top of page

Smart Contract Vulnerabilities and How to Prevent Them

Smart contracts operate on the blockchain, executing transactions automatically without the need for any manual intervention or approval. Each smart contract operates based on specific conditions and cannot deviate from these conditions. For example, simple conditions like "if condition A is met, execute action B" are often used. However, over time, this technology has advanced, allowing for more complex transactions with multiple conditions.


Smart contracts form the backbone of the blockchain-based economy. If you have ever used a decentralized finance platform or conducted transactions on an NFT platform, you have interacted with smart contracts. Currently, efforts are underway to enable banking services and payment systems to operate on the blockchain through smart contracts.


The more advanced the blockchain network becomes, the more functions smart contracts can perform. As a result, these networks are increasingly attracting entrepreneurs. Ethereum, with its extensive use of smart contracts, has become the central infrastructure for decentralized finance and NFT platforms.


img source:chainlink onchain and offchain smart contracts


Despite the various benefits of smart contracts, these systems are not flawless. Blockchain networks cannot exchange data with each other, leading to bridge solutions that rely entirely on automated mechanisms based on smart contracts. These bridge solutions enable the transfer of assets from one blockchain network to another. However, in recent times, we have witnessed several smart contracts, including bridge solutions, being hacked.


How Can Users Avoid the Risks of Smart Contracts?


Today, there are a wide variety of decentralized finance and NFT platforms available. Users on these platforms are exposed to various risks because they conduct transactions using smart contracts.


The cryptocurrency ecosystem still consists of highly experimental and evolving technologies. Therefore, conducting transactions on well-known platforms that have been in operation for a long time and have met a certain level of trust and customer satisfaction will greatly reduce the risk probability.


Are smart contracts safe ?

Smart contracts created by platforms must interact with your wallet to complete a transaction. Asset transfers from the wallet cannot be made without the user's approval. It is crucial to read the confirmation messages that arrive in your wallet as soon as you send a transaction request. These messages may be seeking permissions far beyond the intended transaction. In such a case, refusing consent is sufficient. Otherwise, you may inadvertently hand over access to your entire wallet to a hacker while trying to perform a simple transaction.




Additionally, if you want to transact on a platform you are unfamiliar with and do not trust, it is one of the safest methods to start by creating a new empty wallet, testing the platform with a small amount of funds, and transferring the actual amount to the new wallet if everything appears to be in order.


Finally, syncing your browser-based wallet with your hardware wallet will maximize your security. This is because hardware wallets add a second approval process for completing transactions. Even if an incorrect transaction is made from the browser-based wallet, you will have another chance to rectify the error using the hardware wallet.



Most Common Smart Contract Errors


  • Reentrancy Attacks Reentrancy attacks occur when transactions are sent to a smart contract in quick succession. When the contract attempts to move to another transaction before completing the current one, unexpected errors can arise. Hackers exploit these errors to maliciously manipulate the contract.

Although reentrancy attack is considered quite old over the past two years, there have been cases

  • Uniswap/Lendf.Me hacks (April 2020) – $25 mln, attacked by a hacker using a reentrancy.

  • The BurgerSwap hack (May 2021) – $7.2 million because of a fake token contract and a reentrancy exploit.

  • The SURGEBNB hack (August 2021) – $4 million seems to be a reentrancy-based price manipulation attack.

  • CREAM FINANCE hack (August 2021) – $18.8 million, reentrancy vulnerability allowed the exploiter for the second borrow.

  • Siren protocol hack (September 2021) – $3.5 million, AMM pools were exploited through reentrancy attack. Source: Link



  • Integer Arithmetic Errors These errors relate to the type of numbers used when processing data within the contract. For example, it is more accurate for a function to operate in cents rather than USD, as using the latter can lead to errors, especially with amounts like 0.5 USD. Therefore, contracts are typically coded with minimized variables that can handle up to 18 decimal places.


  • Incorrect Calculation Similar to the previous point, this error arises from mathematical functions within the contract not working correctly. If the contract fails to accurately calculate fractions, commission fees, or transaction order for large-scale operations, it can result in significant financial losses.

