Hello there,
The Solidity docs are phenomenal, but they lack a key feature: a dedicated category in the docs specific to security.
In my humble opinion, having a dedicated category that shows the most critical vulnerabilities in Solidity smart contracts would greatly benefit developers in making their contracts less prone to critical vulnerabilities.
The layout I think would work best is to first explain the vulnerability, then add a vulnerable code snippet explaining why it’s vulnerable, and after that a secure code snippet, also explaining why it’s secure. This way, developers can further enhance the security of their contracts.
It doesn’t take too much effort and it does a great deal of good for the community. Let me know what you think.
Best regards,
Diego
I believe Cyfrin is trying to do this already. You can check out Solodit by Cyfrin. I use this most of the time to check past vulnerabilities or to check whether my implementation is vulnerable.
Thanks for the comment. Solodit is indeed a great place; personally, I use it on a daily basis, but I’m referring to a site where you can learn and see the comparison of vulnerable vs. secure code snippets, plus an explanation of why that is the case. The best example of what I’m thinking of has been done by Zokyo Auditing (https://zokyo-auditing-tutorials.gitbook.io/zokyo-tutorials). It would be great, though, if the official Solidity docs had a dedicated page for this and kept it up to date with the latest attacks.
Honestly, I think it would level up the overall quality of the docs.
Best regards
Hey @ciphermalware! Thanks for proposing this category as part of the official Solidity docs.
The main focus of the Solidity compiler team is the development and maintenance of the compiler and official docs. IMO, although valuable to the community, resources like these are currently not in the scope of the team’s goals and priorities for two main reasons:
- Bandwidth constraints: Do understand that the Solidity project comprises a small team of compiler engineers. Maintaining a list of known or possible real-world vulnerabilities in Solidity contracts out in the wild from the entire ecosystem definitely does not “not take too much effort”.
It is okay to instead rely on external resources such as the EEA EthTrust Security Levels Specification v-after-2 Editor's Draft and Tutorial 1: Front-Running | Zokyo Auditing Tutorials, by teams focused on education around smart contract security and auditing.
- Encouraging community involvement: Delegating high-level education efforts around the use of the language and best practices to the community, especially auditors and security researchers, allows the team to focus on development while fostering a culture of open source and a community of experts that can help provide valuable resources for the ecosystem.
That being said, we do maintain resources such as:
…as part of the official docs and the blog in a separate category dedicated to security alerts, known bugs and vulnerabilities in the compiler.
Hope this helps you understand the team’s POV.