogy may only work in some aspects, but the comparison will inspire us with more meaningful ideas.

Traditional financial exchange markets, such as securities exchange, mostly use trading on the floor, order books format. On the contrary, web3 primarily uses the AMM format exchange, which uniswap is the representative. One highlighted the different points is that in the former, in which the buyers and sellers achieve the deal through the orders books, sometimes third-party market makers should supply liquidity. The latter is based on the smart contract, which any user can interact with and make a deal with if the smart contract has enough liquidity. This different fundamental architecture leads to various features, and these features and possibilities based on the new features can easily be found in some research reports or official websites.

https://docs.uniswap.org/protocol/V2/concepts/advanced-topics/research

But it does not mean that the traditional financial market and web3 financial are isolated, such as dydx reference the order books format, which brings some mechanisms from the traditional financial market. It's easily found and forecasted that many web3 financial products will be emerging, bringing some concepts or ideas from the traditional financial market. And vice versa.

Another different point is about the regulation policy. Such as the investment entrance requirements involving how much the personal net worth, available assets, and Investor risk tolerance according to different investment targets. But this is a relatively empty area in web3.

The most famous data services providers in web3 include messari, who supply not only research reports but also some fundamental data or data analysis, nansen is well known for the tracking of the smart money; dune, which anyone can write or use other guys' dashboard that the SQL can write. Meanwhile, in the traditional financial market, we can see many financial data providers such as American's Bloomberg Inc and China's Wind. So the web3 data services provider is also an unignore role.

The below involved the comparison between the traditional financial and the defi, which can find in Berkey's online defi course.

https://rdi.berkeley.edu/berkeley-defi/assets/material/Lecture%204%20Slides.pdf

https://rdi.berkeley.edu/berkeley-defi/assets/material/Updated%20Lecture%205%20Slides.pdf

3) which points between web2 and web3 should give more attention

We can find financial products such as the exchange-uniswap, credit service provider- compound, aave, and derivatives trading- synthetix in web3; all the financial product types can find in the traditional financial. But the defi is still in the very very early stage; the complicated level, user conveniences will have great potential to develop with the development.

Another point is what the possibilities can emergy based on the unique features or abilities of the defi, such as flash loan, what about the government regulation policy, what's the mini requirements according to different investment targets in various countries, how to consider the regulations in web3 or defi? Will some traditional financial organizations apply the defi to improve their service or products' competitiveness?

All the above will bring tremendous change to the world, in my feeling.

3. The difference and some potential between different geographical areas、different languages 、different communities

1. The impact on communities has been growing

I have written that the community maintains the block services in the previous chapters. The community can refer to the developers with some relationships with the Ethereum foundation. We also call these developers builders who design the architecture and main the running services. Besides these participants, there are many other guys, such as more designers focused on their specific business logic, some users, and some activists.

The debate about the community's form and the evolutions always is very hot—for example, vitalik's blog, which involved these topics.

https://vitalik.ca/general/2022/07/13/networkstates.html

Not only does web3 have many communities, and many other industries have their communities. What's fascinating and imaginative is the communities in web3 built in the blockchain architecture. For example, the change of the investment model, which the capital received from the investment companies and now have another option: the money from the communities; the deeper relationships between the products and early users in the community; the new programmable collaborative ways which are cross-geological,cross-language. All the above and more are emerging.

With the internet investment boom since 2000, many giant internet companies mostly received capital from angel investment or investment companies. Are there more possibilities for the future winner to develop in these communities?

2. What's the difference between China and America in web3, in my understanding

I have kept an eye on the Ethereum development since finding that most top-level protocols have been built in Ethereum. And along with observing more protocols and potential protocols, the apparent fact is that most potential protocols are in the English world and mainly in America. What's more, It makes me feel like entering a new world while I read the messari annual research report, listens to many bankless episodes, find some technical articles, and other great content. As time flies, my English and computer level have unconsciously made a good step. I feel I'm the rabbit in the rabbit hole. Enjoy the imagination and great thought the good content have brought me. Feel the excitement and motivation when seeing the pure passions in the community. All these are very fun. But It is undeniable that understanding and grasping the technology mechanism and more details take work.

On the other hand, observing the Chinese world, we find an interesting phenomenon: English articles or reports once published, translated Chinese articles published either after hours or the next day. The number of original Chinese high-value articles about web3 is less than the number in the English world. All of the above explains the great value of absorbing great English content. Another point is that cross-geological features in web3 and the primary trends most have developed in the English world, so becoming a core builder is challenging if one's English ability can't achieve the required level.

An interesting phenomenon is that if one topic becomes very hot in the English world, it will become hot in the Chinese world after about three months. The three months or the flowing dates is my feeling, not the precise data. Let's take the 2020 Defi summer as an example, the defi speculate, or investment has become hot since the start of 2021 in China. When the NFT topics became hot in the start months of 2021, we can see great media reports about NFT in China in the middle of 2021; the difference is there are many strict policies after such topics become hot in China. In the second half of 2021, one question I was always thinking is the value of becoming a web3 developer; there was little content about the topic at that time. But in 2022, perhaps from the Apir or May, there is more content about becoming a web3 developer; as we know, because of the limited audience when talking technology, the topics are less hot than speculated topics.

More points include the debate atmosphere, debate topics range, and the difference when debating; the more details I'm not planning to write in there. But feel that the English communities significantly affect the Chinese communities to some extent, and sometimes they observe the Chinese communities. All the debates in these communities, which have high reliability? Which has the high guide value and even can take guide advice? It's interesting and worth comparing the differences.

Even beyond web3, the information differences between the English and Chinese worlds will also supply some serendipity values. For the personal, the comparations, the more info sources and the debates under the multi-languages, even joining the discussions will have more inspiration and value.

3. What are the possibilities under the differences

When considering the following factors:

1. The fundamental financial features of the Defi

2. the programmable collaborative possibilities based on the distributed architecture

3. the opportunities that the study and communications will bring under the cross-languages and cross-geological.

Based on the above factors, many things are emerging:

• A primary student in northwest China becomes very interested in web3's topics.

• One student is coding in the university dormitories in Argentina.

• Some people in Hongkong, London, or Silicon Valley are planning to build a project.

• A serial entrepreneur is looking for the next business.

...

In short, many things are not easily seen but are planning and building. With these technologies eating the world, for some people, these are the bubble investment like playing a roller coaster; for others, these chaotic ladders.

Closed Thoughts

The article covered topics involving technology, product forms, communities, and some comparations. Of course, everyone has their focus and understanding, and the range of topics can expand longer, such as the zk(zero knowledge)'s abilities in web3. The article's topics are personal views, and more topics are not involved. But the topics in these articles have a long time value and are worth following; more value under these topics will appear as time flies. Even though the topics in the article were simply an introduction, there are more contents and details behind the related topic, and they are changing very fast. You can find more references on the official website, research report, or the Investor education some investment institutions supply. I hope all the above has been a good help to you.

That's not saying web3 must change the world. But based on the blew points, meaning and fun must exist.

• Not only the transportation and dealing with information, but also the abilities can work in the value. We can deal with any piece of information and achieve any level of infos with the program. For example, when we want a computer's introduction, we can get the CPU version、the brand、the storage... And we can also get any level of information in an institution, such as account management, IT department... I think there are more abilities and power if we can make the program work in value.

• the transactions or some info are permissions to everyone; this open source principle has been affected by the activity of the open sources.

• The composability. The smart contracts based on the blockchain have the composability feature. And this architecture for composability exists from the start.

Based on the above points, I feel like climbing a great mountain and seeing the vast plain.

But meanwhile, money makes the crowd crazy and make much noise; sometimes, even false information misleads people. In one episode of bankless, the guest I remember is the polygon investor who said a number:199.

one means 1% of the new world who are actual builders and some interesting people; 9 means.9% who are investment institutions or some individual KOL; 90% of the world are the others.

Perhaps the number lack accuracy, but these describe the essence of the phenomenon of why there is much noise. So some questions often appear in my mind. What info are noises? What noises should be blocked? Garbage in, Garbage out, if one absorbs more garbage info, certainly one's output and quality in a low level. And also have harmful effects in absorbing more high-quality content; everyone only has 24 hours one day, so why pay attention to these noises?

So I start to think about what content should give more attention since I observe the new world. Which topics are engaging, exciting, and challenging? Even more What are the more possibilities? Although we know the world is a dark forest to some extent, some things make one sad, but the surprise connections and new thoughts trigger more passion. The articles cover three topics with more value, and we should keep an eye on them.

1. the evolution of technology and the corresponding tech stacks

   1. the development form of computers

   2. the different paradigms of software development

   3. how to advance one's tech stacks

   4. the guide about software development practices and how to make a more advanced step

   5. A deep understanding of the EVM mechanism

2. The market situations and the evolutions of the financial products in web3

   1. the different products based on a different architecture

   2. the financial products under web2 and web3

   3. which points between web2 and web3 should give more attention

3. The difference and some potential between different geographical areas、different languages 、different communities

   1. The impact on communities has been growing

   2. What's the difference between China and America in web3, in my understanding

   3. What are the possibilities under the differences

1. the evolution of technology and the corresponding tech stacks

1) the development form of computers

First, many forms of computers have emerged sequentially in history. As we can see, including the personal computer(some programs in personal computers which do not connect to the internet), Mobile Phones(Not limited to the location), and some soft systems based on the Client-Services model, centralized services, and cloud services. All these services are backed by one entity that maintains the operations. With the distributed technology development, some services appear that many nodes collaborate to support, such as the distributed share docs. But these services are only limited to share docs. The more complex applications has yet to achieve.

BTC's main feature as a medium of exchange for a cryptocurrency from the initial design. Although the design never appeared in human history, the more complicated business logic implementation is difficult in BTC, such as our current apps on mobile or computer, which have much more complex logic according to our needs. But with Ethereum’s appearance and development, more apps with complex logic based on the smart contract have more possibilities emerging.

To my excitement, This is a super great computer, which anyone can interact with when connecting to the internet. How we interact with it is different from how we interact with the mobile or computer. However, we constantly interact with the super great computer by mobile or computer. In brief, the new computer has below features:

1. permissions(anyone, anytime, anywhere, can interact with it, have basic network and hardware)

2. the base layer is based on distributed tech. No centralized entity can control it

3. How we interact with, and display content is different from the previous computer we see. in essence, it's txs on chains.

Essentially, the structure of the txs as below

Simply think this is a super great computer; anyone can play it no matter where they live; perhaps the people who play it couldn't have any relations if this new type of computer didn't exist—what a fascinating thing.

2) the different paradigms of software development

As a software engineer in web2 previously, the feeling about the different paradigms between web3 and web2 is even more vital. The below videos have taught me many critical fundamental things. It's worth watching.

DappCamp X Rajeev Gopalakrishna : Web 3 Security

the different points in different perspectives

• keys and tokens

• unstoppable and immutable

• Open- source and transparent

• Pseudonymous Teams & DAOs

• New Architecture, Language & Toolchains

• Composability by Design

• Compressed Timescales

• Test-in-Prod

• Byzantine Threat Model

• (who you trust and who don't you trust)

• every actor could be malicious.

• Miners,validator,infrastructure provider, developer,

• Team,users

• Anyone could be a threat

• Audit-as-a-Silver-Bullet

Many people may understand the different architectures between web2 and web3 but may need to pay more attention to more perspectives. Such as the trust model: who are the potential attackers in web2? Are they outside people or inside people? The judgment can always easily confirm in web2. But in web3, anyone could make malicious actions, the miners(validators) perhaps can make, the team behind the protocols can make, even the developers or users can make. What are the considerations based on the above situations, and what jobs should do? There have appeared some hacked cases involving the above sititutions. You can easily find the corresponding cases if you have noticed the ongoing hack incidents.

