What are the most common smart contract exploits?

Reentrancy attacks exploit untrusted external calls, as seen in the $60M DAO hack, where funds were drained before balances updated.

Nov 06, 2025 at 05:25 am

Reentrancy Attacks

1. Reentrancy attacks occur when a malicious contract repeatedly calls back into a vulnerable contract before the initial execution completes. This exploit takes advantage of external calls that transfer control to untrusted code.

2. A famous example is the DAO hack in 2016, where an attacker drained over $60 million by recursively withdrawing funds before the balance was updated.

3. These attacks often target functions that send Ether or tokens and do not follow the checks-effects-interactions pattern.

Implementing reentrancy guards or using the withdrawal pattern instead of direct transfers can mitigate this risk significantly.

Integer Overflow and Underflow

1. Smart contracts written in Solidity versions prior to 0.8.0 did not automatically check for arithmetic overflows or underflows, allowing attackers to manipulate balances.

2. An overflow happens when a number exceeds its maximum value and wraps around, restarting from zero; an underflow occurs when it drops below zero and wraps around to the maximum.

3. In 2018, the BeautyChain token lost millions due to an integer overflow in its transfer function, enabling attackers to generate massive token amounts.

Using SafeMath libraries or upgrading to Solidity 0.8.0+, where overflow checks are built-in, prevents these vulnerabilities.

Front-Running (Transaction Ordering Dependence)

1. Front-running occurs when miners or bots observe pending transactions in the mempool and submit their own transactions with higher gas fees to execute first.

2. This is especially prevalent in decentralized exchanges and auctions, where timing impacts financial outcomes.

3. For instance, if a user places a large buy order, a bot can detect it and purchase the asset just before, then sell at a higher price immediately after.

Using commit-reveal schemes or off-chain signing with on-chain finalization helps reduce exposure to front-running.
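A commit-reveal flow for a sealed bid, as an added example that is not from the article; the contract name, phase lengths and hash layout are assumptions, and payment settlement is assumed to happen elsewhere.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration; SealedBid and its layout are hypothetical.
contract SealedBid {
    uint256 public immutable commitDeadline;
    uint256 public immutable revealDeadline;
    mapping(address => bytes32) public commitments;
    address public highestBidder;
    uint256 public highestBid;

    constructor(uint256 commitSeconds, uint256 revealSeconds) {
        commitDeadline = block.timestamp + commitSeconds;
        revealDeadline = commitDeadline + revealSeconds;
    }

    // Phase 1: only a hash reaches the mempool, so an observer learns
    // nothing about the bid amount and has nothing to outbid.
    // commitment = keccak256(abi.encode(bidder, amount, salt)), computed off-chain.
    function commit(bytes32 commitment) external {
        require(block.timestamp < commitDeadline, "commit phase over");
        require(commitments[msg.sender] == bytes32(0), "already committed");
        commitments[msg.sender] = commitment;
    }

    // Phase 2: the bid is opened after commitments are closed. Binding
    // msg.sender into the hash stops a copied commitment from being revealed
    // by someone else; the random salt stops guessing small amounts.
    function reveal(uint256 amount, bytes32 salt) external {
        require(block.timestamp >= commitDeadline, "commit phase still open");
        require(block.timestamp < revealDeadline, "reveal phase over");
        bytes32 expected = keccak256(abi.encode(msg.sender, amount, salt));
        require(commitments[msg.sender] == expected, "commitment mismatch");
        delete commitments[msg.sender]; // one reveal per commitment
        if (amount > highestBid) {
            highestBid = amount;
            highestBidder = msg.sender;
        }
    }
}
```

Reveals are still visible in the mempool, but by then no new commitments are accepted, so seeing a revealed amount gives no ordering advantage.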

Unprotected Upgradeability and Ownership

1. Many smart contracts include upgradeable patterns using proxies, but improper access control can allow malicious upgrades.

2. If ownership privileges are not properly managed, a single compromised key can lead to total contract takeover.

3. There have been cases where developers retained excessive control, leading to rug pulls or unauthorized fund withdrawals.

Limiting admin functions, implementing multi-signature wallets, and transparent governance mechanisms enhance security.

Phishing and Fake Token Deployments

1. Attackers deploy counterfeit tokens with names and symbols mimicking popular projects to deceive users.

2. These tokens often appear in decentralized exchange listings, tricking traders into swapping real assets for worthless ones.

3. Some fake tokens exploit interface bugs in wallet software, displaying incorrect balances or enabling automatic approvals.

Verifying contract addresses through official channels and using trusted token lists reduces the risk of interacting with fraudulent tokens.

Frequently Asked Questions

What is a flash loan attack?

A flash loan attack leverages uncollateralized loans from DeFi protocols to manipulate market conditions temporarily. Attackers borrow large sums, execute trades to influence prices or exploit logic flaws, then repay the loan within the same transaction, all while keeping the profit.

How can I verify if a smart contract has been audited?

Check the project's official website or GitHub repository for audit reports from reputable firms like CertiK, OpenZeppelin, or PeckShield. Cross-reference the deployed contract address with the one listed in the audit documentation.

Why are proxy contracts risky?

Proxy contracts separate logic and storage, enabling upgrades. However, if the admin implementation is compromised or poorly designed, attackers can redirect the logic to malicious code, effectively taking over the entire system without changing the main contract address.

Can a smart contract be patched after deployment?

Immutable contracts cannot be altered once deployed. For upgradable contracts, developers use proxy patterns to change logic while preserving data. Any patch must follow strict governance and security validation to avoid introducing new vulnerabilities.
