SKILL: Smart Contract Vulnerabilities — Expert Attack Playbook
AI LOAD INSTRUCTION: Expert smart contract audit techniques. Covers reentrancy (single, cross-function, cross-contract, read-only), integer overflow, access control, delegatecall, randomness manipulation, flash loans, signature replay, front-running/MEV, and CREATE2 exploitation. Base models miss subtle cross-contract reentrancy and storage layout collisions in proxy patterns.
0. RELATED ROUTING
- defi-attack-patterns when the vulnerability is part of a DeFi protocol exploit (flash loans, oracle manipulation, governance attacks)
- deserialization-insecure when the target is off-chain infrastructure deserializing blockchain data
Advanced Reference
Also load SOLIDITY_VULN_PATTERNS.md when you need:
- Side-by-side vulnerable vs fixed code patterns for each vulnerability class
- Gas optimization traps that introduce vulnerabilities
- Proxy pattern storage collision examples with slot calculations
1. REENTRANCY
The most iconic smart contract vulnerability. External calls transfer execution control; if state is not updated before the call, the callee can re-enter.
1.1 Classic Reentrancy (Single-Function)
Victim.withdraw()
├── checks balance[msg.sender] > 0 ✓
├── msg.sender.call{value: balance}("") ← external call
│ └── Attacker.receive()
│ └── Victim.withdraw() ← re-enters before state update
│ ├── checks balance[msg.sender] ← still > 0!
│ └── sends ETH again
└── balance[msg.sender] = 0 ← too late
1.2 Cross-Function Reentrancy
Two functions share state; attacker re-enters a different function during callback:
| Step | Execution | State |
|---|
| 1 | Call → external call | balance still positive |
| 2 | Attacker fallback calls | balance used before reset |
| 3 | reads stale balance → moves funds | attacker2 receives tokens |
| 4 | Original completes, zeroes balance | damage done |
1.3 Cross-Contract Reentrancy
Contract A calls Contract B, which calls back into Contract A (or Contract C that reads A's stale state). Especially dangerous in DeFi protocols where multiple contracts share state.
1.4 Read-Only Reentrancy
The re-entered function is a
function used by a third-party contract for price calculation. No state modification in the victim, but the stale intermediate state misleads the reader.
Real-world: Curve pool
read during
callback → inflated price → profit on dependent lending protocol.
Mitigations
| Pattern | Protection Level |
|---|
| Checks-Effects-Interactions (CEI) | Core defense; update state before external call |
| (OpenZeppelin) | Mutex lock; prevents same-tx re-entry |
| Pull payment pattern | Eliminate external calls in state-changing functions |
| CEI + guard on all public functions | Defense-in-depth against cross-function |
2. INTEGER OVERFLOW / UNDERFLOW
Pre-Solidity 0.8
Arithmetic silently wraps:
,
.
| Attack | Example |
|---|
| Balance underflow | balances[attacker] -= amount
|
| Supply overflow | wraps → bypass cap checks |
| Timelock bypass | lockTime[msg.sender] + extend
|
Post-Solidity 0.8
Default checked arithmetic reverts on overflow. But
blocks reintroduce risk:
solidity
unchecked {
// "gas optimization" — but if i can be influenced by user input, overflow returns
for (uint i = start; i < end; i++) { ... }
}
SafeMath Bypass Scenarios
- Casting: → truncation before SafeMath check
- Assembly blocks: / bypass Solidity-level checks
- Intermediate multiplication overflow before division: where overflows
3. ACCESS CONTROL
tx.origin vs msg.sender
| Property | | |
|---|
| Value | Immediate caller | EOA that initiated the tx |
| Safe for auth | Yes | No — phishing contract can inherit tx.origin |
Attack: trick owner into calling attacker contract → attacker contract calls victim with owner's
.
Common Patterns
| Issue | Impact |
|---|
| Missing on critical functions | Anyone can call admin functions |
| Unprotected | Anyone can destroy the contract, force-send ETH |
| Unprotected | Attacker executes arbitrary code in victim's context |
| Default visibility (pre-0.6.0) | Functions default to |
| Missing zero-address checks | Ownership transferred to |
4. RANDOMNESS MANIPULATION
On-chain randomness sources are predictable to miners/validators:
| Source | Predictability |
|---|
| Miner has ~15s window to manipulate |
blockhash(block.number - 1)
| Known to all at execution time |
| Always returns 0 (current block hash unknown) |
| / | Post-merge: known beacon chain value |
Commit-reveal bypass: If reveal phase doesn't enforce timeout or bond, attacker can choose not to reveal unfavorable outcomes (selective abort attack).
5. DELEGATECALL VULNERABILITIES
executes callee's code in caller's storage context. Storage slot layout must match exactly.
Storage Layout Collision
Proxy (storage): Implementation (code):
slot 0: owner slot 0: someVariable
slot 1: implementation slot 1: anotherVariable
Implementation writes to
(slot 0) → overwrites proxy's
. Attacker calls implementation function that writes slot 0 → becomes proxy owner.
Function Selector Collision
4-byte function selectors can collide. If proxy's
selector collides with implementation's
, calling
on the proxy executes
logic.
Tool:
cast selectors <bytecode>
(Foundry) to enumerate selectors.