3) how to advance one's tech stacks

The low efficiency is in getting the on-chain data while I learn, write, and interact with the smart contracts. We can quickly get the data by SQL in web2 if familiar with the tables structures. And can query the running system's state data by the IDE.

Getting the on-chain data or customer data is always a combination of operations; we need to be skillful in some tools and familiar with the block data structure. So the question of how to get the on-chain data quickly as the web2 development is significant. Thus developers can interact with the smart contract at a good speed.

The question can analyze in two layers.

1. The excellent understanding of the on-chain data structures.

On-chain data structures include but are not limited to the following: blockhead, block body, the transactions in the block, logs, receptions, and Merkle data.

https://medium.com/@eiki1212/ethereum-state-trie-architecture-explained-a30237009d4e

The dune encapsulated the blockchain data according to their design and the customer's need, so we could better understand the blockchain data structure. Below are my summaries of the design.

1. Extract the rudimentary data, including the block data, transactions, and states info. Then make new tables according to different needs based on the extracted data. The requirements could be to query the protocol data(all the addresses which interact with the uniswap_v2) or the involved operations(the addresses which interact with one pool of the sushi). So we can query the data we want with the new tables.

2. We define the tables, which extracted data according to different demands, called the abstractions, such as the table called erc20.tokens, which pulled all the ERC-20 token basic info. Also, users or third-party can define their tables based on their demands.

3. The abstractions can be divided into many categories according to demands, such as protocols data, specific smart contract data, and always-used data, such as price and NFT data. In general, the needs we encounter and want to do can all analyze and deal with based on the encapsulated or basic tables info.

4. All the above just involved some data structure designs. The more features such as data visualization and the dashboard, which other great guys have written, also have great value. With blockchain technology becoming more and more effective in the real world, on-chain data analysis has great potential. If one has some fundamental knowledge or experience in programming, this is an excellent tool to help to do more things.

2. How to get the blockchain data? The ways which get the on-chain data include but are not limited to the blew.

• Geth client, command lines

• etherscan.com explorer

• SQL by dune

• standard used development tools such as hardhat, forge(cast)

From the perspective of writing the program, getting data from the development tools is the most efficient way. For example, we can write script tasks by hardhat and then integrate the scripts into other programs such as a shell.

Hardhat.config.ts(config a task that can get the smart contract's code when inputting a smart contract address)

task("getCode", "Prints smart contract bytescodes by address'")
  .addParam("account", "The account's address")
  .setAction(async (taskArgs, hre) => {
    let code = await hre.ethers.provider.getCode(taskArgs.account);
    console.log(code);
  });

Directly use the task in the command line

npx hardhat getCode --account 0x7a250d5630B4cF539739dF2C5dAcb4c659F2488D --network goerli

forge cast(supply some command lines) get the block data based on march 2022, the same time as now.

date -v21y -v3m "+%s" | xargs cast find-block | xargs cast block

Getting the different on-chain data according to one's demands can quickly implement based on the above ways and the more tools emerging in community, such as CTC

https://twitter.com/notnotstorm/status/1574214692834115585?s=20&t=BjIOREX4G1h5mhOoowrdqQ

4) the guide about software development practices and how to make a more advanced step

Many people who want to enter the world ask one question, How to become a web3 developer? There are many good guys guides in the community. Some guides are excellent.

https://sm4rty.medium.com/roadmap-for-web3-smart-contract-hacking-2022-229e4e1565f9

• Learn Blockchain Basics and Ethereum.

• Smart Contracts and Programming Language.

• Learn Testing Frameworks like hardhat/foundry

• Learn Finance Basics.

• DEFI and DEFI Attack Vectors:

• Learn Commonly used Libraries and Token Standards:

• Learn common Smartcontract bugs, Tools and best Practices

• Complete CTF challenges.

• Read Audit Reports and Postmortem Blogs:

• Continuous Learning and Research

The third point people may need to pay attention to is basic financial knowledge. Defi supplies the features like an exchange, collateral, borrow and lend, and derivatives Trading, which are similar to traditional financial products. But there are not only similarities but also some differences, such as flash loan, which only exists in defi. Undoubtedly, the financial mechanism in defi will become more and more complicated with the development of the markets. All the above makes me make one judgment. The soft development in web3 and web2 is the different philosophy System Structure.

1. the fundamental design and philosophy are different

2. the software development tools are different

3. there are more considerations from the security perspective

4. the products are cross-regionals and cross-border from the born

5. the facilitating power of the community

6. business logic's innovations, more new ideas, and thoughts

other references：

https://trustchain.medium.com/become-a-blockchain-expert-beginner-to-advanced-for-free-65ce62606176

https://twitter.com/BowTiedDevil/status/1573519590373883904?s=20&t=He-Qirzu4UXaalR3xi0ctA

5) A deep understanding of the EVM mechanism

I have more attention to the EVM based on the following considerations:

1. There is many top protocols' hiring info, including one requirement which should have a good understanding of the EVM.

2. From my own learning experiences, the gas optimism and security have a deep relation with the EVM.

3. The EVM is the core of Ethereum from the tech perspective.

I can grasp more EVM chains quickly if I have a deep understanding of the EVM, and I also can grab other no EVM chains because their design may borrow from Ethereum.

Java programs can execute based on the java virtual machine(JVM); JVM's design considers the different platforms so that the Java program can run on different platforms. The essence of the running JVM is stacks of Bytes Code. The computer's s chip's instruction sets are also stacks of the bytes code, which is configured when chips are produced. The difference in my understanding is that EVM's design is purely based on soft architectures. Although I am unfamiliar with the design, my understanding is that the EVM has some realtions with the chips' Instruction sets or JVM design, which indicate the information technology development.

All of the above make me consider learning that EVM has many benefits. Meanwhile, many good articles guide readers to grasp difficult concepts. This learning experience is fantastic; I can grasp difficult concepts step by step.

other references：

https://noxx.substack.com/p/evm-deep-dives-the-path-to-shadowy

https://betterprogramming.pub/solidity-tutorial-all-about-data-locations-dabd33212471

the most cover full materials about the EVM

https://www.evm.codes/about#otherevmresources

1）不同架构下不同的产品

无论是基于什么技术，最终产品形态都是基于使用者，这里的使用者可以是用户，机构，第三方分析机构。基于blockchain架构的基础设施以及对应类型的产品如defi,nft,sofi… 等呈现快速涌现的趋势，尽管可能这里面有很多产品是昙花一现。

而当前基本上主流的IT服务基本都是基于云服务，如下为blockchain体系架构与云服务架构的简单对比。

sources:decentralized-finance-on-blockchain-and-smart-contract-based-financial-markets

sources:前哨, 科技训练营

google-bigquery

ethereum-bigquery-public-dataset-smart-contract-analytics

google-bigquery

可以看到云服务与blockchain是两套完全不同的体系架构，比如两者背后维护服务的群体有显著不同，blockchain维护的群体背后更呈现多样化，可能不同公链还是有很大不同，但有些公链社群在其中的影响举足轻重，当然经常也会见到一些企业，投资机构的身影，这里不具体论述。基于其上的服务及服务形式也会有很多不同，同时两者之间有些服务是相互渗透的，如一些节点运行在云服务器上，google提供 访问区块数据的功能。

2）web2与web3下的金融产品

我们知道，金融市场在经济体系中的重要性，同时其复杂度也很高，而过往发生的历次金融危机也让人们记忆尤新。2020年的defi之夏刷新了人们很多观念。不是说web3下只有金融，只是在我看来金融属性是其基础，很多其他方向如NFT,sofi..等等都是建立在其基础上，可以类似想象一下我们当前的经济形态，金融市场及金融机构在其中扮演的位置与角色，以此类比为web3下的defi以及基于其上的各种生态，可能有些地方不太恰当，但是还是具有比较意义的。

比如传统金融交易市场，如各类证券交易所使用的大多数是场内交易，订单簿形式。web3则是以uniswap为代表的AMM形式的去中心化交易, 这里一个显著的不同是，前者则是买方买方交易双方通过订单匹配的方式形成交易，该模式下有时需要做市商提供流动性，而AMM则是基于智能合约本身，只要对应的智能合约本身有足够的流动性，用户任何时候都可以完成一笔交易。当然由于两者本身的基础不同，也导致了不同的特性，这些在uniswap官网或者其他研究报告中都可以找到。

https://docs.uniswap.org/protocol/V2/concepts/advanced-topics/research

但这并不是说传统金融与web3金融就是截然割裂的，比如dydx本身就是订单簿形式，充分借鉴了传统金融市场的交易机制，已经看见和可以预见的是不断会有很多web3金融产品会借鉴传统金融市场的一些理念。

另外一点则是传统金融市场，不同国家的监管政策，比如针对于衍生品投资，不同国家针对于参与者都有一定的要求，如个人净资产，可支配资产，投资者投资风险说明等等。但基于web3这一点当前还是一个空白的地方。

关于数据服务提供商，大家耳熟能详的messari，不仅提供分析报告，也会提供一些基础数据; 以追踪smart money为众人所知的nansen; 自定义编写SQL创建分析版块的dune; 而在传统的金融市场上，金融数据提供商如美国的Bloomberg Inc, 中国的wind 也是非常重要的市场参与者。以此来看，同样web3金融数据服务提供商也是一个非常重要的亮点。

如下为伯克利dei课程介绍传统金融及defi,并就两者进行比较。

https://rdi.berkeley.edu/berkeley-defi/assets/material/Lecture%204%20Slides.pdf

https://rdi.berkeley.edu/berkeley-defi/assets/material/Updated%20Lecture%205%20Slides.pdf

3) 哪些天生的不同点值得关注

当前我们可以看到的defi产品如去中心化交易所uniswap, 借贷服务提供商compound,aave. 以及衍生品交易synthetix. 保险提供商nexusmutual 都可以在传统金融上找到其对应的服务机构。 当前这一切还处于非常初级初级的阶段，但是可以肯定的是如果能有发展，其复杂度将会不断上升，尽管可能从用户角度看便捷性会，易用性会提高很多。

另外一点则是defi自身所具有的的独特特性或者功能，其将会释放哪些更多的可能性？比如flashloan？ 监管如何处理？各国针对投资者投资不同的标的都有不同的准入门槛，defi世界如何考虑监管？传统金融机构会不会使用一些defi产品来提供自身产品的竞争力？…

这些在我看来都是可能会产生恐怖级别的变化。

3.不同地域，不同语言，不同社群的差异

1) 社群影响权重的上升

在前两章中，我提到blockchain谁在维护基础服务时，谈到了社群。这里的社群比如与ethereum foundation相关的开发者群体。当然开发者群体俗称builder, 是整个体系的设计者，维护者，除此之外还有其他各种类型的社群参与者，不如针对不同业务方向的设计者，使用者，活动者..

