


Understand every vulnerability our 34 detectors catch — no coding knowledge required. Learn what attackers look for and how to stay safe.
The foundational smart contract bugs — well-known, still devastating
An attacker calls back into your contract before it finishes, draining funds repeatedly.
Think of it like...
Imagine a bank teller who hands you cash before updating your balance. You keep asking for more before the records catch up.
Numbers wrap around when they get too big or too small, creating impossible balances.
Think of it like...
Like an odometer that rolls from 999,999 back to 000,000 — suddenly your car looks brand new.
Your contract sends money but never checks if the transfer actually worked.
Think of it like...
Mailing a check without tracking — you assume it arrived, but it might have been lost.
Anyone can permanently delete the contract and steal all its funds.
Think of it like...
A building with a demolition button in the lobby that anyone can press.
Critical functions like withdrawals have no permission checks — anyone can call them.
Think of it like...
A vault door with no lock. The door is there, but anyone can open it.
The contract uses predictable on-chain data to generate "random" numbers.
Think of it like...
A lottery where the winning number is printed on the back of every ticket.
An attacker makes the contract unusable, blocking withdrawals or votes.
Think of it like...
Someone parks a broken car in the drive-through lane. Nobody behind them can move.
Miners can slightly adjust the block timestamp to win time-based games.
Think of it like...
A referee who can move the clock forward a few seconds to change who wins.
Exploits that target financial logic — where the real money is
Borrow millions for free in one transaction, manipulate prices, profit, repay — all instant.
Think of it like...
Borrowing a billion dollars for 10 seconds to rig an auction, then returning the money.
The contract gets its price data from a source an attacker can influence.
Think of it like...
Checking the price of gold by asking the person trying to sell you gold.
Someone sees your trade waiting to happen and places their trade first to profit off yours.
Think of it like...
A stock broker who sees your big buy order and buys first, then sells to you at a higher price.
Your transaction gets trapped between two attacker transactions, squeezing value from the price impact.
Think of it like...
Someone cuts in line at a store, buys all the sale items, then sells them to you at full price.
Tiny rounding errors in math operations accumulate into real money loss.
Think of it like...
Skimming fractions of pennies from millions of transactions — the Office Space attack.
Flaws in token supply, fee, or reward mechanics that let attackers drain value.
Think of it like...
A loyalty program where you can earn points faster than the company intended.
When the people running the project are the vulnerability
One wallet or a small group has too much power — they can change rules, drain funds, or freeze the contract.
Think of it like...
A democracy where one person has a master key to the treasury.
Attackers borrow voting power to pass malicious proposals.
Think of it like...
Someone borrows 51% of a company's stock for one shareholder meeting to vote themselves CEO.
Upgradeable contracts let owners swap out the logic — potentially replacing a fair contract with a malicious one.
Think of it like...
A vending machine where the owner can secretly change what comes out after you've paid.
Malicious code hidden in imported libraries or dependencies.
Think of it like...
Buying a pre-built house that looks fine, but the contractor hid a backdoor in the basement.
Where different blockchains connect — the most attacked surface in crypto
Attackers forge messages to convince a bridge that fake deposits happened on another chain.
Think of it like...
Faxing a fake bank statement to a foreign branch to withdraw money that doesn't exist.
A valid transaction on one chain is copied and replayed on another chain.
Think of it like...
Using a photocopy of a signed check at a different bank.
An attacker modifies a valid signature without breaking it, creating a second valid version.
Think of it like...
Slightly altering someone's handwritten signature so it still passes verification but has a different hash.
Vulnerabilities unique to specific chains and Layer 2 rollups
Your contract assumes the L2 sequencer is always online — when it goes down, bad things happen.
Think of it like...
A store that only accepts one credit card processor. When it goes down, nobody can pay.
Gas costs differ between L1 and L2 — contracts that assume L1 gas pricing break on L2.
Think of it like...
Budgeting for gas prices in Texas while driving in California.
Cross-layer messages between L1 and L2 can be forged if the origin isn't verified.
Think of it like...
Accepting a phone call from 'your bank' without verifying the caller ID.
BNB Chain-specific issues: validator set centralization, gas token differences, bridge assumptions.
Think of it like...
Rules that work in one country but not another — different chains, different gotchas.
Cairo language-specific bugs: felt overflow, missing reverts, storage collision in Starknet contracts.
Think of it like...
Speaking a different programming language — the same concept has different pitfalls.
Starknet's native account abstraction creates unique validation and fee-handling risks.
Think of it like...
A bank that lets you customize your own security system — powerful but easy to misconfigure.
Subtle bugs in code patterns that create exploitable conditions
Known bugs in specific Solidity compiler versions that can silently corrupt your contract.
Think of it like...
A spell-checker that occasionally introduces spelling errors — the tool itself is broken.
Confusing memory (temporary) with storage (permanent) causes data to silently disappear.
Think of it like...
Writing important notes on a whiteboard instead of a notebook — erased when you leave the room.
Tokens that don't follow the ERC-20/721/1155 standard break when used in other protocols.
Think of it like...
A USB-C cable that looks right but doesn't actually follow the spec — it might fry your device.
Business rules that should always be true can be broken by specific transaction sequences.
Think of it like...
A rule that says 'total deposits always equal total withdrawals' — until someone finds the edge case.
Sophisticated DoS attacks using gas limits, unbounded loops, or external call failures.
Think of it like...
Ordering every item on the menu so nobody else can eat.
Detects tokens designed to trap buyers — you can buy but never sell.
Think of it like...
A roach motel for your money: checks in, never checks out.
Problems when tokens interact with protocols: fee-on-transfer, rebasing, or blacklist tokens.
Think of it like...
A key that fits the lock but doesn't turn — compatible-looking but actually broken.