Solidity Vulnerabilities

#osint

  • Re-Entrancy

    • External contract, address call()
    • Check - Effects - Interaction
  • Arithmetic over/underflows

  • Unexpected Ether

    • Pre-computing addresses
    • selfdestruct
    • mine
  • Delegate Call

    • Storage Slots
  • Default Visibility

  • Libraries

    • Define address as constant when using a library contract
    • Or use internal functions so that solidity can replace inline and does modify state.
      • Uses JUMP and not DELEGATECALL
  • Unchecked CALL

  • DOS Attack

    • External calls without gas stipends
      • Low gas amount to DOS/Censor
      • No gas limit/stipend causing someone to consume all gas.
    • Looping through unbounded arrays
  • Hash Collision with multiple variable length arguments.

    • Do no allow users access to parameters with abi.encodePacked()
    • Use fixed length arrays
    • Or used abi.encoded
  • Signature Replay Attack

    • Signature Malleability
  • Common Mistakes

    • Update a variable/receiver but fail to invalidate the previous owner/sender.
#osint