而关于社群形态或者其发展路径，也是一个时常比较激烈的讨论，比如vitalik曾经就此写过自己的看法

https://vitalik.ca/general/2022/07/13/networkstates.html

不仅仅是web3，每个行业，每个领域都有自己的群体，而基于blockchain架构下形成的群体及特点确实让人充满了想象，比如投资模式的改变，从基于投资公司投资早期初创企业到基于社群募集资金；从第一批用户或者产品的使用者与社群的深度关联；跨地域，跨语言，基于blockchain架构下可编程的合作方式… 这些正在不断涌现与尝试中。

所以我始终有一种感觉，2000年初的互联网的投资浪潮开始，现在的互联网巨头可能大多数都是基于天使投资方式或者其他企业级别的投资方式，那么再往后几十年来看，未来的胜出者会不是从这种类型的社群中涌现出来。

2) 我眼中中美之间的一些差别

自从看到基于智能合约的的头部项目是在ethereum上之后，让我对ethereum保持持续关注与了解，同时进一步看到了更多的项目，有潜力的项目大部分都是在英语世界，并而大多数都是在美国，而在阅读了解了诸如messari的年度报告，听了不知道多少期的bankless的podcast之后，还有很多英语世界让我颇受启发的技术文章以及很不错的内容之后，不知不觉我就好像进入了一个新世界，而这一年多以来，我的英文水平貌似也在潜移默化中快速提高了，同时也拉升了我的基础计算机水平，我就是那个掉进兔子洞中的兔子。我很享受这种想象与思辨的内容，同时看到与感受到那种纯粹的热情，也让我感觉很有热情有动力有意思，有时不禁感叹太好玩了。但是也理解其中的不易，理解基本的技术原理以及技术细节，甚至是掌握并不是那么容易的，而且也不见得就能玩转起来。

反过来，回看中文世界，基于一些原因，中文世界的基本情况大家都懂。经常性的看到一篇英文文章或者报告，第二天或者下午就有人翻译出来。但是原创性的高价值的文章相比英文世界还是少一些。这也进一步说明了通过英文方式获取信息的价值巨大。同时web3本身的跨地域特点，以及基本主流趋势都是在英文世界，想成为核心建设者，英文水平不达标，基本不可能。

一个有意思的现象，即在英文世界出现热点之后，个人感觉是3个月左右中文世界开始热起来，比如2020年defi之夏之后，2021年初中文世界defi开始热起来，2021年初NFT在英文世界逐渐火爆，2021年年中NFT开始在中文世界出现大量宣传，一个不同点则是接下来中文世界则是严格政策监管；我在2021年下半年就在思考这个领域开发者的价值，当时中文社区更多的报道也都是炒作概念，如何成为这个领域的开发者基本上没见到，但是于今年，可能是4，5月份开始，这方面的内容中文世界逐渐多了起来，不过技术类相对受众较小，没有炒作概念传播广泛。

另外一点，则是讨论的氛围，讨论的话题范围，观点的分歧，具体则不展开，可以明显感受到中文世界还是受到英文世界的影响，或者说英文世界对中文世界还是有一定关注度。哪些具有可信度，具有足够的参考甚至指导价值，都是有意思值得对比的地方。

即便不是web3，其他领域这种信息差有时也会带来一些意想不到的价值。针对于个人，这种对比，多源的信息，多源的的讨论与参与也是很有启发的。

3）差异可能释放出来的可能性

defi的金融属性基础；web3基于分布式架构的可编程协作的可能性；跨语言，跨地域的交流，学习，碰撞带来的思想上新的可能性。无论是在中国西部地区的某个中学生的好奇了解中，还是阿根廷某个大学生在宿舍正在coding，或者是香港,伦敦，硅谷某所大学的学生在孵化某个项目，亦或者某个连续创业者正在寻找新的赛道… 总之，也许一切正在我们看不见的地方正在孕育。 对于一些人来讲，这可能是又一次的过山车的投机泡沫，但是对另外一些人来讲，这将是混乱的阶梯。

结语

本系列主要是个人认为针对web3应该关注什么？涉及到技术，产品形态，社群以及一些差异的对比。当然每个人的关注点及理解点不同，关注的范围与重点也会有所不同，比如zk(零知识证明)在这个领域的运用，此处也仅仅是个人观点，同时也会有很多话题没涉及到。但是个人认为如上谈及的一些点个人认为值得关注，长期来看其价值将会不断显现，很多点也是简单提一下，实际上背后有大量的内容与细节，同时也在不断快速变化中，有很多相关的资料也已经写的很详细了，无论是官网还是一些研究报告亦或者是一些投资机构的投资者教育。希望这些对你有所帮助。

不是说web3一定会改天换地，但是基于三点，一是不仅仅是信息的传输与处理，而且是价值的传输与处理，思考一下，我们通过程序对于信息的处理达到任意颗粒度，任意级别，如果对于这种处理能力作用于价值将会什么效果？第二点，链上交互与信息对于所与人开放，这种开放本身与开源软件本身有一脉相承的感觉。第三点，可组合性，链上合约本身的功能天生就具有可组合性的特性与需求。基于如上三种特性，感觉就相当于突然爬上一座山峰，映入眼帘的是一片广袤的平原。

但与此同时，金钱会让人趋之若鹜。群体性的疯狂不可避免的会出现一些噪音，进而更进一步会放大某些噪音。我记得bankless有一期节目，好像是polygon投资人聊过对于这个行业的看法。其中polygon创始人提到了一个数199，即这个行业只有1%的人是真正的建设者或者有意思的人，另外9%则是投资机构，个人KOL之类，另外99%则是大众。所以，在这种喧闹之中，各类信息之中，有一个问题经常会触发我的神经？那就是什么是噪音，哪些应该去屏蔽？gabage in, gabage out. 如果吸收过多的垃圾信息，那么个人的输出或者产出质量也不会高。同时也会影响吸收有营养，有价值的信息或者知识。每个人的一天就只有24小时，为什么要把注意力贡献给这些噪音呢？

所以，从一开始我就思考应该关注哪些内容，哪些让人感觉到有意思，有挑战，充满新的可能性的事物？ 与此同时，即便会遇到一些不那么美丽的事物，但是一些意料之外的惊喜链接与新的思考，还是挺能激活人更多鲜活的情绪与热情。

本文着重从三方面来说，我觉得哪些方面需要关注。

1.技术的演进与相应的技术栈

• 计算机形态演变

• 不同的开发范式

• 如何武装自己的技能栈

• 进阶实践与指导

• EVM的深入理解

2.市场状况与产品形态的演进与尝试

• 不同架构下不同的产品

• web2与web3下的金融产品

• 哪些天生的不同点值得关注

3.不同地域，不同语言，不同社群的差异

• 社群影响权重的上升

• 我眼中的中美之间的一些差别

• 这种差异可能释放出来的可能性

1.技术的演进与不同的实现方案。

1）计算机形态演变

首先从计算机的发展形态而言，从个人计算机(单机版的应用), 再到移动手机(不受限于地理位置)，应用程序的服务化(CS客户端模式)，中心化的服务器，云服务。在这之前，计算机所提供的服务本质上都是有一个独立的实体去进行维护的。分布式技术发展以来，出现了多点维护的服务，如分布式分享文档。但是这种服务也仅仅陷于分享文档。更多更复杂的应用还不能实现。

BTC本身从最初的设计而言来讲，也仅仅更多的是作为一种货币的交易媒介。尽管这种形式在人类历史上从来没有过。基于分布式技术之上提供更多的功能，就像我们现在使用手机上的各种app的功能一样，没有这样的基础。但是ethereum等公链，基于智能合约本身则让这一切有了涌现的可能性。

令我感到兴奋的则是，这就想一个超级大计算机，任何人只要联网都可以进行交互。只不过这种交互方式与我们之前通过计算机或者手机那种方式不一样，即便与这个超级大计算机交互的媒介也是通过计算机或者手机。

1.无许可性(任何人，任何时间，任何地点，只要有最基本的网络与硬件就可以交互)

2.底层运行基础基于分布式技术，任何中心化实体无法操控。

3.当前的交互方式与呈现内容也不一样。 实质则是链上的一笔笔交易(TX).

本质上是如下的数据结构

                                                          source:[noxx](https://noxx.substack.com/p/evm-deep-dives-the-path-to-shadowy-16e)            

单纯的讲想想这就是一个超级大计算机，世界上任何人都可以玩，也许是这辈子都不会有交集的两个人。这件事情本身就不是很有意思吗？

不同的开发范式

对于曾经作为一名开发人员而言，这种不同感，则会更让人深受震动。这是两种不同范式下的开发模式。如下的视频对我触发很多，非常值的观看与思考。

DappCamp X Rajeev Gopalakrishna : Web 3 Security

                         不同角度下的不同点

• keys and tokens

• unstoppable and immutable

• Open- source and transparent

• Pseudonymous Teams & DAOs

• New Architecture, Language & Toolchains

• Composability by Design

• Compressed Timescales

• Test-in-Prod

• Byzantine Threat Model

• (who you trust and who don't you trust)

• every actor could be malicious.

• Miners,validator,infrastructure provider, developer,

• Team,users,

• Anyone could be a threat

• Audit-as-a-Silver-Bullet

对于web2与web3的不同的架构，很多人应该很熟悉了，但是更多的其他角度，我觉得可能关注较少或者思考较少，比如从信任模型来说，传统的web2开发，谁可能是潜在的攻击者，是内部人员，还是外部人员，更多情况下这些评判都很明确。但是基于web3，任何一个参与方都可以是恶意人员，矿工可能是，验证者可能是，团队可能是，甚至开发者，用户都可能是。基于这些如和考虑安全？而如上的可能是，当前很多也已经发生了很多对应的案例。

如何武装自己的技能栈

在了解，编写智能合约以及进行交互的过程中，让我感受效率特别低的一个地方就是快速获取我想要的数据。传统web2开发时，基本上只要对于表数据结构很熟，很快就可以通过SQL等相关语句快速查询到想要的数据。或者通过IDE工具快速获取系统运行过程中的状态数据。

但是如果想要快速获取相关区块数据或者按照自己的需要快速获取数据，在我看看来往往是一种组合操作，需要对于一些工具达到一定程度的熟练运用，以及对于区块数据结构很熟悉。

所以，有一个问题我觉得很有意义。如何按照自己的需求快速获取区块数据？就像传统的web2开发一样。进而如何更快速的与和合约交互？

这个问题可以分为几个层面。

1.对于链上数据结构的深入理解

链上的数据结构如区块头，区块本身，区块本身包含的交易信息，日志信息，收据信息，Merkle数的信息。

https://medium.com/@eiki1212/ethereum-state-trie-architecture-explained-a30237009d4e

又比如dune对于区块信息的封装

1.其将基础数据如区块信息、交易信息(TX)、状态信息，进行抽取，链上发生的每次操作都会反应在每条交易信息中(TX)。接着基于这些基础数据再根据各种需要，如是查询协议数据(如uniswap2交互的所有地址)，还是查询相关操作的数据(如通过sushi一个池子进行交易的所有地址)，进行封装，方便查询。

2.基于不同的需求而进行抽取的表，这里称之为abstractions(https://github.com/duneanalytics/abstractions…),比如将所有链上的ERC-20 token代币基础信息放入erc20.tokens表中。同时用户或者项目方也可以根据自身需求添加。这是动态扩展的。

3.数据的抽象层次根据需求可以进行分类，比如项目数据、合约数据、一些常用数据如即时价格数据、NFT数据，基本上我们能想到的需求，都可以根据基础数据或者已经封装好的表进行再次分析得到目标结果。

4.上面是粗略介绍其表结构。当然其还有很多有价值的功能，如数据可视化、查询其他大牛已经写好的sql。我个人认为如果这一领域未来影响力越来越大，那么链上数据分析将价值极大，对于有编程基础或者对此感兴趣的人而言。将是很好的工具库，随着了解与熟悉程度的加深，只会越来越有价值。

2.如何获取数据

获取数据的方式包括但不限于以下几种方式

• geth客户端，命令行模式

• etherscan 浏览器查看

• dune, sql查询

• 常用的开发工具如Hardhat,forge(cast)

