A simplified Rust-Audit-Roadmap

Before delving into the Alphas, I invite you to explore this brief article detailing the current status of Rust in the Web3 industry: Rust in the Web3 industry.

Presently, eWASM in Ethereum appears to be largely inactive. However, it's worth noting that WASM is thriving in various other blockchain ecosystems.

Here's a straightforward recommendation:

1. Acquire a solid understanding of blockchain and smart contract fundamentals.
2. Familiarize yourself with Rust programming language.

The popularity of the following frameworks and protocols is as follows (as of Dec 2023):

1. !ink
2. CosmWasm
3. CosmWasm Security
4. Astar

Blockchain and smart contracts basics

You first need to be familiar with the basic concepts of blockchain technologies and smart contracts in general. I came from Solidity and Ethereum auditing myself, so I'm not very sure which ones to recommend if you don't have any experience and don't want to get much into it… For readers Mastering Ethereum, the most popular would be Patrick Collins blockchain elaborations.

:information_desk_person: You can probably find a lot of recommendations for this already :)

Patrick Collins Blockchain for Beginners

⌨️ (00:09:05) Lesson 1: Blockchain Basics

What is a Blockchain? What does a blockchain do?

• What is a Smart Contract?
• Hybrid Smart Contracts
• Blockchain Oracles
• Terminology
• Web3
• What is a blockchain

The Purpose Of Smart Contracts

⌨️ (00:18:27) The Purpose of Smart Contracts

• 🎥 Original Video
• 🦬 My ETH Denver Talk
• 🍔 McDonalds Scandal
• ⛓ More on the evolution of agreements
• ✍️ What is a Smart Contract?
• 🧱 How does a blockchain work?
• 🔮 Chainlink & Oracles

Other Blockchain Benefits

⌨️ (00:30:41) Other Blockchain Benefits

• Decentralized
• Transparency & Flexibility
• Speed & Efficiency
• Security & Immutability
• Counterparty Risk Removal
• Trust Minimized Agreements

What have Smart Contracts done so far?

⌨️ (00:36:36) What have Smart Contracts done so far?

• DeFi
  • Defi Llama
  • Why DeFi is Important
• DAOs
• NFTs

Rust language

Summary: Why Rust for Smart Contracts?

The choice of Rust for smart contracts, particularly with ink!, is rooted in several compelling reasons:

1. Ideal Contract Language: Rust is inherently suitable for smart contracts due to its type safety, memory safety, and absence of undefined behaviors. It produces small binaries by avoiding unnecessary elements like a garbage collector, and advanced optimizations enhance efficiency by eliminating dead code. Rust can automatically guard against integer overflow through compiler flags.

2. Robust Ecosystem: Leveraging the Rust ecosystem comes as a bonus, with ink! automatically benefiting from ongoing language developments. This ensures continuous access to new features and functionalities, enhancing the overall capability of writing smart contracts.

3. Comprehensive Tooling: Being aligned with Rust standards, ink! seamlessly integrates with widely used tools such as rustfmt, clippy, and rust-analyzer. This compatibility extends to code formatting and syntax highlighting in modern text editors. Rust's integrated test and benchmark runner contribute to effective testing practices.

4. Minimal Runtime Overhead: Rust imposes minimal runtime overhead, contributing to the efficiency and streamlined execution of smart contracts.

5. Safety and Efficiency: Rust offers zero-cost and safe abstractions, prioritizing the creation of secure and efficient smart contracts.

6. Productivity Boost: Utilizing Cargo and the crates.io ecosystem enhances productivity, providing a robust infrastructure for managing dependencies and facilitating efficient code development.

7. First-Class Wasm Support: Rust ensures first-class support for WebAssembly (Wasm), aligning seamlessly with the demands of the blockchain environment.

8. Small Code Size: In the context of space-constrained blockchains where size is crucial, Rust's compiler aids in minimizing code size. By reordering struct fields intelligently, Rust achieves compact data structures, often surpassing the compactness achieved in C.

In essence, Rust stands out as a language for smart contracts, offering a balance of safety, efficiency, productivity, and compatibility with the broader Rust ecosystem.

