This repository is a structured learning path for anyone who wants to become a Smart Contract Security Researcher, Auditor, or Bug Hunter in the Web3 ecosystem.
It is based on real industry resources such as Cyfrin Updraft, Patrick Collins, Ethernaut, Damn Vulnerable DeFi, and professional audit / bounty platforms like Code4rena, Sherlock, and Immunefi.
By completing this path, you should be able to:
✅ Read and understand real-world smart contracts
✅ Identify common and advanced vulnerabilities
✅ Use professional tools like Foundry, Slither, Echidna, Mythril
✅ Solve CTF challenges (Ethernaut, DVDeFi, etc)
✅ Participate in audit contests and bug bounties
✅ Write professional vulnerability reports
## Roadmap Overview

[0] Programming & Web3 Basics
↓
[1] Blockchain & Ethereum Fundamentals
↓
[2] Solidity & EVM Deep Understanding
↓
[3] Smart Contract Vulnerabilities
↓
[4] DeFi Protocols & Attack Vectors
↓
[5] Security Tooling & Auditing Workflow
↓
[6] CTF, Audits, Bug Bounties
↓
[7] Professional Level & Specialization
## Stage 0: Programming & Web3 Basics

You must feel comfortable with:
- Basic programming concepts
- Terminal / Linux command line
- Git & GitHub
- Basic networking & how the internet works
Checklist:
- Can use git (clone, commit, push, pull)
- Can use terminal comfortably
- Understand client-server concept
- Know what an API is
If you are weak in any of these, pause here and strengthen them first.
## Stage 1: Blockchain & Ethereum Fundamentals

Goal: Understand exactly how a blockchain works.
- Block, transaction, gas, nonce
- Public & private key, signing
- Difference: EOA vs Smart Contract
- PoW vs PoS
- Layer 1 vs Layer 2
- Fork, consensus, finality
- ERC-20, ERC-721, ERC-1155
- Mempool & transaction ordering
Recommended resources (included in this repo):
- Mastering Ethereum (summary from Contractcops)
- Patrick Collins 32-hour course (JS or Python version)
Checklist:
- Can explain how a transaction works step-by-step
- Understand gas & fees
- Know what MetaMask actually does
- Know common token standards
## Stage 2: Solidity & EVM Deep Understanding

Goal: Become fluent in Solidity & understand EVM behavior.
- Storage vs Memory vs Calldata
- msg.sender vs tx.origin
- delegatecall, call, staticcall
- fallback & receive
- Revert vs require vs assert
- Proxy patterns & upgradable contracts
- EVM opcodes basics
Recommended resources:
- Cyfrin Updraft
- Patrick Collins advanced sections
- Solidity docs
Tools to learn:
- Hardhat or Foundry
- Remix
- Etherscan
Checklist:
- Can deploy your own contracts
- Can explain delegatecall
- Can write + test contracts
- Can read contracts from Etherscan
## Stage 3: Smart Contract Vulnerabilities

Goal: Recognize vulnerability patterns immediately.
- Reentrancy
- Integer overflow/underflow
- Front-running (MEV)
- Flash loan attacks
- Oracle manipulation
- Access control issues
- Signature replay attacks
- Improper randomness
- DoS (Denial of Service)
- Price manipulation
- Logic bugs
Resources:
- Contractcops - Common attack vectors
- Cyfrin security sections
- Real hack case studies
Checklist:
- Can explain how The DAO hack happened
- Can explain a flash loan exploit
- Can detect bad access control
## Stage 4: DeFi Protocols & Attack Vectors

Goal: Understand how protocols work internally.
Study deeply:
- AMM (Uniswap)
- Lending (Aave / Compound)
- Stablecoins (DAI, USDC, algorithmic)
- Yield farming
- Liquidation mechanism
- Perpetuals
- Bridges & Cross-Chain
Checklist:
- Understand how AMM pricing works
- Understand liquidation in lending
- Understand oracle dependencies
- Can spot economic attack vectors
## Stage 5: Security Tooling & Auditing Workflow

These tools are MANDATORY if you want to work professionally:
- Slither
- Mythril
- Foundry Forge
- Echidna
- Tenderly
- Hardhat / Foundry testing
- VS Code extensions
Skills:
- Running Slither on a contract
- Writing a fuzz test
- Creating PoCs (proof-of-concept exploits)
Checklist:
- Can run static analysis
- Can write at least 1 fuzz test
- Can create an exploit PoC
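"Can write at least 1 fuzz test" is the checklist item most people skip. Below is an added example, not code from this repo, of a Foundry fuzz test in the style the checklist asks for. It assumes a Foundry project with `forge-std` installed (so `Test`, `bound`, `makeAddr`, `vm.prank`, `vm.assume` and `vm.expectRevert` are available); the `Ledger` contract under test is constructed for this example only, and the properties it checks (supply conservation, no overspending) are the kind of invariants you would write for a real token.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import "forge-std/Test.sol";

// Target contract, constructed for this example (not from the repo).
contract Ledger {
    mapping(address => uint256) public balanceOf;
    uint256 public totalSupply;

    function mint(address to, uint256 amount) external {
        balanceOf[to] += amount;
        totalSupply += amount;
    }

    function transfer(address to, uint256 amount) external {
        require(balanceOf[msg.sender] >= amount, "insufficient");
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount;
    }
}

contract LedgerFuzzTest is Test {
    Ledger ledger;
    address alice = makeAddr("alice");
    address bob = makeAddr("bob");

    function setUp() public {
        ledger = new Ledger();
    }

    // Forge calls this with random inputs (256 runs by default). uint128 keeps
    // the sum of two balances far below uint256 overflow, so the property being
    // tested is the ledger logic, not arithmetic limits.
    function testFuzz_TransferConservesSupply(uint128 mintAmount, uint128 sendAmount) public {
        // Constrain sendAmount into the valid range instead of discarding runs.
        sendAmount = uint128(bound(sendAmount, 0, mintAmount));

        ledger.mint(alice, mintAmount);

        vm.prank(alice);
        ledger.transfer(bob, sendAmount);

        // Invariant: tokens move, they are never created or destroyed.
        assertEq(ledger.balanceOf(alice) + ledger.balanceOf(bob), ledger.totalSupply());
        assertEq(ledger.balanceOf(bob), sendAmount);
    }

    // Negative property: spending more than you hold must always revert.
    function testFuzz_CannotOverspend(uint128 mintAmount, uint128 sendAmount) public {
        vm.assume(sendAmount > mintAmount); // discard inputs that are not an overspend

        ledger.mint(alice, mintAmount);

        vm.prank(alice);
        vm.expectRevert(bytes("insufficient"));
        ledger.transfer(bob, sendAmount);
    }
}
```

Run it with `forge test --match-contract LedgerFuzzTest -vvv`; on a failure Forge prints the counterexample inputs, which is exactly the seed for a PoC. Prefer `bound` over `vm.assume` when the valid range is known, because `assume` throws runs away and can hit Foundry's rejection limit.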
## Stage 6: CTF, Audits, Bug Bounties

This is where you really become good.
- ✅ Ethernaut
- ✅ Damn Vulnerable DeFi
- ✅ Foundry CTFs
- ✅ Paradigm CTF (advanced)
Contest / Bug Bounty platforms:
- Code4rena
- Sherlock
- Immunefi
- Hats Finance
Rules:
- Read previous reports
- Learn report format
- Compare with winning reports
Checklist:
- Solved 15+ Ethernaut levels
- Solved 3+ DVDeFi challenges
- Submitted at least 1 contest report
## Stage 7: Professional Level & Specialization

At this point, you choose your path:
- Study design patterns
- Study formal verification
- Join audit firms
- Build portfolio
- Focus on Immunefi
- Learn live protocol monitoring
- Set up alerting
- Automate scanning
- Find new classes of vulnerabilities
- Write blog + PoC
- Contribute to open-source
- Speak / write research
## Vulnerability Report Format

Every report should contain:
- Summary
- Severity
- Description
- Impact
- Proof of Concept
- Recommendation
## Time Estimate

| Stage | Time Needed |
|---|---|
| 0–1 | 1–2 months |
| 2 | 2–3 months |
| 3 | 2–3 months |
| 4 | 1–2 months |
| 5 | 1 month |
| 6 | Ongoing |
| 7 | Lifetime |
Total: realistically 6–12 months.
Do not rush. Do not skip fundamentals.
Security = Depth, not speed.
If you're serious about becoming a Smart Contract Security Researcher / Web3 Bug Hunter, this roadmap is enough.
You only need:
- Consistency
- Curiosity
- Obsession
No university will teach you this path.
You are building a rare skill.
Just reply: "Make a weekly plan for Stage 1"