Free Comprehensive Courses
After CTF challenges, structured courses fill knowledge gaps and teach industry best practices. All resources in this lesson are completely free — and the free options in Web3 security are genuinely world-class. The top auditors in the industry built their skills using these exact resources.
You do not need to take all of these courses. The recommended path is: Cyfrin Updraft first, then supplement with specific resources for gaps in your knowledge. Do not take 5 courses simultaneously — depth beats breadth for skill development.
1. Cyfrin Updraft — The Gold Standard
Created by Patrick Collins (ex-Chainlink) and Tincho (The Red Guild), Cyfrin Updraft is the most comprehensive free security curriculum available. Period. If you only take one course, take this one.
| Course Module | Duration | What You'll Build/Learn |
|---|---|---|
| Blockchain Basics | 4 hours | Cryptography, consensus, EVM fundamentals |
| Solidity Fundamentals | 8 hours | Full Solidity syntax, testing with Foundry |
| Smart Contract Development | 12 hours | DeFi protocols: stablecoins, DEX, lending |
| Security and Auditing | 24+ hours | Full audit methodology, 5 complete audits |
| Advanced Security | 16+ hours | Assembly, Yul, EVM deep dives, MEV |
The Security and Auditing module teaches:
1. Audit methodology (not just "find bugs"):
- Reading documentation first
- Scoping: what's in scope, what's out
- Writing effective reports
- Severity classification
- Communication with development teams
2. 5 complete audits you perform yourself:
- PasswordStore (simple, 2 bugs)
- PuppyRaffle (reentrancy, randomness, DoS)
- TSwap (AMM, price oracle)
- Boss Bridge (bridge security, L1/L2)
- Thunder Loan (flash loans, ERC-4626)
3. Guest lectures from industry:
- Trail of Bits: formal verification
- Sigma Prime: consensus layer security
- Guardian Audits: DeFi auditing methodology
4. Tools deep dive:
- Slither (static analysis)
- Echidna (fuzzing)
- Foundry (testing)
- Aderyn (Rust-based analysis)
URL: https://updraft.cyfrin.io/2. Patrick Collins — Full Course on YouTube
The legendary Solidity and Foundry full course on YouTube. Over 30 hours of content covering everything from Remix IDE basics to advanced Foundry testing and DeFi protocol development. This is the course that launched thousands of Web3 careers.
Course: "Learn Solidity, Blockchain Development, & Smart Contracts | Powered By AI"
Hours 0-6: Solidity Basics
- What is a blockchain?
- Writing your first contract in Remix
- Variables, functions, mappings
- Storage: memory, calldata, storage
Hours 6-16: Foundry Fundamentals
- Setting up Foundry
- Testing with forge test
- Deploying with forge script
- Gas optimization techniques
- 3 full projects: Fund Me, Lottery, ERC-20
Hours 16-26: DeFi and Advanced Topics
- How Uniswap works
- Stablecoins and DAI mechanics
- Cross-chain bridges
- Merkle trees and proofs
- Signatures and EIP-712
Hours 26-32: Security
- Common vulnerability patterns
- Writing security-focused tests
- Using Slither for static analysis
- Audit workflow overview
After this course: You can build, test, and deploy
→ Move to Cyfrin Updraft Security for the auditing layer3. Secureum Bootcamp — Community Legend
Secureum is a highly intensive community-run security education program. The free materials (RACE exams and documentation) are among the most important resources for anyone serious about Ethereum security.
What Secureum Offers (Free):
1. RACE Exams (Regular Audit Competitive Exam)
- Monthly 8-question multiple choice exam
- Top scorers get public recognition
- Questions sourced from real audit findings
- Archive: https://ventral.digital/posts/2022/8/14/rareskills-solidity-riddles
2. Epoch0 Free Content:
- Ethereum 101 (200+ slides)
- Solidity 101 (200+ slides)
- Solidity 201 (advanced, 200+ slides)
- Security pitfalls (300+ pitfalls documented)
- Audit techniques and findings
3. Community:
- Discord server with thousands of security researchers
- Weekly discussion threads on recent exploits
Quality of free materials: EXCEPTIONAL
- Used by professional auditors as reference
- More complete than most paid courses
- Regularly updated
URL: https://secureum.xyz/
RACE archive: search "Secureum RACE" on GitHub4. Ethereum.org Developer Docs — The Official Source
When you need authoritative information about how Ethereum works, there is only one source: the official Ethereum documentation. Particularly valuable for understanding EVM mechanics, transaction lifecycle, and consensus.
