List of Security Vulnerabilities

Table of Contents

1. Integer Arithmetic
2. Floating Point Arithmetic
3. Reentrancy
4. Access Control
   1. Default Visibility
   2. Authentication With tx.origin
   3. Signature Verification
   4. Unprotected Functions
5. Code Injection via delegatecall
6. Signature Replay Attacks
7. Unchecked External Calls
   1. Insufficient Gas Attacks
8. DOS
   1. Unexpected Revert
   2. Block Gas Limit
   3. External Calls without Gas Stipends
   4. Offline Owner
9. Entropy Illusion
10. Privacy Illusion
11. Miner Attacks
    1. Transaction Ordering
    2. Timestamp Manipulation
12. Unexpected Ether
13. External Contract Referencing
14. Uninitialized Storage Pointers
15. Writes to Arbitrary Storage Locations
16. Incorrect Interface
17. Arbitrary Jumps with Function Variables
18. Variable Shadowing
19. Assert Violation
20. Dirty Higher Order Bits
21. Complex Modifiers
22. Outdated Compiler
23. Use of Deprecated Solidity Functions
24. Function Selector Abuse
25. Experimental Language Features
26. Frontend (Off Chain) Attacks
    1. Short Address Attack
27. Historic Attacks
    1. Constructor Names
    2. Call Depth Attack
    3. Constantinople Reentrancy
    4. Solidity Abi Encoder v2 Bug
28. Payable Multcall
29. References

This page contains a comprehensive list of common smart contract security vulnerabilities, compiled from various sources. We use it as our reference list for security audits. In this page we only include basic information. Follow the links given in each section for more information.

Integer Arithmetic

Neither the EVM nor Solidity (before v0.8) provide builtin error reporting for arithmetic overflow/underflow. Consequently, applications need to check for these cases themselves. Furthermore, one cannot make the (seemingly reasonable) assumption that x != -x, because of this case.

Note that since Solidity version 0.8, arithmetic operations revert on overflow and underflow. The developer can choose to bypass these checks by using the unchecked keyword, for example with unchecked { x = a + b; }

• Consensys Best Practices: Integer Overflow and Underflow
• DASP: Arithmetic Issues
• Sigmaprime: Arithmetic Over/Under Flows
• Solidity Documentation: Two's Complement / Underflows / Overflows
• Solidity Documentation: Checked or Unchecked Arithmetic
• SWC Registry: Integer Overflow and Underflow
• Trail of Bits: Integer Overflow

Floating Point Arithmetic

Fixed point numbers are not yet fully supported by solidity. User implementations may contain errors.

• Sigmaprime: Floating Points and Precision

Reentrancy

When a contract calls an external function, that external function may itself call the calling function. This can have unexpected effects. To prevent this sort of attack, a contract can implement a lock in storage that prevents re-entrant calls.

• Consensys Best Practices: Reentrancy
• DASP: Reentrancy
• Sigmaprime: Reentrancy
• Solidity Documentation: Reentrancy
• SWC Registry: Reentrancy
• Trail of Bits: Reentrancy

Access Control

There are a number of common mistakes relating to access control.

• DASP: Access Control

Default Visibility

The default visibility for Solidity functions is public. Developers may forget to specify the visibility for a function that is intended to be private, leading to possible vulnerabilities.

• SWC Registry: State Variable Default Visibility
• SWC Registry: Function Default Visibility
• Sigmaprime: Default Visibilities

Authentication With tx.origin

Solidity has a global variable, tx.origin, which returns the address of the account that originally sent the call. Using this variable for authentication leaves the contract vulnerable to a phishing-like attack.

• Sigmaprime: tx.origin Authentication
• SWC Registry: Authentication Through tx.origin
• Solidity Documentation: tx.origin

Signature Verification

If a smart contract system implements its own signature verification scheme, it may contain vulnerabilities.

• SWC Registry: Lack of Proper Signature Verification

Unprotected Functions

Contracts may implement other (more complex) forms of access control themselves. Errors in this code can lead to functions that should be private being accessible by an attacker. In particular, one should always check that any selfdestruct calls and ether withdrawals can only be made by those who are intented to be able to.

• SWC Registry: Unprotected SELFDESTRUCT
• SWC Registry: Unprotected Ether Withdrawal
• Trail of Bits: Unprotected Functions

Code Injection via delegatecall

Solidity allows calling external contracts via the DELEGATECALL opcode, which executes the code of an external contract in the persistent context of the present contract. Certain contracts perform DELEGATECALL calls using user-provided call data, which can effectively give full control to an attacker.

• Sigmaprime: delegatecall
• SWC Registry: delegatecall to Untrusted Callee

Signature Replay Attacks

If a smart contract system performs any sort of signature verification, it may be vulnerable to signature replay attacks. (Keep in mind that any signature sent to a contract via calldata will be publicly available.) Keeping track of processed signatures in storage is a simple way to prevent such attacks. Furthermore, in some cases, signatures may be malleable, i.e. an attacker may be able to modify them (so that they may be replayed) without destroying their validity.

