Smart Contract Security Research: A Curated Resource List

Smart contract security is a demanding field. You need to understand Solidity, the EVM, DeFi protocols, cryptographic primitives, and how attackers think, all at once.

This post collects the resources worth your time. Each section covers a distinct area of knowledge. Work through them in order if you are starting out, or jump to the section you need.

Solidity and the EVM

Before auditing contracts, you need to read and write Solidity well. These resources cover the language and the execution environment beneath it.

Official documentation

EVM internals

Secureum series

The Secureum substack is one of the most concentrated sources of Ethereum and Solidity knowledge available. Read these in order:

Quick reference

Foundry

Foundry is the standard toolkit for writing tests, running forks, and building proof-of-concept exploits in Solidity. If you are not using it already, start now.

  • Foundry Book: complete documentation for the toolchain

Token Standards and EIPs

Auditors spend a lot of time reviewing token contracts. Knowing the standards and their edge cases is not optional.

Proxy Patterns and Upgradeable Contracts

Proxy contracts are a common source of vulnerabilities. The different patterns each carry different risks.

Security Best Practices and Checklists

These resources cover what to look for during a review and how to structure your thinking.

DeFi Knowledge

Most audit targets are DeFi protocols. Understanding how they work (AMMs, lending markets, derivatives, vaults) is a prerequisite for finding meaningful bugs.

Finance foundations

DeFi overviews

Vulnerabilities and Attack Vectors

This is the core of security research. Study these to understand what attackers exploit and how.

Secureum

Vulnerability databases and lists

QuillHash collections

Additional references

Audit Reports

Reading past audit reports is one of the most effective ways to develop an eye for bugs. You see how real auditors reason, what they flag, and how they write findings.

Contest platforms

Bug bounty writeups

Security firms

Solo auditor portfolios

These are worth reading to see how individual auditors present their work:

Lists and directories

Secureum SAFU Series

A focused set of posts analyzing the security of specific DeFi protocols:

CTFs and Hands-On Practice

Reading about vulnerabilities is not enough. You need to exploit them yourself. These CTFs give you practice in a structured environment.

After completing a challenge, read other players' writeups. The same vulnerability can often be exploited in multiple ways, and seeing different approaches sharpens your thinking.

Contest Practice

Once you have finished the CTFs, first-flight contests are a low-stakes way to practice writing findings on real (if simpler) codebases.

Writing Proof of Concept Exploits

A finding without a working PoC is weak. These resources cover how to build them properly.

Postmortems and Bug Fix Analysis

Studying how protocols responded to real exploits teaches you what auditors missed and why. This is underrated as a learning method.

Where to Start

If you are new to smart contract security, a reasonable progression is:

  1. Learn Solidity basics using Solidity by Example and the Secureum 101 posts
  2. Understand the EVM at a basic level before going deeper
  3. Work through Ethernaut, then Damn Vulnerable DeFi
  4. Read 10 to 20 high-severity findings on Solodit and understand each one
  5. Participate in a CodeHawks First Flight contest
  6. Expand your DeFi knowledge in parallel with your security knowledge

The two skills reinforce each other. The better you understand how a protocol is supposed to work, the easier it is to see where it breaks.