From d94d398c93daf74a5e5ada94792ae14cf6bbce97 Mon Sep 17 00:00:00 2001 From: jg8481 Date: Mon, 9 Sep 2024 00:30:07 -0400 Subject: [PATCH] Update README.md --- README.md | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index c7a0995..0c138c7 100644 --- a/README.md +++ b/README.md @@ -14,7 +14,7 @@ By using this software you understand the risks of Web3 and blockchain technologies. This toolkit is intended for testing and learning exciting concepts in the Web3 and blockchain industry with a security-minded self-education approach. The blockchain and DeFi ecosystems do not show mercy in any way to even the smallest mistakes. [I recommend that you self-educate yourself first and read MetaMask's security knowledge base before experimenting with this repository.](https://metamask.zendesk.com/hc/en-us/articles/360015489591-Basic-Safety-and-Security-Tips-for-MetaMask) **You are responsible for your own personal cryptocurrency funds and Web3 wallet private keys, and it is your personal responsibility to educate yourself to protect them.** Any misuse or mishandling of this software on any of the EVM compatible blockchain mainnets or testnets is at your own risk. -Also just a **friendly warning, DO NOT ATTEMPT TO SEND FUNDS to any of the** [**20 test accounts**](https://dev.to/alex_bobes/making-an-ethereum-bot-a-step-by-step-guide-3ol4) provided by `hardhat`. +Also just a **friendly warning, DO NOT ATTEMPT TO SEND FUNDS to any of the** [**20 test accounts**](https://dev.to/alex_bobes/making-an-ethereum-bot-a-step-by-step-guide-3ol4) provided by `Hardhat`. ## Ethereum set the standard, but cross-chain is the future 
@@ -22,7 +22,7 @@ Also just a **friendly warning, DO NOT ATTEMPT TO SEND FUNDS to any of the** [** ## Solidity clean-room environment testing is safe and repeatable -This [multichain toolkit](https://github.com/jg8481/Robot-Framework-Solidity-Testing-Toolkit) contains keyword-driven automation that helps **locally test EVM compatible Solidity smart contracts, [deploys them using a multichain approach](https://roycewells.io/writing/multichain-development/), and has the basic building blocks for creating blockchain event monitoring bots**. One of the primary components is a custom-made `robotframework-hardhat-remote-library.js` that was built using [hardhat](https://hardhat.org/) and [ethers.js](https://github.com/ethers-io/ethers.js/) libraries for [Web3](https://ethereum.org/en/web3/) development, and combined together using [comick's node-robotremoteserver](https://github.com/comick/node-robotremoteserver). This toolkit has been designed to [create local clean-room environment mainnet forks through Hardhat Network](https://hardhat.org/hardhat-network/docs/guides/forking-other-networks) for deploying smart contracts on multiple types of blockchains that support the EVM. I have included small checks and basic RPA automation scripts that work for Ethereum, Fantom, Avalanche, Polygon, but they can be adapted to cover many others as well by simply adjusting minor `hardhat` CLI options and altering the provided config files. Also all of the [automated checks in this repository are spending ZERO actual gas because they are mostly reading or interacting with simulated blockchains running on a local machine](https://ethereum.stackexchange.com/questions/18183/gas-costs-reading-data-is-this-free), and not sending testnet transactions (scroll down to see risks of frequently doing that) or touching anything on mainnets. 
+This [multichain toolkit](https://github.com/jg8481/Robot-Framework-Solidity-Testing-Toolkit) contains keyword-driven automation that helps **locally test EVM compatible Solidity smart contracts, [deploys them using a multichain approach](https://roycewells.io/writing/multichain-development/), and has the basic building blocks for creating blockchain event monitoring bots**. One of the primary components is a custom-made `robotframework-hardhat-remote-library.js` that was built using [Hardhat](https://hardhat.org/) and [ethers.js](https://github.com/ethers-io/ethers.js/) libraries for [Web3](https://ethereum.org/en/web3/) development, and combined together using [comick's node-robotremoteserver](https://github.com/comick/node-robotremoteserver). This toolkit has been designed to [create local clean-room environment mainnet forks through Hardhat Network](https://hardhat.org/hardhat-network/docs/guides/forking-other-networks) for deploying smart contracts on multiple types of blockchains that support the EVM. I have included small checks and basic RPA automation scripts that work for Ethereum, Fantom, Avalanche, Polygon, but they can be adapted to cover many others as well by simply adjusting minor `Hardhat` CLI options and altering the provided config files. Also all of the [automated checks in this repository are spending ZERO actual gas because they are mostly reading or interacting with simulated blockchains running on a local machine](https://ethereum.stackexchange.com/questions/18183/gas-costs-reading-data-is-this-free), and not sending testnet transactions (scroll down to see risks of frequently doing that) or touching anything on mainnets. ## "Ethereum is a Dark Forest" - Dan Robinson and Georgios Konstantopoulos 
@@ -31,14 +31,14 @@ You may be wondering. What's so special about Hardhat Network, [Trufflesuite's G **_Some Testnet testing disadvantages and risks:_** - [Most of the time a testnet will be slow](https://www.reddit.com/r/ethereum/comments/cxdno6/ropsten_very_slow/) - Even though it's a testnet you still need to worry about paying gas fees for every Metamask wallet transaction -- If you're using `hardhat` or `truffle` there is a risk that you can [expose your Metamask wallet private key in your deployment configuration files by accidentally pushing them into GitHub](https://consensys.net/blog/developers/how-to-avoid-uploading-your-private-key-to-github-approaches-to-prevent-making-your-secrets-public/) +- If you're using `Hardhat` or `Truffle` there is a risk that you can [expose your Metamask wallet private key in your deployment configuration files by accidentally pushing them into GitHub](https://consensys.net/blog/developers/how-to-avoid-uploading-your-private-key-to-github-approaches-to-prevent-making-your-secrets-public/) - Deploying smart contracts to a blockchain testnet is immutable or permanent. [Which is exactly how mainnets behave as well](https://www.gemini.com/cryptopedia/blockchain-testnet-devnet-sandbox-crypto-mainnet#section-what-is-a-blockchain-testnet) - If you are in the security sector of the blockchain industry, [testing on an Ethereum Testnet can have other possible serious risks](https://medium.com/immunefi/why-you-should-never-test-exploits-on-mainnet-or-public-testnets-7e904a2cbf05). Testnets are constantly being attacked on a daily basis. **Very bad actors are good at tracking all transactions on testnets and mainnets, which could lead to various security risks. 
One of those risks includes indirectly exposing your Metamask address to these bad actors** **_Some Mainnet testing disadvantages and risks:_** - [Very expensive to test on a mainnet](https://www.coingecko.com/en/coins/ethereum) - You need to worry about paying real gas fees for every Metamask wallet transaction -- If you're using `hardhat` or `truffle`, similar to testnets, there is the [same risk of exposing your Metamask wallet private key](https://decrypt.co/30222/hacker-steals-1200-worth-of-ethereum-in-under-100-seconds) +- If you're using `Hardhat` or `Truffle`, similar to testnets, there is the [same risk of exposing your Metamask wallet private key](https://decrypt.co/30222/hacker-steals-1200-worth-of-ethereum-in-under-100-seconds) - Deploying smart contracts to a blockchain mainnet is immutable or permanent. [It will stay there on the blockchain forever](https://academy.binance.com/en/glossary/immutability) - Same possible security risks found on testnet that I mentioned above, [but on mainnet it can be much worse. Click here to read an interesting real-life Ethereum Mainnet "horror story"](https://www.paradigm.xyz/2020/08/ethereum-is-a-dark-forest) 
@@ -63,6 +63,7 @@ In the future I plan to expand this toolkit into the following areas. - Create a `robotframework-truffle-remote-library.js` remote library using the [Truffle toolkit](https://trufflesuite.com/), and design similar features that are found in the `robotframework-hardhat-remote-library.js` remote library. - Progress: - (February 12, 2023 - **Ready To Use**) Created a working Truffle Suite library using a similar design as the Hardhat library, but utilizes [web3.js](https://web3js.org) and added a few different tests too. + - (September 21, 2023 - **Consensys Announcement**) There was an [announcement from the Truffle and Ganache lead developer Consensys](https://consensys.io/blog/consensys-announces-the-sunset-of-truffle-and-ganache-and-new-hardhat?utm_source=github&utm_medium=referral&utm_campaign=2023_Sep_truffle-sunset-2023_announcement_) that both projects were officially sunsetted and support has ended. I will no longer update my `robotframework-truffle-remote-library.js` remote library. I recommend using either Hardhat or Foundry. - Create more static analysis, security, and vulnerability scanning RPA automation integrated with popular tools (for example: [Consensys Diligence Tools](https://consensys.io/diligence/tools/)) in the Web3 and blockchain industry. - Progress: - (August 11, 2024 - **Ready To Use**) Created various security focused workflows that handle static analysis and vulnerability scanning of smart contracts. 
@@ -81,7 +82,7 @@ In the future I plan to expand this toolkit into the following areas. ### Technical Requirements -The following are the basic technical requirements needed to run these automated checks. Please note that this entire toolkit was developed on a MacOS machine, but should also work for most Linux users (preferably most current Ubuntu LTS versions etc.) and I would keep an eye on whatever the `hardhat` or `truffle` (source: https://github.com/trufflesuite/ganache-ui/releases) communities recommend for Linux distributions. +The following are the basic technical requirements needed to run these automated checks. Please note that this entire toolkit was developed on a MacOS machine, but should also work for most Linux users (preferably most current Ubuntu LTS versions etc.) and I would keep an eye on whatever the `Hardhat` or `Truffle` (source: https://github.com/trufflesuite/ganache-ui/releases) communities recommend for Linux distributions. - Python 3 -> https://www.python.org/downloads/ - NodeJS 22 -> https://nodejs.org/en/ or use https://github.com/nvm-sh/nvm - If you're using `nvm`, you can run `nvm install 22` to install version 22
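Review bot: In the hunk at `@@ -14,7 +14,7 @@`, capitalizing `Hardhat` inside backticks makes the line inconsistent with itself: backticks are code formatting, and the command and npm package are both lowercase `hardhat`, so "provided by `Hardhat`" now names a command that does not exist. Either drop the backticks ("provided by Hardhat") where the product is meant, or keep `hardhat` where the CLI is meant, and apply the same rule throughout the patch. On the same visible line, the "20 test accounts" warning links a third-party dev.to article; linking the Hardhat Network documentation for its default accounts would be more durable for a warning whose point is that those keys are public and must never hold funds.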
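Review bot: In the hunk at `@@ -22,7 +22,7 @@`, "adjusting minor `Hardhat` CLI options" has the same problem as the first hunk: CLI options are passed to the `hardhat` binary, so a code-formatted, capitalized name does not match what the user actually types. Suggest "adjusting Hardhat CLI options" without backticks, reserving `hardhat` for literal commands. The earlier sentence in the same line ("built using [Hardhat](https://hardhat.org/) and [ethers.js](...)") already uses the right convention, a plain product name with a link. Unrelated to the change but on the visible lines: "Ethereum, Fantom, Avalanche, Polygon, but" needs "and" before "Polygon".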
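Review bot: In the hunk at `@@ -31,14 +31,14 @@`, both modified bullets keep "Metamask" while the first hunk's context uses the vendor spelling "MetaMask"; if this patch is normalizing product capitalization, fix these too. The private-key bullets would also be more useful if they stated the mitigation the linked ConsenSys post is about rather than only the risk: keep wallet private keys out of the Hardhat or Truffle deployment configuration files, load them from an environment variable or a local secrets file that is listed in `.gitignore`, and treat any key that has ever been committed (even to a private repository) as compromised and rotated. As written, the hunk changes only the two tool names and leaves the advice as a bare warning.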
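Review bot: In the hunk at `@@ -63,6 +63,7 @@`, the new "Consensys Announcement" progress item contradicts its parent bullet, which still reads as an active plan to "Create a `robotframework-truffle-remote-library.js` remote library"; mark the parent item as frozen or deprecated so a reader scanning the roadmap does not pick the Truffle library first. Since the line says support has ended and the library will no longer be updated, say explicitly that its Truffle and web3.js dependencies will not receive security fixes through this project and that the Hardhat library is the maintained path. Also strip the `?utm_source=github&utm_medium=referral&utm_campaign=...` tracking parameters from the announcement URL; the post should resolve without them, and a README need not carry referral telemetry. Minor wording: "sunsetted" reads better as "sunset".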
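Review bot: In the hunk at `@@ -81,7 +82,7 @@`, the rewritten sentence still tells readers to follow whatever the `Truffle` community recommends and cites https://github.com/trufflesuite/ganache-ui/releases, which the previous hunk describes as a sunset project whose support has ended; either drop the Truffle/Ganache reference or label it historical, and point Linux users at the Hardhat recommendations only. The backtick issue from the other hunks applies here as well: `Hardhat` and `Truffle` are product names, not commands. Spelling on the same lines: "MacOS" should be "macOS", and the project linked at https://nodejs.org/en/ writes its name "Node.js", not "NodeJS".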