SEC554: Blockchain and Smart Contract Security

  • In Person (5 days)
  • Online
30 CPEs

SEC554 will teach you all topics relevant to securing, hacking, and using blockchain and smart contract technology. The course takes a detailed look at the technology that underpins multiple implementations of blockchain, the cryptography and transactions behind them, the various smart contract languages like Solidity and Rust, and the protocols built with them like NFTs, DeFi, and Web3. The labs in the course provide the hands-on training and tools needed to deploy, audit, scan, and exploit blockchain and smart contract assets, as well as actively learn how to defend them and identify threats and threat actors using them for malicious purposes.

Course Authors:

What You Will Learn

In 2008, an anonymous author using the pseudonym Satoshi Nakamoto published a white paper entitled Bitcoin: A Peer-to-Peer Electronic Cash System, outlining a public transaction ledger for a decentralized peer-to-peer payment system. This paper is regarded as the "birth" of blockchain. Since then, the use of blockchain has evolved beyond its original implementation as a cryptocurrency. It has gained momentum in recent years, being adopted by some of the largest organizations in the world, including IBM, Amazon, PayPal, Mastercard, and many others. However, due to the fast-moving innovation and adoption of blockchain, and its unfamiliar concepts compared to better-understood, traditional technologies, its use is still hindered by speculation, confusion, uncertainty, and risk.

In SEC554: Blockchain and Smart Contract Security, you will become familiar with the essential topics of blockchain and smart contract technology, including its history, design principles, architecture, business use cases, regulatory environment, and technical specifications. The course takes a detailed look at the mechanics behind the cryptography and the transactions that make blockchain work. Hands-on labs and exercises will teach you how to use tools to deploy, audit, scan, and exploit various blockchain implementations, such as Bitcoin, Ethereum, Solana, Cosmos, NEAR and others, as well as smart contract languages like Solidity and Rust, along with protocols such as NFTs, DeFi, and Web3.

There have already been widespread security breaches, fraud, and hacks on blockchain platforms, resulting in billions of dollars in losses. These issues, along with growing scrutiny by government agencies seeking malicious users who abuse the technology, are tarnishing blockchain's reputation. SEC554 approaches blockchain security and smart contracts from an offensive perspective to inform students what vulnerabilities exist, how they are exploited, and how to defend against the attacks that are leveraged today. Some of the skills and techniques you will learn include how to:

  • Interact with and get data from public blockchains
  • Exploit several types of smart contract vulnerabilities
  • Test and exploit weak cryptography/entropy
  • Discover and re-create private keys
  • Understand what cryptojackers do and how to trace and track movements on blockchain
  • Combat non-technical or social engineering types of attacks that adversaries use to access and steal from victims

We can see the many solutions blockchain technology can provide as a payment system, but as the technology is increasingly adopted, its attack surface will continue to grow. While there are some educational resources available for blockchain, there is relatively little educational content around blockchain security. No other training provides the comprehensive level of blockchain testing, exercises and knowledge that SEC554 delivers.

You Will Be Able To

  • Compile and deploy smart contracts
  • Exploit vulnerable smart contracts, nodes, and private keys
  • Run automated security scans on smart contracts
  • Use the latest blockchain tools for development, security, auditing, and exploiting
  • Trace and discover blockchain transaction information
  • Set up and protect a cryptocurrency wallet
  • Crack partially exposed mnemonic keys
  • Send transactions to a blockchain
  • Set up a local Ethereum blockchain for testing
  • Join a cryptocurrency mining pool, or create your own mining node
  • Run static analysis on EVM bytecode
  • Interact with cryptocurrency on main and test networks
  • Investigate, install, and prevent crypto-jacking malware
  • Protect and defend against privacy attacks on blockchain

You Will Receive With This Course

  • ZIION blockchain and smart contract testing and development platform
  • Access to a full Bitcoin testnet node
  • Reference documents outlining all the common smart contract vulnerability classes
  • Cheat sheet for the most common blockchain CLI tool commands
  • 28 labs with custom tools
  • Course workbook

Syllabus (30 CPEs)

  • Overview

    The first course section begins by establishing the fundamentals of blockchain technology and how it is applied to real-world problems. We will also look at smart contract technology and walk through examples of how it is applied today in various industries and market use cases. The most important technical aspects that make up blockchain architecture are discussed, along with examples and case studies.

