GithubHelp home page GithubHelp logo

user00000001 / hardhat006 Goto Github PK

View Code? Open in Web Editor NEW
0.0 1.0 0.0 199 KB

hardhat Upgrades/DAOs/Security&Auditing. experience from https://www.youtube.com/watch?v=gyMwXuJrbJQ

Solidity 34.74% TypeScript 65.26%

hardhat006's Introduction

Operations

install hardhat & packages

# pnpm env --global use 16.x.x
pnpm init 
pnpm i -D "hardhat@~2.9.0"
pnpm hardhat init # typescript

# remove eslint supports, not good at it, handling it is too boring and spend time.
pnpm install --save-dev "hardhat@~2.9.9" "@nomiclabs/hardhat-waffle@^2.0.0" "ethereum-waffle@^3.0.0"^
 "chai@^4.2.0" "hardhat-deploy@^0.10.5" "ethers@^5.0.0" "@nomiclabs/hardhat-etherscan@^3.0.0"^
 "dotenv@^16.0.0" "hardhat-gas-reporter@^1.0.4" "prettier@^2.3.2" "prettier-plugin-solidity@^1.0.0-beta.13"^
 "solhint@^3.3.6" "solidity-coverage@^0.7.16" "@typechain/ethers-v5@^7.0.1" "@typechain/hardhat@^2.3.0"^
 "@types/chai@^4.2.21" "@types/node@^12.0.0" "@nomiclabs/hardhat-ethers@npm:[email protected]"^
 "@types/mocha@^9.0.0" "ts-node@^10.1.0" "typechain@^5.1.2" "typescript@^4.5.2" "@openzeppelin/contracts@^4"^
 "@openzeppelin/hardhat-upgrades@~1.15.0"

pnpm hardhat node --hostname 0.0.0.0 --no-deploy

upgrade by hardhat-upgrades

pnpm hardhat run scripts/otherUpgradeExamples/deploy.ts --network localhost # then set env PROXY_OF_BOX
pnpm hardhat run scripts/otherUpgradeExamples/prepare-upgrade.ts --network localhost
pnpm hardhat run scripts/otherUpgradeExamples/upgrade.ts --network localhost

# set env NEXT_PROXY_ADMIN
# It seems not transfer again at this version. (always using hre default signer, can't specify signer)
pnpm hardhat run scripts/otherUpgradeExamples/transfer-ownership.ts --network localhost

Governance

pnpm hardhat deploy --tags all --network localhost
echo -n '{"31337":[],"1":[],"11155111":[]}' > proposals.json

pnpm hardhat run --network localhost scripts/propose.ts
pnpm hardhat run --network localhost scripts/votes.ts
pnpm hardhat run --network localhost scripts/queue-and-executes.ts

Audit Tool Usage

Slither

Open the docker shell:

pnpm run toolbox

Then, run:

slither /src/contracts/ --solc-remaps @openzeppelin=/src/node_modules/@openzeppelin --exclude naming-convention,external-function,low-level-calls

To exit:

exit

Echidna

Open the docker shell:

pnpm run toolbox

Then, run this:

echidna-test /src/contracts/test/fuzzing/VaultFuzzTest.sol --contract VaultFuzzTest --config /src/contracts/test/fuzzing/config.yaml

To exit:

exit

What is an Audit?

An audit is a security focused code review for looking for issues with your code.

Help your auditors!

When writing good code, you 100% need to follow these before sending you code to an audit.

Tweet from legendary security expert Tincho

  • Add comments
    • This will help your auditors understand what you're doing.
  • Use natspec
    • Document your functions. DOCUMENT YOUR FUNCTIONS.
  • Test
    • If you don't have tests, and test coverage of all your functions and lines of code, you shouldn't go to audit. If your tests don't pass, don't go to audit.
  • Be ready to talk to your auditors
    • The more communication, the better.
  • Be prepared to give them plenty of time.
    • They literally pour themselves over your code.

"At this time, there are 0 good auditors that can get you an audit in under a week. If an auditor says they can do it in that time frame, they are either doing you a favor or they are shit. " - Patrick Collins, March 4th, 2022

Process

An auditors process looks like this:

  1. Run tests
  2. Read specs/docs
  3. Run fast tools (like slither, linters, static analysis, etc)
  4. Manual Analysis
  5. Run slow tools (like echidna, manticore, symbolic execution, MythX)
  6. Discuss (and repeat steps as needed)
  7. Write report (Example report)

Typically, you organize reports in a chart that looks like this:

impact image

Resources

These are some of the best places to learn even MORE about security:

PRs welcome to improve the list.

Tools

Games

Blogs

  • rekt
    • A blog that keeps up with all the "best" hacks in the industry.
  • Trail of bits blog
    • Learn from one of the best auditors in the space.
  • Openzeppelin Blog
    • Another blog of one of the best auditors in the space.

Audit Examples:

Articles

hardhat006's People

Contributors

user00000001 avatar

Watchers

avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.