While most hacks in Web3 come as rug pulls and access control compromises, smart contract vulnerability exploits account for a regularly significant share of losses. In Q3 2023, Web3 projects lost nearly $100M due to smart contract hacks.
With so much money at stake, it’s at least understandable why smart contract developers go over the dark side and try themselves in hacking. In this article, let’s try to uncover that perspective and discuss how smart contracts can be exploited. Our goal is to give you the information, and it’s you who makes the hacking vs protecting decision.
Keep an eye out throughout this text for the most helpful resources.
Smart contracts are the backbone of decentralized trading, lending, and staking applications. Developed as deterministic programs in a high-level language (Solidity, Rust, etc.), smart contracts are compiled into bytecode for a runtime environment (EVM, WebAssembly, etc.). Once deployed, they operate continuously on the blockchain like Ethereum, Radix, or NEAR.
Because smart contracts are stored on-chain, hackers can examine the public codebase for vulnerabilities, such as reentrancy or missing checks, and then conduct their attacks. For example, the most recent KyberSwap $47M hack had a reentrancy error in the mint function of their new token implementation. Hackers can even combine their exploits with flash loans for maximum damage, as in the case of the SushiSwap DEX hack.
Hence, knowing how smart contracts operate and the potential weak spots of the most common tech stacks is vital for both hacking and protecting the underlying assets.
A robust setup is essential for identifying and exploiting vulnerabilities in smart contract development and security testing. Critical components of this setup include development frameworks and runtime environments.
Understanding Ethereum Virtual Machine (EVM) or WebAssembley is critical because it will run your smart contracts on the blockchain. Knowledge of EVM’s inner workings aids in comprehending contract behaviors and potential vulnerabilities.
Let’s discuss the most common ways smart contracts are not secure.
Issue: Functions call external contracts before updating their state.
Scenario: Based on Rari Capital 2022 hack, the attacker exploited a vulnerability in the borrow function, which executed asset transfer before updating the state.
Mitigation: Implement the “Checks-Effects-Interactions” pattern—execute all checks and state updates before external calls, use reentrancy guard, and limit available gas for functions to prevent loop exploits.
Issue: Lack of secure, random number generation in Ethereum smart contracts.
Scenario: Attackers manipulate block hashes or timestamps to influence outcomes, like in lotteries.
Mitigation: Avoid reliance on on-chain randomness. Emerging solutions include verifiable delay functions and Randao commit-reveal schemes.
Issue: Contracts performing bulk operations are vulnerable to stalling if a component fails.
Scenario: A failed refund transaction can indefinitely stall the process in an auction contract.
Mitigation: Prefer pull
over push
mechanisms and efficiently manage loops to handle large data structures.
Issue: Contracts can unintentionally receive Ether, disrupting their functions.
Scenario: Use of selfdestruct
in a contract forcibly sends Ether to another contract.
Mitigation: Design contracts to handle unexpected Ether receipts, avoiding assumptions about contract balances.
Issue: Solidity’s integer operations can overflow or underflow, leading to errors.
Scenario: ERC20 tokens without underflow checks can result in attackers gaining excessive tokens.
Mitigation: Use libraries like OpenZeppelin’s SafeMath and validate all arithmetic operations.
Issue: The time gap between transaction creation and acceptance can be exploited.
Scenario: In ERC20 tokens, approve and transferFrom can be manipulated, allowing unintended token transfers.
Mitigation: Implement zero balance approval requirements and design contracts to anticipate and handle front-running scenarios.
See related: Top 6 Smart Contract Vulnerabilities And How to Stop Them
You won’t be able to hack anything if you don’t know how to create a smart contract in the first place.
Start with setting up a development environment. For example, Remix IDE offers tools for writing, compiling, and deploying smart contracts. The process includes writing the contract code in Solidity, the most popular programming language for smart contracts, and compiling the code to ensure it’s ready for deployment. Next, you should deploy the contract to a test network like Goerli using tools like Metamask to confirm its behavior. Once tested and debugged, which may involve experimenting with various inputs and observing the outcomes to ensure proper functionality, you can go to the mainnent to interact with other contracts. Related resources:
Deploying your first smart contract is only the beginning, and you really have to master a smart contract programming language and learn a lot about the DeFi business even to spot unprotected liquidity. Here are the best resources to learn:
Standard and Testing:
Assuming you excel in these steps, it’s time to hone your offensive skills. Participate in wargames and playgrounds. Here are a few resources that are definitely worth your time:
Even ignoring the ethical and legal considerations, smart contract hacking is an extremely challenging and risky endeavor. A successful hack requires a perfect alignment of factors – finding unaudited and/or vulnerable contracts, being the first to discover and act, having the right skills for an attack, and managing to evade detection while vanishing with the stolen assets. As a result, the path of a smart contract hacker will be largely unrewarding for most people.
Yet, software engineers passionate about discovering vulnerabilities can engage in a more rewarding path. Independent ethical hackers, auditors, and bug hunters have all discovered that Web3 offers a different way of challenging your snooper character.
See related: How To Become A Smart Contract Auditor
Every smart contract hack always offers valuable learning opportunities. Let’s take Onyx Protocol exploit, for example. Onyx, a Compound Finance fork, lost $2.1 million due to a rounding error when creating new liquidity markets. But there’s a catch. The exact same vulnerability had already hit Hundred Finance and Midas earlier this year. It wasn’t the first time that projects didn’t implement simple workarounds to high-profile vulnerabilities.
So the implication is clear: read about hacks and learn from them. Resources like rekt and Hacken Insights may help.
A multi-stage approach is essential for thorough vulnerability discovery. Here are some key tips and smart contract audit tools used in this process:
1. Preliminary Assessment:
2. In-Depth Review:
3. Verification:
Reference authoritative resources to verify found vulnerabilities in Solidity and other programming languages:
See related: Smart Contract Audit Process Followed By Top Auditors
Secure smart contract development rests on several key pillars, each contributing to a robust defense against potential vulnerabilities:
Stay updated with blockchain language and network advancements, actively engage in open-source communities, and share knowledge for professional growth in this dynamic field.
The challenges and risks associated with hacking, coupled with legal and ethical considerations, make it a largely unrewarding option for most engineers. Instead, aspiring ethical hackers can find a rewarding career in safeguarding blockchain technology. Engaging in security analysis, learning from past vulnerabilities, and joining communities like Hackenproof are ways to contribute positively to the Web3 ecosystem. Choosing security over hacking offers a fulfilling career and is crucial in building a safer digital blockchain world.
Be the first to receive our latest company updates, Web3 security insights, and exclusive content curated for the blockchain enthusiasts.
Table of contents
Tell us about your project
10 min read
Discover
13 min read
Discover
13 min read
Discover