En route to becoming a smart contract auditor — Week 8

0xSenzel
Nov 27, 2022

Studying Hard

Slowly reaching the end of some of my courses. Just finished the LearnWeb3 courses. I'm officially a Senior Grad of LearnWeb3! 🥳 The Solidity bootcamp reached its final week of teaching as well; we will have a different arrangement for the last 2 weeks (probably a team project?). Oh yeah, I just joined another Solidity bootcamp by ThePhoenixGuild. It's more like a self-learning course, so I'm not stressing myself over it; it's just to expose myself and use this platform to test what I've learnt so far…

💡 What I learnt?

21 Nov Mon < 3 hours

  • Learn Web3: Senior (3/4) (20%)

Introduction to Merkle trees; wrote a Whitelist contract using the Merkle tree library from OpenZeppelin.

Explanation on EVM and its execution.

Wrote a simple flash loan contract and tested it by impersonating a whale account to take on flash loans.

22 Nov Tues < 3 hours

  • Solidity Bootcamp (6/8): Week 6

Class on libraries / token standards. Working on HW 19.

  • Learn Web3: Senior (4/4) (33%)

Tutorial on reentrancy; wrote a vulnerable contract and an attack contract. It also gave us the prevention method using the nonReentrant guard.

Tutorial on how to read private data, using getStorageAt to read on-chain data.

23 Nov Wed < 3 hours

  • Solidity Bootcamp (6/8): Week 6

My favourite topic of all… SMART CONTRACT AUDITING! The instructor shared what the auditing process normally looks like and their personal experience, since Extropy also provides auditing services. Very insightful!

  • Learn Web3: Senior (4/4) (33%)

Tutorial on delegatecall, with an example and an attack contract to show the vulnerability of delegatecall if the library contract is not stateless.

24 Nov Thurs < 3 hours

  • Solidity Bootcamp (6/8): Week 6

Went through formal verification and static analysis, and the need for formal verification even after audits and unit testing. Introduced to tools such as Manticore, Solc-verify, K Framework and ConsenSys Scribble.

Working on homework 20 to impersonate Binance and perform swapping of DAI to USDC, DAI to BUSD.

25 Nov Fri < 3 hours

  • Solidity Bootcamp (6/8): Week 6

Class on upgradeable contracts. The instructor does not condone upgradeable contracts, since smart contracts are supposed to be trustless and decentralized; however, we still need to have knowledge of this section. There are different patterns such as message call, delegate call, proxy pattern, UUPS and Eternal Storage.

Working on HW20 and HW21 to write unit tests for swapping DAI to USDC and BUSD.

26 Nov Sat < 6 hours

  • Solidity Bootcamp (6/8): Week 6

Working on HW20 to impersonate Binance to perform a DAI to USDC swap. Met with an error when trying to implement the DAI to BUSD swap: Error: Transaction reverted without a reason string. After discussion with a teammate, we found that the cause of the error was the pool fee, and we were able to resolve it and successfully perform the swap.

  • Learn Web3: Senior (4/4) (60%)

Tutorial on bad sources of randomness, pointing out the vulnerability of generating randomness from global variables such as block.timestamp.

Tutorial on Denial of service.

Tutorial on the vulnerability of tx.origin.

27 Nov Sun < 9 hours

  • Learn Web3: Senior (4/4) (✅)

Tutorial on malicious external contracts, showing how creating an explicit new instance prevents a deployer from passing in a contract that has the same ABI but modified functions to exploit users.

Explanation of upgradeable contracts. Covered the design of the Transparent Proxy Pattern in detail, and its issue: it needs an owner variable to determine the action to be taken, and accessing this variable every time adds unnecessary gas cost.

Explanation of the UUPS Proxy Pattern. This proxy pattern solves the Transparent Proxy Pattern's issue of unnecessary gas cost. However, UUPS has its own issues: the implementation code is more complex, and there is a security concern since the upgradeTo function lives on the implementation side and every new upgrade poses a risk.
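An added example (not code from the LearnWeb3 lesson or from the author) of the UUPS concern described above: the upgrade entry point is inherited by the implementation contract, so its authorization check has to be present in every version that ever sits behind the proxy. It assumes OpenZeppelin Contracts Upgradeable 4.x; CounterV1 and CounterV2 are hypothetical contracts.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Assumption: OpenZeppelin Contracts Upgradeable 4.x, where UUPSUpgradeable
// exposes upgradeTo() and calls the _authorizeUpgrade() hook before upgrading.
import "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";
import "@openzeppelin/contracts-upgradeable/proxy/utils/UUPSUpgradeable.sol";
import "@openzeppelin/contracts-upgradeable/access/OwnableUpgradeable.sol";

// Hypothetical implementation contract deployed behind an ERC1967 proxy.
contract CounterV1 is Initializable, OwnableUpgradeable, UUPSUpgradeable {
    uint256 public count;

    /// @custom:oz-upgrades-unsafe-allow constructor
    constructor() {
        // Lock the bare implementation so it cannot be initialized directly.
        _disableInitializers();
    }

    // Called once through the proxy; the caller becomes the owner.
    function initialize() public initializer {
        __Ownable_init();
        __UUPSUpgradeable_init();
    }

    function increment() external {
        count += 1;
    }

    // Weak form (do not ship): no access control, so any caller of upgradeTo() passes.
    //   function _authorizeUpgrade(address) internal override {}
    // Hardened form: only the owner may point the proxy at new logic.
    function _authorizeUpgrade(address) internal override onlyOwner {}
}

// Hypothetical next version. It replaces V1's logic entirely, so it must
// inherit UUPSUpgradeable again and repeat the same access check.
contract CounterV2 is Initializable, OwnableUpgradeable, UUPSUpgradeable {
    uint256 public count; // same storage layout as V1

    /// @custom:oz-upgrades-unsafe-allow constructor
    constructor() {
        _disableInitializers();
    }

    function increment() external {
        count += 2;
    }

    function _authorizeUpgrade(address) internal override onlyOwner {}
}
```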

Examples of gas optimization in Solidity, e.g. variable packing, using memory to avoid writing to storage in iterations/loops, fixed-length arrays whenever possible, choosing the right function visibility, use of libraries, short-circuiting conditions by putting the condition with the main priority first so we don't waste gas evaluating the secondary requirement just to be rejected on the main one, freeing up storage using delete, and short error strings.

Explanation of meta transactions and avoiding signature replay.

Explanation of Maximal Extractable Value (MEV). Role of a Searcher: a group of users that run complex algorithms to make on-chain arbitrage profit. The two main methods are front-running and Flashbots. Flashbots superseded front-running, as it does not copy transactions from the mempool; instead, the transactions are submitted directly to miners.

Use cases of MEV: profiting from liquidations by being the first to get a liquidation transaction mined to earn the liquidation fee; sandwich attacks; recovering funds from a compromised account.

Architecture of Flashbots; introduced to the eth_sendBundle RPC standard format for interacting with Flashbots relayers and miners.
