DeFi protocols lost over $2 billion to exploits in 2025. Here are the 5 most common vulnerability patterns — and how to prevent them.
1. Reentrancy Attacks (Still!)
Yes, it's 2026 and reentrancy is STILL the #1 killer. The classic pattern:
// ❌ Vulnerable
function withdraw(uint amount) external {
    require(balances[msg.sender] >= amount);
    (bool success, ) = msg.sender.call{value: amount}("");
    require(success);
    balances[msg.sender] -= amount; // State update AFTER external call
}

// ✅ Fixed (Checks-Effects-Interactions)
function withdraw(uint amount) external {
    require(balances[msg.sender] >= amount);
    balances[msg.sender] -= amount; // State update BEFORE external call
    (bool success, ) = msg.sender.call{value: amount}("");
    require(success);
}
Why it still happens: Cross-function and cross-contract reentrancy are harder to detect than the basic pattern. Read-only reentrancy through view functions is the latest evolution.
Prevention: Use OpenZeppelin's ReentrancyGuard, follow the CEI pattern, and audit ALL external calls.
2. Oracle Manipulation
Price oracles are the backbone of DeFi. Manipulate the price feed, manipulate everything.
// ❌ Vulnerable - spot price from AMM
function getPrice() public view returns (uint) {
    (uint reserve0, uint reserve1, ) = pair.getReserves();
    return reserve1 * 1e18 / reserve0; // Easily manipulated via flash loan
}

// ✅ Fixed - TWAP oracle
function getPrice() public view returns (uint) {
    return oracle.consult(token, 1e18, TWAP_PERIOD); // Time-weighted average
}
The attack: Flash loan → manipulate AMM reserves → call vulnerable protocol → profit → repay flash loan. All in one transaction.
Prevention: Use Chainlink oracles, implement a TWAP with a sufficient window (30+ minutes), and add price deviation checks.
3. Deadline and Slippage Bugs
This one is subtle but devastating. Setting deadline: block.timestamp is the same as setting no deadline at all:
// ❌ Vulnerable
router.swapExactTokensForTokens(
    amountIn,
    amountOutMin,
    path,
    address(this),
    block.timestamp // Always passes! Miners can hold tx
);
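
// ✅ Fixed
// Note: block.timestamp + 300 computed inside the contract would also always
// pass, because it is evaluated when the transaction executes.
router.swapExactTokensForTokens(
    amountIn,
    amountOutMin,
    path,
    address(this),
    deadline // Caller-supplied timestamp set off-chain (e.g. now + 5 minutes)
);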
Similarly, setting amountOutMinimum = 0 means accepting ANY slippage — a gift to MEV bots.
Prevention: Always use meaningful deadlines and calculate minimum output amounts based on oracle prices.
4. Access Control Failures
Missing or incorrect access controls let attackers call admin functions:
// ❌ Vulnerable - anyone can call
function setFeeRecipient(address _new) external {
    feeRecipient = _new;
}

// ✅ Fixed
function setFeeRecipient(address _new) external onlyOwner {
    feeRecipient = _new;
}
More subtle cases include:
- Functions that should be internal but are public
- Missing checks on msg.sender in proxy patterns
- Unprotected initializer functions
Prevention: Use OpenZeppelin's Ownable or AccessControl, audit visibility modifiers, and protect initializers with the initializer modifier.
5. ERC4626 Share Inflation (First Depositor Attack)
The newest pattern targeting vault protocols:
1. Attacker deposits 1 wei → gets 1 share
2. Attacker donates 1M tokens directly to vault
3. Now 1 share = 1M + 1 tokens
4. Victim deposits 999K tokens → gets 0 shares (rounded down)
5. Attacker redeems 1 share → gets everything
Prevention:
- Mint dead shares on first deposit (virtual offset)
- Use OpenZeppelin's ERC4626 with virtual shares/assets
- Require minimum initial deposit
// OpenZeppelin's approach
function _decimalsOffset() internal pure override returns (uint8) {
    return 3; // Virtual offset prevents inflation
}
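To check that an offset actually protects the first depositor, the five steps above can be replayed against a small model of the share math. This is an added Python example, not code from the post or from OpenZeppelin; the Vault class, the 18-decimal token and the amounts in wei are constructed for illustration, and the offset branch is a simplified model of the virtual shares/assets conversion.

```python
from dataclasses import dataclass
from typing import Optional

TOKEN = 10**18                    # constructed: 18-decimal asset
DONATION = 1_000_000 * TOKEN      # step 2 above
VICTIM_DEPOSIT = 999_000 * TOKEN  # step 4 above

@dataclass
class Vault:
    offset: Optional[int] = None  # None = naive math; int = decimals offset
    total_assets: int = 0
    total_supply: int = 0

    def to_shares(self, assets: int) -> int:
        if self.offset is None:   # naive: 1:1 on first deposit, then pro rata
            if self.total_supply == 0:
                return assets
            return assets * self.total_supply // self.total_assets
        # virtual shares and one virtual asset, rounded down
        return assets * (self.total_supply + 10**self.offset) // (self.total_assets + 1)

    def to_assets(self, shares: int) -> int:
        if self.offset is None:
            return shares * self.total_assets // self.total_supply
        return shares * (self.total_assets + 1) // (self.total_supply + 10**self.offset)

    def deposit(self, assets: int) -> int:
        shares = self.to_shares(assets)
        self.total_assets += assets
        self.total_supply += shares
        return shares

    def redeem(self, shares: int) -> int:
        assets = self.to_assets(shares)
        self.total_assets -= assets
        self.total_supply -= shares
        return assets

def run_scenario(offset: Optional[int]):
    """Replay the five steps; return (victim_shares, attacker_profit_in_wei)."""
    vault = Vault(offset)
    attacker_shares = vault.deposit(1)             # step 1: 1 wei
    vault.total_assets += DONATION                 # step 2: transfer, no shares minted
    victim_shares = vault.deposit(VICTIM_DEPOSIT)  # step 4
    attacker_out = vault.redeem(attacker_shares)   # step 5
    return victim_shares, attacker_out - (1 + DONATION)

if __name__ == "__main__":
    for label, off in (("naive", None), ("offset=3", 3)):
        print(label, run_scenario(off))
```

With the naive math the victim receives 0 shares and the attacker's profit equals the victim's deposit; with an offset of 3 the victim receives shares and the attacker ends with a loss, because part of the donation accrues to the virtual shares.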
The Common Thread
All five vulnerabilities share one trait: they're well-known but keep getting deployed. The fix is rarely complex — it's about awareness and thorough auditing.
Your Security Checklist
- [ ] Reentrancy guards on all external calls
- [ ] TWAP or Chainlink oracles (never spot prices)
- [ ] Meaningful deadlines and slippage parameters
- [ ] Access control on every state-changing function
- [ ] First depositor protection on vault contracts
- [ ] Professional security audit before mainnet
Building in DeFi? Get your contracts audited before someone else finds the bugs. Follow for more security deep-dives.