    Students will:

    • Generate public and private key pairs used by blockchain
    • Create different types of cryptocurrency wallets
    • Deep-dive into the different consensus mechanisms like Proof of Work and Proof of Stake that make blockchain a decentralized system
    • Learn how cryptocurrency mining works
    • Investigate what happens during transactions

    The section concludes with the common classifications of vulnerabilities and attacks. This lesson will feature scenarios and exercises to send and receive blockchain transactions, and students will see live transactions on the public chain through various block explorers. We will then spend time learning and using blockchain security tools that exploit private keys and users, and cover the common mistakes people make when using them.

    Exercises

    Lab 1.1: Use Metamask to Swap on a DeFi Exchange

    Lab 1.2: Brute Force a Mnemonic Phrase to Access a Wallet

    Lab 1.3: Recreate a Key to Investigate Multi-Chain Transactions

    Lab 1.4: Join a Mining Pool and Create a Validator

    Lab 1.5: Use Various Blockchain Clients to Discover Funds

    Lab 1.6: Locate and Exploit an Exposed Private Key

    Topics

    Blockchain and Smart Contract Fundamentals

    • Origin and Purpose
    • Types of Blockchains
    • Smart Contract Overview
    • Common Use Cases

    Blockchain Keys

    • Wallets and Keys
    • Mnemonic Keys (BIP-32/BIP-39)
    • Attacks on Private Keys
    • Case Study: Mnemonic Reconstruction

    Blockchain Transactions

    • Block Explorers
    • BTC, EVM, Solana, Monero and other transactions
    • Case Study: Poly Network Hack Transactions

    Consensus Protocols

    • Proof of Work
    • Security Issues in Proof of Work
    • Proof of Stake
    • Security Issues in Proof of Stake
    • Other Consensus Types

    Blockchain Architecture

    • BTC, EVM, Rust, Golang Clients, APIs, and SDKs

    Blockchain Vulnerabilities and Attacks

    • Network and Consensus Security Issues
    • Smart Contract and Code Security Issues
    • Wallet and Client Security Issues
    • Centralization Security Issues
    • User Security Issues

  • Overview

    This course section focuses on the security aspects of the most widely used smart contract platform, Ethereum. Smart contracts differ in architecture from blockchains such as Bitcoin because of their multi-purpose implementations. Developers write smart contracts in languages such as Solidity, and these contracts often contain bugs and vulnerabilities. The vulnerabilities can be exploited on the public main-net and cause massive amounts of financial and reputational damage. We will introduce the Ethereum smart contract programming language, Solidity, and examine how to compile, deploy, and interact with smart contracts locally and remotely. We also discuss the common access control standards and the security libraries to use in Solidity. We explore how NFTs (Non-Fungible Tokens) work, and the unique vulnerabilities that can be exploited.

    After students are familiar with the development process, using tools like Truffle, Ganache, Brownie, and Hardhat, we deep-dive into the common Ethereum vulnerabilities and walk through case studies of how they have been exploited in the past. Several tools and scanners, such as Slither, Mythril, and Remix, are provided for students to identify and validate these vulnerabilities. Methods of performing security audits, like formal verification and symbolic execution, are explained. Finally, after students learn how to identify a smart contract vulnerability, we'll attack and exploit a custom smart contract on a locally created Ethereum network deployed by the students.

    Exercises

    Lab 2.1: Identifying the Function Exploited on a Contract

    Lab 2.2: Compiling and Deploying a Smart Contract

    Lab 2.3: Exploiting a Vulnerable Smart Contract

    Lab 2.4: Scanning a Contract for Vulnerabilities

    Lab 2.5: Exploiting an NFT Contract to Mint a Coin

    Topics

    Solidity Basics

    • Solidity Language Overview
    • Storage, Memory, and CallData
    • Function Selectors
    • Interacting with EVM Smart Contracts

    Compiling and Deploying Contracts

    • The Solidity Compiler
    • ABI, Bytecode, Gas, and Opcodes
    • Networks and Frameworks for Auditing
    • Deploying a Smart Contract

