Smart contract security

Education / best practices

Solana-specific

See SolanaProgramming/Security

Bughunting challenges

Real-life vulnerabilities

Summaries

Notable issues and incidents, explained

This is only a sampling! We'd recommend that smart contract devs review all major exploits (the rekt leaderboard is a great starting point) to learn from previous failures.

Re-entrancy

Re-entrancy is a famous and common issue: a contract makes an external call before it has finished updating its own state, and the callee uses that call to re-enter the same function (recursively, many times) and act on state variables that are still in an intermediate, unexpected state.

Oracle attacks

Some AMMs provide on-chain oracle functions (e.g. to compute asset prices from the current state of their pools). Unfortunately, this lets an attacker manipulate the state of a pool (especially with a flash loan, which makes the capital free within a single transaction), then act on a different protocol that depends on that oracle price. Developers of protocols that rely on on-chain oracles for pricing should be especially cognizant of this.

  • Cream Finance 130M hack (Oct 2021)
    • oracle attack on a lending protocol due to a flawed custom oracle for yearn assets (see also: cream hack analysis)
  • PancakeBunny reward overmint (May 2021)
    • oracle manipulation attack on PancakeBunny AMM
    • attacker gets way too many BUNNY reward tokens for LPing by unstaking in the middle of a massive mispricing from a flashloan
  • Enzyme finance custom oracle bug
    • an issue showing an interesting interaction between a governance token's custom oracle and its support for flashloans
  • Visor finance pricing exploit (Nov 2021)
    • reliance on spot prices for issuing shares
  • Rari pool attack - TWAP manipulation of VUSD
    • a specific pool was seemingly misconfigured to point at a pool with only concentrated liquidity
    • thread includes discussion of how it is easier to manipulate a pool with only concentrated liquidity because trading loss is relatively small
    • discussion of how TWAPs are still vulnerable because single huge input can move average a lot
  • Harvest Finance exploit (Oct 2020)
    • exploiter moved USDT/USDC on Curve up before depositing USDT into Harvest Finance, then down before withdrawing
    • pool share calc uses market price as oracle instead of 1
  • Oracle vulnerabilities
    • samczsun discussion of some famous oracle attacks
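To make the spot-versus-TWAP point concrete, here is an added Python simulation (not code from any of the protocols above): a constant-product pool with a Uniswap-v2-style cumulative price accumulator, a single skewing trade that is unwound either inside the same block (flash loan) or one block later, and what a spot-price consumer and a TWAP consumer observe in each case. Pool sizes, trade size and window length are constructed values.

```python
from dataclasses import dataclass


@dataclass
class Pool:
    """Constant-product (x*y=k, no fee) pool with a Uniswap-v2-style price accumulator."""
    reserve_a: float          # reserves of the asset being priced (constructed values)
    reserve_b: float          # reserves of the quote asset
    cumulative: float = 0.0   # sum of spot_price * elapsed blocks, accrued before any change
    last_block: int = 0

    def spot_price(self) -> float:
        """Price of A in B read straight from reserves: the cheap-to-manipulate oracle."""
        return self.reserve_b / self.reserve_a

    def advance(self, block: int) -> None:
        """Accrue the pre-change spot price over the blocks elapsed since the last update."""
        self.cumulative += self.spot_price() * (block - self.last_block)
        self.last_block = block

    def swap(self, sell_a: bool, amount: float, block: int) -> float:
        """Sell `amount` of A (sell_a=True) or of B into the pool; returns amount received."""
        self.advance(block)
        k = self.reserve_a * self.reserve_b
        if sell_a:
            self.reserve_a += amount
            out = self.reserve_b - k / self.reserve_a
            self.reserve_b -= out
        else:
            self.reserve_b += amount
            out = self.reserve_a - k / self.reserve_b
            self.reserve_a -= out
        return out


def twap(start: tuple, end: tuple) -> float:
    """Time-weighted average price between two (cumulative, block) snapshots."""
    return (end[0] - start[0]) / (end[1] - start[1])


def compare_oracles(window: int, trade_b: float, hold_blocks: int) -> dict:
    """Skew a 1000/1000 pool by buying A with `trade_b` of B, then unwind it.

    hold_blocks=0 models a flash loan (skew and restore inside one block);
    hold_blocks>=1 leaves the skewed reserves in place across block boundaries.
    """
    assert 0 <= hold_blocks <= window
    pool = Pool(1000.0, 1000.0)
    start = (pool.cumulative, pool.last_block)          # TWAP consumer's snapshot at block 0
    honest_spot = pool.spot_price()
    attack_block = window - hold_blocks
    bought_a = pool.swap(False, trade_b, attack_block)  # push the price of A up
    skewed_spot = pool.spot_price()
    pool.swap(True, bought_a, attack_block + hold_blocks)  # unwind; no fee, so reserves return
    end = (pool.cumulative, pool.last_block)            # TWAP consumer's snapshot at `window`
    return {"honest_spot": honest_spot, "skewed_spot": skewed_spot, "twap": twap(start, end)}
```

With the constructed 1000/1000 pool and a 3000-unit trade, the spot oracle reports 16x the honest price, while a 10-block TWAP is untouched by the same-block version but still jumps to 2.5x when the skew is held across a single block boundary.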

Other interesting economic attacks

  • bZx 2020 exploit (Feb 2020)
    • lending protocol bZx allowed fancier functionality than a typical lending protocol, specifically allowing a user to put on a leveraged equity/debt position by routing to an AMM
    • a missing check caused the protocol to be fooled into taking a negative-value position while moving an AMM price way out of line
    • attacker made money by arbing the AMM back into line outside of the lending protocol, while abandoning the negative-value vault
    • another great description of this issue
    • another great description
  • Spartan Protocol LP share value calc issue (May 2021)
    • mechanical flaw in calculation of LP share value in a synthetic asset protocol

Bridge attacks

Bridges are complex because they involve multiple chains and interaction with a third party. Also, from the perspective of a single chain, a transfer into that chain is nothing more than the bridge contract unlocking tokens (or minting claim tokens), so everything rests on how carefully that contract verifies the claimed deposit on the other side.

Missing checks

Unauthorized access

Frontend attacks

  • BadgerDAO Cloudflare exploit (Dec 2021)
    • frontend attack arising from Cloudflare bug which allowed attackers to preregister API keys by email address without email verification
    • attacker used access to inject malicious scripts that prompted users to authorize tokens via MetaMask.

Logic bugs

Arguably all bugs are logic bugs, but some seem like pure logic issues...

  • Compound overdistribution of governance token (Sep 2021)
  • Popsicle Finance exploit
    • bug in computing users' share of fees when LP shares are transferred
    • notable in that bug had been repeatedly exploited in other contracts, but was missed by creators and auditors
  • MonoX hack (Nov 2021)
    • vAMM protocol for trading synthetics
    • when user swaps A for B, vAMM updates price of A to be lower than before, then updates price of B to be higher than before
    • MonoX didn't prevent corner case where A == B, so user could use this to increase price of B
    • attacker used this repeatedly to pump internal price of MONO token, then swap MONO into a lot of real value
  • Opyn bug (Aug 2020)
    • bug stemming from special case for ETH transfers

Other