🇺🇦 Hacken was born in Ukraine, and we stand with all Ukrainians in our fight for freedom!

🇺🇦 Hacken stands with Ukraine!

Learn more

How to: Smart Contracts Bug Hunting

How to: Smart Contracts Bug Hunting

Published: 23 Aug 2018 Updated: 5 Dec 2022

Ever wonder what tools and knowledge are needed to start bug hunting in smart contracts? One of our application security engineers has put together a short guide that will help you get started!

A bug bounty for smart contracts bug bounty is not that different from a typical bug bounty for a web application. Basically, a smart contract is an application that runs on blockchain. Every application has vulnerabilities, and smart contracts are no exception.

In order to be a Solidity smart contract bug hunter, you need to possess the skill sets of a Solidity developer and an application security engineer. You need the former to read and understand the code, and the latter gives you the skills necessary to find and exploit vulnerabilities.

Here are 4 steps to start Solidity bug hunting:

We would advise starting by learning the basics of Ethereum blockchain concepts (you can skip this step but it is worth learning). There are a lot of good resources to be found online.

Here are some good options:

The best resource to start learning Solidity programming is CryptoZombies. It is a step-by-step guide for developing a simple Solidity game. After completing the course you will understand the main concepts of contract-oriented programming.
Another great way to learn is to find manuals online and just go through them in detail. Some resources that we can recommend are:

Once you will start to feel comfortable with Solidity it’s time to check your understanding of the language.
Step 1: Read and try to understand some typical examples of Solidity contracts.
Step 2: Study a few random contracts from the OpenZeppelin repository.
Step 3: Try to run a contract. The simplest way to run a Solidity smart contract is to use Remix IDE. It is intuitive and you can understand it without any additional lessons if you have ever used a different IDE. In case you need any help you can check out the official documentation.

Once you know how to develop and run Solidity contracts, it’s a good time to get familiar with its best practices and read more documentation on smart contract security.
It’s pretty tough, isn’t it? There are some tools can make your life easier –

They are automatic scanners for Solidity smart contracts. There are even more useful tools around, but these should be enough for a start. Install them and test some contracts for practice. Important note: they also have a high level of false positives – check the results manually before reporting.

Now it’s time to get some final practice. These are a couple repositories with several contracts that have known vulnerabilities and some hints to help you:

There are also a few very interesting CTFs :

Once you had enough sandbox practice it’s time to test your skills in the real world – welcome to HackenProof. We always have some smart contract bug bounty programs to play around with. You can also test open source projects on GitHub and contribute there.

If you have any questions feel free to hit us up via email [email protected] – we’re always happy to help our community and we may have some opportunities for the most talented members!

Contributed by Pavlo Rachuk, application security engineer at Hacken

share via social

Subscribe to our research

Enter your email address to subscribe to Hacken Research and receive notifications of new posts by email

Interested in getting to know whether your systems are vulnerable to cyberattacks?

Tell us about your project

  • This field is required
  • This field is required
    • telegram icon Telegram
    • whatsapp icon WhatsApp
    • wechat icon WeChat
    • signal icon Signal
  • This field is required
  • This field is required
  • This field is required
  • This field is required
This field is required
departure icon

Thank you for your request

Get security score on

  • certified logo
  • coingeco logo
  • coin market cap logo

1,200+ Audited Projects

companies logos

Apply for partnership

  • This field is required
  • This field is required
  • This field is required
  • This field is required
    • Foundation
    • VC
    • Angel investments
    • IDO or IEO platform
    • Protocol
    • Blockchain
    • Legal
    • Insurance
    • Development
    • Marketing
    • Influencer
    • Other
This field is required
This field is required
departure icon

Thank you for your request

Get security score on

  • certified logo
  • coingeco logo
  • coin market cap logo

1,200+ Audited Projects

companies logos

Get in touch

  • This field is required
  • This field is required
  • This field is required
  • This field is required
This field is required
By submitting this form you agree to the Privacy Policy and information beeing used to contact you
departure icon

Thank you for your request

Get security score on

  • certified logo
  • coingeco logo
  • coin market cap logo