book

Mastering Ethereum, 2nd Edition

by Carlo Parisi, Alessandro Mazza, Niccolo Pozzolini, Gavin Wood, Andreas M. Antonopoulos

October 2025

Intermediate to advanced

570 pages

15h 40m

English

O'Reilly Media, Inc.

Read now

Unlock full access

Includes

Quizzes

Preface
How to Use This BookIntended AudienceCode ExamplesEthereum Addresses and Transactions in this BookConventions Used in This BookUsing Code ExamplesO’Reilly Online LearningHow to Contact UsContacting CarloContacting AlessandroContacting NiccolòAcknowledgments by CarloAcknowledgments by AlessandroAcknowledgments by NiccolòContributions
1. What Is Ethereum?
Ethereum Compared to BitcoinComponents of a BlockchainThe Birth of EthereumEthereum’s Stages of DevelopmentEthereum: A General-Purpose BlockchainEthereum’s ComponentsEthereum and Turing CompletenessTuring Completeness as a “Feature”Implications of Turing CompletenessFrom General-Purpose Blockchains to DAppsEthereum’s Development CultureWhy Learn Ethereum?Conclusion
2. Ethereum Basics
Ether Currency UnitsChoosing an Ethereum WalletControl and ResponsibilityGetting Started with MetaMaskCreating a WalletSwitching NetworksGetting Some Test EtherSending Ether from MetaMaskExploring the Transaction History of an AddressIntroducing the World ComputerExternally Owned Accounts and ContractsA Simple Contract: A Test Ether FaucetCompiling the Faucet ContractCreating the Contract on the BlockchainInteracting with the ContractViewing the Contract Address in a Block ExplorerFunding the ContractWithdrawing from Our ContractConclusion
3. Ethereum Nodes
Ethereum NetworksShould I Run a Full Node?Full Node Advantages and DisadvantagesPublic Testnet Advantages and DisadvantagesLocal Blockchain Simulation Advantages and DisadvantagesRunning an Ethereum NodeHardware Requirements for a Full NodeSoftware Requirements for Building and Running a ClientPreparation PhaseGeth-PrysmReth-LighthouseThe First Synchronization of Ethereum-Based BlockchainsThe JSON-RPC InterfaceRemote Ethereum ClientsMobile (Smartphone) WalletsBrowser WalletsHardware WalletsConclusion
4. Cryptography
Keys and AddressesPKC and CryptocurrencyPrivate KeysPublic KeysElliptic Curve Cryptography ExplainedElliptic Curve Arithmetic OperationsGenerating a Public KeyElliptic Curve LibrariesCryptographic Hash FunctionsEthereum’s Cryptographic Hash Function: Keccak-256Which Hash Function Am I Using?Ethereum AddressesEthereum Address FormatsHex Encoding with Checksum in Capitalization (ERC-55)Detecting an Error in an ERC-55 Encoded AddressValidators’ CryptographyIntroductionRequirementsBLS Digital SignaturesHow Does It Work?In SummaryKZG CryptographyIntroductionPolynomial Commitment SchemesUsing Merkle TreesKZG CommitmentKZG ProofKZG PropertiesMultiproofsIn SummaryConclusion
5. Wallets
Overview of Wallet TechnologiesNondeterministic (Random) WalletsDeterministic (Seeded) WalletsHierarchical Deterministic Wallets (BIP-32/BIP-44)Seeds and Mnemonic Codes (BIP-39)Wallet Best PracticesMnemonic Code Words (BIP-39)Optional Passphrase in BIP-39Working with Mnemonic CodesCreating an HD Wallet from the SeedHD Wallets (BIP-32)Extended Public and Private KeysHardened Child Key DerivationIndex Numbers for Normal and Hardened DerivationHD Wallet Key Identifier (Path)Navigating the HD Wallet Tree StructureSecurityImproving on User ExperienceAccount AbstractionSocial RecoveryENSConclusion
6. Transactions
The Structure of a TransactionLegacy TransactionsEIP-2930 TransactionsEIP-1559 TransactionsEIP-4844 TransactionsEIP-7702 TransactionsThe Transaction NonceKeeping Track of NoncesGaps in Nonces, Duplicate Nonces, and ConfirmationConcurrency, Transaction Origination, and NoncesTransaction GasEIP-1559: Base Fee and Priority FeeHow to Know the “Correct” Gas PriceTransaction RecipientTransaction Value and DataTransmitting Value to EOAs and ContractsTransmitting a Data Payload to an EOA or ContractSpecial Transaction: Contract CreationDigital SignaturesThe ECDSAHow Digital Signatures WorkECDSA MathTransaction Signing in PracticeRaw Transaction Creation and SigningDeserializing the TransactionLow-Level Manual Construction of an EIP-1559 Raw TransactionRaw Transaction Creation with EIP-155The Signature Prefix Value (v) and Public Key RecoverySeparating Signing and Transmission (Offline Signing)Transaction Life CycleCreating and Signing the TransactionSending the Transaction to the NetworkBuilding the BlockFinalizing the TransactionAn Alternative Life CycleMEV and Proposer and Builder SeparationPrivate MempoolsNew Transaction Life CycleMultiple-Signature TransactionsConclusion
7. Smart Contracts and Solidity
What Is a Smart Contract?Life Cycle of a Smart ContractIntroduction to Ethereum High-Level LanguagesBuilding a Smart Contract with SoliditySelecting a Version of SolidityDownloading and Installing SolidityDevelopment EnvironmentWriting a Simple Solidity ProgramCompiling with the Solidity Compiler (solc)The Ethereum Contract ABISelecting a Solidity Compiler and Language VersionProgramming with SolidityData TypesVariables: Definition and ScopePredefined Global Variables and FunctionsContract DefinitionFunctionsContract ConstructorFunction ModifiersContract InheritanceMultiple InheritanceError HandlingEventsCalling Other ContractsGas ConsiderationsBest PracticesEstimating Gas CostConclusion
8. Smart Contracts and Vyper
Vulnerabilities and VyperComparison to SolidityModifiersClass InheritanceInline AssemblyFunction OverloadingVariable TypecastingDecoratorsFunction and Variable OrderingCompilationProtecting Against Overflow Errors at the Compiler LevelReading and Writing DataConclusion
9. Smart Contract Security
Security Best PracticesSecurity Risks and AntipatternsReentrancyDELEGATECALLEntropy IllusionUnchecked CALL Return ValuesRace Conditions and Front-RunningDenial of ServiceFloating Point and PrecisionPrice ManipulationImproper Input ValidationSignature Replay AttackSmart Contracts MisconfigurationContract LibrariesAdditional ResourcesConclusion

