All Posts

Circle FFT — Part 1: Building the Circle Domain Circle STARKs is a new zk-STARK scheme that has been implemented in Stwo and Plonky3, and it has been adopted by several zkVM projects. Its key innovation lies in enabling the use of small 32-bit fields (Mersenne prime $2^{31}-1$) while still maintaining the mathematical properties needed for efficient FFT operations. […]

Multiplicative Subgroups and Primitive Elements Introduction This chapter continues our study of group theory by exploring subgroups and generators. The concept of a primitive element will be introduced at the end. We assume you are already familiar with the definition of a group. If you need a refresher, check out this article. To build intuition, […]

Square and Multiply Algorithm The square and multiply algorithm computes integer exponents in $\mathcal{O}(\log n)$ (logarithmic time). The naive way to compute an exponent $x^n$ is to multiply $x$ by itself, $n$ times, which would require $\mathcal{O}(n)$ time to compute. Suppose we want to compute $x^{20}$. Instead of multiplying $x$ with itself 20 times, we […]

Computing the Current Tick Given sqrtPriceX96 In the previous chapters, we saw that the protocol stores the square root of the price instead of the price itself. Therefore, it is necessary to relate ticks to the square root of the price in the fixed-point Q64.96 format. In this chapter, we will explore how to convert […]

Uniswap V3 Factory and the Relationship Between Tick Spacing and Fees In early chapters, we introduced the concept of ticks, which discretize the price curve. A tick is a price defined by the formula $p(i)=1.0001^i$, where $i$ is named tick index. Tick indexes are integers within the range $[-887272,887272]$, resulting in 1,774,545 ticks along the […]

ZK Proof of Selection Sort Most computations of interest are generally “stateful” — that is, they need to go through a series of steps to produce the final result. Sometimes, we do not need to show we executed the computation but only show the result. For example, if A is a list, we can prove […]

How a ZKVM Works A Zero-Knowledge Virtual Machine (ZKVM) is a virtual machine that can create a ZK-proof that verifies it executed a set of machine instructions correctly. This allows us to take a program (a set of opcodes), a virtual machine specification (how the virtual machine behaves, what opcodes it uses, etc), and prove […]

The Permutation Argument A permutation argument is a proof that two lists hold the same elements, but possibly in a different order. For example, [2,3,1] is a permutation of [1,2,3] and vice-versa. The permutation argument is useful for proving one list is a sorted version of another. That is, if list B has the same […]

ZK Friendly Hash Functions ZK-friendly hash functions are hash functions that require much fewer constraints to prove and verify than traditional cryptographic hash functions. Hash functions such as SHA256 or keccak256 make heavy use of bitwise operators such as XOR or bit rotation. Proving the correct execution of XOR or bit rotation requires representing the […]

MD5 Hash In Circom In this tutorial, we will implement the MD5 hash in Circom both to compute the hash and to constrain in Circom that it was computed correctly. Although the MD5 hash function is not cryptographically secure (since collisions have been found), the mechanics are similar to cryptographically secure hash functions. Importantly, the […]

32-Bit Emulation in ZK The default datatype in ZK is the field element, where all arithmetic is done modulo a large prime number. However, most “real” computation is done using 32, 64, or 256-bit numbers depending on the virtual machine or execution environment. Why Do We Need 32-Bit Emulation? Many cryptographic hash functions operate on […]

Modeling the Stack Data Structure in ZK This tutorial shows how to create a stack in Circom. Be warned — this chapter is long. However, the strategy for creating ZK proofs about stacks will be essential when we create a simple ZK Virtual Machine (ZKVM) in the next chapter. Most of the work for understanding […]

Swapping Two Items in an Array in Circom This chapter shows how to swap two signals in a list of signals. This is an important subroutine for a sorting algorithm. More generally, lists are a fundamental building block for more interesting functions like hash functions or modeling memory in a CPU, so we must learn […]

Introduction to Stateful Computations in ZK When carrying out iterative computations such as powers, factorials, or computing the Fibonacci sequence, we need to “stop the computation” after a certain point. For example, if we are computing $x^7$, we would multiply $x$ by itself seven times. However, conditional stopping is not possible in an arithmetic circuit. […]

Quin Selector The Quin Selector is a design pattern that allows us to use a signal as an index for an array of signals. As a prerequisite, we assume the reader has read the chapter on Conditional Statements in Circom. The following code does not compile, but it illustrates what we are trying to accomplish: […]

Conditional Statements in Circom Circom is very strict with the usage of if-statements. The following rules must be followed: Signals cannot be used to alter the behavior of an if-statement. A signal cannot be assigned a value inside an if-statement. The example circuit below demonstrates both violations: template Foo() { signal input in; signal input […]

Circom Components in a Loop Circom does not allow for components to be directly instantiated in a loop. For example, compiling the following code results in the error below. include "./node_modules/circomlib/circuits/comparators.circom"; template IsSorted(n) { signal input in[n]; for (var i = 0; i < n; i++) { component lt = LessEqThan(252); // error here lt.in[0] […]

Compute Then Constrain “Compute then constrain” is a design pattern in ZK circuits where an algorithm’s correct output is first computed without constraints. The correctness of the solution is then verified by enforcing invariants related to the algorithm. Motivation for compute then constrain If one were limited to only using add, multiply, and assign-then-constrain (==>), […]

Indicate Then Constrain If we want to say that “x can be equal to 5 or 6” we can simply use the following constraint: (x - 6) * (x - 5) === 0 However, suppose we want to say that “x is less than 5 or x is greater than 17.” In this case, we […]

Intermediate Signals and Sub-Component Circom’s primary purpose is to compile down to a Rank 1 Constraint System (R1CS), but its secondary purpose is to populate the witness. For most circuits, the value of a few signals determines what the rest of the signals will be. For example, it may seem a bit redundant to supply […]

Symbolic Variables in Circom A symbolic variable in Circom is a variable that has been assigned values from a signal. When a signal is assigned to a variable (thereby turning it into a symbolic variable), the variable becomes a container for that signal and for any arithmetic operations applied to it. A symbolic variable is […]

Quadratic Constraints Circom Constraints A Rank 1 Constraint System has at most one multiplication between signals per constraint. This is called a “quadratic” constraint. Any constraint containing an operation other than addition or multiplication will be rejected by Circom with the “Non quadratic constraints are not allowed” error. The following two examples will not compile […]

Circom Template Parameters, Variables, Loops, If Statements, Assert This chapter covers essential syntax, which you’ll see in most Circom programs. With Circom, we’re able to define a Rank 1 Constraint System (R1CS) using code instead of explicitly defining each constraint. We’ll explore those tools in this chapter. Template Parameters Previously, we looked at a circuit […]

Hello World Circom Introduction This chapter shows the relationship between Circom code and the Rank 1 Constraint System (R1CS) it compiles to. Understanding R1CSs is critical to understanding Circom, so be sure to brush up on Rank 1 Constraint Systems if you haven’t already. To explain the workings of Circom, we will start with a […]

Introduction to ZK Circuits with Circom Circom is a programming language for creating Rank 1 Constraint Systems (R1CS) and populating the witness vector of the R1CS. The R1CS format is of interest because of the utility of that format for constructing SNARKs, particularly Groth16. With SNARKs, we enable verifiable computation, allowing us to prove the […]

Tick limits in Uniswap V3 The smallest tick in Uniswap v3 is -887,272 and the largest tick is 887,272. This chapter explains the rationale behind this range, which is based on finding the tick that corresponds to the highest price that can be stored in the protocol. Price limit In the previous chapter, we saw […]