    Smart Contract Security Issues

    • Security Hacks on Ethereum
    • Common Vulnerabilities and Attacks
    • Case Study: The DAO Hack
    • Case Study: The Parity Multisig Hack

    Auditing and Hacking Solidity Smart Contracts

    • Static Analysis and Symbolic Execution
    • Manual Testing and Formal Verification
    • Security Testing and Auditing Tools

    Contract Libraries and Standards

    • ERC Standards
    • Solidity Security Libraries
    • Access Control and Contract Delegation Exploits
    • Case Study: The Poly Network Hack

    NFT Vulnerabilities

    • NFT Vulnerability Categories
    • Case Study: Hacking an NFT Loot Bag

  • Overview

    Course section three focuses on the blockchains and contracts that are built with Rust. These blockchains are usually Proof-of-Stake systems, and have unique aspects due to the programming language used. We introduce the Rust programming language, a memory-efficient high-level language, and learn about the code-specific vulnerabilities that can be found in it. We use tools, like Cargo, to help find exploitable bugs. Then we deep-dive into specific technologies built with Rust in the blockchain ecosystem, like Solana, CosmWasm, and Substrate. New vulnerability classes, such as account takeover, PDA and SPL issues, and unique Rust-based hacks, are all explained and demonstrated.

    After the technical blockchain fundamentals are established and have become familiar to students, the course builds on that knowledge with a focus on security topics scoped to blockchain systems such as the Bitcoin network. Students learn the security principles that make blockchain different from traditional technology systems, and then begin to discover some of the weaknesses in a blockchain system and how they are attacked.

    Exercises

    Lab 3.1: Web Application Hacking with Rust

    Lab 3.2: Substrate Exploit - SANS Kitties

    Lab 3.3: Exploiting Solana Account Type Confusion

    Lab 3.4: Set Up and Interact with a Local CosmWasm Blockchain

    Lab 3.5: Compile and Deploy a CosmWasm Smart Contract

    Lab 3.6: Exploit a Vulnerable CosmWasm Smart Contract

    Topics

    Rust Overview

    • What is Rust
    • Rust Security
    • Rust Developer Tools

    Substrate

    • Substrate Architecture
    • Substrate Vulnerabilities

    CosmWasm

    • What is CosmWasm?
    • CosmWasm Architecture
    • CosmWasm Tools and Chains
    • CosmWasm Vulnerabilities

    Solana

    • Solana Architecture
    • Proof of History
    • PDAs and SPLs
    • Solana Security Issues
    • Solana Programs

  • Overview

    In course section four, you learn about the innovative and unique way smart contracts democratize financial services. DeFi is a complex environment of interworking components. We go through the most relevant DeFi protocols that make up those components, the terminology, and how they operate. Protocols discussed are DEXs, Automated Market Makers, lending and borrowing platforms, stablecoins, derivatives, yield farms, oracles, and prediction markets. Each of these DeFi protocols has unique attack types that combine both economic and code-based exploitation. Attacks through flash loans, oracle manipulation, and governance proposals are all discussed, with examples. This section is more about the business logic than about the tools or platforms, and we use several labs that exploit DeFi protocols across several different blockchains.

    Exercises

    Lab 4.1: Exploit a Vulnerable AMM

    Lab 4.2: Perform a Flash Loan Attack

    Lab 4.3: Deploy and Interact with a Chainlink Oracle

    Lab 4.4: Perform a Governance Attack on EVM

    Lab 4.5: Exploit a Yield Farm on Solana

    Topics

    The Concepts, Benefits and Risks in DeFi

    • DeFi vs. CeFi
    • Protocols Overview
    • Environmental Risks and DeFi Attacks
    • Security Incident Timeline

    Decentralized Exchanges (DEX)

    • Key Terminology
    • Automated Market Makers (AMMs)
    • Aggregators
    • DEX Issues and Exploits
    • Case Study: DEX Liquidity Pool Hack

    Lending and Borrowing

    • Key Terminology

    • AAVE and Compound Protocols
    • Issues and Risks
    • Flash Loans
    • Case Study: Flash Loan Attack

