Smart Contract Hackpedia

The endless array of smart contract vulnerabilities - Top 250

Smart contracts are inherently insecure and pose major risks to any web3 project.
This list is non-exhaustive and the most common 250 security vulnerabilities
we observe during smart contract audits performed.
This list is continuously updated with new threat vectors once identified and validated.

  1. Super User Account or Privilege Management
  2. Reentrancy vulnerabilities
  3. Oracle manipulation
  4. Flash loan attacks
  5. Blacklisting and Burning Functions
  6. Contract Logic or Asset Configuration can be arbitrarily changes
  7. Self-Destruct Functions
  8. Minting Functions
  9. Rolling Your Own Crypto and Unique Contract Logic
  10. Unauthorized Transfers
  11. Incorrect Signature Implementation or Arithmetic
  12. Untrusted Control Flow
  13. Transaction Order Dependence
  14. Modifying storage array by value
  15. Incorrect Parameter order in a shift instruction
  16. Contract name reused
  17. Public mappings with nested variables
  18. Right-To-Left-Override control character is used
  19. State variables shadowing
  20. Functions allowing anyone to destruct the contract
  21. Uninitialized state variables
  22. Uninitialized storage variables
  23. Insecure Symbolic Trace
  24. Unrestricted flaw in Transferproxy
  25. Intra-function reentrancy vulnerability
  26. Cross-function reentrancy vulnerability
  27. Arithmetic vulnerability
  28. Malicious use of REVERT, INVALID, SELFDESTRUCT, RETURN, or STOP functions
  29. Unprotected upgradeable contract
  30. Functions that send Ether to arbitrary destination
  31. Tainted array length assignment
  32. Controlled delegatecall destination
  33. Signed storage integer array compiler bug
  34. Unchecked tokens transfer
  35. Weak PRNG
  36. Detect dangerous Enum conversion
  37. Incorrect ERC20 interfaces
  38. Incorrect ERC721 interfaces
  39. Dangerous strict equalities
  40. Contracts that lock ether
  41. Deletion on mapping containing a structure
  42. State variables shadowing from abstract contracts
  43. Tautology or contradiction
  44. Unused write
  45. Misuse of Boolean constant
  46. Constant functions using assembly code
  47. Constant functions changing the state
  48. Imprecise arithmetic operations order
  49. Reused base constructor
  50. Dangerous usage of tx.origin
  51. Unchecked low-level calls
  52. Unchecked send
  53. Uninitialized local variables
  54. Unused return values
  55. Modifiers that can return the default value
  56. Built-in symbol shadowing; Local variables shadowing
  57. Uninitialized function pointer calls in constructors
  58. Local variables used prior their declaration
  59. Constructor called not implemented
  60. Multiple calls in a loop
  61. Missing Events Access Control
  62. Missing Events Arithmetic
  63. Dangerous unary expressions
  64. Missing Zero Address Validation
  65. Benign reentrancy vulnerabilities
  66. Reentrancy vulnerabilities leading to out-of-order Events
  67. Dangerous usage of block.timestamp
  68. Assembly usage
  69. Assert state change
  70. Comparison to boolean constant
  71. Deprecated Solidity Standards
  72. Un-indexed ERC20 event parameters
  73. Function initializing state variables
  74. Low level calls
  75. Missing inheritance
  76. Conformity to Solidity naming conventions
  77. If different pragma directives are used
  78. Redundant statements
  79. Incorrect Solidity version
  80. Unimplemented functions
  81. Unused state variables
  82. Costly operations in a loop
  83. Functions that are not used
  84. Reentrancy vulnerabilities through send and transfer
  85. Variable names are too similar
  86. Conformance to numeric notation best practices
  87. State variables that could be declared constant
  88. Public function that could be declared externally.
  89. Assert Violation
  90. Integer Overflow and Underflow
  91. Arbitrary Jump with Function Type Variable
  92. Write to Arbitrary Storage Location
  93. Uninitialized Storage Pointer
  94. Outdated Compiler Version
  95. Floating Pragma – Unchecked Call Return Value
  96. Unprotected Ether Withdrawal
  97. Unprotected SELFDESTRUCT Instruction
  98. Reentrancy – State Variable Default Visibility
  99. Uninitialized Storage Pointer
  100. Use of Deprecated Solidity Functions
  101. Delegatecall to Untrusted Callee
  102. DoS with Failed Call
  103. Authorization through tx.origin
  104. Block values as a proxy for time
  105. Incorrect Constructor Name
  106. Shadowing State Variables
  107. Weak Sources of Randomness from Chain Attributes
  108. Requirement Violation
  109. Write to Arbitrary Storage Location
  110. DoS With Block Gas Limit
  111. Typographical Error
  112. Unencrypted Private Data On-Chain
  113. Code With No Effects
  114. Message call with hardcoded gas amount
  115. Typographical Error
  116. DoS With Block Gas Limit
  117. Presence of unused variables
  118. Incorrect Inheritance Order
  119. Requirement Violation
  120. Weak Sources of Randomness from Chain Attributes
  121. Shadowing State Variables
  122. Loss of user funds staked (principal) by freezing or theft
  123. Incorrect accounting logic in the core protocol
  124. Theft of unclaimed yield
