JamesPolk.net

Top 100 Smart Contract Vulnerabilities

The LIST

  • Access control vulnerabilities

    • Missing or incorrect access modifiers

    • Use of tx.origin for authentication

    • Unrestricted delegatecall usage

    • Unprotected selfdestruct calls

    • Misconfigured RBAC

    • Publicly accessible critical functions

    • Default visibility functions

    • Incorrect constructor definitions

    • Improper use of require

    • Lack of input validation

  • Arithmetic/numeric issues

    • Integer overflow/underflow

    • Division by zero

    • Floating point precision errors

    • Unbounded loops

    • Incorrect use of SafeMath

    • Off-by-one errors

    • Incorrect type casting

    • Improper handling of decimals

    • Deprecated Solidity versions

    • Incorrect gas calculations

  • Reentrancy/call issues

    • Classic reentrancy attacks

    • Cross-function reentrancy

    • Reentrancy via fallback/receive

    • Reentrancy in loops

    • Unprotected external calls

    • Use of call.value()

    • Delegatecall to untrusted contracts

    • Unrestricted call usage

    • Lack of checks-effects-interactions

    • Recursive call stack overflow

  • Denial of service issues

    • Gas limit and loops

    • Block gas limit reached

    • Unbounded arrays

    • External contract failures

    • Self-destruct in loops

    • Unprotected assert

    • Unexpected revert DoS

    • Block timestamp manipulation

    • Block number manipulation

    • Storage exhaustion

  • Front-running/transaction ordering

    • Front-running attacks

    • Time dependency

    • Block hash dependency

    • Miner extractable value (MEV)

    • Lack of commit-reveal

    • Predictable contract addresses

    • Public function calls

    • Lack of nonce usage

    • Gas price manipulation

    • Inadequate randomness

  • Signature/authentication issues

    • Signature replay attacks

    • Incorrect signature verification

    • Malleable signatures

    • Missing signature expiry

    • Improper msg.sender checks

    • Use of tx.origin for auth

    • Missing nonce in messages

    • Weak hash functions

    • Insecure off-chain signatures

    • Lack of domain separation

  • Storage/memory issues

    • Uninitialized storage pointers

    • Storage collision in proxies

    • Incorrect storage slot calculation

    • Unbounded storage growth

    • Improper delete usage

    • Variable shadowing

    • Incorrect memory allocation

    • selfdestruct affecting storage

    • Storage layout changes in upgrades

    • Improper handling of mappings

  • Upgradeability/proxy pattern issues

    • Unprotected upgrade functions

    • Incorrect implementation address

    • Storage misalignment

    • Delegatecall to malicious contracts

    • Lack of upgrade auth checks

    • Improper initialization

    • Multiple inheritance conflicts

    • Upgrade loops

    • Missing upgrade events

    • Upgrade incompatibility

  • Economic/financial vulnerabilities

    • Flash loan attacks

    • Oracle manipulation

    • Price manipulation

    • Pump and dump schemes

    • Rug pulls

    • Ponzi schemes

    • Improper fee calculations

    • Inadequate collateralization

    • Interest rate manipulation

    • Token inflation bugs

  • Miscellaneous vulnerabilities

    • Short address attack

    • Fallback function misuse

    • Incorrect event emissions

    • Timestamp dependency

    • Block number dependency

    • Gas limit assumptions

    • Unrestricted Ether reception

    • Lack of emergency stop

    • Inadequate testing

    • Poor documentation

Count of Vulnerabilities Where ABI Exploitation Is Involved

  • Access control (10 of 10)

    • All access control flaws

  • Arithmetic/numeric (4 of 10)

    • Certain overflow, underflow, unbounded loops, off-by-one exploits

  • Reentrancy/call (10 of 10)

    • All reentrancy-related vulnerabilities

  • DoS (5 of 10)

    • Unbounded arrays, external failures, revert-based DoS, storage exhaustion, unexpected revert

  • Front-running/MEV (3 of 10)

    • Front-running, commit-reveal absence, gas price manipulation

  • Signature/auth (6 of 10)

    • Signature replay, incorrect verification, malleable sigs, missing expiry, missing nonce, domain separation

  • Storage/memory (5 of 10)

    • Storage collisions, slot issues, uninitialized pointers, storage growth, mapping mishandling

  • Upgradeability/proxy (8 of 10)

    • Unprotected upgrades, wrong implementation address, lack of checks, improper init, event issues, upgrade loops, storage misalignment, delegatecall abuse

  • Economic/financial (5 of 10)

    • Flash loan, oracle manipulation, price manipulation, token inflation, improper fees

  • Miscellaneous (4 of 10)

    • Fallback misuse, short address attack, unrestricted Ether reception, inadequate testing