Square Root Price in Uniswap V3 In Uniswap V2, the protocol tracks token reserves and derives the spot price, $p_x=y/x$, and total liquidity, $L=xy$, where $x$ and $y$ are the reserves of tokens X and Y. Uniswap V3, instead, tracks the current price and liquidity, and derives the reserves. This calculation is complex and will […]

ERC-6909 Minimal Multi-Token Standard The ERC-6909 token standard is a streamlined alternative to the ERC-1155 token standard. The ERC-1155 standard introduced a multiple-token interface that allows a single smart contract to incorporate fungible and non-fungible tokens (i.e., ERC20 & ERC721). ERC-1155 addressed several challenges, such as reducing deployment costs, minimizing redundant bytecode on the Ethereum […]

Coding a Solidity rebase token A “rebase token” (sometimes “rebasing token”) is an ERC-20 token where the total supply, and the balances of token holders, can change without transfers, minting, or burning. DeFi protocols often use rebasing tokens to track the amount of asset it owes to a depositor — including profit the protocol made. […]

The Diamond Proxy Pattern Explained The Diamond Pattern (ERC-2535) is a proxy pattern where the proxy contract uses multiple implementation contracts simultaneously, unlike the Transparent Upgradeable Proxy and UUPS, which rely on just one implementation contract at a time. The proxy contract determines which implementation contract to delegatecall based on the function selector of the […]

Q Number Format Q number format is a notation for describing binary fixed-point numbers. A fixed-point number is a popular design pattern in Solidity for storing fractional values, since the language does not support floating point numbers. Thus, to “capture” the fractional portion of a number, we multiply the fraction by a whole number so […]

Introduction to Proxies Proxy contracts enable smart contracts to retain their state while allowing their logic to be upgraded. By default, smart contracts cannot be upgraded because deployed bytecode cannot be modified. The only mechanism in the EVM to change bytecode is to deploy a new contract. However, the storage in this new contract would […]

Introducing ticks in Uniswap V3 This article explains what ticks are in Uniswap V3. Ticks enable gas-efficient accounting of concentrated liquidity, so let’s quickly review concentrated liquidity first. Concentrated liquidity means that liquidity is not necessarily constant across the price curve like Uniswap V2. Liquidity providers can choose segments in the price curve to place […]

How Concentrated Liquidity in Uniswap V3 Works This article explains how Uniswap V3 implements concentrated liquidity. We assume the reader already understands Uniswap V2. To understand concentrated liquidity, we first need to precisely define liquidity, which itself depends on understanding the reserves. Reserve The reserve of a token is the balance of a specific tradeable […]

ERC-1155 Multi Token Standard The ERC-1155 standard describes how to create both fungible and non-fungible tokens then incorporate them into a single smart contract. This saves significant deployment costs when several tokens are involved. Imagine you are a game developer trying to incorporate NFTs and ERC-20 tokens into your platform, representing various types of assets […]

Range Proof A range proof in the context of inner product arguments is a proof that the scalar $v$ has been committed to $V$ and $v$ is less than $2^n$ for some non-negative integer $n$. This article shows how the Bulletproofs paper constructs such a proof. The high level idea is that if we can […]

Reducing the number of equality checks (constraints) through random linear combinations Random linear combinations are a common trick in zero knowledge proof algorithms to enable $m$ equality checks to be probabilistically checked with a single equality check. Suppose we have $m$ inner products we are trying to prove. Instead of creating $m$ proofs, we create […]

Inner Product Algebra In this article, we give some useful algebraic tricks for inner products that will be useful in deriving range proofs (and encoding circuits as inner products) later. Each rule will be accompanied by a simple proof. Notation Variables in bold, like $\mathbf{a}$, denote a vector. Variables not in bold, like $v$, denote […]

Bulletproofs ZKP: Zero Knowledge and Succinct Proofs for Inner Products Bulletproofs ZKPs allow a prover to prove knowledge of an inner product with a logarithmic-sized proof. Bulletproofs do not require a trusted setup. In the previous chapters, we showed how to prove knowledge of an inner product without revealing the vectors or the inner product, […]

Logarithmic sized proofs of commitment In a previous chapter, we showed that multiplying the sums of elements of the vectors $\mathbf{a}$ and $\mathbf{G}$ computes the sum of the outer product terms, i.e. $\sum \mathbf{a}\otimes\mathbf{G}=\sum\mathbf{a}\sum\mathbf{G}$. We also showed that the outer product “contains” the inner product along its main diagonal. To “extract” the inner product $\langle\mathbf{a},\mathbf{G}\rangle$, […]

Succinct proofs of a vector commitment If we have a Pedersen vector commitment $A$ which contains a commitment to a vector $\mathbf{a}$ as $A = a_1G_1 + a_2G_2+\dots + a_nG_n$ we can prove we know the opening by sending $\mathbf{a}$ to the verifier who would check that $A \stackrel{?}= a_1G_1 + \dots + a_nG_n$. This […]

A Zero Knowledge Proof for the Inner Product An inner product argument is a proof that the prover carried out the inner product computation correctly. This chapter shows how to construct a zero knowledge proof for an inner product argument. In the previous chapter, we showed how to multiply two scalars together in a zero […]

Zero Knowledge Multiplication Zero Knowledge Multiplication of Polynomials Using the polynomial commitment scheme from the previous chapter, a prover can show that they have three polynomials $l(x)$, $r(x)$, and $t(x)$ and prove that $t(x) = l(x)r(x)$. For this algorithm to work, the verifier must believe that the polynomial evaluations are correct — but this is […]

Introduction to ZK Bulletproofs Bulletproofs are a zero knowledge inner product argument, which enable a prover to convince a verifier that they correctly computed an inner product. That is, the prover has two vectors $\mathbf{a} = [a_1, a_2, \dots, a_n]$ and $\mathbf{b} = [b_1, b_2, \dots, b_n]$ and they computed $v = \langle\mathbf{a},\mathbf{b}\rangle=a_1b_1+a_2b_2 + \dots […]

Storage Slots of Dynamic Types (Mappings, Arrays, Strings, Bytes) Dynamic-sized types in Solidity (sometimes referred to as complex types) are data types with variable size. They include mappings, nested mappings, arrays, nested arrays, strings, bytes, and structs that contain any of those types. This article shows how they are encoded and kept in storage. Mappings […]

Assembly revert Reverting transactions using inline assembly can be more gas-efficient than using the high-level Solidity revert or require statement. In this guide, we’ll explore how the different types of reverts in Solidity work under the hood by simulating their implementations in assembly. The example below shows that the revert statement in the assembly version […]

get_D() and get_y() in Curve StableSwap This article shows algebraically step-by-step how the code for get_D() and get_y() are derived from the StableSwap invariant. Given the StableSwap Invariant: $$ An^n\sum x_i +D=An^nD+\frac{D^{n+1}}{n^n\prod x_i} $$ There are two frequent math operations we wish to conduct with it: Compute $D$ given fixed values for $A$, and the […]

20 Common Solidity Beginner Mistakes Our intent is not to be patronizing towards developers early in their journey with this article. Having reviewed code from numerous Solidity developers, we’ve seen some mistakes occur more frequently and we list those here. By no means is this an exhaustive list of mistakes a Solidity developer can make. […]

The intuition behind elliptic curve digital signatures (ECDSA) This article explains how the ECDSA (Elliptic Curve Digital Signature Algorithm) works as well as why it works. We will incrementally “rediscover” the algorithm from first principles in this tutorial. Prerequisites We assume prior knowledge of Elliptic Curve Arithmetic Elliptic Curve Arithmetic in Finite Fields Digital Signature […]

