Core concepts
Smart Contracts
Programs stored and executed on a blockchain when predefined conditions are met. They automate agreement execution without intermediaries. On Ethereum, smart contracts are written in Solidity and compiled to EVM bytecode.
Decentralised Applications (dApps)
Applications where the backend logic runs on smart contracts (transparent and auditable) and the frontend is typically a traditional web application connecting via ethers.js or web3.js.
Tokens and Coins
- Coins: native currency of a blockchain (ETH, BTC)
- Utility tokens: grant access to a service (ERC-20)
- Security tokens: represent ownership of an asset
- NFTs: non-fungible tokens representing unique ownership (ERC-721)
DeFi and DEX
Decentralised Finance (DeFi) replaces traditional financial intermediaries with smart contracts. Decentralised Exchanges (DEXes) like Uniswap use Automated Market Makers (AMMs) instead of order books.
Consensus mechanisms
| Mechanism | How it works | Energy | Examples |
|---|---|---|---|
| Proof of Work (PoW) | Miners compete to solve computational puzzles | High | Bitcoin |
| Proof of Stake (PoS) | Validators stake tokens as collateral | Low | Ethereum (post-merge) |
| Delegated PoS | Token holders vote for delegates who validate | Low | EOS, Tron |
Bitcoin fundamentals
Transaction structure
A Bitcoin transaction consumes inputs (references to previous unspent outputs) and produces outputs (new UTXOs with locking scripts).
Privacy attacks on Bitcoin
Bitcoin is pseudonymous, not anonymous. Several heuristics de-anonymise transactions:
| Attack | Technique |
|---|---|
| Common Input Ownership | All inputs in a transaction likely belong to the same wallet |
| UTXO change detection | The change output (non-round amount) goes back to the sender |
| Wallet fingerprinting | Different wallets create transactions with distinguishable patterns |
| Traffic analysis | Monitor network nodes to link transactions to IP addresses |
| Forced address reuse | Send dust to used addresses; recipient may combine them, linking addresses |
Privacy mitigations
- CoinJoin: combine multiple transactions into one, obscuring which input corresponds to which output
- PayJoin (P2EP): a CoinJoin variant that looks like a normal payment
- Tor: mask the originating IP when broadcasting transactions
- Avoid address reuse: use a fresh address for each transaction
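The first two heuristics in the table above, as an added Python example (not code from the original page): it clusters addresses over constructed transactions using common input ownership and non-round change detection, then shows that a CoinJoin makes the same heuristic produce a false cluster of unrelated users. The transaction data, the `ROUND` threshold and all function names are assumptions made for illustration.

```python
# Constructed sample transactions (not real chain data); amounts in satoshis.
# inputs = addresses being spent from, outputs = (address, amount) pairs.
TXS = [
    {"id": "tx1", "inputs": ["A1", "A2"], "outputs": [("B1", 50_000_000), ("A3", 1_234_567)]},
    {"id": "tx2", "inputs": ["A3", "A4"], "outputs": [("C1", 10_000_000), ("A5", 787_321)]},
    {"id": "tx3", "inputs": ["D1"], "outputs": [("A1", 20_000_000), ("D2", 3_141_592)]},
]
# Constructed CoinJoin: three unrelated users, equal-value outputs, no visible change.
COINJOIN = {"id": "cj", "inputs": ["X1", "Y1", "Z1"],
            "outputs": [("X2", 10_000_000), ("Y2", 10_000_000), ("Z2", 10_000_000)]}
ROUND = 100_000  # assumption: payments are multiples of 0.001 BTC, change is not

class Clusters:
    """Union-find over addresses believed to share an owner."""
    def __init__(self):
        self.parent = {}

    def find(self, a):
        self.parent.setdefault(a, a)
        while self.parent[a] != a:
            self.parent[a] = self.parent[self.parent[a]]  # path halving
            a = self.parent[a]
        return a

    def union(self, a, b):
        self.parent[self.find(a)] = self.find(b)

def guess_change(outputs):
    """Change detection: the single non-round output, or None if ambiguous."""
    odd = [addr for addr, amount in outputs if amount % ROUND != 0]
    return odd[0] if len(odd) == 1 else None

def cluster(txs):
    """Return sorted address clusters inferred from the two heuristics."""
    c = Clusters()
    for tx in txs:
        first = tx["inputs"][0]
        for addr in tx["inputs"]:          # common input ownership
            c.union(first, addr)
        change = guess_change(tx["outputs"])
        if change is not None:             # change returns to the sender
            c.union(first, change)
    groups = {}
    for addr in list(c.parent):
        groups.setdefault(c.find(addr), set()).add(addr)
    return sorted(sorted(g) for g in groups.values())
```

On the sample data, five addresses collapse into one wallet cluster from only two spends, while the CoinJoin inputs are merged into a single cluster even though they belong to different users, which is the ambiguity the mitigation relies on.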
Ethereum mechanics
Gas
Every Ethereum operation costs gas. Users pay gas_used * gas_price in ETH.
Transaction lifecycle
- User signs a transaction (recipient, value, data, gas limit, nonce)
- Transaction is broadcast to the mempool
- A validator picks it up and includes it in a block
- EVM executes the transaction; state changes are committed
- Receipt is produced with gas used and logs
Web3 security overview
Web3 security requires understanding both traditional web vulnerabilities and blockchain-specific primitives:
Smart Contract Security
Reentrancy, integer overflow, access control, oracle manipulation, flash loan attacks.
Web3 Red Teaming
Value-centric assessment methodology, DeFi exploitation, bridge attacks, signing workflow compromise.
MITRE AADAPT framework
MITRE’s Adversarial Attack and Defence for AI and Programmable Technology (AADAPT) maps blockchain attack paths to a structured taxonomy:
- Reconnaissance: mapping smart contract interactions, oracle dependencies, and signer keys
- Resource development: acquiring flash loans, manipulating liquidity
- Initial access: exploiting vulnerable entry points (unchecked calls, delegatecall proxies)
- Impact: draining funds, manipulating prices, pausing protocols
Key resources
- Ethereum documentation: https://ethereum.org/en/developers/docs/
- OpenZeppelin contracts: https://github.com/OpenZeppelin/openzeppelin-contracts
- Etherscan: https://etherscan.io — explore transactions and contract source code
- Slither (static analyser): https://github.com/crytic/slither
- Foundry (testing framework): https://github.com/foundry-rs/foundry