Skip to content

Roadmap to get up to speed with CosmWasm smart contract audits and security vulnerabilities

License

Notifications You must be signed in to change notification settings

jcsec-security/CosmWasm-audit-roadmap

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

11 Commits
 
 
 
 

Repository files navigation

Note

Would you like to know more about my security services? Check out my website!


Roadmap to CosmWasm Security/Auditing

The following is a list of interesting resources in case you want to start auditing CosmWasm smart contracts. I have not personally reviewed some of the resources, but those have been useful to others in the past and therefore worthy of mention.

The obvious recommendation looks like this:

  1. Blockchain and smart contracts basics
  2. Rust lang
  3. CosmWasm
  4. CosmWasm Security

👋 Do not hesitate to drop me a line if you have any personal favorites that you think should be listed or if you think some of the current additions are not worthy of attention

Blockchain and smart contracts basics

You first need to be familiar with the basic concepts of blockchain technologies and smart contracts in general. I came from Solidity and Ethereum auditing myself, so I'm not very sure which ones to recommend if you don't have any experience and don't want to get much into it… But I enjoyed Mastering Ethereum back in the day.

💁 You can probably find a lot of recommendations for this already :)

Rust language

You don´t need a high level of Rust programming to start, which is quite challenging IMO, just to be able to clearly understand Rust code and create basic programs.

Tip

For any question that could come to your mind during this journey, the Rust Book will most likely be your bible.

There are a lot of free basic courses out there, for example: Udemy: Ultimate rust crash course and its second part Ultimate rust 2

💡 You can find easy code examples to follow or try to implement yourself at Rust by Example. There are a lot of additional sites with Rust exercises such as Exercism's Rust path

I loved Rustlings, as you get to learn Rust by actually fixing code snippets that you have to previously understand which is quite similar to auditing in a sense.

I sometimes use Rust Playground as a quick ready-to-go environment to test random stuff and behaviors.

CosmWasm

At this point, you already have at least basic knowledge of blockchain techs, smart contracts, and Rust. It is about time to actually get into CosmWasm! There is a set of posts featured by Ethan Frey (@ethanfrey) that are now outdated but could still give you a nice overview and comparison with other techs:

🌌 As CosmWasm is a Cosmos SDK module that will run in Cosmos chains, you should familiarize yourself with how Cosmos works and some core concepts. You should at least read the following Cosmos documentation:

  1. Introduction section. Includes high-level overview, application-specific blockchains, blockchain architecture, and main components of the Cosmos SDK.
  2. Basics section. Includes anatomy of a Cosmos SDK application, transaction lifecycle, query lifecycle, accounts, and gas and fees.

👉 NOW is when we start diving into CosmWasm itself. I would say just reading the CosmWasm Book cover to cover is a good starting point to get all the concepts before trying to develop your contracts. In addition, this one resource has been helpful to me for quick references from time to time, some details are reflected on The Book but some others are not so clear to me there.

CosmWasm smart contract programming will be your next stop. You should be able to write easy CW smart contracts, CW Template is a nice resource to play around with a bit. You can find a list of resources below, some of the content will overlap so the idea is not to do all of them but but to give more options

  1. CosmWasm Academy <-- best maintained one at the time of writing
  2. CosmWasm zero to hero
  3. Area 52

CosmWasm Plus is a set of publicly available base contracts of common implementations following the idea of OpenZeppelin. Going over some of the main ones and understanding their architecture and behavior is an excellent way to start testing your Smart Contract analysis game, your main skill as a future auditor.

💯 In addition, you should get familiar with Smart Contract testing as you will craft your PoCs using these, check Mastering CosmWasm Multi-Test for a practical crash course on the topic. Further documentation on the most used libraries can be found at:

Getting familiar with IBC in CosmWasm is a good addition as it will become more and more common in CW contracts. Although not mandatory at this point as it is not a basic feature, you will have to go through this sooner or later.

There is an additional framework for building CosmWasm smart contracts, the Sylvia Framework. I have only been asked to audit one of these a handful of times, but I would say it is getting community attention.

CosmWasm security

Now you have all the prerequisites to get into the audit and security specifics of CosmWasm! If you come from Solidity auditing, the lack of resources here will surprise you compared to the overload of beginner security stuff for Sol/EVM out there.

📜 First of all, as you may expect, the CosmWasm Security Spotlight posts and any future ones in my Medium (@jcsec-audits). Then DAO DAO's CosmWasm security best practices have some interesting bits of info too.

💪 The next stop is practical examples:

  1. Oak's CosmWasm Security Dojo. In addition to the challenges themselves, you will find an EXPLAINATION.md on each dir giving you further details and concepts that are very useful.
  2. Oak Security CTF. CosmWasm CTF which me and Richie created for Awesomwasm 2023, is a nice overview of different security issues of CW contracts. Medium difficulty I would say.
  3. DeFiVulnLabsCosmWasm

There are not many more good resources out there, so it is time to start reading CosmWasm audit reports. This is the best way to get familiar with the kind of security issues that we auditors find during our security reviews.

There are three companies that I know of that have multiple public reports of CosmWasm audits:

  1. Oak Security
  2. SCV Security
  3. Halborn, although most of their reports are from the "Terra era"

Tooling

I don't use many tools, to be honest, just a bunch of VS Extensions and Notion for note-taking.

  • Rust analyzer
  • Better TOML
  • Inline Bookmarks - audit is just not the same without this one, MVP
  • CodeLLDB - Do you know you can debug rust unit tests for CW smart contracts? I may write a Medium post in the future
  • Coverage Gutters - easily displays test coverage from a lcov file
  • Line Note - I sometimes like to add 2/3 lines of additional info without breaking the total number of lines and not creating extensive one-line comments

📍 Aside from these I use a bunch of my own scripts that I am turning into a standalone "printer" tool, will publish it soon. Keep an eye on my new repos!