It’s challenging to imagine Web3 without Smart Contracts; they are the pillars of the whole Web3 infrastructure. Smart Contracts allow us to explore the potential of blockchain technology, and there is still much more to discover. Web3 revolutionises the current world, and the whole of Web3 was possible due to Smart Contracts.
Looking at all the complex things smart contracts enable us to do, and as curious as we humans are, you will surely wonder if smart contracts are all good at one point. Or is there another side to it?
Well, if you ever did, you here have an answer, “Smart Contracts can too have flaws”, Yes, they can, and those flaws can sometimes cost millions of dollars to businesses. How?, Well, those flaws create a space for vulnerabilities. Those vulnerabilities make room for hackers to exploit, which results in hackers taking benefit of the vulnerabilities, and businesses have to face the consequences.
Therefore we must keep our Smart Contracts free from those vulnerabilities. Thus, here we are bringing you some of the advanced vulnerabilities Smart Contracts can have so that you can make better decisions and have a seamless Web3 experience.
This section will help you explore some of the vulnerabilities in smart contracts, which have cost businesses a huge loss. This checklist provides you with an extra layer of security when deploying or developing any smart contracts. All you need to do is take care that your smart contract is free from every vulnerability listed here.
Denial of Service with Block Gas Limit:-
Each block in the ethereum blockchain can spend an upper limit of 10,000,000 gas amount for computation. Thus when the gas consumed on any transaction exceeds this limit, then this leads to the denial of service, and the transaction fails. This happens especially in the case when the size of arrays is unknown.
Denial of Service with Failed Call:-
Even external calls in a smart contract can fail. This can happen by accident, primarily due to programming errors. However, an attacker can also do it intentionally by combining several calls in a single transaction and executing in a loop.
Randomness Using “Block Hash”:-
Randomness is extremely useful in some functionalities, and block hash can be used for that purpose. Still, the catch is that it can be manipulated like a timestamp because it is predictable by the miners, so using block hash as a source of randomness should be taken care of.
Usage of ‘tx.origin’:-
It is a global variable of solidity that returns the address of the transaction initiator; its usage can sometimes attract the attention of adversaries to imitate the initiator, which can make the contract vulnerable, These are directed on the wallet-type smart contracts.
Solidity uses some data types to store the value. These data types have an upper limit and a lower limit for storing an integer. For example, a data type may only be able to store numbers -7 to 7. If any operation results in any number greater than the value a data type can hold, then an ambiguous or garbage value is returned, distorting the whole calculation.
Recursive call attack is pretty famous. This happens when a malicious contract calls back into the calling contract before the first invocation of the function can finish, thus making it recursive in nature. This can result in the attacker making repetitive withdrawals without affecting the balance.
When an exception is raised due to the calling of another contract but not reported back to the called contract, this can lead to threats. It can attract attacks to use malicious code in contracts.
When ethers are transferred to a smart contract via send functionality and if the fallback function in the contract has a gas limit of twenty-three hundred units, an out-of-gas exception occurs. Malicious users can benefit from this vulnerability if this exception is not handled properly.
Call to the Unknown:-
This vulnerability is due to the attempt to use a functionality of another contract, but the other contract does not exist, or the given address is incorrect.
The ‘abi.encodePacked()’ can lead to a hash collision in some specific situations due to multiple variable-sized parameters. The abi.encodePacked() packs the element regardless of its original order, which can be exploited by an attacker by a change in the position of elements.
Insufficient Gas Griefing:-
When a sub-call fails, the whole transaction can be reverted. This can allow an attacker to effectively censor transactions by using just enough gas to execute the transaction but not enough for the sub-call to succeed.
Unprotected Ether Withdrawal:-
This vulnerability has to do with the missing or inadequate access control in the contract. Like improper naming of the functions intended to be constructors can be accessed by malicious users reinitiating the contract.
Always use the latest versions of the solidity smart contract. Using outdated ones might introduce bugs that attackers can use to perform unauthorized actions.
Delegate Calls have a context-preserving nature which can result in the creation of vulnerabilities when it runs in the context of other applications. It can lead to unexpected execution, such as self-destruction.
Unprotected to Self Destruct:-
The self-destruct functionality has a feature to transfer ether to a predefined contract in case executed. But if access controls are not managed properly, a malicious user can destroy the contract to snip all ethers of the contract.
These were some vulnerabilities commonly encountered while auditing a project, which has been known to have caused huge damage to businesses. Thus, having them fixed before getting the contract in use is crucial.
This checklist will help you keep your contracts secured from many types of smart contract attacks, incorporate this checklist in your development process to reduce the risk of getting hacked and provide users with secure and safe services and help QuillAudit’s mission to make Web3 a safer place by doing so.
When it comes to security and auditing as a service, smart contract auditing companies in India are doing exceptionally well. This field is being hugely explored by the skillful Indian developers making India become the powerhouse in the security sector. The future holds many opportunities in this sector and the world is seeing Indian auditing companies to be leading the field in the near future.
Interesting Related Article: “