README.md

Smart contract attack vectors

The goal of this repository is to compile all possible smart contract vulnerabilities and resources for learning about them.

Feel free to submit a pull request, with anything from small fixes to docs or tools you'd like to add.

List of Security Vulnerabilities

• Access Control
  • Authentication With tx.origin
  • Default Visibility
  • Signature Verification
  • Unprotected Ether Withdrawal
  • Unprotected SELFDESTRUCT Instruction
  • Missed Modifier
  • Incorrect Modifier Names
  • Overpowered Roles
• Account Existence Check for low level calls
• Arbitrary Jumps with Function Variables
• Assert Violation
• Bypass Contract Size Check
• Code With No Effects
• Complex Modifiers
• DOS
  • Unexpected Revert
  • Block Gas Limit
  • External Calls without Gas Stipends
• Dirty Higher Order Bits
• Entropy Illusion / Insecure Randomness
• Experimental Language Features
• External Contract Referencing
• Flash Loan Attacks
• Floating Point Arithmetic
• Frontend (Off Chain) Attacks
  • Short Address Attack
• Force Feeding
• Function Selector Abuse
• Griefing
• Hiding Malicious Code
• Historic Attacks
  • Constructor Names
  • Call Depth Attack
  • Solidity Abi Encoder v2 Bug
• Improper Array Deletion
• Incorrect Interface
• Insufficient Gas Attacks
• Integer Arithmetic
• Loop through long arrays
• Message call with hardcoded gas amount
• Miner Attacks
  • Transaction Ordering / Frontrunning
  • Timestamp Manipulation
• Offline Owner
• Oracle Manipulation
• Outdated Compiler
• Payable Multicall
• Precision Loss in Calculations
• Privacy Illusion
• Proxy Storage Collision
• Reentrancy
• Right-To-Left-Override control character (U+202E)
• Sandwich Attacks
• Signature Replay
• Unchecked External Calls
• Uninitialized Storage Pointers
• Unprotected Upgrades
• Unsafe Delegatecalls
• Unused Variable
• Use of Deprecated Solidity Functions
• Variable Shadowing
• Writes to Arbitrary Storage Locations
• Wrong inheritance

CTFs

Security Tools

Articles / Papers to read

• Blockchain Security Roadmap - https://lnkd.in/gPw7Nf4J

• The Eye of Horus: Spotting and Analyzing Attacks on Ethereum Smart Contracts - https://lnkd.in/gnzDrXaH

• BLOCKEYE - Hunting For DeFi Attacks on Blockchain - https://lnkd.in/gvxmW8Hu

• Topological Anomaly Detection in Dynamic Multilayer Blockchain Networks - https://lnkd.in/gPG6vrAM

• Verification of the Incremental Merkle Tree Algorithm with Dafny - https://lnkd.in/gfk3YrEd

• GoHammer Blockchain Performance Test Tool - https://lnkd.in/gHhjWdHj

• EtherClue: Digital investigation of attacks on Ethereum smart contracts - https://lnkd.in/gvuaaKaT

• Requirement Analyses and Evaluations of Blockchain Platforms per Possible Use Cases - https://lnkd.in/g7G9Rpxj

• A Note on Privacy in Constant Function Market Makers - https://lnkd.in/guEEV7Gm

• An approach to detect Denial of Service Vulnerability in Ethereum Smart Contracts - https://lnkd.in/gT3C-9fq

• AGSolT: a Tool for Automated Test-Case Generation for Solidity Smart Contracts - https://lnkd.in/gYDvEndF

• Reentrancy Vulnerability Identification in Ethereum Smart Contracts - https://lnkd.in/g6EVMjpg

• Coinbugs: Enumerating Common Blockchain Implementation-Level Vulnerabilities - https://lnkd.in/gqTS47JW

• SuMo: A Mutation Testing Strategy for Solidity Smart Contracts - https://lnkd.in/gm_ut_ev

• A Framework and DataSet for Bugs in Ethereum Smart Contracts - https://lnkd.in/gGNzC8iz

• Extracting Smart Contracts Tested and Verified in Coq - https://lnkd.in/gYv2VgFJ

• Trustless, privacy-preserving blockchain bridges - https://lnkd.in/gxzndTd2

• Security checklists for Ethereum smart contract development: patterns and best practices - https://lnkd.in/grF8DuMU

• Dynamic Vulnerability Detection on Smart Contracts Using Machine Learning - https://lnkd.in/gpbsEGve

• Targeting the Weakest Link: Social Engineering Attacks in Ethereum Smart Contracts - https://lnkd.in/g38PzXy3

• OptSmart: A Space Efficient Optimistic Concurrent Execution of Smart Contracts - https://lnkd.in/gFJhgamn

• DEFECTCHECKER: Automated Smart Contract Defect Detection by Analyzing EVM Bytecode - https://lnkd.in/gKNNN34h

• Profiling Gas Leaks in Solidity Smart Contracts - https://lnkd.in/g2dMHYac

• Ethereum SmartContract Vulnerability Detection using Deep Neural Network and Transfer Learning - https://lnkd.in/gV8Thsxe

Other useful resources

• The Auditors Book

• CryptoFin Solidity Auditing Checklist

• SWC Registry

• Trail of Bits Reference List

Support Me

Your support is crucial to help me continue doing what I love - educating DeFi & Crypto users.

If you find value in my work and want to support my work, you can send me a donation to the address -

• Ethereum/Polygon/BSC/Arbiturm/etc Address – 0xB8B14B7f0E4dF000f0654aF98498d52e567F2bfE

• Solana Address – 2fM5d1cupj2Mceh1wSYTrq1PSz2JbTbcYipJ4RxRSgMB

• Bitcoin – bc1q5nmjw8x40upjd3k9akpmtj682xa3zus7sr7rm3

• DogeCoin - DPFhZeZkybzLZj3ReJPdWHnDzv1zU5pugA

• LiteCoin - ltc1qzs3tj276zdjtuv5qy7aww3cc3frus8yvjdukln

• Binance Referral Link

Much much thanks every single one of you! Your support enables me to create more content, improve the quality of my work, and ultimately make a positive impact on the community.

Drop me a message on LinkedIn if you have any doubts or need any help -

Linktree

Thank you! Stay safe!