
The Big Five Smart Contract Vulnerabilities Behind the Most Devastating Hacks: A 2025 Postmortem

3 min read · Jul 5, 2025


Last week I wrote about delegatecall mishaps, and earlier this month we unpacked flash‑loan chaos. Today, let’s stitch the narrative together and examine the five recurring smart‑contract flaws that still drain billions.

---

Why Another Postmortem?

Because postmortems work. They transform painful incidents into actionable knowledge. By placing the most common exploit classes side by side, we can spot the shared root causes — and design layered defenses.

Below, each section follows the same structure:

  1. What it is
  2. Real‑world breach
  3. Exploit flow
  4. Root cause
  5. Prevention checklist

---

1. Reentrancy (“The DAO” Pattern)

Breach: The DAO (2016) — $60M drained

An external call inside withdraw() let the attacker recursively re‑enter before the state variables were updated.

Exploit Flow

  1. Attacker calls withdraw().
  2. Contract sends ETH before setting balance to 0.
  3. Fallback re‑enters withdraw() repeatedly.

Root Cause: State changes after external calls.

Prevention Checklist

  • Use checks‑effects‑interactions pattern.
  • Guard with reentrancy mutex (ReentrancyGuard).
  • Favor pull over push payments.

---

2. Flash‑Loan‑Driven Liquidity Manipulation

Breach: bZx (2020) — $8.1M across three incidents

Exploit Flow

  1. Borrow large capital via flash loan.
  2. Manipulate DEX price oracle within same tx.
  3. Open under‑collateralized position / drain pool.

Root Cause: Reliance on on‑chain spot prices without TWAP oracles.

Prevention Checklist

  • Use time‑weighted average price (TWAP) feeds.
  • Cap slippage; add circuit breakers.
  • Isolate lending pools per asset.

---

3. Access‑Control & delegatecall Confusion

(Covered in detail in last week's delegatecall post; summarized here for completeness.)

Breach: Parity Multisig (2017) — $150M frozen

Exploit Flow

  1. Library contract lacked onlyOwner on initWallet.
  2. Attacker became owner, then killed library.

Root Cause: Unprotected initialization + dangerous delegatecall context.

Prevention Checklist

  • Initialize once; lock constructors.
  • Use OpenZeppelin’s Ownable or AccessControl.
  • Avoid delegatecall unless absolutely required.
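The unprotected-initialization root cause and the "initialize once; lock constructors" fix, as an added example that is not the article's code nor Parity's. SafeWalletLibrary, Wallet and the `initialized` flag are this example's own choices; the point it shows is that the library's constructor marks the library's own storage as initialised, while each wallet's delegatecall context carries its own flag, so initWallet() can run once per wallet and never on the library itself.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not code from the article or from Parity. SafeWalletLibrary, Wallet and
// the `initialized` flag are this example's own choices.

// The unsafe shape: nothing stops a second call, or a stranger's call, to initWallet().
contract UnsafeWalletLibrary {
    address public owner;

    function initWallet(address _owner) external {
        owner = _owner;
    }
}

// Hardened library: initialisation is one-shot, and the library's own storage is
// locked at deployment so only a wallet's delegatecall context can ever be initialised.
contract SafeWalletLibrary {
    address public owner;        // slot 0 (packed together with `initialized`)
    bool private initialized;

    constructor() {
        initialized = true;      // the library instance itself is never a wallet
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    // When reached via delegatecall this writes the *wallet's* storage, not the library's.
    function initWallet(address _owner) external {
        require(!initialized, "already initialised");
        require(_owner != address(0), "zero owner");
        initialized = true;
        owner = _owner;
    }

    function changeOwner(address _new) external onlyOwner {
        require(_new != address(0), "zero owner");
        owner = _new;
    }
}

// Thin wallet that forwards its logic to the library. Its storage layout must mirror the
// library's first slots exactly, otherwise the flags land in the wrong variables.
contract Wallet {
    address public owner;        // slot 0, same layout as the library
    bool private initialized;
    address public immutable lib;

    constructor(address _lib, address _owner) {
        lib = _lib;
        (bool ok, ) = _lib.delegatecall(abi.encodeWithSignature("initWallet(address)", _owner));
        require(ok, "init failed");
    }

    // Every other call is delegated; a later initWallet() reverts on the wallet's own flag.
    fallback() external payable {
        (bool ok, bytes memory ret) = lib.delegatecall(msg.data);
        require(ok, "delegatecall failed");
        assembly { return(add(ret, 32), mload(ret)) }
    }

    receive() external payable {}
}
```

Two details carry the fix: the library's constructor runs only in the library's own storage, so its `initialized` slot is true from the first block and no one can become "owner" of the shared library; and the wallet calls initWallet() exactly once, from its constructor, so by the time the fallback is reachable the wallet-side flag is already set.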

---

4. Integer Overflow & Underflow

Breach: Fei Rari Fuse (2022) — $80M lost

Exploit Flow

  1. Crafted input caused supply() math underflow.
  2. Bypass collateral checks; mint excess tokens.

Root Cause: Custom math without SafeMath (pre‑0.8) or unchecked blocks (post‑0.8).

Prevention Checklist

  • Solidity >=0.8 auto‑reverts on overflow — keep compiler up to date.
  • Use unchecked {} only with explicit bounds checks.
  • Fuzz test with extreme values.
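The three checklist items in code: default checked arithmetic, the `unchecked {}` misuse that reproduces the pre-0.8 wrap, the correct bounded use, and a fuzz test that hammers the function with extreme values. This is an added example, not code from the article or from Fei/Rari; BoundedMath, its functions and the Foundry test are this example's own, and the test assumes forge-std is installed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not code from the article or from Fei/Rari. BoundedMath, its functions and
// the Foundry test below are this example's own; the test assumes forge-std is installed.
import "forge-std/Test.sol";

contract BoundedMath {
    mapping(address => uint256) public balanceOf;
    uint256 public totalSupply;

    constructor(uint256 initial) {
        balanceOf[msg.sender] = initial;
        totalSupply = initial;
    }

    // Solidity >= 0.8 default: if amount > balance the subtraction reverts with
    // Panic(0x11) instead of wrapping around to 2**256 - amount.
    function transferChecked(address to, uint256 amount) external {
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount;
    }

    // The pre-0.8 bug recreated: inside unchecked {} the subtraction wraps silently,
    // so a caller with a zero balance walks away with an enormous one.
    function transferUncheckedBug(address to, uint256 amount) external {
        unchecked {
            balanceOf[msg.sender] -= amount;
            balanceOf[to] += amount;
        }
    }

    // Correct use of unchecked {}: the bound is proven by a require first, so the block
    // only removes a redundant check (and its gas), never a real one.
    function transferUncheckedSafe(address to, uint256 amount) external {
        uint256 bal = balanceOf[msg.sender];
        require(bal >= amount, "insufficient balance");
        unchecked {
            balanceOf[msg.sender] = bal - amount;   // cannot underflow: bal >= amount
        }
        balanceOf[to] += amount;                    // stays checked
    }
}

// Foundry fuzz test: forge calls this with random uint256 amounts, including values
// near 2**256 - 1, which is exactly where hand-written math tends to fail.
contract BoundedMathTest is Test {
    BoundedMath token;

    function setUp() public {
        token = new BoundedMath(1_000 ether);   // the test contract holds the initial supply
    }

    function testFuzz_noUnderflow(uint256 amount) public {
        uint256 bal = token.balanceOf(address(this));
        if (amount > bal) {
            vm.expectRevert();
            token.transferUncheckedSafe(address(0xBEEF), amount);
        } else {
            token.transferUncheckedSafe(address(0xBEEF), amount);
            assertEq(token.balanceOf(address(this)), bal - amount);
            assertEq(token.balanceOf(address(0xBEEF)), amount);
        }
    }
}
```

Run with `forge test --match-test testFuzz_noUnderflow`. Pointing the same test at transferUncheckedBug() instead of transferUncheckedSafe() makes the failing case visible immediately: the `amount > bal` branch never reverts and the balance assertion fails with a wrapped value.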

---

5. Oracle Manipulation

Breach: Harvest Finance (2020) — $34M drained

Exploit Flow

  1. Flash loan to swing Curve pool prices.
  2. Deposit & withdraw from Harvest at skewed NAV.

Root Cause: Protocol read raw pool balances as price oracle.

Prevention Checklist

  • Use off‑chain oracles (Chainlink) with deviation limits.
  • Validate price feeds across multiple sources.
  • Pause deposits on >X% deviation.
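Sections 2 and 5 share one root cause, a spot price read straight from pool balances, and their checklists share one remedy: a TWAP, an external reference with deviation limits, and a circuit breaker. The oracle below applies all three; it is an added example, not the article's code nor anything from bZx or Harvest. IPool, IPriceFeed, GuardedOracle, the 5 % limit, the 1-hour staleness bound and the 30-minute window are this example's own assumptions, and IPriceFeed only copies the shape of Chainlink's AggregatorV3Interface.latestRoundData().

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not code from the article or from bZx/Harvest. IPool, IPriceFeed, the 5 % limit,
// the 1-hour staleness bound and the 30-minute window are this example's own assumptions;
// IPriceFeed copies the shape of Chainlink's AggregatorV3Interface.latestRoundData().
interface IPool {
    // Raw reserves of a constant-product pool: exactly the value a flash loan can move.
    function getReserves() external view returns (uint112 reserve0, uint112 reserve1);
}
interface IPriceFeed {
    function latestRoundData() external view returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
    function decimals() external view returns (uint8);
}
contract GuardedOracle {
    IPool public immutable pool;
    IPriceFeed public immutable feed;
    address public guardian;
    bool public paused;
    uint256 public constant SCALE = 1e18;
    uint256 public constant MAX_DEVIATION_BPS = 500;   // 5 %
    uint256 public constant MAX_FEED_AGE = 1 hours;
    uint256 public constant TWAP_PERIOD = 30 minutes;

    // Single-epoch cumulative-price TWAP (Uniswap-v2 style), 1e18 scale.
    uint256 public cumulative;       // running sum of spot * seconds
    uint256 public lastTimestamp;
    uint256 public epochCumulative;
    uint256 public epochTimestamp;
    uint256 public twap;             // 0 until the first full window has elapsed
    event CircuitBreakerTripped(uint256 spot, uint256 reference);

    constructor(IPool _pool, IPriceFeed _feed) {
        pool = _pool; feed = _feed; guardian = msg.sender;
        lastTimestamp = block.timestamp; epochTimestamp = block.timestamp;
    }

    // VULNERABLE if consumed directly: the reserve ratio at this instant (assumes 18-decimal tokens).
    function spotPrice() public view returns (uint256) {
        (uint112 r0, uint112 r1) = pool.getReserves();
        require(r0 > 0, "empty pool");
        return uint256(r1) * SCALE / uint256(r0);
    }

    // Off-chain reference normalised to 1e18, rejected when stale or non-positive.
    function referencePrice() public view returns (uint256) {
        (, int256 answer, , uint256 updatedAt, ) = feed.latestRoundData();
        require(answer > 0, "bad answer");
        require(block.timestamp - updatedAt <= MAX_FEED_AGE, "stale feed");
        return uint256(answer) * SCALE / (10 ** uint256(feed.decimals()));
    }

    // Called regularly by a keeper: a one-block spike is diluted over the whole window.
    function update() external {
        uint256 elapsed = block.timestamp - lastTimestamp;
        if (elapsed == 0) return;
        cumulative += spotPrice() * elapsed;
        lastTimestamp = block.timestamp;
        uint256 epochElapsed = block.timestamp - epochTimestamp;
        if (epochElapsed >= TWAP_PERIOD) {
            twap = (cumulative - epochCumulative) / epochElapsed;
            epochCumulative = cumulative;
            epochTimestamp = block.timestamp;
        }
    }

    function _deviates(uint256 a, uint256 b) internal pure returns (bool) {
        uint256 diff = a > b ? a - b : b - a;
        return diff * 10_000 > b * MAX_DEVIATION_BPS;
    }

    // HARDENED read: a price is served only while the breaker is closed and spot agrees
    // with both the reference feed and the TWAP within the limit.
    function price() external view returns (uint256) {
        require(!paused, "oracle paused");
        uint256 spot = spotPrice();
        uint256 ref = referencePrice();
        require(!_deviates(spot, ref), "spot deviates from reference");
        if (twap != 0) require(!_deviates(spot, twap), "spot deviates from TWAP");
        return ref;
    }

    // Persistent circuit breaker: a reverting view cannot record state, so a monitoring bot
    // calls trip() when it observes a deviation, and consumers stay blocked until the guardian unpauses.
    function trip() external {
        uint256 spot = spotPrice();
        uint256 ref = referencePrice();
        require(_deviates(spot, ref), "no deviation");
        paused = true;
        emit CircuitBreakerTripped(spot, ref);
    }

    function unpause() external {
        require(msg.sender == guardian, "not guardian");
        paused = false;
    }
}
```

The split between price() and trip() is deliberate: price() reverts inside the manipulated transaction, which protects that one call, while trip() is the persistent "pause deposits on >X% deviation" step that a Forta-style bot or keeper performs in its own transaction so that the pause survives. A lending or vault contract would call price() on every deposit, borrow and liquidation path rather than reading the pool's reserves itself.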

---

Defense‑in‑Depth Checklist for 2025

  • Automated static analysis: Slither, MythX, Echidna fuzzing.
  • Runtime monitoring: Forta bots, on‑chain anomaly detection.
  • Bug bounties: Public programs on Immunefi & HackenProof.
  • Timelocks & pausability: Delay critical changes; add circuit breakers.
  • Layered reviews: Internal + external audits + community contest.

Security is a process, not a product. Every line of code is a potential liability — treat it accordingly.

---

Further Reading

Thanks for reading — let’s keep building and securing the decentralized future.


Written by Mohammad Khezer

Cybersecurity expert, blockchain innovator, and founder of Shuman. Tech enthusiast by day, adventurous filmmaker and nature lover by heart. 🌍📽️
