Domain Context
The vocabulary, ecosystem, and incident catalogue a senior smart contract security engineer should be able to speak to without searching.
Vocabulary you must know cold
If a panelist drops one of these and you have to ask what it means, you've lost the round. Read once; reread before the loop.
FV tooling vocab
| Term | Meaning |
|---|---|
| CVL | Certora Verification Language — DSL for writing specs (rules, invariants, hooks). |
| SMT | Satisfiability Modulo Theories. The class of solvers FV tools lower to. |
| z3 / cvc5 | The two dominant SMT solvers. Certora typically uses both. |
| Symbolic execution | Run the program with symbolic inputs; explore all paths. |
| Fuzzing | Run the program with random inputs; sample the input space. |
| Property-based testing | State a property; tooling generates inputs to break it. |
| Invariant testing | Foundry's --invariant mode; sequences of random calls. |
| Slither detector | A single static-analysis rule. Slither ships with ~80; you can write custom. |
| Echidna | Trail of Bits' Solidity fuzzer. Property-based. |
| Medusa | Newer Go-based Solidity fuzzer from Trail of Bits. |
| Halmos | a16z's symbolic execution of Foundry tests. OSS. |
| Kontrol | Runtime Verification's K-framework-based EVM prover. |
| Manticore / Mythril | Older symbolic execution / analysis tools. Still useful, less actively maintained. |
| Taint analysis | Tracking flow of "tainted" (e.g., user-controlled) values through the program. |
| Control-flow graph (CFG) | Graph of basic blocks and the branches between them. |
| SWC | Smart Contract Weakness Classification registry. |
| DASP | Decentralized Application Security Project (top 10). |
EVM concepts
| Term | Meaning |
|---|---|
| Yul | Solidity's intermediate language; sometimes written directly via inline assembly. |
| Transient storage | EIP-1153 storage that clears at end-of-tx. Cheap reentrancy locks. |
| Immutable | Solidity keyword; value set in constructor, baked into runtime bytecode. |
| Constant | Compile-time constant; inlined into the bytecode as a literal wherever it is used. |
| delegatecall | Call opcode that executes target code in the caller's storage / msg.sender context. |
| staticcall | Read-only external call; reverts on state modification. |
| create / create2 | Deploy opcodes. CREATE2 lets you predict the address pre-deploy. |
| selfdestruct | Deprecated for most uses post-EIP-6780. No longer clears bytecode. |
| EIP-1559 | Fee market with base fee + tip. Mostly irrelevant for security. |
| EIP-2612 permit | Off-chain signed approvals for ERC-20. |
| Permit2 | Uniswap's universal token approval contract. |
| ERC-4626 | Tokenized vault standard. The donation / share-inflation attack lives here. |
Proxy patterns
| Pattern | Notes |
|---|---|
| Transparent Proxy | OpenZeppelin classic. Admin and user paths are separated to avoid selector clashes. |
| UUPS | Universal Upgradeable Proxy Standard (EIP-1822). Upgrade logic lives in the implementation, not the proxy. |
| Beacon | EIP-1967 beacon pattern. Multiple proxies point at a beacon that points at an implementation. One upgrade affects many proxies. |
| Diamond (EIP-2535) | One proxy routes to multiple "facet" contracts via selector lookup. Complex storage layout via Diamond Storage. |
| EIP-1167 Minimal Proxy (Clone) | Tiny proxy bytecode that delegatecalls to a known implementation. Cheap to deploy. |
| EIP-1967 slots | Standard slot locations for proxy state (implementation, admin, beacon). Avoids storage collisions. |
MEV vocabulary
| Term | Meaning |
|---|---|
| MEV | Maximal Extractable Value. Value extractable by ordering / inserting txs. |
| Sandwich | Frontrun + backrun a victim swap. Extracts slippage as profit. |
| JIT (Just-In-Time) LP | Add liquidity right before a swap, remove after, capture fees. |
| Atomic arbitrage | Cross-DEX price-difference capture within one tx. |
| Intent | User signs a desired outcome ("I want N USDC for my ETH"); a solver finds the path. Limits MEV because the user never commits to an exact path on-chain. |
| PBS | Proposer-Builder Separation. Block proposers buy ready-made blocks from builders. Standard on Ethereum post-merge. |
| Flashbots | Private mempool / order flow for MEV-aware tx submission. |
| MEV-Boost | Validator-side software for PBS. |
| Order flow auction | Auction off the right to fill user orders to MEV bots; the revenue is shared with the user. |
Audit firm ecosystem
| Firm | Notes |
|---|---|
| Trail of Bits | Long-standing, breadth across crypto + non-crypto. Maintainers of Slither, Echidna, Medusa. |
| OpenZeppelin | Audits + the de-facto Solidity library. Also operates Defender for ops. |
| ChainSecurity | Zürich-based, formal-methods leaning, strong on lending and stablecoin protocols. |
| Spearbit | Marketplace + curated lead model; senior auditors on a per-engagement basis. |
| Cantina | Combination audit firm + bounty / competitive audit platform. |
| Code4rena | Competitive audit platform; many auditors compete on a fixed scope for a prize pool. |
| Sherlock | Audit + coverage / insurance product; competitive audit format. |
| Zellic | Strong on novel cryptography, ZK, and exotic VMs. |
| Sigma Prime | Australian; consensus / staking-leaning + protocol audits. |
| Halborn | Bigger shop; range across protocols and infrastructure. |
| Certora | Formal verification vendor (CVL, the Prover). Also publishes audit reports. |
| Runtime Verification | Formal verification firm (Kontrol, K-framework). |
| Hexens / Dedaub / Quantstamp / etc. | Several other firms worth knowing. |
Bounty platform ecosystem
| Platform | Notes |
|---|---|
| Immunefi | Largest by volume and dollars paid. Hosts most major DeFi bounties. |
| Hats Finance | On-chain bounty payouts via vaults; decentralized. |
| Cantina | Spans contests and bounties; growing in 2024-2025. |
| HackenProof / HackerOne | Broader (web2 too), occasional smart contract programs. |
| In-house | Some larger protocols run direct disclosure programs. |
Must-know incident catalogue
The incidents below; be able to summarize each in three sentences: root cause class, mechanism, lesson.
The DAO (2016) — $60M
Classic reentrancy in the splitDAO / withdraw flow: the external call happened before the balance update. Led to the Ethereum / Ethereum Classic fork. Lesson: CEI (checks-effects-interactions) is non-negotiable; reentrancy is the original sin of smart contracts.
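Added example, not The DAO's code or anything from the page: the interaction-before-effect ordering described above, beside a version that follows CEI and adds the EIP-1153 transient-storage lock from the EVM table. Contract names and the lock slot string are made up; it needs solc 0.8.25 or later (Cancun EVM) for tload/tstore.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.25; // tload/tstore need the Cancun EVM, the default from 0.8.25

// Constructed contract, not The DAO's code: the same interaction-before-effect ordering.
contract VulnerableVault {
    mapping(address => uint256) public balances;

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    // balances[msg.sender] is still non-zero while the external call runs, so a
    // receiver that re-enters withdraw() is paid again before the write below.
    function withdraw() external {
        uint256 amount = balances[msg.sender];
        require(amount > 0, "nothing to withdraw");
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
        balances[msg.sender] = 0; // effect after interaction: too late
    }
}

// Hardened: checks, effects, then interaction, plus an EIP-1153 transient-storage lock.
contract HardenedVault {
    mapping(address => uint256) public balances;

    // Constructed slot id. Transient storage is wiped at the end of the transaction,
    // so the lock costs no SSTORE and cannot be left stuck.
    bytes32 private constant LOCK_SLOT = keccak256("hardened.vault.reentrancy.lock");
    modifier nonReentrant() {
        bytes32 lockSlot = LOCK_SLOT; // computed constants must be copied before use in assembly
        assembly {
            if tload(lockSlot) { revert(0, 0) }
            tstore(lockSlot, 1)
        }
        _;
        assembly { tstore(lockSlot, 0) }
    }

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    function withdraw() external nonReentrant {
        uint256 amount = balances[msg.sender];            // check
        require(amount > 0, "nothing to withdraw");
        balances[msg.sender] = 0;                         // effect
        (bool ok, ) = msg.sender.call{value: amount}(""); // interaction
        require(ok, "transfer failed");
    }
}
```

The CEI ordering alone closes the hole; the lock is defence in depth for flows where the ordering is harder to see, and transient storage keeps it cheap.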
Parity multi-sig (2017) — $300M frozen
The library contract behind the wallet contract was left uninitialized; an attacker called initWallet() to become owner, then kill()'d the library, bricking every wallet that delegated to it. Lesson: initializers must be locked on implementation contracts; selfdestruct is a weapon.
bZx (2020) — $1M
Flash-loan amplified oracle manipulation. The protocol used a manipulable AMM spot price as its oracle; the attacker swapped to move the price, then borrowed against insufficient collateral at the inflated valuation. Lesson: never use a spot AMM price as an oracle; flash loans make manipulation free.
Wormhole (2022) — $325M
Bridge signature verification flaw on the Solana side. The contract didn't validate the system address used in signature verification, accepting a forged "guardian" signature. Lesson: bridge security is the floor of cross-chain DeFi; signature verification correctness is load-bearing.
Ronin Bridge (2022) — $625M
Five of nine validator keys were compromised via social engineering; the attackers signed a malicious withdrawal. Lesson: validator-set hygiene; a multi-sig threshold isn't just a number, it's a function of how well the signers are protected.
Beanstalk (2022) — $182M
Governance flash-loan attack: the attacker flash-loaned voting power, passed a malicious proposal that drained the treasury, and repaid the flash loan within the same tx. Lesson: voting power must be snapshotted at proposal time, not execution time; emergency proposals need a delay even if regular proposals don't.
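Added example, not Beanstalk's code or any real governor: a minimal governor applying both lessons, reading weight from a checkpoint at the proposal's snapshot block and delaying the emergency path too. The contract, delays and quorum are made up; IVotes is a subset of the real ERC-5805 / OpenZeppelin interface.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Subset of the ERC-5805 / OpenZeppelin IVotes interface (checkpointed voting power).
interface IVotes {
    function getPastVotes(address account, uint256 timepoint) external view returns (uint256);
    function getPastTotalSupply(uint256 timepoint) external view returns (uint256);
}
// Constructed governor, not Beanstalk's code: snapshot at proposal time plus a minimum delay.
contract SnapshotGovernor {
    struct Proposal {
        address target; bytes data;      // call made on execution
        uint256 snapshotBlock;           // voting weight is read as of this block
        uint256 earliestExec;            // nothing executes before this timestamp
        uint256 forVotes; bool executed;
        mapping(address => bool) voted;
    }
    IVotes public immutable token;
    uint256 public constant REGULAR_DELAY = 7 days;   // assumed parameters
    uint256 public constant EMERGENCY_DELAY = 1 days;
    uint256 public constant QUORUM_BPS = 5_000;       // 50% of snapshot-time supply
    uint256 public proposalCount;
    mapping(uint256 => Proposal) internal proposals;
    constructor(IVotes _token) { token = _token; }

    function propose(address target, bytes calldata data, bool emergency) external returns (uint256 id) {
        id = ++proposalCount;
        Proposal storage p = proposals[id];
        p.target = target; p.data = data;
        p.snapshotBlock = block.number - 1; // tokens flash-loaned in this tx carry no weight
        p.earliestExec = block.timestamp + (emergency ? EMERGENCY_DELAY : REGULAR_DELAY);
    }

    function castVote(uint256 id) external {
        Proposal storage p = proposals[id];
        require(!p.voted[msg.sender], "already voted");
        p.voted[msg.sender] = true;
        p.forVotes += token.getPastVotes(msg.sender, p.snapshotBlock); // historical, not live, balance
    }

    function execute(uint256 id) external {
        Proposal storage p = proposals[id];
        require(!p.executed, "executed");
        // Delay rules out propose-vote-execute in one tx, so a flash loan cannot be repaid first.
        require(block.timestamp >= p.earliestExec, "timelock");
        require(p.forVotes >= token.getPastTotalSupply(p.snapshotBlock) * QUORUM_BPS / 10_000, "quorum");
        p.executed = true;
        (bool ok, ) = p.target.call(p.data);
        require(ok, "call failed");
    }
}
```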
Curve re-entrancy (July 2023) — ~$70M
A Vyper compiler bug in specific versions miscompiled the reentrancy guard, leaving several Curve pools (and other Vyper contracts) with an effectively disabled guard. Attackers re-entered. Lesson: compiler bugs are real; pin a specific compiler version; cross-check the compiled bytecode for known-buggy patterns.
Euler Finance (2023) — $197M
A donateToReserves function that did not update the donor's debt accounting correctly, combined with a complex liquidation flow, let an attacker create an under-collateralized position by self-donating and then self-liquidating. Lesson: liquidation and accounting flows interact in subtle ways; invariants like "user health post-action ≥ threshold" must hold across complex compound operations, not just simple ones.
Mango Markets (2022) — $115M
Oracle manipulation on the MNGO token (thin market) to inflate the value of the attacker's collateral, then borrowed everything against it. Technically legal in the protocol's rules at the time of attack. Lesson: oracle quality matters; "we used the available oracle" isn't a defense if the oracle was manipulable.
Cream Finance (2021) — multiple ~$130M total
Several incidents: oracle manipulation, and a donation / share-inflation attack on the yUSD market. A money market for long-tail assets is structurally riskier than one for blue-chips because the oracles are thinner. Lesson: long-tail asset support is high-risk; per-asset risk parameters matter; consider isolated markets.
For each incident: be able to give the 30-second summary, name the root cause class from the taxonomy in 08, and name the mitigation pattern. If asked "have you seen anything like X bug class?", these are your reference points.