NEAR Smart Contract Security Course by Timur Guvenkaya
Timur Guvenkaya has published his in-depth NEAR Smart Contract Security Course.
It first touches upon general Rust security practices, before diving into Rust smart contract security best practices.
The course consists of 12 lectures and is freely available on YouTube: NEAR SC Security Course, or hop directly to the first lecture 👇.
You can find the supporting slides on Timur's GitHub: https://github.com/timurguvenkaya/near-sc-security-course
Course modules
Here is an overview of topics that the 12 lectures cover.
Rust Security
- Error Handling
- Recoverable Errors
- Unrecoverable Errors
- unwrap & expect
- Panicking Macros
- Arithmetic Issues
- Integer Overflow & Underflow
- Integer Overflow Prevention
- Checked Maths
- Saturating Maths
- Casting Overflow
- Silent Casting Overflow
- Panicking Casting Overflow
- Division By 0
- Rounding Direction
- Division Before Multiplication
- Index Out Of Bounds
- Stack Overflow
- OOM (Out Of Memory)
- Crates With Vulnerabilities
- Handy Rust Tools
NEAR Rust Smart Contract Security
- Access Control Issues
- Missing Access Control
- Incorrect #[near_bindgen] usage
- Using env::signer_account_id()
- Public Callbacks
- Lack of Separation of Privileges
- DoS (Denial of Service)
- Usage of unverified accounts
- Case Study (Appchain Registry)
- Storage Bloating
- Prepaid Gas Exceeding
- Log/Event Bombing
- Race Condition / Reentrancy
- Logical Vulnerabilities
- Case Study (Custom NEP-141 Token)
- Case Study (Custom Storage
Deposit)
- Tips & Best Practices
- Redundant state assertion
- Missing Zero Value Checks
- Unchecked Attached Deposit
- Usage of .take()
- require!()
- Tautological expressions
- 2-step ownership transfer process
- Lack of Pausability
- Usage of Incorrect JSON Type
- Two Factor Authentication