Achieving a high level of proficiency in Rust programming isn't necessary when you're just starting. Instead, focus on developing a clear understanding of Rust code and the ability to create basic programs, which can be quite challenging, in my opinion. If you have any questions along the way, consider the Rust Book as your primary reference.

There are numerous free basic courses available, such as Udemy: Ultimate Rust Crash Course and its follow-up, Ultimate Rust 2.

:bulb: Explore easy-to-follow code examples or try your hand at implementing them by visiting Rust by Example. These tutorials are a must do Exercism's Rust path, offer additional Rust exercises.

:star: Personally, I found Rustlings enjoyable. It lets you learn Rust by fixing code snippets that you need to understand beforehand, akin to auditing.

For quick and ready-to-go testing of random code and behaviors, make use of Rust Playground.

If you want to focus soley on Solana: Blog post by Vitto

Substrate

Substrate is a Software Development Kit (SDK) that allows you to build application-specific blockchains that can run as standalone services or in parallel with other chains with the shared security provided by the Polkadot ecosystem. **Summary:

Substrate, in conjunction with Rust, offers a comprehensive framework for blockchain development. The process is tailored to cater to different levels of expertise and preferences. Here's a quick overview:

1. Quick Start:

   • Target Audience: New developers with no prior Substrate or FRAME experience.
   • Objective: Set up a development environment and initiate a blockchain node on the local computer.
   • Steps:
     • Brief overview of Substrate.
     • Learning to compile and start a node.
     • Exploring node template code.
     • Modifying the runtime.

2. Developer Journey:

   • Structured Information:
     • Learn: Core blockchain and Substrate concepts and operations.
     • Install: Platform-specific installation instructions and troubleshooting tips.
     • Build: Tools and techniques for building custom blockchain applications.
     • Test: Approaches for unit testing and benchmarking code.
     • Deploy: Options for deploying nodes, preparation, and transitioning from test to production.
     • Maintain: General information on network maintenance, upgrades, and infrastructure management.

3. Tutorials:

   • Hands-on Learning:
     • Build a Blockchain Tutorials: Focus on network basics, starting from a single node to creating private blockchains, monitoring operations, and upgrading networks.
     • Build Application Logic Tutorials: Implementation of application-specific logic using existing and custom pallets.
     • Build a Parachain Tutorials: Guidance on transitioning from a standalone chain to a parachain, connecting to a relay chain, and inter-chain messaging.

4. Reference:

   • Technical Information:
     • Rust API: Direct access to technical details.
     • Command-Line Tools: Assistance and information on command-line tools.

In essence, the integration of Rust and Substrate provides a versatile and accessible approach to blockchain development, accommodating diverse learning styles and levels of expertise. The documentation is organized into a narrative developer journey, hands-on tutorials, and a reference section for technical details.

• Documentation
• Website
• Leverage Rust in Substrate

!ink

ink! is a programming language for smart contracts — one of several that blockchains built with the Substrate framework can choose from. It’s an opinionated language at Parity have built by extending the popular Rust programming language with functionality needed to make it smart contract compatible.

• Blog on !ink
• Documentation
• !ink vs Solidity
• !ink vs CosmWasm)

CosmWasm

By now, you should possess a basic understanding of blockchain technologies, smart contracts, and Rust. It's time to delve into CosmWasm. Ethan Frey [@ethanfrey] has curated a series of posts, albeit outdated, providing a comprehensive overview and comparison with other technologies:

• CosmWasm for Developers
• CosmWasm for CTOs 0, I: the architecture, II: advanced usage, IV: native integrations

:milky_way: Since CosmWasm operates as a Cosmos SDK module, running on Cosmos chains, it's crucial to familiarize yourself with Cosmos fundamentals. Begin by reading the following Cosmos documentation:

1. Introduction section covers a high-level overview, application-specific blockchains, blockchain architecture, and main components of the Cosmos SDK.
2. Basics section includes the anatomy of a Cosmos SDK application, transaction lifecycle, query lifecycle, accounts, and gas and fees.

