Vulnerability Taxonomy

The foundational Ethereum vulnerability. A contract makes an external call before updating its own state, allowing a malicious contract to call back into the original function and repeat the withdrawal/action before the balance is decremented. First exploited at scale in The DAO (2016, $60M) and reappeared in Cream Finance August 2021 (ERC-777 callback, $25M) and Curve Finance July 2023 (compiler-introduced guard failure, $47–73M).

Sub-types: Classic (single-function), Cross-function (two state-sharing functions), Cross-contract (between separate contracts), Read-only (view functions used in balance calculations). Read-only reentrancy is the hardest variant to detect.

Integer overflow and underflow occur when arithmetic operations produce values outside the valid range of the integer type. Pre-Solidity 0.8.0, all arithmetic silently wrapped around (e.g., uint256(0) - 1 = 2^256 - 1). This enabled attacks like the BeautyChain token exploit and Uranium Finance ($50M, 2021 — a fork that copied an off-by-one in balance comparison).

Solidity 0.8.0 (December 2020) introduced automatic revert on overflow/underflow, eliminating this class for standard arithmetic. Residual risks remain via: unchecked blocks (explicitly opted out), type casting (downcasting from uint256 to uint128 can truncate silently), and precision loss from integer division (rounding down always, accumulates errors).

The highest-dollar-impact category in 2024, accounting for $953.2M in documented losses that year alone. Encompasses missing function modifiers (onlyOwner, onlyRole), unprotected initializer functions (especially in upgradeable/proxy contracts), tx.origin authentication bypass, improper role management, and constructor visibility bugs (historical).

Notable cases: Parity Wallet #1 (2017, $30M — initWallet() publicly callable), Poly Network (2021, $611M — privilege escalation across chain-specific contract roles). Private key compromise (Ronin $625M, Harmony $100M, Bybit $1.4B) is access control failure at the operational/key-management layer, not the code layer.

DeFi protocols must know the price of assets to function. When that price is sourced from a manipulable on-chain mechanism — particularly a Uniswap v2 spot price readable in the same transaction — attackers can use flash loans to transiently inflate or deflate the price, then exploit the mispriced protocol before restoring the price and repaying the loan.

40+ oracle manipulation incidents occurred in 2022 alone, causing $403M+ in losses. Major cases: bZx (2020, $954K — first demonstration), Harvest Finance (2020, $34M), Cream Finance October 2021 ($130M, yUSD price pump), Mango Markets (2022, $117M — self-pump without flash loan), Alpha Finance (2021, $37.5M).

Business logic bugs do not have a syntactic footprint that automated tools can detect without formal specifications. The code is valid Solidity; it simply does not implement the intended protocol behavior. Subcategories: incorrect accounting, off-by-one errors, reward calculation errors, fee-on-transfer token assumptions (protocol assumes tokens transfer 1:1 but they have built-in fees), and rebasing token accounting errors.

Euler Finance's donateToReserves() — the function that enabled the $197M exploit — was correct Solidity. Its exploitation required understanding its economic interaction with the liquidation mechanism. Pickle Finance (2020, $19M) was exploited via a fake "jar" contract exploiting missing input validation on the controller.

Flash loans allow borrowing unlimited capital within a single Ethereum transaction with zero collateral, as long as the loan is repaid before the transaction ends. They do not create vulnerabilities; they amplify pre-existing economic design flaws. Every flash loan attack has a root vulnerability (spot price oracle, governance voting, accounting error) that would exist even without flash loans — just requiring more capital to exploit.

Flash loans are net positive for the ecosystem: they enable efficient arbitrage, liquidations, and debt refinancing. The attack enablement is a secondary effect of democratizing large capital access. Removing flash loans would not remove vulnerabilities — it would require attackers to have real capital.

Ethereum's transparent mempool allows searchers (bots) to observe pending transactions and insert their own transactions ahead (front-running), behind (back-running), or around (sandwich attacks) the target. Maximal Extractable Value (MEV) is the total value extractable by reordering, inserting, or censoring transactions within blocks.

MEV is not always malicious: arbitrage MEV tightens price spreads. But sandwich attacks directly harm users by inflating the price of an asset the victim is buying, executing the buy, then selling back — all within a single block. Per-victim losses are small but aggregate to millions per day.

Any call from one contract to another is an external call that may fail, behave unexpectedly, or introduce reentrancy. Key sub-types: unchecked return values (ignoring failed transfer() calls), calls to arbitrary user-supplied contract addresses, delegatecall misuse (executing code in the context of the calling contract, which can corrupt storage), and gas griefing (forcing a call to consume more gas than budgeted, causing downstream failures).

Many ERC-20 tokens deviate from the standard in ways that break protocol accounting assumptions. "Weird ERC-20" tokens include: fee-on-transfer tokens (protocol receives less than it sent), rebasing tokens (balance changes without transfer events), missing return values, and ERC-777 tokens (include transfer hooks that re-enter calling contracts — exploited in Cream Finance August 2021).

Proxy patterns (transparent proxy, UUPS, Diamond) allow upgradeable contracts but introduce storage collision risks (if proxy and implementation use overlapping storage slots, one can overwrite the other's critical variables), uninitialized proxy contracts (open to hostile initialization), and malicious upgrade risk (admin can push any new implementation).

The Parity Wallet frozen funds ($150M, 2017) demonstrate storage + initialization failure on a library used via delegatecall. EIP-1967 pseudo-random storage slots largely resolve storage collision for standard proxy patterns but require careful implementation.

Governance attacks exploit the mechanisms by which DAOs make decisions. Flash loan governance attacks (Beanstalk, $182M) manufacture voting supermajorities within a single transaction using borrowed tokens. Slow-accumulation attacks (Build Finance, 2022) acquire governance tokens over time at market prices, then vote to extract treasury value. Social engineering attacks (Tornado Cash, 2023) submit malicious proposals that appear legitimate to voters.

Cross-chain bridges are the single highest-value exploit category in blockchain history. Every bridge must solve the oracle problem: how does Chain B verify that an event occurred on Chain A? Solutions range from trusted multisig (fast but dangerous) to ZK proofs (secure but expensive). Multisig bridges — used by Ronin ($625M), Harmony ($100M), and early Wormhole — concentrate massive value behind small numbers of private keys, creating catastrophic-scale single points of failure.

Nomad's $190M exploit demonstrates initialization bug risk: a routine upgrade introduced a zero-hash sentinel value as a "valid root," making any transaction passable without proof. Once discovered, hundreds of actors copied the exploit simultaneously, draining the bridge in hours.