Smart Contract Audit 101

Presented at ekoparty 14 (2018), Sept. 27, 2018, 4 p.m. (120 minutes)

More and more developers around the world are building smart contracts and "distributed applications" (Dapps for short) that interact with them, sometimes handling thousands of millions of dollars, most of the times unaware of the security risks involved and the impact that any breach can have. For pentesters, the inner workings of the Ethereum platform and all the new concepts involved in Dapps make the traditional mindset to detect and exploit vulnerabilities in applications, obsolete in some cases. It is time to become knowledgeable in the available tools and frameworks to detect, exploit and mitigate security vulnerabilities in Ethereum smart contracts. While the first part of the workshop will be spent in introducing all the necessary concepts to understand the topics covered, the second part will be entirely oriented to the different practical approaches and techniques that testers should use to detect and exploit smart contracts in a local testing environment. We will explain every single step needed to successfully exploit vulnerable smart contracts. From setting up the testing environment with Truffle and Ganache, through the Solidity basics, to how to detect common vulnerabilities both manually and with freely available automated tools, and finally how to write and execute Javascript-written exploits that were used to steal millions of dollars from real smart contracts.


  • Ignacio Bonilla, Martín Abbatemarco, Walter Riveros
    We are penetration testers and security researchers interested in the new applications and security challenges that blockchain-based technologies have introduced both for developers and security professionals. Given the lack of proper documentation and training material, many have been discouraged from jumping into developing and testing smart contracts. We have gone through that process, gathering and compiling enough material to successfully put together a testing methodology that gentles the learning curve, lowering the entry barriers for new players in the field.


Similar Presentations: