Top 10 smart contract vulnerabilities on Ethereum
Understand what are the most common security threats within the Ethereum Smart Contracts
NCC group started an initiative called DASP for Decentralized Application Security Project in 2018. It covers the top 10 vulnerabilities found in smart contracts running on the Ethereum blockchain.
This is a quick summary of the top 10:
Reentrancy: Occurs when external contract calls are allowed to make new calls to the calling contract before the initial execution is complete. For example, we call to another function before to update the contract value.
Access Control: When the smart contract is created the owner has to be setup properly and afterwards enough controls have to be in place to allow certain functions to be executed only by the owner.
Arithmetic Issues: Integer underflows or overflows might be an issue when dealing with the contract’s value.
Unchecked Return Values For Low Level Calls: Low level functions
send()can return false. We must verify the return value before assume that it was executed successfully.
Denial of Service: When dealing with smart contracts, gas prices are important. In a DOS attack for smart contracts, the gas price is higher than the maximum gas price allowed. Therefore, the contract cannot be run.
Bad Randomness: Smart contracts are publicly open on the blockchain. Do not codify any pseudo-random logic on them and use an external oracle as a source of entropy.
Front-Running (Race conditions): Users can specify higher fees to have their transactions mined more quickly than others. A malicious user can overrun another transaction by sending their transaction with higher fees to preempt the original transaction.
Time manipulation: If there is a time dependency built-in in the smart contract, a malicious miner could hold their stake to adapt to the specified timestamp.
Short Address Attack: Smart contract addresses are uint256, if a developer only uses uint the EVM will pad with zeroes the remaining bytes manipulating the recipient address.
Unknown Unknowns: Solidity is a new computer language… anything can happen.
More info: https://www.dasp.co/
SWC Registry: Smart Contract Weakness Classification and Test Cases
The SWC Registry is also another great resource to classify Web3 vulnerabilities properly. Similar to the MITRE CWE.