🌿 Intermediate ⏱️ ongoing

Free Comprehensive Courses

After CTF challenges, structured courses fill knowledge gaps and teach industry best practices. All resources in this lesson are completely free — and the free options in Web3 security are genuinely world-class. The top auditors in the industry built their skills using these exact resources.

💡 How to Use This Lesson

You do not need to take all of these courses. The recommended path is: Cyfrin Updraft first, then supplement with specific resources for gaps in your knowledge. Do not take 5 courses simultaneously — depth beats breadth for skill development.

1. Cyfrin Updraft — The Gold Standard

Created by Patrick Collins (ex-Chainlink) and Tincho (The Red Guild), Cyfrin Updraft is the most comprehensive free security curriculum available. Period. If you only take one course, take this one.

Course ModuleDurationWhat You'll Build/Learn
Blockchain Basics4 hoursCryptography, consensus, EVM fundamentals
Solidity Fundamentals8 hoursFull Solidity syntax, testing with Foundry
Smart Contract Development12 hoursDeFi protocols: stablecoins, DEX, lending
Security and Auditing24+ hoursFull audit methodology, 5 complete audits
Advanced Security16+ hoursAssembly, Yul, EVM deep dives, MEV
🎯 Cyfrin Updraft Security Course — What You Get
The Security and Auditing module teaches: 1. Audit methodology (not just "find bugs"): - Reading documentation first - Scoping: what's in scope, what's out - Writing effective reports - Severity classification - Communication with development teams 2. 5 complete audits you perform yourself: - PasswordStore (simple, 2 bugs) - PuppyRaffle (reentrancy, randomness, DoS) - TSwap (AMM, price oracle) - Boss Bridge (bridge security, L1/L2) - Thunder Loan (flash loans, ERC-4626) 3. Guest lectures from industry: - Trail of Bits: formal verification - Sigma Prime: consensus layer security - Guardian Audits: DeFi auditing methodology 4. Tools deep dive: - Slither (static analysis) - Echidna (fuzzing) - Foundry (testing) - Aderyn (Rust-based analysis) URL: https://updraft.cyfrin.io/

2. Patrick Collins — Full Course on YouTube

The legendary Solidity and Foundry full course on YouTube. Over 30 hours of content covering everything from Remix IDE basics to advanced Foundry testing and DeFi protocol development. This is the course that launched thousands of Web3 careers.

📺 Patrick Collins YouTube Course — Content Breakdown
Course: "Learn Solidity, Blockchain Development, & Smart Contracts | Powered By AI" Hours 0-6: Solidity Basics - What is a blockchain? - Writing your first contract in Remix - Variables, functions, mappings - Storage: memory, calldata, storage Hours 6-16: Foundry Fundamentals - Setting up Foundry - Testing with forge test - Deploying with forge script - Gas optimization techniques - 3 full projects: Fund Me, Lottery, ERC-20 Hours 16-26: DeFi and Advanced Topics - How Uniswap works - Stablecoins and DAI mechanics - Cross-chain bridges - Merkle trees and proofs - Signatures and EIP-712 Hours 26-32: Security - Common vulnerability patterns - Writing security-focused tests - Using Slither for static analysis - Audit workflow overview After this course: You can build, test, and deploy → Move to Cyfrin Updraft Security for the auditing layer

3. Secureum Bootcamp — Community Legend

Secureum is a highly intensive community-run security education program. The free materials (RACE exams and documentation) are among the most important resources for anyone serious about Ethereum security.

🎓 Secureum Bootcamp Materials
What Secureum Offers (Free): 1. RACE Exams (Regular Audit Competitive Exam) - Monthly 8-question multiple choice exam - Top scorers get public recognition - Questions sourced from real audit findings - Archive: https://ventral.digital/posts/2022/8/14/rareskills-solidity-riddles 2. Epoch0 Free Content: - Ethereum 101 (200+ slides) - Solidity 101 (200+ slides) - Solidity 201 (advanced, 200+ slides) - Security pitfalls (300+ pitfalls documented) - Audit techniques and findings 3. Community: - Discord server with thousands of security researchers - Weekly discussion threads on recent exploits Quality of free materials: EXCEPTIONAL - Used by professional auditors as reference - More complete than most paid courses - Regularly updated URL: https://secureum.xyz/ RACE archive: search "Secureum RACE" on GitHub

4. Ethereum.org Developer Docs — The Official Source

When you need authoritative information about how Ethereum works, there is only one source: the official Ethereum documentation. Particularly valuable for understanding EVM mechanics, transaction lifecycle, and consensus.