    Stable Coins, Derivatives, and Synthetic Assets

    • Types of Stable Coins and Derivatives
    • Security Risks
    • Case Study: Terra UST and Luna Collapse

    Governance and Oracles

    • Oracle Purpose and Designs
    • Oracle Attacks
    • Governance Overview and Key Terms
    • Governance Attacks
    • Case Study: Beanstalk Farms Malicious Governance

    Emerging DeFi Protocols and Risks

    • DEX Aggregators
    • Prediction Markets
    • Decentralized Insurance
    • Yield Farms and Yield Aggregators

  • Overview

    We start this course section by looking at common vulnerabilities of cross-chain protocols and bridges. These are critical infrastructure components that are constantly attacked, and they have high value and impact. We discuss the adversaries on blockchain and the patterns they use to attack and steal funds, and we define a framework for these patterns to help us defend against them.

    We then look at some of the tools used for monitoring and protecting smart contracts. You analyze how privacy, anonymity, and personal identity can be compromised if a blockchain user is not authenticated, and how to protect against these issues. Finally, we take a look at how the blockchain is used maliciously, the current compliance and regulatory landscape of blockchain, and some of the tools used.

    We also take a deep dive on how privacy can be compromised and used by adversaries or government agencies to monitor and identify user activity. Dark net markets have been one of the most notorious uses of cryptocurrencies, and this course section also provides information on how these markets differ from the normal Internet and why they are used for illegal purposes. We also examine privacy-focused cryptocurrencies like Monero, as well as the regulations enforced by agencies to prevent criminal activity.

    Exercises

    Lab 5.1: Crash a Cross-Chain Bridge

    Lab 5.2: Detect a Front-Running Attack

    Lab 5.3: Verify a Smart Contract with Tenderly

    Lab 5.4: Monitor a Wallet for Malicious Activity Using Forta

    Lab 5.5: Install a Crypto-Miner Malware Agent

    Lab 5.6: Use OSINT to Discover Hidden Bitcoin Funds

    Topics

    Cross-chain

    • What is Cross-chain?
    • Bridges
    • Cross-chain and Bridge Vulnerabilities
    • Case Study: ThorChain Vulnerabilities in the BiFrost
    • Chain-bridge

    Blockchain Threats and Adversary Tactics

    • Blockchain Threat Actors
    • Case Study: Rug Pull Anatomy
    • ATT&CK Matrix for DeFi
    • Tornado Cash and Money Laundering

    Blue Team for Blockchain

    • Incident Response Process Overview and Key Terms
    • Tools for Defending DeFi

    Attacks on Privacy

    • Blockchain-Based Attacks
    • Non-Blockchain-Based Attacks
    • Defenses for Privacy

    Malicious Uses of Blockchain

    • Ransomware and Crypto-Lockers
    • Case Study: WannaCry Ransomware
    • ICO Scams and Ponzi Schemes
    • Case Study: PlusToken
    • Crypto-jacking
    • Case Study: CoinHive

    Regulatory Compliance and Investigation

    • The Current Regulatory Environment
    • TOR, Monero, and Dark Net Markets
    • Case Study: Operation Disruptor
    • OSINT and Blockchain Forensics
    • Monero

Laptop Requirements

Important! Bring your own system configured according to these instructions.

A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will not be able to fully participate in hands-on exercises in your course. Therefore, please arrive with a system meeting all of the specified requirements.

Back up your system before class. Better yet, use a system without any sensitive/critical data. SANS is not responsible for your system or data.

MANDATORY SEC554 SYSTEM HARDWARE REQUIREMENTS

  • CPU: 64-bit Intel i5/i7 (8th generation or newer), or AMD equivalent. An x64, 2.0+ GHz or faster processor is mandatory for this class.
  • CRITICAL: Apple systems using the M1/M2 processor line cannot perform the necessary virtualization functionality and therefore cannot in any way be used for this course.
  • BIOS settings must be set to enable virtualization technology, such as "Intel-VTx" or "AMD-V" extensions. Be absolutely certain you can access your BIOS if it is password protected, in case changes are necessary.
  • 8GB of RAM or more is required.
  • 30GB of free storage space or more is required.
  • At least one available USB 3.0 Type-A port. A Type-C to Type-A adapter may be necessary for newer laptops. Some endpoint protection software prevents the use of USB devices, so test your system with a USB drive before class.
  • Wireless networking (802.11 standard) is required. There is no wired Internet access in the classroom.