:point_right: Now, let's immerse ourselves in CosmWasm. Reading the CosmWasm Book cover to cover is an excellent starting point for grasping all the concepts before venturing into contract development. Additionally, this resource serves as a helpful quick reference, offering details not explicitly covered in The Book.

Your next focus will be on CosmWasm smart contract programming. You should be able to write simple CosmWasm contracts, and CW Template provides a great resource for experimentation. A list of resources is provided below, and while some content may overlap, the intention is to offer multiple options rather than completing all of them:

1. CosmWasm zero to hero
2. CosmWasm Academy
3. Area 52
4. Terra academy: CosmWasm smart contracts I

:heavy_plus_sign: CosmWasm Plus comprises publicly available base contracts, akin to OpenZeppelin. Reviewing key contracts and understanding their architecture and behavior is an excellent way to hone your Smart Contract analysis skills, a vital skill for future auditors:

• CW20 fungible token
• CW721 non-fungible token
• CW1 fixed multisig

:100: Additionally, familiarize yourself with Smart Contract testing, as you'll craft your own PoCs using these. Refer to Mastering CosmWasm Multi-Test for a practical crash course. Further documentation on the most used libraries can be found at:

• Module cosmwasm_std::testing
• Crate cw_multi_test, with a chapter in the CW Book

Getting acquainted with IBC in CosmWasm is a valuable addition, as it will likely become more common in CosmWasm contracts. While not mandatory initially, understanding IBC is crucial for your development journey.

An alternative framework for building CosmWasm smart contracts is the Sylvia Framework. However, its community traction is uncertain at the moment, as I haven't encountered requests for audits related to it.

CosmWasm Security

Now that you've covered all the prerequisites, it's time to delve into the audit and security specifics of CosmWasm. If you're transitioning from Solidity auditing, you'll likely notice a scarcity of resources compared to the abundance of beginner security material available for Sol/EVM.

:scroll: Begin with the CosmWasm Security Spotlight posts, and keep an eye out for future posts on Medium (@jcsec-audits). Additionally, DAO DAO's CosmWasm security best practices offer valuable insights.

:muscle: The next step involves practical examples:

1. Oak's CosmWasm Security Dojo: This resource not only provides challenges but also includes an EXPLANATION.md in each directory, offering further details and concepts that prove highly beneficial.

2. Oak Security CTF: This CosmWasm Capture The Flag (CTF), created by Oak Security for Awesomwasm 2023, offers a comprehensive overview of various security issues in CW contracts, with a medium difficulty level.

3. DeFiVulnLabsCosmWasm

Given the limited availability of additional resources, the next step involves reading CosmWasm audit reports. This is the most effective way to familiarize yourself with the types of security issues identified during security reviews by auditors.

Three companies known for publishing multiple public reports on CosmWasm audits are:

1. Oak Security
2. SCV Security
3. Halborn

Astar

Astar Network functions as a smart contract platform that accommodates both EVM and WebAssembly (Wasm) environments. As a parachain of Polkadot, it places emphasis on fostering corporate adoption and capturing consumer interest in web3 technologies. It's important to note that The Block is an autonomous media outlet, providing news, research, and data.

• What is Astar?
• Audit Reports

Tooling

I prefer using a VM instead of Windows WSL. It's faster, trust me. Learnt the hard way when participating hackathons.

• Rust analyzer
• Better TOML
• Inline Bookmarks - audit is just not the same without this one, MVP
• CodeLLDB - Do you know you can debug rust unit tests for CW smart contracts? I may write a Medium post in the future
• Coverage Gutters - easily displays test coverage from a lcov file
• Line Note - I sometimes like to add 2/3 lines of additional info without breaking the total number of lines and not creating very large one-line comments
• Cosmy Wasmy - To be honest this has not been helpful to me at the moment, but I keep it in check as it will probably be a nice addition soon when they further polish some of the features.

Side Note:

Whenever you use Rust or any frameworks. Ensure that different frameworks supports the same Rust Version. Once interfered, the debugging can be days....