10. Tokens
How Tokens Are UsedTokens and FungibilityCounterparty RiskTokens and IntrinsicalityUtility, Equity, or Cash Grab?It’s a Duck!Tokens on EthereumThe ERC-20 Token StandardLaunching Our Own ERC-20 TokenIssues with ERC-20 TokensERC-721: NFT StandardERC-1155: Multitoken StandardUsing Token StandardsWhat Are Token Standards and What Is Their Purpose?Should You Use These Standards?Detecting Standards: EIP-165Security by MaturityExtensions to Token Interface StandardsConclusion
11. Oracles
Why Oracles Are NeededOracle Use Cases and ExamplesOracle Design PatternsImmediate-ReadPublish-SubscribeRequest-ResponseData AuthenticationComputation OraclesDecentralized OraclesCross-Chain Messaging ProtocolsConclusion
12. Decentralized Applications
What Is a DApp?Backend (Smart Contract)Data StorageFrontend (Web User Interface)A Basic DApp ExampleInstallation RequirementsCreating the DAppStarting the ChainDeploying Your ContractStarting the FrontendInteracting with Your ContractDeploying Your Contract to a Live BlockchainDeploying to VercelFurther Decentralizing the DAppDecentralized WebsitesLimitationsDeploying to IPFSFrom App to DAppConclusion
13. Decentralized Finance
DeFi Versus Traditional FinanceDeFi PrimitivesDecentralized ExchangesWhy the Constant Product Formula WorksLending MarketsOraclesStablecoinsLiquid StakingReal-World AssetsBridges and Omnichain Protocols(De)centralized FinanceRisks and Challenges in DeFiConclusion
14. The Ethereum Virtual Machine
What Is the EVM?Comparison with Existing TechnologyWhat Are Other Blockchains Doing?The EVM Instruction Set (Bytecode Operations)Ethereum StateEthereum StatelessMerkle-Patricia TrieA Deep Dive into the Components of the EVMStackMemoryStorageCalldataLet’s Put Everything Together with a Concrete ExampleCompiling Solidity to EVM BytecodeContract Deployment CodeDisassembling the BytecodeTuring Completeness and GasWhat Is Gas?Gas Accounting During ExecutionBlock Gas LimitConcrete ImplementationsThe Biggest EVM Upgrade: EVM Object FormatJumpdest AnalysisAdding and Deprecating FeaturesCode and Data SeparationStack Too DeepEOFThe Future of the EVMConclusion
15. Consensus
Principles of ConsensusSafetyFinalityLivenessBlock Trees and ForkingConsensus via Proof of WorkConsensus via Proof of StakePoS TerminologyNodes and ValidatorsBlocks and AttestationsLMD-GHOSTLatest Message DrivenGreediest Heaviest Observed SubtreeIncentivesCasper FFG: The Finality GadgetEpochs and CheckpointsJustification and FinalizationSlashingFork Choice RuleThe Casper CommandmentsAccountable Safety and Plausible LivenessA Practical Example: The Life Cycle of a CheckpointFirst Round: JustificationSecond Round: FinalizationConflicting JustificationGasper: A Real ExampleControversy and CompetitionTiming GamesCentralization of SupermajorityConclusion
16. Scaling Ethereum
The Problems of Ethereum’s Layer 1The Scalability TrilemmaGas Costs and Network CongestionState Growth and Storage IssuesBlock Propagation and MEVSolutionsScaling the L1RollupsOther Types of Scaling SolutionsValidiumsSidechainsBased RollupsBooster RollupsNative RollupsDankshardingProto-DankshardingStateless EthereumWeak StatelessnessVerkle TreesStrong StatelessnessConclusion
17. Zero-Knowledge Proofs
HistoryDefinition and PropertiesHow Ethereum Uses Zero-Knowledge ProofsL2s Also Benefit from ZKA Small ExampleLet’s Prove ItIssuesZero KnowledgeProver CommitmentAdding Randomness to the CommitmentConclusion? Or Not…Fiat-Shamir HeuristicConclusion?SNARK Versus STARKZk-EVM and zk-VMConclusion
Index
About the Authors

