The DeFi revolution has amplified smart contract capabilities. At the same time, the extensive smart contract capabilities have exposed deeper software vulnerabilities underpinning decentralized financial services. This article will consider the latest trends in Web 3.0 smart contact security, identify common smart contract vulnerability patterns, and provide recommendations on protecting your financial assets.
2022 Smart Contract Vulnerabilities in Figures
Key findings of 2022
$1.25 billion loss in 33 smart contract exploits
Small and medium exploits (< $10m) comprise three-quarters of all attacks
Two super exploits (> $100m) are behind 75% of the total loss
Errors in the smart contract code have been responsible for most instances of theft from DeFi protocols. Hackers are quick to cash in on smart contract vulnerabilities. The Defiyield rekt database reports 33 smart contract exploits in 2022. In total, these exploits amounted to $1.246 billion in losses. The top five biggest smart contract breaches were Ronin ($615m), Wormhole ($326m), Mirror Protocol ($90m), Qubit Finance ($80m), and Cashio ($48m).
Small Exploits< $1 million
Medium Exploits < $10 million
Large Exploits> $10 million
Super Exploits> $100 million
Number of exploits
Most Common Smart Contract Vulnerabilities
The amount of funds stolen due to smart contract exploits has increased tremendously since the start of 2022. We have analyzed dozens of smart contract exploits that have taken place in 2022 and identified the following common vulnerabilities:
1. Re-entrancy. When a contract “calls” another contract, it can determine the amount of available gas. A malicious contract will make a re-entrant call. If the caller does not update its internal state, the hacker can drain all the funds.
2. Unhandled exceptions. This exploit happens when a low-level operation in solidity, i.e., send, does not return an exception on failure but a boolean. If the return value is not checked, the attacker can continue executing the operation even if the payment fails.
3. Locked Ether. The received funds can be permanently locked, or the contract will always run out of gas resulting in the locked funds. This happens when the contract depends on another contract that has been destroyed using a particular instruction.
4. Transaction order dependency. The attacker can exploit the Ethereum single-block property for multiple transactions. When the order of two transactions calling the same contract changes the final result.
5. Integer overflow and underflow. A loop counter can overflow to create an infinite loop resulting in the funds being locked. The attacker can manually trigger an overflow.
6. Unrestricted action. The attacker has the ability to bypass authorization. For example, there may be an error in withdrawal functionality. Every smart contract has a function responsible for governing the withdrawal of funds. Sometimes, these functions do not have enough protection, allowing hackers to withdraw tokens to their address.
Recommendations on Minimizing Smart Contract Exploits
Smart contract audits
A smart contract audit is a process whereby a third party or exchange analyzes a smart contract code behind a token or DeFi protocol. The audit confirms to the public that your contract contains no mechanisms and loopholes to steal investors’ funds. Hacken conducts top-tier smart contract audits for all networks, including Ethereum, Solana, BSC, Polygon, Avalanche, and Fantom. Another recommendation is to screen the wallets interacting with their smart contracts for prior transactions with known illicit addresses. This is the most essential tool for eliminating smart contract vulnerabilities.
Penetration Testing and Bug Bounties
In addition to smart contract audits, you can improve your overall cybersecurity through penetration testing and bug bounties. Hacken offers network, internal, and external Penetration Testing Services to estimate the level of your system’s resistance to cyberattacks. HackenProof is a bug bounty and vulnerability coordination platform that connects customers with thousands of ethical hackers. Crowdsourced bug bounties help find and resolve bugs before hackers can exploit vulnerabilities.
share via social
Subscribe to our research
Enter your email address to subscribe to Hacken Reseach and receive
notifications of new posts by email
On 27th October 2022, Team Finance lost $14.5 million due to a smart contract exploit in its migration function. The “v2 to v3 migration function” – the one that caused the exploit – was added a few months after the audit completion by Hacken. After they added the “migrate” functionality, Team Finance chose Zokyo as
The internet revolution has presented the world with Web3, the third iteration of a constantly evolving ecosystem. Also known as decentralized web, Web3 ecosystems are designed to replace centralized infrastructure and allow every user to maintain complete control over the data, irrespective of whether they are interacting with an application or another user. The Web3
Modern businesses are focused on choosing the new competitive strategies to dominate the market in the coming decade. Turning to Web3 may constitute their jump to new heights. But why have we assumed that Web 3.0 is an inevitable future? What big benefits does it provide to businesses and common people? And what about security,