Nov 29, 2022

EVM Smart Contracts Security

Critical Severity:

  1. Reentrancy Attacks:

    • Contracts allowing an attacker to re-enter a function before the previous execution completes, enabling unauthorized fund transfers.

  2. Integer Overflow/Underflow:

    • Improper handling of arithmetic operations leading to unexpected behavior, such as wrapping or invalid calculation of values.

  3. Authorization & Access Control:

    • Lack of proper access controls allowing unauthorized users to execute sensitive functions or modify critical data.

  4. Unchecked External Calls:

    • Contracts interacting with external contracts or addresses without validating return data, leading to potential vulnerabilities.

  5. Denial of Service (DoS):

    • Vulnerabilities that could allow attackers to block the contract’s functionality or make it excessively expensive to use.

High Severity:

  1. Unchecked Return Values:
    • Ignoring return values of external calls, which might lead to unexpected behavior or vulnerabilities.
  2. Front-Running Attacks:
    • Vulnerabilities where attackers exploit transaction ordering to their advantage, typically in decentralized finance (DeFi) applications.
  3. Gas Limit & Loops:
    • Potential risks related to gas limits and excessive gas consumption due to inefficient or infinite loops.
  4. Timestamp Dependence:
    • Vulnerabilities arising from the dependence on block timestamps, which can be manipulated by miners.

Medium Severity:

  1. External Dependency Risks:
    • Contracts relying on external data sources or oracles without implementing proper security measures.
  2. Weak Randomness Sources:
    • Using predictable or unreliable sources for randomness, which can be exploited in gaming or gambling contracts.
  3. Unused Variables & Functions:
    • Unintended leftover or unused code that might have security implications or affect contract behavior.

Low Severity:

  1. Documentation & Clarity:

    • Lack of comprehensive comments and documentation, making it difficult for auditors and developers to understand the contract logic.

  2. Code Readability & Optimization:

    • Code that is hard to read or unnecessarily complex, potentially leading to errors or inefficiencies.

Advised practices:

  1. Reentrancy Attacks:

    • Implement the "Checks-Effects-Interactions" pattern to minimize reentrancy risks.
    • Use the "withdraw pattern" where external calls are made after updating state variables.

  2. Integer Overflow/Underflow:

    • Use SafeMath libraries or in-built language features to prevent arithmetic vulnerabilities.
    • Perform boundary checks and ensure data types are suitable to prevent overflows/underflows.

  3. Authorization & Access Control:

    • Use access control mechanisms like role-based permissions or whitelisting.
    • Implement proper authentication and authorization checks for sensitive functions.

  4. Unchecked External Calls:

    • Validate return data from external calls and use checks to handle failures.
    • Use known and audited external contracts and interfaces wherever possible.

  5. Denial of Service (DoS):

    • Limit gas consumption and utilize gas stipends judiciously.
    • Implement circuit breakers or limits on repetitive or expensive operations.

  6. Unchecked Return Values:

    • Always check and handle return values from external calls.
    • Use error handling mechanisms to prevent unexpected behavior.

  7. Front-Running Attacks:

    • Implement measures like commit-reveal schemes or random ordering to mitigate front-running.
    • Use time locks or delay mechanisms for critical transactions.

  8. Gas Limit & Loops:

    • Optimize contract logic to avoid gas-intensive operations.
    • Implement gas limits and use loop guards to prevent infinite loops.

  9. Timestamp Dependence:

    • Use block numbers or other secure sources instead of relying solely on timestamps.
    • Implement mechanisms that are resistant to manipulation based on block timestamps.

  10. External Dependency Risks:

    • Use trusted and decentralized oracles for external data sources.
    • Implement multiple data sources and consensus mechanisms for critical decisions.

  11. Weak Randomness Sources:

    • Use secure and decentralized sources for generating random numbers.
    • Implement verifiable randomness or commit-reveal schemes.

  12. Unused Variables & Functions:

    • Conduct regular code reviews and remove any unused or deprecated code.
    • Document reasons for unused code and ensure it's not vulnerable if present.

  13. Documentation & Clarity:

    • Maintain comprehensive and clear documentation explaining contract functionality and interactions.
    • Use standardized naming conventions and comments for improved readability.

  14. Code Readability & Optimization:

    • Write clean, modular, and well-commented code to enhance readability.
    • Optimize contract code for efficiency and cost-effectiveness where possible.

Also check out:

https://immunefi.com/immunefi-top-10/

https://samczsun.com/the-dangers-of-surprising-code/

Thanks for reading! If you want to see future content, you can follow me on Twitter or get connected over at LinkedIn.

← Older
Uniswap 3.0
Newer →
EVM Development Toolchains

Support My Content

If you find my content helpful, consider supporting a humanitarian cause (building homes for elderly people in rural Terai region of Nepal) that I am planning with your donation:

Ethereum (ETH)

0xb0b1B20062DA9Dd7BaA4D5b088DF49dbe4b46fF2

Thank you for your support!