Introduction to smart contract vulnerabilities
Smart contracts are programs that are designed to run on top of blockchain networks. Smart contracts are implemented as code associated with blockchain accounts that can be created and called using transactions on the blockchain.
As blockchain-based programs, programming vulnerabilities within smart contracts are a serious concern. Three types of vulnerabilities within smart contracts are general programming vulnerabilities, blockchain-specific vulnerabilities and platform-specific vulnerabilities.
General programming vulnerabilities
The potential for general programming vulnerabilities exist within smart contracts because they are programs and potentially contain some vulnerabilities as a result. Two examples of general programming vulnerabilities within smart contracts are:
- Arithmetic vulnerabilities: Smart contracts commonly perform integer comparisons (for balance checks before performing transfers). Many smart contract platforms used signed and unsigned variables and different length integers, creating the potential for integer overflow and underflow vulnerabilities to enable an attacker to bypass these checks.
- Right-to-left control characters: Many smart contract platforms have websites that enable users to audit the smart contract code with the intention of building trust in the code. However, these platforms also support right-to-left control characters (for use in handling languages like Arabic that are written right to left), making it possible for the displayed version of the contract to be misleading.
Smart contracts are programs that run on top of a blockchain, which is a very different operating environment from the computers that many programs are written for. This creates several potential vulnerabilities that are unique to smart contracts:
- Access control vulnerabilities: Some smart contracts are designed to provide certain functionality only to the smart contract owner or other privileged users. These lists of privileged users are often set by calling a special function within the contract. However, some contracts fault to set this function to only be callable a single (Read more...)
*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Howard Poston. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/E7qbgFlsPs0/