Smart Contract Foundry Upgrades with the OpenZeppelin Plugin Upgrading a smart contract is a multistep and error-prone process, so to minimize the chances of human error, it is desirable to use a tool that automates the procedure as much as possible. Therefore, the OpenZeppelin Upgrade Plugin streamlines deploying, upgrading and managing smart contracts built with Foundry or […]

UUPS: Universal Upgradeable Proxy Standard (ERC-1822) The UUPS pattern is a proxy pattern where the upgrade function resides in the implementation contract, but changes the implementation address stored in the proxy contract via a delegatecall from the proxy. The high level mechanism is shown in the animation below: Similar to the Transparent Upgradeable Proxy, the […]

Trusted Setup A trusted setup is a mechanism ZK-SNARKs use to evaluate a polynomial at a secret value. Observe that a polynomial $f(x)$ can be evaluated by computing the inner product of the coefficients with successive powers of $x$: For example, if $f(x)=3x^3+2x^2+5x+10$, then the coefficients are $[3,2,5,10]$ and we can compute the polynomial as […]

The Schwartz-Zippel Lemma and its application to Zero Knowledge Proofs Nearly all ZK-Proof algorithms rely on the Schwartz-Zippel Lemma to achieve succintness. The Schwartz-Zippel Lemma states that if we are given two polynomials $p(x)$ and $q(x)$ with degrees $d_p$ and $d_q$ respectively, and if $p(x) \neq q(x)$, then the number of points where $p(x)$ and […]

Building a Zero Knowledge Proof from an R1CS Given an arithmetic circuit encoded as a Rank 1 Constraint System, it is possible to create a ZK-proof of having a witness, albeit not a succinct one. This article describes how to accomplish that. A zero knowledge proof for an R1CS is accomplished by converting the witness […]

Lagrange Interpolation with Python Lagrange interpolation is a technique for computing a polynomial that passes through a set of $n$ points. Interpolating a vector as a polynomial Examples A straight line through two points Consider that if we have two points, they can be interpolated with a line. For example, given $(1, 1)$ and $(2, […]

Polynomial Commitments Via Pedersen Commitments A polynomial commitment is a mechanism by which a prover can convince a verifier a polynomial $p(x)$ has an evaluation $y = p(x)$ at point $x$ without revealing anything about $p(x)$. The sequence is as follows: The prover sends to the verifier a commitment $C$, “locking in” their polynomial. The […]

Homomorphisms by Example A homomorphism between two groups exists if a structure preserving map between the two groups exists. Suppose we have two algebraic data structures $(A,\square)$ and $(B, \blacksquare)$, where the binary operator of $A$ is $\square$ and the binary operator of $B$ is $\blacksquare$. A homomorphism from $A$ to $B$ exists if and […]

Elementary Group Theory for Programmers This article provides several examples of algebraic groups so that you can build an intuition for them. A group is a set with: a closed binary operator the binary operator is also associative an identity element every element having an inverse We also discussed abelian groups. An abelian group has […]

Abstract Algebra Abstract Algebra is the study of sets that have one or more operators on that set. For our purposes, we only care about sets where the operator is a binary operator. Given a set with a binary operator, we can categorize those sets based on how the binary operator behaves, and what elements […]

Try Catch and all the ways Solidity can revert This article describes all the kinds of errors that can happen when a smart contract is called, and how the Solidity Try / Catch block responds (or fails to respond) to each of them. To understand how Try / Catch works in Solidity, we must understand […]

The Beacon Proxy Pattern Explained A Beacon Proxy is a smart contract upgrade pattern where multiple proxies use the same implementation contract, and all the proxies can be upgraded in a single transaction. This article explains how this proxy pattern works. Prerequisites We are going to assume that you already know how a minimal proxy […]

Storage Slots in Solidity: Storage Allocation and Low-level assembly storage operations This article examines the storage architecture of the Ethereum Smart Contracts. It explains how variables are kept in the EVM storage and how to read and write to storage slots using low-level assembly (Yul). This information is a prerequisite to understanding how proxies in […]

AliasCheck and Num2Bits_strict in Circomlib An alias bug in Circom (or any ZK circuit language) occurs when a binary array of signals encodes a number larger than the field element can hold. We will refer to signals and field elements interchangeably in this article. We refer to the characteristic of the field as p. Loosely […]

Invariant Testing in Foundry Introduction In this article, we will discuss invariants and how to perform an invariant test on solidity smart contracts using foundry test suites. Invariant testing is another test methodology like unit test and fuzzing to verify the correctness of code. If you are unfamiliar with unit tests, please see our article […]

ERC-7201 Storage Namespaces Explained ERC-7201 (formerly EIP-7201) is a standard for grouping storage variables together by a common identifier called a namespace, and also to document the group of variables via NatSpec annotation. The purpose of the standard is to simplify managing storage variables during upgrades. Namespaces Namespaces are a common approach in programming languages […]

Fixed Point Arithmetic in Solidity (Using Solady, Solmate, and ABDK as Examples) A fixed-point number is an integer that stores only the numerator of a fraction — while the denominator is implied. This type of arithmetic is not necessary in most programming languages because they have floating point numbers. It is necessary in Solidity because […]

The Transparent Upgradeable Proxy Pattern Explained in Detail The Transparent Upgradeable Proxy is a design pattern for upgrading a proxy while eliminating the possibility of a function selector clash. A functional Ethereum proxy needs at least the following two features: A storage slot holding the address of the implementation contract A mechanism for an admin […]

Understanding ABI encoding for function calls ABI encoding is the data format used for making function calls to smart contracts. It is also how smart contracts encode data when making calls to other smart contracts. This guide will show how to interpret ABI encoded data, how to compute the ABI encoding, and teach the relationship […]

Cross Program Invocation In Anchor Cross Program Invocation (CPI) is Solana’s terminology for a program calling the public function of another program. We’ve already done CPI before when we sent a transfer SOL transaction to the system program. Here is the relevant snippet by way of reminder: pub fn send_sol(ctx: Context<SendSol>, amount: u64) -> Result<()> […]

Nodelegatecall Explained The nodelegatecall modifier prevents delegatecalls from being sent to a contract. We will first show the mechanism for how to accomplish this then later discuss the motivation for why one might do this. Below, we’ve simplified the nodelegatecall modifier originally created by Uniswap V3’s noDelegateCall: contract NoDelegateCallExample { address immutable private originalAddress; constructor() […]

Reading Another Anchor Program’s Account Data On Chain In Solidity, reading another contract’s storage requires calling a view function or the storage variable being public. In Solana, an off-chain client can read a storage account directly. This tutorial shows how an on-chain Solana program can read the data in an account it does not own. […]

Delegatecall: The Detailed and Animated Guide This article explains how delegatecall works in detail. The Ethereum Virtual Machine (EVM) offers four opcodes for making calls between contracts: CALL (F1) CALLCODE (F2) STATICCALL (FA) and DELEGATECALL (F4). Notably, the CALLCODE opcode has been deprecated since Solidity v5, being replaced by DELEGATECALL. These opcodes have a direct […]

Low Level Call vs High Level Call in Solidity A contract in Solidity can call other contracts via two methods: through the contract interface, which is considered a high-level call, or by using the call method, which is a low-level approach. Despite both methods using the CALL opcode, Solidity handles them differently. In this article, we’ll compare […]

Finite Fields and Modular Arithmetic for ZK Proofs This article is the third in a series. We present finite fields in the context of circuits for zero-knowledge proofs. The previous chapters are P vs NP and its Application to Zero Knowledge Proofs and Arithmetic Circuits. In the previous chapter on arithmetic circuits, we pointed out […]

Arithmetic Circuits for ZK In the context of zero-knowledge proofs, an arithmetic circuit is a system of equations that models a problem in NP. A key point from our article on P vs NP is that any solution to a problem in P or NP can be verified by modeling the problem as a Boolean […]

