Audits
Services
Services
Smart Contract Audit
Blockchain Protocol Audit
Penetration Testing
dApp Audit
Crypto Wallet Audit
Cross-Chain Bridge Audit
Bug Bounty
Proof of Reserves
CCSS Audit
Tokenomics Audit & Design
Smart Contract Audit
Mitigate weaknesses in your smart contract and improve its functionality with a double line-to-line code analysis and a separate review by a lead auditor.
Blockchain Protocol Audit
Secure the entire architecture and implementation layers of your blockchain protocol with professional security audits and testing.
Penetration Testing
Proactively detect vulnerabilities in your Web3 project by subjecting your systems to a simulated cyberattack in a secure and controlled environment.
dApp Audit
Identify vulnerabilities in applications interacting with blockchain networks with secure code review and static security analysis.
Crypto Wallet Audit
Code review & static security analysis for crypto wallet apps.
Cross-Chain Bridge Audit
Code review & security analysis for cross-chain crypto bridges.
Bug Bounty
Receive only relevant bug reports or undergo crowdsourced penetration testing with the help of thousands of ethical hackers curated by HackenProof.
Proof of Reserves
Enhance transparency in crypto exchanges with independent on-chain proof of assets’ true collateralization.
CCSS Audit
Assess and strengthen your security practices, identify vulnerabilities, and safeguard valuable digital assets in the ever-evolving cryptocurrency landscape.
Tokenomics Audit & Design
Ensure your token model robustness and efficiency and convey trust to investors and community with our thorough, independent audit of protocol economic security.
Solutions
Post-deployment security solution
Hacken Extractor
Real-time smart contract protection from assets loss
Learn more
Solutions
Featured ecosystems:
Ethereum (EVM)
BSC
Polygon
Near
Avalanche
Fantom
Aptos
Sui
Optimism
zkSync
Arbitrum
Solana
Polkadot
Cosmos
Radix
Linea
MetaMask
Others
By Languages:
Solidity
Rust
Move
Blog
Company
Company

The window to exchange $HAI for Hacken Equity Shares ($HES) is now open > Claim your spot today

Top pitfalls of Web 3.0 Smart Contracts Security

Top pitfalls of Web 3.0 Smart Contracts Security

Share via:

The DeFi revolution has amplified smart contract capabilities. At the same time, the extensive smart contract capabilities have exposed deeper software vulnerabilities underpinning decentralized financial services. This article will consider the latest trends in Web 3.0 smart contact security, identify common smart contract vulnerability patterns, and provide recommendations on protecting your financial assets.

2022 Smart Contract Vulnerabilities in Figures

Key findings of 2022

$1.25 billion loss in 33 smart contract exploits
Small and medium exploits (< $10m) comprise three-quarters of all attacks
Two super exploits (> $100m) are behind 75% of the total loss

Errors in the smart contract code have been responsible for most instances of theft from DeFi protocols. Hackers are quick to cash in on smart contract vulnerabilities. The Defiyield rekt database reports 33 smart contract exploits in 2022. In total, these exploits amounted to $1.246 billion in losses. The top five biggest smart contract breaches were Ronin ($615m), Wormhole ($326m), Mirror Protocol ($90m), Qubit Finance ($80m), and Cashio ($48m).

Size	Small Exploits< $1 million	Medium Exploits < $10 million	Large Exploits> $10 million	Super Exploits> $100 million
Number of exploits	10	15	6	2
Total Loss	$4.1m	$93m	$255m	$941m

Most Common Smart Contract Vulnerabilities

The amount of funds stolen due to smart contract exploits has increased tremendously since the start of 2022. We have analyzed dozens of smart contract exploits that have taken place in 2022 and identified the following common vulnerabilities:

1. Re-entrancy. When a contract “calls” another contract, it can determine the amount of available gas. A malicious contract will make a re-entrant call. If the caller does not update its internal state, the hacker can drain all the funds.

2. Unhandled exceptions. This exploit happens when a low-level operation in solidity, i.e., send, does not return an exception on failure but a boolean. If the return value is not checked, the attacker can continue executing the operation even if the payment fails.

3. Locked Ether. The received funds can be permanently locked, or the contract will always run out of gas resulting in the locked funds. This happens when the contract depends on another contract that has been destroyed using a particular instruction.

4. Transaction order dependency. The attacker can exploit the Ethereum single-block property for multiple transactions. When the order of two transactions calling the same contract changes the final result.

5. Integer overflow and underflow. A loop counter can overflow to create an infinite loop resulting in the funds being locked. The attacker can manually trigger an overflow.

6. Unrestricted action. The attacker has the ability to bypass authorization. For example, there may be an error in withdrawal functionality. Every smart contract has a function responsible for governing the withdrawal of funds. Sometimes, these functions do not have enough protection, allowing hackers to withdraw tokens to their address.

Recommendations on Minimizing Smart Contract Exploits

Smart contract audits

A smart contract audit is a process whereby a third party or exchange analyzes a smart contract code behind a token or DeFi protocol. The audit confirms to the public that your contract contains no mechanisms and loopholes to steal investors’ funds. Hacken conducts top-tier smart contract audits for all networks, including Ethereum, Solana, BSC, Polygon, Avalanche, and Fantom. Another recommendation is to screen the wallets interacting with their smart contracts for prior transactions with known illicit addresses. This is the most essential tool for eliminating smart contract vulnerabilities.

Penetration Testing and Bug Bounties

In addition to smart contract audits, you can improve your overall cybersecurity through penetration testing and bug bounties. Hacken offers network, internal, and external Penetration Testing Services to estimate the level of your system’s resistance to cyberattacks. HackenProof is a bug bounty and vulnerability coordination platform that connects customers with thousands of ethical hackers. Crowdsourced bug bounties help find and resolve bugs before hackers can exploit vulnerabilities.