Security.md

Smart contract security

Education / best practices

• Solcurity - opinions from t11s on security best practices
• Eth smart contract security best practices (see especially: known attacks)
• Smart Contract Weakness Registry - an enumeration of common weaknesses in smart contracts, with code samples
• Most common smart contract bugs

Solana-specific

See SolanaProgramming/Security

Bughunting challenges:

• Damn Vulnerable DeFi
• OpenZeppelin Ethernaut
• Capture the Ether
• Paradigm CTF 2021
• Smart contract CTF list

Real-life vulnerabilities

Summaries

• Rekt leaderboard
• SlowMist stats - brief summaries of each hack
• web3isgoinggreat.com - a (slanted) aggregator of recent hacks, rugpulls, and scams

Notable issues and incidents, explained

This is only a sampling! We'd recommend that smart contract devs review all major exploits (the rekt leaderboard is a great starting point) to learn from previous failures.

Re-entrancy

Re-entrancy is a famous and common issue where the attacker can unexpectedly recursively call a function multiple times, to get the contract's state variables into an unexpected state.

• For an overview, see Preventing re-entrancy attacks: lessons from history
• Exploiting uniswap from reentrancy to actual profit (July 2019)
  • Clear explanation of reentrancy vulnerability on Uniswap introduced by ERC777.
• Lendf.Me re-entrancy attack (May 2020)
  • ERC777 strikes again
• Cream Finance AMP attack (Aug 2021)
  • ERC777 strikes again. Cream Finance was susceptible, and AMP token had an ERC777-style contract
• Grim Finance exploit (Dec 2021)
  • Grim Finance used a before-after pattern to determine how much was deposited (needed because some tokens have a transfer tax, in which case the deposited amount will differ from the transferred amount)
  • Grim didn't guard against reentrancy between the before-after pattern.
  • More details
• TheDAO exploit of 2016: the original re-entrancy bug, but listed last here because it's one of the hardest to understand.
  • Race-to-Empty (written just before the exploit, describing a generic vulnerability)
  • Analysis of TheDAO exploit (detailed explanation of the flaw as applied to TheDAO)
  • For more historical background (less technical) see a history of 'The DAO' hack

Oracle attacks

Some AMMs provide on-chain oracle functions (i.e. to compute asset prices from the current state of their pools). Unfortunately, this could allow an attacker to manipulate the state of a pool (especially using a flash loan), then do something else on a different protocol which depends on that oracle price. Developers of protocols that depend on on-chain oracles for pricing should be especially cognizant of this.

• Cream Finance 130M hack (Oct 2021)
  • oracle attack on a lending protocol due to a flawed custom oracle for yearn assets (see also: cream hack analysis)
• PancakeBunny reward overmint (May 2021)
  • oracle manipulation attack on PancakeBunny AMM
  • attacker gets way too many BUNNY reward tokens for LPing by unstaking in the middle of a massive mispricing from a flashloan
• Enzyme finance custom oracle bug
  • an issue showing an interesting interaction between a governance token's custom oracle and its support for flashloans
• Visor finance pricing exploit (Nov 2021)
  • reliance on spot prices for issuing shares
• Rari pool attack - TWAP manipulation of VUSD
  • a specific pool was seemingly misconfigured to point at a pool with only concentrated liquidity
  • thread includes discussion of how it is easier to manipulate a pool with only concentrated liquidity because trading loss is relatively small
  • discussion of how TWAPs are still vulnerable because single huge input can move average a lot
• Harvest Finance exploit (Oct 2020)
  • exploiter moved USDT/USDC on Curve up before depositing USDT into Harvest Finance, then down before withdrawing
  • pool share calc uses market price as oracle instead of 1
• Oracle vulnerabilities
  • samczsun discussion of some famous oracle attacks
• Inverse Finance oracle attack (Apr 2022) (required price manipulation across multiple blocks)
• Inverse Finance oracle attack 2 (June 2022)
• Related: discussion of UniV3 TWAP oracle manipulation

Other interesting economic attacks

• bZx 2020 exploit (Feb 2020)
  • lending protocol bZx allowed fancier functionality than a typical lending protocol, specifically allowing a user to put on a leveraged equity/debt position by routing to an AMM
  • a missing check caused the protocol to be fooled into taking a negative-value position while moving an AMM price way out of line
  • attacker made money by arbing the AMM back into line outside of the lending protocol, while abandoning the negative-value vault
  • another great description of this issue
  • another great description
• Spartan Protocol LP share value calc issue (May 2021)
  • mechanical flaw in calculation of LP share value in a synthetic asset protocol

Bridge attacks

Bridges are complex because they involve multiple chains, and interaction with a third party. Also, from the perspective of a single chain, transfers to that chain just involve unlocking tokens (or minting claim tokens) from the bridge contract.

• Poly network hack (Aug 2021)
  • more commentary here
• Polygon PoS bridge withdrawal bug (Oct 2021)
  • bug allowing repeat withdrawals from the bridge contract

Missing checks

• Polygon lack of balance/allowance check in MRC20 contract (Dec 2021)

Uninitialized proxy

The proxy upgrade pattern is a very popular mechanism for making code upgradeable by moving business logic to an implementation contract while maintaining state on a proxy contract. The proxy contract maintains a (switchable) pointer to the implementation and delegatecalls to the implementation contract for business logic.

• Unfortunately, there at one point there was a vulnerability in the standard OpenZeppelin pattern where the proxy contract could be bricked (funds in the proxy could be stuck permanently) which was fixed here.
• Uninitialized proxy in Harvest finance (bounty) (Nov 2021)
• Uninitialized proxy in Wormhole bridge contract (bounty) (Feb 2022)

Unauthorized access

• Pickle Finance exploit
  • See especially this diagram
  • Pickle Finance was a fork of Yearn; Yearn published this vulnerability disclosure a month earlier
  • Similar problem here
• Parity wallet bug (2017)

Frontend attacks

• BadgerDAO Cloudflare exploit (Dec 2021)
  • frontend attack arising from Cloudflare bug which allowed attackers to preregister API keys by email address without email verification
  • attacker used access to inject malicious scripts that prompted users to authorize tokens via MetaMask.

Logic bugs

Arguably all bugs are logic bugs, but some seem like pure logic issues...

• Compound overdistribution of governance token (Sep 2021)
  • (see also this)
• Popsicle Finance exploit
  • bug in computing users' share of fees when LP shares are transferred
  • notable in that bug had been repeatedly exploited in other contracts, but was missed by creators and auditors
• MonoX hack (Nov 2021)
  • vAMM protocol for trading synthetics
  • when user swaps A for B, vAMM updates price of A to be lower than before, then updates price of B to be higher than before
  • MonoX didn't prevent corner case where A == B, so user could use this to increase price of B
  • attacker used this repeatedly to pump internal price of MONO token, then swap MONO into a lot of real value
• Opyn bug (Aug 2020)
  • bug stemming from special case for ETH transfers

Other

• Interview with whitehat samczsun