
โš ๏ธ Common Vulnerabilities: Reentrancy & More

Understand the top 10 smart contract attack vectors

Protect your dApp from common vulnerabilities

๐Ÿ› Vulnerability Catalog

Beyond the big four (reentrancy, overflow, access control, front-running), production contracts face dozens of subtle vulnerabilities. Logic errors from incorrect assumptions. External call risks where malicious contracts manipulate your state. Gas-related attacks that lock contracts by hitting block limits. DoS vectors where griefers break core functionality. This section catalogs 14 common vulnerabilities with code examples, exploitation techniques, and fixes. Recognizing these patterns is the first step to writing secure contracts.

🎮 Interactive: Vulnerability Database

Browse vulnerabilities by category. Each includes vulnerable code, exploitation method, and secure fix.

🧩 Logic Errors

Business logic flaws and incorrect assumptions

Timestamp Dependence
Medium

Using block.timestamp for critical logic: miners can manipulate it by about ±15 seconds

// โŒ Vulnerable
function claim() public {
  require(block.timestamp > deadline);
  // Miner can manipulate within 15s window
}
โœ… Fix

Use block.number instead, or accept timestamp manipulation risk for non-critical logic.

Unchecked Return Values
High

Ignoring return values from external calls: silent failures

// โŒ Vulnerable
token.transfer(recipient, amount);
// If transfer fails, execution continues
โœ… Fix

require(token.transfer(...), "Transfer failed") or use the SafeERC20 library.

Race Conditions
Medium

Multiple transactions can manipulate state in unexpected order

// โŒ Vulnerable
function approve(uint amount) { allowance = amount; }
function transferFrom() { /* uses allowance */ }
// Attacker frontuns approve() to drain old + new allowance
โœ… Fix

Use increaseAllowance/decreaseAllowance pattern instead of approve().

Default Visibility
Critical

Functions without visibility: public by default in old Solidity

// โŒ Vulnerable (Solidity <0.5)
function withdraw() { /* no visibility = public! */ }
โœ… Fix

Always explicitly declare function visibility: public, external, internal, private.

🎮 Interactive: Attack Simulation

Step through a reentrancy attack in real-time. See how the exploit unfolds step-by-step.

⚡ Step 1 of 4: Attacker deploys malicious contract (contract deployed with a fallback function)

🎯 Prevention Checklist

✓ Checks-Effects-Interactions

1. Validate inputs
2. Update state
3. External calls last

✓ Use ReentrancyGuard

OpenZeppelin modifier prevents nested calls

✓ Pull Over Push

Let users withdraw funds, don't push to them

✓ Explicit Visibility

Always declare public/external/internal/private

✓ Check Return Values

Never ignore call(), transfer(), delegatecall() results

✓ Avoid Loops on Unbounded Data

Limit array sizes or use pull pattern