More and more developers around the world are building smart contracts and "distributed applications" (Dapps for short) that interact with them, sometimes handling thousands of millions of dollars, most of the time unaware of the security risks involved and the impact that any breach can have. For pentesters, the inner workings of the Ethereum platform and all the new concepts involved in Dapps make the traditional mindset for detecting and exploiting vulnerabilities in applications obsolete in some cases. It is time to become knowledgeable about the available tools and frameworks to detect, exploit and mitigate security vulnerabilities in Ethereum smart contracts. While the first part of the workshop will be spent introducing all the concepts necessary to understand the topics covered, the second part will be entirely oriented to the different practical approaches and techniques that testers should use to detect and exploit vulnerabilities in smart contracts in a local testing environment. We will explain every single step needed to successfully exploit vulnerable smart contracts: from setting up the testing environment with Truffle and Ganache, through the Solidity basics, to how to detect common vulnerabilities both manually and with freely available automated tools, and finally how to write and execute JavaScript exploits that were used to steal millions of dollars from real smart contracts.