• …

从编写程序的角度而言，当然是基于开发工具快速获取数据效率较高

比如通过hardhat, 可以自定义脚本的编写task, 从而可以集成到自己其它程序如shell中。

Hardhat.config.ts(配置一个获取当前合约code的task)

task("getCode", "Prints smart contract bytescodes by address'")
  .addParam("account", "The account's address")
  .setAction(async (taskArgs, hre) => {
    let code = await hre.ethers.provider.getCode(taskArgs.account);
    console.log(code);
  });

命令行模式直接可以调用该task

npx hardhat getCode --account 0x7a250d5630B4cF539739dF2C5dAcb4c659F2488D --network goerli

forge cast(提供一些命令行方式)

获取与当前同一时间，2021年3月份的区块数据 （environment: mac）

date -v21y -v3m "+%s" | xargs cast find-block | xargs cast block

针对链上的不同数据，都可以根据自己的需求去实现快速获取，同时社区也不断涌现出更多的工具，很方便去进行交互。如

ctc

https://twitter.com/notnotstorm/status/1574214692834115585?t=F4aZzWiwteoXkVHqBeDYuA&s=19

进阶实践与指导

如何成为一名web3开发者？我想是很多想进入这个行业的人非常想咨询的一个问题。整个社区也不乏很多热心者基于自己的经验去分享，有些也很有指导意义。

Roadmap for Web3/Smart Contract Hacking | 2022

1. Learn Blockchain Basics and Ethereum.

2. Smart Contracts and Programming Language.

3. Learn Testing Frameworks like hardhat/foundry

4. Learn Finance Basics.

5. DEFI and DEFI Attack Vectors:

6. Learn Commonly used Libraries and Token Standards:

7. Learn common Smartcontract bugs, Tools and best Practices

8. Complete CTF challenges.

9. Read Audit Reports and Postmortem Blogs:

10. Continuous Learning and Research

这里面容易被忽略的则是第三点，基础的金融知识。对于defi而言，其也提供了类似传统金融机构的功能如交易，抵押，借贷，衍生品交易。但这里面有相同点，也有不同点，比如floashloan传统金融就不存在。可以肯定的是随着市场的发展，相关的产品机制会越来越复杂。

这也是我个人感受特别深的一点，即当前web3的开发与传统web2的开发存在很多不同点，甚至本质上是两套不同的思维体系结构。

1.底层设计体系与思想的不同

2.开发工具的不同

3.对于安全需要从更多的角度考虑

4.产品本身就是跨区域，跨国界

5.社区力量的促进作用

6.业务逻辑的创新，理解与思考

other references：

https://trustchain.medium.com/become-a-blockchain-expert-beginner-to-advanced-for-free-65ce62606176

https://twitter.com/BowTiedDevil/status/1573519590373883904

EVM的深入理解

让我对EVM开始重点关注一是看到基本上头部协议的招聘要求都有写到对于EVM达到深入理解，另外一点则是基于自身过往的学习经历，gas优化与安全很大一部分也与EVM相关，第三点则是个人感觉evm是整个以太坊的核心功能，如果对于其达到一定理解，那么基本上所有的EVM链则可以快速熟悉，同时即便是非EVM链也有借鉴其的设计，这样了解其他非evm链也会更加轻松。

而在之前从事开发的时候，java语言是基于java虚拟机运行的，java虚拟机本身的设计则兼容了不同的平台，这样可以让java语言跨平台运行。而java虚拟机实际运行的时候就是一堆字节码。但是我从来没有深入理解其具体机制。联系到计算机本身处理的指令集，其本身也是一堆事先设计好的操作符，用来进行计算机最基本的运算。只不过EVM的设计本身是存粹基于软件设计的。尽管不是很熟悉，但是感觉这里面的设计有些地方是一脉相承的。

如上让我觉得深入了解EVM是一本万利的事情，同时看到社区有很多人写的很棒的资料，引导读者深入掌握，让我感觉太棒了，之前感觉非常高深的东西，竟然一步步被自己逐渐消化。

           source: [Mastering Ethereum by Andreas Antonopoulos and Gavin Wood](https://github.com/ethereumbook/ethereumbook/blob/develop/13evm.asciidoc)

手把手教你理解EVM

https://noxx.substack.com/p/evm-deep-dives-the-path-to-shadowy

理解EVM所有的存储位置

https://betterprogramming.pub/solidity-tutorial-all-about-data-locations-dabd33212471

evm最全参考资料

https://www.evm.codes/about#otherevmresources

I wanted to build my fundamental technical knowledge about the blockchain and Ethereum last year. The direct reason is that the appearance of uniswap is a shock to me and makes me think of more possibilities and opportunities in the new world. Making this decision depends on the below factors:

1. My Competitiveness will grow alongside my improved understanding of the evolving technology. Compared to other information technology, distributed technology and blockchain technology are evolving every day. These are almost open to everyone; on the one hand, it is a pressure that prompts you must master many new skills and more concepts every day; on the other hand, The new land will offer many possibilities. And with time flies, the Compound Interest Effect will appear.

2. I have always wanted to interact with the deployed contract because I have basic software development knowledge. But my limited knowledge about Ethereum development prevents me from more advanced development practices, such as writing smart contracts more effectively and understanding the security or gas optimation. From my past development experience and intuition, I think there is more content than we see on the surface, and many things are evolving. It's not easy that intend to write a smart contract and invest more energy and time.

For a long time, I focused on learning the basic knowledge and operations based on the above thoughts. The learning and practices include how to interact with smart contracts more efficiently, the basic understanding of the distributed technology, and the design of other essential chains such as NEAR, DOT, and AVAX. Sometimes I look at the whitepaper or yellow paper. But the annoying thing is that I constantly feel confused and wouldn't grasp the core concept.

Despite the confusion, I have a basic judgment that the numbers of people all over the China mainland who grasp the involved technology ( the distributed technologicol、smart contract development) at a high level are not so many. Though I'm not a high-level person, having a basic understanding is still a plus. More meaningful, as time flies, my knowledge and skills in this field are growing; if this technology changes the world like the internet, I think those steps I make will be powerful.

I find preethikasireddy's articles in this situation. some below

how-does-Ethereum-work-anyway

https://www.preethikasireddy.com/post/how-does-ethereum-work-anyway

the-architecture-of-a-web-3-0-application

https://www.preethikasireddy.com/post/the-architecture-of-a-web-3-0-application

lets-take-a-crack-at-understanding-distributed-consensus

https://www.preethikasireddy.com/post/lets-take-a-crack-at-understanding-distributed-consensus

If you are interested in this topic, you will find these articles satisfy my demands and questions. On the one hand, It's giving me a high level of understanding of the entire block technology and introduce some technical details, such as how to calculate the approximate numbers of transactions in a block; on the other hand, some new attractive present or explanation gives me a different understanding, for example.

The Ethereum blockchain is essentially a transaction-based state machine. In computer science, a state machine refers to something that will read a series of inputs and, based on those inputs, will transition to a new state.

The EVM processes Ethereum's state transitions. We interact with the deployed smart contract through the EVM and eventually change the Ethereum states. Unlike other format computers or systems, everyone can interact with it every time. Perhaps this is a simple and basic explanation, but the introduction I never hear gives me a new understanding and feeling.

As we know, It's challenging to understand distributed technology; From these articles, I have seen the development of distributed technology as an ongoing research achievement by some scientists or researchers within the academic range. For a long time, distributed technology development focused on the technology implements, but Satoshi Nakamoto was the first person who combined distributed technology with economic incentives. This development history and the breakthrough which brought the revolution make me feel the gaps between me and the difficulties in understanding the technology are eliminated, along with the fantastic and exciting feeling.

One day I found the Dappcamps, which train the Ethereum development mainly for people who want to translate from web2 developer to web3 developer. The first reaction is this training is a challenge to absorb if they use English from beginning to end. But with the realization that much high-quality information or good innovation appears about web3 in the English world, I think trying to use English to study, practice, and communicate with other people has much more potential. Lastly, As you can see, there are many similarities or questions about my thoughts that can find in preethikasireddy's articles, such as the technical explanation about the critical top chains, focus on the Ethereum development, and above a word, the questions, and curiosity that motivate me to join.

Serendipity gains and exercises

How can one catch up with others' meanings in the English environment？

I can get the most meaning when I read the English information, but I always can't catch up with others' oral English. When I first communicated with Indian coaches, I couldn't make every word. But thanks to the chrome Live Caption, The English subtitles are simultaneously appearing. So getting the meaning of others' oral meaning is not a question for me.

When the first video course, which I watched by the tool(Live Caption), ended, I had a solid feeling that communicating with foreigners using English is not impossible if the below criteria one achieved.

1. Synchronized feedback.

   The criteria require one can catch the meaning of what others are saying. You can like me through the tool or other ways. But synchronized getting the sense is the first.

2. High-frequency and high-density.

   The high frequency requires you to keep thinking to catch up with what others say. The high density is there are many contents or new things you will encounter. The more thinking, the more content you absorb in the English environment. As a result, the unfamiliarity with English is low.

3. Enough time is a must.

   Five or six minutes in this situation is not enough; you should stay in this situation for about one to two hours. The more you actively think or communicate, the effect better.

For me, getting the most meaning worked by the tool, if you can through yourself and more proactively, the effect is better. Many times, the powerful tools make me feel amazing. Hah.

The route to study smart contract development, which in my opinion

The standard process of grasping a programming language includes learning grammatical features, basic function library, or other third-party libs; if you have some basic program knowledge, You can quickly write business logic.

The differences involved solidity with the above process.

1. Have a better understanding of the grammatical features.

   In my opinion or intuition, perhaps many programmers don't have an in-depth knowledge of the grammatical features when they use their language, such as Java Virtual Machine to JAVA. In the most productive environment, accomplishing the business login at a reasonable speed is the first thing. The more items, including the potential security problems and the more In-depth technology details, people always ignore, as a fact of the limited time or the lack of high-level person. In contrast, one could have faith that one must have a precise, comprehensive understanding of the solidity grammatical features from the beginning; otherwise, one bug means the hacked, which perhaps leads to a loss of several million dollars. Meanwhile, the frequency of the update about the solidity compiler is quicker than in other program languages (this should verify).

2. A different development environment.

   Soft engineers can directly debug their developing system in web2 situations, such as credit review systems; they can see and modify some functions or variables depending on their need and do not require many steps. But in the web3, some things changed. You can't modify the smart contract code once deployed. The deployed environment is a blockchain(this refers to Ethereum), which can be a public test Ethereum chain(rinkeby、ropsten) or your local node(one can use hardhat or truffle to create a local node). It isn't easy to modify some functions, variables, and blockchain parameters(blocktimestamp、blocknumber). As a developer, these are frequent occurrences when you want to change some process or conditions to check your assumptions and want to take some inspiration. It's very uncomfortable that you can't do that. Fortunately, more tools for development or testing are maturing, including forge、tenderly. You can modify some code and blockchain parameters when your need or display the call traces more friendly.

3. Security.

   There should be more attention and energy given to the security of web3. I think the paradigm transfer for the developer who wants from web2 to web3 includes understanding security. Critical awareness is what's the meaning when one writes smart contact. It's the users' monetary value and assets and the user's first concern about their money. The hacked incidents never stopped from" The Dao "was hacked.

A good security study entry. https://www.secureum.xyz/.

4. More program languages could be familiar.

Soft engineers have often used native languages such as JAVA, occasionally some front-end languages such as HTML, CSS, and javascript in my web2 development experience. But based on the practices of writing smart contracts, some new languages or features should be familiar. The primary language used is typescript when looking at Hardhat; One could use the basic lib(ethers.js, web3.js) to interact with the Ethereum, either directed or undirected. Some developers or builders know that more language usage will limit developers' time and energy. Hence, the community developed the tools such as foundry to write test cases only by solidity and supply fuzz-testing function, which can test security problems conveniently.

