Chapter 14 Further Reading
Essential References
Design Patterns and Security
- "Ethereum Smart Contract Security Best Practices" — Consensys Diligence https://consensys.github.io/smart-contract-best-practices/ The most widely used guide to Solidity security patterns. Covers reentrancy, integer overflow, access control, and dozens of other vulnerability classes with code examples. Required reading for any production Solidity developer.
- "SWC Registry: Smart Contract Weakness Classification" — SmartContractSecurity.org https://swcregistry.io/ A registry of known smart contract weaknesses modeled on the CWE (Common Weakness Enumeration) used in traditional software security. Each entry includes a description, a code example, and remediation guidance. Useful as an audit checklist, with one caveat: the registry is no longer actively maintained, so it does not cover weakness classes identified after its last update, and the site points to the EEA EthTrust Security Levels specification as its replacement.
- "Solidity Patterns" — Fravoll https://fravoll.github.io/solidity-patterns/ A curated collection of Solidity design patterns with detailed explanations and code examples. Covers security patterns (checks-effects-interactions, access restriction, emergency stop), behavioral patterns (state machine, oracle), and gas optimization patterns.
OpenZeppelin
- OpenZeppelin Contracts Documentation https://docs.openzeppelin.com/contracts/ Official documentation for the OpenZeppelin Contracts library. Includes API references, usage guides, and interactive examples for all major contracts (ERC-20, ERC-721, AccessControl, proxy patterns, etc.).
- "Contracts Wizard" — OpenZeppelin https://wizard.openzeppelin.com/ An interactive code generator that produces boilerplate OpenZeppelin contracts based on your requirements. Select the token type, access control model, upgrade pattern, and other features, and the wizard generates the Solidity code. Generated code is a starting point, not a substitute for review of the access control and upgrade choices it encodes.
- OpenZeppelin Security Audits https://blog.openzeppelin.com/security-audits/ Published audit reports for major protocols and libraries. Reading these reports is one of the best ways to learn about real-world vulnerability patterns and the level of rigor expected in professional audits.
Proxy Patterns and Upgradability
- "Proxy Upgrade Pattern" — OpenZeppelin Documentation https://docs.openzeppelin.com/upgrades-plugins/ Official guide to implementing upgradeable contracts with OpenZeppelin. Covers the UUPS and transparent proxy patterns, initializers (a constructor never runs in the proxy's storage context, so initialization is a separate, guarded call), storage layout rules, and the OpenZeppelin Hardhat/Foundry upgrade plugins, which validate that a new implementation keeps a storage layout compatible with the old one and flag constructs that are unsafe in an implementation, such as constructors, selfdestruct and delegatecall.
- "EIP-1967: Standard Proxy Storage Slots" — Ethereum Improvement Proposals https://eips.ethereum.org/EIPS/eip-1967 The standard that defines where proxy contracts store the implementation address, admin address, and beacon address: fixed slots derived as keccak256(label) - 1, chosen so that they cannot collide with the compiler's own storage assignments. Understanding this EIP is essential for working with any proxy pattern, and for checking what a deployed proxy actually points at.
- "EIP-1822: Universal Upgradeable Proxy Standard (UUPS)" — Ethereum Improvement Proposals https://eips.ethereum.org/EIPS/eip-1822 The original UUPS specification. Explains the motivation for placing upgrade logic in the implementation rather than the proxy, and the security considerations this introduces: the upgrade function must be access-controlled in the implementation itself, and an upgrade to an implementation that lacks the upgrade function bricks the proxy permanently. Note that this EIP defines its own storage slot (keccak256("PROXIABLE")); OpenZeppelin's UUPSUpgradeable instead uses the EIP-1967 implementation slot and keeps EIP-1822's proxiableUUID() check as the guard against upgrading to a non-UUPS implementation.
- "EIP-1167: Minimal Proxy Contract" — Ethereum Improvement Proposals https://eips.ethereum.org/EIPS/eip-1167 The specification for the minimal proxy (clone) pattern used in gas-efficient factory deployments. Includes the exact 45-byte runtime bytecode, which does nothing but delegatecall to a hard-coded implementation address, and deployment considerations. Clones are not upgradeable, every clone shares one implementation (so a single implementation bug affects all of them), and each clone must be initialized explicitly because no constructor ever runs for it.
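As an added example (not the EIP's reference code or OpenZeppelin's Clones library), this Python builds the EIP-1167 creation and runtime bytecode for an implementation address and recognizes a clone from its runtime code, returning the implementation it forwards to. Only the byte strings come from EIP-1167; the function names and the sample values are this example's own.

```python
"""EIP-1167 minimal-proxy bytecode: build it and recognize it (added example)."""
from typing import Optional

# Runtime code = PREFIX + 20-byte implementation address + SUFFIX, 45 bytes in all.
# It copies calldata, DELEGATECALLs the hard-coded implementation, then returns or
# reverts with whatever the implementation returned.
_RUNTIME_PREFIX = bytes.fromhex("363d3d373d3d3d363d73")
_RUNTIME_SUFFIX = bytes.fromhex("5af43d82803e903d91602b57fd5bf3")
# Creation code copies the 45-byte runtime (0x2d) from offset 10 (0x0a) and returns it.
_CREATION_PREFIX = bytes.fromhex("3d602d80600a3d3981f3")


def _address_bytes(implementation: str) -> bytes:
    raw = bytes.fromhex(implementation[2:] if implementation.startswith("0x") else implementation)
    if len(raw) != 20:
        raise ValueError("implementation must be a 20-byte address")
    return raw


def clone_runtime_code(implementation: str) -> bytes:
    """The code a deployed EIP-1167 clone of `implementation` carries."""
    return _RUNTIME_PREFIX + _address_bytes(implementation) + _RUNTIME_SUFFIX


def clone_creation_code(implementation: str) -> bytes:
    """The init code a factory passes to CREATE/CREATE2 to deploy the clone."""
    return _CREATION_PREFIX + clone_runtime_code(implementation)


def parse_clone(runtime_code: bytes) -> Optional[str]:
    """Return the implementation address if `runtime_code` is an exact EIP-1167
    clone, else None. Exact length matters: code that merely contains the pattern
    may run extra logic around the delegatecall and is not a minimal proxy."""
    if len(runtime_code) != 45:
        return None
    if not (runtime_code.startswith(_RUNTIME_PREFIX) and runtime_code.endswith(_RUNTIME_SUFFIX)):
        return None
    return "0x" + runtime_code[10:30].hex()


# Constructed samples: a pretend implementation address and a non-clone bytecode
# (the usual Solidity preamble PUSH1 0x80 PUSH1 0x40 MSTORE).
SAMPLE_IMPLEMENTATION = "0x" + "be" * 20
NOT_A_CLONE = bytes.fromhex("6080604052")

if __name__ == "__main__":
    code = clone_runtime_code(SAMPLE_IMPLEMENTATION)
    print(code.hex())
    print(parse_clone(code), parse_clone(NOT_A_CLONE))
```

When auditing a factory, run parse_clone over the runtime code of its deployments: every clone that resolves to the expected implementation is covered by reviewing that one contract, and anything that does not match exactly needs its own review.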
- "Proxy Patterns" by Santiago Palladino — OpenZeppelin Blog https://blog.openzeppelin.com/proxy-patterns/ An accessible deep dive into how proxy patterns work, the role of delegatecall, and the trade-offs between different proxy architectures. Written by one of the primary architects of OpenZeppelin's proxy implementations.
Gas Optimization
- "Gas Optimization Tips" — Rareskills https://www.rareskills.io/post/gas-optimization A comprehensive, regularly updated guide to EVM gas optimization with benchmarks. Covers storage packing, calldata vs. memory, unchecked arithmetic, short-circuiting, and dozens of other techniques with measured gas savings. Re-measure on your own compiler version and optimizer settings before adopting a technique, and treat unchecked blocks as a security decision rather than purely a gas one.
- "EVM Codes: An Interactive Reference to EVM Opcodes" https://www.evm.codes/ An interactive reference showing every EVM opcode with its gas cost, stack input/output, and behavior, selectable per hard fork. Essential for understanding why certain Solidity patterns are more gas-efficient than others.
- "Ethereum Yellow Paper" by Dr. Gavin Wood https://ethereum.github.io/yellowpaper/paper.pdf The formal specification of the Ethereum Virtual Machine. Appendix G lists the fee schedule constants and Appendix H defines the per-opcode gas cost function built from them. Dense reading, but it is the authoritative source for understanding gas at the lowest level; check which hard fork the edition you are reading corresponds to, since the paper is revised after forks and can lag the live network.
Oracle Integration
- Chainlink Documentation https://docs.chain.link/ Official documentation for all Chainlink services: data feeds, VRF (verifiable randomness), Automation (formerly Keepers), CCIP (cross-chain interoperability), and Functions (custom off-chain computation). Includes deployment addresses for every supported network.
- Chainlink Whitepapers: "ChainLink: A Decentralized Oracle Network" (Ellis, Juels, Nazarov, 2017) and "Chainlink 2.0" (Breidenbach et al., 2021) https://chain.link/whitepaper The whitepapers explain the oracle problem in depth and present Chainlink's solution: decentralized oracle networks with economic incentives for honest reporting. Essential reading for understanding the trust model, which ultimately rests on the node operators and the on-chain aggregation; a consuming contract still has to check feed staleness (updatedAt against its own tolerance) and reject non-positive answers on its side.
- "Using Uniswap V3 as a TWAP Oracle" — Uniswap Documentation https://docs.uniswap.org/concepts/protocol/oracle Documentation on using Uniswap V3's built-in time-weighted average price (TWAP) oracle, an alternative to Chainlink for on-chain price data that depends only on pool state rather than on an off-chain reporter, with different trade-offs: the TWAP is manipulable in low-liquidity pools and over short windows (an attacker who can hold the spot tick for a few consecutive blocks moves a short TWAP almost fully), and a pool can only serve a window as long as its observation cardinality allows, which the deployer must grow with increaseObservationCardinalityNext.
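As an added example (not Uniswap's code), the Python below reproduces the mean-tick arithmetic that Uniswap's OracleLibrary.consult applies to the tickCumulative values returned by observe(), then shows how far forcing the spot tick for one 12-second slot moves the TWAP over windows of one slot, ten minutes and thirty minutes. The pool state, ticks and durations are constructed for the illustration and the function names are this example's own.

```python
"""TWAP from tick cumulatives, and the effect of a short manipulation (added example)."""


def mean_tick(cumulative_then: int, cumulative_now: int, window_seconds: int) -> int:
    """Time-weighted mean tick over the window, rounded toward negative infinity.
    Solidity's `/` truncates toward zero, so OracleLibrary.consult subtracts 1 when
    the delta is negative with a remainder; Python's `//` floors directly, giving
    the same result."""
    if window_seconds <= 0:
        raise ValueError("window must be positive")
    return (cumulative_now - cumulative_then) // window_seconds


def tick_to_price(tick: int) -> float:
    """Price of token0 in token1 (raw units, decimals ignored) for a tick: 1.0001 ** tick."""
    return 1.0001 ** tick


def tick_cumulative(segments) -> int:
    """What the pool's tickCumulative accumulates: the sum of tick * seconds it was current.
    `segments` is a list of (tick, seconds) pairs in chronological order."""
    return sum(tick * seconds for tick, seconds in segments)


def twap_under_manipulation(honest_tick: int, forced_tick: int,
                            forced_seconds: int, window_seconds: int):
    """Return (honest TWAP tick, TWAP tick when the spot tick is held at `forced_tick`
    for the last `forced_seconds` of the window).
    The shift is bounded by (forced_tick - honest_tick) * forced_seconds / window,
    so a one-slot push barely moves a 30-minute TWAP but fully moves a one-slot TWAP."""
    if not 0 < forced_seconds <= window_seconds:
        raise ValueError("forced_seconds must lie within the window")
    honest = tick_cumulative([(honest_tick, window_seconds)])
    attacked = tick_cumulative([(honest_tick, window_seconds - forced_seconds),
                                (forced_tick, forced_seconds)])
    return mean_tick(0, honest, window_seconds), mean_tick(0, attacked, window_seconds)


# Constructed scenario: the pool sits at tick 0 (price 1.0); an attacker with enough
# capital for the pool's liquidity pushes spot to tick 6932 (about 2x) for one
# 12-second slot.
HONEST_TICK, FORCED_TICK, ONE_SLOT = 0, 6932, 12

if __name__ == "__main__":
    for window in (12, 600, 1800):
        base, attacked = twap_under_manipulation(HONEST_TICK, FORCED_TICK, ONE_SLOT, window)
        print(f"window={window:5d}s  twap tick {base:5d} -> {attacked:5d}  "
              f"price x{tick_to_price(attacked) / tick_to_price(base):.4f}")
```

The numbers make the trade-off concrete: the push that doubles a one-slot TWAP moves a ten-minute TWAP by about 1.4% and a thirty-minute TWAP by about 0.5%. What the attacker pays for the push is set by the pool's liquidity, which is why a thin pool is the dangerous case regardless of window length, and why a consumer should check both the window and the liquidity of the pool it reads.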
Events and Indexing
- The Graph Documentation https://thegraph.com/docs/ Official documentation for The Graph protocol. Covers subgraph creation, schema definition, mapping functions, querying via GraphQL, and deploying to the decentralized network.
- "Events" — Solidity Documentation, Contract ABI Specification https://docs.soliditylang.org/en/latest/abi-spec.html#events The official Solidity documentation on events: the ABI encoding, the topic structure (the keccak256 of the event signature as topic 0, then up to three indexed parameters for a non-anonymous event), and the rule that indexed dynamic types such as string, bytes and arrays are stored as their keccak256 hash rather than their value, so they can be matched by a filter but not recovered from the log. The "Contracts: Events" section of the same documentation explains how topics feed the Bloom filters that make log queries cheap.
Case Study Primary Sources
Wormhole Hack (Case Study 14.1)
- "Wormhole Incident Report" — Wormhole Team The official post-mortem detailing the vulnerability, the exploit sequence, and the remediation steps taken by the team.
- "Wormhole Bridge Exploit" — Rekt News https://rekt.news/wormhole-rekt/ Rekt News's analysis of the Wormhole exploit, including on-chain transaction analysis, timeline reconstruction, and the broader implications for cross-chain bridge security.
- "Cross-Chain Bridge Hacks: A Systematic Analysis" — Chainalysis https://www.chainalysis.com/blog/cross-chain-bridge-hacks-2022/ Chainalysis's analysis of the pattern of bridge exploits in 2022, including Wormhole, Ronin, and Nomad, with a focus on the systemic risks of cross-chain infrastructure.
Compound Governance (Case Study 14.2)
- "Compound Governance Proposal 62 Post-Mortem" — Compound Forum https://www.comp.xyz/ Community discussion of the Proposal 62 bug, including technical analysis, impact assessment, and the governance response through Proposals 63 and 64.
- "Compound Accidentally Gives Away $80 Million" — Rekt News https://rekt.news/overcompensated/ Rekt News's analysis of the Compound governance incident, including the technical details of the distribution bug and the broader implications for governance-controlled upgrades.
Advanced Topics
- "Trail of Bits: Building Secure Smart Contracts" https://github.com/crytic/building-secure-contracts A free course by Trail of Bits (one of the top smart contract auditing firms) covering secure development practices, testing techniques, and the use of automated analysis tools such as Slither (static analysis) and Echidna (property-based fuzzing).
- "Damn Vulnerable DeFi" by Tincho https://www.damnvulnerabledefi.xyz/ A set of increasingly difficult Solidity challenges that teach smart contract security through hands-on exploitation. Each challenge presents a vulnerable contract and asks you to write the exploit. The best way to internalize the patterns from this chapter.
- "Immunefi Bug Bounty Writeups" https://immunefi.com/bounty/ Immunefi's bug bounty program listings; the writeups of paid-out reports are published on Immunefi's blog and Medium publication. Reading how white-hat hackers find and report real vulnerabilities provides practical insight that no textbook can fully replicate.
- "Foundry Book" https://book.getfoundry.sh/ Documentation for Foundry, the modern Solidity development framework. Covers forge (testing and building), cast (interacting with contracts), anvil (local testnet), and chisel (Solidity REPL). Foundry's fork testing (forge test --fork-url, or vm.createSelectFork inside a test) is essential for testing upgrades against mainnet state: a proposed implementation can be upgraded into the real proxy, with its real storage, before anything goes on-chain.