• SWC Registry: Missing Protection Against Signature Replay Attacks
• SWC Registry: Signature Malleability

Unchecked External Calls

In Solidity, there are multiple ways to call an external contract and send ether. The function transfer reverts if the transfer fails. However, the functions call and send return false. Programmers may mistakenly expect call and send to revert, and fail to check for their return value.

• DASP: Unchecked Low Level Calls
• Sigmaprime: Unchecked CALL Return Values
• Trail of Bits: Unchecked External Calls
• SWC Registry: Unchecked Call Return Value

Insufficient Gas Attacks

If a function makes a call to an external subroutine with call, an attacker may be able to cause the function to only partially execute by sending a (precise) insufficient amount of gas.

• Consensys Best Practices: Insufficient Gas Griefing

DOS

This is a broad category of attacks where an attacker may render a contract inoperable, temporarily or permanently.

• DASP: Denial of Service
• Sigmaprime: Denial of Service
• Trail of Bits: Denial of Service

Unexpected Revert

An attacker may be able to exploit the fact that transfer (alternatively require(addr.send(amount))) reverts on failure to prevent a function from ever completing execution.

• Consensys Best Practices: DOS with Unexpected Revert
• SWC Registry: DOS with Failed Call

Block Gas Limit

In cases where the users of a system can manipulate how much computation (gas) is necessary for the execution of some function, it may be possible to DOS the system by causing the required gas to exceed the block gas limit. This is often the case in systems that loop over an array or mapping that can be enlarged by users at little cost.

• Consensys Best Practices: DOS with Block Gas Limit
• SWC Registry: DOS with Block Gas Limit
• Solidity Documentation: Gas Limit and Loops

External Calls without Gas Stipends

In some cases, developers may want to make a transfer and continue execution regardless of the result. One way to achieve this is with call.value(v)(), however this may allow the recipient to consume all the gas of the calling function, preventing execution from continuing. See example 1 here:

• Sigmaprime: Denial of Service

Offline Owner

Some systems may become inoperable if the owner or some other authority goes offline / loses their private key. This should be avoided.

Entropy Illusion

The EVM does not have support for uncertainty/random number generation. Contracts may try to simulate uncertainty in a way that is in fact predictable and exploitable.

• DASP: Bad Randomness
• Sigmaprime: Entropy Illusion
• Trail of Bits: Bad Randomness
• SWC Registry: Weak Sources of Randomness from Chain Attributes
• Solidity Documentation: Private Information and Randomness

Privacy Illusion

Developers may forget that everything on chain is public, and store private data in the open.

Miner Attacks

Transaction Ordering

Miners can see transactions for a short time before they get included in a block, and exploit this information. They can also alter the order of transactions within a block. Users also have some influence over this process by setting gas prices. This can often pose a security risk, especially in systems where users are bidding or otherwise competing for something.

• DASP: Front-Running
• Sigmaprime: Race Conditions / Front-Running
• Consensys Best Practices: Front-Running
• Trail of Bits: Race Conditions
• SWC Registry: Transaction Order Dependence

Timestamp Manipulation

Many contracts use block timestamps for various purposes. Keep in mind that miners can slightly adjust them to their advantage.

• DASP: Time Manipulation
• Sigmaprime: Block Timestamp Manipulation
• Consensys Best Practices: Timestamp Dependence
• SWC Registry: Timestamp Dependence

Unexpected Ether

Certain contracts behave erroneously when their account contains ether. It is always possible to forcibly send ether to a contract (without triggering its fallback function), using selfdestruct, or by mining to the account.

• Sigmaprime: Unexpected Ether
• Consensys Best Practices: Forcibly Sending Ether
• Trail of Bits: Forced Ether Reception
• Solidity Documentation: Sending and Receiving Ether

External Contract Referencing

When a contract delegates some of its functionality to an external contract whose address is either inaccessible or subject to change, a benign implementation may be swapped out for a malicious one.

• Sigmaprime: External Contract Referencing

Uninitialized Storage Pointers

Local variables in solidity functions default to storage or memory depending on their type. Uninitialized local storage variables can point to unexpected storage locations in the contract, leading to intentional or unintentional vulnerabilities.

• Sigmaprime: Uninitialized Storage Pointers
• SWC Registry: Uninitialized Storage Pointer

Writes to Arbitrary Storage Locations

In general, writes to arbitrary storage locations should be avoided. This can occur, for example, if a storage array is written to at an index specified by a user.

• SWC Registry: Write to Arbitrary Storage Location

Incorrect Interface

Typos or mistakes in the type signature of a function can lead to the fallback function being called instead.

• Trail of Bits: Incorrect Interfaces

Arbitrary Jumps with Function Variables

If a contract uses function variables, an attacker may be able to manipulate a function variable to point to an unexpected location.