5. The power of tools.

The more tools I use, such as remix, hardhat, and forge..., the more the importance and help I strongly feel. One can write, test, and package in one IDE in web2 development. But a developer should use a few tools simultaneously for some situations in web3 development; let's show my troubled operations when I write smart contracts, code with VisualStudio, test or deploy by the hardhat or truffle. It's necessary to display different process flow when you need to explore many different operation results. For example, if you want to call one function under smart contract A and then call another function under smart contract B or vice versa, the remix is visualization under this situation. Another case we always encounter is that we want to transfer eth to some address. There are many options, such as through the javascript command under the truffle or hardhat environment or the meta mask wallet, you can import your test address, which sends eth is convenient and efficient.

As you can see, there are a lot of preparations when you write a smart contract. I divided it into the below components.

1. The selection of test environment.

There are Ethereum test chains such as ropesten and rinkeby; you can configure the RPC setting through some online blockchain development suite such as infura or alchemy. You can also create a local node by hardhat, Anvil. The remix supplies many nodes configure you can choose, such as the injected VM.

2. Visualization of the operations.

You can manually operate different functions in the remix and see the results immediately on the web page. Or you can see the details through the ganache, like etherscan.com, when you create the local node. Recently, I'm familiar with the tenderly that you can see the details and simulator of the transaction or config the block parameters such as block timestamp or block number.

3. the selection of wallet

​ Metatask, through which you can import your address and test.

​ Hardhat: you always should use the js commands when you want to transfer eth in the hardhat environment.

4. the selection of debugging environment

​ The most used tool is the remix which can display the results conveniently and include other plugins such as git.

​ Hardhat, the main tools which many protocols as their development tools. The trouble is the need to write many test cases using javascript or typescript, So familiar or mastering the javascript and typescript is a need.

​ The information about the security problem or gas used will always help when debugging.

General overview and historical evolution of technology

I listened to the history of the internet development by one writer some years ago. From the BBS era to the web portal sites, and then the blog era, which users can supply content; Meanwhile, the related technology is evolving, such as static web pages which users only read and can't provide more content by themselves. What followed was the dynamic web page(such as JSP, AJAX) in which people could have more interactions. The more interactions include, people can write more content by themselves and publish it; ajax, which can asynchronous instant messaging, makes one web page interact with more services possible. As a result, the interaction becomes more exciting and more dynamic. Of course, the involvement of the technology includes many, not limited to these. This description has a counterpart for the definition of web1 and web2. Web1 can read; web2 can read and write.

There is an apparent feeling, perhaps not accurate, or it's my prejudices, or the reason is the limited engineers crowd I contact. More people always think they should learn the new technology as the technology is evolving quickly, and then they can have an opportunity to enter a top company and have a better work role. But more discussions and thoughts about the technology's history and background are few. This phenomenon or situation leads to the status of seeing the trees but not the forest; people always focus on the technical details or the very complicated problems, which consume more time and energy, but there are doubts in my opinion that this has actual results?

So this is the reason why a high level of understanding of technology is very important. For example, Ethereum is one status machine in which external users interact with the EVM to change Ethereum's global status.

What's the definition of the status? what are the components of the status? Not one transaction will change the entire Ethereum status, the transactions will be packaged into one block by a miner, and then the block is confirmed. The Ethereum status will be verified or changed In the realistic interaction environment.

Another case is the smart contract address.

External users interact with the Ethereum by the Ethereum address, which has two types: EOA (Externally Owned Account), CA(Contract Account), and different types of addresses lead to different interaction types.

With clarity about the fundamental problem, one could feel confident writing code or the importance of some essential knowledge such as hash function.

The third case is why gas exists? One reason is that Ethereum is the implementation of the Turing machine but leads to a defect that the exhaustion of resources by the malicious. The existence of gas makes the attackers have more economic burdens. The discussion of gas is the core topic in the Ethereum community, not only for the above reason but also for the miner's rewards、the Ethereum economic design, such as EIP1995, involved the adjustments of gas.

A high-level understanding gives one fundamental knowledge, which is a good map. For me, there are many interesting things; for example, BTC, which is very conservative, aims to become a cryptocurrency. Compared to BTC, Ethereum looks more radical in doing things that were impossible never before; to become the new form of computer that everybody can interact with every time and write the interaction by the developer's willing. Whenever I think about the point, I feel fascinated and motivated.

Close thoughts

I have some opinions which perhaps are my personal bias.

For soft engineers, especially the developers with a high skill level, the development of the on-chain ecosystem will supply the opportunity that one developer can, across borders, join the global product's development.

In most Chinese web2 companies, the developers' business logic experience was deeply bonded to the company and industry; As time goes on, the developer either enters the leader position or translates into another role. Meanwhile, Most people consider a developer at a high age writing code not a normal phenomenon in China.

But with the development of the on-chain ecosystem, the spread of the open-source culture, the verifies of personal contributions, and the on-chain enormous economic potential, I think this is an excellent opportunity for some developers who will not be limited to some companies, industries. Furthermore, the on-chain potential supplies more economics and social acceptance for those developers or geeks. The challenge is that this is not easy and will have many barriers to overcome if someone wants to achieve it.

I feel reading English technology articles is more straightforward and effortless to understand; perhaps it's only my feelings. In the meantime, there is an excellent perspective to observe or join the discussion in the English environment; the perspective prompts me to observe more and think more meaningful questions. In many situations, there are need to observe or join a high-level discussion which will make one have a better understanding; So It's significant to join a high-level community or the mind-like crowds.

Imagine we can enter the development of the global protocol, discussing questions alongside the programmers or other guys worldwide. We will witness the birth of a protocol, experience intercultural communication, and how the technology absorbs the world(if it was). That makes me very interesting and motivated.

去年开始确立想要了解整个区块链，以太坊的技术情况。是基于如下的考虑，一是如果未来这一领域有很大潜力的话，那么基于对于技术层面的理解至少会提升我在这个领域的竞争力。分布式技术，智能合约的开发本身也是再不断迭代的，这种迭代需要关注者持续学习，随着时间的推移，也会赋予这些关注者一定的复利效应。二是，我本身有一定的开发基础，时常会冒出想自己亲自动手调用一下的的冲动，比如直接通过js调用链上合约，但是也仅仅止步于此，因为我知道这里面有不少内容，而且很多内容是不断更新迭代的，如果没有一定基础并且打算专门写合约的话，无论是客观还是主观都很难有条件去跟进与深入的。

基于此，之前我也是一直本着了解合约的一些基础操作，比如会调用合约。其他技术方面，比如分布式技术发展、其他链的技术实现，比如NEAR，AVAX，DOT，也去会看看白皮书。但是依然觉得还是云里雾里，不能抓住其精髓。不过我有一种根深蒂固的感觉，就是放在整个中国，了解这些技术，并且能达到一定程度的人可能都不多。即便我不是最了解的那个人，但最起码知道一点，总归是好的。再加之如果未来发展，这项技术如互联网技术那样全面普及开来，我相信这一切都会有意义的。

尽管自己有着上述自己的如意算盘，但是实际情况依然常常感到一种有心无力感。首先分布式技术，一些主要公链的白皮书、黄皮书真的是部大部头，啃的人头大，硬着头皮了解一遍之后，总是感觉哪里还欠一点，但是又说不上来。二是对于合约的理解，也仅仅是达到合约调用的程度，更深一步的合约编写，安全方面的思考，实际的项目历练这些其实感觉离自己还是有些距离的，重要的是自己一开始也没想到要去专门写合约。

我正是在这样的困惑下，看到了preethikasireddy几篇相关的介绍文章:

以太坊是如何工作的？

https://www.preethikasireddy.com/post/how-does-ethereum-work-anyway

web3的整体体系架构

https://www.preethikasireddy.com/post/the-architecture-of-a-web-3-0-application

介绍分布式技术

https://www.preethikasireddy.com/post/lets-take-a-crack-at-understanding-distributed-consensus

可以说，如上文章介绍的程度，一方面满足了我了解的需求，对于整体技术有一个更高层面的理解，同时也有联系到具体的技术实现，另一方面，也让我有了一些新的感受，比如将说以太坊就类似于一个状态机，我们与其交互是通过与以太坊虚拟机(EVM)方式，每一次合约交互完成之后，都会改变该状态机的状态。与以往计算机形态不同的是，任何人在任何时候都可以与以太坊进行交互。这种解释虽然听起来很简单也很基础，但之前我从来没看到类似的解释，这让我很受触动。

另外一方面，对于分布式技术的解析，前面提到了，几乎是很多科学家，研究人员花费了很多的心血，在一个小的学术范围范围内进行研究，思维框架也一直在技术方面上思考，但经过了这么多年的实践与研究，BTC是中本聪是第一个将分布式技术与经济模型结合的人，这种历史感的演进，这种边界上突破带来的革命，这种分布式技术发展几十年来具体的演变突然不让我有那么巨大的距离感，这些让我产生了电花火石般的感觉。我感觉一些大家觉得神奇的东西，在我心中正在去魅。

正是在如上的背景下，我偶尔看到preethikasireddy有培训ethereum开发，第一反应，如果是纯英文讲，可能吸收不了，二是随着看着这个领域的内容越多，很多有价值或者受到启发的文字都来自于英文世界。我觉得这个可以尝试下。三是preethikasireddy写的不少内容，与我起初思考的方向有着很多相似点，比如对于基础技术的拆解，对于重要公链的关注，对于以太坊的重视，以及对于合约开发的重点关注，这让我本能有种亲切感。

意外的锻炼与收获

如何在纯英文环境下跟进。

起初在与印度教练沟通的时候，我真的是一个单词都听不懂，不知道他们说的是哪国英语？不过看chrome 即时字幕，也都能识别出来。只要有字幕，就能理解大部分的意思。

在第一次视频见面的时候，配上chrome英文即时字幕，这么一通操作下来，我突然有种很强烈的直觉，觉得达到和老外正常的沟通，基本理解老外要表达的意思，不是不可能的。只不过要达到如下条件。

1.需要即时反馈，这种反馈需要自身即时反馈，即可以借助工具(如chrome的即时字幕工具)看懂大部分的意思，如果能够即时输出比如文字或者口语，那效果更佳。

2.高频高密度的环境，这种高频的反馈是指自身可以在这种交流中跟上对方的思路，理解对方的意思。同时交流的内容要多，需要思考，去确认，这种思考与交互越频率效果越好，那种语言的陌生感也就会越来越淡。

3.一定时间的沉浸，说上两三句不会有什么效果的，沉浸上其中半小时至一小时，如果基本能跟上，那效果就达到了。

当然如上这些，我基本是在英文字幕的帮助下是被动实现的。就像沟通中文一样，要使用英文达到如上三点，需要更多的时间与这样的环境，还有自身怎么去实现这种主动反馈。

合约开发学习路径

一般情况下掌握一门语言，我理解的过程是这样子，熟悉其语法特性，了解其基础函数库，如果有编程基础，那么用这门新掌握的语言可以快速写业务逻辑。

而对于solidity的了解与掌握，其了解与掌握路径与上述路径则有所不同

1.语法特性，需要深入精确掌握，我不确定我的感觉是否正确，就是可能有不少程序员，对于自己当前语言的语法特性并没有达到一个很深入的程度，比如java虚拟机之于Java，实际不少情况下，只要完成编写业务逻辑即可，更多情况下也没有过多的精力关注这些更深一点的技术层面或细节。但是基于以太坊上的solidity，则从一开始就要真正了解其语法特性，否则一个bug，就可能导致几百万美金的损失。另外，solidity编译器也再不断更新，这种更新频率也相较于其他语言要快些。

