Initial commit

README.md

@@ -1,2 +1,71 @@
-# exploiting-smart-contract-vulnerabilities
-Repository for "Exploiting smart contract vulnerabilities" bachelor thesis at School of Electrical Engineering, University of Belgrade. Paper (in Serbian) with 5 examples of vulnerable smart contracts and exploitation of them.
+# Exploiting Smart Contract Vulnerabilities
+
+![Ethereum](https://img.shields.io/badge/Ethereum-3C3C3D?style=for-the-badge&logo=Ethereum&logoColor=white)
+![Solidity](https://img.shields.io/badge/Solidity-%23363636.svg?style=for-the-badge&logo=solidity&logoColor=white)
+
+Repository for "Exploiting smart contract vulnerabilities" bachelor thesis at [School of Electrical Engineering](https://www.etf.bg.ac.rs/en), [University of Belgrade](http://www.bg.ac.rs/en/index.php). 
+
+The paper is written in Serbian (Eksploatacija_propusta_u_pametnim_ugovorima.pdf) and there are 5 exmples of vulnerable smart contracts and how to exploit them with instructions in English. Everything is implemented in Solidity.
+
+## Examples
+
+1. NFT Auction
+	* Implementation of auction that has reentrancy vulnerability
+	* Inspired by DAO hack
+		
+2. Hyperinflation
+	* Smart contract that has half implementation of ERC20 contract with overflow vulnerability
+	* Exploitation of this vulnerability leads to hyperinflation of token
+	* Inspired by BEC (BeutyChain) hack
+
+3. Ether chest
+	* Smart contract that enables users to lock their Eth for some time
+	* To exploit this contract attacker needs to combine reentracny, overflow and underflow vulnerabilities
+
+4. King of Ether
+	* Famous king of ether game with additional protection (checks if caller is smart contract and if it is stops function call)
+	* Example of Denial of Service (DOS) attack
+
+5. Giveaway
+	* Contract that is giving away 10 Ethers, but you need to give 1 eth to enter the giveaway
+	* Attacks combines unexpected ether vulnerability and bad usage of delegatecall
+
+Instructions for running each example is in readme inside each example directories in src directory.
+
+
+## Recommendations for developing safe smart contracts
+
+* Use Checks-Effects-Interactions pattern
+* Use pull over push pattern
+* Implement circuit breakers
+* Use formal verification
+* Use modifiers only for checks
+* Do not use kill and selfdestruct
+* Keep the code small and modular
+* Use events to track activities in smart contract
+* Use well known libraries like the ones from [OpenZeppeling](https://github.com/OpenZeppelin)
+* Don't forget that all data is public on blockchain
+	* use commitment schemes with separate phases: first commit using the hash of the values and in a later phase revealing the values
+* Limit the maximum number of Eth that contract can accept (if possible)
+
+* More useful recommendations [here](https://consensys.github.io/smart-contract-best-practices/)
+
+## Smart contract security tools
+
+* [Slither](https://github.com/crytic/slither) - Static Analyzer for Solidity 
+
+* [Mythril](https://github.com/ConsenSys/mythril) - Security analysis tool for EVM bytecode
+
+* [Manticore](https://github.com/trailofbits/manticore) - Symbolic execution tool 
+
+* [Oyente](https://github.com/enzymefinance/oyente) - An Analysis Tool for Smart Contracts 
+
+* [Echidna](https://github.com/crytic/echidna) - Ethereum smart contract fuzzer 
+
+## Contributing
+
+If you see any mistake or have improvement idea, feel free to open an issue and PR, or contact the author.
+
+## License
+
+[![License: GPL v3](https://img.shields.io/badge/License-GPLv3-blue.svg)](https://www.gnu.org/licenses/gpl-3.0)