Secure Development Trainings

SSCH – Smart Contract Hacking

Hack and secure smart contracts in our 2 days hands-on web3 hacking training



Picture of Davide Cioccia

Davide Cioccia

Founder and Principal Security Architect @ DCODX

Hi there! I’m Davide Cioccia, founder of DCODX, an ethical hacking, and DevSecOps consulting and coaching firm. Besides helping companies implement their Sec in DevOps, I’m also a developer of security tools (check our GitHub), OWASP Mobile Security Testing Guide contributor and DevSecCon Chapter Lead for the Netherlands. You can find my talks at security conferences like BlackHat, OWASP AppSec, DevSecCon, DevDays Europe and more online, together with some CVE disclosed to Microsoft and other big vendors. Enjoy my course :)

Course overview

Some of the scenarios we will go through
The list below contains some of the vulnerabilities that we will identify and fix in the labs:
  • Any user can cash out the money from the smart contract
  • Users can buy the subscription also with any wei amount
  • Any user can check the amount of money stored in the contract address
  • Reentrancy vulnerability
  • Block Timestamp Manipulation Vulnerability
  • Tx.origin: Authorization bypass
  • Integer Overflow and Underflow
  • BatchTransfer Overflow (CVE-2018–10299)
  • Unprotected SELFDESTRUCT
  • DelegateCall vulnerabilities
  • ….more
Knowledge of the topics below is only recommended but not mandatory for this course.
  • Blockchain
  • Blocks and transactions
  • Smart contracts
  • Proof of work and Proof of Stake
  • Gas
  • Basic understanding of decentralized applications and their applicability
  Public events hosting this training


Introduction to ETH and smart contracts
Ethereum history and basics
Proof Of Work vs Proof Of Stake
Bitcoin vs Ethereum
Sharding, Beacon Chain and Docking
Smart Contracts introduction part 1
Smart Contracts basics
Ethereum Virtual Machine and Solidity
Accounts, Transactions and Gas
Storage, Memory and Stack
Smart Contract bytecode analysis
LAB: Our first vulnerable smart contract
Smart Contracts introduction part 2
Types, Enum and Events
Storage and mappings
Reentrancy vulnerability: the DAO hack
LAB: Steal all my money (Reentrancy)
LAB: Block Timestamp: the manipulation vulnerability
Authorization in Smart Contracts
Authorization in Solidity
The Open Zeppelin Contracts
LAB: Authorization done properly
LAB: Tx.origin: Authorization bypass
Smart Contract DoS attacks
DoS with Failed Call
DoS With Block Gas Limit
More vulnerabilities
Integer Overflow and Underflow
LAB: Transfer your funds, or mine
LAB: BatchTransfer Overflow (CVE-2018–10299)
Attacking Solidity libraries
Introduction to embedded and linked libraries
LAB: DelegateCall vs Call: how can this impact the security of the smart contract
LAB: Secure your library calls: attacking DelegaCall to steal funds
Security auditing
Manual vs automated
No code? Reverse engineer a contract
Security auditing tools: mythril, slither, semgrep
Introduction to Smart Contract reverse engineering
Exploring the bytecode
Storage and Memory allocation
The EVM OPCODEs and instructions
Identify DELEGATE calls
Hack Them ALL
Final Smart Contract Hacking CTF