📚 ethereum.org — What to Read and When
Key sections for security auditors: ethereum.org/developers/docs/ ├── intro-to-ethereum/ ← Start here if brand new ├── accounts/ ← EOAs vs contracts ├── transactions/ ← Transaction structure ├── blocks/ ← Block structure ├── gas/ ← Gas mechanics ├── evm/ ← EVM opcodes and execution ├── smart-contracts/ ← Solidity overview ├── standards/tokens/erc-20/ ← ERC-20 standard (most used) ├── standards/tokens/erc-721/ ← NFT standard └── consensus-mechanisms/ ← PoS mechanics Most important for auditors: 1. EVM docs: understanding opcode costs and behavior 2. Transaction docs: understanding msg.sender, tx.origin, value 3. ABI specification: understanding how calls are encoded The ABI spec is particularly important: → How function selectors work → How arguments are encoded → Why selector clashes happen

5. OpenZeppelin Learn — Contract Patterns Reference

OpenZeppelin maintains a comprehensive library of audited, battle-tested smart contract patterns. Reading their source code and documentation is one of the best ways to learn what "correct" looks like.

🛡️ OpenZeppelin — Essential Resources for Auditors
OpenZeppelin Contracts Library: https://docs.openzeppelin.com/contracts/5.x/ Essential contracts to read and understand: Access Control: - Ownable.sol ← Simplest ownership pattern - AccessControl.sol ← Role-based access (RBAC) - Pausable.sol ← Emergency pause mechanism Token Standards: - ERC20.sol ← Full ERC-20 implementation - ERC721.sol ← NFT implementation - ERC1155.sol ← Multi-token standard Finance/DeFi: - VestingWallet.sol ← Vesting patterns - PaymentSplitter.sol ← Revenue sharing Proxy Patterns: - TransparentProxy ← Most common proxy type - UUPS Proxy ← Upgrade logic in implementation - ERC1967Storage ← Storage slots for proxy Security: - ReentrancyGuard.sol ← nonReentrant modifier - SafeERC20.sol ← Safe token transfer wrappers - MerkleProof.sol ← Allowlist patterns Why read OZ source: It shows you what "correct" looks like. When auditing a fork of OZ contracts, any deviation is a finding.

6. CryptoZombies — Gamified Solidity Introduction

If you are completely new to Solidity and want to learn through a game-like experience, CryptoZombies is an excellent starting point. You build a "zombie game" on Ethereum while learning Solidity syntax progressively.

🧟 CryptoZombies — What It Teaches
Lesson 1: Solidity Basics - contracts, state variables, functions - uint, structs, arrays Lesson 2: Data Types - mappings, addresses, msg.sender - storage vs memory Lesson 3: Advanced Solidity - function modifiers, events, payable - interfaces and multiple contracts Lesson 4: Zombie Battle System - calling contracts, libraries Lesson 5-6: Advanced (Web3.js, ERC-721) - Interacting via JavaScript - NFT standard implementation Best for: Complete beginners who want a fun on-ramp Not best for: People who already know a programming language → They should go straight to Cyfrin Updraft URL: https://cryptozombies.io/

7. LearnWeb3.io — Structured Learning Path

LearnWeb3 provides a structured curriculum from beginner to senior level, with both Solidity and security tracks. Good for those who want a defined path with clear milestones.

