Smart Contracts & Associated Security Risks

What are smart contracts?

Smart contracts are digital contracts stored on a blockchain that are automatically executed when predetermined terms and conditions are met.

Smart contracts are typically used to automate the execution of an agreement so that all participants can be immediately certain of the outcome, without any intermediary’s involvement or time loss. They can also automate a workflow, triggering the next action when predetermined conditions are met.

Take one use case as an example Proof of Reserve (PoR) enabling smart contracts to audit the true collateralization of any on-chain asset backed by off-chain reserves such as fiat-backed stablecoins, cross-chain tokens, tokenized assets, and more.

Securing Smart Contracts and Their Major Vulnerabilities

Reentrancy Attacks: A reentrancy attack happens when a function is externally invoked during its execution, allowing it to be run multiple times in a single transaction. This typically occurs when a contract calls another contract before it resolves its state.

Integer Overflow and Underflow: Integer overflow and underflow occur when arithmetic operations exceed the maximum or minimum size that an integer-type variable can hold, causing the value to wrap around to the opposite extreme.

Timestamp Dependence: Contracts that depend on block timestamps for critical operations are susceptible to manipulation, as miners can slightly adjust the timestamps.

Access Control Vulnerabilities: Access control vulnerabilities exist when a contract fails to properly restrict who can call certain functions. This can result in unauthorized function calls.

Front-running Attacks: Front-running happens when someone sees a pending transaction and manages to get their own transaction processed first by offering a higher gas price. This is possible in public blockchain networks like Ethereum where transaction data is publicly accessible before being mined.

Denial of Service (DoS) Attacks: Denial of Service (DoS) is an attack where an adversary manages to halt the normal operations of a smart contract, making it unavailable to users.

Logic Errors: Logic errors occur when the contract’s code doesn’t correctly implement the intended logic. This might be due to misunderstanding, error, or omission on the developer’s part.

Insecure Randomness: Generating randomness in Ethereum is challenging because every node must come to the same conclusion on the state of the blockchain. Hence, naive approaches to generate randomness can be manipulated by miners or observant attackers.

Gas Limit Vulnerabilities: If a function requires more gas than the block gas limit to complete its execution, it will inevitably fail. These vulnerabilities typically occur in loops that iterate over dynamic data structures.

Unchecked External Calls: In Ethereum, when a contract calls another contract, the called contract can fail silently without throwing an exception. If the calling contract doesn’t check the outcome of the call, it might assume that the call was successful, even if it wasn’t.

How can Bright Disruptive Labs help you here?

We leverage a manual review approach for smart contracts security assessment by leveraging tools like: https://www.openzeppelin.com/

Please contact us for more information!