DEV Community

Ahmed Moussa
5 Smart Contract Vulnerabilities Every Developer Should Know in 2026

Smart contracts manage over $90 billion in total value locked across DeFi protocols. Yet the vulnerability classes that enabled the 2016 DAO hack remain present in production code today.

1. Reentrancy — The Vulnerability That Won't Die

The pattern is simple: your contract sends ETH before updating its own state, and the recipient calls back into your contract while the state is stale.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import "@openzeppelin/contracts/utils/ReentrancyGuard.sol";

// VULNERABLE: the external call (interaction) happens before the state update (effect)
contract VulnerableVault {
    mapping(address => uint256) public balances;

    function withdraw() external {
        uint256 amount = balances[msg.sender];
        (bool success, ) = msg.sender.call{value: amount}("");
        require(success);
        balances[msg.sender] = 0; // Too late! The recipient's receive() can re-enter above with the stale balance
    }
}

// FIXED: Checks-Effects-Interactions, with ReentrancyGuard as defense in depth
contract SafeVault is ReentrancyGuard {
    mapping(address => uint256) public balances;

    function withdraw() external nonReentrant {
        uint256 amount = balances[msg.sender];
        balances[msg.sender] = 0; // State update FIRST
        (bool success, ) = msg.sender.call{value: amount}("");
        require(success);
    }
}
```

Detection: Run `slither . --detect reentrancy-eth` on every PR. Use OpenZeppelin ReentrancyGuard.

2. Oracle Manipulation — When Price Feeds Lie

DeFi protocols relying on single-source spot prices are vulnerable to flash loan attacks. The attacker borrows, manipulates the AMM price, triggers liquidation at the wrong price, and repays — all in one transaction.

Fix: Use Chainlink or Uniswap V3 TWAP (30-minute window). Never use `getReserves()` for pricing decisions. Cross-check multiple oracle sources.

Euler Finance lost ~$197M in March 2023 from manipulated collateral values.

3. Access Control Failures

Functions like `mint()`, `pause()`, or `setFee()` left public or external without an access-control modifier. Simple oversight, catastrophic impact.

```solidity
import "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import "@openzeppelin/contracts/access/AccessControl.sol";
// Use OpenZeppelin AccessControl: only holders of MINTER_ROLE can mint
contract Token is ERC20, AccessControl {
    bytes32 public constant MINTER_ROLE = keccak256("MINTER_ROLE");
    constructor() ERC20("Token", "TKN") {
        _grantRole(DEFAULT_ADMIN_ROLE, msg.sender); // admin grants MINTER_ROLE explicitly
    }
    function mint(address to, uint256 amount) external onlyRole(MINTER_ROLE) {
        _mint(to, amount);
    }
}
```

Detection: `slither . --detect suicidal,unprotected-upgrade` catches most patterns.

4. Integer Overflow in Unchecked Blocks

Solidity 0.8+ has built-in overflow protection, but `unchecked` blocks bypass it. Developers use them for gas savings and thereby reintroduce the same pre-0.8 overflow bugs.

Rule: Only use `unchecked` for loop counter increments where overflow is provably impossible. Never for user-controlled inputs.

5. Cross-Chain Message Verification

Bridge exploits produced the largest DeFi losses: Ronin ($624M, 2022), Wormhole ($326M, 2022), Nomad ($190M, 2022).

Every cross-chain message receiver needs 5 checks:

  1. Caller is the bridge contract
  2. Source chain is allowed
  3. Sender is trusted on that chain
  4. Replay protection (message hash dedup)
  5. Payload bounds validation
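A receiver that applies all five checks in one place, as an added example written for this post rather than taken from it or from any particular bridge; the bridge interface, the `bytes32` sender encoding, the 1024-byte payload cap and the `(address, uint256)` payload shape are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import "@openzeppelin/contracts/access/Ownable.sol";

// Hypothetical receiver for a generic bridge endpoint: the bridge calls
// receiveMessage() with the source chain id, the sender on that chain
// (bytes32 so non-EVM addresses fit), a nonce and the raw payload.
contract BridgeReceiver is Ownable {
    address public immutable bridge;                    // check 1: the only allowed caller
    mapping(uint64 => bool) public allowedSourceChain;  // check 2: per-chain allow list
    mapping(uint64 => bytes32) public trustedSender;    // check 3: expected sender per chain
    mapping(bytes32 => bool) public processed;          // check 4: replay protection
    uint256 public constant MAX_PAYLOAD = 1024;         // check 5: assumed size cap

    event MessageHandled(bytes32 indexed msgHash, uint64 srcChain, address recipient, uint256 amount);

    constructor(address bridge_) Ownable(msg.sender) {
        bridge = bridge_;
    }

    // Owner-gated configuration (see section 3: never leave setters like this unprotected)
    function setSource(uint64 chainId, bytes32 sender, bool allowed) external onlyOwner {
        allowedSourceChain[chainId] = allowed;
        trustedSender[chainId] = sender;
    }

    function receiveMessage(uint64 srcChain, bytes32 srcSender, uint64 nonce, bytes calldata payload) external {
        require(msg.sender == bridge, "caller is not the bridge");                               // 1
        require(allowedSourceChain[srcChain], "source chain not allowed");                       // 2
        require(trustedSender[srcChain] == srcSender, "untrusted sender");                       // 3
        require(payload.length > 0 && payload.length <= MAX_PAYLOAD, "payload out of bounds");   // 5 (cheap, before hashing)

        // 4. Replay protection: bind the hash to this chain and this contract so a message
        // delivered to another deployment of the same code cannot be replayed here.
        bytes32 msgHash = keccak256(abi.encode(block.chainid, address(this), srcChain, srcSender, nonce, payload));
        require(!processed[msgHash], "message already processed");
        processed[msgHash] = true; // effect before any further interaction (Checks-Effects-Interactions)

        // 5 (continued): decode only the expected shape and validate the fields
        require(payload.length == 64, "unexpected payload shape"); // abi.encode(address, uint256) is 64 bytes
        (address recipient, uint256 amount) = abi.decode(payload, (address, uint256));
        require(recipient != address(0) && amount > 0, "invalid fields");

        emit MessageHandled(msgHash, srcChain, recipient, amount);
        // application logic (e.g. crediting recipient) would follow here
    }
}
```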

Security Checklist

| Check | Tool |
|---|---|
| Reentrancy | `slither . --detect reentrancy-eth` |
| Access control | `slither . --detect suicidal` |
| Unchecked blocks | `grep -rn unchecked contracts/` |
| Oracle usage | Search for `getReserves` calls |
| All detectors | `slither . --detect all` |

The most effective defense combines automated scanning on every commit, formal verification for critical functions, and manual audit before mainnet.

If you are looking for automated security scanning for your codebase, check out our free security audit API — 10 free scans per month, returns structured vulnerability reports with severity and remediation guidance.
