Smart contracts have become one of the most important applications of blockchain technology. Its combination with permissionless and transparent cryptocurrency transactions has enabled a new financial ecosystem known as DeFi.
Although due to its characteristics of open-source, decentralized, and permissionless execution, smart contracts have become a prime target of hackers. This field has become a major hub of experiment for hackers who see it as fun or rather comfy than executing hacks in traditional internet. The functionality of smart contracts allows to execute transactions without any authorization which hackers often exploit using different techniques and loopholes.
In this article we will explore several tactics that are used to target smart contract vulnerabilities and compromise security, which often leads to loss of millions of crypto assets. Let’s get into it after shortly revising what are the smart contracts and their vulnerabilities.
What are the Smart Contracts?
Smart contracts are self-executing programs typically deployed on a blockchain to facilitate automated transactions. These programs are triggered after meeting predefined conditions on the current state of the blockchain.
The structure of smart contracts includes different sets of functions and instructions given to process specified executions. It is used for various onchain operations such as moving crypto assets between wallets, time-locking funds, or creating innovative dApps.
What is a Smart Contract Vulnerability?
Vulnerability in smart contracts can be defined as bugs or loopholes that compromise its functionality and security. A vulnerability could be exploited in a variety of ways which results in huge loss of crypto assets for users and DeFi platforms.
5 Common Smart Contract Vulnerabilities
Smart contract vulnerabilities differ according to the method of exploitation. Below are the common five vulnerabilities that are found in smart contracts.
Reentrancy
Reentrancy is the most commonly exploited smart contract vulnerability. It typically occurs when a smart contract calls an external smart contract within its execution.
Here, the primary contract requires calling functions of the secondary contract before updating the state and that contract calls back the primary contract which causes an infinite loop. While the execution is ongoing, the secondary contract is invoked to provide specified information to the primary contract.
(Edit image: Contract X=A, Y=B, Send Funds = Transactions)
For instance, Contract A has a function that requires execution of Contract B, while Contract B has a function to callback Contract A. This creates repetitive calls for both contracts resulting in keeping the state execution of Contract A open until Contract B is revoked. This method is used in attacking and exploiting smart contracts, hence it is called Reentrancy Attack.
The attack on Grim Finance was a prime example of Reentrancy attack which caused a loss of over $30 million.
Integer Underflow and Overflow
Smart contracts are fundamentally computer programs that are developed using programming languages such as Solidity. These programs include several variables that store information to certain binary limits. This is where the vulnerability of integer underflow or overflow could occur if the integer value exceeds those limits.
This vulnerability is exposed when an integer within the smart contract is provided with a value higher than the maximum limit or lower than the minimum limit. For example, a 32-bit signed integer can store values between -2,147,483,648 and 2,147,483,647. When a calculation within the program provide results in a number outside of this range, there occurs the integer overflow or underflow.
Invalidated External Calls
Most smart contracts interact with external smart contracts. This flow can even go further if the external contract also calls another contract. To benefit from this, some bad actors could use the primary smart contract’s capability and exploit it if external calls are not validated.
This vulnerability came to be known much popularly after the Dexible exploit in February 2023. The hacker exploited one of the functions by calling a malicious ERC20 contract and drained nearly $2 million worth of crypto assets from the Dexible proxy.
Developers are required to validate external calls necessarily as a security measure. These external calls must be allowed only for trusted and intended addresses.
Default Visibility
The default visibility vulnerability in smart contracts is tied to functions or state variables that are declared under the default visibility modifier. While programming the smart contract, the developer needs to specify what visibility should be assigned to state variables or functions, which can be public, private, internal, or external. If the developer does not specify the visibility, it will be internal by default.
This vulnerability could be used to control and manipulate the internal state of smart contact by using external contracts. The prime example of this vulnerability is the Bancor exploit in 2018 which caused the protocol a loss of approximately $23.5 million of ETH and BNT tokens.
Logical Error
Logical errors or bugs in the smart contract code are also vulnerabilities that can be exploited by hackers. The developers of smart contracts might unknowingly leave bugs in the programming such as variable misplacing, unnecessary functions, typos, etc. This all decreases the security of smart contracts and could lead to misuse of their functioning.
Some of these logical errors can be easily found while compiling the program or testing it in a local environment. However, some critical bugs might hide in between the complex structure of smart contracts that can not be identified unless a serious problem arises.
Beside the above listed vulnerabilities, several other smart contract vulnerabilities are also popular among hackers such as front-running attack, arithmetic overflow, price oracle attack and more. These vulnerabilities must need to be resolved to avoid security incidents that may cause loss of several millions dollars.
How To Prevent Smart Contract Vulnerabilities
Smart contract vulnerabilities are found via different methods of security practices. There are several tools and techniques available to expose vulnerabilities in smart contracts. Some of the popular methods are as below;
Smart Contract Audits
Audit is the practice of performing security assessment and detailed analysis on the smart contract code. In this process, the auditor checks each and every function as well as the business logic behind it. It also ensures the credibility of the code by test-executing functions separately. Most of the smart contract vulnerabilities are carried out in auditing as it is generally performed by security experts and experienced developers.
Bug Bounty
Bug bounty is another popular method of finding vulnerabilities in smart contracts. The company or the developer of the smart contract hosts Bug Bounty campaigns where bounty hunters participate to find potential bugs or vulnerabilities. When developers successfully find a vulnerability in code, they are incentivized by hosts. Bug Bounty campaigns are one of the most impactful ways of finding vulnerability in smart contracts as it involves volunteer participation for bounty hunters from all around the world.
Penetration Testing
Similar to the method of evaluating traditional softwares, Penetration testing is also helpful in going through security measures of smart contracts. This method involves launching live attacks on the smart contract to find out vulnerabilities and potential breaches.
Conclusion
As the smart contracts are automated and permissionless, it becomes an easy target of security breaches and hacking. The proper testing and auditing of smart contracts provides security assurance to developers and everyone who interacts with it. To find and resolve vulnerabilities in smart contracts, it is necessary for developers to perform security analysis and thorough testing before deploying on the blockchain.
FAQs
What are the vulnerabilities in smart contracts?
Vulnerability are technical bugs or loopholes in smart contracts codes that could be exploited externally resulting in loss of funds or misuses.
What is Reetrancy in smart contracts?
Reetrancy is a common vulnerability found in smart contracts. It refers to a situation where hacker repeatedly calls a smart contract function to exploit the arithmetic operations or manipulate the output.
What are the examples of smart contract vulnerabilities?
Reetrancy, Integer Overflow/underflow, Invalidate External Calls, Default Visibility etc. are the most common vulnerabilities found in smart contracts.