Uniswap V2: Calculating the Settlement Price of an AMM Swap This article explains how to determine the price settlement of a trading pair in an Automated Market Maker (AMM). It answers the question of “How many token X can be swapped for token Y from the AMM?”. The swap() function on Uniswap V2 requires you […]

P vs NP and its application to zero knowledge proofs The P = NP problem asks: “If we can quickly verify a solution to a problem is correct, can we also quickly compute the solution?” Most researchers believe the answer is no, i.e., P ≠ NP. By understanding the P vs NP problem, we can […]

[derive(Accounts)] in Anchor: different kinds of accounts #[derive(Accounts)] in Solana Anchor is an attribute-like macro for structs that holds references to all the accounts the function will access during its execution. In Solana, every account the transaction will access must be specified in advance One reason Solana is so fast is that it executes transactions […]

Three ways to detect if an address is a smart contract This article describes three methods in Solidity for determining if an address is a smart contract: Check if msg.sender == tx.origin. This is not a recommended method, but because many smart contracts use it, we discuss this method for completeness. The second (and recommended […]

ERC-1363 Standard Explained ERC-1363 enables a smart contract to detect and respond to an incoming transfer of tokens. What problem does ERC-1363 Solve? Suppose a user transfers an ERC-20 token to a contract. The smart contract cannot credit the user for the transfer because it has no mechanism to see who made the transfer. Although […]

Creating Raw Ethereum Interactions in Go: Blob Transactions, Tracing Transactions, and Others. The ethclient package from Go-Ethereum (Geth) provides an API wrapper for JSON-RPC requests to the Ethereum network, similar to web3.js and ethers.js. However, some capabilities of the JSON-RPC, like transaction tracing, are not exposed in API of ethclient (and web3.js and ethers.js). This […]

Understanding the Function Selector in Solidity The function selector is a 4 byte id that Solidity uses to identify functions under the hood. The function selector is how a Solidity contract knows which function you are trying to call in the transaction. You can see the 4 byte id using the .selector method: pragma solidity […]

How ERC721 Enumerable Works An Enumerable ERC721 is an ERC721 with added functionality that enables a smart contract to list all the NFTs an address owns. This article describes how ERC721Enumerable functions and how we can integrate it into an existing ERC721 project. We’ll use Open Zeppelin’s popular implementation of ERC721Enumerable for our explanation. Prerequisites […]

Checklist for Technical Writing Fluff Are fluff transitions removed? (” It is important to note,” Why did they do this?”, “Here’s how we can solve this problem.”) Sometimes, they are necessary for flow, but most can be removed. “It is important to note” is the most overused phrase in technical writing. Don’t use it. If […]

Hacking Underconstrained Circom Circuits With Fake Proofs The <-- operator in Circom can be dangerous because it assigns values to signals but does not constrain them. But how do you actually exploit write a POC (proof of concept) for this vulnerability? We will be hacking the following circuit: pragma circom 2.1.8; template Mul3() { signal […]

Modifying accounts using different signers In our Solana tutorials thus far, we’ve only had one account initialize and write to the account. In practice, this is very restrictive. For example, if user Alice is transferring points to Bob, Alice must be able to write to an account initialized by user Bob. In this tutorial we […]

Deleting and Closing Accounts and Programs in Solana In the Anchor framework for Solana, close is the opposite of init (initializing an account in Anchor) — it reduces the lamport balance to zero, sending the lamports to a target address, and changes the owner of the account to be the system program. Here is an […]

PDA (Program Derived Address) vs Keypair Account in Solana A program derived address (PDA) is an account whose address is derived from the address of the program that created it and the seeds passed in to the init transaction. Up until this point, we’ve only used PDAs. It is also possible to create an account […]

Owner vs Authority in Solana Newcomers to Solana are frequently confused by the distinction between an “owner” and an “authority.” This article attempts to clear up the confusion as succinctly as possible. Owner vs Authority Only programs can write data to accounts — specifically, only to accounts they own. A program cannot write data to […]

Multicall in Solana: Batching Transactions and Transaction Size Limit Solana has multicall built in In Ethereum, we use the multicall pattern if we want to batch multiple transactions together atomically. If one fails, the rest fails. Solana has this built into the runtime, so we don’t need to implement a multicall. In the example below, […]

Init_if_needed in Anchor and the Reinitialization Attack In previous tutorials, we’ve had to initialize an account in a separate transaction before we can write data to it. We may wish to be able to initialize an account and write data to it in one transaction to simplify things for the user. Anchor provides a handy […]

Understanding Account Ownership in Solana: Transferring SOL out of a PDA The owner of an account in Solana is able to reduce the SOL balance, write data to the account, and change the owner. Here is the summary of account ownership in Solana: The system program owns wallets and keypair accounts that haven’t been assigned […]

Transferring SOL and building a payment splitter: “msg.value” in Solana This tutorial will introduce the mechanism by which Solana Anchor programs can transfer SOL as part of the transaction. Unlike Ethereum where wallets specify msg.value as part of the transaction and “push” the ETH to the contract, Solana programs “pull” the Solana from the wallet. […]

Function modifiers (view, pure, payable) and fallback functions in Solana: why they don’t exist Solana does not have fallback or receive functions A Solana transaction must specify in advance the accounts it will modify or read as part of a transaction. If a “fallback” function accesses an indeterminant account, then the entire transaction will fail. […]

Reading an account balance in Anchor: address(account).balance in Solana Reading an account balance in Anchor Rust To read the Solana balance of an address inside a Solana program, use the following code: use anchor_lang::prelude::*; declare_id!("Gnf6u7S7fGJbqEGH9PuDE5Prq6f6ZrDxHY3jNJ4SYySQ"); #[program] pub mod balance { use super::*; pub fn read_balance(ctx: Context<ReadBalance>) -> Result<()> { let balance = ctx.accounts.acct.to_account_info().lamports(); msg!("balance in […]

Cost of storage, maximum storage size, and account resizing in Solana When allocating storage space, the payer must pay a certain number of SOL per byte allocated. Solana calls this the “rent”. This name is a bit misleading because it implies a monthly top-up is required, but this is not always the case. Once the […]

Creating “mappings” and “nested mapping” in Solana In the previous tutorials, the seeds=[] parameter was always empty. If we put data into it, it behaves like a key or keys in a Solidity mapping. Consider the following example: contract ExampleMapping { struct SomeNum { uint64 num; } mapping(uint64 => SomeNum) public exampleMap; function setExampleMap(uint64 key, […]

Read account data with Solana web3 js and Anchor This tutorial shows how to read account data directly from the Solana web3 Javascript client so that a web app could read it on the frontend. In the previous tutorial we used solana account <account address> to read the data we wrote, but this won’t work […]

Solana counter tutorial: reading and writing data to accounts In our previous tutorial, we discussed how to initialize an account so that we could persist data in storage. This tutorial shows how to write to an account we have already initialized. Below is the code from the previous tutorial on initializing Solana accounts. We have […]

Initializing Accounts in Solana and Anchor Up until this point, none of our tutorials have used “storage variables” or stored anything permanent. In Solidity and Ethereum, a more exotic design pattern to store data is SSTORE2 or SSTORE3 where the data is stored in the bytecode of another smart contract. In Solana, this is not […]

Introduction to Solana Compute Units and Transaction Fees In Ethereum, the price of a transaction is computed as $\text{gasUsed} \times \text{gasPrice}$. This tells us how much Ether will be spent to include the transaction on the blockchain. Before a transaction is sent, a gasLimit is specified and paid upfront. If the transaction runs out of […]

