Smart contract security
Education / best practices
- Eth smart contract security best practices (see especially: known attacks)
- Most common smart contract bugs
Solana-specific
See SolanaProgramming/Security
Bughunting challenges:
- Damn Vulnerable DeFi
- OpenZeppelin Ethernaut
- Capture the Ether
- Paradigm CTF 2021
- Smart contract CTF list
Real-life vulnerabilities
Summaries
- Rekt leaderboard
- SlowMist stats - brief summaries of each hack
- web3isgoinggreat.com - a (slanted) aggregator of recent hacks, rugpulls, and scams
Notable issues and incidents, explained
This is only a sampling! We'd recommend that smart contract devs review all major exploits (the rekt leaderboard is a great starting point) to learn from previous failures.
Re-entrancy
Re-entrancy is a famous and common issue where the attacker can unexpectedly recursively call a function multiple times, to get the contract's state variables into an unexpected state.
- For an overview, see Preventing re-entrancy attacks: lessons from history
- Exploiting uniswap from reentrancy to actual profit (July 2019)
- Clear explanation of reentrancy vulnerability on Uniswap introduced by ERC777.
- Lendf.Me re-entrancy attack (May 2020)
- ERC777 strikes again
- Cream Finance AMP attack (Aug 2021)
- ERC777 strikes again. Cream Finance was susceptible, and AMP token had an ERC777-style contract
- Grim Finance exploit (Dec 2021)
- Grim Finance used a before-after pattern to determine how much was deposited (needed because some tokens have a transfer tax, in which case the deposited amount will differ from the transferred amount)
- Grim didn't guard against reentrancy between the before-after pattern.
- More details
- TheDAO exploit of 2016: the original re-entrancy bug, but listed last here because it's one of the hardest to understand.
- Race-to-Empty (written just before the exploit, describing a generic vulnerability)
- Analysis of TheDAO exploit (detailed explanation of the flaw as applied to TheDAO)
- For more historical background (less technical) see a history of 'The DAO' hack
Oracle attacks
Some AMMs provide on-chain oracle functions (i.e. to compute asset prices from the current state of their pools). Unfortunately, this could allow an attacker to manipulate the state of a pool (especially using a flash loan), then do something else on a different protocol which depends on that oracle price. Developers of protocols that depend on on-chain oracles for pricing should be especially cognizant of this.
- Cream Finance 130M hack (Oct 2021)
- oracle attack on a lending protocol due to a flawed custom oracle for yearn assets (see also: cream hack analysis)
- PancakeBunny reward overmint (May 2021)
- oracle manipulation attack on PancakeBunny AMM
- attacker gets way too many BUNNY reward tokens for LPing by unstaking in the middle of a massive mispricing from a flashloan
- Enzyme finance custom oracle bug
- an issue showing an interesting interaction between a governance token's custom oracle and its support for flashloans
- Visor finance pricing exploit (Nov 2021)
- reliance on spot prices for issuing shares
- Rari pool attack - TWAP manipulation of VUSD
- a specific pool was seemingly misconfigured to point at a pool with only concentrated liquidity
- thread includes discussion of how it is easier to manipulate a pool with only concentrated liquidity because trading loss is relatively small
- discussion of how TWAPs are still vulnerable because single huge input can move average a lot
- Harvest Finance exploit (Oct 2020)
- exploiter moved USDT/USDC on Curve up before depositing USDT into Harvest Finance, then down before withdrawing
- pool share calc uses market price as oracle instead of 1
- Oracle vulnerabilities
- samczsun discussion of some famous oracle attacks
Other interesting economic attacks
- bZx 2020 exploit (Feb 2020)
- lending protocol bZx allowed fancier functionality than a typical lending protocol, specifically allowing a user to put on a leveraged equity/debt position by routing to an AMM
- a missing check caused the protocol to be fooled into taking a negative-value position while moving an AMM price way out of line
- attacker made money by arbing the AMM back into line outside of the lending protocol, while abandoning the negative-value vault
- another great description of this issue
- another great description
- Spartan Protocol LP share value calc issue (May 2021)
- mechanical flaw in calculation of LP share value in a synthetic asset protocol
Bridge attacks
Bridges are complex because they involve multiple chains, and interaction with a third party. Also, from the perspective of a single chain, transfers to that chain just involve unlocking tokens (or minting claim tokens) from the bridge contract.
- Poly network hack (Aug 2021)
- more commentary here
- Polygon PoS bridge withdrawal bug (Oct 2021)
- bug allowing repeat withdrawals from the bridge contract
Missing checks
Unauthorized access
- Pickle Finance exploit
- See especially this diagram
- Pickle Finance was a fork of Yearn; Yearn published this vulnerability disclosure a month earlier
- Similar problem here
Frontend attacks
- BadgerDAO Cloudflare exploit (Dec 2021)
- frontend attack arising from Cloudflare bug which allowed attackers to preregister API keys by email address without email verification
- attacker used access to inject malicious scripts that prompted users to authorize tokens via MetaMask.
Logic bugs
Arguably all bugs are logic bugs, but some seem like pure logic issues...
- Compound overdistribution of governance token (Sep 2021)
- (see also this)
- Popsicle Finance exploit
- bug in computing users' share of fees when LP shares are transferred
- notable in that bug had been repeatedly exploited in other contracts, but was missed by creators and auditors
- MonoX hack (Nov 2021)
- vAMM protocol for trading synthetics
- when user swaps A for B, vAMM updates price of A to be lower than before, then updates price of B to be higher than before
- MonoX didn't prevent corner case where A == B, so user could use this to increase price of B
- attacker used this repeatedly to pump internal price of MONO token, then swap MONO into a lot of real value
- Opyn bug (Aug 2020)
- bug stemming from special case for ETH transfers