Smart Contract Vulnerabilities

In our Education blog, Hacken has already covered the basics of a smart contract security audit, the most common smart contract vulnerabilities, and our smart contract audit methodology. To recap, a smart contract is an automated agreement between parties that is executed when all predefined conditions are met. Smart contracts are the backbone of all transactions. Thus, we should be aware of specific smart contract vulnerabilities that our auditors encounter in real projects and their classification under industry standards.

It is worth noting that the vulnerabilities featured in the list below are recognized as industry standards. They are classified in the Smart Contract Weakness (SWC) registry. The SWC registry is the holy grail of smart contract weaknesses. The registry serves as a foundation for a standardized identification of vulnerabilities in smart contracts. We also provide the link to the Common Weakness Enumeration CWE base where you can learn more about each vulnerability. CWE base is a community-developed list of software and hardware weakness types serving as a baseline for weakness identification.

The following is the list of all smart contract vulnerabilities we look for when conducting crypto audits for all networks, including our most popular service – Ethereum smart contract audit.

• Access to Critical Private Variable via Public Method
  • unencrypted private data on-chain
• Irrelevant Code
  • code with no effects
  • presence of unused variables
• Improper Initialization
  • message call with hardcoded gas amount
  • incorrect constructor name
• Authentication Bypass by Capture-replay
  • hash collisions with multiple variable length arguments
• Improper Locking
  • unexpected Ether balance
• User Interface Misrepresentation of Critical Information
  • right-to-left-override control character
• Use of Incorrect Operator
  • typographical error
• Uncontrolled Resource Consumption
  • DoS with block gas limit
• Use of Low-Level Functionality
  • arbitrary jump with function type variable
• Insufficient Control Flow Management
  • insufficient gas griefing
• Incorrect Behavior Order
  • incorrect inheritance order
• Write-what-where Condition
  • write to the arbitrary storage location
• Improper Following of Specification by Caller
  • requirement violation
• Insufficient Verification of Data Authenticity
  • Lack of proper signature verification
• Improper Verification of Cryptographic Signature
  • missing protection against signature replay attacks
• Use of Insufficiently Random Values
  • weak sources of randomness from chain attributes
• Improper Adherence to Coding Standards
  • shadowing state variables
  • state variable default visibility
• Improper Initialization
  • signature malleability
• Inclusion of Functionality from Untrusted Control Sphere
  • Block values as a proxy for time
• Use of Obsolete Function
  • Authorization through tx.origin
• Concurrent Execution using Shared Resource with Improper Synchronization (‘Race Condition’)
  • Transaction Order Dependence
• Improper Check or Handling of Exceptional Conditions
  • DoS with Failed Call
• Inclusion of Functionality from Untrusted Control Sphere
  • Delegatecall to Untrusted Callee
• Use of Obsolete Function
  • Use of Deprecated Solidity Functions
• Always-Incorrect Control Flow Implementation
  • Assert Violation
• Access of Uninitialized Pointer
  • Uninitialized Storage Pointer
• Improper Enforcement of Behavioral Workflow
  • Reentrancy
• Improper Access Control
  • Unprotected SELF DESTRUCT Instruction
  • Unprotected Ether Withdrawal
• Unchecked Return Value
  • Unchecked Call Return Value
• Improper Control of a Resource Through its Lifetime
  • Floating Pragma
• Using Components with Known Vulnerabilities
  • Outdated Compiler Version
• Incorrect Calculation
  • Integer Overflow and Underflow
• Improper Adherence to Coding Standards
  • Function Default Visibility

It is understandable that some vulnerabilities are more prevalent than others. In practice, it may be difficult to categorize a particular vulnerability under one category in the SWC registry. To that end, we want to share with you the most common smart contract vulnerabilities that Hacken auditors deal with. These include arithmetic over/underflows, default visibilities, entropy illusions, race conditions/front running, DoS, re-entrancy, constructions with care, and tx.origin authentication. In our smart contract audit reports, we also often recognize function calls with an incorrect argument, deserialization of untrusted data, numeric errors, improper initialization, improper input validation, privilege escalation, and improper synchronization.

This is a comprehensive and classified list of all possible smart contract vulnerabilities. If these weaknesses do not tell you anything, they may be too difficult for a general reader to comprehend. No worries, though. Our brilliant auditors know everything about each vulnerability and how to find them.

In this article, we wanted to emphasize that smart contract audits are difficult. Many companies offer smart contract services, but only a few can produce audits of exceptional quality. Delivering an effective and protective smart contract audit requires special knowledge and experience. At Hacken, we prioritize learning and excellence. That’s why our security experts always follow best practices and focus on industry standards when it comes to smart contract vulnerability identification.