2.开发环境的不同，传统web2的情况下，比如开发人员开发一套信贷审核流程，测试或者debug的时候，运行该系统，然后进行调试。web3则是与自己完成的合约交互，该合约则需要部署再链上，部署在链上的合约代码不可改变。这里牵扯到两个不同点，一是链上测试环境，现在有公用的测试环境如rinkeby、ropsten，自己也可以使用诸如hardhat、truffle等工具创建本地测试环境；二是debug的时候不能更改代码或者很不方便去重现一些场景。所以就会让人感到很麻烦，不像web2开发测试时，可以做到即时反馈与展现。不过有关开发与测试工具，也在不断的完善发展中，比如在与合约交互时，如果要改变整个区块环境参数怎么模拟？tenderly就提供了这种方式。

3.安全，在编程中时刻保持对于安全问题的重视，这可能是相对于web2开发时最重要的一个不同点。完成的合约不仅仅是像web2开发时，一些逻辑操作流程，一些信息流转，更重要的是用户本身价值货币化的一种流转。而从以太坊的The Dao受到攻击，有关各种黑客实践就几乎没断过。

https://blog.openzeppelin.com/15-lines-of-code-that-could-have-prevented-thedao-hack-782499e00942/

很好的了解安全的入口：https://www.secureum.xyz/

4.需要了解的其他语言，之前web2开发的时候，比如用java语言开发后台系统，很大一大部分精力则是主要使用java语言，偶尔可能会需要用一些前端页面技术如js等调用一下。但是基于链上与合约交互，我现在见到的还需要继续熟悉javascript新的语言特性以及typescript，用其与链上合约交互，比如hardhat本身基本就是用typescript编写的，基础库如ethers.js，web3.js 直接或者间接都会用到。也有开发者意识到这点，开发合约的时候，需要过多考虑的其他语言将会限制开发者的精力，因此出现了foundry，本身就提供了使用solidity编写测试代码的功能，并且还提供了fuzz-testing测试功能，可以测试出一些安全问题。

5.工具的使用

随着逐渐有了一定程度度的了解，我越发越体会到工具的重要性与帮助。首先是需要多个工具搭配使用，传统web2开始时，基本上一个IDE工具就可以搞定所有辅助工作，如辅助测试、debug、打包等操作。但是在web3，使用visualstudio编写代码，需要truffle或者hardhat进行部署、测试。有时测试的时候,需要手动测试不同的流程的展示结果，比如先调用合约A的某方法，再调用合约B的某方法，或者反之。这个时候remix就显得很顺手了。还有一种情况，就是需要不同的地址与其交互，比如从某个地址发送ETH或者代币到某个合约，要么通过hardhat或者truffle提供的js窗口输出命令行进行操作，要么可以直接MetaMask导入对应的钱包，进行钱包的操作，而可见使用metatask图形化方式操作就显得很方便、省时间也不易出错。

通过如上简述，大概就会体会到，这个准备工作还是不少的。我将其分为如下几个要素:

1.节点选择

节点环境可以使用ropesten,rinkeby等，或者一些节点服务提供商提供的节点配置。

也可以使用本地节点，如hardhat，Anvil。

也可以使用reminx自带的节点选择其，其提供多种选项。如选择injected vm.

2.图形化展示

remix连接对应节点。或者使用ganache。

3.钱包选择

metatask/hardhat等工具，hardhat需要使用js 在命令行模式下进行交互。

4.debug调试环境的选择

常用的为remix，可进行可视化操作。本身也集成很多插件。

hardhat,当前主要使用的工具，但是hardhat写测试js比较麻烦，需要熟悉typescript。

而再使用工具的过程中，也会保障一些基本的要求，如安全，gas优化。可以看到具体的gas消耗量，一些安全问题可以测试出来。

站在更高处看待整个技术情况

几年前，我听到一个作家讲互联网的发展历史，如BBS时代到门户网站，再到用户可以提供内容的博客时代，与此同时这其中所涉及的技术也在不断发展变化，这里我理解的技术脉络是门户网站可能使用的是大量的静态网页，用户更多是看，无法进行更多的交互。再到用户可以交互，类似于java的jsp，可以让用户进行更多的交互，javascript的ajax，可以实现异步交互，即可以同时与不同的服务内容交互。与当前的web1，web2的定义可以做个对应，如web1实现的是read，web2实现的是read+wirte.

这里让我有一个很明显的感受或者也与我接触的程序员群体有关，大家更多想的是又出现新的技术，新的框架了，变化迭代真快，要学习这些东西，才能进入大公司，找到一个好岗位。而基于这些技术发展的脉络及其历史背景，说的人寥寥无几。而这会进一步导致进入一种境地:陷入只见树木不见森林的情况，大量的时间与精力陷入到技术细节，攻克难以理解的问题上，但是其效果，是否符合自己面临的实际现实情况往往让我存疑？

所以这也是认为站在一个更高的high level理解的重要性。比如我理解到ethereum是一个状态机，外界则是通过tansaction与EVM进行交互，从而导致整个以太坊状态的变化。

那么是怎么定义这些状态的？怎么描述这些状态的变化？在实际的与太坊交互中，并不是每次一个transaction就导致整个以太坊状态发生变化，而是将这些transaction封装成区块，区块确认之后整个以太坊的状态才会发生变化。而外界与以太坊交互的方式都是通过与以太坊地址进行交互，以太坊的地址又可以分为EOA(Externally Owned Account)，CA(Contract Account)，不同的地址交互导致了不同的交互类型。伴随着这些基本问题的澄清，会逐渐感受到一些基本概念的澄清，比如hash函数在这里非常重要，是我们更好理解其机理的基础。

又或者说gas为什么会存在？一方面是避免了图灵机的实现之于ethereum存在一个缺陷，如果遭受攻击，gas的存在将会使得避免ethereum陷入资源被耗尽的境地。同时gas的存在也使得攻击者存在成本。而对于gas的费的设计也是整个社区讨论的一个核心话题，因为这里面不仅涉及到了如上所指，还有矿工的奖励，整个ethereum的经济模型，比如EIP1995,对于gas的调整。

站在更高层面去理解，一方面给了我们认识整个技术框架的底座，也给了一份指导。对于我而言，也感受到了很多乐趣点，比如从历史上来讲，BTC的定位就是很保守，就是数字货币。而以太坊相比较于BTC，从技术演化上来讲，更是尝试之前不可能完成或者很难完成的事情，去成为新的形式的计算机，任何人在任何时刻都可以与其交互，而且交互的逻辑可以自定义编写。每当我想到这点，还是感觉挺兴奋与挺有意思的。

结语

我有一种观点，也可能是个人的一种臆想。

就是基于链上生态发展的，对于程序员，尤其是符合一定标准的将会需求加大并且显得很重要，为很多程序员跨越国界，参与全球性产品的开发提供了可能性，这与之前在某个行业某个平台，业务逻辑的积累深度与平台所绑定的现状截然不同，在这种绑定的情况下，随着时间推移要么走上管理岗位，要么转向其他岗。而且整个社会环境的认识与观念可能会认为在中国这样的环境下高龄敲代码不是一个正常的存在。

而我认为随着链上生态的发展，开源宗旨的传播，链上个人贡献的验证，经济模型的巨大的潜力，将会使得这类程序员不再受制于平台的限制，甚至反过来会重塑社会的某些认识与观念。即为纯粹搞技术的人提供了经济基础与社会认可度。不过这不容易，有很多关要过，个人觉得这种潜在门槛其实不低。

也可能仅仅是个人的感觉而已，我总觉得用英语看一些技术内容更顺畅与更容易理解一些。同时看下英文环境下人们的讨论，也是提供了一个更好的视角，促进自己去观察与思考。很多情况下，是需要自己去看一些更高水平的人讨论，去看下他们的设计，这样才能真正会有所体悟，这个时候具有一定质量的社群或者同频的人就显得极为重要。

想一想，自己可以参与全球性产品的开发，与分布在世界各地的程序员或者其他伙伴讨论问题，这一过程中见证一项产品的诞生，去体会不同国界文化不同思维的碰撞，看一下一项技术是如何慢慢吞噬整个世界(如果是的话)。还是挺让人备受鼓舞的与挺有意思的。

​POW(power of work)即工作量证明，是BTC实现共识机制的一种方式。也就是网络中的节点相互竞争计算一个难题，谁先计算出来就会获得奖励(BTC)，获得奖励的该节点会将最近的交易以及计算结果、其他区块信息、放入区块，从而完成对于账本的维护。要计算该难题是基于算力，伴随着BTC价格的不断上涨，节点数量也在不断增加，同时节点所拥有的的算力也不断提高，从而导致了算力的军备竞赛。

如图所示，算力是一路高涨，值得注意的是2021年6月份有一次大跌，这是由于中国大陆出台的政策导致很多大陆的矿场关闭，不过随着海外逐渐吸收这些算力，后面则不断回升，直到现在甚至已经超过大跌前的高点。

​即便都是基于POW的不同币种，其也有些不同，如对于BTC的算力计算要求，其会导致，拥有更多算力的节点占有更多的比重，这也是当前BTC算力基本被几大矿场所占据的一个原因。而以太坊其对于难题计算的设计，不仅仅会有算力这个层面，还涉及到带宽。这样即便是单一算力很高，也不会形成像BTC那样算力垄断的局面，呈现出一种更分散化的态势。

由于POW基于算力，电力资源的使用与浪费也成了热点话题，随之而来的环境污染问题也成为了反方的论据。这里不就此问题展开，与之相对的是，POS( power of stake)机制，也是当前很多知名的公链选用的方式，包括即将到来的以太坊的升级，也是向POS方向迁移。

简单来说，POS是参与者通过质押手中一定的token(如以太坊就是eth、avax就是avax、cosmos就是atom)，成为打包区块的节点。根据自身抵押的token等比例等因素来获取区块奖励，抵押者不仅可以质押自身的token，也可以吸引其他个人或者组织将其手中的节点质押给自己，然后给这些质押者返回一些奖励。

共识机制的演进

从BTC的POW，到ETH的现在将要进行升级到POS机制。同时很多公链当前也是基于POS，只是实现方式不同，如波卡(DOT)，也是基于POS，只不过其参与主体种类较多，包括提名者(nomial),验证者(validator),钓鱼者(fisher),收集者(collator)，COSMOS:基于共识算法Tendermint(Tendermint is a partially synchronous BFT consensus protocol derived from the DLS consensus algorithm),NEAR基于new Nightshade algorithm算法。可以将BFT与Nightshade理解为经典的共识算法引擎，这些项目是基于自身的目标与取舍使用该算法引擎实现自身的共识机制。对于共识机制的比对及发展变化，后面会单独写。

从我个人来讲，由于共识机制涉及的技术面较广，也比较难以理解与吸收，同时没有相关的实践，可能理解上也存在偏差与不准确。但是共识机制作为这个世界的基石，对其达到基本逻辑的理解，会更加清晰的认识这个世界的发展与变化。 这是进入这个领域的必备理解，尤其是针对于建设者而言，而我认为随着时间的变化，至少是基于共识机制会衍生出来更多的变化。

至少从我当前的感知来看，

1.共识实现的方式本身不断演进，这会带来参与方各自的行为的变化，如从算力挖矿到stake模的，会带来一批挖矿机器的淘汰，而stake更多的表现在经济激励与惩罚，同时带来对于资源损耗的减少。

