Blockchain Development and Security

Instructor: Wu-chang Feng
TA: Jeff De Lamare
Contact and discussion: Office hours: here
TA office hours: Wednesday 10am-noon in Fishbowl
Course Description
This class provides an overview of blockchain systems, how they are built, and how they can be exploited. Students will get hands-on experience working with public blockchains such as Ethereum as well as build and deploy permissioned blockchains using Hyperledger Sawtooth on Google Cloud Platform. They will then examine security vulnerabilities in blockchain systems and how they may be automatically exploited.


Week Topic Slides Assignments Read/Listen
1 Course Overview
Overview and Applications
Underpinnings of blockchains
Public-key cryptography, Digital Signatures
Hash functions and properties

Lab 0
Labs 1.1, 1.2
Do you need a Blockchain? paper
Polyswarm podcast
Consensus protocols
Crash vs Byzantine fault-tolerance
Voting-based (BFT, Paxos)
Lottery-based (Proof-of-work, Proof-of-stake)
Blockchain Development
Bitcoin, Hyperledger overviews
Labs 1.3, 1.4 Consensus article
FLP and CAP article
Bitcoin overview
Ethereum & Smart Contracts overview (DApps)
Solidity programming (language overview, basic types and constructs)
Labs 2.1, 2.2 Ethereum beige paper
Solidity programming (Web3.js, ERC20, ICOs)
Ethereum tools (Metamask, EtherScan, MyCrypto, Remix)
Labs 2.3, 2.4  
5 10/28: NO CLASS
Blockchain security overview
DASP Top 10, SICTF intro
D6: Bad Randomness
Labs 3.1, 3.2 (Not so) smart contracts
D3: Arithmetic issues (Types), D2: Access Control
D5: Denial of Service, D4: Unchecked low-level calls
03c, 03d
03e, 03f
Labs 3.3, 3.4, 3.5, 3.6  
7 11/11: NO CLASS
D: Centralization, 51%
D1: Re-entrancy
03g, 03h Lab 3.7  
D7: Front-running, D8: Time manipulation, D10: Unknown unknowns
D9: Off-chain attacks
Advanced topics

Labs 3.8, 3.9

Labs 4.1, 4.2
Symbolic execution (Manticore)
05a Labs 5.1, 5.2, 5.3
Labs 5.4, 5.5
Advanced topics
Final project

Final project
Finals week
Final project screencast uploaded to Media Space as an unlisted video. Final project code and link to screencast on Media Space in final/url.txt
Friday, Dec. 13 at 11:30pm

Course objectives

  • Examine the underpinnings of blockchain systems and their applications
  • Develop and deploy blockchain applications and smart contracts (DApps)
  • Analyze smart contracts for security vulnerabilities
  • Exploit smart contract vulnerabilities
  • Use symbolic execution to automatically reveal smart contract vulnerabilities


Attendance and participation 10%
Lab notebooks 60%
Code in repository 10%
Final Project 20%
Attendance and participation
To encourage collaboration and to establish a positive learning community, attendance and participation throughout the term will be graded. In addition, mutual respect, tolerance, and encouragement are expected, while comments seeking to demean, embarrass, or otherwise disrupt others' ability to learn are not. Specific examples of participation include asking questions, helping other students out, and identifying mistakes in the course content either in class or on the Slack channel.
Academic misconduct
  • Includes allowing another student to copy your work unless specifically allowed by the instructor.
  • Includes copying blocks of code from external sources without proper attribution
  • Results in a grade of 0 for the assignment or exam.
  • Results in the initiation of disciplinary action at the university level.


Assignments and notebook
Assignments will be given covering the course material. You will perform each one while maintaining a lab notebook (a single Google Doc) that documents your progress through the exercises. Include screenshots and ensure that they include your wallet address, OdinID or your Google Cloud Platform project identifier in them. You will submit your lab notebooks in parts on D2L. The notebooks will be graded based upon the following rubric:
  • Neatness and organization, including a generated table of contents.
  • Completeness
  • Inclusion of wallet address, OdinID or project identifier in screenshots
Code repository
For assignments that require code to be written, you will submit your code in a private Gitlab repository that is shared with the instructor and TA. The code will be graded upon the following rubric:
  • Overall functionality
  • Code documentation (such as Docstrings, comments)
  • Code readability and modularity
  • git repository activity (commits, commit messages, tags)
Final project
You (and/or a partner) will choose from a number of options for a project. You will then create a narrated screencast of no more than 15 minutes (20 minutes for group projects) in which you show the work you have done via a demo and a source code or level walkthrough. For group projects, each student must walk through the code or level he/she has written or solved. Screencasts are submitted via PSU's Media Space; when uploading, be sure to change the media settings to Unlisted. Screencasts can be recorded with the software on Media Space (e.g. Kaltura Capture) or with tools such as QuickTime, Zoom, or Open Broadcaster. After uploading your screencast to Media Space, create a directory in your repository named "final" that contains a file called "url.txt" holding the URL of your screencast on Media Space, along with any source files you created as part of your project. The project can be selected from the following:
  • Solving an additional SI CTF level with Manticore that has not been already included in the Docker container and creating a codelab walkthrough of it
  • Creating a DApp of your own using Vyper.
  • Creating a vulnerable CTF level of your own using Vyper.
Your project will also be graded using the following rubric:
  • Overall functionality
  • Code documentation (such as Docstrings, comments)
  • Code readability and modularity
  • git repository activity (commits, commit messages, tags)
  • Completeness of walkthrough including demonstration of code and your explanation of code that you have written.