ADVERTISEMENT

Ethereum smart contract vulnerabilities can lead to millions in losses

Ethereum smart contract vulnerabilities
Bernard Meyer
Bernard Meyer Senior Researcher
Nov 12, 2020 Updated: 28 April 2025 6 min read
Cybernews pro tip

Increase your online security and privacy by sending your data through an encrypted tunnel.

Protect your data with a VPN

Methodology

  1. We scanned 6 months' worth of blocks on the Ethereum network for smart contracts
  2. We performed a static analysis of these contracts using three tools: Slither, Securify and Oyente
  3. Once notified of the vulnerabilities, we deployed the same contract over Testnet – Ethereum’s secondary blockchain that’s used for testing purposes and holds no real value – and we attempted to exploit those contracts to confirm the vulnerabilities
  • Integer underflow: when an attacker has zero balance and sends one token, the contract circles around and gives the attacker the maximum value of tokens – about 4.3 billion
  • Integer overflow: when the balance reaches its maximum value, and an attacker receives one token, it circles around and starts from zero
  • Unprotected Ether withdrawal: due to inadequate access control, any attacker can withdraw Ether funds from the contract
  • Unprotected selfdestruct: any attacker can kill the contract and send the balance to any specified address
Four Biggest Vulnerabilities

Understanding Ethereum smart contracts

The underflow attack

ADVERTISEMENT

The unprotected attacks

Previous vulnerabilities: the 2016 reentrancy attack

How this could impact you

How to fix or avoid this vulnerability

List of vulnerabilities discovered

VulnerabilitySeverityInstancesSWC IDShort Description
Integer UnderflowHigh189101When an account with zero balance sends out one token, the balance cycles up to the maximum value.
Integer OverflowHigh1331101When an account with maximum value adds one token, the balance cycles down to zero.
Unprotected Ether WithdrawalHigh16105The return value of a message call is not checked.This allows for anyone to withdraw funds from the contract.
Unprotected SelfdestructHigh50106Anyone can kill this contract and withdraw its balance to an arbitrary address.
External Call To User-Supplied AddressMedium827107An external message is sent to an address specified by the caller. Note that the callee account might contain arbitrary code and could re-enter any function with this contract.
Use of callcodeMedium516 The callcode method executes code of another contract in the context of the caller account. It was therefore deprecated and may be removed in the future.
Use of tx.originMedium1950111The smart contract retrieves the transaction origin (tx.origin) using msg.origin. Use of msg.origin is deprecated and the instruction may be removed in the future.
Jump to an arbitrary instructionMedium421127The caller can jump to any point in the code.This can lead to unintended consequences.
State change after external callMedium241107The contract account state is changed after an external call to a user defined address.
Exception StateLow197110A reachable exception has been detected.
Dependence on predictable environment variableLow613120A control flow decision is made based on a predictable variable.
Multiple Calls in a Single TransactionLow86113This call is executed after a previous call in the same transaction.
Unchecked Call Return ValueLow84104The return value of a message call is not checked.

Our hand-picked digital services for online presence and privacy

ADVERTISEMENT