Common vulnerabilities in smart contracts
Much of the work in contract audits involves checking contracts for security vulnerabilities. Many vulnerabilities use advanced techniques and strategies to drain funds. For example, market manipulation can be combined with vulnerable smart contracts to conduct flash loan attacks. To discover these problems, auditors of smart contracts will decipher the testing process and simulate malicious attacks on smart contracts.
Common vulnerabilities include:
1. Reentrancy issues: When a smart contract makes an external call to another external contract before any impact has been resolved. Then, because the balance of that original contract has not been updated, the external contract can recursively call that original smart contract and interact with it in a way it should not have.
2. Integer overflow and underflow: When a smart contract performs arithmetic operations, but the output exceeds the storage capacity (usually 18 decimal places). This can cause errors in the calculated amount.
3. Front-running trading opportunities: Poorly structured code can provide early warning of buying or selling in the market. This in turn allows others to use this information to conduct transactions for their own benefit.
4. Platform security vulnerabilities
Most audits include looking at the network hosting the contract and even the API used to interact with the DApp. If a project could be vulnerable to a DDoS attack, or its website UI is compromised, this means users would effectively be connecting their wallets to a malicious blockchain application.