ERC20 Votes: ERC5805 and ERC6372 ERC20 Votes Knowledge of ERC20 Snapshot is assumed, please refer to our article on ERC20 Snapshot for an introduction to the subject. ERC20 Votes does not actually handle conducting the poll, it’s still a regular ERC20 token with snapshot and delegated voting abilities. Voting is usually handled by governance contracts. […]

Tx.origin, msg.sender, and onlyOwner in Solana: identifying the caller In Solidity, the msg.sender is a global variable that represents the address that called or initiated a function call on a smart contract. The global variable tx.origin is the wallet that signed the transaction. In Solana, there is no equivalent to msg.sender. There is an equivalent […]

Solana logs, “events,” and transaction history Solana programs can emit events similar to how Ethereum emits events, though there are some differences we will discuss. Specifically, events in Solana are intended to pass information to the frontend rather than document past transactions. To get past history, Solana transactions can be queried by address. Solana Logs […]

Solana Sysvars Explained In Solana, sysvars are read-only system accounts that give Solana programs access to the blockchain state as well as network information. They are similar to Ethereum global variables, which also enable smart contracts to access network or blockchain state information, but they have unique public addresses like the Ethereum precompiles. In Anchor […]

The Solana clock and other “block” variables Today we will cover the analogs of all the block variables from Solidity. Not all of them have 1-1 analogs. In Solidity, we have the following commonly used block variables: block.timestamp block.number blockhash() And the lesser known ones: block.coinbase block.basefee block.chainid block.difficulty / block.prevrandao We assume you already […]

Visibility and “inheritance” in Rust and Solana Today we will be learning how Solidity’s function visibility and contract inheritance can be conceptualized in Solana. There are four levels of function visibility in Solidity, they are: public – accessible from within the contract and externally. external – accessible from outside the contract only. internal – accessible […]

Rust Structs and Attribute-like and Custom Derive Macros Attribute-like and custom derive macros in Rust are used to take a block of Rust code and modify it in some way at compile time, often to add functionality. To understand attribute-like and custom derive macros in Rust, we first need to briefly cover implementation structs in […]

Rust function-like procedural Macros This tutorial explains the distinction between functions and function like macros. For example, why does msg! have an exclamation point after it? This tutorial will explain this syntax. As a strongly typed language, Rust cannot accept an arbitrary number of arguments to a function. For example, the Python print function can […]

The unusual syntax of Rust Readers coming from a Solidity or Javascript background may find Rust’s usage and syntax of &, mut, <_>, unwrap(), and ? to be weird (or even ugly). This chapter explains what these terms mean. Don’t worry if everything doesn’t sink in right away. You can always come back to this […]

Basic Rust for Solidity Developers This tutorial goes over the most commonly used syntax in Solidity and demonstrates the equivalent in Rust. If you want a high level overview of the differences of Rust vs Solidity please see the linked tutorial. This tutorial assumes you already know Solidity, so please see our free Solidity tutorial […]

Solana programs are upgradeable and do not have constructors In this tutorial we will peek behind the scenes of anchor to see how a Solana program gets deployed. Let’s look at the test file anchor creates for us when we run anchor init deploy_tutorial: describe("deploy_tutorial", () => { // Configure the client to use the […]

Require, Revert, and Custom Errors in Solana In Ethereum, we often see a require statement restricting the values a function argument can have. Consider the following example: function foobar(uint256 x) public { require(x < 100, "I'm not happy with the number you picked"); // rest of the function logic } In the code above, the […]

Solana Anchor Program IDL The IDL (Interface Definition Language) is a JSON file that describes how to interact with a Solana program. It is automatically generated by the Anchor framework. There is nothing special about the function called “initialize” — it’s a name Anchor picks. What we will learn in this tutorial is how the […]

Arithmetic and Basic Types in Solana and Rust Today we will learn how to create a Solana program that accomplishes the same things as the Solidity contract below. We will also learn how Solana handles arithmetic issues like overflow. contract Day2 { event Result(uint256); event Who(string, address); function doSomeMath(uint256 a, uint256 b) public { uint256 […]

Solana Hello World (Installation and Troubleshooting) This is a Solana hello world tutorial. We will walk you through the steps to install Solana and troubleshoot issues that may arise. If you encounter an issue, please check the Troubleshooting section at the end of this article. Installation steps Install Rust Skip this if you already have […]

Layer 2 Calldata Gas Optimization Update for mid 2024 As of the Dencun upgrade, calldata optimization doesn’t have as much of an impact since the transactions on most L2s are stored on blobs, instead calldata. We keep this article for historical purposes. When developing applications on an L2, the majority of gas costs come from […]

How Chainlink Price Feeds Work Chainlink price oracles are smart contracts with public view functions that return the price of a particular asset denominated in USD. Off-chain nodes collect the prices from various sources like exchanges and write the price data to the smart contract. Here is the smart contract for getting the price of […]

How Compound V3 Allocates COMP Rewards Compound issues rewards in COMP tokens to lenders and borrowers in proportion to their share of the a market’s lending and borrowing. The algorithm is extremely similar to the MasterChef Staking Algorithm, so the reader should familiarize themselves with that first. High level overview of Compound V3 rewards Similar […]

Bulkers in Compound V3 The bulker contracts in Compound V3 are multicall-like contracts for batching several transactions. For example, if we wanted to supply Ether, LINK, and wBTC as collateral and borrow USDC against it in one transaction, we can do that. We can also reduce the collateral holdings and withdraw a loan in one […]

Understanding Collateral, Liquidations, and Reserves in Compound V3 In this chapter we will examine the following topics about Compound V3: collateral valuation absorbing insufficiently collateralized loans (liquidations) selling absorbed collateral what reserves are and how reserves affect liquidations. These are a lot of topics to go over in one article, but they are all heavily […]

cUSDC V3 (Compound V3) as a non-standard Rebasing Token, CometExt.sol The Compound V3 contract behaves like a rebasing ERC 20 token. A rebasing token is a token which has an algorithmically adjusted supply rather than a fixed one. The “token” here represents the present value of positive USDC balances. That is, lenders can transfer the […]

DeFi Interest Rate Indexes: Principal value and Present Value in Compound V3 The intuitive way to track lender deposits is to record the amount of USDC they deposited and the time they deposited. Compound V3 does not do this. Instead, similar to SushiSwap Masterchef Staking Algorithm, Compound V3 tracks the hypothetical gain of one dollar […]

Compound V3 Interest Per Second The Compound V3 protocol measures interest on the scale of seconds. The Compound V3 frontend scales the number up to years for human friendliness. When we check the interest rate parameters for Compound V3 on Etherscan, we see the following parameters for borrowers. In the following section, we will corroborate these parameters […]

The Architecture of the Compound V3 Smart Contract Introduction and prerequisites Compound is one of the most significant lending protocols in DeFi, having inspired the design of nearly every lending protocol on several blockchains. This article explains the smart contract architecture of V3. Since Compound is a lending protocol, we assume the reader is familiar […]

DeFi Lending: Liquidations and Collateral In TradFi, when someone defaults on a loan, the creditor has the right to seize assets or garnish wages. In DeFi, when someone defaults on a loan it isn’t possible to take assets from their wallet. To enforce repayment, users must deposit a larger notional value of cryptocurrency than they […]

The Fallback Extension Pattern The fallback-extension pattern is a simple way to circumvent the 24kb smart contract size limit. Suppose we have functions foo() and bar() in our primary contract and wish to add baz() but cannot due to a lack of space. We add a fallback function to our primary smart contract that delegates […]

EIP 1967 Storage Slots for Proxies EIP 1967 is a standard for where to store information that proxy contracts need to execute. Both the UUPS (Universal Upgradeable Proxy Standard) and the Transparent Upgradeable Proxy Pattern use it. Remember: EIP 1967 only states where certain storage variables go and what logs get emitted when they change, […]