Types of Servers and Systems Storing/Monitoring ABI

  • Frontend web servers

    • Serve ABI in JavaScript bundles

  • Backend/API servers

    • Use ABI to encode/decode tx data

  • DevOps/CI-CD systems

    • Store and version ABI build artifacts

  • IPFS/Arweave decentralized storage

    • Host ABI + UI off-chain

  • Cloud function hosts

    • Use ABI to trigger blockchain actions

  • Blockchain indexers

    • Parse logs/events with ABI

  • Monitoring/tracing servers

    • Simulate and trace txs using ABI

  • Security engines

    • Scan contracts for unsafe functions

  • Transaction relayers

    • Relay calls using ABI definitions

  • Custom ABI gateway servers

    • Serve ABI on-demand via API

Issues to Consider in Bitlayer’s LVM + ABI Context

  • ABI remains critical for EVM-compatible LVM

  • Bitcoin multisig vaults don’t use ABI

  • Bridged token contracts on Bitlayer do need ABI

  • Contract upgrades change ABI

  • Multisig management requires correct ABI integration

  • Cross-chain bridging needs ABI standardization

  • Need for dynamic ABI updates

Best Practices for ABI Management in Bitlayer Ecosystem

  • Maintain updated ABI files

  • Use version control

  • Automate ABI retrieval

  • Securely store ABI files

  • Test ABI interactions thoroughly

Most Common ABI Management and Retrieval Systems

  • Version-controlled build artifacts

  • Hardhat/Truffle/Foundry outputs

  • CI/CD pipelines pushing ABI files

  • Etherscan verification/API retrieval

  • Central ABI service/microservice

  • Frontend bundling with updated ABIs

Minimal and Secure Proxy Contract Patterns

  • EIP-1167 minimal proxy

  • Transparent proxy pattern

  • UUPS proxy pattern

  • Use of separate ProxyAdmin contract

  • Strict upgrade access control

  • Avoid inline upgrade logic in proxy

Can ChatGPT Find Smart Contract Vulnerabilities?……yes.

ABI Management Architecture

1️⃣ Development & Version Control Layer

  • Developers write smart contracts in Solidity and compile them using tools like Hardhat or Foundry.
  • Compilers generate ABI JSON files into local artifacts/ directories.
  • ABI files are committed into Git repositories alongside source code for version control and collaborative development.

2️⃣ CI/CD & Build Layer

  • Continuous integration pipelines pull the latest ABI files and run tests to ensure consistency between contracts and frontend/backend code.
  • During build, ABIs are optionally minified, obfuscated, or transformed into typed bindings (e.g., TypeScript interfaces).
  • Build artifacts (including ABI) are bundled with the frontend or stored in a cloud artifact repository (e.g., AWS S3, Google Cloud Storage).

3️⃣ Deployment & Serving Layer

  • Frontend apps (React, Vue, etc.) typically include ABI JSON as local assets or fetch from a backend API endpoint.
  • Backend services might also store ABI in memory or retrieve them on-demand from verified sources (like Etherscan APIs) when interacting with contracts programmatically.
  • Some projects deploy a dedicated ABI API Gateway service that responds to client requests with the appropriate ABI version, implementing authentication and rate limiting.

4️⃣ Runtime Interaction Layer

  • Frontends use libraries like ethers.js or web3.js with ABI definitions to encode function calls, decode responses, and build event listeners.
  • Backend services do the same for tasks like monitoring contracts, automating interactions, or relaying transactions.

Internet & Data Security for ABI Code

✅ Common Security Measures:

  • API Access Control: ABI-serving endpoints use API keys, OAuth, or other authentication methods to control access.
  • Transport Security: ABI files (and any interaction data) are served over HTTPS with TLS encryption to prevent interception.
  • Integrity Verification: Using checksums or digital signatures to ensure ABI files haven’t been tampered with.
  • Obfuscation & Minimization: Optional technique to make ABI JSON less human-readable in production to deter casual scraping.
  • Access Logging & Rate Limiting: Preventing abuse and tracing potential malicious activity when ABIs are served dynamically.

⚠️ Security Considerations:

  • ABI is generally not considered secret data (because contract bytecode and function selectors are publicly visible on-chain).
  • The real security focus is on ensuring that malicious actors can’t trick users into using fake ABIs (spoofing attacks) or inject modified ABIs into frontends.
  • Protect sensitive functions (e.g., admin/upgrade) in the contract itself via robust on-chain access control mechanisms, since ABI exposure alone doesn’t cause security holes.

️ Recommended Security Practices

  • Sign or checksum ABI files in CI/CD pipelines.
  • Serve ABI via trusted and authenticated endpoints.
  • Use secure source maps / source verification tools to ensure ABI matches deployed contract bytecode (e.g., Etherscan verification).
  • Build rigorous frontend checks that confirm contract addresses and ABIs match expected deployments (avoid connecting to malicious contracts with seemingly identical ABIs).