Hacken Token
$ -- --.--

Top pitfalls of Web 3.0 Smart Contracts Security

The DeFi revolution has amplified smart contract capabilities. At the same time, the extensive smart contract capabilities have exposed deeper software vulnerabilities underpinning decentralized financial services. This article will consider the latest trends in Web 3.0 smart contact security, identify common smart contract vulnerability patterns, and provide recommendations on protecting your financial assets.

2022 Smart Contract Vulnerabilities in Figures

Key findings of 2022

  • $1.25 billion loss in 33 smart contract exploits
  • Small and medium exploits (< $10m) comprise three-quarters of all attacks
  • Two super exploits (> $100m) are behind 75% of the total loss

Errors in the smart contract code have been responsible for most instances of theft from DeFi protocols. Hackers are quick to cash in on smart contract vulnerabilities. The Defiyield rekt database reports 33 smart contract exploits in 2022. In total, these exploits amounted to $1.246 billion in losses. The top five biggest smart contract breaches were Ronin ($615m), Wormhole ($326m), Mirror Protocol ($90m), Qubit Finance ($80m), and Cashio ($48m).

SizeSmall Exploits< $1 millionMedium Exploits < $10 millionLarge Exploits> $10 millionSuper Exploits> $100 million
Number of exploits101562
Total Loss$4.1m$93m$255m$941m

Most Common Smart Contract Vulnerabilities

The amount of funds stolen due to smart contract exploits has increased tremendously since the start of 2022. We have analyzed dozens of smart contract exploits that have taken place in 2022 and identified the following common vulnerabilities:

1. Re-entrancy. When a contract “calls” another contract, it can determine the amount of available gas. A malicious contract will make a re-entrant call. If the caller does not update its internal state, the hacker can drain all the funds.

2. Unhandled exceptions. This exploit happens when a low-level operation in solidity, i.e., send, does not return an exception on failure but a boolean. If the return value is not checked, the attacker can continue executing the operation even if the payment fails.

3. Locked Ether. The received funds can be permanently locked, or the contract will always run out of gas resulting in the locked funds. This happens when the contract depends on another contract that has been destroyed using a particular instruction.

4. Transaction order dependency. The attacker can exploit the Ethereum single-block property for multiple transactions. When the order of two transactions calling the same contract changes the final result. 

5. Integer overflow and underflow. A loop counter can overflow to create an infinite loop resulting in the funds being locked. The attacker can manually trigger an overflow.

6. Unrestricted action. The attacker has the ability to bypass authorization. For example, there may be an error in withdrawal functionality. Every smart contract has a function responsible for governing the withdrawal of funds. Sometimes, these functions do not have enough protection, allowing hackers to withdraw tokens to their address.

Recommendations on Minimizing Smart Contract Exploits

Smart contract audits

A smart contract audit is a process whereby a third party or exchange analyzes a smart contract code behind a token or DeFi protocol. The audit confirms to the public that your contract contains no mechanisms and loopholes to steal investors’ funds. Hacken conducts top-tier smart contract audits for all networks, including Ethereum, Solana, BSC, Polygon, Avalanche, and Fantom. Another recommendation is to screen the wallets interacting with their smart contracts for prior transactions with known illicit addresses. This is the most essential tool for eliminating smart contract vulnerabilities.

Penetration Testing and Bug Bounties

In addition to smart contract audits, you can improve your overall cybersecurity through penetration testing and bug bounties. Hacken offers network, internal, and external Penetration Testing Services to estimate the level of your system’s resistance to cyberattacks. HackenProof is a bug bounty and vulnerability coordination platform that connects customers with thousands of ethical hackers. Crowdsourced bug bounties help find and resolve bugs before hackers can exploit vulnerabilities.

Tell us about your project

  • This field is required
  • This field is required
    • whatsapp icon WhatsApp
    • telegram icon Telegram
    • wechat icon WeChat
    • signal icon Signal
  • This field is required
  • This field is required
  • This field is required
  • This field is required
This field is required
departure icon

Thank you for your request

Get security score on

  • certified logo
  • coingeco logo
  • coin market cap logo

800+ projects with $250B protected MarketCap

companies logos

Apply for partnership

  • This field is required
  • This field is required
  • This field is required
  • This field is required
    • Foundation
    • VC
    • Angel investments
    • IDO or IEO platform
    • Protocol
    • Blockchain
    • Legal
    • Insurance
    • Development
    • Marketing
    • Influencer
    • Other
This field is required
This field is required
departure icon

Thank you for your request

Get security score on

  • certified logo
  • coingeco logo
  • coin market cap logo

800+ projects with $250B protected MarketCap

companies logos

Get in touch

  • This field is required
  • This field is required
  • This field is required
  • This field is required
This field is required
By submitting this form you agree to the Privacy Policy and information beeing used to contact you
departure icon

Thank you for your request

Get security score on

  • certified logo
  • coingeco logo
  • coin market cap logo
hackenproof logo

The world trusted Bug Bounty Platform. Run custom-tailored Bug Bounty Programs to secure your business and assets.

hackenproof logo

The world trusted Bug Bounty Platform. Run custom-tailored Bug Bounty Programs to secure your business and assets.

hackenproof logo

The world trusted Bug Bounty Platform. Run custom-tailored Bug Bounty Programs to secure your business and assets.