MANDATORY SEC554 HOST CONFIGURATION AND SOFTWARE REQUIREMENTS

  • Your host operating system must be the latest version of Windows 10, Windows 11, or macOS 10.15.x or newer.
  • Fully update your host operating system prior to the class to ensure you have the right drivers and patches installed.
  • Linux hosts are not supported in the classroom due to their numerous variations. If you choose to use Linux as your host, you are solely responsible for configuring it to work with the course materials and/or VMs.
  • Local Administrator Access is required. (Yes, this is absolutely required. Don't let your IT team tell you otherwise.) If your company will not permit this access for the duration of the course, then you should make arrangements to bring a different laptop.
  • You should ensure that antivirus or endpoint protection software is disabled, fully removed, or that you have the administrative privileges to do so. Many of our courses require full administrative access to the operating system and these products can prevent you from accomplishing the labs.
  • Any filtering of egress traffic may prevent accomplishing the labs in your course. Firewalls should be disabled or you must have the administrative privileges to disable it.
  • Download and install VMware Workstation Pro 16.2.X+ or VMware Player 16.2.X+ (for Windows 10 hosts), VMware Workstation Pro 17.0.0+ or VMware Player 17.0.0+ (for Windows 11 hosts), or VMware Fusion Pro 12.2+ or VMware Fusion Player 11.5+ (for macOS hosts) prior to class beginning. If you do not own a licensed copy of VMware Workstation Pro or VMware Fusion Pro, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their website. Also note that VMware Workstation Player offers fewer features than VMware Workstation Pro. For those with Windows host systems, Workstation Pro is recommended for a more seamless student experience.
  • On Windows hosts, VMware products might not coexist with the Hyper-V hypervisor. For the best experience, ensure VMware can boot a virtual machine. This may require disabling Hyper-V. Instructions for disabling Hyper-V, Device Guard, and Credential Guard are contained in the setup documentation that accompanies your course materials.
  • Download and install 7-Zip (for Windows Hosts) or Keka (for macOS hosts). These tools are also included in your downloaded course materials.

Your course media is delivered via download. The media files for class can be large. Many are in the 40-50GB range, with some over 100GB. You need to allow plenty of time for the download to complete. Internet connections and speed vary greatly and are dependent on many different factors. Therefore, it is not possible to give an estimate of the length of time it will take to download your materials. Please start your course media downloads as soon as you get the link. You will need your course media immediately on the first day of class. Do not wait until the night before class to start downloading these files.

Your course materials include a "Setup Instructions" document that details important steps you must take before you travel to a live class event or start an online class. It may take 30 minutes or more to complete these instructions.

Your class uses an electronic workbook for its lab instructions. In this new environment, a second monitor and/or a tablet device can be useful for keeping class materials visible while you are working on your course's labs.

If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org

Author Statement

"Blockchain is a revolutionary solution that solves multiple issues inherent in the social, economic, and technological challenges we face today. Decentralization and self-sovereignty are not just concepts, but fundamental ideals that should be made available and accessible for all to benefit from. But those processes need to be carried out responsibly and securely. In order to drive adoption, security must be a priority for all developers, users, or speculators interacting with blockchains or smart contracts. I've always thought the best way to protect something is to learn how to break it." - Steven Walbroehl

Reviews

Amazing and unique one of a kind course. No other learning experience quite like this one... wish there was more!
Yenny Angzas
BlockOne
SEC554 provided great foundational knowledge around blockchain security. Anyone interested in learning blockchain security should be able to go through this material and have a solid understanding of how Bitcoin works.
Beau Bullock
SEC554 gives an excellent education on the next big technological revolution, taught by the folks on the front lines.
Ravi Danesh
BMO Financial Group
What I had hoped for and more. The course is covering not only the fundamentals, but offense, defense, and forensics.
Mauricio Maranho
Solution Providers Inc