Key sections for security auditors:
ethereum.org/developers/docs/
├── intro-to-ethereum/ ← Start here if brand new
├── accounts/ ← EOAs vs contracts
├── transactions/ ← Transaction structure
├── blocks/ ← Block structure
├── gas/ ← Gas mechanics
├── evm/ ← EVM opcodes and execution
├── smart-contracts/ ← Solidity overview
├── standards/tokens/erc-20/ ← ERC-20 standard (most used)
├── standards/tokens/erc-721/ ← NFT standard
└── consensus-mechanisms/ ← PoS mechanics
Most important for auditors:
1. EVM docs: understanding opcode costs and behavior
2. Transaction docs: understanding msg.sender, tx.origin, value
3. ABI specification: understanding how calls are encoded
The ABI spec is particularly important:
→ How function selectors work
→ How arguments are encoded
→ Why selector clashes happen5. OpenZeppelin Learn — Contract Patterns Reference
OpenZeppelin maintains a comprehensive library of audited, battle-tested smart contract patterns. Reading their source code and documentation is one of the best ways to learn what "correct" looks like.
OpenZeppelin Contracts Library:
https://docs.openzeppelin.com/contracts/5.x/
Essential contracts to read and understand:
Access Control:
- Ownable.sol ← Simplest ownership pattern
- AccessControl.sol ← Role-based access (RBAC)
- Pausable.sol ← Emergency pause mechanism
Token Standards:
- ERC20.sol ← Full ERC-20 implementation
- ERC721.sol ← NFT implementation
- ERC1155.sol ← Multi-token standard
Finance/DeFi:
- VestingWallet.sol ← Vesting patterns
- PaymentSplitter.sol ← Revenue sharing
Proxy Patterns:
- TransparentProxy ← Most common proxy type
- UUPS Proxy ← Upgrade logic in implementation
- ERC1967Storage ← Storage slots for proxy
Security:
- ReentrancyGuard.sol ← nonReentrant modifier
- SafeERC20.sol ← Safe token transfer wrappers
- MerkleProof.sol ← Allowlist patterns
Why read OZ source: It shows you what "correct" looks like.
When auditing a fork of OZ contracts, any deviation is a finding.6. CryptoZombies — Gamified Solidity Introduction
If you are completely new to Solidity and want to learn through a game-like experience, CryptoZombies is an excellent starting point. You build a "zombie game" on Ethereum while learning Solidity syntax progressively.
Lesson 1: Solidity Basics
- contracts, state variables, functions
- uint, structs, arrays
Lesson 2: Data Types
- mappings, addresses, msg.sender
- storage vs memory
Lesson 3: Advanced Solidity
- function modifiers, events, payable
- interfaces and multiple contracts
Lesson 4: Zombie Battle System
- calling contracts, libraries
Lesson 5-6: Advanced (Web3.js, ERC-721)
- Interacting via JavaScript
- NFT standard implementation
Best for: Complete beginners who want a fun on-ramp
Not best for: People who already know a programming language
→ They should go straight to Cyfrin Updraft
URL: https://cryptozombies.io/7. LearnWeb3.io — Structured Learning Path
LearnWeb3 provides a structured curriculum from beginner to senior level, with both Solidity and security tracks. Good for those who want a defined path with clear milestones.
