Common Smart Contract Vulnerabilities
The following are common vulnerabilities that are part of the current smart contract audit checklist.
Reentrancy problem
Reentrancy attacks can occur when smart contract functions are called by untrusted external contracts. A reentrancy attack that enables this external contract to drain user funds or perform other malicious operations by recursively calling the original contract.
Integer overflow and underflow
Integer overflow or underflow may occur when a smart contract performs an arithmetic operation to output a number that exceeds the current storage capacity, resulting in a calculation error.
Early trading opportunities
Poorly designed code can leak information about transactions that have not yet occurred in the dApp, which other users can run first, locking in profits at the expense of the protocol.
Replay attack
A replay attack occurs when data is maliciously delayed or repeated, especially during a hard fork event, where an attacker can use messages on the new system to extract funds from the legacy system.
Random number bug
If a dApp uses publicly available numbers (such as block hashes) to seed nonces, it is vulnerable to exploitation, which is why many protocols use Chainlink VRF to achieve randomness.
Function visibility error
Functions intended to be private must be defined as private, since the default visibility property in Solidity is public. If public, anyone can call the function.
Centralization risk
Centralization has the problem of a single point of failure, and if a single private key or similar key is compromised, it can compromise the security of the protocol. Timelocks and granting DAO privileges are common techniques for dealing with centralization risks.
Unlocked compiler version
Solidity has many compiler versions. dApps should lock the version of the compiler they use so that users cannot compile it with a different version, which could lead to different bytecodes and unexpected issues.
Solidity gas optimization
Gas refers to the fee required to perform a specific operation on the Ethereum network. Gas optimization is the process of reducing the cost of smart contract code execution, which becomes increasingly important as projects scale and require more gas to run. It also helps prevent protocol abuse.
Solidity gas optimization techniques include:
Enables the Solidity compiler optimizer to minimize code size.
Minimize the amount of on-chain data required.
Free up unused storage space.
Smart Contract Audit Tool
Among the 10 most common blockchain network security attacks, Scam appears most frequently and directly causes the highest asset loss to users. According to Peckshield’s data, in 2021, crypto’s on-chain economic losses due to various scams will reach 12 billion US dollars, which is 6.7 times higher than the losses caused by direct attacks by hackers.
