Web3 Security
🔥 Advanced

Blockchain & Smart Contract Security

Blockchain and smart contract security focuses on vulnerabilities in decentralized applications (dApps), DeFi protocols, and cryptocurrency systems. Unlike traditional applications, smart contract bugs are immutable once deployed—a single vulnerability can result in millions of dollars stolen. This guide covers Solidity security, common attack patterns, and audit methodology.

Immutability = Permanent Bugs

Smart contracts deployed on Ethereum mainnet are immutable (unless using proxy patterns). A vulnerability cannot be patched—it remains exploitable forever. Always audit on testnets (Goerli, Sepolia) before mainnet deployment.

Smart Contract Attack Surface

🔮 Smart Contract

  • Reentrancy vulnerabilities
  • Integer overflow/underflow
  • Access control bugs
  • Front-running attacks
  • Delegatecall injection

💼 DeFi Protocol

  • Flash loan attacks
  • Oracle manipulation
  • Liquidity pool exploits
  • Price manipulation
  • Governance attacks

👛 Wallet/User

  • Phishing attacks
  • Private key theft
  • Malicious transaction signing
  • Rug pulls / exit scams
  • Social engineering

Common Smart Contract Vulnerabilities

1. Reentrancy (The DAO Hack)

Making an external contract call before updating state allows an attacker to re-enter the function recursively and drain funds. This was the bug behind the famous $60M DAO hack in 2016.

victim.call.value(amount)(""); // BAD: sends ETH before updating balance

2. Integer Overflow/Underflow

Arithmetic that exceeds the uint256 maximum (2^256-1) wraps around to zero, and subtracting below zero wraps around to the maximum. Fixed in Solidity 0.8.0+, which adds automatic overflow and underflow checks.

uint256 balance = 0; balance -= 1; // underflows to MAX_UINT

3. Access Control Bugs

Missing or incorrect onlyOwner modifiers allow unauthorized users to call privileged functions.

function withdrawAll() public {} // BAD: anyone can withdraw

4. Unchecked External Calls

Failing to check the return value of send() or call() can result in silent failures: the transfer fails but execution continues as if it had succeeded.

addr.send(amount); // BAD: doesn't revert on failure

Famous DeFi Hacks

Date     Project        Loss   Vulnerability
2016-06  The DAO        $60M   Reentrancy attack
2021-08  Poly Network   $610M  Cross-chain bridge exploit
2022-03  Ronin Network  $625M  Validator key compromise
2022-10  Mango Markets  $114M  Oracle price manipulation

Smart Contract Testing Tools

Static Analysis

  • Slither (Trail of Bits)
  • Mythril
  • Securify
  • Manticore

Fuzzing

  • Echidna
  • Foundry (forge fuzz)
  • Harvey
  • Diligence Fuzzing

Testing Frameworks

  • Hardhat
  • Foundry
  • Truffle
  • Brownie

The $90B Lesson

Over $3 billion has been stolen from DeFi protocols since 2020. The majority of hacks exploit basic vulnerabilities (reentrancy, access control, oracle manipulation). Always get a professional audit before mainnet deployment.

Audit Checklist

  • Reentrancy: Checks-Effects-Interactions pattern enforced?
  • Access Control: All privileged functions have proper modifiers?
  • Integer Arithmetic: Using SafeMath or Solidity 0.8.0+?
  • External Calls: Return values checked? Gas limits considered?
  • Oracle Security: Using decentralized oracles (Chainlink)? Time-weighted average price (TWAP)?
  • Flash Loan Resistance: Critical operations protected against single-block attacks?
  • Upgradeability: If using proxies, is upgrade mechanism secure?
  • Front-Running: Critical functions protected against MEV attacks?
