• Hacken
  • Blog
  • Insights
  • Top pitfalls of Web 3.0 Smart Contracts Security

Top pitfalls of Web 3.0 Smart Contracts Security

3 minutes

The DeFi revolution has amplified smart contract capabilities. At the same time, the extensive smart contract capabilities have exposed deeper software vulnerabilities underpinning decentralized financial services. This article will consider the latest trends in Web 3.0 smart contact security, identify common smart contract vulnerability patterns, and provide recommendations on protecting your financial assets.

2022 Smart Contract Vulnerabilities in Figures

Key findings of 2022

  • $1.25 billion loss in 33 smart contract exploits
  • Small and medium exploits (< $10m) comprise three-quarters of all attacks
  • Two super exploits (> $100m) are behind 75% of the total loss

Errors in the smart contract code have been responsible for most instances of theft from DeFi protocols. Hackers are quick to cash in on smart contract vulnerabilities. The Defiyield rekt database reports 33 smart contract exploits in 2022. In total, these exploits amounted to $1.246 billion in losses. The top five biggest smart contract breaches were Ronin ($615m), Wormhole ($326m), Mirror Protocol ($90m), Qubit Finance ($80m), and Cashio ($48m).

SizeSmall Exploits< $1 millionMedium Exploits < $10 millionLarge Exploits> $10 millionSuper Exploits> $100 million
Number of exploits101562
Total Loss$4.1m$93m$255m$941m

Most Common Smart Contract Vulnerabilities

The amount of funds stolen due to smart contract exploits has increased tremendously since the start of 2022. We have analyzed dozens of smart contract exploits that have taken place in 2022 and identified the following common vulnerabilities:

1. Re-entrancy. When a contract “calls” another contract, it can determine the amount of available gas. A malicious contract will make a re-entrant call. If the caller does not update its internal state, the hacker can drain all the funds.

2. Unhandled exceptions. This exploit happens when a low-level operation in solidity, i.e., send, does not return an exception on failure but a boolean. If the return value is not checked, the attacker can continue executing the operation even if the payment fails.

3. Locked Ether. The received funds can be permanently locked, or the contract will always run out of gas resulting in the locked funds. This happens when the contract depends on another contract that has been destroyed using a particular instruction.

4. Transaction order dependency. The attacker can exploit the Ethereum single-block property for multiple transactions. When the order of two transactions calling the same contract changes the final result. 

5. Integer overflow and underflow. A loop counter can overflow to create an infinite loop resulting in the funds being locked. The attacker can manually trigger an overflow.

6. Unrestricted action. The attacker has the ability to bypass authorization. For example, there may be an error in withdrawal functionality. Every smart contract has a function responsible for governing the withdrawal of funds. Sometimes, these functions do not have enough protection, allowing hackers to withdraw tokens to their address.

Recommendations on Minimizing Smart Contract Exploits

Smart contract audits

A smart contract audit is a process whereby a third party or exchange analyzes a smart contract code behind a token or DeFi protocol. The audit confirms to the public that your contract contains no mechanisms and loopholes to steal investors’ funds. Hacken conducts top-tier smart contract audits for all networks, including Ethereum, Solana, BSC, Polygon, Avalanche, and Fantom. Another recommendation is to screen the wallets interacting with their smart contracts for prior transactions with known illicit addresses. This is the most essential tool for eliminating smart contract vulnerabilities.

Penetration Testing and Bug Bounties

In addition to smart contract audits, you can improve your overall cybersecurity through penetration testing and bug bounties. Hacken offers network, internal, and external Penetration Testing Services to estimate the level of your system’s resistance to cyberattacks. HackenProof is a bug bounty and vulnerability coordination platform that connects customers with thousands of ethical hackers. Crowdsourced bug bounties help find and resolve bugs before hackers can exploit vulnerabilities.

Subscribe
to our newsletter

Be the first to receive our latest company updates, Web3 security insights, and exclusive content curated for the blockchain enthusiasts.

Speaker Img

Table of contents

Tell us about your project

Follow Us

Read next:

More related

Trusted Web3 Security Partner