The interest rate model of AAVE V3 and Compound V2 Interest rates in TradFi (traditional finance) are largely determined by central banks and influenced by market factors. In contrast, DeFi interest rates are algorithmically determined by the demand for loans and the supply of funds from lenders. Concepts in this article will be explained through […]

The second preimage attack for Merkle Trees in Solidity The second preimage attack in Merkle trees can happen when an intermediate node in a merkle tree is presented as a leaf. The name of this attack is quite misleading because it implies hashes have a second preimage. Modern hash functions do not have multiple (computable) […]

The staking algorithm of Sushiswap MasterChef and Synthetix The MasterChef and Synthetix staking algorithms distribute a fixed reward pool among stakers according to their time-weighted contributions to a pool. To save on gas, the algorithms use a cumulative counter of token-level reward and defer the reward distribution. Imagine we have a fixed pool of 100,000 […]

Uniswap V2 Architecture: An Introduction to Automated Market Makers Uniswap is a DeFi app that enables traders to swap one token for another in a trustless manner. It was one of the early automated market makers for trading (though not the first). Automated market makers are an alternative to an order book, which the reader […]

How Uniswap V2 computes the mintFee Uniswap V2 was designed to collect 1/6th of the swap fees to the protocol. Since a swap fee is 0.3%, 1/6th of that is 0.05%, so 0.05% of every trade would go to the protocol. Although this feature was never actually activated, we discuss this feature anyway since some […]

Uniswap v2 router code walkthrough The Router contracts provide a user-facing smart contract for safely minting and burning LP tokens (adding and removing liquidity) safely swapping pair tokens They add the ability to swap Ether by integrating with the wrapped Ether (WETH) ERC20 contract. They add the slippage related safety checks omitted from the core […]

A comprehensive guide to the ERC 721 standard and related security issues ERC721 (or ERC-721) is the most widely used Ethereum standard for nonfungible tokens. It associates a unique number with an Ethereum address, thereby denoting that address owns the unique number — the NFT. There is indeed no shortage of tutorials covering this famous […]

Flash Loans and how to hack them: a walk through of ERC 3156 Flash loans are loans between smart contracts that must be repaid in the same transaction. This article describes the ERC 3156 flash loan specification as well as the ways flash lenders and borrowers can be hacked. Suggested security exercises are provided at […]

UniswapV2Library Code Walkthrough UniswapV2Library The Uniswap V2 Library simplifies some interactions with pair contracts and is used heavily by the Router contracts. It contains eight functions that are not state-changing,. They are also handy for integrating Uniswap V2 from a smart contract. getAmountOut() and getAmountIn() If we want to predict the amount of token y […]

How the TWAP Oracle in Uniswap v2 Works What exactly is “price” in Uniswap? Suppose we have 1 Ether and 2,000 USDC in a pool. This implies that the price of Ether is 2,000 USDC. Specifically, the price of Ether is 2,000 USDC / 1 Ether (ignoring decimals). More generally, the price of an asset, […]

Checklist for building a Uniswap V2 clone It’s very educational to rebuild Uniswap v2 from scratch using modern Solidity (or Huff if you really want to do it in hard mode). Here are some pointers and suggestions for doing so. Use an updated version of solidity. Be aware that this will lead to syntactic changes. […]

Uniswap V2 Mint and Burn Functions Explained The lifecycle of Uniswap V2 is someone mints LP tokens (supplies liquidity, i.e. tokens to the pool) for the first time, then a second depositor mints liquidity, swaps happen, then eventually the liquidity providers burn their LP tokens to redeem pool tokens. It turns out to be easier […]

Breaking Down the Uniswap V2 Swap Function Uniswap V2’s swap function is cleverly designed, but many devs find its logic counterintuitive the first time they encounter it. This article explains how it works in depth. Here is the code reproduced below: Admittedly, this is a wall of code, but let’s break it down. On line […]

What are Pedersen Commitments and How They Work Pedersen commitments allow us to encode arbitrarily large vectors with a single elliptic curve point, while optionally hiding any information about the vector. It allows us to make claims about a vector without revealing the vector itself. Motivation When we discuss Bulletproof Zero Knowledge Proofs, they will […]

Elliptic Curve Point Addition This article describes how elliptic curve addition works over real numbers. Cryptography uses elliptic curves over finite fields, but elliptic curves are easier to conceptualize in a real Cartesian plane. This article is aimed at programmers and tries to strike a balance between getting too math heavy and too hand-wavy. Set […]

Circom language tutorial with circomlib walkthrough This tutorial introduces the Circom language and how to use it, along with common pitfalls. We will also explain a significant portion of the circomlib library in order to introduce common design patterns. A note about production use Circom is a fantastic tool for learning ZK-SNARKS. However, because it […]

Elliptic Curves over Finite Fields What do elliptic curves in finite fields look like? It’s easy to visualize smooth elliptic curves, but what do elliptic curves over a finite field look like? The following is a plot of $y² = x³ + 3 \pmod {23}$ Because we only allow integer inputs (more specifically, finite field […]

R1CS to Quadratic Arithmetic Program over a Finite Field in Python To make the transformation from R1CS to QAP less abstract, let’s use a real example. Let’s say we are encoding the arithmetic circuit $$z = x⁴ – 5y²x²$$ Converted to a Rank 1 Constraint System, this becomes $$\begin{align*} v_1 &= xx \\ v_2 &= […]

Ten beginner project ideas after you learn Solidity Now that you”ve completed our solidity tutorial, what”s next? You now have enough knowledge to build any of the following projects. Knowledge comes by study, but skill comes with practice. You need both knowledge and skill if you want to be a successful solidity developer! Here are […]

The RareSkills Book of Solidity Gas Optimization: 80+ Tips TABLE OF CONTENTS The RareSkills Book of Gas Optimization Gas optimization tricks do not always work Beware of complexity and readability Comprehensive treatment of each topic isn’t possible here We do not discuss application-specific tricks 1. Most important: avoid zero to one storage writes where possible […]

Groth16 Explained The Groth16 algorithm enables a quadratic arithmetic program to be computed by a prover over elliptic curve points derived in a trusted setup, and quickly checked by a verifier. It uses auxiliary elliptic curve points from the trusted setup to prevent forged proofs. Prerequisites This article is a chapter in the RareSkills Book […]

Evaluating a Quadratic Arithmetic Program on a Trusted Setup Evaluating a Quadratic Arithmetic Program (QAP) on a trusted setup enables a prover to demonstrate that a QAP is satisfied without revealing the witness while using a constant sized proof. Specifically, the QAP polynomials are evaluated at an unknown point $\tau$. The QAP equation $$\sum_{i=1}^m a_iu_i(x)\sum_{i=1}^m […]

Quadratic Arithmetic Programs A quadratic arithmetic program is an arithmetic circuit, specifically a Rank 1 Constraint System (R1CS) represented as a set of polynomials. It is derived using Lagrange interpolation on a Rank 1 Constraint System. Unlike an R1CS, a Quadratic Arithmetic Program (QAP) can be tested for equality in $\mathcal{O}(1)$ time via the Schwartz-Zippel […]

Solidity Coding Standards The purpose of this article is not to rehash the official Solidity Style Guide, which you should read. Rather, it is to document the common deviations from the style guide that come up in code reviews or audits. Some of the items here are not in the style guide, but are common […]

Viem React Js Example: Transfer, Mint, and View Blockchain State In this tutorial, we’ll build a fully functional Dapp with the Viem typescript library + React (Next.js). We’ll cover the necessary steps to connect your wallet, transfer crypto, interact with smart contracts (eg.g mint NFTs) and query the blockchain. Viem is a Typescript alternative to […]