• SWC Registry: Arbitrary Jump with Function Type Variable

Variable Shadowing

If multiple variables with the same name are declared in different scopes, there may be unintended effects. This is easy to miss in the case where a contract inherits from a contract implemented in a separate file.

• Trail of Bits: Variable Shadowing
• SWC Registry: Incorrect Inheritance Order
• SWC Registry: Shadowing State Variables

Assert Violation

Properly functioning code should never violate an assert statement. This can occur if developers mistakenly use assert instead of require.

• SWC Registry: Assert Violation
• SWC Registry: Requirement Violation
• Solidity Documentation: Error Handling

Dirty Higher Order Bits

If keccak256(msg.data) or some similar hash functionality is used (for example to log past calls), be aware that functions of types that don't occupy 32 bytes may be called with identical arguments but different hashes.

• Solidity Documentation: Minor Details

Complex Modifiers

Use modifiers only for input validation with require. Modifiers should not contain any substantive logic, because that logic will be executed before any input validation done at the start of function bodies.

• Consensys Best Practices: Use Modifiers Only for Assertions

Outdated Compiler

Never use a compiler version that is significantly out of date. Implementations should specify an exact compiler version with pragma.

• SWC Registry: Outdated Compiler
• SWC Registry: Floating Pragma

Use of Deprecated Solidity Functions

Avoid the use of deprecated solidity functions.

• SWC Registry: Use of Deprecated Solidity Functions

Function Selector Abuse

To call a function on another contract, the standard ABI way to do so is to pass as calldata a function "selector", followed by the encoded arguments. You can read more here, but a short example follows.

In solidity, a call may look like otherContract.foo("hello"), but in reality, the call becomes address(otherContract).call(abi.encodeWithSignature("foo(string)", "hello")) which in practice becomes

0xf31a69690000000000000000000000000000000000000000000000000000000000000020000000000000000000000000000000000000000000000000000000000000000568656c6c6f000000000000000000000000000000000000000000000000000000

The first 4 bytes 0xf31a6969, are called the function selector, and consist of the first 4 bytes of the Keccak256 hash of the string "foo(string)". All ABI-compliant contracts on Ethereum begin by looking at these bytes of the calldata and jump to the corresponding function body.

If a contract performs a call to an external contract, and the user can influence any part of the method signature (such as the function name, or its type), they can call any function on the external contract, simply by manipulating the string until a selector matching the desired one is found.

This was behind the Poly Network hack in August 2021, where an attacker crafted messages on one chain which got processed on another chain. The contracts assumed well-behaved transactions, and the attacker managed to trick the contracts into calling privileged functions on yet other contracts. https://twitter.com/kelvinfichter/status/1425217056660721666

Experimental Language Features

Avoid experimental language features, as these are not properly tested and have contained vulnerabilities in the past.

Constructor call

Frontend (Off Chain) Attacks

These are possible vulnerabilities in frontends to ethereum contracts, not vulnerabilities in the contracts themselves. (Possibly out of scope.)

Short Address Attack

Frontends should validate any input used to make transactions on chain.

• Sigmaprime: Short Address / Parameter Attack
• DASP: Short Address Attack

Historic Attacks

Constructor Names

Fixed in solidity v0.4.22

• Sigmaprime: Constructors with Care
• Trail of Bits: Wrong Constructor Name
• SWC Registry: Incorrect Constructor Name

Call Depth Attack

Fixed in EIP 150

• Consensys Best Practices: Call Depth Attack
• Solidity Documentation: Callstack Depth

Constantinople Reentrancy

• Consensys Best Practices: Constantinople Reentrancy Attack

Solidity Abi Encoder v2 Bug

Fixed in solidity v0.5.7

• Ethereum.org Blog

Payable Multicall

This is present when Multicall is used on any contract which reads the value of msg.value. Multicall is a pattern to call several contract endpoints in one transaction, using delegatecall. A contract endpoint may implicitly assume that it is called in a single transaction, by looking at msg.value. Since the value is defined per transaction, calling the same endpoint twice in one multicall means that the same msg.value may be read several times, even though the value was only transferred once.

For example, if a token contract accepts ETH in exchange for tokens in a swap function, and the contract implements multicall, an attacker may call swap several times in one transaction. Let's say the attacker sends along 1 ETH in the multicall transaction, which would normally give them 100 tokens. Each call to the swap function will read msg.value and transfer 100 tokens to the attacker. If the attacker calls swap 10 times in one multicall, they will get 1,000 tokens in exchange for 1 ETH.

• Uniswap v3 issue

References

• DASP Top 10
• Sigmaprime Solidity Security
• Consensys Best Practices
• Trail of Bits "Not So Smart Contracts"
• SWC Registry
• Solidity Documentation: Security Considerations
• Ethereum Wiki: Safety
• Trail of Bits Reference List