  • Front Running Attacks Smart contracts can be conditioned for companies or individuals to execute their own strategies. For instance, an automated smart contract can be created to exploit arbitrage opportunities. However, since transactions are public, hackers can identify such contracts. Once detected, a hacker can pay a higher commission than the smart contract to prioritize their own transaction, exploiting the arbitrage opportunity and causing a loss for the smart contract.



How can you protect yourself or your project?

1. Smart contract Audit

The safest approach for individuals or companies developing smart contracts is to obtain services from auditing firms specializing in security services in this field. However, it's important to note that if any part of the contract is altered after the audit, the audit process may need to be repeated, making such services costly.


2. Bug Bounties

Another method is to initiate a bug bounty program after an internal audit of the contract. A bug bounty program involves companies setting a reward and inviting the public, often via social media, to identify vulnerabilities in their contracts. Those who find vulnerabilities and report them to the company can receive the reward. This way, smart contracts undergo scrutiny by thousands of individuals rather than just a few, enhancing security.


Both methods have various benefits and costs. However, it is not possible to claim that contracts are 100% secure with either method. Even if it's just a 0.01% chance, it's essential to acknowledge that there will always be a margin of error. In fact, it's crucial not to forget that even platforms established with significant budgets can be hacked due to simple mistakes.


For example, Ethereum DAO smart contract was hacked using the Reentrancy Attack method in 2016, resulting in the theft of 3.6 million ETH. The hacker successfully disrupted the contract's operation by sending consecutive withdrawal requests. Similarly, in 2017, Veritasium lost 8.4 million USD to the same reentrancy attack method.


3. Proper Project management

Attempting to accelerate the software process or momentary carelessness can lead to significant losses. Attacks based on incorrect calculations or instructions mentioned in points 2 and 3 resulted in the hacking of the Yearn Finance platform. After a contract that had been mistakenly present on the platform for over three years was discovered by a hacker, the hacker sent 10,000 USDT to the platform and managed to mint 1.2 quadrillion USDC tokens.



img source: https://pbs.twimg.com/media/Ftkzc-TaMAERjiA?format=webp&name=large



These tokens were later exchanged for other stablecoins and ETH, causing an $11.6 million loss. The reason for the contract's error was that the developer directed it to the iUSDT address instead of the iUSDC address. This shows that even a single letter difference in wallet addresses can lead to contract vulnerabilities.


In addition to common technical errors, we occasionally see the use of social engineering and classic methods. In the recent past, the hack of the Ronin bridge, resulting in the theft of 600 million USD in assets, is a prime example. The hacker sent fake job offers to the platform's developers and received responses from a developer. After a few fake interviews, a PDF containing a job offer was sent to the developer. When the PDF was opened, a virus infiltrated the developer's computer and allowed the theft of private key information. Using this information, the hacker successfully manipulated the wallet.


As seen in the last point, we witness various hack attacks causing significant damage not only through technical means but also by exploiting human vulnerabilities.




The Future of Smart contracts

Today, communication systems between platforms have significantly improved. Audit companies and artificial intelligence and bot systems created for this purpose promptly report any suspicious transactions they detect. Thanks to these notifications, platforms can quickly take action to either minimize or completely prevent losses.


The process of laundering stolen funds has also become more challenging after a hack. The wallet responsible for the attack is flagged, making it impossible to transfer the money to exchanges and consequently to banks. Even if the money has entered an exchange, it has become commonplace for the exchange to seize these funds and return them to the platform.


Furthermore, stablecoin companies blacklist assets if they have been converted into stablecoins. This makes it impossible to convert the stablecoin back into fiat currency (USD, Euro, etc.).


All these measures have led to a significant increase in the number of white hat hackers. These hackers can be described as a cooperative hacker group. white hat hackers occasionally prevent malicious hackers' operations and receive commissions from platforms, and sometimes they themselves carry out hack attacks, returning assets to the platform in exchange for a commission, often around 10%. The community generally considers such requests reasonable because they help identify vulnerabilities in smart contracts without causing significant losses to platforms.


Smart contracts contribute to increasing the value generated by blockchain networks and enable users to easily use platforms. However, it's essential to remember that they are still a developing and experimental field, and the risks they pose need to be carefully considered.


To Learn About Smart Contracts, Cryptocurrencies and stay clear of vulnerabilities take a look at the certified auditor program below!




bottom of page