Elementary Set Theory for Programmers Why another set theory tutorial? The target audience for this piece is the sort of folks who don’t care about abstract math unless they see a direct use-case for it. They want to get the essential parts they need and move on. This piece caters to that audience. Our end […]

Bilinear Pairings in Python, Solidity, and the EVM Sometimes also called bilinear mappings, bilinear pairings allow us to take three numbers, $a$, $b$, and $c$, where $ab = c$, encrypt them to become $E(a)$, $E(b)$, $E(c)$, where $E$ is an encryption function, then send the two encrypted values to a verifier who can verify $E(a)E(b) […]

Converting Algebraic Circuits to R1CS (Rank One Constraint System) This article is explains how to turn a set of arithmetic constraints into Rank One Constraint System (R1CS). The focus of this resource is implementation: we cover a lot more corner cases of doing this transformation than other materials, discuss optimizations, and explain how the Circom […]

How Tornado Cash Works (Line by Line for Devs) Introduction to Tornado Cash Tornado cash is a cryptocurrency smart contract mixer that enables users to deposit crypto with one address and withdraw with another wallet without creating a traceable link between those two addresses. Tornado cash is probably the most iconic zero knowledge smart contract […]

Getting a smart contract audit: what you need to know A smart contract audit is a review by blockchain security experts to ensure that users will not lose funds due to a malfunction or security vulnerability. Furthermore, an audit tries to anticipate unexpected and undesirable smart contract behavior before the contract is deployed. Navigating this […]

ZK-addition-dapp with Noir and Nextjs We will demonstrate a step-by-step exploration of a basic zk-dapp designed for verifying additions. This application enables users to prove that the sum of two numbers, X and Y, equals Z without disclosing the actual numbers on the blockchain. Although solving this problem does not necessarily demand zero-knowledge proofs, we […]

Web3.js Example. Latest version 4.x. Transfer, Mint and Query the Blockchain The newest version of web3.js, 4.x, has just been unveiled. In this guide, we’ll delve into integrating web3.js into HTML to Transfer, Mint NFTs as well as querying the Blockchain. Several features within the web3.js v 1.10.0 documentation are set to be deprecated, therefore […]

Understanding smart contract metadata When solidity generates the bytecode for the smart contract to be deployed, it appends metadata about the compilation at the end of the bytecode. We will examine the data contained in this bytecode. A simple smart contract Let’s look at the compiler output of the simplest possible solidity smart contract //SPDX-License-Identifier: […]

Over 150 interview questions for Ethereum Developers All of these questions can be answered in three sentences or less. Easy What is the difference between private, internal, public, and external functions? Approximately, how large can a smart contract be? What is the difference between create and create2? What major change with arithmetic happened with Solidity […]

Smart Contract Security This article serves as a mini course on smart contract security and provides an extensive list of the issues and vulnerabilities that tend to recur in Solidity smart contracts. A security issue in Solidity boils down to smart contracts not behaving the way they were intended to. This can fall into four […]

The initializable smart contract design pattern Initializers are how upgradeable contracts achieve the behavior of a constructor. When deploying contracts, it’s common to call a constructor to initialize storage variables. For example, a constructor might set the name of a token or the maximum supply. In an upgradeable contract, this information needs to be stored […]

Wagmi + ReactJS Example: Transfer Crypto and Mint an NFT In this tutorial, we’ll learn how to build a Web3 Dapp (Decentralized Application) that connects to your crypto wallet, allowing you to transfer funds and mint NFTs. We’ll be using Next.js, a popular React framework, and Wagmi.sh, a collection of React Hooks that easily integrates […]

Ethereum precompiled contracts Ethereum precompiles behave like smart contracts built into the Ethereum protocol. The nine precompiles live in addresses 0x01 to 0x09. The utility of precompiles falls into four categories – Elliptic curve digital signature recovery – Hash methods to interact with bitcoin and zcash – Memory copying – Methods to enable elliptic curve […]

Solidity Mutation Testing Mutation testing is a method to check the quality of the test suite by intentionally introducing bugs into the code and ensuring the tests catch the bug. The kind of bugs that get introduced are straightforward. Consider the following examples: // original function function mint() external payable { require(msg.value >= PRICE, "insufficient […]

Foundry Unit Tests This article will describe how to create unit tests in Solidity using Foundry. We will cover how to test all the state transitions that can occur in a smart contract, plus some additional useful features Foundry provides. Foundry has very extensive testing capabilities, so rather than rehashing the documentation, we will focus […]

Solidity Staticcall EIP 214 Staticcall is like a regular Ethereum call except that it reverts if a state change happens. It cannot be used to transfer Ether. Both the EVM opcode, the Yul assembly function, and the built-in solidity function named staticcall. EIP 214 Staticcall was introduced in EIP 214 added to Ethereum in 2017 […]

Openzeppelin Ownable: Use Ownable2Step Instead The onlyOwner modifier is probably one of the most common patterns in Solidity. In the following example, the function setMessage() can only be called by the address designated to be the owner. function setMessage(string calldata _message) external onlyOwner { message = _message; } However, the commonly used Openzeppelin ownable implementation […]

Foundry forge coverage Visual line coverage report with LCOV If you run “forge coverage” in a foundry project, you’ll get a table showing how much of your lines and branches are covered. If you want to see visually which lines and branches are or are not covered, use the following steps Instructions to get line […]

Solidity test internal function To test an internal solidity function, create a child contract that inherits from the contract being tested, wrap the parent contract’s internal function with an external one, then test the external function in the child. Foundry calls this inheriting contract a “harness” though others call it a “fixture.” Don’t change the […]

Uint256 max value The uint256 max value can be obtained with type(uint256).max; which is 115792089237316195423570985008687907853269984665640564039457584007913129639935 or 2²⁵⁶-1. But it’s cleaner and safer to use type(uint256).max. The same can be used for signed integer types //57896044618658097711785492504343953926634992332820282019728792003956564819967 type(int256).max; //-57896044618658097711785492504343953926634992332820282019728792003956564819968 type(int256).min; The math behind maximum values in integers and unsigned integers For unsigned integers, just put 2 ** […]

Solidity Events Solidity events are the closest thing to a print or console.log statement in Ethereum. We will explain how they work, best practices for events, and go into a lot of technical details often omitted in other resources. Here is a minimal example to emit a solidity event. contract ExampleContract { // We will […]

EIP-2930 – Ethereum access list Introduction An Ethereum access list transaction enables saving gas on cross-contract calls by declaring in advance which contract and storage slots will be accessed. Up to 100 gas can be saved per accessed storage slot. The motivation for introducing this EIP was to mitigate breaking changes in EIP 2929, which […]

EIP-150 and the 63/64 Rule for Gas Introduction EIP-150, or Ethereum Improvement Proposal 150, is a protocol upgrade for the Ethereum blockchain. It was proposed on March 18, 2016, and implemented on July 20, 2016, as part of the Ethereum Byzantium hard fork. There were several changes in the protocol, but we will focus on […]

Solidity Signed Integer Solidity signed integers enable using negative numbers in a smart contract. This article documents how they are used at the EVM level. Basic familiarity with the EVM and binary numbers is assumed. Two’s Complement Explained Solidity and the EVM use Two’s Complement representation for signed integers Like every datatype, Solidity still uses […]

Verify Signature Solidity in Foundry Here is a minimal (copy and paste) example of how to safely create and verify ECDSA signatures with OpenZeppelin in the Foundry environment. Contract: Verifier.sol // SPDX-License-Identifier: MIT pragma solidity ^0.8.0; import "@openzeppelin/contracts/utils/cryptography/ECDSA.sol"; contract Verifier { using ECDSA for bytes32; address public verifyingAddress; constructor(address _verifyingAddress) { verifyingAddress = _verifyingAddress; } […]