6. FRONT-RUNNING / MEV
Transaction Ordering Manipulation
Victim submits DEX swap tx (visible in mempool)
├── Front-runner: buy token before victim (raise price)
├── Victim tx executes at worse price
└── Back-runner: sell token after victim (profit from spread)
= Sandwich attack
Protection Patterns
| Defense | Mechanism |
|---|
| Commit-reveal | Hide transaction intent until reveal |
| Flashbots / private mempool | Submit tx directly to block builder |
| Slippage protection | Set to limit MEV extraction |
| Time-lock | Delay execution to reduce predictability |
7. SIGNATURE REPLAY
Missing Nonce
Reuse a valid signature to repeat the action (e.g., transfer) multiple times.
Cross-Chain Replay
Same contract deployed on multiple chains with same address → signature valid on all chains. Must include
in signed message.
EIP-712 Implementation Errors
| Error | Consequence |
|---|
| Missing with chainId | Cross-chain replay |
| Domain separator cached at deploy | Breaks after hard fork changing chainId |
| Missing nonce in struct hash | Signature replay |
| returns on invalid sig | Passes owner check |
8. SELF-DESTRUCT & FORCE-SEND ETH
force-sends all contract ETH to recipient — bypasses
and
, cannot be rejected.
Breaks contracts that rely on
for logic (e.g.,
require(balance == expected)
).
Post-EIP-6780 (Dencun):
only sends ETH; code/storage deletion only if called in same tx as creation.
9. CREATE2 & DETERMINISTIC ADDRESS EXPLOITATION
address =
keccak256(0xff ++ deployer ++ salt ++ keccak256(initCode))
.
| Attack | Method |
|---|
| Pre-fund exploitation | Predict address → send tokens/ETH before deployment → → redeploy different code at same address |
| Pre-approve exploitation | Predicted address gets token approvals → deploy malicious contract → drain approved tokens |
| Metamorphic contracts | → → with same salt but different (pre-EIP-6780) |
10. FLASH LOAN ATTACK PATTERNS
Single transaction:
├── Borrow large amount (no collateral)
├── Manipulate state (price oracle, governance, etc.)
├── Extract profit from manipulated state
├── Repay loan + fee
└── Keep profit
Key: entire sequence must succeed atomically or the whole tx reverts.
11. SHORT ADDRESS ATTACK
EVM pads missing bytes in ABI-encoded calldata with zeros. If
transfer(address, uint256)
is called with a 19-byte address, the uint256 amount shifts left by 8 bits → multiplied by 256.
Mitigation: validate calldata length; modern Solidity compilers add checks.
12. TOOLS
| Tool | Purpose | Usage |
|---|
| Slither | Static analysis, vulnerability detection | in project root |
| Mythril | Symbolic execution, path exploration | myth analyze contract.sol
|
| Echidna | Property-based fuzzing | Define invariants, fuzz for violations |
| Foundry (Forge) | Test framework, fuzzing, gas analysis | forge test --fuzz-runs 10000
|
| Hardhat | Development, testing, deployment | |
| Certora | Formal verification | Write specs, prove/disprove properties |
| 4naly3er | Automated gas optimization + vuln report | CI integration |
13. DECISION TREE
Auditing a smart contract?
├── Is it a proxy pattern?
│ ├── Yes → Check storage layout collision (Section 5)
│ │ ├── Compare slot assignments between proxy and implementation
│ │ ├── Check for function selector collision
│ │ └── Verify initializer cannot be called twice
│ └── No → Continue
├── Does it make external calls?
│ ├── Yes → Check reentrancy (Section 1)
│ │ ├── State updated before call? → CEI pattern OK
│ │ ├── ReentrancyGuard present? → Check all entry points
│ │ ├── Cross-function state sharing? → Cross-function reentrancy risk
│ │ └── View functions read during callback? → Read-only reentrancy
│ └── No → Continue
├── Does it handle tokens/ETH?
│ ├── Yes → Check integer overflow (Section 2)
│ │ ├── Solidity < 0.8? → All arithmetic suspect
│ │ ├── unchecked{} blocks? → Verify no user-influenced values
│ │ └── Casting between uint sizes? → Truncation risk
│ └── Also check self-destruct force-send (Section 8)
├── Does it use signatures?
│ ├── Yes → Check replay (Section 7)
│ │ ├── Nonce included? → Verify incremented
│ │ ├── ChainId included? → Cross-chain safe
│ │ └── ecrecover result checked for address(0)? → OK
│ └── No → Continue
├── Does it use on-chain randomness?
│ ├── Yes → Predictable (Section 4)
│ │ └── Recommend Chainlink VRF or commit-reveal with bond
│ └── No → Continue
├── Does it interact with DeFi protocols?
│ ├── Yes → Load [defi-attack-patterns](../defi-attack-patterns/SKILL.md)
│ │ ├── Flash loan vectors
│ │ ├── Oracle manipulation
│ │ └── MEV exposure
│ └── No → Continue
├── Does it use CREATE2?
│ ├── Yes → Check deterministic address exploitation (Section 9)
│ └── No → Continue
└── Run automated tools (Section 12)
├── Slither for static analysis
├── Mythril for symbolic execution
└── Echidna for fuzzing invariants