Note: Also check our Compiled List of Solidity Vulnerabilities.
When things go wrong with the development, testing and auditing processes, vulnerable contracts are deployed to mainnet and go into production.
These vulnerabilities are then either found by the good hackers and the project is patched, or they are exploited by the bad hackers and the project crashes. Sometimes weird things happen, and the definitions of good, bad and crash are not very clear.
But this is how we learn. Things go wrong and then we figure out ways to make it better next time. It’s a very interesting cycle, full of drama and epic moments that we will always remember.
Here we would like to make a list of the post-mortems that describe why things went wrong. We are not in a hurry, so this will be a wiki post to which we can all contribute and complete over time. Let’s start…
Livepeer Slashing Vulnerability
Published on July 29th, 2019.
0x Invalid Signatures
Published on July 13th, 2019.
Edgeware Lockdrop Denial of Service
The Edgeware project plans to give away their EDG tokens in exchange for locked ether or a signal of interest by ether holders. There was a bug in the contract that allowed anyone to send ether to the predictable address of a Lock contract that had not been created yet; this made the lockdrop's balance check fail on every subsequent lock and brought the lockdrop to a halt. The bug was patched and a new lockdrop contract was deployed. No funds were at risk.
Found and responsibly disclosed by Neil McLaren. Published on July 1st, 2019.
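The bug class behind this entry, as an added, simplified illustration (not Edgeware's contract; the contract and function names, the Lock layout and the `>=` fix are assumptions, and the example is written in Solidity 0.8 syntax rather than the 0.5.x of 2019). Because `new` uses CREATE, the address of the next Lock is `keccak256(rlp([creator, nonce]))`, which anyone can compute and pre-fund with a plain transfer before the lockdrop gets there:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added, simplified illustration of the Edgeware lockdrop bug class. Not the
// project's code; names, the Lock layout and the hardened check are assumptions.

// One Lock is deployed per deposit and holds the ether until unlockTime.
contract Lock {
    address public immutable owner;
    uint256 public immutable unlockTime;

    constructor(address _owner, uint256 _unlockTime) payable {
        owner = _owner;
        unlockTime = _unlockTime;
    }

    function withdraw() external {
        require(msg.sender == owner, "not owner");
        require(block.timestamp >= unlockTime, "still locked");
        (bool ok, ) = payable(owner).call{value: address(this).balance}("");
        require(ok, "transfer failed");
    }
}

// Vulnerable: the lockdrop checks the fresh Lock's balance with strict equality.
contract VulnerableLockdrop {
    event Locked(address indexed owner, address lockAddr, uint256 eth);

    function lock(uint256 lockDays) external payable {
        Lock lockAddr = new Lock{value: msg.value}(msg.sender, block.timestamp + lockDays * 1 days);
        // BUG: `new` uses CREATE, so this Lock lands at
        // keccak256(rlp([address(this), nonce])), which anyone can compute ahead
        // of time (see predictCreateAddress below). A transfer of 1 wei to that
        // address before this call makes balance != msg.value; assert() reverts
        // (and on the 0.5.x compilers of 2019 also burned all remaining gas).
        // The revert rolls the nonce back too, so every later lock() targets the
        // same pre-funded address and the lockdrop is stuck.
        assert(address(lockAddr).balance == msg.value);
        emit Locked(msg.sender, address(lockAddr), msg.value);
    }
}

// Hardened: an outsider can only add ether, so accept balance >= msg.value, and
// use require() rather than assert() for a condition an outsider can influence.
contract HardenedLockdrop {
    event Locked(address indexed owner, address lockAddr, uint256 eth);

    function lock(uint256 lockDays) external payable {
        Lock lockAddr = new Lock{value: msg.value}(msg.sender, block.timestamp + lockDays * 1 days);
        require(address(lockAddr).balance >= msg.value, "lock underfunded");
        emit Locked(msg.sender, address(lockAddr), msg.value);
    }
}

// How a griefer finds the target: for a nonce in 1..127 (the single-byte RLP
// range) the CREATE address is keccak256(0xd6 ++ 0x94 ++ creator ++ nonce)[12:].
function predictCreateAddress(address creator, uint8 nonce) pure returns (address) {
    require(nonce >= 1 && nonce <= 127, "nonce outside 1..127");
    bytes32 h = keccak256(abi.encodePacked(bytes1(0xd6), bytes1(0x94), creator, bytes1(nonce)));
    return address(uint160(uint256(h)));
}
```

To reproduce on a local node: deploy `VulnerableLockdrop`, compute `predictCreateAddress(lockdropAddress, 1)` (a contract's first CREATE uses nonce 1), send 1 wei to that address from any account, then call `lock()`; it reverts, and keeps reverting on every retry. The same sequence against `HardenedLockdrop` succeeds, with the extra wei simply ending up in the depositor's own Lock.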
MakerDAO’s Governance Vulnerability
Published on May 6th, 2019.
SpankChain Reentrancy Issue in Payment Channels
Published on October 8th, 2018.
PoWH Coin Ponzi Scheme Overflow
Published on February 1st, 2018
Parity Multi-Sig Library Self-Destruct
Published on November 8th, 2017.
Published on August 17th, 2017.
Parity Multi-Sig Unguarded Reset Ownership
Published on July 21st, 2017.
- Official announcement by Parity.
- Post-mortem by Parity.
- Explanation of the issue by Santiago Palladino.
- Explanation of the issue by Lorenz Breidenbach.
The DAO Reentrancy Hack
Published on June 17th, 2016.
- Official announcement by the Ethereum Foundation.
- Explanation of the issue by Phil Daian.
- 15 lines of code that could have prevented TheDAO Hack by Manuel Araoz.
GovernMental Denial of Service
Published on April 26th, 2016.
King of the Ether Unchecked Return Value
Published on February 20th, 2016.
Other classifications of vulnerabilities
- Compiled list of Solidity vulnerabilities, by @fasteater from OpenZeppelin.
- Solidity Security: Comprehensive list of known attack vectors and common anti-patterns, by Sigma Prime.
- Smart Contract Weakness Classification and Test Cases, by the Mythril team.