More Resources

This page gathers the reference materials — books, indexed-finding databases, playgrounds, registries, and tooling repositories — that practicing auditors return to repeatedly. Together with the courses, certifications, and communities listed in the prior sections, these form a working reference library.

Indexed Finding Databases

Reading other auditors' findings is the single most efficient way to build pattern recognition. These are the indices to read first.

• Solodit — solodit.cyfrin.io — searchable, tagged aggregator of public audit findings from major firms and contest platforms. The closest thing the field has to a canonical reference. Build a habit of skimming new findings weekly and reading the Critical/High ones in full.
• SWC Registry — swcregistry.io — Smart Contract Weakness Classification. Archived but still useful as a vocabulary and cross-reference; many older reports cite SWC-IDs.
• DASP Top 10 — dasp.co — Decentralized Application Security Project Top 10; older but historically influential.
• Rekt Leaderboard — rekt.news/leaderboard — ranked, narrative summaries of the largest losses in the space; useful for understanding what classes of bug actually move real money.
• Web3 Bugs (DeFiHackLabs) — github.com/SunWeb3Sec/DeFiHackLabs — runnable Foundry PoCs reproducing real exploits. Required reading.

Reference Standards and Specifications

• EEA EthTrust Security Levels Specification — entethalliance.github.io/eta-registry/security-levels-spec.html — increasingly cited standard for tiered security assurance levels.
• Smart Contract Security Field Guide — scsfg.io — concise practical guide aimed at both attackers and defenders.
• EIPs — eips.ethereum.org — Ethereum Improvement Proposals; required reading for the standards (ERC-20, 165, 721, 1155, 712, 1271, 2612, 2535, 4337, 4626, 7201, etc.) auditors encounter constantly.
• Solidity Documentation — docs.soliditylang.org — read end-to-end at least once; revisit the security considerations chapter regularly.

Books and Long-Form Publications

• Mastering Ethereum — Antonopoulos & Wood — free online at github.com/ethereumbook/ethereumbook. Foundational reference for the EVM, Solidity, and the broader Ethereum stack.
• Hands-On Smart Contract Development with Solidity and Ethereum — Solorio, Kanna, Hoover — practical, project-driven introduction.
• The Hitchhiker's Guide to Smart Contract Audits — community-maintained reference; varies by edition.
• Building Secure Contracts (Trail of Bits, online) — github.com/crytic/building-secure-contracts — not a book but a book-length, continuously-updated reference.
• Foundry Book — book.getfoundry.sh — official, free, and essential.
• Programming the Open Blockchain — for the cryptography background many auditors are missing.

CTFs, Wargames, and Playgrounds

• Ethernaut — ethernaut.openzeppelin.com — the canonical starting wargame.
• Damn Vulnerable DeFi — damnvulnerabledefi.xyz — defi-flavored progression of exploits with a Foundry harness.
• Capture The Ether — capturetheether.com — older but classic warmup challenges.
• Not So Smart Contracts (Trail of Bits) — github.com/crytic/not-so-smart-contracts — annotated examples of vulnerable patterns.
• Paradigm CTF — annual competition; archives at github.com/paradigmxyz/paradigm-ctf-*.
• EthernautDAO CTFs — periodic; archives on the DAO's GitHub.
• QuillCTF, RareSkills riddles, Cyfrin CTFs — additional themed challenge sets.

Tooling Reference

The most-used auditor tools, with their canonical repositories and docs:

• Foundry — github.com/foundry-rs/foundry, book.getfoundry.sh
• Hardhat — hardhat.org
• Slither — github.com/crytic/slither
• Aderyn — github.com/Cyfrin/aderyn
• Echidna — github.com/crytic/echidna
• Medusa — github.com/crytic/medusa
• Mythril — github.com/Consensys/mythril
• Halmos — github.com/a16z/halmos
• hevm — github.com/ethereum/hevm
• Wake — github.com/Ackee-Blockchain/wake
• Heimdall — github.com/Jon-Becker/heimdall-rs
• Certora Prover docs — docs.certora.com

On-Chain Forensics and Live Tooling

• evm.codes — evm.codes — interactive opcode reference and EVM playground.
• Tenderly — tenderly.co — transaction simulation and debugging.
• Phalcon (BlockSec) — phalcon.blocksec.com — transaction explorer with state-diff and call-tree views.
• Etherscan / Blockscout / Sourcify — verified-source explorers across networks.
• DeFiLlama — defillama.com — for TVL, protocol composition, and historical context on what was at risk when.

Reference Contract Libraries

• OpenZeppelin Contracts — github.com/OpenZeppelin/openzeppelin-contracts
• OpenZeppelin Contracts Upgradeable — github.com/OpenZeppelin/openzeppelin-contracts-upgradeable
• Solady — github.com/Vectorized/solady
• Solmate — github.com/transmissions11/solmate
• PRBMath — github.com/PaulRBerg/prb-math

Curated Lists and Awesome Indexes

• awesome-solidity — github.com/bkrem/awesome-solidity
• awesome-smart-contract-security — community-maintained; multiple forks; useful as a meta-index.
• OpenZeppelin Ethernaut writeups and Damn Vulnerable DeFi solutions repositories — searching GitHub for the challenge name plus "writeup" turns up dozens of useful study aids.

Building Your Own Library

Beyond what's listed above, a productive habit is to maintain your own personal reference library:

• A markdown notes repo indexed by vulnerability class — every time you encounter a new variant in a real audit or contest, add it with a minimal PoC.
• A clipped-findings folder of the cleanest examples of each finding type, drawn from public reports.
• A bookmarks list of EIPs, blog posts, and threads you found yourself searching for twice.
• A "questions to ask" checklist that grows after each engagement with the questions that, in retrospect, would have surfaced the findings sooner.

The field rewards practitioners who build and continually refine such a library. Treat the resources on this page as the seed.