Five Common Smart Contract Bugs
Most security bugs in smart contracts end up with a similar impact: you can abuse them to withdraw or destroy tokens that are not yours.
We’d like to introduce Jonathan Dupre, our latest vCISO at Cloud Security Labs. This is his introductory article on Last Week As A vCISO. You can see some of his previous writings at jonathandupre.com.
Common Smart Contract Bugs
Some of the more common bugs involved in major crypto security incidents include:
Reentrancy: May allow you to drain funds from a contract by invoking a function as many times as you want.
Unprotected function: May allow you to drain funds from a contract or make it self-destruct by using a public function.
Insufficient checks/validation: May let you drain funds from a contract by calling functions you shouldn't be allowed to.
Error in reward calculation logic: May let you make unfair swaps by abusing a logical error.
Integer overflow/underflow: May let make unfair swaps by turning a small number into a bigger one and the other way around.
Security budgets often go to smart contract audits, but it's not just bugs in the software that you want to find.
You also want to find bugs in the
Economic design of your crypto system
The configuration of your crypto system
Operation of your crypto system
A History Of Smart Contract Security
In 2021, 40% of incidents involving loss of funds involved one or more of the following events:
Price manipulation with flash loans: Flash loans allow you to borrow large sums of money as long as you repay it before the end of the transaction. Attackers use these to abuse economic design flaws.
Abuse of a misconfiguration: Smart contract, like other software, receives a configuration when it's deployed. IT operational mistakes lead to misconfigurations. Attackers abuse these misconfigurations to steal or destroy tokens.
Private key compromise: Attackers steal private keys through tactics like spear phishing. Access to these keys gives them to ability to steal or destroy funds. This is an operational security concern.
Smart Contract Audits Don't Cover All Information Risk
Many organizations will conduct an audit or pentest and think they have covered everything from a security point of view. However, there is no one silver bullet.
Security teams should spend at least a quarter of their budget to review crypto economic system design, secure IT operations (DevSecOps), and operational security.