Brought to you by Trail of Bits, this repository offers guidelines and best practices for developing secure smart contracts. Contributions are welcome, you can contribute by following our contributing guidelines.

Table of Contents:

• Development Guidelines
  • Code Maturity: Criteria for developers and security engineers to use when evaluating a codebase’s maturity
  • High-Level Best Practices: Best practices for all smart contracts
  • Incident Response Recommendations: Guidelines for creating an incident response plan
  • Secure Development Workflow: A high-level process to follow during code development
  • Token Integration Checklist: What to check when interacting with arbitrary tokens
• Learn EVM: Technical knowledge about the EVM
  • EVM Opcodes: Information on all EVM opcodes
  • Transaction Tracing: Helper scripts and guidance for generating and navigating transaction traces
  • Arithmetic Checks: A guide to performing arithmetic checks in the EVM
  • Yellow Paper Guidance: Symbol reference for easier reading of the Ethereum yellow paper
  • Forks <> EIPs: Summaries of the EIPs included in each Ethereum fork
    • Forks <> CIPs: Summaries of the CIPs and EIPs included in each Celo fork (EVM-compatible chain)
    • Upgrades <> TIPs: Summaries of the TIPs included in each TRON upgrade (EVM-compatible chain)
    • Forks <> BEPs: Summaries of the BEPs included in each BSC fork (EVM-compatible chain)
• Not So Smart Contracts: Examples of common smart contract issues, complete with descriptions, examples, and recommendations
  • Algorand
  • Cairo
  • Cosmos
  • Substrate
  • Solana
  • TON
• Program Analysis: Using automated tools to secure contracts
  • Echidna: A fuzzer that checks your contract's properties
  • Medusa: A next-gen fuzzer that checks your contract's properties
  • Slither: A static analyzer with both CLI and scriptable interfaces
  • Manticore: A symbolic execution engine that proves the correctness of properties
  • For each tool, this training material provides:
    • A theoretical introduction, an API walkthrough, and a set of exercises
    • Exercises that take approximately two hours to gain practical understanding
• Resources: Assorted online resources
  • Trail of Bits Blog Posts: A list of blockchain-related blog posts created by Trail of Bits

secure-contracts and building-secure-contracts are licensed and distributed under the AGPLv3 license. Contact us if you're looking for an exception to the terms.