This repository contains examples of common Ethereum smart contract vulnerabilities, including code from real smart contracts. Use Not So Smart Contracts to
- learn about EVM and Solidity vulnerabilities
- as a reference when performing security reviews
- and as a benchmark for security and analysis tools.
Each Not So Smart Contract includes a standard set of information:
- Description of the unique vulnerability type
- Attack scenarios to exploit the vulnerability
- Recommendations to eliminate or mitigate the vulnerability
- Real-world contracts that exhibit the flaw
- References to third-party resources with more information
| Not So Smart Contract | Description |
|---|---|
| Bad randomness | Contract attempts to get on-chain randomness, which can be manipulated by users |
| Dangerous Strict Equalities | Use of strict equalities that can be easily manipulated by an attacker. |
| Denial of Service | Attacker stalls contract execution by failing in strategic way |
| Forced Ether Reception | Contracts can be forced to receive Ether |
| Honeypots | Adversarial contracts that use obscure edge cases in a wide selection of solidity compiler versions to steal money from you when you think you're taking money from them |
| Integer Overflow | Arithmetic in Solidity (or EVM) is not safe by default |
| Race Condition | Transactions can be frontrun on the blockchain |
| Reentrancy | Calling external contracts gives them control over execution |
| rtlo | Usage of malicious unicode character. |
| Tautology | Usage of always boolean expressions that are always true. |
| Unprotected Function | Failure to use function modifier allows attacker to manipulate contract |
| Unused Return Value | Return values from calls that is not used. |
These examples are developed and maintained by Trail of Bits. Contributions are encouraged and are covered under our bounty program.
If you have questions, problems, or just want to learn more, then join the #ethereum channel on the Empire Hacking Slack or contact us directly.