Content preview from Mastering Ethereum, 2nd Edition

Chapter 9. Smart Contract Security

Security is one of the most important considerations when writing smart contracts. In the field of smart contract programming, mistakes are costly and easily exploited. In this chapter, we will look at security best practices and design patterns as well as security antipatterns, which are practices and patterns that can introduce vulnerabilities into smart contracts.

As with other programs, a smart contract will execute exactly what is written, which is not always what the programmer intended. Furthermore, all smart contracts are public, and any user can interact with them simply by creating a transaction. Any vulnerability can be exploited, and losses are almost always impossible to recover. It is therefore critical to follow best practices and use well-tested design patterns.

Think of robust development as the first layer in a “Swiss cheese model” of security. Each layer of protection acts like a slice of Swiss cheese: none is flawless on its own, but together they create a stronger defense. The very first layer is following solid development practices: using reliable design patterns, writing clear and intentional code, and actively avoiding known pitfalls. This foundational layer gives us the best start in securing our contracts from vulnerabilities. Beyond this, other layers like testing, code reviews, and bug bounties add extra protection, but it all begins with our development practices.

Security Best Practices

Defensive programming is ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 9781098168414Errata Page

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Mastering Ethereum, 2nd Edition

by Carlo Parisi, Alessandro Mazza, Niccolo Pozzolini, Gavin Wood, Andreas M. Antonopoulos

Chapter 9. Smart Contract Security

Security Best Practices

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.