  125. Unable to shut down the protocol in the global settlement process
  126. Freezing of unclaimed yield
  127. Temporary freezing of funds for at least 24 hours
  128. Unable to call smart contracts
  129. Smart contract fails to deliver promised returns
  130. Incorrect data supplied by third party oracles
  131. Oracle manipulation
  132. Flash loan attacks
  133. Basic economic governance attacks (e.g., 51% attack)
  134. Lack of liquidity
  135. Best practice critiques
  136. Sybil attacks
  137. Centralization risks
  138. Flash loan attacks
  139. Running out of gas
  140. Block stuffing
  141. Susceptibility to frontrunning
  142. Signature malleability
  143. Susceptibility to replay attacks
  144. Weak randomness
  145. Weak encryption
  146. Unverified contract
  147. Unlimited minting to a malicious destination
  148. Infinite token supply
  149. Dangerous token migration
  150. Pausing token transfers anytime for unlimited period
  151. Pausing token transfer for limited period (defined in the contract)
  152. Pausing funds withdrawals (Centralized pausing for any funds withdrawals)
  153. Pausing funds withdrawals with emergency withdrawal available
  154. Proxy patterns
  155. Funds lock with centralized control
  156. Unfair token distribution: high % of team rewards suspicious functions
  157. Insufficient time lock for important contract changes Overprivileged EOA-contract-owner
  158. The owner can call a function that allows to withdraw all staked in the contract funds to a needed address.
  159. The owner can change address of token reward distribution.
  160. The owner can change location of staked user funds)
  161. Unrestricted fee setting
  162. withdrawal fee can be set up to 100%.
  163. user reward fee can be decreased.
  164. Team reward increased without any limitations in centralized way.
  165. Other protocol fees with unexpected security consequences)
  166. Using a singular exchange as a price source.
  167. Unverified contracts unlimited minting to a malicious destination
  168. Dangerous token migration
  169. Pausing token transfers any time for unlimited period
  170. Pausing token transfer for limited period (defined in the contract)
  171. Pausing funds withdrawals (centralized pausing for any funds withdrawals)
  172. Pausing funds withdrawals with emergency withdrawal available
  173. Funds lock with centralized control.
  174. Compiler errors.
  175. Race conditions and Reentrancy.
  176. Cross-function race conditions.
  177. Possible delays in data delivery.
  178. Vulnerable Oracle calls.
  179. Front running.
  180. Timestamp dependence.
  181. Integer Overflow and Underflow.
  182. DoS with Revert.
  183. DoS with block gas limit.
  184. Methods execution permissions.
  185. Economy model of the contract.
  186. The impact of the exchange rate on the logic.
  187. Private user data leaks.
  188. Malicious Event log.
  189. Scoping and Declarations.
  190. Uninitialized storage pointers.
  191. Arithmetic accuracy.
  192. Design Logic.
  193. Cross-function race conditions.
  194. Safe Open Zeppelin contracts implementation and usage.
  195. Fallback function security.
  196. Infinite Mint Glitch
  197. Integer Division
  198. Integer Overflow and Underflow
  199. Integer signedness error
  200. Integer Truncation
  201. Symbolic Attack
  202. Wrong Operator
  203. Hidden built-in symbols
  204. Hidden state variables
  205. Wrong inheritance order
  206. Uninitialized Local/state Variables
  207. Uninitialized storage variable
  208. Right-To-Left-Override control character (U+202E)
  209. Delete Dynamic Array Elements:
  210. Using continue-statements in do-while-statements
  211. Reentrancy Vulnerability
  212. Unhandled Exception
  213. Forced accept ethers
  214. Locked money (ether)
  215. Pre-sent ether
  216. Hash Collisions with Multiple Variable Length Arguments
  217. Short address attack
  218. Signature with wrong parameter
  219. The call address or data are externally controlled
  220. Non-standard token interface
  221. Any type of specified function variable
  222. Use assembly code return in the constructor
  223. Complex fallback function
  224. DOS by gaslimit
  225. DOS by non-existent address or contract
  226. Results of contract execution affected by miners
  227. Transaction order dependence
  228. Storage overlap attack
  229. Invariant in loop
  230. Invariant is not declared constant
  231. Unused public functions within a contract should be declared external
  232. Excessive Gas Fee Consumption – Incorrect use of byte[]
  233. Replay attack
  234. Suicidal contract
  235. origin for authentication
  236. Wasteful contract
  237. Write the wrong constructor’s name
  238. Non-public variables are accessed by public or external function
  239. Public data
  240. Implicit visibility level
  241. Non-standard naming
  242. Unlimited compiler versions
  243. Use deprecated built-in symbols
  244. Too many digits
  245. Change the contract status in the view or constant function
  246. Improper use of require, assert, and revert
  247. Indirect execution of unknown code
  248. Using the blockhash function
  249. Incorrect calculation of the output token amount
  250. Vulnerable to Fuzzing Attacks

Stay in touch

Join the community