Convert gas to USD (Ethereum) Understanding gas cost can be tricky because there are three components at play: the gas price, the price of ether, and the units of gas. The “gas price” that you might see on a website like etherscan.io/gastracker, which fluctuates with network demand. The price of Ether. Obviously, the more expensive […]

EIP-3448 MetaProxy Standard: Minimal Proxy with support for immutable metadata The minimal proxy standard allows us to parameterize the creation of the clone, but this requires an extra initialization transaction. It is possible to bypass this step entirely and parameterize the value we care about in the bytecode of the proxy, instead of using storage. […]

Governance Contract in Solidity The pattern of governance many DeFi applications follows is heavily inspired by Compound Finance’s implementation. Although, there isn’t an Ethereum Improvement Proposal related to create a standard governance interface, most DeFi governance implementations generally follow the same set of principles. Ultimately, governance contracts tend behave like multisignature wallets with votes weighted […]

ERC20 Snapshot ERC20 Snapshot solves the problem of double voting. If votes are weighed by the number of tokens someone holds, then a malicious actor can use their tokens to vote, then transfer the tokens to another address, vote with that, and so forth. If each address is a smart contract, then the hacker can […]

EIP-1167: Minimal Proxy Standard with Initialization (Clone pattern) Image from https://pixabay.com/photos/stormtrooper-star-wars-lego-storm-2899993/ Introduction EIP-1167, which is also referred to as the minimal proxy contract, is a commonly used solidity pattern for cheaply creating proxy clones. If a use case requires deploying an identical contract (or very similar contract) repeatedly, this is a more gas efficient way […]

A bootcamp with a job guarantee is a bad idea Because the word “bootcamp” appears on some of our pages, we occasionally get asked if we have a job guarantee. We do not. Here are six reasons why we think job guarantees are a bad thing. 1. Companies insert “gotcha” clauses to make the guarantee […]

ERC4626 Interface Explained ERC4626 is a tokenized vault standard that uses ERC20 tokens to represent shares of some other asset. How it works is you deposit one ERC20 token (token A) into the ERC4626 contract, and get another ERC20 token back, call it token S. In this example, token S represents your share of all […]

What makes blockchain immutable? Note: This article is intended to be understandable by non-technical readers, to gain a very technical understanding, refer to our blockchain bootcamp after reading this article. Contrary to popular belief, blockchains are not immutable because of cryptography, but because of economic incentive. Cryptography is just a nice tool that makes the […]

Mastering Solidity: Master the Computer Science Fundamentals First I hate computer science! I’ll spare you the traditional arguments for why you should study and practice what is considered “the fundamentals.” I know, the relationship between reversing a LinkedList and writing a secure and gas-efficient smart contract seems non-existent. You’ve probably never needed to implement an […]

Ethereum smart contract creation code 608060405260405160893803806089833981016040819052601e916025565b600055603d565b600060208284031215603657600080fd5b5051919050565b603f80604a6000396000f3fe6080604052600080fdfea26469706673582212204a131c1478e0e7bb29267fd8f6d38a660b40a25888982bd6618b720d4498b6b464736f6c634300080700330000000000000000000000000000000000000000000000000000000000000001 This article explains what happens at the bytecode level when an Ethereum smart contract is constructed and how the constructor arguments are interpreted. Table of contents We discuss the following topics with visual examples: Introduction Init code Payable constructor contract Non-payable constructor contract Runtime code Runtime code breakdown Constructor […]

Solidity Gasleft Introduction The purpose of this article is to describe the behavior of the solidity gasleft() function and its uses. It is a built-in function that is used to check the remaining gas during a contract call. It is one of the special variables and functions that always exist in the global namespace and […]

Generate Ethereum Address from Private Key Python Generate Ethereum Address from Public Key An Ethereum address is the last 20 bytes of the keccack256 of the public key. The public key algorithm is secp256k1, the same used in bitcoin. Because it is an elliptic curve algorithm, the public key is an (x, y) pair corresponds […]

Smart contract creation cost Smart contract creation cost can be anywhere from \$10 to \$2,000 assuming Ether costs between \$1,500 to \$2,000. The biggest factors are 1) Ethereum price, 2) the size of the compiled contract (in bytes), 3) the current gas price on the Ethereum network. There are a total of six components that […]

Zero knowledge programming languages Zero knowledge proof moon math Zero knowledge proofs demonstrate you executed a computation correctly without revealing the inputs to the computation. A zero knowledge programming language is a convenient way to represent that computation. A common, but misleading analogy for zero knowledge proofs is “I can prove I’m over 21 without […]

Where to find solidity reentrancy attacks Reentrancy can only happen when your smart contract calls another smart contract via function call or sending ether. If you do not call another contract or send ether in the middle of an execution, you cannot hand over execution control, and reentrancy cannot happen. function proxyVote(uint256 voteChoice) external { […]

Leetcode problems and questions – the best 50 Whether web2 or web3, doing well on data structure, algorithm, and leetcode questions is important, not only for getting a job but developing a good foundation in computer science. Many developers know they should be practicing leetcode (or alternatively, hackerrank, codecademy, or codewars), but if you haven’t […]

Solidity RSA signatures for aidrops and presales: Beating ECDSA and Merkle Trees in Gas Efficiency Updated: Aug 4, 2023 By Suthan Somadeva and Michael Burke ECDSA Vs RSA Introduction Creating a contract that gives certain addresses permissions goes by several names: airdrops, presale, whitelist, allowlist, and so forth. But the essence of the idea is […]

Generate a random number with Solidity on the blockchain Random Number Randomness is tricky on the blockchain because the blockchain is deterministic, but randomness requires non-determinism (otherwise it becomes predictable). This article assumes the user has some familiarity with solidity already, especially the operations block.number(), block.hash(), and digital signatures. If you use data like block.timestamp […]

Solana Smart Contract Programming Language Solana programming language The primary Solana programming language is Rust, but C, C++, and even Python are supported. Solana coding language uses Rust, C, and C++ in a similar way. We’ll discuss Python in a later section. Rust is a compiled language. If you compile Rust on your computer, it […]

The Solidity Engineer Salary is a Myth Is gold in your future if you study blockchain? There is no shortcut to a high solidity developer salary This might sound funny coming from a blockchain bootcamp, but it’s true. It’s not that you can’t improve your blockchain engineer salary. You absolutely can. But the problem is, […]

Solidity vs Rust A common misconception is that learning blockchain is about learning a new programming language. It isn’t. Learning blockchain is far more akin to learning a framework than a programming language. For example, just because you can program in python or go, it doesn’t automatically make you a frontend developer any more than […]

Blockchain – Top Web3 Job List Blockchain job rankings All industries have a tier list or implied ranking. It’s usually unspoken, but it’s a real thing that should inform your strategy for getting a job as a blockchain engineer or smart contract engineer. Blockchain developer jobs: At RareSkills, we get a lot of questions about […]

The blockchain shortage of developers is not real. Photo by markuswinkler (https://unsplash.com/@markuswinkler) It’s hard to read news about developers and not get the impression there is a shortage of talent. Makes sense right? Companies wouldn’t pay someone $100,000 per year if they could easily fill the job role with someone cheaper. But there is no […]

Learn Solidity: Easy to Learn, Hard to Master? Is solidity hard to learn? Learning solidity as a language is arguably one of the easier languages to learn. However, learning the Ethereum environment is hard. It looks very similar to javascript, or pretty much any curly bracket language derived from C. If statements, for loops, class […]