Curated Resources
Use this section as a working index. The tiers are editorial judgments based on practical security value, maintenance, accessibility, and reputation.
Must Learn
| Resource | Category | Track | Note |
|---|---|---|---|
| OWASP Smart Contract Top 10 2026 | Standard | EVM, protocol | Current shared vocabulary for high-impact smart contract risks. |
| OWASP SCSVS | Standard | Auditor | Verification standard for smart contract assessments. |
| OWASP SCSTG | Testing guide | Auditor | Test guide aligned to smart contract security controls. |
| OpenZeppelin Readiness Guide | Audit readiness | Protocol | Practical preparation model before external review. |
| SEAL Frameworks | Operations | Protocol | Security program and incident readiness frameworks. |
| Foundry Book | Tooling | EVM | Core EVM development and testing framework; the default harness for audit proofs of concept. |
| Solidity Docs | Language | EVM | Primary compiler and language reference. |
| Solodit | Vulnerability intel | Auditor | Searchable archive of public audit findings and contest results. |
| DeFiHackLabs | Exploit study | Auditor | Reproduce historical DeFi incidents. |
| Mastering Ethereum | Fundamentals | Beginner | Durable blockchain and EVM background. |
Use in Real Audits
| Resource | Category | Track | Note |
|---|---|---|---|
| Slither | Static analysis | EVM | Fast bug triage, inheritance graphs, and printers. |
| Aderyn | Static analysis | EVM | Auditor-oriented static analysis and reports. |
| Echidna | Fuzzing | EVM | Property-based fuzzing. |
| Medusa | Fuzzing | EVM | High-performance stateful fuzzing. |
| Halmos | Symbolic testing | EVM | Symbolic execution for Foundry tests. |
| Tenderly | Debugging | EVM | Transaction simulation, forks, and debugging. |
| Sourcify | Verification | EVM | Source-code verification against deployed bytecode using compiler metadata. |
| Immunefi | Bug bounty | Protocol | Bounty hosting and disclosure workflows. |
| Sherlock | Contests | Auditor | Competitive audits and coverage markets. |
| Cantina | Contests | Auditor | Competitive audits, bounties, and private engagements. |
| Pashov Audits | Reports | Auditor | Large public archive of independent audit reports. |
| Pashov Skills | AI-assisted audit | EVM | Practical Solidity auditor and x-ray skills. |
| Burp Suite | Web/API testing | Full-stack | Baseline proxy for offchain auth, API, and admin-surface testing. |
Situational / Advanced
| Resource | Category | Track | Note |
|---|---|---|---|
| ERC-4337 Resources | Account abstraction | EVM, wallet | Primary hub for smart accounts, bundlers, paymasters, and UserOperations. |
| ERC-4337 Simulation Requirements | Account abstraction | EVM, wallet | Bundler simulation expectations that should inform reviews. |
| OpenZeppelin EIP-4337 Audit | Audit report | EVM, wallet | Public report with paymaster, bundler, and EntryPoint failure modes. |
| Solana Program Security Course | Chain-specific security | Solana | Solana signer, owner, PDA, CPI, and lifecycle vulnerability classes. |
| Mollusk | Testing | Solana | Fast instruction-level tests for Solana programs. |
| Anchor LiteSVM | Testing | Solana | Lightweight local Solana tests for CI-friendly security coverage. |
| Surfpool | Testing | Solana | Local Solana network and simulation environment. |
| BlockSec Phalcon Simulator | Simulation | EVM, incident response | Transaction simulation for exploit reproduction and privileged action review. |
| Tenderly Docs | Simulation | EVM | Forks, traces, simulations, monitoring, and incident reproduction. |
| Safe Transaction Service | Multisig operations | Protocol | Indexed Safe transaction and confirmation history; timeline evidence for Safe-controlled operations. |
| Chainlink Feed Selection | Oracle security | DeFi | Feed freshness, deviation, fallback, and selection guidance. |
| Wormhole Security | Bridge security | Multi-chain | Security-program reference for bridge and messaging assumptions. |
| CosmWasm Docs | Chain-specific security | Cosmos | Wasm smart contract development and testing reference. |
| Sui Security | Move security | Sui | Public reports and security resources for Sui and Move. |
| Aptos Move Docs | Move security | Aptos | Primary Aptos Move smart contract reference. |
| RISC Zero Docs | zkVM | ZK | zkVM proof, guest, receipt, and verifier reference. |
| SP1 Repository | zkVM | ZK | Source and release reference for SP1 integrations. |
| Certora Prover | Formal methods | EVM | Specification and formal verification for high-value systems. |
| Runtime Verification | Formal methods | Multi-chain | Semantics and verification services. |
| 0xPARC | ZK | ZK | Strong ZK education and research community. |
| zkSecurity | ZK | ZK | ZK audit research and vulnerability guidance. |
| Starknet Docs | Chain docs | Cairo | Current Starknet platform documentation. |
| Move Book | Language | Move | Practical Move language reference. |
| Anchor Docs | Framework | Solana | Solana program development and account constraints. |
| Token-2022 | Token standard | Solana | Token program whose extensions (transfer hooks, transfer fees, confidential transfers) widen the audit surface. |
| Kontrol | Formal methods | EVM | Foundry-integrated formal verification using K semantics. |
| ItyFuzz | Fuzzing | EVM | Snapshot-based fuzzing and exploit-generation research. |
| TestMachine EVMbench | AI benchmark | AI-assisted | Benchmark context for EVM exploit reasoning claims; not an audit-tool endorsement. |
| Paradigm EVMbench | AI benchmark | AI-assisted | Research framing for EVM exploit-generation benchmarks. |
| Re-Evaluating EVMBench | AI benchmark | AI-assisted | Cautionary paper for interpreting benchmark scores. |
Paid / Certification
| Resource | Category | Track | Note |
|---|---|---|---|
| Certora Prover | Formal methods | EVM | Commercial tooling; valuable for protocols with formal specs. |
| AuditBase | Training/tools | EVM | Paid security learning and scanning options. |
| Offensive Security | General security | Full-stack | Paid training in web, infrastructure, and attacker methodology; not blockchain-specific. |
| SANS SEC554 | Training | Protocol | Structured paid blockchain and smart contract security training. |
| Octane Security | AI security | EVM | Commercial AI security tool to evaluate carefully. |
| TRM Labs | Blockchain intelligence | Compliance | Investigations, monitoring, and wallet risk intelligence. |
| Chainalysis | Blockchain intelligence | Compliance | Investigations, compliance, and ecosystem intelligence. |
| Elliptic | Blockchain intelligence | Compliance | Crypto risk intelligence and wallet screening. |
| zeroShadow | Incident response | Protocol | Web3 IR, investigations, threat intel, and vSOC. |
Watchlist
| Resource | Category | Track | Note |
|---|---|---|---|
| AIxCC | AI security | AI-assisted | Watch for program-analysis lessons that transfer to audits. |
| Wake | Testing | EVM | Growing Python-based Solidity testing and analysis framework. |
| GoPlus Security | User protection | Full-stack | Transaction and token risk APIs for wallet/app defenses. |
| Blockaid | User protection | Full-stack | Wallet and dapp threat detection. |
| Hypernative | Monitoring | Protocol | Real-time risk and exploit detection platform. |
| VANTAGE by DigiBastion | External trust monitoring | Full-stack | Monitoring, as described by its maintainer, for domain, DNS, frontend, phishing, and Web3 trust risk. |
| Pashov AI Web3 Security | AI security | AI-assisted | Source list for AI audit tools, skills, and commercial products. |
The machine-readable catalog lives in resources.yml.