Recommended Learning Path by Goal
| Week | Resource | Goal | Hours |
|---|---|---|---|
| 1-2 | Cyfrin Updraft — Blockchain Basics + Solidity 101 | Understand the foundation | 20h |
| 3-4 | Cyfrin Updraft — Foundry Fundamentals | Write and test Solidity | 20h |
| 5-6 | Ethernaut (levels 1-15) | Practice vulnerability patterns | 30h |
| 7-8 | Cyfrin Updraft — Security Course (start) | Learn audit methodology | 20h |
| 9-10 | DVDF challenges 1-6 | DeFi attack patterns | 30h |
| 11-12 | Cyfrin Updraft — Complete 5 audits | End-to-end audit practice | 30h |
| 13-16 | Secureum RACE exams + OpenZeppelin reading | Fill knowledge gaps | 40h |
| 17+ | Code4rena First Flights / Sherlock contests | Real competition auditing | Ongoing |
How to Take Notes Effectively
Tool recommendation: Obsidian (free, local markdown, linkable notes)
Alternative: Notion (free tier), GitHub wiki
Folder structure:
/vulnerabilities/ ← One file per vulnerability type
reentrancy.md
integer-overflow.md
oracle-manipulation.md
/protocols/ ← Notes on DeFi protocol mechanics
uniswap-v2.md
aave-v3.md
/findings/ ← Your own findings from CTFs/audits
[date]-[protocol]-[finding].md
/tools/ ← Commands and usage notes
foundry-cheatsheet.md
slither-tips.md
For each vulnerability, record:
- Name and category
- Code pattern (what does vulnerable code look like?)
- Exploit technique (how do you prove it?)
- Detection tips (what to search for in an audit?)
- Prevention (what's the correct fix?)
- Real world examples (with dollar amounts and links)Building Projects While Learning
The most dangerous learning trap: completing a course tutorial by following each step, then discovering you cannot build anything on your own. After each major section, close the tutorial and try to rebuild what you just learned from memory. Then check the tutorial for what you missed. This active recall approach produces 4x better retention than passive watching.
Project 1 (after Solidity basics):
Build a simple ERC-20 token WITHOUT using OpenZeppelin
Requirements: mint, burn, transfer, approve, transferFrom
Then: compare your implementation to OpenZeppelin's ERC20.sol
Finding: every difference between yours and OZ is a potential vulnerability
Project 2 (after Foundry basics):
Port your ERC-20 to Foundry tests
Write: happy path tests, edge case tests, fuzz tests
Goal: achieve 100% line coverage
Project 3 (after security course):
Find an old, simple audit report (Code4rena archive)
Read the protocol without reading the findings
Try to find the bugs yourself
Compare your list to the official findings
Project 4 (ongoing):
Weekly: read 1 post-mortem from rekt.news
Reproduce the exploit in Foundry (mainnet fork)
Write a blog post explaining what happenedCommon Mistakes Section
Starting Cyfrin Updraft, then switching to Patrick Collins' YouTube, then starting the Secureum materials — without completing any of them. The value is in completion and building projects. Pick one primary course and finish it. Use others only to supplement specific gaps.
Notes that are never reviewed are just expensive bookmarks. Schedule a weekly review: open your vulnerability library, pick 3 entries, and test yourself. Can you write the vulnerable code pattern from memory? Can you write the exploit? Regular review converts "I've seen this" into "I will always spot this".
Security auditing involves reading economic incentives, AMM math, and protocol invariants. You don't need to be a mathematician, but you must be comfortable with basic algebra and be willing to reason through formulas. Protocols that involve x * y = k, interest rate models, or reward distribution math require you to verify the math manually — calculators are fine, but understand what you're calculating.
Summary / Key Takeaways
| Resource | Best For | Time Investment | Priority |
|---|---|---|---|
| Cyfrin Updraft | Complete security curriculum | 80+ hours | 1st — do this first |
| Patrick Collins YouTube | Solidity + Foundry from scratch | 30+ hours | If new to coding |
| Secureum RACE Exams | Test and benchmark your knowledge | Monthly practice | Ongoing supplement |
| OpenZeppelin Docs | Reference for "correct" patterns | 10 hours reading | Essential reference |
| ethereum.org Docs | Authoritative EVM knowledge | 10 hours reading | Foundational reference |
| CryptoZombies | Fun beginner on-ramp | 10 hours | Only if brand new |