2.即便当前至少在共识实现层面认识较浅，但个人判定整个市场上参与的不少群体也有一个逐渐认识加深的过程，作为关注这个领域的个人，长期关注，并且保持与该领域这方面的人才的沟通、讨论，相信随着市场的发展，成为专家也不是不可能。

3.如第一点提到的带来参与方的行为的变化，经济模型还表现在如更多的参与方开始stake，并且获得之前挖矿方的收益。诚如之前所述质押成为节点或者其成为代理质押节点(吸引第三方将自己的手中的代币质押到自己的节点上)，这是从公链共识层考虑，但随着流动性的不断释放与创新，也会出现这些质押代币不仅仅是参与产生区块的基础，也会渗透到特定应用中，如其流动性流转到defi中，成为去中心化交易中的流动性提供者。

4.参与节点角色的变化，比如之前在BTC时代，矿机也仅仅是进行挖矿，参与方的功能属性也单一，但是现在如波卡(DOT)，就有提名者(nomial),验证者(validator),钓鱼者(fisher),收集者(collator)，这么多角色，每个角色分工不同，受到的激励与奖惩也不一样，甚至角色的之间也可以互换。又如NEAR的节点，使用分片技术，一组节点在一个时间段挖一条链上的区块，可能在下一时刻则会挖另一条链上的区块。这种角色的变化带来经济博弈模型的变化值得关注，也是很有意思的一个点。

共识机制与这个领域很多的热点与难点问题的相关度很高

1.不可能三角问题，包括去中心化(decentralization) 、安全性(security)、扩展性(scalability)。也就是如果满足其中两个特性，那么第三个特性就会受到影响。

如ETH，当前有很多节点，而且每个节点的维护成本不是特别高，从而保障了网络节点的分散化，单一节点对于网络造成的影响力很小，从而保障了网络的安全性与分散性。但这么多节点为了维持共识，众多的节点本身的平均水平处理能力有限，而且众多的节点之间的带来的沟通成本都会将影响整个网络的扩展性，具体表现在就是吞吐量(tps),当前以太坊每秒大概可以处理15~20条交易。

如与之相对的EOS，其通过21个节点进行维护，这21个节点是通过竞选动态形成的。个人猜测少数的几个节点，其处理打包的速度则得到大幅提升，当前TPS，则达到3900。但是可见的是，其去中心化程度则限制为21个节点。

2.不同的扩容方案

众所周知，2021年defi summer以来，以太坊整个网络甚是拥堵，gas费用有时则达到200，甚至300左右。如果是散户进行一个链上操作的话，比如抵押200美金，可能gas费用就会达到300美金。从而关于扩容的方案一时成为热点讨论问题。

我理解这里面分为三个方向，一是重新构建自己的公链，TPS可以达到较高水平，同时gas费用散户也可以接受，比如BSC(binance smart chain),solana。

第二则是将ETH作为第一层，将ETH作为共识层，在ETH共识层的基础上，采用不同的技术解决方案如零知识证明(ZK Rollups)与Optimism。代表项目则有zkSync与Optimistic。

第三种则是在共识机制上的一些创新，如波卡、NEAR宣称的其可以实现的达到几千TPS。个人当前猜测波卡是通过建立不同角色的相互配合形成的共识机制来实现较高的TPS,NEAR则是通过分片技术。现在市面上也也不时看到有说已经解决了不可能三角的问题，我猜测他们其实指的分片技术，但具体是否能经受住市场的检验，还有待观察。

任何公链都会有自身实现的共识机制，其对于不可能三角问题的描述与解决都是重要的解决问题，而对于TPS的实现程度，则是兵家必争之地。同时面向特定应用的公链、如该链是专门来部署金融方面的应用，或者面向游戏的公链(如flow)，也是一些公链的宣传点，如波卡(DOT)，开发者基于波卡生态的substrate的开发工具基于自身的需求开发对应的公链，NEAR也提到过。

3.跨链

如上所述，已经涉及到了不少公链，如BTC、ETH、BSC、DOT、NEAR。而二层的扩容方案也带来从以太坊第一层到第二层的跨链需求，反之亦然。

首先不同的公链有不同的共识机制，如果是基于相同或者类似的共识机制，进行跨链是一种情况，如波卡(DOT)以及基于substarte开发的公链进行跨链. 与这种情况类似的还有NEAR、COSMOS。如果是不同的共识机制，进行跨链则是另外一种情况，如从BTC跨链至COSMOS。

所谓的跨链当前我们理解的主要是不同的token，此外从合约层面讲，如何从合约执行层面进行跨链则显得更是一个有挑战性的问题。

另外，跨链带来的安全问题，也不容忽视。如前一段时间的wormhole

共识机制作为基础构建，决定了很多生态基础设施。

1.节点服务提供商。这些节点部署其对应公链的客户端，其是专门运营，软硬件各方面条件都会达到一定水平，这样就避免了一些个人部署时一些不稳定的情况，如硬盘存储不够，网络不稳定等等。现在一些web3的软件也会使用这些节点服务商的服务，如小狐狸(meta)，其使用就是infra的节点服务。当然很多节点服务商不仅仅是不是一个公链的客户端，往往是多个公链。​节点服务提供商infra，alchemy​

2.安全与审计公司

安全始终也是绕不开的一个话题，很多项目宣传是都会提到自己的合约代码已经进行审计过。当前出现的黑客事件基本上都是集中于合约层面，共识层面的则没有看到，当然共识层面已经考虑到作恶成本。但是否在未来会有共识层面的安全问题，也不排除有这种可能性。

3.社区治理

POS引入stake机制，相比较于BTC的POW矿机单纯挖矿而言，这些stake的各方参与者都开始进行社区共建，这一点也是很多公链本身共识机制的一部分，如公链一些运行参数的调整。这是共识层面的stake机制，具体到协议本身的stake，如ens,也是各方根据自身持有的ENS将一些社区提议进行表决，值得注意的是这其中有些参与方是这个世界的重量级选手，如coinbase。

4.开发者在web2世界与web3世界面临的不同的技术架构。

核心表现在代码逻辑则主要是基于合约，而合约执行的环境是公链，公链本身则不是任何单一节点可以控制的。至于前端展示，当前则主要是基于传统web2.0服务，如前端展示页面的展示代码则是部署在云服务上。然后请求则会触发合约逻辑。前端代码也可以基于IPFS等去中心化存储链，不过当前比较少见。

​

​

Source:https://www.preethikasireddy.com/post/the-architecture-of-a-web-3-0-application

总结

本文从共识机制出发，粗浅的提及了一些公链的共识机制及其演化，由于共识机制涉及到技术及经济激励，比较复杂也很难写清楚，但这是这个领域的基础，值得去关注，我也相信共识机制也会继续不断演化。然后论及了由共识机制所引发的几个热点或者关键问题，如不可能三角问题、扩容、跨链。最后提及了一些生态基础设施，如节点服务提供商、安全与审计、社区治理、技术架构，当然不仅仅限于这些，相信也有很多基础服务会受到共识机制的影响。总之，我认为共识是很多问题的源头，值得花精力去深入其中，也笃信未来不仅会有更多技术层面的演化，也会有有新的经济博弈态势，将会出现很多精彩有意思的瞬间。Welcome to the world！

判断一个程序语言或者一个项目本身的生态，如果针对于该语言有越来越丰富的开发框架、工具、开源工具包，那么就说明该语言的生态再不断丰富，这一点在etherum生态上也在不断体现。

比如soliditylang网站详细介绍solidity语言语法

https://docs.soliditylang.org/en/v0.8.11/

提供可复用、安全性较高的合约代码包的OpenZeppelin

https://openzeppelin.com/

方便合约部署、并且提供交互工具的truffle

https://trufflesuite.com/

同时也存在着众多兼容EVM的公链，这些公链或多或少在开发生态中与Etherum有交集。

正是基于如上的认识，我认为随着该领域的发展，solidity语言以及Ethereum开发生态会越来越茁壮，就像Java语言由于其稳定性、丰富的开源工具、数量巨大的开发者等原因依然作为很多大型机构、项目的首选。

为此，为了达到对Solidity语言一定程度的理解，并且可以做到基本的合约部署、合约调用、常见工具的使用。本文梳理了solidity，Ethereum开发生态中的相关资料。如果是这个领域的开发者，那么这些资料或者工具大部分应该接触与应用过。

目录如下

A.solidity语言及ethereum基本概念的介绍

​ 1.soliditylang

​ 2.ethereum.org

​ 3.ethereumdev

B.客户端交互工具或基础设施

​ 1.Go-eth

​ 2.Clef

​ 3.truffle

​ 4.infura

​​ 5.myetherwallet

C.其他工具

​ 1.合约工具mythril

​ 2.myetherwallet

D.补充与结语

E.其他参考资料

A.solidity语言及ethereum基本概念的介绍

1.soliditylang

合约的基本语法、合约代码示例、编译器以及其他工具。solidity语法最全的网站。

https://docs.soliditylang.org/en/v0.8.11/

2.ethereum.org

了解Ethereum整个生态的入口，从理念、基本概念、开发、社区建设...等角度都有大量翔实精确的内容。

https://ethereum.org/

3.remix

学习solidity语言开发平台，免去本地繁琐的搭建与配置环境，直接基于remix编写与调用合约.

http://remix.ethereum.org/

不过本人还是倾向于本地搭建好平台，或者将节点为配置infura作为基础开发环境。有时因为网速原因reminx不太稳。

如上内容只要把soliditylang、ethereum.org 涉及solidity的掌握，基本对于语言就已经掌握了。

B.客户端交互工具或基础设施

如何搭建本地节点，同步以太坊主网数据？如果需要管理以太坊地址，如何管理，使用什么工具？如果需要指定地址与指定合约进行交互，如何进行交互？

首先是如何搭建本地节点？常见的是使用geth。

1.Go-eth

使用go语言实现的与eth协议交互的工具，可以作为单独客户端也可以作为函数包嵌入到其他应用，如android、iOS。可以搭建本地轻节点，同步数据。

https://geth.ethereum.org/

2.Clef

账户管理工具，geth本身也有账户管理的功能，clef本身集成的功能更专注于账号管理。

https://geth.ethereum.org/docs/clef/tutorial

3.truffle

进行合约部署、测试、交互的工具包。可以连接本地的节点，也可以通过配置连接第三方节点如infura进行交互。当前不少开发者使用的都是该工具包进行合约的部署与交互。

https://trufflesuite.com/

4.infura

开发工具组件，主要提供节点服务，不用自己下载eth全部巨量的数据，可以直接通过infura的接口进行调用，Metatask用的就是infura的服务。

https://infura.io/

https://www.alchemy.com/

Alchemy类似于infrua，不过看起来比infrua产品功能更多一些。

C.其他工具

1.合约工具mythril

EVM 安全分析工具，如果合约未开源，可以通过该工具获取到该合约的abi。

https://github.com/ConsenSys/mythril

2.myetherwallet

通过网页可视化方法与合约交互，如可以获得合约的abi。

https://www.myetherwallet.com/

D:补充与结语

turffle是使用js与eth主网进行交互，js最新版的语法相较于之前有不少改动，如增加了一些异步处理的语法await、let。如果对此不熟悉，需要熟悉下这些新增加的语法，方便使用truffle与合约进行交互。

js语言 最新语法ES6

https://www.javascripttutorial.net/es6/

由于truffle是封装了web3.js的很多接口，有时truffle不太好用的时候，比如我之前直接调用链上已经存在的合约，发现直接使用truffle总是出现一些问题，可以通过web3.js原生方法进行调用。

https://web3js.readthedocs.io/en/v1.7.0/index.html

个人学习与训练使用solidity的目的则是达到能够进行的合约部署与调用、为能够读懂solidity合约代码或者发现深层次的问题(如安全问题)打下基础、也算是能够从代码层面去理解项目本身，同时个人也一直坚信只要这个领域一直在发展，生态不断再繁荣，那么随着时间的推移将会出现在越来越多的情况下，用到这方面的知识或者技能可能性。

不过学习与训练过程，不是那么一蹴而就，有时一个小问题可能2个小时就过去了。为什么还要继续？如果几年之后，这个领域发生了更广泛的变化，当很多设施被广泛的人群所使用，很多协议被广泛的人所熟知与了解的话，那么我相信，这一切都是值得与期许的。

D:其他参考资料

1.如何与已经部署的合约交互

https://medium.com/@blockchain101/interacting-with-deployed-ethereum-contracts-in-truffle-39d7c7040455

2.使用java语言实现的以太坊客户端

https://besu.hyperledger.org/en/stable/

3.EIP-1559介绍

https://www.quicknode.com/guides/web3-sdks/how-to-send-an-eip-1559-transaction

4.HD-wallet 钱包体系

https://github.com/bitcoin/bips/blob/master/bip-0032.mediawiki

时间来到2017年，ICO的疯狂仍然让许多人记忆犹新。2020年开启的defi之厦，让沉寂多年的熊市转身变为疯牛，或许整个大的宏观环境也是巨大的催化剂，新冠疫情、美元放水...

