
This site is for educational purposes only. Nothing here constitutes financial advice.

Advanced · ~240 min total · 10 lessons

Developer Introduction to Smart Contracts

Ten lessons on how smart contracts actually work — EVM mechanics, Solidity reading, the bug classes that drain protocols, access control, oracle attacks, upgradeability, and how professional audits are structured.

Advanced · Evergreen
240 min read · Updated 2026-06-16 · Block Clarity Hub Editorial Team

About this course

A developer-facing introduction to smart contract programming on the Ethereum Virtual Machine. Lessons are reading-focused (rather than tutorial-coding-focused) — the goal is to give you the mental model to read existing contracts critically, recognise the bug classes that have drained billions of dollars, and engage productively with audit reports. Topics include the EVM as a state machine, Solidity language fundamentals, the transaction lifecycle, reentrancy and the checks-effects-interactions pattern, integer arithmetic bugs, access control and signature verification, oracle and price manipulation, proxy-based upgradeability and storage layout, the structure of professional audit reports, and a closing exploit walk-through. ~22 minutes per lesson plus a 15-question final quiz. No solutions to deploy, no audit methodology certification — just the structural literacy that lets you read contracts and audit reports critically.

What you'll be able to do

  • Describe the EVM as a state machine — stack, memory, storage, calldata, and the gas accounting that constrains every operation.
  • Read a typical Solidity contract critically, identify storage variables vs locals, and trace control flow through modifiers and external calls.
  • Recognise reentrancy patterns at the call-graph level and explain why the checks-effects-interactions ordering eliminates the class.
  • Identify the arithmetic-bug surface area in Solidity ≥0.8 (unchecked blocks, fixed-point precision loss) versus the pre-0.8 overflow / underflow surface.
  • Spot common access-control failures — missing modifier, role-system misuse, signature replay, EIP-712 typed-data mistakes.
  • Explain how oracle and price manipulation works against AMM-derived TWAPs and how flash loans amplify these attacks.
  • Read transparent and UUPS proxy contracts, identify storage layout collisions, and understand why initialiser ordering matters.
  • Decode a professional audit report (Code4rena, Spearbit, Trail of Bits format) by severity rating, attack precondition, and mitigation type.

Who this is for

  • Web2 developers (TypeScript, Python, Go, Rust) moving into Web3 who want a non-tutorial introduction to the bug classes that actually cause loss of funds.
  • Security researchers and analysts who need a faster on-ramp to reading EVM contracts critically.
  • Engineering managers and tech leads who oversee a smart-contract team and need to engage substantively with the audit process.
  • DeFi power users who already use protocols and want to understand the code they're trusting with their capital.

Who this is NOT for

  • Absolute beginners who haven't yet completed an introductory programming course — this assumes general programming literacy (functions, types, control flow).
  • Anyone looking for a 'how to deploy your first ERC-20' tutorial — this is reading-and-understanding focused, not deployment focused.
  • Anyone wanting a certification or proof-of-skill credential — there is none here; this is a literacy course.
  • Anyone wanting financial advice, token picks, or investment guidance — there is none here.

Lessons

  1. Lesson 1 — The EVM in plain English: stack, memory, storage, gas (~22 min)

     Every smart-contract bug ultimately bottoms out in EVM semantics. Today: the mental model — what the EVM is, what its memory model looks like, and how gas turns 'infinite loops are bad' into a hard physical constraint.

  2. Lesson 2 — Solidity primer: types, functions, modifiers, events (~22 min)

     The minimum Solidity vocabulary you need to read DeFi contracts critically — without trying to make you a contract author. Today: the language constructs that show up everywhere and what each is hiding.

  3. Lesson 3 — The transaction lifecycle: from eth_sendRawTransaction to inclusion (~22 min)

     Every state change starts as a signed transaction someone broadcasts. Today: the journey from your wallet's signature to a block, and the places adversaries intervene along the way.

  4. Lesson 4 — Reentrancy: the bug class that drained the DAO (~24 min)

     Reentrancy is the bug class that triggered Ethereum's first hard fork and still drains DeFi protocols. Today: the precise mechanism, why checks-effects-interactions eliminates the class, and the modern variants.

  5. Lesson 5 — Arithmetic bugs: overflow, underflow, precision loss (~22 min)

     Pre-0.8 Solidity wrapped integers silently. Post-0.8 it doesn't — except in `unchecked` blocks. Today: when overflow still matters, and why fixed-point precision loss has replaced overflow as the dominant arithmetic bug class.

  6. Lesson 6 — Access control: onlyOwner, roles, multisig, signatures (~22 min)

     Most catastrophic exploits aren't clever — they're a missing modifier on an admin function. Today: the access-control surface area, including the EIP-712 signature mistakes that have drained protocols.

  7. Lesson 7 — Oracle and price manipulation: flash loans against TWAPs (~22 min)

     When a lending or derivatives protocol asks 'what's the price of X?', the answer can be manipulated. Today: how price oracle attacks work, why spot prices from a single AMM are deadly, and what makes a robust oracle.

  8. Lesson 8 — Upgradeability: transparent and UUPS proxies, storage layout (~22 min)

     Upgradeable contracts let a project fix bugs without redeploying. They also create a new bug class: storage collisions, initialiser races, and admin-takeover-via-upgrade. Today: how proxies work and what they break.

  9. Lesson 9 — Reading audits: Code4rena, Spearbit, Trail of Bits (~22 min)

     Audit reports are the most-cited and least-read document in DeFi. Today: how to read them — severity ratings, attack preconditions, mitigation types — and which findings should make you walk away.

  10. Lesson 10 — Putting it together: walk through an exploit's commit log (~24 min)

     The closing lesson takes everything from the prior nine and applies it to a real, recent exploit — reading the exploit transaction on-chain, mapping it back to the vulnerable code, and identifying which defence would have caught it.

Final quiz

When you've worked through every lesson, pass the final quiz to mark the course complete. You can retry any number of times.


Educational only.

Nothing in this course constitutes financial, investment, tax, or legal advice. Cryptocurrency carries significant risk, including total loss. Always consult qualified professionals for advice specific to your situation. We earn nothing from any project, exchange, or tool mentioned anywhere on this site.