Recommended Learning Path by Goal

WeekResourceGoalHours
1-2Cyfrin Updraft — Blockchain Basics + Solidity 101Understand the foundation20h
3-4Cyfrin Updraft — Foundry FundamentalsWrite and test Solidity20h
5-6Ethernaut (levels 1-15)Practice vulnerability patterns30h
7-8Cyfrin Updraft — Security Course (start)Learn audit methodology20h
9-10DVDF challenges 1-6DeFi attack patterns30h
11-12Cyfrin Updraft — Complete 5 auditsEnd-to-end audit practice30h
13-16Secureum RACE exams + OpenZeppelin readingFill knowledge gaps40h
17+Code4rena First Flights / Sherlock contestsReal competition auditingOngoing

How to Take Notes Effectively

📝 Note-Taking System for Security Learning
Tool recommendation: Obsidian (free, local markdown, linkable notes) Alternative: Notion (free tier), GitHub wiki Folder structure: /vulnerabilities/ ← One file per vulnerability type reentrancy.md integer-overflow.md oracle-manipulation.md /protocols/ ← Notes on DeFi protocol mechanics uniswap-v2.md aave-v3.md /findings/ ← Your own findings from CTFs/audits [date]-[protocol]-[finding].md /tools/ ← Commands and usage notes foundry-cheatsheet.md slither-tips.md For each vulnerability, record: - Name and category - Code pattern (what does vulnerable code look like?) - Exploit technique (how do you prove it?) - Detection tips (what to search for in an audit?) - Prevention (what's the correct fix?) - Real world examples (with dollar amounts and links)

Building Projects While Learning

🚨 Don't Just Follow Along — Build Your Own

The most dangerous learning trap: completing a course tutorial by following each step, then discovering you cannot build anything on your own. After each major section, close the tutorial and try to rebuild what you just learned from memory. Then check the tutorial for what you missed. This active recall approach produces 4x better retention than passive watching.

🔨 Projects to Build Alongside Courses
Project 1 (after Solidity basics): Build a simple ERC-20 token WITHOUT using OpenZeppelin Requirements: mint, burn, transfer, approve, transferFrom Then: compare your implementation to OpenZeppelin's ERC20.sol Finding: every difference between yours and OZ is a potential vulnerability Project 2 (after Foundry basics): Port your ERC-20 to Foundry tests Write: happy path tests, edge case tests, fuzz tests Goal: achieve 100% line coverage Project 3 (after security course): Find an old, simple audit report (Code4rena archive) Read the protocol without reading the findings Try to find the bugs yourself Compare your list to the official findings Project 4 (ongoing): Weekly: read 1 post-mortem from rekt.news Reproduce the exploit in Foundry (mainnet fork) Write a blog post explaining what happened

Common Mistakes Section

⚠️ Mistake #1: Course Hopping Without Completing

Starting Cyfrin Updraft, then switching to Patrick Collins' YouTube, then starting the Secureum materials — without completing any of them. The value is in completion and building projects. Pick one primary course and finish it. Use others only to supplement specific gaps.

⚠️ Mistake #2: Taking Notes Without Reviewing Them

Notes that are never reviewed are just expensive bookmarks. Schedule a weekly review: open your vulnerability library, pick 3 entries, and test yourself. Can you write the vulnerable code pattern from memory? Can you write the exploit? Regular review converts "I've seen this" into "I will always spot this".

⚠️ Mistake #3: Skipping the Math

Security auditing involves reading economic incentives, AMM math, and protocol invariants. You don't need to be a mathematician, but you must be comfortable with basic algebra and be willing to reason through formulas. Protocols that involve x * y = k, interest rate models, or reward distribution math require you to verify the math manually — calculators are fine, but understand what you're calculating.

Summary / Key Takeaways

ResourceBest ForTime InvestmentPriority
Cyfrin UpdraftComplete security curriculum80+ hours1st — do this first
Patrick Collins YouTubeSolidity + Foundry from scratch30+ hoursIf new to coding
Secureum RACE ExamsTest and benchmark your knowledgeMonthly practiceOngoing supplement
OpenZeppelin DocsReference for "correct" patterns10 hours readingEssential reference
ethereum.org DocsAuthoritative EVM knowledge10 hours readingFoundational reference
CryptoZombiesFun beginner on-ramp10 hoursOnly if brand new