All Vulnerabilities
Browse our complete database of 38 smart contract vulnerabilities
Showing 38 vulnerabilities
Delegatecall Untrusted Callee
Delegatecall to Untrusted Callee `Delegatecall` is a special variant of a message call. It is almost identical to a regular message call except the t...
Insufficient Access Control
Insufficient Access Control Access control is often imperative in management and ownership of smart contracts. It's important to consider ways in whi...
Off By One
Off-By-One Off-by-one errors are a common mistake made by programmers in which the intended boundaries are incorrect by only one, though these errors...
Overflow Underflow
Integer Overflow and Underflow In solidity, Integer types have maximum and minimum values. Integer overflow occurs when an integer variable exceeds th...
Reentrancy
Reentrancy Reentrancy is an attack that can occur when a bug in a contract may allow a malicious contract to reenter the contract unexpectedly during...
Dos Gas Limit
DoS with Block Gas Limit One of the primary benefits of a block gas limit is that it prevents attackers from creating an infinite transaction loop. I...
Dos Revert
DoS with (Unexpected) revert A DoS (Denial of Service) may be caused when logic is unable to be executed as a result of an unexpected revert. This ca...
Insufficient Gas Griefing
Insufficient Gas Griefing Insufficient gas griefing can be done on contracts which accept data and use it in a sub-call on another contract. This met...
Missing Protection Signature Replay
Missing Protection against Signature Replay Attacks Sometimes in smart contracts it is necessary to perform signature verification to improve usabili...
Signature Malleability
Signature Malleability It's generally assumed that a valid signature cannot be modified without the private key and remain valid. However, it is poss...
Timestamp Dependence
Timestamp Dependence **NOTE: This vulnerability no longer affects Ethereum mainnet as of the Proof of Stake merge. [Read more](https://ethereum.stack...
Unsecure Signatures
Unsecure Signatures......
Weak Sources Randomness
Weak Sources of Randomness from Chain Attributes Using chain attributes for randomness, e.g.: `block.timestamp`, `blockhash`, and `block.difficulty` ...
Arbitrary Storage Location
Write to Arbitrary Storage Location Only authorized addresses should have access to write to sensitive storage locations. If there isn't proper autho...
Assert Violation
Assert Violation In Solidity `0.4.10`, the following functions were created: `assert()`, `require()`, and `revert()`. Here we'll discuss the assert f...
Asserting Contract From Code Size
Asserting contract from Code Size A common method for asserting whether a sender is a contract or EOA has been to check the code size of the sender. ...
Authorization Txorigin
Authorization Through tx.origin `tx.origin` is a global variable in Solidity which returns the address that sent a transaction. It's important that y...
Hash Collision
Hash Collision when using `abi.encodePacked()` with Multiple Variable-Length Arguments In Solidity, the `abi.encodePacked()` function is used to crea...
Inadherence To Standards
Inadherence to Standards In terms of smart contract development, it's important to follow standards. Standards are set to prevent vulnerabilities, an...
Incorrect Constructor
Incorrect Constructor Name > [!NOTE] > This vulnerability is relevant to older contracts using Solidity versions before `0.4.22`. Modern Solidity v...
Incorrect Inheritance Order
Incorrect Inheritance Order In Solidity, it is possible to inherit from multiple sources, which if not properly understood can introduce ambiguity. T...
Lack Of Precision
Lack of Precision In Solidity, there are a limited variety of number types. Differently from many programming languages, floating point numbers are u...
Msgvalue Loop
Using ``msg.value`` in a Loop The value of ``msg.value`` in a transactionβs call never gets updated, even if the called contract ends up sending some...
Requirement Violation
Requirement Violation The `require()` method is meant to validate conditions, such as inputs or contract state variables, or to validate return value...
Shadowing State Variables
Shadowing State Variables It is possible to use the same variable twice in Solidity, but it can lead to unintended side effects. This is especially d...
Transaction Ordering Dependence
Transaction-Ordering Dependence Transactions on Ethereum are grouped together in blocks which are processed on a semi-regular interval, 12 seconds. B...
Unbounded Return Data
Unbounded Return Data The [Byzantium](https://blog.ethereum.org/2017/10/12/byzantium-hf-announcement) 2017 mainnet hard-fork introduced [EIP-211](htt...
Unchecked Return Values
Unchecked Return Values The main idea behind this type of vulnerability is the failure to properly handle the return values of external function call...
Unencrypted Private Data On Chain
Unencrypted Private Data On-Chain Ethereum smart contract code, storage, and any data transacted on-chain can always be read. Treat it as such. Even ...
Unexpected Ecrecover Null Address
Unexpected `ecrecover` Null Address `ecrecover` is a precompiled built-in cryptographic function which recovers an address associated with the public...
Uninitialized Storage Pointer
Uninitialized Storage Pointer > [!NOTE] > As of solidity `0.5.0`, uninitialized storage pointers are no longer an issue since contracts with uninit...
Unsafe Low Level Call
Unsafe Low-Level Call In Solidity, you can either use low-level calls such as: `address.call()`, `address.callcode()`, `address.delegatecall()`, and ...
Unsupported Opcodes
Unsupported Opcodes EVM-compatible chains, such as zkSync Era, BNB Chain, Polygon, Optimism and Arbitrum implement the Ethereum Virtual Machine (EVM)...
Default Visibility
Default Visibility Visibility specifiers are used to determine where a function or variable can be accessed from. As explained in the [solidity docs]...
Floating Pragma
Floating Pragma It is considered best practice to pick one compiler version and stick with it. With a floating pragma, contracts may accidentally be ...
Outdated Compiler Version
Outdated Compiler Version Developers often find bugs and vulnerabilities in existing software and make patches. For this reason, it's important to us...
Unused Variables
Presence of Unused Variables Although it is allowed, it is best practice to avoid unused variables. Unused variables can lead to a few different prob...
Use Of Deprecated Functions
Use of Deprecated Functions As time goes by, functions and operators in Solidity are deprecated and often replaced. It's important to not use depreca...