紧接而来的L2，侧链之争、NFT、sofi、gamefi...各个热点如夜晚突然的漫天烟花，这边还没看完、那边又热起来了，都说币圈一天，人间一年。时间走到现在，感觉提速到币圈半天、人间一年。在理想者的艰难建造中、在财富欲望的裹挟中、在泡沫与未来方向观点的冲击中...这里面充满了太多不同的身影、不同的得意失落、迷惑与痛恨。

在我看来，纵观人类历史，即便是我们所说的过往的投机，南海泡沫、郁金香泡沫、20世纪之初的互联网泡沫...这些都是局限于某一区域或者特定的某一群体，但是数字货币本身却是人类有史以来第一次可以达到所有人参与的程度，虽然由于本身概念以及技术，很多人身在门外。但这把钥匙始终放在这里，For everyone,depends on your willing and ablity.

当我第一次看到uniswap本身的流动性设计，就被其所震撼，也震撼于其所引发的财富效应。一种想深入其中了解通透、也希望自己能搭上这趟财富列车，同时让我兴奋，与嗨点不断的是在这个领域存在的巨大可能性，这里面不仅仅有财富列车、新的跨地域的合作方式、范式转移下的能量爆发、创新与机缘背景下个人人生新的充满历险、有趣的选择可能性...

那问题来了，面对这纷繁复杂快速变化的世界，我该怎么了解，怎么进入，在综合自身的情况下，我应该进行怎样的取舍，什么才是我的路径？

我将从以下几个方面介绍我的思考与操作。1.整体市场认知的建立与感知 2.信息源的筛选 3.如何跟进 4.重点方向了解、学习与操作 5.一些技能的思考与锻造 6.参与社区的一些畅想 7.风险与泡沫之中的求存。

1.整体市场认知的建立与感知

首先要感谢两份资料，一份为messari今年年初发布的一条报告《messari-report-crypto-theses-for-2021.pdf》其中涉及到关键趋势、人物、公司、协议，通过这些去透视整个数字货币领域，BTC以及ETH。另外一篇则是Decentralized Finance: On Blockchain- and Smart Contract-Based Financial Markets ,综合介绍了去中心化金融，现在依然记得自己花了两天时间沉浸其中。第一份资料建立了我整体粗略的认识，比如让我知道对于稳定币的争夺相当于兵家必争之地，众多协议的不断涌现以及在各个方向如dex、借贷、聚合、保险、衍生都有协议在竞争。第二份资料则是让我对x*y=k 兴奋开始的地方。

当然仅仅通过这两份资料是远远不够的，首先历史的演化从BTC到eth，再到山寨币，再到各个领域与方向的热点轮动，如defi1.0、defi2.0、L2与侧链、公链之争、NFT、gamefi、web3.0、sofi、dao...这里面有两点，一是内容多，无论是横向还是纵向，横向表现如前所述的方向很多，纵向则是涉及到技术、经济模型、社群等等。二是变化快，随着时间的流逝或者涌现出创新或者成为热点或者归零。

所以全部的理解与掌握基本上不可能，但是建立整体的认识又是那么有必要，可取的方法则是慢慢积累相关知识与经验，然后就某一自身关注的方向持续深入。

2.信息源的筛选

上述提到建立整体认知，那么信息源的建立与跟进就很有必要了。当前我梳理的信息源分为如下：

1.社交软件 如twitter、discord、telegram、reddit、telegram，很多项目宣传或者讨论都聚集于此地。很多人也根据这些社交的人数聚集程度来作为判断项目的一个指标。

2.媒体信息的获取，包括资讯平台、行情数据、研报与数据分析网站。现在很多渠道都可以看到有人搜集的资料。

如下为搜集的英文资料

https://twitter.com/Darrenlautf/status/1434877372700901384

如下为搜集的中文资料

https://medium.com/@happyhey/币圈进阶-cnhappyhey-f738630db3e1

3.英文世界与中文世界的KOL，如万姨、DFarm、defiteddy，messari。

由于中文世界的政策影响，还有大部分项目都在英文世界并且很多第一手的资料来源于英文世界，所以英文世界信息的跟进就显得很有必要，并且重视权重要放得比较高。

当然信息源远远不仅这些，newsletter、podcast、国外个人的独立站、Mirror、medium、YouTube、clubhouse的讨论，很多有价值的讨论与财富密码散落在这些角落。

3.如何跟进

信息源头很多，那么怎么选择与如何跟进就显得是个很必要的问题。当前我个人喜欢telegram上的 The Daily Ape，中文社区defiteddy的每日发布，youtube上Bankles的每周视频，这些信息源头会每日或者每周进行更新，将最近市场状况，各个领域的最新进展，以及一些方向的深度解读与讨论，链闻的关停有点可惜，或许也意味着什么。此外一些专业分析机构如messari的研报也适合定期去深度阅读。

4.重点方向、了解学习与操作

首先这一领域方向诚如前面所述，不同方向及其子集太多并且变化太快，随便一说如L2，侧链之争、NFT、sofi、gamefi、dao，至于套利方式如空投、打新、跨市场套利...就让人分身乏术，什么都懂什么都搞可能到最后精力花了，钱被割光了，也没有啥深入理解。

所以我自己也一直在思考应该怎么有所取舍，首先总体的市场认识必须是具备的，即便不深入但必须有了解。其次某一方向长期跟进，尽力理解其机理。

比defi1.0到defi2.0，其中流动性的问题是其中非常关键的问题，针对流动性问题OHM与tokemak是两个不同的解决方案，由于项目本身也是启动没多久，自身了解也需要过程，随着项目后期的发展也会出现很多情况，所以就是参与了解再参与，可以看到ohm仿盘不断涌现，并造就一波投机，而tokemak就沉稳了好多。

又比如NFT，我现在从这个几个点出发，1 其意义价值，如crypro pucks其就像NFT世界的BTC，2 社群活跃与价值程度 3 未来的可组合性，比如root，发售的时候是自己mint，而且也仅仅是一些描述信息，但是基于这些描述信息给了人很大的想象。4 参与未来一些社群或者活动的入口，比如一些dao组织，会给成员发行NFT凭证。

又比如gamefi，现在链上游戏那么多，不可能每个都玩一把，那我就选取趣味性强，属于头部游戏，并且自身足够感兴趣进行体验。

又比如基于机制深入讲解方面，youtube上的Finematics，经常会从历史、机制方面讲的细致，值得花时间去了解。

https://www.youtube.com/c/Finematics

5.一些技能的思考与锻造

现实生活中每个人的技能树都不一样，而且每个人对于自身在这个世界的方向与定位也都有差别，如下也仅为个人的一些思考。

可以预见的是，eth作为世界级的计算机，未来使用的人只会越来越多，那么未来学习与应用solidity语言的人只会越来越多，即便是其他公链在一定程度上也有借鉴或者兼容该语言，所以我认为，未来solidity只会越来越流行，掌握与运用这个工具，其在未来的价值只会越来越大，也会给自身带来很多机会，即便不是专门写合约的程序员，但是分析源代码，判断其安全程度或者设计思路，也会对自身大有裨益。

第二点则是链上越来越多的开放数据，众所周知，在传统金融市场上有很多数据提供商，很多金融数据想要获取是存在各种各样的门槛，但在链上更多有价值的数据变得清晰可见。那么对于链上数据的认识、分析就会更好的辅助个人去判断、去认识。

比如dune,链上数据分析工具。其不仅将链上杂乱、编码的数据标准化，只要会使用SQL，则可以按照自己的思路与诉求去进行分析，同时其也提供了一整套思路，比如别人的查询列表、别人的分析框架都可以去借鉴，再以开源社区的精神去合作讨论，相信不仅自身这方面的技能会不断得到锻炼，也会迸发不少新的思路。

https://dune.xyz/

当然数据分析工具不限于此，还有nansen，一些行情软件https://defillama.com/、https://dex.guru/。

如上偏向于IT技能方向，其他方向如marketing、商业模型分析方向、经济模型等等，这些不是本人当前重点的关注的方向，不再赘述。

6.参与社区的一些畅想

首先，为什么要参与社区，社区是很多价值信息的发源地，尽管也有很多杂音，作为开源精神的进一步展现，很多项目运作的形式都是在社区内部的沟通协作推进中往前走的。

随着时间的推移，项目与外在条件的不断变化，也需要通过参与社区去了解。

而dao的不断发展演化，在我看来，已经触发了巨大的想象空间，人类在公司的这种组织形式下已经发展了几百年，dao的存在提供了一种更为不同的组织形式，其聚集的成员跨地区，所有权归成员所有的自我激励机制，链上dao治理工具的不断完善似乎在拉开新时代的帷幕。

巨大的成员基数与多样性、带来了协作几何级的复杂度，但是也带来了更高层级的能力或者能量输出。也许新时代的谷歌或者苹果就诞生在这里。

那我作为个体如何参与？或许投入真金白银试错，或许参与协议链上投票、或者参与参与社区讨论、或者基于自身的技能栈参与社区本身的建设。

不同的社区或者dao有不同的方向，比如投资、社群、基础设施构建...，关注投资的人可以社区做类似商业分析师的角色、关注基础设施构建的人可以从项目代码层面去运用自身的技能栈。

由于很多价值社区都是英文社区，所以需要跨过语言的屏障，去融入其中。

7.在风险与泡沫中求存

数字货币巨大的涨跌幅、层出不穷的归零项目、不断动辄以百万、千万美金的黑客事件，个人疏忽造成的巨额损失，社交软件上层出不穷的欺诈信息，还有各种各样告诉你这是骗局的声音...可以说在这里尽管可以看到很多机会，但是风险与泡沫也时刻在暗处潜伏者，如何求存是需要灵魂式的发问？你为什么在这里，你能在这里活着吗？能活着看到未来的曙光吗？

https://rekt.news/

https://hacked.slowmist.io/

黑客攻击记录

就犹如私钥掌握在你手中，只要不泄密，那么你就对个人的资产拥有绝对的所有权，任何组织或者个人都无法剥夺，那么同样对于这个市场的认识，对于项目的认识也需要个人亲自去了解，去体验，去损失或者去收获。

我相信，未来的变化可能性是惊心动魄的，希望当有一天这一刻来临的时候我能够在场。我相信这里面将会上演很多故事，足以打破当前自我的想象边界。