Cyfrin Updraft 🟩

2.6K posts

@CyfrinUpdraft

Teaching the next generation of web3 developers. 150+ hours of Smart Contract Development and Security Courses, completely for Free. Powered by @cyfrin

Start learning for free:
Joined September 2023
5 Following · 25.5K Followers
Pinned Tweet
Cyfrin Updraft 🟩@CyfrinUpdraft·
The Solana Development Course has dropped on Updraft. 12 programs. Native Rust + Anchor. Security CTFs. Completely free.
Cyfrin Updraft 🟩@CyfrinUpdraft·
This is the difference between "I tested 50 cases and it worked" and "I proved it works for every possible state of the contract." Learn formal verification with Certora and more in the Smart Contract Security course on Updraft, completely free. updraft.cyfrin.io/courses/securi…
Cyfrin Updraft 🟩@CyfrinUpdraft·
One subtle catch: `balanceBefore` is a uint256. If it's at max value, adding 1 causes overflow. The fix: use `mathint` instead of `uint256`. This gives you arbitrary precision math inside Certora rules so overflow can't silently break your proof. ⚠️
Cyfrin Updraft 🟩@CyfrinUpdraft·
Formal verification isn't just "better testing." It's mathematical proof that your code does what you claim. Here's how to prove an NFT mint function only ever mints exactly one NFT. 🧵
Cyfrin Updraft 🟩@CyfrinUpdraft·
Also make sure you're using "Injected Provider - MetaMask" as your environment, not the default Remix VM. The Remix VM is local only. If you deploy there, nothing hits the testnet. Your contract exists nowhere but your browser tab.
Cyfrin Updraft 🟩@CyfrinUpdraft·
Most people deploy their first ERC-20 and never actually verify it worked. Here's a quick checklist so you don't lose track of your contract the moment you need it. 🧵
Cyfrin Updraft 🟩@CyfrinUpdraft·
Multisig wallets don't help if signers blindly approve. Every signer needs to verify transaction data on their hardware device, not just the web interface. Learn how these attacks work and how to prevent them in the Updraft Security course: updraft.cyfrin.io/courses/securi…
Cyfrin Updraft 🟩@CyfrinUpdraft·
The UI showed a normal transfer. The actual transaction was rewriting the proxy's brain. This is why hardware wallet verification exists. The Ledger screen shows what you're actually signing, not what a potentially compromised UI displays. ⚠️
Cyfrin Updraft 🟩@CyfrinUpdraft·
The Bybit hack wasn't a smart contract bug. It was a signer not checking their hardware wallet screen. $1.4 billion gone because of one skipped verification step. 🧵
Cyfrin Updraft 🟩@CyfrinUpdraft·
This is how protocols make arbitrary calls, how proxies delegate execution, and how attackers craft malicious payloads. If you don't understand encoding at this level, you'll miss entire categories of vulnerabilities during an audit. ⚠️
Cyfrin Updraft 🟩@CyfrinUpdraft·
Most Solidity devs call functions through interfaces and never think about what's actually happening underneath. But every function call is just encoded bytes stuffed into a transaction's data field. Understanding this changes how you think about smart contracts. 🧵